Threat Landscape Shifts

I have watched the vulnerability exploitation window shrink over the years, from a year in the ’90s, to 3 months in 2000, and more recently to just under 30 days.  This is the amount of time it takes an attacker to develop working, weaponized exploit code for execution in the wild.  This development window applies to privately reported vulnerabilities; it does not consider the zero-day threat, where a “researcher” discovers a vulnerability and publicly discloses the details, or simply starts exploiting it.

Fortinet, a network security and unified threat management (UTM) solutions provider, reports in its January 2011 Threat Landscape report that 61% of the new vulnerabilities discovered in January were exploited.  Fortinet says that during a typical month, exploit activity falls between 30% and 40%.  Half of the new critical-rated vulnerabilities were targeted, offering an attacker arbitrary code execution on a target machine.

In order to pull this acceleration off, attackers have been reverse engineering the patches released by vendors, identifying the differences between the patched and unpatched files, and then focusing their research on those changes to develop their exploit code.  (SecurityWeek)

InformationWeek is reporting that distributed denial of service (DDoS) attacks, the bane of all online services, have broken the 100 Gbps barrier, increasing in bandwidth by 102% over the past year and by 1000% since 2005.  This finding comes from an infrastructure security report released on Tuesday by Arbor Networks.  The company surveyed 111 IP network operators from around the world and found that the volume and severity of attacks continue to increase.

The attacks appear to be driven by the spread of botnet malware agents that allow an attacker to use compromised computers to launch coordinated and focused attacks.  This has led to rapidly escalating DDoS attack size, frequency, and sophistication.  “Adding to the challenges facing operators is the increasing number of attack vectors, including applications and services, not to mention the proliferation of mobile devices” according to Roland Dobbins, a solutions architect at Arbor Networks.

Dealing with DDoS has been a major challenge for businesses of all sizes.  Solutions have been targeted at ISPs and very, very large enterprises, but have had very low adoption rates because of cost limitations.  ISPs can’t generally justify the expense without some sort of return on investment, and protection against a threat that may or may not materialize is a very tough sell as a value-added proposition, and hard to justify in the boardroom.
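As an added illustration (not from the article or from Arbor’s report), the following Python script shows the coarse volumetric signal an operator would alert on: it buckets flow records per destination and one-second window and flags windows whose inbound bit rate exceeds a threshold while being fed by many distinct sources, the pattern the botnet-driven attacks described above produce. The addresses, flow records and thresholds are constructed for the demo.

```python
from collections import defaultdict

# Constructed sample flow records (not captured data):
# (timestamp_seconds, src_ip, dst_ip, bytes). Three seconds of ordinary
# traffic to 10.0.0.5, then a flood from 50 sources in the fourth second.
SAMPLE_FLOWS = []
for t in range(4):
    SAMPLE_FLOWS.append((t + 0.2, "198.51.100.1", "10.0.0.5", 1500))
    SAMPLE_FLOWS.append((t + 0.7, "198.51.100.2", "10.0.0.5", 1500))
for i in range(1, 51):
    SAMPLE_FLOWS.append((3.0 + i / 100, f"203.0.113.{i}", "10.0.0.5", 100_000))


def bucket_flows(flows, window_s=1.0):
    """Aggregate flows into (dst_ip, window_start) buckets holding the total
    bytes and the set of distinct source addresses seen in that window."""
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for ts, src, dst, nbytes in flows:
        start = int(ts // window_s) * window_s
        bucket = buckets[(dst, start)]
        bucket["bytes"] += nbytes
        bucket["sources"].add(src)
    return buckets


def detect_volumetric(flows, bps_threshold=10_000_000, min_sources=20, window_s=1.0):
    """Return one alert per (dst, window) whose inbound bit rate is at or above
    bps_threshold and which is fed by at least min_sources distinct sources.
    The thresholds are demo values; an operator tunes them to link capacity."""
    alerts = []
    for (dst, start), bucket in sorted(bucket_flows(flows, window_s).items()):
        bps = bucket["bytes"] * 8 / window_s
        if bps >= bps_threshold and len(bucket["sources"]) >= min_sources:
            alerts.append({
                "dst": dst,
                "window_start": start,
                "bps": bps,
                "sources": len(bucket["sources"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_volumetric(SAMPLE_FLOWS):
        print(f"{alert['dst']} t={alert['window_start']:.0f}s "
              f"{alert['bps'] / 1e6:.1f} Mbps from {alert['sources']} sources")
```

A real deployment reads NetFlow or sFlow exports from the routers rather than a list in memory, and source addresses in a flood are often spoofed, so the distinct-source count is a supporting signal rather than proof of a botnet; the bit-rate threshold is what matters for link saturation, and it is the number the Arbor survey figures above are about.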


SIA Reports High Confidence

Business confidence among members of the security industry remained high going into 2011, according to a 25-page report in the Security Industry Association’s (SIA) Quarterly Research Update.

The SIA Business Confidence Index is based on a survey of 100 top executives at member manufacturing companies.  It reports a ranking of approximately 75% in the fourth quarter of 2010, up from the third quarter’s 74% and much better than the 59% a year earlier.  Interestingly positive, the report also indicates that 78% rate market conditions as good to excellent.


Mozilla Apps To Become “Attack Aware”

Mozilla wants to advance the security of their web applications.  This includes stepping up efforts such as threat modelling, security training, secure development, code review, security testing, offering bug bounties, and making their applications “attack aware”.

Michael Coates states that an “attack aware” application is able to identify abnormal user actions that result from deliberate attacks: it detects a malicious user probing for application weaknesses and disables their ability to damage the system, while avoiding false positives from ordinary user errors.  Michael states that “attack aware” applications will use blacklist-style detection of a potential attack.  I would have thought a whitelist would be a more appropriate concept, since blacklists tend to grow quickly, and known or expected user behavior would be a smaller target to code for.

Mozilla currently monitors attack reports from their applications.  After an attack is detected, this data is fed into a security integration manager that monitors for trends and initiates investigations of individual attack reports.  This initiative moves towards a system that enables them to selectively block offending users from the app to prevent further attacks.

In order to prevent malicious sites from using XSS or CSRF to create a denial of service condition by causing a user to submit malicious-looking requests, automatic blocking would need to be limited to pages that utilize controls protecting against cross-domain pollution.
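The following Python module is an added example, not Mozilla’s code, of the two points above: a whitelist of what each endpoint expects (rather than a blacklist of attack strings) to classify a request as a probe, and a rule that a probe is attributed to a user only when the request carries a valid anti-CSRF token, so a third-party site cannot forge suspicious requests in a victim’s browser and get the victim auto-blocked. The endpoints, parameter patterns, block threshold, secret and sample requests are all constructed for the demo.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed demo values; a real app loads the secret from configuration.
SECRET = b"constructed-demo-secret"
BLOCK_THRESHOLD = 3  # probes from one user before they are blocked

# Whitelist: for each endpoint, the parameters it accepts and the value shape
# each must have. Anything outside this is treated as a probe.
EXPECTED = {
    "/account/update": {
        "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$"),
        "display_name": re.compile(r"^[\w .'-]{1,40}$"),
    },
    "/search": {"q": re.compile(r"^[\w ]{1,100}$")},
}


def csrf_token(session_id):
    """Per-session anti-CSRF token; only pages served to this session know it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, token):
    return token is not None and hmac.compare_digest(csrf_token(session_id), token)


class AttackMonitor:
    def __init__(self):
        self.probes = defaultdict(list)  # user -> anomaly reasons seen so far
        self.blocked = set()

    def classify(self, req):
        """Return the anomaly reasons for a request; empty if it fits the whitelist."""
        allowed = EXPECTED.get(req["path"])
        if allowed is None:
            return ["unknown endpoint"]
        reasons = []
        for name, value in req["params"].items():
            pattern = allowed.get(name)
            if pattern is None:
                reasons.append(f"unexpected parameter {name!r}")
            elif not pattern.match(value):
                reasons.append(f"malformed value for {name!r}")
        return reasons

    def handle(self, req):
        """Return 'ok', 'rejected' or 'blocked' for one request."""
        user = req["user"]
        if user in self.blocked:
            return "blocked"
        reasons = self.classify(req)
        if not reasons:
            return "ok"
        # Reject anomalous requests in every case, but only attribute them to
        # the user when the request proves it came from a page we served
        # (valid token). A cross-site forgery has no token, so it cannot be
        # used to run a victim into the block threshold.
        if not csrf_valid(req["session"], req.get("csrf")):
            return "rejected"
        self.probes[user].extend(reasons)
        if len(self.probes[user]) >= BLOCK_THRESHOLD:
            self.blocked.add(user)
            return "blocked"
        return "rejected"


def run_demo():
    """Drive the monitor with constructed requests; returns the outcomes and the monitor."""
    monitor = AttackMonitor()
    alice_tok = csrf_token("sess-alice")
    mallory_tok = csrf_token("sess-mallory")
    requests = [
        # ordinary request submitted from the application's own page
        ("alice", "sess-alice", alice_tok, "/search", {"q": "firefox addons"}),
        # forged cross-site request in alice's browser: no token, so it is
        # rejected but not counted against alice
        ("alice", "sess-alice", None, "/search", {"q": "<script>alert(1)</script>"}),
        # mallory probing from a real page (valid token): counted each time
        ("mallory", "sess-mallory", mallory_tok, "/search", {"q": "x", "debug": "1"}),
        ("mallory", "sess-mallory", mallory_tok, "/account/update", {"email": "not-an-email"}),
        ("mallory", "sess-mallory", mallory_tok, "/admin/export", {}),
        # a well-formed request after the threshold is still refused
        ("mallory", "sess-mallory", mallory_tok, "/search", {"q": "firefox"}),
    ]
    outcomes = []
    for user, sess, tok, path, params in requests:
        outcomes.append(monitor.handle(
            {"user": user, "session": sess, "csrf": tok, "path": path, "params": params}))
    return outcomes, monitor


if __name__ == "__main__":
    print(run_demo()[0])
```

The token only removes the cross-site case the post worries about: if the application itself has an XSS flaw, injected script can read the token and make attributed requests, so the blocking logic has to be paired with fixing XSS rather than substituting for it. The whitelist also makes the false-positive trade-off explicit, since a legitimate value that the pattern rejects shows up as a probe and the pattern, not a growing blacklist, is what gets adjusted.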

Google Stings Microsoft

Google’s executives have grown suspicious of how closely Microsoft’s search engine results mirror their own. On Feb. 1, the blog Search Engine Land detailed Google’s “sting operation” against Bing.  

  • First, Google found some search terms with no matches on either search engine.
  • Next, Google created “honeypot” pages that appeared on top of its search results for those terms.
  • When a portion of Bing search results mirrored Google’s honeypot-tainted results, accusations flew.
