Microsoft Security Intelligence Report (vol 10)

Microsoft has released volume 10 of their Security Intelligence Report, covering 2010.

The SIR is the result of an investigation of the threat landscape, analyzing exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, Internet services, and Microsoft Security Centers. In SIRv10, Microsoft presents a short video that calls attention to the second most commonly detected fake anti-virus software, Win32/FakePAV. The video describes how Win32/FakePAV steals credit card information, and then shows how to remove the trojan.

In addition to the Win32/FakePAV feature, the report continues to highlight the ongoing threat of botnets, the subject of “Battling Botnets,” which was released in 2010.

Key Findings:

  • Application vulnerabilities, as opposed to operating system or web browser vulnerabilities, continued to account for the majority of vulnerabilities in 2010.
  • The total number of application vulnerabilities declined 22.2% from 2009.
  • Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.
  • Exploitation through Java has been rising since Q2 2010, and exploitation of the Java platform far exceeds that of Adobe software and operating system platforms.
  • Malicious IFrames account for a large number of attacks over HTTP, likely reflecting the effect of hijacked and compromised websites.
  • Conficker is the most active malware family in the enterprise environment, but only 9th in the general Internet environment.
  • JS/Pornpop is the most active malware family in the non-corporate Internet environment.
  • Phishing sites targeting social networks are increasing, and they are effective at getting themselves in front of victims.
  • Overall operating system vulnerability counts are steady, and browser vulnerability counts are growing more slowly.

Download and read this interesting report.

FCC To Offer SMBs Advice on Security

Data breaches and other cyber security threats pose a serious risk for all businesses, large and small, but many business owners are not aware of the full extent of the dangers lurking on the wire. Criminals are shifting some of their focus towards small business networks, intellectual property and customers’ information as larger companies increase their security capabilities. The average cost of an online attack is around $200,000, according to a recent study by security software company Symantec.

Raising awareness of a real threat to the vitality of all businesses is an important but difficult task. The Federal Communications Commission is launching an initiative to help small businesses understand the risks associated with using the Internet as a business and communication medium. The commission on Monday unveiled a new website, “Cybersecurity for Small Business,” and a tip sheet of actions small businesses can take to better protect themselves.

“It’s a culture change. It’s going to take a long time,” said Ann Beauchesne, VP of national security and emergency preparedness for the U.S. Chamber of Commerce. “Basically the message for small businesses is, yes, the Internet’s a great tool but you need to protect yourselves.” Eliminating the risk of online attacks is virtually impossible, so it is vital to minimize the risks that could lead to a breach. It has been easy for people to ignore online security issues, because attacks have been focused on larger organizations and the security issues are technical and complicated. The FCC’s measures will help empower people to understand that they can tackle these problems.

News of these security issues should be nothing new for SMBs; the catastrophic results have been all over the mainstream press, and the warnings have been posted all over the Internet on blogs like this one. It is about time that formal governing bodies sat up and took action. I applaud the FCC for this effort, and hope that legislation proposed by Barack Obama and others starts the ball rolling in the US. This website may offer simple and basic security advice, but it is a start. The Canadian government and businesses had better take notice and start studying the lessons learned that have driven the US to at least scratch a line in the sand, dotted and snaggle-toothed as it may be.

I know that there will be cries of “Oh no, the government can’t control the Internet, FREE SPEECH!” Well, nobody else is fixing it, so if you can’t control it, big brother will do it for you. I’m personally sick and tired of letting these lawless, callous, malicious and uncaring individuals crap in my online sandbox and get away with it. I’ve seen some of the damage that they can do, and no one is immune to the effects. Family members have had accounts drained, friends have experienced ID theft. Small business owners have had their systems hacked, and folded up shop as a result. Canadian government, BRING IT ON! Let’s clean up our sandbox too.

Proceedings of the FCC Roundtable are available here.

QakBot Infects Mass. Websites

Personal information about an unknown number of Massachusetts residents may have been stolen from the Massachusetts Executive Office of Labor and Workforce Development, after hundreds of the agency’s computers were infected with malware. Anyone who conducted business from April 19 – May 13 requiring that a staff person access their file online with DCS, DUA or at a One Stop Career Center should take the precautions found at

About 1,500 computers at the state’s One Stop Career Centers and other departments were infected with W32.QAKBOT, malware designed to allow remote control of the host and to steal information. There is a possibility that, as a result of the infection, the virus collected confidential claimant or employer information. This information may include names, Social Security Numbers, Employer Identification Numbers, email addresses and residential or business addresses. It is possible that bank information of employers was also transmitted. About 1,200 of the 180,000 employers that manually file with the agency may be impacted by the data breach; however, the agency has no way to verify this number.

The agency first detected the malware on April 20th and took immediate steps to contain and remove the infection. Yesterday, the agency said that the virus had not been remediated as originally believed, and that the malware’s persistence resulted in a data breach. “We were targeted by criminal hackers who penetrated our system with a new strain of a virus,” the secretary of labor and workforce development said in a statement released this afternoon. “All steps possible are being taken to avoid any future recurrence.”

Government Press Release

GEEK.COM Hacked, Serves Malware

Geek.com, one of the Web’s oldest and most popular tech sites, has been hacked and was serving malware to visitors. According to Zscaler’s blog, many areas of Geek.com, including articles and the site’s main pages such as the home and about-us pages, are infected with malicious iFrames pointing to a variety of malicious sites. Hackers injected a malicious HTML iFrame into legitimate pages on the site.

One example is the iFrame injected into a May 13th article about Call of Duty: Modern Warfare 3, which redirects visitors to an exploit kit. Upon visiting the page, heavily obfuscated JavaScript is returned that tries to determine which versions of certain programs are installed on the visitor’s computer, and then serves exploits for vulnerabilities in those products. As of 6:14 a.m., the malware was still present in some forum postings.

Many legitimate websites are being compromised through poor coding practices in their web applications. Attackers are on the lookout for popular websites and news sites to use as launch pads for their attacks. Web users need to be aware that no website is a safe website.
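The injected iFrames described above are typically a pixel in size or hidden by CSS, and they point at a domain the site does not own. The scanner below, added here as an example and not code from Zscaler or Geek.com, walks a page’s HTML and reports iframes that are cross-domain, sized at a pixel or less, or hidden by inline style. The sample page, the hostnames and the site URL are constructed for the example.

```python
"""Flag iframes that look injected, of the kind described above.

Added example; not code from Zscaler or Geek.com.  The page, hostnames and
URLs below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles attackers use to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":           # HTMLParser lower-cases tag names
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True for a width/height of 0 or 1 pixel ('1', '1px', '0')."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


def suspicious_iframes(html, page_url):
    """Return [(src, [reasons...])] for iframes that look injected.

    A frame is reported if its src is on a host outside the page's own
    domain, if it is a pixel or smaller, or if inline CSS hides it.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = (urlparse(src).hostname or "").lower()
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("cross-domain src")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: one legitimate related-content frame plus two injected ones.
SAMPLE_PAGE = """
<html><body>
<h1>Modern Warfare 3 preview</h1>
<iframe src="https://www.geek.example/widgets/related.html" width="300" height="250"></iframe>
<iframe src="http://evil-kit.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//cdn.evil-kit.example/x.html" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "https://www.geek.example/article"):
        print(f"{src}: {', '.join(reasons)}")
```

Run it over a saved copy of a page (or the output of a crawler) to triage which frames deserve a look. The cross-domain check is the weakest of the three on its own, since ad networks and widget providers are legitimately cross-domain; the size and CSS checks are what separate a hidden exploit-kit frame from a related-content box.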

Mandiant Intelligent Response v.2.0 Released

Mandiant has just announced the release of Mandiant Intelligent Response (MIR) v2.0, featuring host-based incident response capabilities for enterprises. You may not have heard of Mandiant unless you are currently involved in security incident response. Mandiant is a leading provider of incident response and computer forensics solutions and services. Headquartered in Alexandria, Va., with offices in New York, Los Angeles and San Francisco, Mandiant provides products, professional services and education to Fortune 500 companies, financial institutions, government agencies, domestic and foreign police departments and leading U.S. law firms.

Mandiant believes, as I do, that an incident within your organization WILL take place, regardless of the efforts put in place to mitigate, prevent and detect threat events. Many security safeguards simply cannot keep pace with today’s modern, multi-faceted, targeted attacks. Many organizations rely exclusively on inadequate, outdated and ineffective preventive measures and do not plan for the eventuality of compromise. MIR 2.0 extends beyond traditional threat detection products to protect enterprise assets and tackle unpredictable events. Intelligent Response lowers risk by decreasing response time after a breach, and supports containment by identifying every host compromised in an attack. Security teams can respond remotely to any host in minutes rather than hours, improving containment, reducing an attacker’s window of opportunity, and speeding the organization’s return to normal business operations.

MIR 2.0 is fueled by Indicators of Compromise (IOCs), XML-based descriptors of malicious activity that allow an organization to sweep tens of thousands of endpoints in search of compromised hosts (many of my colleagues will remember my nagging talks about precursors and indicators…). Mandiant’s IOCs are developed through a combination of external and internal intelligence sources, enabling organizations to benefit from threat intelligence derived from breaches in other environments.
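To make the sweeping idea concrete, here is an added example, not Mandiant’s code and not the real OpenIOC schema, of a small evaluator for an XML indicator: nested Indicator elements carrying AND/OR operators, and leaf IndicatorItem elements that name an artifact field, a match condition and a value. The indicator itself, the hash, paths and registry key inside it, and the four host snapshots it is swept against are all constructed for the example.

```python
"""Sweep host snapshots with an XML indicator of compromise.

Added example, not Mandiant's code.  The indicator is a hand-written
document loosely modelled on the OpenIOC layout (nested Indicator elements
with AND/OR operators; leaf IndicatorItem elements naming an artifact
field, a condition and a value); the real schema is richer.  The hash,
paths, registry key and host snapshots are all constructed.
"""
import xml.etree.ElementTree as ET

IOC_XML = r"""
<ioc id="example-0001">
  <description>Constructed indicator for a bot-style remote access trojan</description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context search="FileItem/Md5sum"/>
        <Content>0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context search="ProcessItem/name"/>
          <Content>svchost</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context search="ProcessItem/path"/>
          <Content>\AppData\Roaming\</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem condition="is">
        <Context search="RegistryItem/KeyPath"/>
        <Content>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshots: the artifact lists an endpoint agent would gather.
HOSTS = {
    "ws-001": {  # clean: svchost from System32, no persistence key
        "FileItem": [{"Md5sum": "fedcba9876543210fedcba9876543210", "FullPath": r"C:\Windows\notepad.exe"}],
        "ProcessItem": [{"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"}],
        "RegistryItem": [],
    },
    "ws-002": {  # svchost.exe running out of the roaming profile
        "ProcessItem": [{"name": "svchost.exe", "path": r"C:\Users\bob\AppData\Roaming\svchost.exe"}],
    },
    "ws-003": {  # persistence key present
        "ProcessItem": [{"name": "explorer.exe", "path": r"C:\Windows\explorer.exe"}],
        "RegistryItem": [{"KeyPath": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"}],
    },
    "ws-004": {  # known-bad file hash, reported in a different letter case
        "FileItem": [{"Md5sum": "0123456789ABCDEF0123456789ABCDEF", "FullPath": r"C:\Temp\a.exe"}],
    },
}


def _leaf_matches(item, host):
    """True if any artifact of the named type satisfies the IndicatorItem."""
    artifact_type, field = item.find("Context").get("search").split("/", 1)
    wanted = item.find("Content").text.strip().lower()
    cond = item.get("condition", "is")
    for artifact in host.get(artifact_type, []):
        actual = str(artifact.get(field, "")).lower()
        if cond == "is" and actual == wanted:
            return True
        if cond == "contains" and wanted in actual:
            return True
    return False


def _indicator_matches(node, host):
    """Evaluate an Indicator node: AND/OR over its children, recursively."""
    results = []
    for child in node:
        if child.tag == "IndicatorItem":
            results.append(_leaf_matches(child, host))
        elif child.tag == "Indicator":
            results.append(_indicator_matches(child, host))
    if not results:
        return False
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)


def sweep(ioc_xml, hosts):
    """Return the names of the hosts on which the indicator fires."""
    top = ET.fromstring(ioc_xml).find("definition/Indicator")
    return [name for name, snapshot in hosts.items() if _indicator_matches(top, snapshot)]


if __name__ == "__main__":
    print("compromised:", sweep(IOC_XML, HOSTS))  # ['ws-002', 'ws-003', 'ws-004']
```

One caveat worth noticing in the evaluator: the AND group is decided at host level, so a host where one process is named svchost and a different process happens to run from the roaming profile would also fire. Where an indicator means "the same process has both properties", a production sweeper has to scope the AND to a single artifact, or the sweep will page analysts for hosts that are merely busy.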

MIR 2.0 features and benefits include:
