Archive Page 2
What’s In A Severity Rating?
0 Comments Published May 3rd, 2006 in Exploits/Vulnerabilities, Security
Nice post here surveying various security organizations and the wide disparity between them: one will rate a vulnerability as Low while another rates it as Highly Critical. The lesson: to be serious about security, you have to read a lot to keep up with what’s really going on, and you cannot get comfortable with a single monitoring source (Secunia, for example, which in this case was very slow to assign an accurate severity to this Firefox vulnerability).
I think another lesson is to treat all vulnerabilities as important. It’s easy to see a vulnerability that doesn’t seem too bad (one that doesn’t allow remote code execution, for example) and file it away mentally. Then that vulnerability begins to be exploited in more severe ways, but you’re still mentally putting it off.
Of course, it doesn’t help that there are so many unpatched vulnerabilities. There are still 21 unpatched vulnerabilities in IE6.
SecuriTeam Blogs » The difficulties of (reading) vulnerability severity meters
IM and P2P Attack Increases According to FaceTime
0 Comments Published April 10th, 2006 in IM, IRC, Intrusion Detection/Prevention, P2P, Security
FaceTime has released their report analyzing attacks via IM, P2P, and Chat vectors. One thing I like about this report is that it’s fresh, comparing the first quarter of 2006 with all of 2005. FaceTime offers security appliances with a very specific focus, which is, surprise, the same areas highlighted in the report: IM, P2P, and Chat (IRC).
Like all reports, its statistics can be used to prove or disprove just about anything. As reports go, I found this one to contain lots of data and little context. Let me first provide the ‘grain of salt’ for this report, based on my semi-casual review of it.
The report states that:
The data used in this analysis are derived from server log files maintained by FaceTime Security Labs, the threat research and response arm of FaceTime; each individual incident report represents a detection of a security issue impacting one or more real-time communications channels on one day.
My interpretation of this is that the data used for the IMPact report comes from FaceTime users. I would guess that these users include those behind FaceTime’s security appliances and also those who use its free online spyware scanner at spywareguide.com.
With that in mind, the first graph shows one of the most alarming statistics:
Incidents of viruses and security threats have increased by almost 723% in Q1 2006 compared to the first quarter of 2005.
There were 55 reported incidents in Q1 2005, while 453 were reported in Q1 2006.
My issue is that both of these numbers seem low. I find it hard to believe that there were only 55 attacks through IM, P2P, or IRC vectors worldwide in the first quarter of 2005, and although 453 is a little more believable, I still find it low. I would guess these numbers are low because, as stated above, we’re only seeing data from FaceTime customers. I also presume that the increase in incidents from 2005 to 2006 is partly due to an increase in FaceTime users, or even to broadened FaceTime detection parameters.
Mini-summary: I’m sure that these types of attacks are on the increase, but I have a problem with the accuracy of this report’s picture of the situation.
That said, one of the stats was interesting to me:
In fact, the number of threats using P2P in the first quarter of 2006, at 180, has already surpassed the total number of P2P attacks in all of 2005, when 142 such attacks took place.
This highlights the creativity of malware distributors. As above, I feel these numbers could still be skewed by FaceTime’s data points, but counts of distinct threats will vary less than counts of attacks/incidents as the number of data points increases.
Conclusion: yes, implement security policies and enforcement for Instant Messaging, Peer-to-Peer, and IRC usage. But please also study reports carefully, especially those that come from security vendors!
Could your business comply with Security Breach Notification Legislation?
0 Comments Published March 30th, 2006 in Legal, Managed Services, Security
An article in Channel Insider explains that state legislation requiring companies to report data breaches strengthens the case for MSPs (Managed Service Providers). Mike Rothman provides a viewpoint in Security Incite Rants.
My thoughts on this are… who are we talking about here, the enterprise or SMBs? If the enterprise, I think this is a weak argument, since enterprises aren’t relying on VARs (reactive) for service; they have their own IT staff, and their first option is to bolster that. Seriously, would hiring an MSP reduce your company’s liability for breaches? Distribute it, maybe, but if you’ve ever seen an MSP contract, there are a lot of disclaimers.
If we’re talking about SMBs, the issue of liability exists whether the breached company reports or not. I don’t know what the penalty is for not reporting, but if you look at the breaches reported in California, you won’t find one small or medium business in there. An MSP is attractive for an SMB because it gets a proactive security provider (proactivity?), but I don’t really see liability for reporting as a major selling point.
As an MSP, I definitely like pro-MSP arguments, but this article was a little underwhelming. It seems the report was based on the recent MSP Alliance Expo; maybe they’re stretching the press on this event a little too far. More compelling arguments for MSPs can be found here.
Can You Control Skype?
2 Comments Published March 23rd, 2006 in Firewalls, Intrusion Detection/Prevention, Security, Skype, SonicWALL
Mike Rothman posted an article on Skype and the need to control it in many environments. His opinion is that it will be very difficult to control on the network side of things, and he recommends controlling it at the endpoint. I thought it would be a good time to point out that SonicWALL is very effective at blocking Skype at the gateway. In fact, SonicWALL’s IDS/IPS engine is extremely effective at blocking all types of P2P traffic. Amazing capabilities for the price.
PS: I really like Mike Rothman’s Security Incite Rants… I’ve only been reading them for a couple of weeks, but they offer very realistic and balanced viewpoints.
Evidence of another massive botnet - MetaFisher
0 Comments Published March 22nd, 2006 in Firewalls, Intrusion Detection/Prevention, Phishing, Security, Uncategorized
Here’s the deal. I do get irritated with the ‘media’ and ‘hype’. Because I’m in the network security arena, I frequently ask myself: is all the press about network attacks legitimate? Are the fears justified? Then I see something like this that settles it in my mind.
Some of you may remember the Windows WMF 0-day exploit. A quick recap: the exploit was discovered (at least publicly) on December 27th, 2005, and found in the wild just two days later. Microsoft patched it relatively quickly on January 5th, 2006. This one was nasty, not only because of its method of infection (simply browsing a website would trigger the vulnerability in Windows), but because antivirus vendors were very slow in providing patches. Nice page from Ilfak summarizing the extent of the exploit and the fixes.
The point, though, is that it’s hard to see how widespread an infection like this is until it’s clear what it’s being used for. In this case, many malicious parties used this exploit for many different purposes. But today, an article in Channelweb demonstrates that one particular attack using this exploit has apparently affected about one million computers. Again, this is just one discovered bot infestation that uses one particular exploit for one particular type of theft (targeting bank accounts).
The media coverage is justified. If you’re not adequately protected, it’s not just that you will be attacked; you could already have been hit. And you might not even know it.
UPDATE: Sure enough… exploits visible the next day. Here’s the SANS Report.
New IE Vulnerability [createTextRange()]
0 Comments Published March 22nd, 2006 in Intrusion Detection/Prevention, Microsoft, Security, Uncategorized
Another week, another Highly Critical IE vulnerability published by Secunia.
Secunia - Advisories - Microsoft Internet Explorer “createTextRange()” Code Execution
I recommend monitoring SANS for exploits of this vulnerability and Microsoft patch announcements.
Great post here by Alan Shimel that highlights how business owners are perceiving cybercrime from inside and outside the internal network.
According to a survey by Braun Research on behalf of IBM, out of over 2,400 IT managers, nearly 60% said that in their opinion cybercrime was more costly than traditional physical crime. Of even more interest to me was that almost three quarters of them said the greater threat came from their own users rather than from outside.
Infoworld UTM appliances review
0 Comments Published March 17th, 2006 in Firewalls, Security, SonicWALL
Keith Schultz of Infoworld has a good review of UTM appliances from Astaro, Fortinet, SonicWALL, and WatchGuard. The encouraging thing is that all the devices perform very well.
The biggest distinction, in my opinion, is that only the SonicWALL and the ServGate allow deep packet inspection across all types of traffic. The other devices rely on proxying, which limits the traffic that can be scanned to particular services. For example, some of the devices only allow antivirus scanning on the SMTP (email) port.
SonicWALL got the highest marks with its PRO2040. If you want to learn more about what a UTM appliance is, read this review!
Analysis of Reported Data Breaches
1 Comment Published March 16th, 2006 in Firewalls, Intrusion Detection/Prevention, Phishing, Security
The Privacy Rights Clearinghouse has a Chronology of Data Breaches since the first ChoicePoint incident in February 2005. I spent some time grouping the breaches into similar categories and analyzing the cause of each breach. This analysis covers the reported incidents from February 15, 2005 through March 14, 2006.
The categories I used are:
- Backup Loss (Loss or Theft of Backup Tapes or other Archived Data)
- Computer Loss (Loss or Theft of Laptops, Computers, or hard drives)
- ID Theft (Stolen user accounts or compromised passwords)
- Inside Data Theft (Theft of data from inside the company, malicious intent or violation of policy)
- Network Attack (compromised network or servers through various hacking methods)
- Self-Exposed (Exposure of information either accidentally or ignorantly through websites, email, or other public means)
These numbers are very conservative. If there was an estimate of those affected, I used the low number. If it was an unknown or undisclosed number, I did not include it. Here’s the breakdown:
- Network Attacks (43,470,180 affected) 81%
- Backup Loss (6,705,690 affected) 13%
- Inside Data Theft (1,378,450 affected) 3%
- Computer Loss (1,195,724 affected) 2%
- Self-Exposed (679,813 affected) 1%
- ID Theft (180,903 affected) 0%
The biggest single breach was the June 16, 2005 hack of CardSystems, which affected 40,000,000 individuals. It’s also interesting to note that Network Attacks were also the largest category by number of incidents, at 37%.
Darknet has compiled a list of the 10 best security live CD distributions. Some of them are intended more for forensics, but most are for penetration testing. Nice list!
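The tallying method described in this post (group each incident by cause, take the low end of any estimated range, leave undisclosed counts out of the affected totals, then compute shares both by people affected and by number of incidents) is easy to get subtly wrong, so here is an added example that implements it. This is example code written for this page, not the author’s own spreadsheet; the incident records are constructed, not taken from the Privacy Rights Clearinghouse chronology, and only the per-category totals in PAGE_TOTALS are the figures from the post above.

```python
from collections import defaultdict

# Constructed sample incidents (NOT real breaches): (category, affected), where
# affected is an int, a (low, high) range estimate, or None when undisclosed.
SAMPLE_INCIDENTS = [
    ("Network Attack", 40_000_000),
    ("Network Attack", (1_000, 5_000)),   # range estimate: low number is used
    ("Network Attack", None),             # undisclosed: counted as an incident only
    ("Backup Loss", 3_900_000),
    ("Backup Loss", (200_000, 1_200_000)),
    ("Computer Loss", 98_000),
    ("Computer Loss", None),
    ("Inside Data Theft", 145_000),
    ("Self-Exposed", (500, 700)),
    ("ID Theft", 2_400),
]

# Per-category affected totals as published in the post above.
PAGE_TOTALS = {
    "Network Attack": 43_470_180,
    "Backup Loss": 6_705_690,
    "Inside Data Theft": 1_378_450,
    "Computer Loss": 1_195_724,
    "Self-Exposed": 679_813,
    "ID Theft": 180_903,
}


def conservative_count(affected):
    """Apply the post's rule: the low end of a range, None if undisclosed."""
    if affected is None:
        return None
    if isinstance(affected, tuple):
        low, _high = affected
        return low
    return affected


def aggregate(incidents):
    """Return {category: (affected_total, incident_count)}.

    An undisclosed count still counts as one incident for the category, but
    contributes nothing to the affected total.
    """
    totals = defaultdict(lambda: [0, 0])
    for category, affected in incidents:
        totals[category][1] += 1
        n = conservative_count(affected)
        if n is not None:
            totals[category][0] += n
    return {c: (a, k) for c, (a, k) in totals.items()}


def shares(values):
    """Whole-percent share of each key in a dict of non-negative counts."""
    grand = sum(values.values())
    if grand == 0:
        return {k: 0 for k in values}
    return {k: round(100 * v / grand) for k, v in values.items()}


def breakdown(incidents):
    """Affected totals plus shares by people affected and by incident count."""
    agg = aggregate(incidents)
    affected = {c: a for c, (a, _) in agg.items()}
    counts = {c: k for c, (_, k) in agg.items()}
    return {
        "affected": affected,
        "affected_share": shares(affected),
        "incident_share": shares(counts),
    }


if __name__ == "__main__":
    result = breakdown(SAMPLE_INCIDENTS)
    for cat in sorted(result["affected"], key=result["affected"].get, reverse=True):
        print(f"{cat:18s} {result['affected'][cat]:>11,} affected "
              f"{result['affected_share'][cat]:>3}% of people "
              f"{result['incident_share'][cat]:>3}% of incidents")
    # Reproduces the 81/13/3/2/1/0 split quoted in the post from its own totals.
    print(shares(PAGE_TOTALS))
```

Note that the two rankings can disagree: in the constructed sample, Network Attack dominates people affected (one very large breach) while the incident-count shares are far flatter, which is exactly why the post reports both numbers.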
10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery)
You are currently browsing the exclamake! blog archives.