Showing posts with label 2010. Show all posts

Wednesday, April 27, 2011

Unplug Everything!

Just kidding…partially.  Have you seen the latest 2011 Verizon Data Breach Investigations Report?  It is chock full of data about breaches, vulnerabilities, industry demographics, threats and all the other internet security terms that make the headlines.  It is an interesting view into cybercrime and, like last year, there is also information and analysis from the US Secret Service, who arrested more than 1200 cybercrime suspects in 2010.  One very interesting note from the Executive Summary is that while the total number of records compromised has steadily gone down – ‘08: 361 million, ‘09: 144 million, ‘10: 4 million – the case load for cybercrime is at an all-time high – 141 breaches in 2009 to a whopping 760 in 2010.  One reason may be that the criminals themselves are doing the time-honored ‘risk vs. reward’ calculation when determining their bounty.  Hey, just like the security pros!  Oh yeah… the crooks are pros too.  Rather than going after the huge financial institutions in one fell swoop or mega-breach, they are attempting many more low-risk intrusions against restaurants, hotels and smaller retailers.  Hospitality is back on top of the list this year, followed by retail.  Financial services round out the top three, but as noted, the criminals will always have their eye on our money.  Riff-raff also focused more on grabbing intellectual property rather than credit card numbers.

The Highlights:

  • The majority of breaches, 96%, were avoidable through simple or intermediate controls; if only someone decided to prevent them. 
  • 89% of companies breached are still not PCI compliant today, let alone when they were breached. 
  • External attacks exploded in 2010, and now account for the vast majority at 92% and over 99% of the lost records. 
  • 83% of victims were targets of opportunity.  Most attacks are opportunistic, with criminal rings relying on automation to discover susceptible systems for them. 
  • Most breaches aren’t discovered for weeks to months, and most breaches, 86%, are discovered by third-parties, not internal security teams.
  • Malware and ‘hacking’ are the top two threat actions by percentage of breaches, 50%/49% respectively, along with tops in percentage of records 89%/79%.  Misuse, a strong contender last year, went down in 2010.
  • Within malware, sending data to an external source, installing backdoors and key logger functions were the most common types and all increased in 2010.
  • 92% of the attacks were not that difficult.

You may ask, ‘what about mobile devices?’ since those are an often-touted avenue of data loss.  The Data Breach Report says that data loss from mobile devices is rarely part of their case load since they typically investigate deliberate breaches and compromises rather than accidental data loss.  Plus, they focus on confirmed incidents of data compromise.  Another question might have to do with Cloud Computing breaches.  Here they answer, ‘No, not really,’ to the question of whether the cloud factors into the breaches they investigate.  They say that it is more about giving up control of the systems and the associated risk than any cloud technology. 

Now comes word that subscribers of Sony’s PlayStation Network have had their personal information stolen.  I wonder how this, and the other high profile attacks this year will alter the Data Breach Report next year.  I’ve written about this type of exposure and felt it was only a matter of time before something like this occurred.  Gamers are frantic about this latest intrusion but if you are connected to the internet in any way shape or form, there are risks involved.  We used to joke years ago that the only way to be safe from attacks was to unplug the computers from the net.  With the way things are going, the punch line is not so funny anymore.

ps

Resources:

Technorati Tags: F5, data breach report, threats, Pete Silva, security, malware, technology, Verizon, cyber-threat, social engineering, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach, psn, Sony, PlayStation


Friday, April 8, 2011

3 Billion Malware Attacks and Counting

Almost half the total population of this planet.  At this rate, we’ll all have our own personalized malware in the coming years, specifically tailored for our various behaviors.  I built this infection especially for you.  Symantec recently released their annual Internet Security Threat Report for 2010 and noted that cyber threats are increasing both in sophistication and frequency.  They found more than 286 million new threats last year, with social networks and mobile devices being favorite targets.  Mobile vulnerabilities were up 42% with 163 discovered last year.  The U.S. actually topped the list in many nasty categories: most targeted country by DoS attacks (65% of total), most bot command and control servers (37% of total), most infected computers (14% of total) and most overall malicious activity (19% of total). 

As you may know, I like numbers and statistics, and there were a couple of supplemental reports that I found interesting: The Year in Numbers and The 2010 Timeline.  Each is a single-page report with highlights from the year.  The highlights, or lowlights depending on your view, are:

  • 93% Increase in Web Based Attacks - URL shorteners were the main culprit, accounting for 65% of the malicious URLs over a 3 month period.
  • 260,000 Identities Exposed per Breach - The average number for each of the data breaches during the year.
  • 42% More Mobile Vulnerabilities – Remember, we’re now keeping our lives on these devices.
  • 6,253 New Vulnerabilities  - More than any previous year and new vendors affected by a vulnerability grew 161%.
  • 14 New Zero-Day Vulnerabilities – From IE to Flash to Reader.  Stuxnet used 4 unique zero-days. 
  • 74% Pharmaceutical Spam – 3/4 of all spam were for Rx pills.  Will you take the red one or the blue one?
  • 1 Million Plus Bots – Rustock had over a million bots under control.  No draft dodgers here.
  • $15 per 10,000 bots – Utility spam services…Get your bot herrrrrrrrrrah.
  • $.07 to $100 per Credit Card – Cost of a stolen credit card but if you buy in bulk, get a discount.

Lastly, if you are looking for porn, then more than likely you’ll find malware.  And the leading cause of a breach that could lead to identity theft was a lost or stolen computer or data storage device.  One of the cool things about the data offered is the ability to build your own custom report.  You can select various topics or trends to customize the report specifically to your area of interest.

ps

Resources

Technorati Tags: F5, mobile, threats, Pete Silva, security, malware, technology, Symantec, cyber-threat, cloud, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach


Tuesday, March 8, 2011

Our Digital Life Deciphered

comScore always has some very interesting statistics when measuring the digital world and these recent reports are no different.  The 2010 U.S. Digital Year in Review has great info both in understanding media trends and knowing what the end user is actually doing out there.  The 2010 Mobile Year in Review is also interesting in looking at mobile device and OS trends and the differences worldwide, both in models and what users are utilizing them for.  There are tons of graphs and analysis covering areas like U.S. Retail E-Commerce Spending, Percent of Time Spent for Top 5 U.S. Web Properties,  U.S. Unique Visitor Trend for Leading Social Networking Sites, Percent Share of Searches Among U.S. Core Search Engines, Growth in Total U.S. Online Video Market, Top Mobile Activities in the U.S. and many more.

These were a few that I found interesting - taken directly from the reports.

* 9 out of every 10 U.S. Internet users now visit a social networking site each month.

* Facebook now accounts for 12.3% of time spent online in the US - up from 7.2% just a year ago. 


* After Portals, Social Networking now ranks as the next most engaging activity at 14.4 percent of time spent online (up 3.8 percentage points), while Entertainment ranks third at 12.6 percent (up 0.8 percentage points). As communication continues to shift to other channels, including social media and mobile, usage of web-based email declined 1.5 percentage points to 11.0 percent of time spent.

* An average of 179 million Americans watch video each month and the average American spent more than 14 hours watching online video in December, a 12-percent increase from last year, and streamed a record 201 videos, an 8-percent increase.


* In September 2010, smartphone ownership crossed the 25 percent threshold, marking a significant milestone in smartphone adoption in the U.S. By December 2010, smartphone penetration had reached 27 percent of the mobile market.

* Samsung unseated last year’s OEM (original equipment manufacturer) leader, Motorola, to rank as top OEM provider with 24.8 percent of devices owned by mobile subscribers in December 2010, up 3.6 percentage points from the previous year.

ps

Related:

Technorati Tags: blog, social media, comscore, music, statistics, blog traffic, web traffic, digital media, mobile device, analytics, video


Tuesday, February 8, 2011

Identity Theft: Good News-Bad News Edition

So which would you like first? 

Javelin Strategy & Research said identity theft incidents were down 28% in 2010 (vs. 2009) according to their latest consumer survey.  This is the lowest level since 2007 and about 3 million fewer victims than in 2009.  They partially attribute this to a decline in industry-reported data breaches, going from 604 (221 million exposed records) to 404 (26 million exposed records) in 2010, along with economic conditions, better security measures and busts by law enforcement playing a major role.  If you have an existing credit card account, there’s good news on that front also – fraud from existing credit cards was down 38% ($14 billion) compared to 2009 ($23 billion).  New account fraud, where the victim might not have any idea that an account was opened in their name, took top honors in types of fraud with $17 billion siphoned.  ‘Change in physical address’ was the No. 1 method of account takeover reported by victims.

Don’t drop the confetti yet, however.  While the overall numbers look encouraging, the devil is in the details, as the cliché goes.  Even though the overall numbers are down, the consumer out-of-pocket expense to resolve ID fraud went from $387 per incident to $631 in 2010 – a 63% increase.  Because criminals are using more clever ways to steal your data, you have to spend more time fixing the issue and the costs can grow.  Your friends and family are also sticking it to ya. ‘Friendly Fraud,’ when someone you know steals your info, increased 7%, with 41% of this batch saying their SSN was stolen.

They also found a correlation between retail sales and identity fraud.  When sales are up, fraud is down, and when sales are down, fraud goes up, says James Van Dyke, founder of Javelin Strategy & Research.  He feels that when the economy is doing well and people can make purchases with their own money, they are less likely to steal.  Add to that, better security measures are in place and people are more aware of identity fraud, thus they keep a better eye on questionable transactions.  Another bad sign is that while credit card fraud has dropped, debit card fraud went from 26% to 36% in a year.  This could be due to more people using debit cards rather than credit for purchases, but also due to debit’s lower level of protection when it comes to fraud. Some would question the validity of the survey since it is a ‘self-report’ telephone survey, and bank data would argue that fraud is actually up in many areas.  There are many more intriguing tidbits in the report and you can check out Javelin’s report with a couple of interesting charts here.

ps

Related:


Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internet, cybercrime, security, holiday shopping, identity theft, scam, email, data breach

Friday, December 17, 2010

e-card Malware

I’ve gotten some e-cards this holiday season from organizations that I know, and you might even receive one from F5.  I just wanted to post a short reminder to be careful of these, especially if you get one from someone you don’t know.  This is, and has been for several years, one of cybercriminals’ favorite ways of distributing malware, infecting your computer and stealing your info.  Usually, the e-card arrives in your email with a link to view it online.  Once you click that link and visit the purported e-card site, you can become infected.  In fact, if you get one and don’t know the sender at all, I’d delete it right away.  Often you don’t even need to visit a site to get infected, since the payload might be in the email itself.

The Better Business Bureau is also warning of another phishing scam with cybercriminals masquerading as a shipping company.  You’ll get an email with a tracking number in the subject line.  The note says that the package could not be delivered and asks the user to print the attached document.  At that point, if you do open the attachment, then a virus is installed on your computer.  There have also been charitable giving scams, coupon code scams, too good to be true sale scams and other rip-offs to swindle you of your money and sensitive info.

You might be thinking, ‘ahh, geeze – not another,’ but this is the time of year those cybercriminals like to prey on people’s holiday spirit and general preoccupation with other things festive.  Keep anti-virus updated, use a firewall, be suspicious, use common sense and enjoy the holidays.

ps

Resources:


Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internet, cybercrime, security, holiday shopping, identity theft, scam, email, data breach

Wednesday, December 15, 2010

2010 Year End Security Wrap

Figured I’d write this now since many of you will be celebrating the holidays over the next couple weeks and who really wants to read a blog when you’re reveling with family and friends.  It’s been an interesting year for information security, and for me too.  I started the year with New Decade, Same Threats? and wondered if the 2010 predictions of: social media threats, smarter malware/botnets, using the cloud for crime, financial DDoS, rogue software, Mac and Mobile malware, more breaches and a whole host of others would come through.  And boy did they. 

Social media was a prime target for crooks, with the top sites as top targets.  Users were tricked into accepting and sharing friends that really weren’t friendly, and social networks became a new hotbed for malware distribution.  As for malware, while many botnets and spam outfits got taken down this year, Stuxnet was certainly the most sophisticated piece of malware researchers have seen in a while.  Targeting industrial & utility systems, along with the ability to reprogram itself, it was no longer my single laptop or a company’s system that had a bull's-eye; although the initial infection is through those systems, it was nuclear facilities, oil refineries and chemical plants that were the ultimate objective. For Cloud Computing, was it Cloud 9 or Cloud Crime when it came to using the cloud for nefarious activities?  Many people thought that with the cloud offering a slew of computing power, it would be a prime way to initiate an attack.  We really didn’t see much pertaining to ‘cloud breaches’ even though almost every survey throughout the year indicated that security in the cloud was everyone’s ichiban concern.  I covered many of these surveys in my CloudFucius Series, now playing in a browser near you.  This article talks about that: the reason we might not have seen much in the way of cloud-specific breaches is that many of the data loss repositories do not differentiate between a cloud-based and a non-cloud attack.  In addition, cloud providers are not that willing to spill vulnerabilities that have led to crimes.  Share please. 

Banks and financial institutions were certainly targets this year; why wouldn’t they be, that’s where all the money is.  In one incident, about $3 million was stolen from various banks around the world using viruses, and more than 100 crooks suspected of running the global cybercrime ring were arrested in the US and UK this September.  A 16 year old Dutch kid was arrested last week for a Distributed Denial of Service attack on the MasterCard and Visa websites.  And, merging malware, mobile and money, the ZeuS Trojan could infect a desktop, capture the user’s bank credentials the next time they logged in to their financial institution, pop up a dialogue box asking the user to ‘include’ their mobile phone for SMS payments, send the phone a fake message & certificate for acceptance, and then install another Trojan on the phone to monitor SMS messages.  Lots of trickery and luck needed to be successful, but still a very scary exploit.  And if you think those mobile banking apps are secure, think again.  Just last month, a number of those apps were found to have serious vulnerabilities, flaws and holes.  Many of those apps have been patched in light of the research, but as with any ‘new-ish’ type of technology, mobile banking must be locked down before the masses adopt.  Too late now.

I wrote about corporate espionage both in Today’s Target: Corporate Secrets (2010) and The Threat Behind the Firewall (2009), and this year did not disappoint.  Social engineering, or convincing someone to give up their info, is alive and well, but throughout 2010 employees stole secrets from the companies they worked for: Former Goldman Programmer Found Guilty of Code Theft, Greenback engineers guilty of corporate espionage, Ford secrets thief caught red handed with stolen blueprints, and SEC Bares Text of Inept Suspects As They Sold Disney Earnings Info To FBI Agents.  These insider events can often be more costly than an external breach.

This is by no means an exhaustive list of the breaches, attacks, vulnerabilities, hijacks, frauds, or other cybercriminal activities from 2010.  I’d probably be writing through the holidays to get them all.  These were just some of the things I found interesting when looking back at my initial blog entry for the year.  With 2011 being the Year of the Rabbit, just how much will cybercrimes multiply?

ps

Resources:


Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internet, cybercrime, security, holiday shopping, identity theft, scam, email, data breach

Monday, November 22, 2010

Giving Thanks for the Hackers, Crackers and Thieves

This holiday season, give your friendly neighborhood hacker (black or white hatted) a nice pat on the back.  ‘Why?’ you may ask.  ‘Aren’t they responsible for the nasty botnets, malware, SQL injections, stolen identities, government infiltration, Stuxnet, and all the malicious things you warn against in this very blog?’  Yes, but over the years it’s been the very same folks attempting to gain, and successfully gaining, access to systems to infect, steal, snoop and cause general havoc that have made security better.  All the new variants of worms, viruses, trojans or the all-encompassing ‘malware’ force security professionals to stay alert, review risks and come up with solutions to thwart such attacks.  It is a great battle of wits in this game of chess that’s played out over the internet.  Patch one hole, find another; lock one system, infiltrate another; fix one vulnerability, expose another.

As an aside, I’m using the term ‘hacker’ to mean both the good and the bad.  In the media, the term hacker has grown to mean someone with bad intentions who breaks into computers with malicious intent, but within the programming world, it’s also considered a compliment.  A hacker is just someone with exceptional computer skills that can, essentially, make a system do what they want.  Even the term ‘hack’ can be good and bad; a compliment or insult.  If you ‘hack’ something with criminal intentions, then it is bad but if you come up with a clever way or a brilliant ‘hack’ to accomplish something, then you are praised.  Both break the rules - either the law or the accepted way of doing something.

Over the years, while software firms, financial institutions, retailers, travel outlets, ISPs and others would deny the fact that there might be something wrong or a vulnerability within their code, systems and infrastructure, it would be the ‘hacker’ that would prove to the world and force the manufacturer to both admit and fix the weak link.  As the years have passed and the hackers are often proven right, companies now (to some extent) welcome the insight of how to make their products more secure.  ‘Welcome’ might not be the most accurate term but there is less denial and more acceptance, with quicker fixes, patches and other remedies.  They have also made the individual user more aware of the things that might harm their computers and compromise their identity.  They have made the casual user more savvy to avoiding those pitfalls, tricks and methods to steal personal information.  They have taught us to be more careful about the links we click, the things we publish on social media sites and how we navigate the internet.  Imagine how open

If you haven’t figured it out by now, there has always been the Great Battle between Good and Evil – those who want to help and those who want to hurt; those with good intentions and those with bad; those with kindness and those who are cruel.  Granted, it is not as black and white as depicted and there are many, many grey areas when it comes to doing what is right.  If the bad guys have, by their actions, forced providers to bestow better solutions and make us, as users, safer, then have at it!  With anything, if you can pull whatever good out of a bad situation and learn from it, then you are living a fruitful life – and that, you should be thankful for.

ps

Related:

twitter: @psilvas

Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internet, cybercrime, security, holiday shopping, identity theft, scam, email, data breach

Friday, September 24, 2010

Oracle OpenWorld 2010 - The Blooper Reel

We always have a great time shooting video and Oracle OpenWorld 2010 was no different.  Of course, there were some flubs and while Dick Clark made bloopers famous, we're not above sharing our own fun mistakes. I especially like the Mic Outtake/adlib about halfway through. Thanks to Chris Akker, Ron Carovano, Calvin Rowland, F5 Booth Staff, Oracle and everyone involved with Oracle OpenWorld.

ps

The Oracle OpenWorld 2010 Videos:

Technorati Tags: F5, infrastructure 2.0, integration, Pete Silva, security, business, education, technology, application delivery, cloud, virtualization, oracle, oow

twitter: @psilvas
