Archive for the ‘Analysis’ Category

Preparation for Internet Attacks

Tuesday, August 25th, 2009

by William Murray

Headlines this week have reported on denial of service attacks against Twitter, Facebook and several other social networking sites.  These follow attacks in July against various government sites in the US and South Korea.  The headlines have elicited all kinds of commentary, most of it stopping just short of concluding that the sky is falling.  In all of this coverage, I have seen almost nothing about what this means to the average enterprise or what one ought to do about it.

Denial of service attacks work by exhausting finite resources.  (They are different from an attack that compromises a system and then breaks it or shuts it down.)  Historically we thought of them as exhausting system resources.  For example, “SYN flood” attacks against servers work by exhausting memory until the server dies.  However, modern distributed denial of service (“DDoS”) attacks (“distributed” modifies “attack,” not “denial of service”) work by exhausting network bandwidth, usually the “last mile” to the victim.

To maximize the availability of resources in general, and information assets in particular, it helps to have some appreciation of the threat.  Most of the threats to availability are natural, not man-made.  They include everything from massive events like Hurricane Katrina to component failures.  Historically, most of the man-made threat has been accidental: errors and omissions.  This was in part because even the most malicious lacked the resources or motivation for more than the most local attacks.

The modern open network has changed that.  Not only may an individual control vast stolen resources (“botnets”) but he can direct them against a target of choice.  At first, the use of this power was by children and other amateurs and targets were somewhat random.  Increasingly the power is used by professionals and victims are chosen to make money (e.g., by extortion or short selling of securities).  The attack against Estonia, among the tiniest of nation states, has created fear that nation states might attempt to use the links between them to attack one another for political or military purposes.

Our fundamental strategies for ensuring availability include adequate capacity and reserves, easily deployed, avoiding single points of failure, planned response to events, and insurance.  The planned responses include relations with key suppliers.  Here is where the potential for denial of service attacks suggests a new tactic: pre-arrangement with one’s upstream network service providers.

Steve Gibson reports that in the first well-publicized attack against grc.com, it took him 12 hours to find the right individual at his internet service provider and ten minutes for that person to fix it.  Since one will rarely have so much capacity that an attacker cannot exhaust it, assistance from one’s upstream provider is always helpful and may be essential.

Internet service providers offer multiple alternatives for mitigating denial of service attacks, from simple filtering, alternative addresses, and alternative paths, to capacity for absorbing the attack.  Many spell out these services in their offerings.  Some of these services are separately priced.  (For the few enterprises that are targets of choice for denial of service attacks, there are specialized services that offer massive capacity for absorbing attacks.)

Media coverage to the contrary notwithstanding, and at least for the time being, for the average enterprise, network-based denial of service attacks will be rare and short lived.  They may be slightly more likely than regional disasters but less damaging.  They should be addressed in the context of other threats to availability.

That leaves the issues of a national denial of service attack, like Estonia, a global denial of service attack, like SQL/Slammer, or “Cyber Terrorism.”  The so-called attack against Estonia was really a number of loosely coordinated attacks against a very small nation state that was unusually dependent on the Internet.  While somewhat effective, even it consumed only a small portion of the total capacity of even that small country.  The recent coordinated attacks against the US and S. Korea were even less effective.

SQL/Slammer was a global denial of service attack which attempted to exploit a widespread vulnerability to organize Internet nodes against the Internet itself.  It produced a noticeable, localized, and short-lived decrease in the usable capacity of the Internet.  Because it was easily recognized, it was possible to put filters in place to shut it down within hours.  However, one can easily visualize a more heterogeneous attack that would have been more difficult to stifle.  One cannot afford to dismiss the possibility of such an attack.  However, as time passes, the potential for it to be effective diminishes.  The widespread use of restrictive policies, e.g., default deny and personal firewalls, resists the marshalling of the Internet’s nodes against itself; the capacity to be exhausted increases; and the preparation and strategies of the operators improve.

Terrorism can be defined as an attempt to achieve political ends by frightening the populace.  While the death and destruction is beyond question, its effectiveness in achieving its ends has always been questionable.  In modern terrorism, the means have become so separated from the ends that the terror has become an end in itself.  The speculation about “Cyber Terrorism” is based upon the idea that the Internet might be such an attractive means to a terrorist as to make its use for an attack all but inevitable.  To the extent that it permits a small number of people to exercise control or project power at a distance, the Internet is an attractive attack vector.  It is certainly attractive as a means of demonstrating the vulnerability of a highly technologic society.  However, as a means of creating terror, it is far less attractive than random death and destruction.

“Think globally, act locally.”  For most of us, the proper response to any potential for “Cyber Terrorism” is to protect our own resources so that they cannot be used against our neighbors.

Lost productivity rather than attacks the real risk from ATL Issues

Thursday, July 30th, 2009

by Peter Tippett and David Kennedy

The acetaminophen and antacid consumption in enterprise IT staffs is likely on the increase due to the recent release of two Security Bulletins by Microsoft, one for Internet Explorer and one for Visual Studio. This security problem has the potential to be both far-reaching and subtle in nature.  We would like to offer a dose of reason in hopes that your stress-induced ailments will at least be caused by wrestling with the real problem. The biggest risk is not from attacks; lost productivity dealing with the scope and confusion around the ATL issue is the greatest risk from these announcements.

To be clear, we do expect attacks but do not believe they will be novel or pervasive. We have seen hundreds of browser vulnerabilities over the years and the pattern of successful exploits is well understood:  such attacks mainly result in home-user machines being absorbed into large-scale botnets.  Our series of Data Breach Investigations Reports, covering nearly 600 breaches studied over five years, consistently finds that browser vulnerabilities rarely contribute (even incidentally) to significant enterprise data breaches.

Just do it – MS09-034: Elegant Security Buttress for Internet Explorer

Wednesday, July 29th, 2009

The Microsoft Active Template Libraries (ATL) issue described in MS09-035 has revealed that a great many Component Object Model (COM) programs may be vulnerable to exploitation in a way the developers of those programs may not have realized. Internet Explorer is not the only program that hosts COM programs, but it is the most likely primary attack vector for criminals to exploit vulnerable programs via ActiveX controls as is the case with the current criminal activity using the Microsoft Video Control that was the subject of MS09-032 recently.

MS09-034 includes two significant new features, both intended to provide security enhancement to IE to allow it to protect users from exploitation of vulnerable controls.

ATL/ActiveX issues are not the end of the World

Tuesday, July 28th, 2009

Executive Summary

Security-related issues exist in some of the programs written using the Microsoft Active Template Library (ATL) that could allow code execution by browsing to a web site under criminal control. If a programmer created a code object using the ATL, the final product could potentially have an exploitable vulnerability. We say “Potentially” has a vulnerability because, at this time, no systematic attack is known to exist. However, many popular programs used in conjunction with Internet Explorer (IE) are vulnerable. At this time at least three discrete ActiveX controls are being exploited and used to compromise systems. Enterprises should assess the mission impact of preventing vulnerable controls from running. This is best achieved by using Group Policy Object (GPO) to allow only Administrator-approved ActiveX controls to run and by supplying a white list of known good, or patched, controls.

Update 2009-07-29:  The reader’s attention is invited to additional information immediately above the tags in the full article.

Talking about Risk

Wednesday, July 15th, 2009

by William Murray


Not so long ago, but in a different era, the rogue hackers were building tools to automate the creation of viruses and worms to exploit newly publicized vulnerabilities.  They boasted that these tools were enabling them to develop malicious code faster and faster and that soon they would be able to create an attack within twenty-four hours of the identification of a vulnerability. Thus was born the idea of the “zero-day” attack.  Note that “zero-day” is a term of art, that it modifies attack, and that it is relative to the identification of the vulnerability.  

While it is sometimes used to refer to a previously unknown vulnerability, the words have no meaning in that context. “Zero-day” relative to what?  To yesterday?  The term has lost its original meaning without gaining a new one.  It became an expression that, not only carried no meaning of its own, but confused the meaning of any terms with which it was used.  This aggravates the general problem in security that our terms of art, e.g. threat, attack, vulnerability, and risk are used without distinction, not to say interchangeably.  Multiple times a week I find myself parsing quotes about security in the media, in a sometimes vain attempt to figure out what the source intends.

How to rate a Security Event?

Thursday, July 9th, 2009

Today we published a notification to our security customers advising them that the latest Microsoft vulnerability, discovered only after in-the-wild criminal attacks, should be treated as “Hot.” Hot is our term for something which needs to be addressed within seven days.

In June we published a similar advisory regarding the DirectShow vulnerability, also discovered only after in-the-wild criminal attacks, wherein we advised the issue as “Important.” Important means to take action within thirty days.

Both issues were discovered only after in-the-wild criminal attacks, so why would we rate them differently?

Yr puvsser vaqrpvssenoyr?

Thursday, June 11th, 2009

Some readers of our 2009 Data Breach Investigations Report have inquired about this odd inscription on page 48. Is it a printing mistake? An easter egg? A secret message? Random gibberish from an insane mind? Hmmm…

Well, we’re not going to reveal all here but we will tell you that it was entirely intentional and that the hunt doesn’t end with a French oxymoron. If you’re into puzzles, it might be an enjoyable way to pass some time during one of those dreadful post-lunch conference calls you inevitably get dragged into. A few others have figured it out (see here, here, and here), though we warn you that the links definitely contain spoilers.

Happy Hunting.

Security’s Possible Path To Maturity

Monday, June 1st, 2009

At times, there are topics in information security discussions that get a lot of attention, fall out of interest, only to be resurrected again and reemerge as a hot topic. I call these “Information Security Zombie Memes”; they are the walking dead of discussion and rhetoric that we can’t seem to destroy. Return on investment, security and obscurity, full/partial/responsible disclosure, how to measure security, and such topics are good examples of those subjects that boomerang back around into our collective consciousness again and again. One that has been in my mind lately, as I think about the convergence of risk management and management science, is the “security, art or science” meme.

Exploitation of Previously Unknown DirectShow Vulnerability Occurring

Friday, May 29th, 2009

Microsoft has announced that they have discovered a vulnerability in DirectShow. Exploitation of the vulnerability could allow a criminal to run code of their choice in the victim’s security context simply by the victim browsing to a website while allowing scripts to run. The browser being used doesn’t matter providing it allows scripting. Microsoft is aware of limited attacks in-the-wild. Patches are being developed.

All versions of Windows are vulnerable, except Vista and Server 2008. It is worth noting that DirectShow was patched for similar vulnerabilities in April 2009, and previously in December of 2007. Neither of those vulnerabilities was ever significantly exploited.

On Clouds and The Evolving Role of the CISO

Wednesday, May 6th, 2009

One of the fun things about being in Information Security is the amount of change our profession goes through. In a sense, we might pity the accountant, the sales person, or others whose role in the corporation has been well defined for many years. Our role is centered on understanding the use (and therefore protection of) information, and as such our job is as dynamic as that which we seek to protect. Now if I haven’t mistaken this role, how the CISO approaches her job is about to fundamentally change (again).

When you’re pwned, you’re pwned. Any questions?

Friday, April 17th, 2009

Multiprotocol Label Switching (MPLS) security is not for the faint-hearted. However, like most information technology, understanding basic principles and having a policy founded on sound principles allows an administrator to sleep at night knowing the networks are secure.  A policy for employing thoughtful and conservative essential practices and having quality assurance practices to ensure continuity of secure operations is one of those basic principles.  An antithetical principle is that when a criminal takes control of your systems, bad things are going to happen.

2009 DBIR: Demographics

Wednesday, April 15th, 2009

In our minds, there are two very interesting items with regard to demographics in this year’s report.  The first is that the number of attacks in the financial services industry more than doubled in 2008.  More importantly, an amazing 93% of compromised records were the result of breaches in the financial services industry.  As we said in our report, this is largely due to a few cleverly designed and executed attacks which yielded huge payloads.  It will be interesting to see if this trend continues or if the bigger players in the financial services field will be more successful in avoiding these attacks in the coming year.

On a side note, we have seen a few comments from our readers in which they question why we included size of industry in our demographics section.  This was done simply to illustrate that the caseload didn’t all come from very large or very small companies, but was spread across a wide range.

The other noteworthy item is that 13% of the organizations in our caseload had recently changed hands as a result of an acquisition or merger.  While we make no bones about the fact that we cannot draw any ‘scientific’ conclusions from this data point, we find it relevant and of great interest.  Anyone with any experience of large-scale change in any company can testify to the fact that they rarely (nice way of saying NEVER) go smoothly.  Hopefully, any insight our investigators can lend to what commonalities exist between the breach victims of recently merged companies can be applied to prevent future crimes from occurring.  What are your thoughts?

The grid is vulnerable – get over it

Wednesday, April 8th, 2009

By William H. Murray

This week sparked the latest round of buzz around the security of the power grid. We’ve been here before and we will be again. Civilization began with the well and the aqueduct, i.e., infrastructure. That is why we call it civilization. Get over it.

To the extent that we benefit from and rely upon any complex infrastructure, we are vulnerable to interference with and contamination of that infrastructure. Get over it.

Most of the vulnerability in the electric power grid is fundamental, not implementation induced. One can compensate for fundamental vulnerabilities but only within limits of complexity, scale, scope, and load. That is why, at least once a generation, the electric grid fails at those limits, let alone easily anticipated and compensated for misuse and abuse. Even when we compensate for the anticipated misuse and abuse, there will still be failures. Get over it.

There’s nothing wrong with the PCI DSS

Monday, April 6th, 2009

I’ve been reading, with no small amount of interest, about the congressional hearings surrounding the Payment Card Industry Data Security Standard (PCI DSS) that took place on March 30th. Over the last six months, various incidents and data breaches have renewed discussion about the Payment Card Industry’s Security Standards Council and the value of PCI DSS. It all came to a head on Tuesday in various testimonies given to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology (or ‘SETCAST’ – see http://www.homeland.house.gov/hearings/index.asp?ID=185). I thought I’d take the opportunity to write my first blog post for Verizon Business to discuss why I think the PCI DSS is just fine.

Risk, Group Think and the Conficker Worm

Thursday, March 26th, 2009

Verizon Business customers, and security professionals generally, should resist succumbing to a herd mentality and fear of the unknown surrounding the Conficker worm. In most respects, Conficker (a.k.a. Downadup or Kido) is just another piece of crimeware threatening Windows computers. The known risks it represents are minimal; so far, versions A and B simply spread and version C is presently dormant. They impact the integrity of infected systems but the costs are limited to disinfection. Our defenses are set and we are alert for significant changes in the risk environment if they come, but risk has changed little at this time regardless of the apparent desire of the technical press and the blogosphere to indicate otherwise.

Conficker is not generating spam revenue for the outlaws, nor is it exporting data from infected systems or any of the other myriad of hostile activities current crimeware usually exhibits. Infected systems are under the control of a criminal and could begin executing more criminal instructions. On April 1st, 2009, version C is expected to begin listening for instructions from its master(s) using a new Command and Control (C&C) method.