  1. #1 iNET Interactive (Seattle, WA, USA)



    TOP STORY

    New analysis of stolen data brings surprises


    By Woody Leonhard

    Every year, the highly respected Verizon Business RISK data crime–investigation team publishes an analysis of major online data thefts it's been asked to study.

    This year, a first-ever joint report by VBR and the U.S. Secret Service presents a fascinating view into the state of the data-stealing art, with many surprising facts that should interest all consumers.

    The full text of this column is posted at WindowsSecrets.com/2010/08/19/02.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2 New Lounger (Monbulk, Victoria, AUSTRALIA)
    I read this article with interest. Although it stated that the VBR and Secret Service report did not record any malware exploitation in 2009, I wonder, did this statement apply only to the United States, or to other countries as well?
    Being an experienced computer user for decades, I thought that I knew how to keep safe on the net, and I thought that I could fix just about any problem caused by malware. NOT SO! There are quite a few examples of how I have been hacked, closed down, infiltrated and infected by some rather smart people, either with profit motives, or with too much ability and time on their hands. One such item happened to me last year, when I was contacted by my ISP, advising that one of my unused email addresses (with a 21-character password) had been taken over, and was being used for Nigerian money scams. I was told that the FBI was investigating. On other occasions, I had quite some difficulties with malware infestation, despite using a few popular anti-malware progs, a good anti-virus, and a good firewall. In each case, I eventually got rid of the infections, and cleaned up my systems. But one infection in 2009 had me completely stymied. This was the win32.agent.ieu malware. When the infection became obvious, I put into play all my knowledge, taking the accepted steps to remove this nuisance, but with each step, I was second-guessed, and each time it shut the gate behind me, so that I quickly ran out of options. In the end, it seemed to have total control, so I junked the hard drives, and then tried a new hard drive. I was unable to do a new load of Win XP, so I reckoned that the BIOS may have been corrupted, so I ended up junking that computer. My anti-virus company, Norton, was sympathetic, but could offer no fix for the problem at that time. This just shows that nobody is immune to these bugs, and that the above statement in the report is possibly naive, as many infections around the world likely go unreported.
    oldieuser.

  3. #3 New Lounger (New Zealand)
    I don't understand one of the key claims in the report:

    "there wasn’t a single confirmed intrusion that exploited a patchable vulnerability"
    "13 The word “patchable” here is chosen carefully since we find that “vulnerability” does not have the same meaning for everyone within the security community. While programming errors and misconfigurations are vulnerabilities in the broader sense, lousy code can’t always be fixed through patching and the careless administration patch has yet to be released. Furthermore, many custom-developed or proprietary applications simply do not have routine patch creation or deployment schedules."

    This appears to be directly contradicted by some of the other claims:

    "Malware (38% of breaches, 94% of records)"

    "In fact, though phishing, SQL injection, and other attacks can and do steal credentials, malware nabbed more than all others combined by a ratio of 2:1."

    "Figure 18. Malware infection vectors by percent of breaches within Malware
    51% Installed/Injected by remote attacker
    19% Web/Internet (auto-executed/”driveby” infection)"


    It's remotely possible that by 'installed/injected' they mean ONLY server-side SQL injections of non-OS application-level code (eg PHP), so let's put those aside for now. That leaves 19% of 94% of leaked records obtained through drive-by/auto-execution of malware over the web. Not the user clicking or being social-engineered. Drive-bys.

    But by definition, isn't drive-by infection only possible if you have an unpatched vulnerability in Internet Explorer?

    How are they counting all these web drive-bys as 'not a single confirmed intrusion'?

    Is the capability for enabling drive-bys considered a non-patchworthy 'feature' of IE these days? I sure hope not.

    Or are all these drive-bys using 0-day IE exploits, and therefore not considered 'patchable' by the user? That would be exceedingly scary if true, but still wouldn't make sense, since even 0-days eventually get patched.

  4. #4 bobprimak, Lounge VIP (Hinsdale, IL, USA)
    In answer to the issue of unpatchable vulnerabilities in IE8, yes there are a few. Secunia PSI reveals, even on a personal laptop, at least a few unpatchable vulnerabilities in IE8 with every run over at least the past two years on both my Windows XP Pro SP3 32-bit laptop and my Windows 7 Home Premium 64-bit laptop (two instances of IE8, one 32-bit, one 64-bit). Firefox often shows vulnerabilities for a few months, but at least two IE8 vulnerabilities went unpatched for over two years each. So yes, Microsoft does not close all security holes in IE with any reasonable frequency. Windows itself also has unpatchable vulnerabilities, some dating back over nine years in Windows XP. Third-party security software would be unnecessary if these facts were not so. After all, when was the last time that a Linux server or personal computer was compromised by an Internet-based attack? It doesn't happen very often, I am sure.

    Server versions of Windows, and especially those with SQL Databases, are even more full of holes which users cannot patch. But I do not run servers, so I leave that end of the discussion to other Lounge Members to continue, if anyone wants to take up the baton from here.
    -- Bob Primak --

  5. #5 New Lounger (Bristol, England)
    There is a lot of loose language in this article which is probably not Woody's fault.

    QUOTE: The second-most-popular method for subverting servers uses drive-by Web infections (where you get an infection without actually clicking anything on a malicious site)

    QUOTE: not e-mail, not infected documents, and not zero-day attacks.

    QUOTE: there wasn't a single confirmed intrusion that exploited a patchable vulnerability

    Now a drive-by infection can only be effective by exploiting a vulnerability of some sort, usually in the browser. These vulnerabilities can either be patched (at which point it ceases to be a problem), patchable but not patched (which is a user problem), patchable but no patch published (which is the supplier's problem) or unknown to the security community (these don't exist for long). Where you define 0-Day between these last two is a matter of debate, but there is no such thing as an unpatchable vulnerability even if, in some cases, it would require a reduction in function.

  6. #6 New Lounger (Alexandria, VA, USA)
    Quote Originally Posted by David Pym:
    I read this article with interest. Although it stated that the vbr and secret service report did not record any malware exploitation in 2009, I wonder, did this statement apply only to the United States, or to other countries as well?
    I am assuming it is wherever Verizon and the US Secret Service do business. The VERIS framework does include multiple international regions, and I know that Verizon has business all over. One thing to remember is that this data is only from Verizon and the US Secret Service, no info from any other Network Providers. Furthermore, the Verizon information is only from "paid forensic investigations conducted by Verizon from 2004 to 2009" and then only from confirmed breaches. The data from the USSS was only for confirmed organizational data breaches, no consumer data. Then they weeded out cases where both Verizon and the USSS worked the case and only used Verizon's data on those. Then, on the USSS data, they used a subset of the data for a total of 257 USSS cases.

    Basically, it sounds like all business information and no consumer (home user) information was used. (The Verizon information doesn't say this, but I don't know a lot of home users that would pay for a full-on forensic investigation.)

    "It is very interesting to note that there were no confirmed cases in which malware exploited a system or software vulnerability in 2009 … there wasn't a single confirmed intrusion that exploited a patchable vulnerability."
    As for the above quote, the first part is taken from the bottom of page 25, while the second part is on page 30 of the report. Below is the rest of the context of page 30 with Verizon's explanation of "patched".

    In the past we have discussed a decreasing number of attacks that exploit software or system vulnerabilities versus those that exploit configuration weaknesses or functionality. That downward trend continued this year; so much so, in fact, that there wasn't a single confirmed intrusion that exploited a patchable13 vulnerability. On the surface this is quite surprising—even shocking—but it begins to make sense when reviewing the types of hacking discussed above. SQL injection, stolen credentials, backdoors, and the like exploit problems that can't readily be "patched."

    13 The word "patchable" here is chosen carefully since we find that "vulnerability" does not have the same meaning for everyone within the security community. While programming errors and misconfigurations are vulnerabilities in the broader sense, lousy code can't always be fixed through patching and the careless administration
    patch has yet to be released. Furthermore, many custom-developed or proprietary applications simply do not have routine patch creation or deployment schedules.
    I originally interpreted this as vulnerabilities that came to light in 2009 and had patches released, but after further reading, I don't think that is correct. As Verizon explained, "patchable" depends on your definition. It seems like most of the data breaches fall under system mis-configuration. For example, while there are many SQL patches, most SQL injections come down to configuration problems. Using input masks, limiting the size of the data input...etc...I'm not an SQL guru, so I'm sure it's not that easy, and as the report stated, there are probably tons of lines of code that need to be fixed for many of those. As for the other things like backdoors, they had to get on the system somehow.

    In the end, this was still an interesting read. As I stated above, I don't think there is much information about consumer breaches. However, it seems like business users are getting wise to email scams and some of the other avenues. Hopefully, this means that much work at trying to educate our users is paying off.

  7. #7 New Lounger (New Zealand)
    Quote Originally Posted by Rick Parsons:
    Now a drive-by infection can only be effective by exploiting a vulnerability of some sort, usually in the browser. These vulnerabilities can either be patched (at which point it ceases to be a problem), patchable but not patched (which is a user problem), patchable but no patch published (which is the supplier's problem) or unknown to the security community (these don't exist for long). Where you define 0-Day between these last two is a matter of debate, but there is no such thing as an unpatchable vulnerability even if, in some cases, it would require a reduction in function.
    Yes, exactly.

    This to me is a huge, glaring contradiction in the Verizon report (I downloaded and skimmed the whole thing and the contradiction between 'lots of malware auto-installation' and 'no patchable vulnerabilities exploited' remains). I have to wonder if Verizon is trying to slant it towards an anti-patching agenda, or was it just badly edited by someone who didn't understand security at all?

    It just doesn't make any sense to me, and I would like to see Woody and others here offer some explanation.

  8. #8 Woody, 3 Star Lounger (Nashville, Tennessee)
    I think you have to keep it in context - this is a report that looks at data stolen from companies. The empirical method counts numbers of records stolen. So, as you say, it isn't an analysis of consumer breaches.

    SQL Injection attacks can happen with completely patched SQL systems. Frequently the problem comes from SQL applications that don't properly check input parameters: the bad guys send a properly malformed inquiry, and take over the system.

    When they talk about patching, their emphasis is on server patches - which is a whole different world, eh?
    Woody

    For Dummies book author, Senior Contributing Editor for InfoWorld, and long-suffering Windows victim. Check out the latest at AskWoody.com.
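Woody's point in #8 (and the remark in #6 about input masks and size limits) is that an injection succeeds against a fully patched database engine because the defect lives in the application, which is exactly why the report counts it as not "patchable". The following is an added illustration, not code from this thread or from the Verizon report: it uses Python's built-in sqlite3 with a constructed in-memory table, shows the string-concatenation pattern beside its parameterised replacement, and adds a hypothetical allow-list rule for usernames as defence in depth. Function names and the sample rows are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a throwaway in-memory table standing in for
    an application's user store. No real system or dataset is involved."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: user input is pasted straight into the SQL text.

    The database engine does exactly what it is told. Patching the engine
    changes nothing here; the defect is the application's own code."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened pattern: the value travels as a bound parameter, so the
    engine treats it as data and never re-parses it as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Hypothetical input rule (the "input mask" and size-limit idea from #6):
# a username is 1-32 characters drawn from a small allow-list.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def lookup_defended(conn, name):
    """Defence in depth: reject malformed input up front, then still use a
    bound parameter. Validation is a second layer, not a replacement for
    parameterisation."""
    if not valid_username(name):
        raise ValueError("rejected malformed username")
    return lookup_safe(conn, name)


def demo():
    """Run the three lookups against one constructed probe string and return
    what each variant did, so the difference is visible without a real DB."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed malformed input: the textbook tautology
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_probe": sorted(lookup_unsafe(conn, probe)),  # returns every row
        "safe_probe": lookup_safe(conn, probe),              # matches nothing
        "validated_probe_rejected": not valid_username(probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from running it: the engine is identical in both lookups, and only the application changed. Detecting this class of bug is a code-review and testing exercise (look for query text built by concatenation or formatting), not something a patch cycle will surface.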

  9. #9 New Lounger (New Zealand)
    Quote Originally Posted by Woody Leonhard:
    When they talk about patching, their emphasis is on server patches - which is a whole different world, eh?
    Not entirely. We all know that Internet Explorer runs on servers as well, so a server can get malware drive-bys through the same channel as a workstation and requires the same patches to keep it safe. At least drive-bys require *some* user intervention (firing up either IE or an application which embeds it) so aren't quite in the same category, but it's not unthinkable for a server administrator to need to access the Web while installing or changing a setting.

    At the very least I would have expected this report to make a clear distinction between infections delivered via Internet Explorer vs infections delivered remotely by always-on network services, say, exploits in Universal Plug-n-Play or the TCP/IP stack. The first you can mitigate by restricting Web usage, the second type is particularly concerning for server admins.

    But from the point of view of enterprise security, rather than just 'server team' security, and in the simplest reading of the phrase, I would have thought 'patchable exploit' applied to all devices on one's network for which regular patches are supplied by the manufacturer - workstations as well as servers.
