VeriSign Security Review
September 2005
Summer was far from quiet around the enterprise security perimeter.
VeriSign® Intelligent Infrastructure detected continuous exploit activities,
including the latest wave of new attacks against a newly publicized
Plug-n-Play vulnerability, which was elevated to Extreme severity. In
this issue, we gather a few recent spyware news stories and offer an expert overview
of spyware attack vectors by Fred Doyle. We also help you catch up on this year's CSI/FBI Computer Crime
and Security Survey, as well as the recent FDIC advisory on mitigating
spyware risks. Lastly, VeriSign enjoyed a record summer quarter and
looks forward to further strengthening its leadership in the managed
security services space with the acquisition of
iDefense.
Microsoft PnP Buffer Overflow Threat Elevated to Extreme
iDefense issued a FLASH Alert on Aug 11, 2005,
for the Microsoft
Plug-and-Play Buffer Overflow Vulnerability and later raised
the severity level to “EXTREME.” The security intelligence company newly
acquired by VeriSign also developed Snort signatures immediately after
the wave of exploits against this vulnerability.
The buffer overflow vulnerability exists in
the Plug-and-Play (PnP) device detection system in multiple versions
of Windows® and could allow an attacker to execute arbitrary code and
elevate privileges. PnP is used to help detect when new hardware is
installed on the system and to load the drivers needed. Due to an unchecked
buffer within the PnP service, a remote attacker could create a malicious
message that would result in code execution upon handling by PnP. The
precise results of exploitation vary with the version of Windows;
anonymous remote code execution via this vulnerability is possible
only on Windows 2000 systems.
Malicious code targeting this vulnerability
includes RBot worms, the ZoTob.A worm, the Copa.A batch file tool, GaoBot.BQP
and SpyBot.MN. iDefense detected this exploit activity and developed
exploit-specific Snort signatures to detect attempts to use the above
exploits.
CSI/FBI Survey Reveals Increased Cost of Information Theft
The 2005 survey by the Computer
Security Institute and the FBI shows that while average financial loss
from attacks has declined, the cost of unauthorized information access
nearly sextupled from $51,545 in 2003 to $303,234 in 2004. The 10th annual CSI/FBI
Computer Crime and Security Survey also found that Web site
incidents rose dramatically. An astounding 95 percent of respondents
experienced 10 or more Web site incidents in 2004, up from a mere 5
percent in 2003.
When it comes to IT security spending, the
survey focused on economic measures used to justify spending. Adopted
by 38 percent of respondents, Return on Investment (ROI) is the most
popular method used, while security spending is admittedly seen as a
must-do.
Finally, two years after the ratification of
the Sarbanes-Oxley Act, its effects in the corporate environment are
indelible. The majority of the sectors surveyed believed that Sarbanes-Oxley
is having an impact on their organizations’ information security.
For more information on the CSI/FBI survey,
visit http://www.gocsi.com.
FDIC Urges Banks to Mitigate Spyware Risks
The Federal Deposit Insurance Corporation has
issued an advisory
to financial institutions outlining best practices in mitigating
risks of spyware and phishing and pharming attacks.
The FDIC document explains the risks associated
with spyware and urges financial institutions to restrict software downloads,
monitor inbound and outbound traffic, scan email for SPAM, regularly
review the list of trusted root SSL Certificates, and consider implementing
multi-factor user authentication.
The advisory also recommends that banks expand
security and Internet use policies to include risks associated with
spyware, as well as ask customers to keep anti-spyware, anti-virus and
firewall software up to date.
Visa and American Express Drop CardSystems After Breach
Atlanta-based payment processing firm CardSystems
told Congress in July that the company is “facing imminent extinction”
after disclosing that it compromised the data of 40 million cardholders.
Visa USA Inc. and American Express Co., which used CardSystems’ service,
announced that they would revoke the processor’s contract due to non-compliance
with data security standards. To learn more, visit http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465_pf.html.
VeriSign News
VeriSign Acquires iDefense
VeriSign acquired Reston, Virginia-based iDefense,
Inc., the leading network security intelligence company known for providing
highly actionable intelligence content to government agencies, large
financial institutions, and e-commerce sites. The company's multi-lingual
network of more than 200 research contributors in over 30 countries
offers early and unique insight into the cyber underground and previously
unknown software vulnerabilities.
The iDefense research product portfolio includes
iAlert Daily Delivery and FLASH Reports, Weekly Threat Reports, and
Focused Intelligence Reports that customers use to modify security infrastructure
and respond to threats on a real-time basis.
"Network perimeters are expanding to include
customers, partners and remote employees, so enterprises must leverage
the most advanced security intelligence to protect customer data and
corporate assets," said Judy Lin, executive vice president and
general manager, VeriSign Security Services. "The acquisition of
iDefense expands the VeriSign suite of managed
security services, providing customers with additional capabilities
with which to proactively protect their networks from vulnerabilities
and attacks."
iDefense Labs uses the team’s expertise
in vulnerability and malware research, as well as contributions from
outside researchers through its Vulnerability Contribution Program,
to detect new and known vulnerabilities, develop countermeasures, and
thwart exploit code. iDefense filters massive data from available sources
and extracts information relating to more than 1,500 monitored products,
thereby enabling customers to have a consolidated view of new publicly
disclosed vulnerabilities that relate to their environment.
iDefense Malicious Code and iDefense Threat
gather threat intelligence on malicious code threats, cyber terrorism
incidents and actors and electronic crime incidents that impact cyber
security from a global perspective.

To learn more about iDefense and VeriSign Managed
Security Services, visit http://www.verisign.com/products-services/security-services/managed-security-services/idefense/.
VeriSign Donates Trust Service Integration Kit to Apache
In early August, VeriSign donated to the Apache
Software Foundation its source code to implement various W3C and OASIS
specifications related to XML and Web Services security, including WS-Security
(WSS).
Authored by VeriSign, IBM, and Microsoft, WSS
is one of the most important Web Services specifications by the Organization
for the Advancement of Structured Information Standards (OASIS).
The VeriSign implementation of WSS, Trust Service
Integration Kit (TSIK), complements existing Apache offerings and is
focused on a simplified programming model to help the user avert common
XML security issues.
To learn more or to download the open source
software, visit http://incubator.apache.org/projects/tsik.html.
Expert Zone
In 2004, the spyware industry earned an estimated
$2 billion through the distribution and installation of applications
designed to monitor and report on the activities of victims (Webroot
Software Inc., State of Spyware Q1-2005, April 2005). A recent America
Online Inc. study showed that an estimated 80 percent of personal computers
unwittingly contained spyware. The following analysis from VeriSign
iDefense Intelligence Analyst Fred Doyle captures the state of the current
spyware environment and advises best-practice policies to mitigate risks
from spyware.
Spyware Attack Vectors
By Fred Doyle
Intelligence Analyst, iDefense, a VeriSign company
Spyware has been around since cookies existed.
Early spyware came in the form of commonly legitimate data-gathering
programs bundled with an enticing service such as Napster music downloads
and instant messaging (IM). Modern spyware tends to be more discreet
yet far more dangerous. Web sites, email, removable media, legitimate
programs, and malicious code can all serve as spyware “infection” vectors.
Vulnerabilities that spyware distributors have exploited in the past
include:
- Microsoft Internet Explorer/Outlook Express MS-ITS URL Handler (iDefense Exclusive) (ID#208704, Feb 13, 2004)
- Microsoft Internet Explorer 6.x ADODB.Stream Object (ID#205330, Sep 25, 2003)
- Microsoft Internet Explorer URL Display (ID#207317, Dec 10, 2003)
- Microsoft Internet Explorer IFRAME dialogArguments Input Validation Error (ID#303196, Jun 19, 2004)
- Windows DNS Cache Poisoning Incident (ID#409821, Apr 5, 2005)
- “Googkle” Mistyped URL Attack (ID#411064, Apr 27, 2005)
Lawmakers are making efforts to curb spyware
with such examples as the 2004 SPY BLOCK Act and the 2005 SPY ACT and
I-SPY bills currently awaiting the Senate’s review. These laws prohibit
software installation without user consent or by misleading the user.
Loopholes and enforcement obstacles, however, continue to give spyware
distributors ground on which to thrive.
There is no silver bullet for mitigating all
spyware, but enterprises can better protect their employees through
a concerted spyware mitigation strategy that includes:
- Classifying spyware as malicious code.
- Restricting users from installing programs without administrative supervision. This method locks down the client systems on the network, giving the enterprise control over its applications. An increasing number of malicious code and spyware programs, however, are subverting these restrictions through Web-based applications.
- Educating the user on the latest spyware and social engineering trickery.
- Deploying more than one signature-based scanning solution such as anti-virus and anti-spyware programs. Since anti-virus and anti-spyware programs are only as good as the signatures they include, using multiple solutions can help decrease the chance of infection.
- Using advanced spyware intelligence. In addition to anti-virus and anti-spyware solutions, intelligence services such as VeriSign iDefense Security Intelligence Services are effective for mission-critical enterprise environments, as spyware may be distributed by malicious code yet go undetected by major anti-virus or anti-spyware products.
- Deploying gateway anti-spyware products. This new breed of products promises to stop spyware before it enters the network.
Security Events
September 26-30, 2005
3GSM Asia
Singapore
September 28-30, 2005
IT Security World Conference and Expo
San Francisco, California
October 9-11, 2005
Information Security Forum Annual World Congress
Munich, Germany
October 9-12, 2005
Citrix iForum 2005
Las Vegas, Nevada
October 16-21, 2005
Gartner Symposium/IT Expo 2005
Orlando, Florida