Archive for March 2013
Batten Down The Hatches! IBM’s X-Force 2012 Trend And Risk Report
It’s been a busy year for IT security incidents. Yesterday, John Markoff and Nicole Perlroth with The New York Times told us about yet another incident, this time a cyberattack involving antispam group Spamhaus and an anonymous group unhappy with their efforts.

Based on disclosed incident details such as the vulnerability used and the attack type, IBM X-Force was able to determine that the majority of the security incidents disclosed in 2012 fell into the top left quadrant of the chart above: attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.
But the list goes on and on. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations have been inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents—which had already hit a new high in 2011—continued its upward trajectory.
At the mid-year of 2012, IBM’s X-Force team predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case. While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection.
What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives. Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, X-Force looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices.
That said, recent developments indicate that while these dangers still exist, X-Force believes mobile devices should be more secure than traditional user computing devices by 2014. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
In its latest report, X-Force explores how security executives are advocating the separation of personas or roles on employee-owned devices. It also addresses some secure mobile application development initiatives that are taking place today. The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose.

The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites, and because they are so frequently accessed, they have become a favorite target for scams and phishing.
Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems.
Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
As X-Force also reported in the mid-year, spam volume remained nearly flat in 2012, with India claiming the top spot as country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts, continue to fool end users with crafty social-engineering email messages that appear to come from legitimate businesses. Also, fake banking alerts and package delivery service emails have been effective as attackers refine their messages to look like the authentic messages that customers might normally receive.
Whether the target is individuals or the enterprise, once again, X-Force reminds organizations that many breaches were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.
Web applications are still topping the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end of year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of all publicly released vulnerabilities. Although SQL injection attack methods remain as a top attack technique, the actual disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak X-Force recorded.
Social media has dramatically changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities.
Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.

The values for the evaluated threat and residual threat can be determined by comparing the likelihood or frequency of a threat occurring (high, medium, low) against the damage impact that could happen if the threat occurred (catastrophic, high, medium, low). The goal is to implement mitigation processes that either reduce the frequency of the threat occurring or reduce the impact if the threat does occur. A requirement for this to be successful is to have a specific, designated monitoring mechanism that tracks both the implementation of the treatment processes and the appearance of the threats.
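As an added example that is not part of the X-Force report or this post, here is a small Python model of the evaluated-versus-residual threat calculation described above: mitigations pull either the likelihood or the impact down the scale, and any treatment without a designated monitoring mechanism is flagged. The numeric scores, the rating bands and the sample SQL injection threat are assumptions for illustration; the report names only the scale labels.

```python
"""Evaluated vs. residual threat, following the likelihood x impact approach
in the X-Force report. Scores and bands below are assumed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ordinal scales taken from the report; rank = index + 1 (assumed numeric mapping)
LIKELIHOOD = ["low", "medium", "high"]
IMPACT = ["low", "medium", "high", "catastrophic"]


def rating(likelihood: str, impact: str) -> Tuple[int, str]:
    """Return (score, band). Score = likelihood rank * impact rank; bands assumed."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)
    if score >= 9:
        band = "critical"
    elif score >= 6:
        band = "high"
    elif score >= 3:
        band = "medium"
    else:
        band = "low"
    return score, band


@dataclass
class Mitigation:
    name: str
    reduces: str                    # "frequency" or "impact": the two levers in the report
    steps: int = 1                  # how many scale levels the treatment moves the threat down
    monitor: Optional[str] = None   # designated monitoring mechanism (required per the report)


@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str
    mitigations: List[Mitigation] = field(default_factory=list)

    def evaluated(self) -> Tuple[int, str]:
        """Threat rating before any treatment is applied."""
        return rating(self.likelihood, self.impact)

    def residual(self) -> Tuple[int, str]:
        """Threat rating after each mitigation lowers likelihood or impact (floored at 'low')."""
        lk = LIKELIHOOD.index(self.likelihood)
        im = IMPACT.index(self.impact)
        for m in self.mitigations:
            if m.reduces == "frequency":
                lk = max(0, lk - m.steps)
            elif m.reduces == "impact":
                im = max(0, im - m.steps)
            else:
                raise ValueError("unknown lever: %r" % m.reduces)
        return rating(LIKELIHOOD[lk], IMPACT[im])

    def unmonitored(self) -> List[str]:
        """Treatments with no monitoring mechanism; the report calls this a requirement."""
        return [m.name for m in self.mitigations if not m.monitor]


# Constructed sample threat: SQL injection against an Internet-facing web app,
# the "tried and true" technique the report says many 2012 breaches relied on.
SQLI = Threat(
    "SQL injection against customer web app", likelihood="high", impact="catastrophic",
    mitigations=[
        Mitigation("parameterised queries in data layer", "frequency", steps=2,
                   monitor="code review gate + SAST in CI"),
        Mitigation("WAF signature set", "frequency", steps=1,
                   monitor="daily WAF alert review"),
        Mitigation("DB least privilege + field-level encryption", "impact", steps=2),
    ],
)

if __name__ == "__main__":
    print("evaluated:", SQLI.evaluated())          # (12, 'critical')
    print("residual: ", SQLI.residual())           # (2, 'low')
    print("unmonitored:", SQLI.unmonitored())      # the encryption control has no monitor
```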
2012 X-Force Trend And Risk Report Highlights
Malware and the malicious web
- In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display.
- Based on data for 2012, it is not surprising that the bulk of the security incidents disclosed were carried out with the majority of attackers going after a broad target base while using off-the-shelf tools and techniques. X-Force attributes this to the wide public availability of toolkits and to the large number of vulnerable web applications that exist on the Internet.
- The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the implementation of botnets on compromised web servers residing in high bandwidth data centers. This technique provided much higher connected uptime as well as more bandwidth than home PCs to carry out the attacks. In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.
- IBM Managed Security Services (MSS) security incident trends are markers that represent the state of security across the globe. The relative volume of the various alerts can help to describe how attacks are established and launched. They also frequently provide hints about how methods have evolved. Based on this, the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet.
- IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic due, in large part, to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets.
- Web browser exploit kits (also known as exploit packs) are built for one particular purpose: to install malware on end-user systems. In 2012 X-Force observed an upsurge in web browser exploit kit development and activity—the primary target of which are Java vulnerabilities—and X-Force supplies some strategies and tips to help protect against future attacks (see end of post to download full report).
- Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform—a rare combination that affords attackers a lot of value for their investment.
Web content trends, spam, and phishing
Web content trends
- Top used websites are readily deployed as IPv6-ready, although attackers do not yet seem to be targeting IPv6 on a large scale.
- One third of all web access is done on websites which allow users to submit content such as web applications and social media.
- Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information.
Spam and phishing
- Spam volume remained nearly flat in 2012.
- India remains the top country for distributing spam, sending out more than 20% of all spam in the autumn of 2012. Following India was the United States where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam sending countries of origin were Vietnam, Peru, and Spain.
- At the end of 2012, IBM reports that traditional spam is on the retreat, while scams and spam containing malicious attachments are on the rise. In addition, attackers are demonstrating more resiliency to botnet takedowns, which results in an uninterrupted flow of spam volume.
Operational Security Practices
Vulnerabilities and exploitation
- In 2012, there were over 8,168 publicly disclosed vulnerabilities. While not the record amount X-Force expected to see after reviewing its mid-year data, it still represents an increase of over 14% over 2011.
- Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012.
- Cross-site scripting dominated the web vulnerability disclosures: fifty-three percent of all publicly released web application vulnerabilities in 2012 were cross-site scripting related, the highest rate X-Force has ever seen. This dramatic increase occurred while SQL injection vulnerability disclosures rose above their 2011 level but were still down significantly from 2010.
- There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels.
- Web browser vulnerabilities declined slightly in 2012, though not at as high a rate as document format issues. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical-severity web browser vulnerabilities increased by 59% for the year.
- Few innovations have impacted the way the world communicates quite as much as social media. However, with the mass interconnection and constant availability of individuals, new vulnerabilities and a fundamental shift in intelligence-gathering capabilities have provided attackers and security professionals alike with information useful for enhancing their activities.
- Rather than seeing a particular enterprise as an individual entity, attackers can view enterprises as a collection of personalities. This gives attackers the opportunity to target specific people rather than enterprise infrastructures or applications. Furthermore, targeted people may also be targeted as individuals and not just as employees. In other words, the personal activities and lives of employees can be leveraged to target an enterprise.
Emerging Trends In Security
Mobile
- Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
- Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number of enterprises have wanted or required some form of separation or dual persona on mobile devices. This difference in adoption could be the result of the far larger share of personally owned mobile devices, versus personally owned PCs, in a BYOD program driving greater risk.
- In many cases, enterprises have made significant investments into implementing Secure Software Development Life Cycle (SSDLC) processes. Today’s mobile application development benefits from this. Tools exist to support secure development as part of the process instead of being conducted in qualification or production. As a result, it should be more common for enterprises to have more securely developed mobile applications than their existing legacy applications. Closure of vulnerabilities in some traditional computing applications may only conclude as existing versions are sunset and replaced with newer, more securely developed replacements.
- Over 2012, it is safe to conclude that more enterprises are supporting BYOD or the use of personally owned devices than previously. In the last two years, IBM Security has spoken to hundreds of global 2000 customers and out of those interviewed, only three said they had no plans to implement any kind of BYOD program.
To learn more on how your organization can work to address these types of vulnerabilities, download the full IBM X-Force 2012 Trend And Risk Report here.
Tiger’s New Old Game
The last time Tiger Woods was the number one ranked golfer in the world was October 2010. That’s a grand total of 29 months ago.
That all changed this week at Arnold Palmer’s Bay Hill Invitational, which Tiger Woods won running away at -13. That’s Woods’ eighth time to win the same PGA tournament.
Justin Rose gave Woods his best, but faltered on Saturday before attempting a comeback on Monday’s round (after torrential storms in and around Orlando postponed play on Sunday), and Ricky Fowler tried to match Woods’ performance in the final grouping, but Woods’ irons were too much for Fowler and all the “chasers.”
And then there was Woods’ putting, which was nothing short of masterful. For the week, he made 19 of 28 putts between 7 and 20 feet. It was like the Tiger of old — the golf ball seemed to just follow a line from Woods’ putter to the middle of the hole, over and over and over again.
You could hear professional golfers around the globe simply deflate with each stroke of Tiger’s Nike Method putter.
So, Tiger now has 77 PGA Tour wins, only 5 away from legend Sam Snead’s 82.
And then there’s The Masters coming up in Augusta in mid-April, the golfing equivalent of the Super Bowl.
You think a few odds makers in Vegas now have Tiger to win this year’s Masters?
Not that I would ever gamble on such a thing, but money does talk, and in this case, online casino Bovada already has Tiger at 11/4 odds to take this year’s green jacket.
But since this is a data driven, technology-oriented blog, let’s look at a few more numbers.
Bleacher Report’s Ryan Rudnansky observes that in 2010, Tiger ranked 109th in putting (strokes gained). 45th in 2011. 36th last year. And this year?
You got it? Numero uno.
At Doral, he recorded just 100 putts for the 72 holes, the lowest putting mark in his career.
Oh, yes, and he’s won three times this year in four stroke-play tournaments (we’ll disregard his nasty bit of business at the Accenture Match Play, where Charles Howell III ousted him in the first match).
Is Tiger’s taking the Masters in two weeks a done deal?
Of course not.
Would I pick him over all the other players in the field?
What do you think?
A Mobile Summary
I’m going to have to start naming this “Mobile Monday.”
Because on Mondays, it seems like there’s always something of import to occur within the mobile space.
I guess one could say that for every other day of the week, and maybe it just seems more notable to me on Mondays.
In today’s case, it was Yahoo’s announced acquisition of Summly, a mobile app that has a unique algorithm which helps summarize news stories and which was started by a 15 year-old programmer, Nick D’Aloisio. Summly took Apple’s “Best Apps of 2012” award for Intuitive Touch capability.
So of course the first thing that will happen post acquisition is that the app will be REMOVED from the App Store starting today.
Does that seem counterintuitive or is it just me?
Kid writes app, app receives a gazillion downloads, Yahoo buys app, makes kid rich, Yahoo removes app from App Store.
Only in the tech industry.
The idea, of course, being that someday soon the capabilities of Summly will find themselves embedded in other Yahoo apps. Yeah, and I’ve got some great swamp land in south Florida that I’d like to show you.

Turbo recently shelled out a little over a hundred bucks for the daskeyboard Professional Model S. This keyboard features Mac-specific functions such as media controls, brightness controls, command and alt/option keys, eject and clear keys. The Professional Model S for Mac is “plug and play” with Mac computers and updated to also include media controls.
On the topic of mobile, nobody’s ever really created a good mobile Bluetooth keyboard that’s portable and, preferably, folds up…and I’ve tried just about all of them…Kickstarter, anyone?
But I am VERY happy with my new daskeyboard keyboard, which I’m going to tell you all about now.
When I’m working at home, it’s like hearing a machine gun emanating from my office (They don’t call me Turbo for nothin’, and it mostly had to do with my typing speed…How else would you expect me to be able to generate all these blog posts!?)
I saw daskeyboards for the first time last year at SXSW, but I was able to contain my credit card. This year, I decided to jump in headfirst.
With a discount, I was able to get the daskeyboard Pro Model S for about $100, and though that might seem like a lot for a keyboard, when you spend as much time every day in front of a computer as I do, it seemed like a pretty good investment at the time — and that turned out to be the case.
Remember those original IBM AT and XT (and later, PS/2) computers where you could use those clickety-clack Model M keyboards? Well, daskeyboard has reinvented that PC keyboarding past, and you can now go clickety-clack at 90 words per minute with the lightest, softest, but clickiest touch you can imagine.
Only this time, you can do it on both Macs and PCs, and you can do it all in black.
Brackets And Blades
I haven’t done my brackets yet because I only started paying attention to NCAA men’s basketball oh, say, about five minutes ago.
I was too busy watching Kevin Streelman win his first PGA Tour event ever down in Tampa Bay.
My favorite Bubba golfer, Boo Weekley, had trounced into the clubhouse with a record 63 (that is, in a final round at Copperhead), and had to sit around and wait a couple of hours to see if Streelman could “streel” his resolve and hang on to the lead (when Boo could have gone fishing the rest of the afternoon…Gotta love those Southern boys!).
Well, hold on Streelman did, shooting a total of ten under and striking a brilliant and bold 5-iron draw shot on the par 3 13th some 200 yards, planting it just past the pin and nailing the birdie that took him to 9 under.
It was a long road for Streelman to take his first PGA win: some 400,000+ miles on American highways long.
Streelman went through three cars driving around the country “dead broke” as he chased his golf dream — yesterday, it all paid off, and couldn’t have happened to a nicer, more deserving guy. Here’s to many more, Kevin.
As for my own golf game, I’ve decided to keep my Ben Hogan 1988 “redline” blades in the bag…well, mostly.
Yesterday, down in Wimberley, I shot an atrocious 50 on the front nine, which I’ll blame mostly on some exceptionally bad chipping (not to mention undulating sloped greens).
However, on the back nine, my iron play came alive and it struck me why so many Tour players continue to play with bladed irons.
Assuming you can find the center of the club with the ball, and actually strike the thing, the ball flight is nothing short of gorgeous with blades, and I’m finding the additional height is very helpful in cruising over certain tall objects, namely trees, in search of the green stuff.
Don’t let anyone tell you amateurs don’t have the chops to play with blades! It just takes a lot of work and perseverance, but it can also be very well worth the effort.
I hit several greens in regulation on the back nine by hoisting some smooth, high-arc shots with a slight draw, planting them nicely a couple of times in birdie territory, but otherwise still getting close to or on the greens.
Now, I’ve just got to go teach myself how to chip again.
So here’s now what’s in my bag: TaylorMade Rocketballz driver (adjusted at 9.5 degrees), a TaylorMade RBZ 3-wood, an old TaylorMade 5-wood, a Nike hybrid (I forget the loft, but I hit it around 200-220 yards), 5-6-7-8-9 Ben Hogan “Redline” blades, 3-4 Mizuno MP-25 irons and PW, Mizuno 56-degree wedge, a Vokey 60 degree wedge, and an Odyssey White Hot “Rossie” putter.
My handicap index is now a flat 12, but I am bound and determined to get into single digits over the next couple of years.
Back to the NCAA brackets: Despite Austin’s hosting the second round South play, there aren’t any Texas teams in the mix, so I’m going this year with my other all time favorite, Duke.
If you want to use some high tech for your own bracket picks, WPTV.com out of West Palm Beach has a list of several smartphone and tablet apps you can use to make your picks.
Spaceships, Aliens, And Androids: The Scott & Todd SXSW 2013 Podcast Debrief
Scott Laningham and I first met around six years ago at SXSW Interactive. Scott was already well known for his developerWorks podcast series and blog, and he was walking around the conference talking to people, so we decided to sit down and do a podcast discussing all the cool things we’d seen and learned about during the conference.
It was the beginning of a wonderful and still ongoing collaboration, and since that time, Scott and I have shared the stage at numerous IBM conferences, interviewing industry luminaries, IBM executives and business partners, and other thought leaders.
But we always come back to SXSW Interactive. And so it was with 2013.
Scott and I sat down on Friday via Skype and chatted for nearly 30 minutes about all the interesting things we heard and learned about at this year’s event, the first time it reached over 30,000 attendees.
Some would say SouthBy has jumped the shark. I’m not so sure. I joked early on in the event last week that perhaps it had jumped a few dolphins.
Has it gotten a lot more crowded? Absolutely.
Has it stretched the outer limits of Austin’s hotel and transportation capacity? Without question.
Do you have to wait in long lines stretching halfway around the Austin Convention Center just to see a keynote? Yes yes yes.
And to my mind, it’s still worth every minute.
P.S. Scott has also established a new blog, which you can find right here on WordPress.
Samsung Theatre, RSS-Less Google
Anybody watch that Samsung Galaxy S4 launch last night on the Webcast from Radio City Music Hall in New York City?
Well, the latest episode of Smash it certainly was not. I think the entire show could probably have used a dramaturg, but hey, what do I know? The last show I saw at Radio City Music Hall was Iron Maiden sometime around 1985.
But, if Samsung doesn’t exactly have a handle on the number of the thespian beast, they certainly do seem to have learned how to make smartphones.
Once I got past all the drama last night, I was ready to shell out a few hundred bucks to move back into the smartphone camp (I’m currently carrying an LG feature phone from Verizon, because unlike most people, I actually still use my cell phone to TALK to OTHER HUMAN BEINGS.) I currently depend on an iPod Touch 5th gen for most of my tablet computing (news consumption, email, calendaring, shooter games, travel, etc.)
But at some point, I’m going to create my own harmonic computing convergence and try to come back to one device.
Of course, the price point for an unlocked Galaxy S4 will likely require a second mortgage, and that’s if you can even find one.
So I’m also keeping an eye on the downmarket players like BLU Products, a little known player from whom I recently ordered an unlocked feature phone for $35 that I now use as my bat phone.
BLU is introducing a whole slate of new smartphones in April, entitled “Live View,” “Life One,” and “Life Play,” all of which will allegedly be sold unlocked on Amazon and range between $229 and $299.
The Life View model will include a 5.7-inch display (bigger than the Galaxy S4 at 5 inches), a 12-megapixel rear/5-megapixel front camera, 1GB RAM, 16GB of expandable storage, and also a 2,600Ah battery for those lonnngg plane rides to Bangalore.
I imagine that phone will be “good enough,” and you can learn more here on Engadget.
What’s apparently not good enough for Google is having an RSS reader. It was just announced that Google Reader was going to be taken out back to the Google woodshed and shot, as of July 1 of this year, a resultant casualty of Google’s annual “Spring Cleaning.”
To wit I ask, couldn’t they have found something less useful to “clean?”
Not to pile on, but this is a really dumb move for Google, if not for the bad PR value alone (and there’s been plenty of that). Google Reader was a beloved product, if only by the niche social digerati — you know, all those massive influencers with a big social media megaphone.
For my money, it’s a jaded move — Google’s not making any money off Reader, and RSS feeds are notoriously difficult to measure, so why not bury it in the Mountain View backyard? On the other hand, it would be nice for them to keep a useful tool that helps us bloggers keep our blogging sanity, and Reader does/did? just that.
C’est la Google vie…I’ve turned to Feedly online and on the iPod, and Reeder on the Mac, to assuage my soon-to-be Google Readerless existence. So far, I’m digging the newspaper-like layout. I just hope I can learn how to add and subtract feeds as easily as I was able to on the Google Reader cloud.
As for my post-SXSW-partum depression, the sun’s shining in Austin and I plan to get out and play some golf this weekend. But I’ll just say this: For me, Best SouthBy ever. I saw a lot of great speakers and sessions, talked to a lot of cool and interesting people, consumed some of my native city’s great food and drink, and enjoyed myself all the way around.
And for those of you who made it to the IBM party at Haven Saturday night, well how about that? Definitely NOT your father’s IBM.
The bar she has been raised.