Posts Tagged ‘spam’
It’s been a busy year for IT security incidents. Yesterday, John Markoff and Nicole Perlroth with The New York Times told us about yet another incident, this time a cyberattack involving antispam group Spamhaus and an anonymous group unhappy with their efforts.
But the list goes on and on. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations have been inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents, which had already hit a new high in 2011, continued its upward trajectory.
At the mid-year of 2012, IBM’s X-Force team predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case. While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection.
What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives. Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, X-Force looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices.
That said, recent developments have indicated that while these dangers still exist, X-Force believes mobile devices should be more secure than traditional user computing devices by 2014. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
In its latest report, X-Force explores how security executives are advocating the separation of personas or roles on employee-owned devices. It also addresses some secure software mobile application development initiatives that are taking place today. The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose.
Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems.
Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
As X-Force also reported in the mid-year, spam volume remained nearly flat in 2012, with India the top country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts, continue to fool end users with crafty social-engineering email messages that look like they come from legitimate businesses. Also, fake banking alerts and package delivery service emails have been effective as attackers refine their messages to look like the authentic messages that customers might normally receive.
Whether the target is individuals or the enterprise, once again, X-Force reminds organizations that many breaches were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.
Web applications are still topping the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end of year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of all publicly released vulnerabilities. Although SQL injection attack methods remain as a top attack technique, the actual disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak X-Force recorded.
Social media has dramatically changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities.
Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.
2012 X-Force Trend And Risk Report Highlight
Malware and the malicious web
- In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display.
- Based on data for 2012, it is not surprising that the bulk of the security incidents disclosed were carried out with the majority of attackers going after a broad target base while using off-the-shelf tools and techniques. X-Force attributes this to the wide public availability of toolkits and to the large number of vulnerable web applications that exist on the Internet.
- The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the implementation of botnets on compromised web servers residing in high bandwidth data centers. This technique assisted in much higher connected uptime as well as having more bandwidth than home PCs to carry out the attacks.
- In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.
- IBM Managed Security Services (MSS) security incident trends are markers that represent the state of security across the globe. The relative volume of the various alerts can help to describe how attacks are established and launched. They also frequently provide hints about how methods have evolved. Based on this, the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet.
- IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic due, in large part, to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets.
- Web browser exploit kits (also known as exploit packs) are built for one particular purpose: to install malware on end-user systems. In 2012 X-Force observed an upsurge in web browser exploit kit development and activity, the primary target of which is Java vulnerabilities, and X-Force supplies some strategies and tips to help protect against future attacks (see end of post to download full report).
- Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform, a rare combination that affords attackers a lot of value for their investment.
Web content trends, spam, and phishing
Web content trends
- Top used websites are readily deployed as IPv6-ready, although attackers do not yet seem to be targeting IPv6 on a large scale.
- One third of all web access is done on websites which allow users to submit content such as web applications and social media.
- Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information.
Spam and phishing
- Spam volume remained nearly flat in 2012.
- India remains the top country for distributing spam, sending out more than 20% of all spam in the autumn of 2012. Following India was the United States where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam sending countries of origin were Vietnam, Peru, and Spain.
- At the end of 2012, IBM reports that traditional spam is on the retreat, while scam and spam containing malicious attachments are on the rise. In addition, attackers are demonstrating more resiliency to botnet takedowns, which results in an uninterrupted flow of spam volume.
Operational Security Practices
Vulnerabilities and exploitation
- In 2012, there were over 8,168 publicly disclosed vulnerabilities. While not the record amount X-Force expected to see after reviewing its mid-year data, it still represents an increase of over 14% over 2011.
- Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012.
- Cross-site scripting vulnerabilities accounted for over half of the total web application vulnerabilities disclosed in 2012. Cross-site scripting dominated the web vulnerability disclosures. Fifty-three percent of all publicly released web application vulnerabilities were cross-site scripting related. This is the highest rate X-Force has ever seen. This dramatic increase occurred while SQL injection vulnerabilities enjoyed a higher rate than 2011 but were still down significantly since 2010.
- There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels.
- Web browser vulnerabilities declined slightly for 2012, but not at as high a rate as document format issues. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical severity web browser vulnerabilities saw an increase of 59% for the year.
- Few innovations have impacted the way the world communicates quite as much as social media. However, with the mass interconnection and constant availability of individuals, new vulnerabilities and a fundamental shift in intelligence-gathering capabilities have provided attackers and security professionals alike with information useful for enhancing their activities.
- Rather than seeing a particular enterprise as an individual entity, attackers can view enterprises as a collection of personalities. This gives attackers the opportunity to target specific people rather than enterprise infrastructures or applications. Furthermore, targeted people may also be targeted as individuals and not just as employees. In other words, the personal activities and lives of employees can be leveraged to target an enterprise.
Emerging Trends In Security
- Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
- Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number of enterprises have wanted or required some form of separation or dual persona on mobile devices. This difference in use or adoption could be the result of greater numbers of devices driving greater risk in the percentage of personally owned mobile devices versus personally owned PCs in a BYOD program.
- In many cases, enterprises have made significant investments into implementing Secure Software Development Life Cycle (SSDLC) processes. Today’s mobile application development benefits from this. Tools exist to support secure development as part of the process instead of being conducted in qualification or production. As a result, it should be more common for enterprises to have more securely developed mobile applications than their existing legacy applications. Closure of vulnerabilities in some traditional computing applications may only conclude as existing versions are sunset and replaced with newer, more securely developed replacements.
- Over 2012, it is safe to conclude that more enterprises are supporting BYOD or the use of personally owned devices than previously. In the last two years, IBM Security has spoken to hundreds of global 2000 customers and out of those interviewed, only three said they had no plans to implement any kind of BYOD program.
To learn more on how your organization can work to address these types of vulnerabilities, download the full IBM X-Force 2012 Trend And Risk Report here.
IBM’s 2011 “Five in Five”: Innovations That Could Change The World (And A Little Monty Python Thrown In For Good Measure)
Before I get to the business news of the day, let me send a hearty congratulations to U.K. golfer Ian Poulter, who won the Australian Masters yesterday and outgunned Aussie’s own Geoff Ogilvy, who was attempting to take the tourney on his boyhood course.
Poulter was two strokes behind Ogilvy heading into the final round and closed with a 4-under 67 on a very windy Victoria Golf Club.
Nice win, Poulter. Poulter should have plenty of Aussie dollars to head out for a little X-mas shopping, and perhaps he’d like to invite English striker Darren Bent to join him for a little shopping.
Bent was busted on the sidelines of Sunday’s game against Liverpool for doing a little online shopping (his team was losing), even though he was out for the day due to injury. Otherwise, Bent is Villa’s leading scorer, to which I say, “A goal a day helps keep the Xmas cash register away!”
But enough of sport. It’s time to get serious. And IBM’s latest “IBM 5 in 5,” a list of innovations that have the potential to change the way people work, live and interact during the next five years, has arrived just in time for the holidays.
We’ll take them one at a time.
Watch the 5-minute video above for a quick fly-by of IBM’s 2011 “5 in 5” innovations.
1. People power will come to life.
No, we don’t mean protests in the streets of Egypt or Libya, although that is certainly a worthwhile sort of people power. We’re talking about real people power, anything that moves or produces heat and which has the potential to create energy that can be captured.
Walking. Jogging. Bicycling. The heat from your computer. Even the water flowing through your pipes.
Advances in renewable energy technology will allow individuals to collect this kinetic energy, which now goes to waste, and use it to help power our homes, offices and cities.
Imagine attaching small devices to the spokes on your bicycle wheels that recharge batteries as you pedal along.
You will have the satisfaction of not only getting to where you want to go, but at the same time powering some of the lights in your home.
Created energy comes in all shapes and forms and from anything around us. IBM scientists in Ireland are looking at ways to understand and minimize the environmental impact of converting ocean wave energy into electricity.
2. You will never need a password again.
I’m paying special and close attention to this one. I have so many IDs and passwords I don’t know when I’m coming or going, and my new favorite pastime is emailing web sites to request they send me an email reminder or password reset.
In this “5,” your biological makeup is the key to your individual identity, and soon, it will become the key to safeguarding it.
So to speak. No, you will no longer need to create, track or remember multiple passwords for various log-ins.
Imagine you will be able to walk up to an ATM machine to securely withdraw money by simply speaking your name or looking into a tiny sensor that can recognize the unique patterns in the retina of your eye.
Or by doing the same, you can check your account balance on your mobile phone or tablet.
Each person has a unique biological identity and behind all that is data. Biometric data (facial definitions, retinal scans and voice files) will be composited through software to build your DNA-unique online password.
Referred to as multi-factor biometrics, smarter systems will be able to use this information in real-time to make sure whenever someone is attempting to access your information, it matches your unique biometric profile and the attempt is authorized.
To be trusted, such systems should enable you to opt in or out of whatever information you choose to provide.
3. Mind reading is no longer science fiction.
Hey, get out of my head! I see what you’re trying to do! It won’t work…well, maybe…it…won’t.
But maybe it will!
From Houdini to Skywalker to X-Men, mind reading has merely been “wishful thinking” for science fiction fans for decades, but their wish may soon come true.
IBM scientists are among those researching how to link your brain to your devices, such as a computer or a smartphone. If you just need to think about calling someone, it happens.
Or you can control the cursor on a computer screen just by thinking about where you want to move it.
Scientists in the field of bioinformatics have designed headsets with advanced sensors to read electrical brain activity that can recognize facial expressions, excitement and concentration levels, and thoughts of a person without them physically taking any actions.
Within 5 years, we will begin to see early applications of this technology in the gaming and entertainment industry.
Furthermore, doctors could use the technology to test brain patterns, possibly even assist in rehabilitation from strokes and to help in understanding brain disorders, such as autism.
4. The digital divide will cease to exist.
You’ve heard of the digital divide? Well, get ready to see that divide get split in half…or even divided into infinity.
In our global society, growth and wealth of economies are increasingly decided by the level of access to information.
And in five years, the gap between information haves and have-nots will narrow considerably due to advances in mobile technology.
There are 7 billion people inhabiting the world today. In five years there will be 5.6 billion mobile devices sold – which means 80% of the current global population would each have a mobile device.
As it becomes cheaper to own a mobile phone, people without a lot of spending power will be able to do much more than they can today.
For example, in India, using speech technology and mobile devices, IBM enabled rural villagers who were illiterate to pass along information through recorded messages on their phones.
With access to information that was not there before, villagers could check weather reports to help them decide when to fertilize crops, know when doctors were coming into town, and find the best prices for their crops or merchandise.
Growing communities will be able to use mobile technology to provide access to essential information and better serve people with new solutions and business models such as mobile commerce and remote healthcare.
5. Junk mail will become priority mail.
Do you remember the original spam, the one that led to the Internet terminology? It was a reference to a 1970s Monty Python sketch set in a cafe where nearly every item on the menu included Spam canned luncheon meat.
As the waiter recited the Spam-filled menu, a chorus of Viking patrons drowns out all conversations with a song repeating “Spam…Spam….Spam…” You get the picture?
Now, think about how often we’re flooded with advertisements we consider to be irrelevant or unwanted. It may not be that way for long.
In five years, unsolicited advertisements may feel so personalized and relevant it may seem spam is dead. At the same time, spam filters will be so precise you’ll never be bothered by unwanted sales pitches again.
Imagine if tickets to your favorite band are put on hold for you the moment they became available, and for the one night of the week that is free on your calendar.
Through alerts direct to you, you’ll be able to purchase tickets instantly from your mobile device. Or imagine being notified that a snow storm is about to affect your travel plans and you might want to re-route your flight?
IBM is developing technology that uses real-time analytics to make sense of and integrate data from across all the facets of your life, such as your social networks and online preferences, to present and recommend information that is only useful to you.
From news, to sports, to politics, you’ll trust the technology will know what you want, so you can decide what to do with it.
Congrats to India on their Cricket World Cup victory over Sri Lanka. You’ve had a whole long weekend to celebrate, so let’s get back to work, shall we? : )
Because as it turns out, the most recent IBM X-Force Trend and Risk Report (2010 edition) suggests there’s still plenty of work to do, at least on the IT security front.
The IBM X-Force Trend and Risk Report is an annual assessment of the security landscape, designed to help clients better understand the latest security risks, and stay ahead of these threats. The report gathers facts from numerous intelligence sources, including its database of over 50,000 computer security vulnerabilities, its global Web crawler and its international spam collectors, and the real-time monitoring of 13-billion security events every day for nearly 4,000 clients in more than 130 countries.
These 13-billion events monitored each day – more than 150,000 per second – are a result of the work done in IBM’s nine global Security Operations Centers (SOCs), which is provided as a Managed Security Service to clients.
IBM X-Force’s Tom Cross explains the most recent results of IBM’s global security study. High on this past year’s list of security concerns: Cloud computing and mobile devices (including the exposure presented by smartphones).
150,000 Security Threats Per Second
Based on the intelligence gathered through research of public vulnerability disclosures, and the monitoring and analysis of more than 150K security events per second during every day of 2010, here are the headlines from the latest X-Force report:
- More than 8,000 new vulnerabilities were documented, a 27 percent rise from 2009. Public exploit releases were also up 21 percent from 2009 to 2010. This data points to an expanding threat landscape in which sophisticated attacks are being launched against increasingly complex computing environments.
- Spam volume leveled off by the end of 2010 (as compared to its historically high growth rate). This indicates that spammers may be seeing less value from increasing the volume of spam, and instead are focusing on making sure it is bypassing filters.
- “Spear phishing,” a more targeted attack technique, was on the rise in 2010, even though there were significantly fewer phishing attacks relative to previous years. This suggests that cyber crooks are focusing more on quality of attacks, rather than just quantity.
- End user adoption of smartphones and other mobile devices demonstrated a rise in vulnerability disclosures and exploits that target these devices. IT security departments, of course, have been struggling to determine the right way to bring these devices safely into corporate networks.
In conjunction with this year’s report, IBM is launching the IBM Institute for Advanced Security in Europe to combat growing security threats in the region. The IBM X-Force report stated that in 2010, nearly a quarter of all financial phishing emails targeted banks located in Europe. It also identified the UK, Germany, Ukraine and Romania among the top 10 countries sending spam in 2010.
This Institute joins its predecessor in Washington, D.C., focused on U.S. clients.
Emerging Security Threats In Cloud Computing, Mobile
A new section in the IBM X-Force Trend and Risk Report is dedicated to the security trends and best practices for the emerging technologies of mobile devices and cloud computing. The report highlighted a shift in perception about cloud security as adoption continued to evolve and knowledge around this emerging technology increased. Since security is still considered an inhibitor to cloud adoption, cloud providers must earn their customers’ trust.
Organizations are also increasingly concerned about the security implications of personal mobile devices used by employees. Organizations must ensure control of their data regardless of where it is, including employee-owned or business-issued smartphones.
In 2010, IBM X-Force documented increases in the volume of vulnerabilities disclosed in mobile devices as well as the disclosure of exploits that target them. The desire to “jailbreak” or “root” mobile devices has motivated the distribution of mature exploit code that has been reused in malicious attacks.
Nevertheless, malware is not yet common on the latest generation of mobile devices and most IT professionals view the data stored on them and how that can be misused or lost as the main security threats associated with these devices. According to the IBM X-Force Report, best practices for mobile security are evolving with enhanced password management and data encryption capabilities.
Additional trends highlighted in the report included:
- The new, sophisticated face of cyber crime — From a security standpoint, 2010 is most remembered as a year marked by some of the most high profile, targeted attacks that the industry has ever witnessed. For example, the Stuxnet worm demonstrated that the risk of attacks against highly specialized industrial control systems is not just theoretical. These types of attacks are indicative of the high level of organization and funding behind computer espionage and sabotage that continues to threaten a widening variety of public and private networks.
- Web applications accounted for nearly half of vulnerabilities disclosed in 2010 — Web applications continued to be the category of software affected by the largest number of vulnerability disclosures, representing 49 percent in 2010. The majority represented cross site scripting and SQL injection issues, and the IBM X-Force data showed that these vulnerabilities are being targeted by attackers. According to the report results, every summer for the past three years there has been a globally scaled SQL injection attack some time during the months of May through August. The anatomy of these attacks has been similar across the board, targeting .asp pages that are vulnerable to SQL injection.
- A secure by design approach can improve security — IBM X-Force has determined that taking proactive steps to evaluate web application security and improve development and quality assurance processes can result in a significant improvement in the security of web application software. The report included data showing that web applications scanned for vulnerabilities often showed significant improvements upon being retested – exhibiting less than half of the number of particular classes of vulnerabilities, on average, the second time they are assessed. This encouraging information points the way toward sustained improvements in Internet security.
- Nearly half of vulnerabilities remain unpatched – To help prevent attackers from exploiting vulnerabilities, organizations must focus on shortening the window of time between vulnerability disclosure and patch installation. Forty-four percent of all security vulnerabilities had no vendor-supplied patch at the end of 2010. However, even in cases where patches are made available on the same day that a vulnerability is publicly disclosed, there may be a significant gap in time before those patches are installed on vulnerable systems. Computer criminals often privately develop exploits that target publicly disclosed security vulnerabilities, and use those exploits to launch attacks. Later, when these private exploits have ceased to be valuable as attack tools, they are publicly disclosed. The IBM X-Force report data showed that exploits are often publicly disclosed tens or hundreds of days after the vulnerabilities they target. If it is taking a long time for these exploits to surface, it may be taking a long time for networks to patch.
- Continued growth of Internet botnets – IBM X-Force saw an upward trend in Trojan botnet activity during 2010. This growth is significant because despite increasing coordinated efforts to shut down botnet activity, this threat appeared to be gaining momentum. However, IBM X-Force’s data did illustrate the dramatic impact of a successful effort in early 2010 to shut down the Waledac botnet, which resulted in an instantaneous drop off in observed command and control traffic. On the other hand, the Zeus botnet continued to evolve and constituted a significant portion of the botnet activity detected by IBM X-Force in 2010. Due to its extreme popularity with attackers, there are hundreds, or even thousands, of separate Zeus botnets active at any given time. The Zeus botnet malware is commonly used by attackers to steal banking information from infected computers.
To help address these challenges, IBM now has nine worldwide research labs innovating security technology and nine security operations centers around the world. These are designed to help global clients maintain the appropriate security posture.
Click here to access the 2010 IBM X-Force Trend and Risk report.
You can find more information on IBM Security Solutions at www.ibm.com/security.