News from the Front: The Battle against Identity Theft
October 30, 2006
Constantine Karbaliotis, LL.B., CIPP
News from the Front 2
Abstract
From data gathered through Symantec’s Global Intelligence Network – which consists of millions of systems world-wide – this session focuses on the nature of attacks used to gain critical information needed to commit identity fraud such as phishing scams and malware. Armed with this intelligence this session speaks to the strengths of identity management in defending organizations as well as individuals from such attacks without encroaching on privacy.
Agenda
Intelligence Gathering
The Battleground for Identity
Know your Enemy
Strategies and Tactics to Protect Identity
Conclusion
Intelligence Gathering
What the Symantec Internet Security Threat Report is…
Information that:
Provides a comprehensive analysis of Internet security activities and trends
Is compiled every six months
Offers a complete view of today’s Internet security landscape
Identifies and analyzes attacker methods and preferences
Details the latest trends and information on:
• Internet attacks
• Vulnerabilities that have been discovered and exploited
• Malicious code
• Additional Security Risks - Adware, Spyware, Phishing, and Spam
Provides a complete view of the state of the Internet
Symantec’s sources of intelligence: The G.I.N.
Hundreds of MSS customers
Millions of security alerts per month
Millions of threat reports per month
200,000 malware submissions per month
Locations: Twyford, England; Munich, Germany; Alexandria, VA; Sydney, Australia; Redwood City, CA; Santa Monica, CA; Calgary, Canada; San Francisco, CA; Dublin, Ireland; Pune, India; Taipei, Taiwan; Tokyo, Japan
>6,200 Managed Security Devices
120 Million Systems Worldwide
30% of World’s email Traffic
Advanced Honeypot Network
74 Symantec Monitored Countries
4 Symantec SOCs
40,000+ Registered Sensors in 180+ Countries
8 Symantec Security Response Centers
The Battleground for Identity
ISTR X Main Findings
Home users are often the weakest link in the chain and are the most targeted
Malicious code is increasingly targeted at individual organizations and there is a rise in new, previously unseen malicious code, especially Trojans
Web enabled technologies and browsers are the preferred target of attack - Web 2.0 and AJAX
Re-emergence of older attack methods and social engineering on the rise - continued increase in unique phishing messages
Attack Trends – Denial of Service - Top Target Countries
During the current reporting period, Symantec saw an average of 6,110 Denial of Service attacks per day. The average grew from 4,000 per day in January to over 7,500 per day in June. One period in March saw a spike to over 8,000.
The U.S. was the most targeted nation for DoS attacks followed by China and the United Kingdom.
Attack Trends – Denial of Service - Top Targeted Sectors
Internet Service Providers - bigger net = more fish
Government - high profile
Telecom - regional, smaller ISPs
Attack Trends – Top Originating Countries
The United States remains the top source country for attacks with 37% of the worldwide total. Attacks originating from the United States grew by 29% due to a large increase in broadband users.
China increased from 7% to 10% of the worldwide total. Attacks grew by 37%.
Attack Trends – Top targeted sectors
Home users are often targets of opportunity and provide “cover” for larger, more targeted attacks
Targeted attacks against Government, Information Technology, Utilities and Energy are on the rise.
Attack Trends – Web browser attack distribution
Despite having a lower number of vulnerabilities this reporting period than Mozilla, Internet Explorer is the most targeted browser for attack, due to high-profile vulnerabilities and widespread deployment.
The “Multiple browsers” category comprises vulnerabilities that affect all of the browsers chosen for this metric.
Attack Trends – Additional Data Points
Top Wireless Threats
Probing for access point - 30%
Spoofed MAC Address - 17%
Top Browser Attacks
Multiple Browser Zero Width GIF Image Memory Corruption Attack - 31%
5 of the Top 10 are IE specific - 3 are Mozilla specific
Vulnerability Trends – Web Browsers (Vendor and Non-vendor confirmed)
Mozilla browsers (Mozilla and Firefox) had the highest number of reported vulnerabilities during this reporting period with 47, almost 3 times the number reported during the last reporting period (17). Internet Explorer was second with 38, a 52% increase over the previous reporting period.
For the past three reporting periods, vulnerabilities affecting Apple’s Safari web browser (12) have continued to increase.
Vulnerability Trends – W.O.E. - Web browsers
Window of exposure is the time between the announcement of a vulnerability and a vendor-supplied patch, minus the number of days before the appearance of an exploit.
In general, the patch development time for browsers is shorter than for the other W.O.E. metrics, as vendors seem to respond more quickly to web browser vulnerabilities.
Vulnerability Trends – Volume
Between January 1 and June 30, 2006, the total number of vulnerabilities grew by 18% over the previous reporting period and 20% over the same period last year, primarily due to the high percentage of Web application vulnerabilities. Once again, this is the highest total Symantec has ever recorded.
Vulnerability Trends – Easily exploitable vulnerabilities by type - Web applications
69% of all vulnerabilities reported were web application vulnerabilities, a slight increase over the previous reporting period.
80% of all vulnerabilities were easily exploitable. Of those, the largest proportion (78%) were web application vulnerabilities. This is due in part to a quicker release cycle, less secure coding practices and low complexity vulnerabilities.
Vulnerability Trends – W.O.E. - Enterprise Vendors
The window of exposure for enterprise vendors continues to shrink primarily due to the increased speed at which vendors are developing patches.
Vulnerability Trends – Operating system vendors - Time-to-patch
Over the past three reporting periods, Microsoft has had the shortest patch development time of all operating system vendors.
Microsoft is beginning to challenge the “open-source is quicker” school of thought
Vulnerability Trends – Additional Data Points
Exploit development time for Web browsers
Internet Explorer - 1 day (0 days during last reporting period)
Mozilla - 2 days (7 days during last reporting period)
Safari - 0 days (0 days during last reporting period)
Opera - 0 days (0 days during last reporting period)
Patch development time for Web browsers
Internet Explorer - 10 days (25 days during the last reporting period)
Mozilla - 3 days (5 days during the last reporting period)
Safari - 5 days (0 days during the last reporting period)
Opera - 2 days (18 days during the last reporting period)
Exploit code release period
25% - less than one day (decrease of 8 percentage points from last reporting period)
33% - one to six days (increase of 4 percentage points from last reporting period)
Malicious Code Trends – Win32 Variants
Nearly a 40% reduction from the previous reporting period - predicted decline in future periods
22% of the Top 50 reported samples were bots - an increase of two percentage points
Malicious Code Trends – Previously Unseen malicious code (proportion of all threats)
Detected by Symantec honeypots; higher proportions indicate that attackers are more actively trying to evade signature-based detection methods.
Primarily due to variants using metamorphic code, run-time packers and changes to code functionality.
Malicious Code Trends – Top ten new malicious code families
New techniques and more dangerous threats appear:
Polip - polymorphic
Bomka - uses rootkit techniques, click fraud
Malicious Code Trends – Malicious code types by volume
Worms - primarily mass mailers - continue to dominate. 60% increase over the previous reporting period.
Decline in back door levels due to a decline in reports of Spybot, Gaobot and Randex. Only Spybot remains in the Top 50. Back door levels remain high due to Mytob variants (16 of the Top 50).
Trojans have dropped from 21 of the Top 50 reports to 10 in the current reporting period.
Malicious Code Trends – Propagation vectors
SMTP continues to be the top propagation mechanism - 1 out of every 122 email messages contained malicious code. Driven by Netsky, Beagle, Mytob and SoberX.
All of the Top Ten malicious code samples reported to Symantec utilized SMTP as a propagation mechanism.
Malicious Code Trends – Exposure of confidential information
Threats that expose sensitive data such as system information, confidential files and documents, cached logon credentials and credit card details. Such data can be used in criminal activities, resulting in significant financial losses.
Malicious Code Trends – Instant messaging threats
Variants of Spybot, Gaobot, Esbot and Randex commonly use AOL Instant Messenger as a propagation mechanism.
The announced interoperability of Yahoo! Instant Messenger and Windows Live Messenger may result in attackers focusing on these protocols to maximize potential propagation.
Malicious Code Trends – Additional Data Points
The top ten malicious code samples reported to Symantec during the current reporting period:
Sober.X
Blackmal.E
Netsky.P
Beagle.DL
Mytob.EA
Beagle.AG
Mytob.AG
Mytob.DF
Mytob
Mytob.EE
Tooso was the most reported Trojan (modular) and Netsky.P was the most reported threat to confidential information
The number of modular malicious code samples in the Top ten (36) has remained the same as the previous reporting period, though the overall volume has dropped to 79% from 88%
Phishing - Unique phishing messages
Definitions:
Phishing message - single, unique message sent to targets with the intent of gaining confidential or personal information. Each message has different content and different method of trying to obtain information.
Phishing attempt - instance of a phishing message being sent to an individual user(s).
81% increase over the previous reporting period - Average of 865 unique phishing messages per day
Phishing - Top targeted most phished sectors
9 of the top ten brands phished are from the Financial Services sector.
Symantec saw an average of 7.19 million phishing attempts per day down from the 7.91 million observed during the last reporting period.
Blocked phishing messages decreased from 1.46 billion in the last report to 1.3 billion this reporting period, an 11% decrease.
Spam - Top countries of origin, categories and volume
Between January 1st and June 30th, 2006, the average percentage of email that is Spam was 54%, a 4 percentage point increase from the last reporting period
Health makes up 26% of all spam, followed by Adult with 22%. Health and Adult traditionally have the highest click-through rates as they are more difficult to market through traditional means
Canada and South Korea were the only countries with a drop in percentage - 2% each
Spam - Percentage of spam containing malicious code
From January 1 - June 30, 2006, 0.81% of all spam contained malicious code - 1 out of every 122 spam messages contained malicious code
Spam with malicious attachments is likely blocked by spam filtering and anti-virus software. In response, malicious code authors are more likely to include a URL in a spam message which links to a malicious website or directly downloads malicious code
Security Risks – Top ten new security risks
Misleading applications constitute three of the Top Ten new security risks. ErrorSafe represented 19% of new security risks reported to Symantec
The most reported Adware from January 1 - June 30, 2006 was Hotbar (24%) and 6 of the Top ten employed some form of anti-removal techniques.
Future Watch
Web 2.0 and AJAX: Symantec speculates that Web 2.0 security threats and AJAX attacks will increase.
Windows Vista: Symantec speculates that the new features and changes to Windows Vista’s code base, in conjunction with increased scrutiny from security researchers and malicious code authors, will result in previously unseen attacks.
Increase in polymorphic malicious code: Due to the difficulty in detecting and removing polymorphic viruses, Symantec speculates that more malicious code authors may begin to use more polymorphic techniques at all levels of malicious code development.
Know your Enemy
From Oceans 11 to 7-11
Common Attacks of Yesterday
Sneak through the network perimeter
Steal customer data or intellectual property
Make the escape unnoticed
Common Attacks of Today
Don’t bother penetrating the network
Phish or use crimeware on a company’s customers when they’re online
Aggregate and sell their data on the black market or use it yourself
Successfully Exploiting Home Users Makes Fraudsters $$$
[Diagram: the fraud supply chain. Roles shown: Spammer, Botherder, Phisher, Cashier. Artefacts shown: Phishing Messages, Victims, Fraud Website (+ Trojan horse), Egg Drop Server]
“Underground” Economies
“Underground” Economies (2)
Who are most of the attackers looking to victimize?
Home users are targets of opportunity– attackers “casting the net” to find victims
Financial Services remains interesting– go to the money
Crimeware & The Fraud Community
I'm here to sell a working version of win32.grams trojan, for those who don't know what this trojan does i will explain. It simply steals all the e-gold from the victims account and transfers all the gold into your account. Simple and efficient.
The trojan has been tested successfully with Windows XP (all SP's) and works ONLY on IE (Internet Explorer).
If any bugs are found it is my responsibility to fix them immediately.
The price for this wonder trojan is only 1000 dollars and I accept only WU / MG and e-gold.
Making $$$ By Exploiting Browsers: Rogue Distributors
Rogue distribution networks make money by using browser exploits to install downloader Trojans
The downloaders are then used to install adware & spyware
Reportedly pay for 0-day vulnerabilities such as WMF
WMF vulnerability said to be purchased for ~$4K USD
Discovered in active exploit via iframecash.biz & others
Web Attacker: Automated Tools Make it Easy
How much can they make? Ask Direct Revenue
The spoils of spyware: all execs at Direct Revenue became millionaires in 2004
Good news: window of exposure (WOE) is shrinking
Limited set of vendors: Symantec, Microsoft, Cisco, Sun, HP, EMC, IBM, Oracle, CA & McAfee
The window of exposure for enterprise vendors continues to shrink primarily due to the increased speed at which vendors are developing patches
Day 1: Vulnerability Announced
Day 3: Exploit Becomes Public
Day 31: Patch Available
~28 Day Window of Exposure With No Patch for Protection
Bad news: it’s still 28 days on average
Source: Internet Security Threat Report X, September 2006. All numbers above are averages.
Worse news: averages don’t tell the real story
Old proverb: Never cross a river that’s on average 5 feet deep
Zero day attacks are not unusual anymore
A few key vulnerabilities get the bulk of the exploit action: WMF (Jan 06), VML (Sep 06)
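Added example, not part of the presentation or of the ISTR: the window-of-exposure arithmetic defined on the W.O.E. slide (patch development time minus exploit development time), applied to a small set of vulnerability timelines. The set includes the slide’s own Day 1 / Day 3 / Day 31 average case and the MS06-040 dates from the patch-process slide; the other two entries, the observation date for unpatched windows, and the assumption that the MS06-040 patch date equals the bulletin date are mine. Alongside the average it reports the median, the maximum and the zero-day count, which is what “averages don’t tell the real story” means in numbers.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import List, Optional


@dataclass
class VulnTimeline:
    """Key dates for one vulnerability; None means the event has not happened yet."""
    name: str
    announced: date
    exploit_public: Optional[date]
    patch_available: Optional[date]
    as_of: date = date(2006, 9, 30)  # assumed observation date for still-open windows

    def exploit_dev_days(self) -> Optional[int]:
        """Days from announcement to first public exploit; 0 or less means zero-day."""
        if self.exploit_public is None:
            return None
        return (self.exploit_public - self.announced).days

    def patch_dev_days(self) -> int:
        """Days from announcement to patch; an unpatched window is measured up to as_of."""
        end = self.patch_available if self.patch_available is not None else self.as_of
        return (end - self.announced).days

    def window_of_exposure(self) -> int:
        """ISTR definition: patch development time minus exploit development time.

        Clamped at zero: a patch that precedes any public exploit leaves no unpatched
        window, and a vulnerability with no public exploit contributes no exposure.
        """
        exploit = self.exploit_dev_days()
        if exploit is None:
            return 0
        return max(0, self.patch_dev_days() - exploit)

    def is_zero_day(self) -> bool:
        exploit = self.exploit_dev_days()
        return exploit is not None and exploit <= 0


def summarize(vulns: List[VulnTimeline]) -> dict:
    """The average alongside the figures the average hides."""
    windows = [v.window_of_exposure() for v in vulns]
    return {
        "mean_days": mean(windows),
        "median_days": median(windows),
        "max_days": max(windows),
        "zero_days": sum(1 for v in vulns if v.is_zero_day()),
        "unpatched": sum(1 for v in vulns if v.patch_available is None),
    }


SAMPLE: List[VulnTimeline] = [
    # The slide's average case: announced day 1, exploit day 3, patch day 31 -> 28 days.
    VulnTimeline("istr-average", date(2006, 1, 1), date(2006, 1, 3), date(2006, 1, 31)),
    # MS06-040 dates from the slide: announced Aug 8, first public exploit Aug 10.
    # Assumption: the patch shipped with the bulletin on Aug 8, so the window is 0.
    VulnTimeline("MS06-040", date(2006, 8, 8), date(2006, 8, 10), date(2006, 8, 8)),
    # Constructed zero-day: exploit circulating on announcement day, patch nine days later.
    VulnTimeline("constructed-zero-day", date(2006, 3, 1), date(2006, 3, 1), date(2006, 3, 10)),
    # Constructed: patched in 14 days, no public exploit ever appeared.
    VulnTimeline("constructed-no-exploit", date(2006, 5, 1), None, date(2006, 5, 15)),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name:24} exploit_dev={v.exploit_dev_days()!s:>4} "
              f"patch_dev={v.patch_dev_days():3} WOE={v.window_of_exposure():3}")
    print(summarize(SAMPLE))
```

The MS06-040 row is the case the patch-process slide makes: a zero-length window on paper (the fix preceded the exploit), yet a worm followed within days, because the window only closes on hosts that actually applied the patch. The constructed zero-day row shows the other way the average misleads: a short window can still mean exposure from the first day.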
Strategies and Tactics to Protect Identity
Protect Thy Customer
Education – let them know how you communicate, inform them of any new twists in attacks that might catch them off-guard
Communication: Consider fraud alerting services & contribute known fraud to the PRN phish blocking community (free)
Protect Thy Customer (2)
Establish zero-hour, behavioral detection and mitigation of malicious threats – less reliant on ‘signatures’
Establish protection that follows users
Establish protection from the unmanaged endpoints
Protect Thy Customer (3)
Become the customer’s IT department
Advise customers to use, or better, provide them, with products, toolbars, and/or web browsers with anti-phishing protection
Protect Thy Customer (4)
Put your customer in charge of their identity: identity management tools, preference management
As a consumer, I want to:
Have a single sign-on to my personal information
NOT have any enterprise aware of what I am doing elsewhere
NOT communicate any information about myself, until I CHOOSE to do so
Know that even within the systems of the businesses I do business with, my identity is protected and, in the event that there is a breach of security, the information is anonymized or encrypted
Make Yourself Unattractive
Validate track 2 magnetic stripe information
It’s not phishable data and makes your business a lot less “cashable”
“Up to half of U.S. banks fail to validate Track 2 data and only rely on customer PINs to authorize ATM transactions” – C|net
Use multi-factor authentication
Something the user is (fingerprint, retinal pattern)
Something the user has (security token, software token, cell phone)
Something the user knows (password, pass phrase, PIN)
Can be broken, but it makes attackers work harder
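Added example, not part of the presentation: what “validate track 2” means on the issuer’s side. The block parses the ISO 7813 track 2 layout (start sentinel, PAN, expiry, service code, issuer-defined discretionary data, end sentinel), applies structural checks including the Luhn check digit, and then compares the discretionary field against the issuer’s own record of what it encoded on the card. The PAN, expiry and PIN can all be phished; the discretionary data cannot, which is why a track assembled from phishable fields alone is rejected. The issuer record is a constructed lookup table standing in for the key-based recomputation a real issuer performs, and all sample tracks are constructed around a well-known test PAN.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Dict

# ISO 7813 track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
# (a trailing LRC character, if present, is assumed to have been stripped by the reader).
TRACK2_RE = re.compile(r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str  # issuer-defined; this is where card-verification data lives


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Structural validation only: sentinels, numeric fields, Luhn, plausible month."""
    m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("malformed track 2: bad sentinels or non-numeric field")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    if not 1 <= int(m["exp"][2:]) <= 12:
        raise ValueError("expiry month out of range")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


# Constructed stand-in for the issuer's record of the discretionary data encoded on each card.
# A real issuer recomputes this from its keys; a lookup table keeps the example offline.
ISSUER_REFERENCE: Dict[str, str] = {"4111111111111111": "123456780000"}


def validate_track2(raw: str, reference: Dict[str, str] = ISSUER_REFERENCE) -> bool:
    """True only if the track parses and its discretionary data matches the issuer's record."""
    try:
        track = parse_track2(raw)
    except ValueError:
        return False
    expected = reference.get(track.pan)
    if expected is None or not track.discretionary:
        return False
    return hmac.compare_digest(track.discretionary, expected)  # constant-time compare


# Constructed samples built on a test PAN, expiry 09/12, service code 101.
SAMPLE_TRACK2 = ";4111111111111111=0912101123456780000?"
# Phishable fields only (PAN, expiry, service code), no discretionary data.
SAMPLE_NO_DISCRETIONARY = ";4111111111111111=0912101?"
# Discretionary field present but not matching the issuer's record.
SAMPLE_WRONG_DISCRETIONARY = ";4111111111111111=0912101000000000000?"

if __name__ == "__main__":
    for name, raw in [("genuine", SAMPLE_TRACK2),
                      ("phishable-only", SAMPLE_NO_DISCRETIONARY),
                      ("wrong-discretionary", SAMPLE_WRONG_DISCRETIONARY)]:
        print(f"{name:20} -> {'accept' if validate_track2(raw) else 'reject'}")
```

The Luhn and format checks are hygiene, not security: any published PAN passes them. The decision that reduces “cashability” is the last one, the comparison against issuer-held data that never appears on a phishing page, and it is done with a constant-time compare so the check itself leaks nothing about the expected value.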
Block Web Attacks
Standardize web browsers to the extent that you can
Patch your web browser(s) of choice as soon as possible
Block exploits through host-based IPS & modern AV
Make sure people who enter your networks are “clean” and have up-to-date protection
They are the biggest risk since they live outside perimeter protections
This means network access compliance (NAC) of some sort
Cleaning up after a successful web attack
Ensure you have an up-to-date AV or Anti-Spyware product
Make sure you get the downloader (usual source of the problem)
Keep an eye out for misleading applications
Address any signs of high risk user behavior
Keeping ahead of the vulnerability flood
Intrusion prevention at the network and the host
Defend against unprotected hosts inside the perimeter & when employees are remote (outside the perimeter)
Anti-Virus can block the file-based attacks (e.g. WMF, VML)
But keep it current: WMF changed every day and required frequent updates
Routinely assess your environment for vulnerabilities & mis-configurations
Have a patch process in place
Vulnerability in Server Service (MS06-040, Critical):
Vulnerability Announced: August 8th, 2006
Symantec IPS Protection: August 8th, 2006
1st Public Exploit: August 10th, 2006
1st Worm: August 11th, 2006
Do not become the Enemy…
Consider whether your tactics create greater risk: using biometric information may create higher security, but are you now creating a greater risk?
Use privacy impact assessments to determine the impact of even those technologies introduced to protect identity
Are you doing the right things to avoid risk to your customers? Information inside the enterprise is the prize – are you keeping information unnecessarily?
Know your Weaknesses
Unstructured information (Word documents, e-mails) on mail and file servers on local office LANs as well as WANs
Web, e-commerce systems collect personal information and preferences, and utilize technologies such as tracking cookies
Backup systems are ‘snapshots’ of the whole network, maintained for years
While security/access is based on role, in general within individual systems there are no role-based access controls that limit what can be seen or accessed
A lot of information is ‘portable’ – contained on laptops or PDAs used by sales and field technicians
Know your Weaknesses (2)
CRM systems contain information about contacts within customers, suppliers, business partners
Many businesses have an unrecognized risk with business customers who are unincorporated – personal information is also business information:
Credit reports and payment histories in internal systems or shared with or obtained from third parties
Leasing and financing data, including personal guarantees
Collections information
In human resource systems, corporations maintain information about potential candidates (resumes, background checks), employees, and ex-employees
Most customer and technical support systems contain a wealth of personal information
Where technology can’t help
Security and privacy are aspects of good governance, and not simply IT issues
Enforcing ‘best practices’ is an issue for both IT and the ‘business’ sides
Recognized standards that are both measurable and auditable (i.e. creating evidence of compliance) are key to achieving compliance
Education and awareness are often the ‘missing’ ingredient to good security and privacy practices, and cannot be overlooked
Conclusion
It’s a battle…
Critical to understand the nature of the struggle underway:
The ‘opposition’ is organized and capable
The stakes are high
The battle is on many fronts
Necessary to think in terms of strategy and tactics
You must act as the customer’s IT department to ensure that you preserve the customer’s confidence in your enterprise
Appendix A: Presenters’ Background
Constantine Karbaliotis, LL.B., CIPP
Canadian Senior Compliance Business Specialist; called to the Bar of the Province of Ontario in 1986; practiced law for ten years in the areas of litigation, intellectual property, arbitration and mediation; taught at the Bar Admission Course and CLE programs
Ten years consulting experience with small to large law firms, public legal sector, as well as other public sector and private sector organizations
Experience with document management, privacy, security and project management, and government
Video Remand and Bail Project – worked for 3 years within Ontario government to establish largest criminal justice video network, won a Diamond award at Showcase 2001
Certified Information Privacy Professional