VeriSign Security Review
June 2006
An eventful Microsoft patch week passed with no significant new exploits.
Security managers, however, should remain vigilant, as unpatched issues
remain. Last month also saw the painful departure of the anti-spam startup
Blue Security, forced offline by the well-funded spam and phishing industry.
VeriSign continues to monitor spam, phishing, and other malicious activity
to help customers stave off costly attacks.
In this issue:
Hot Topics
Standards and Regulations
News from VeriSign
Ask a VeriSign Consultant
Security Events
Hot Topics
Phishing Attacks Against American Banks Increase
Phishing attacks against US financial organizations
have increased to some 62 percent of all phishing scams observed, while
identity fraud attacks against European targets have been dropping,
according to a recent survey by RSA Security. Germany nevertheless
recently outpaced China as the second worst country for hosting phishing
attacks (14 percent of attacks), followed by China, the UK and South
Korea. Of identity fraud attacks against non-US targets, 40 percent are
aimed at Spain, Germany and the Netherlands, according to the survey
(Thomas, Daniel, “Phishing attacks against Europeans drop,” June 14,
2006, http://www.computing.co.uk/computing/news/2158229/phishing-attacks-against).
Monthly Threat Summary
The VeriSign iDefense Threat Level was raised to Elevated, or Level 3,
and remained there due to concerns over the recent slew of Microsoft
vulnerabilities. Despite Microsoft’s June 12 patch, VeriSign iDefense
believes that the existence of unpatched issues in an application with
the prevalence of Excel warrants an elevated alert level.
The Mozilla Foundation has released thirteen
security advisories describing vulnerabilities in Mozilla Firefox,
SeaMonkey, Camino, and Thunderbird. Depending on the flaw, these
vulnerabilities allow attackers to execute arbitrary machine code in the
context of the vulnerable application, to crash the affected application,
or to gain access to potentially sensitive information.
The authors behind the Turkojan remote administration
tool (RAT) announced the release of version 3.0 of their product in postings
on a variety of cyber crime-related forums. Turkojan is a RAT designed
to steal a victim’s passwords and other sensitive information.
A new worm that contacts unsuspecting Internet users with an America
Online Instant Messenger (AIM) message appearing to come from someone
on the victim's buddy list emerged in May. The message promises
new photos and includes a hyperlink that directs victims to a fake logon
page for the popular social-networking site MySpace. Once a user logs
on, the fake Web page captures the username and password and then redirects
the user to the legitimate logon page. With these credentials, an attacker
could access the victim’s MySpace page to obtain personal information
(such as home address, full name and date of birth) that could be used
for identity theft.
The Demise of Blue Security
Sustained denial-of-service attacks last month
brought down the anti-spam startup Blue Security. The Israel-based company
had 500,000 users and had been successful in getting some spammers to
use its open-source mailing list scrubber. Other, more malicious spammers,
however, launched massive attacks from zombie computers and flooded
Blue Security’s database servers. The company decided to take down its
service to prevent the damage from spreading to the rest of the Internet
community.
Assessing Geopolitical Threats Via Data Analysis
A crucial role of security intelligence is
determining the geographical location of salient cyber activity and
its underlying motivations. Known as geopolitical intelligence, this
information is often crucial in providing context for prevention and
mitigation strategies. VeriSign iDefense takes a discerning look into
the data that organizations commonly use to make such determinations
and illustrates how the research and analysis can transform seemingly
undirected data into actionable intelligence.
Open-Source Statistics
There is no “one-stop shop” for Internet statistics.
As with any Internet search, the analyst must question the accuracy,
timeliness, and objectivity of the information provided from search
results. Even assuming perfect data, however, collecting and collating
intelligence from millions of sources is an impossible task.
Proprietary Statistics
Proprietary data are generally more accurate than open-source
statistics, but the analyst must, once again, question the accuracy,
timeliness, and objectivity. An example of constrained data appeared
in Symantec Corporation’s recent semi-annual threat report (Symantec
Corp, March 2006). The chart identified bot infections by country for
the second half of 2005, which the publisher deemed an important indicator
of bot-related attacks in specific geographic locations. For the July-December
2005 timeframe, the U.S. and U.K. are identified as having the highest
percentages of bot-infected computers, 26 percent and 22 percent, respectively.
China came in third at 9 percent, according to the published data. Interestingly,
neither Russia nor Brazil, both known cyber crime hotspots, made the Top 10 list.
The data are most likely accurate within the scope of Symantec's measurements.
Given the limitations of the data collection methodology, however, any
statistical statement about worldwide bot infections drawn from them is
specious at best.
Data Samples: Analysts Must Consider the Scope
For a statistically valid argument about worldwide
bot attacks, the same percentage of computers from each area studied
should be included in the sample population. Symantec’s sample population
consists of only computers that have installed Symantec’s anti-virus
application. A similar visual illustration of this point can be found
in a world map of virus and spam origins as determined by Postini’s
email security and integrated message management solutions. Charts at http://www.postini.com/stats/
show data from Ethiopia and Brazil, detailing virus and spam origins
in those countries. While independent analysis supports the conclusion
that southern Brazil harbors many sophisticated cyber crime actors,
Ethiopia’s role in cyber crime (and/or infection rates) has yet to be
determined. Postini's map nevertheless shows the two countries at similar
levels for both virus and spam origination.
Thus, without knowing the exact nature of the
data displayed, the conclusions drawn from these data sources call for
further scrutiny. Comparing the above data with figures from ClickZ.com
and the CIA World Factbook, for example, one notices that Brazil,
a large source of spam, is among the countries with more than 20 million
Internet users; Ethiopia is not.
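The sampling point above, as an added illustration that is not from the article and not any vendor's tooling: every count and coverage figure below is constructed to show the mechanism and is not Symantec's, Postini's or any real telemetry. The script scales each country's observed count by the assumed, and deliberately uncertain, fraction of that country's hosts the vendor's sensors actually cover, re-ranks the countries, and reports which rank changes survive the uncertainty in coverage.

```python
"""Re-ranking raw vendor counts after correcting for sensor coverage.

Added example, not from the VeriSign article. All numbers are constructed
for illustration only; none are real measurements.
"""

# Constructed: bot infections a hypothetical vendor's sensors observed, by country.
OBSERVED = {"US": 26000, "UK": 22000, "CN": 9000, "BR": 3000, "RU": 1000}

# Constructed: fraction of each country's Internet-connected hosts that run the
# vendor's sensor, given as a (low, high) range because coverage is itself an
# estimate. Countries where the vendor sells little have low, uncertain coverage.
COVERAGE = {
    "US": (0.25, 0.35),
    "UK": (0.30, 0.40),
    "CN": (0.01, 0.04),
    "BR": (0.02, 0.04),
    "RU": (0.005, 0.02),
}


def observed_share(observed):
    """Share of the vendor's own observations per country: what a 'Top 10'
    chart built directly from telemetry reports."""
    total = sum(observed.values())
    return {cc: n / total for cc, n in observed.items()}


def estimated_bounds(observed, coverage):
    """Scale each count by 1/coverage to estimate infections across all hosts,
    not just sensed ones. Returns (low, high) per country; low coverage makes
    both the estimate and its uncertainty large."""
    return {cc: (observed[cc] / hi, observed[cc] / lo) for cc, (lo, hi) in coverage.items()}


def ranking(values):
    """Country codes sorted by descending value; a (low, high) range is ranked
    by its midpoint."""
    def key(item):
        v = item[1]
        return (v[0] + v[1]) / 2 if isinstance(v, tuple) else v
    return [cc for cc, _ in sorted(values.items(), key=key, reverse=True)]


def robustly_above(a, b, bounds):
    """True only if a's most pessimistic estimate still beats b's most
    optimistic one, i.e. the ordering holds for every coverage assumption."""
    return bounds[a][0] > bounds[b][1]


if __name__ == "__main__":
    bounds = estimated_bounds(OBSERVED, COVERAGE)
    print("raw telemetry ranking:", ranking(observed_share(OBSERVED)))
    print("coverage-corrected ranking:", ranking(bounds))
    for a, b in (("CN", "US"), ("RU", "US"), ("BR", "UK")):
        print(f"{a} above {b} under every assumption: {robustly_above(a, b, bounds)}")
```

With the constructed figures the raw chart puts the US and UK on top, exactly where the vendor's customers are, while the coverage-corrected estimate moves China to the top under every assumption in the range; the Russia-versus-US ordering, by contrast, flips with the coverage guess and should not be reported as a finding.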
Conclusions
Analysis and trending of numerical information from various sources
is a useful way to prioritize workflow and gauge risks. The quality
of the data, however, plays a large role in the decisions made.
Standards and Regulations
NIST Information Security Handbook Draft Released
The National Institute of Standards and Technology
(NIST) released “Draft Special Publication 800-100, Information Security
Handbook: A Guide for Managers.” It is a broad overview intended to help
CIOs and government agency security managers understand how to establish
and implement an information security program. Earlier in May, NIST
published “Guide for Developing Performance Metrics for Information
Security.”
News from VeriSign
2006 VeriSign Network Security Trend Survey
VeriSign released results of the annual network
security trend survey in May. Polling on a cross-section of industries
including manufacturing, banking, healthcare, and services, the survey
found that the top five security budget priorities are vulnerability/risk
management, security auditing, intrusion detection, compliance, and
data privacy. Close to 90 percent of respondents engage in some degree
of outsourcing, with intrusion detection and prevention management,
firewall management, and VPN management at the top of the outsourcing
list.
Ask a VeriSign Consultant
Each month, our highly experienced security
consultants share their expertise in an area of concern to you. This month,
Branden Williams reviews best practices for complying with the new PCI
data security standard. Send your questions to askverisignsecurity@verisign.com.
Complying With the New PCI Data Security Standard
Q: How can I optimize my compliance to PCI?
A: The Payment Card Industry Data Security Standard
(PCI-DSS) is about to be updated and released to users of the electronic
payment systems they govern. While the details of the changes
have been tightly controlled by the card associations, it is our understanding
that only minor changes will be made.
Merchants and service providers can ensure
that PCI has a minimal impact on their organization by doing everything
possible to reduce the scope of PCI. This can be accomplished
in a number of ways. Here are a few:
- Eliminate card numbers
from your environment as much as possible. Use hashing or reference
numbers in systems where you need to identify specific card numbers
for tracking. Card numbers are not needed after settlement occurs
for the majority of your transactions. Only in cases of investigations
or chargebacks would you need the number.
- Surround credit
card processing and storage with firewalls. Companies can effectively
reduce the scope of PCI-DSS on their infrastructure by treating the
networks that store and process credit card data as “Secured Enclaves.”
Bring the perimeter closer to the payment systems and require users
to use strong authentication and encryption to access those areas.
- Push back on vendors
that supply software for your credit card processing needs. Vendors
of Point Of Sale (POS), storage, and retrieval applications should make
the needed changes to their applications to ensure compliance.
If an application that handles card numbers for you has not been certified
under Visa’s Payment Application Best Practices, you should push the
vendors to meet compliance. In future releases of the PCI-DSS,
this will be a requirement that can keep you from compliance.
- Perform regular
checks of your payment systems. Though PCI-DSS requires an annual
assessment, companies that endorse quarterly or 6-month reviews will
ensure that special circumstances do not prevent them from being compliant.
Branden Williams is a Principal Consultant at
VeriSign. He is a Certified Information Systems Security Professional
(CISSP), Certified Information Security Manager (CISM), Visa Qualified
Data Security Professional (QDSP) and Qualified Payment Application
Security Professional (QPASP), Checkpoint Certified Security Administrator
(CCSA), and Checkpoint Certified Security Expert (CCSE).
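The first scope-reduction step in the column, replacing stored card numbers with hashes or reference numbers and then checking that the numbers have really left the systems you want out of scope, as an added example that is not code from the column or from any VeriSign product. Assumptions: the in-memory TokenVault stands in for a real vault inside the cardholder-data enclave, the PAN 4111111111111111 is a constructed test number and not a real card, and the HMAC key is supplied by the caller (in practice from an HSM or key service, never from the same database as the fingerprints).

```python
"""Keeping PANs out of scope: keyed fingerprints, reference tokens, and a
scan for PANs left behind.

Added example, not code from the VeriSign column. The vault is a
hypothetical in-memory stand-in; 4111111111111111 is a constructed test
number, not a real card.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """True if `pan` is 12-19 digits and passes the Luhn check-digit test."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash for matching the same card across records without storing it.

    A plain SHA-256 of a PAN is not a safe substitute: once the 6-digit BIN is
    known, only about 10**9 Luhn-valid candidates remain, and brute force
    recovers the PAN from the hash quickly. HMAC with a key kept outside the
    database removes that attack for as long as the key stays secret."""
    if not luhn_valid(pan):
        raise ValueError("not a structurally valid PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical reference-number vault. In a real deployment this sits
    inside the cardholder-data enclave behind its own firewall; systems outside
    it only ever see tokens, which carry no information about the PAN."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a structurally valid PAN")
        if pan not in self._by_pan:        # one stable token per card
            token = "tok_" + secrets.token_hex(12)
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the chargeback / investigation path should be allowed to call this."""
        return self._by_token[token]


def scrub_transaction(txn: dict, vault: TokenVault) -> dict:
    """Return a copy of a settled transaction with the PAN replaced by a token
    and the last four digits, which is all post-settlement reporting needs."""
    out = dict(txn)
    pan = out.pop("pan")
    out["token"] = vault.tokenize(pan)
    out["last4"] = pan[-4:]
    return out


_DIGIT_RUN = re.compile(r"(?<!\d)\d{12,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan free text (logs, database dumps, backups) for Luhn-valid digit runs.
    Use it to verify that PANs really have left the systems you claim are out
    of scope; expect some false positives from other checksummed identifiers."""
    return [m.group() for m in _DIGIT_RUN.finditer(text) if luhn_valid(m.group())]


if __name__ == "__main__":
    vault = TokenVault()
    record = {"order": 1001, "pan": "4111111111111111", "amount": "19.99"}
    print(scrub_transaction(record, vault))              # no PAN in the output
    print(find_pans("card=4111111111111111 id=1234567890123"))
```

Run `find_pans` over log exports and database dumps from the systems you intend to keep outside the enclave; any hit means that system still handles cardholder data and stays in scope regardless of what the architecture diagram says.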
Security Events
June 27-29, 2006: Identity Management Conference, Chicago, IL
July 26, 2006: itsGOV Technology Showcase, Washington, D.C.
July 29-Aug 3, 2006: Black Hat, Las Vegas, NV