News from the Front: The Battle against Identity Theft

News from the Front: The Battle against Identity Theft October 30, 2006 Constantine Karbaliotis, LL.B., CIPP


Page 1: News from the Front: The Battle against Identity Theft

News from the Front: The Battle against Identity Theft

October 30, 2006

Constantine Karbaliotis, LL.B., CIPP

Page 2: News from the Front: The Battle against Identity Theft

News from the Front 2

Abstract

Drawing on data gathered through Symantec’s Global Intelligence Network, which consists of millions of systems world-wide, this session focuses on the nature of the attacks, such as phishing scams and malware, used to gain the critical information needed to commit identity fraud. Armed with this intelligence, the session speaks to the strengths of identity management in defending organizations as well as individuals from such attacks without encroaching on privacy.

Page 3: News from the Front: The Battle against Identity Theft


Agenda

• Intelligence Gathering

• The Battleground for Identity

• Know your Enemy

• Strategies and Tactics to Protect Identity

• Conclusion

Page 4: News from the Front: The Battle against Identity Theft

Intelligence Gathering

Page 5: News from the Front: The Battle against Identity Theft


What the Symantec Internet Security Threat Report is…

Information that:

• Provides a comprehensive analysis of Internet security activities and trends

• Compiled every six months

• Offers a complete view of today’s Internet security landscape

• Identifies and analyzes attacker methods and preferences

• Details the latest trends and information on:

  • Internet attacks

  • Vulnerabilities that have been discovered and exploited

  • Malicious code

  • Additional Security Risks - Adware, Spyware, Phishing, and Spam

• Provides a complete view of the state of the Internet

Page 6: News from the Front: The Battle against Identity Theft


Symantec’s sources of intelligence: The G.I.N.

• Hundreds of MSS customers

• Millions of security alerts per month

• Millions of threat reports per month

• 200,000 malware submissions per month

• >6,200 Managed Security Devices

• 120 Million Systems Worldwide

• 30% of World’s email Traffic

• Advanced Honeypot Network

• 74 Symantec Monitored Countries

• 4 Symantec SOCs

• 40,000+ Registered Sensors in 180+ Countries

• 8 Symantec Security Response Centers

[Map of G.I.N. locations: Twyford, England; Munich, Germany; Alexandria, VA; Sydney, Australia; Redwood City, CA; Santa Monica, CA; Calgary, Canada; San Francisco, CA; Dublin, Ireland; Pune, India; Taipei, Taiwan; Tokyo, Japan]

Page 7: News from the Front: The Battle against Identity Theft

The Battleground for Identity

Page 8: News from the Front: The Battle against Identity Theft


ISTR X Main Findings

Home users are often the weakest link in the chain and are the most targeted

Malicious code is increasingly targeted at individual organizations and there is a rise in new, previously unseen malicious code, especially Trojans

Web-enabled technologies and browsers are the preferred target of attack - Web 2.0 and AJAX

Re-emergence of older attack methods and social engineering on the rise - continued increase in unique phishing messages

Page 9: News from the Front: The Battle against Identity Theft


Attack Trends – Denial of Service - Top Target Countries

During the current reporting period, Symantec saw an average of 6,110 Denial of Service attacks per day. The average grew from 4,000 per day in January to over 7,500 per day in June. One period in March saw a spike to over 8,000.

The U.S. was the most targeted nation for DoS attacks followed by China and the United Kingdom.

Page 10: News from the Front: The Battle against Identity Theft


Attack Trends – Denial of Service - Top Targeted Sectors

Internet Service Providers - bigger net = more fish

Government - high profile

Telecom - regional, smaller ISPs

Page 11: News from the Front: The Battle against Identity Theft


Attack Trends – Top Originating Countries

The United States remains the top source country for attacks with 37% of the worldwide total. Attacks originating from the United States grew by 29% due to a large increase in broadband users.

China increased from 7% to 10% of the worldwide total. Attacks grew by 37%.

Page 12: News from the Front: The Battle against Identity Theft


Attack Trends – Top targeted sectors

Home users are often targets of opportunity and provide “cover” for larger, more targeted attacks

Targeted attacks against Government, Information Technology, Utilities and Energy are on the rise.

Page 13: News from the Front: The Battle against Identity Theft


Attack Trends – Web browser attack distribution

Despite having a lower number of vulnerabilities this reporting period than Mozilla, Internet Explorer is the most targeted browser for attack due to high profile vulnerabilities and widespread deployment.

The “Multiple browsers” category covers vulnerabilities that affect all of the browsers included in this metric

Page 14: News from the Front: The Battle against Identity Theft


Attack Trends – Additional Data Points

Top Wireless Threats

Probing for access point - 30%

Spoofed MAC Address - 17%

Top Browser Attacks

Multiple Browser Zero Width GIF Image Memory Corruption Attack - 31%

5 of the Top 10 are IE specific - 3 are Mozilla specific

Page 15: News from the Front: The Battle against Identity Theft


Vulnerability Trends – Web Browsers (Vendor and Non-vendor confirmed)

Mozilla browsers (Mozilla and Firefox) had the highest number of reported vulnerabilities during this reporting period with 47, almost 3 times the number reported during the last reporting period (17). Internet Explorer was second with 38, a 52% increase over the previous reporting period.

For the past three reporting periods, vulnerabilities affecting Apple’s Safari web browser (12) have continued to increase.

Page 16: News from the Front: The Battle against Identity Theft


Vulnerability Trends – W.O.E. - Web browsers

Window of exposure is the time between the announcement of a vulnerability and a vendor-supplied patch, minus the number of days before the appearance of an exploit.

In general, the patch development time for browsers is shorter than for other W.O.E. metrics, as vendors seem to respond more quickly to web browser vulnerabilities.

Page 17: News from the Front: The Battle against Identity Theft


Vulnerability Trends – Volume

Between January 1 and June 30, 2006, the total number of vulnerabilities grew by 18% over the previous reporting period and 20% over the same period last year.

This growth is primarily due to the high percentage of Web application vulnerabilities. Once again, this is the highest total Symantec has ever recorded.

Page 18: News from the Front: The Battle against Identity Theft


Vulnerability Trends – Easily exploitable vulnerabilities by type - Web applications

69% of all vulnerabilities reported were web application vulnerabilities, a slight increase over the previous reporting period.

80% of all vulnerabilities were easily exploitable. Of those, the largest proportion (78%) were web application vulnerabilities. This is due in part to a quicker release cycle, less secure coding practices and low complexity vulnerabilities.

Page 19: News from the Front: The Battle against Identity Theft


Vulnerability Trends – W.O.E. - Enterprise Vendors

The window of exposure for enterprise vendors continues to shrink primarily due to the increased speed at which vendors are developing patches.

Page 20: News from the Front: The Battle against Identity Theft


Vulnerability Trends – Operating system vendors - Time-to-patch

Over the past three reporting periods, Microsoft has had the shortest patch development time of all operating system vendors.

Microsoft is beginning to challenge the “open-source is quicker” school of thought

Page 21: News from the Front: The Battle against Identity Theft


Vulnerability Trends – Additional Data Points

Exploit development time for Web browsers

Internet Explorer - 1 day (0 days during last reporting period)

Mozilla - 2 days (7 days during last reporting period)

Safari - 0 days (0 days during last reporting period)

Opera - 0 days (0 days during last reporting period)

Patch development time for Web browsers

Internet Explorer - 10 days (25 days during the last reporting period)

Mozilla - 3 days (5 days during the last reporting period)

Safari - 5 days (0 days during the last reporting period)

Opera - 2 days (18 days during the last reporting period)

Exploit code release period

25% - less than one day (decrease of 8 percentage points from last reporting period)

33% - one to six days (increase of 4 percentage points from last reporting period)

Page 22: News from the Front: The Battle against Identity Theft


Malicious Code Trends – Win32 Variants

Nearly a 40% reduction from the previous reporting period - predicted decline in future periods

22% of the Top 50 reported samples were bots - an increase of two percentage points

Page 23: News from the Front: The Battle against Identity Theft


Malicious Code Trends – Previously Unseen malicious code (proportion of all threats)

Detected by Symantec Honeypots - higher proportions indicate that attackers are more actively trying to evade signature based detection methods.

Primarily due to variants utilizing metamorphic code, run-time packers and changes to code functionality.

Page 24: News from the Front: The Battle against Identity Theft


Malicious Code Trends – Top ten new malicious code families

New techniques and more dangerous threats appear:

Polip - polymorphic

Bomka - uses rootkit techniques, click fraud

Page 25: News from the Front: The Battle against Identity Theft


Malicious Code Trends – Malicious code types by volume

Worms - primarily mass mailers - continue to dominate. 60% increase over the previous reporting period.

Decline in back door levels due to a decline in reports of Spybot, Gaobot and Randex. Only Spybot remains in the Top 50. Back door levels are high due to Mytob variants (16 of the Top 50).

Trojans have dropped from 21 of the Top 50 reports to 10 in the current reporting period.

Page 26: News from the Front: The Battle against Identity Theft


Malicious Code Trends – Propagation vectors

SMTP continues to be the top propagation mechanism - 1 out of every 122 email messages contained malicious code. Driven by Netsky, Beagle, Mytob and SoberX.

All of the Top Ten malicious code samples reported to Symantec utilized SMTP as a propagation mechanism.

Page 27: News from the Front: The Battle against Identity Theft


Malicious Code Trends – Exposure of confidential information

Threats that expose sensitive data such as system information, confidential files, documents, cached logon credentials, credit card details, etc. Potential use in criminal activities resulting in significant financial losses.

Page 28: News from the Front: The Battle against Identity Theft


Malicious Code Trends – Instant messaging threats

Variants of Spybot, Gaobot, Esbot and Randex commonly use AOL Instant Messenger as a propagation mechanism.

The announced interoperability of Yahoo! Instant Messenger and Windows Live Messenger may result in attackers focusing on these protocols to maximize potential propagation.

Page 29: News from the Front: The Battle against Identity Theft


Malicious Code Trends – Additional Data Points

The top ten malicious code samples reported to Symantec during the current reporting period:

Sober.X

Blackmal.E

Netsky.P

Beagle.DL

Mytob.EA

Beagle.AG

Mytob.AG

Mytob.DF

Mytob

Mytob.EE

Tooso was the most reported Trojan (modular) and Netsky.P was the most reported threat to confidential information

The number of modular malicious code samples in the Top ten (36) has remained the same as in the previous reporting period, though the overall volume has dropped to 79% from 88%.

Page 30: News from the Front: The Battle against Identity Theft


Phishing - Unique phishing messages

Definitions:

Phishing message - single, unique message sent to targets with the intent of gaining confidential or personal information. Each message has different content and different method of trying to obtain information.

Phishing attempt - instance of a phishing message being sent to an individual user(s).

81% increase over the previous reporting period - Average of 865 unique phishing messages per day

Page 31: News from the Front: The Battle against Identity Theft


Phishing - Top targeted most phished sectors

9 of the top ten brands phished are from the Financial Services sector.

Symantec saw an average of 7.19 million phishing attempts per day down from the 7.91 million observed during the last reporting period.

Blocked phishing messages decreased from 1.46 billion in the last report to 1.3 billion this reporting period, an 11% decrease.

Page 32: News from the Front: The Battle against Identity Theft


Spam - Top countries of origin, categories and volume

Between January 1st and June 30th, 2006, the average percentage of email that is Spam was 54%, a 4 percentage point increase from the last reporting period.

Health makes up 26% of all spam, followed by Adult with 22%. Health and Adult traditionally have the highest click-through rates, as they are more difficult to market through traditional means.

Canada and South Korea were the only countries with a drop in percentage - 2% each

Page 33: News from the Front: The Battle against Identity Theft


Spam - Percentage of spam containing malicious code

From January 1 - June 30, 2006, 0.81% of all spam contained malicious code - 1 out of every 122 spam messages contained malicious code

Spam with malicious attachments is likely blocked by spam filtering and anti-virus software. In response, malicious code authors are more likely to include a URL in a spam message which links to a malicious website or directly downloads malicious code

Page 34: News from the Front: The Battle against Identity Theft


Security Risks – Top ten new security risks

Misleading applications constitute three of the Top Ten new security risks. ErrorSafe represented 19% of new security risks reported to Symantec

The most reported Adware from January 1 - June 30, 2006 was Hotbar (24%) and 6 of the Top ten employed some form of anti-removal techniques.

Page 35: News from the Front: The Battle against Identity Theft


Future Watch

Web 2.0 and AJAX: Symantec speculates that Web 2.0 security threats and AJAX attacks will increase.

Windows Vista: Symantec speculates that the new features and changes to Windows Vista’s code base, in conjunction with increased scrutiny from security researchers and malicious code authors, will result in previously unseen attacks.

Increase in polymorphic malicious code: Due to the difficulty in detecting and removing polymorphic viruses, Symantec speculates that more malicious code authors may begin to use more polymorphic techniques at all levels of malicious code development.

Page 36: News from the Front: The Battle against Identity Theft

Know your Enemy

Page 37: News from the Front: The Battle against Identity Theft


From Oceans 11 to 7-11

Common Attacks of Yesterday

Sneak through the network perimeter

Steal customer data or intellectual property

Make the escape unnoticed

Common Attacks of Today

Don’t bother penetrating the network

Phish or use crimeware on a company’s customers when they’re online

Aggregate and sell their data on the black market or use it yourself

Page 38: News from the Front: The Battle against Identity Theft


Successfully Exploiting Home Users Makes Fraudsters $$$

[Diagram of the fraud supply chain: Spammer and Botherder send Phishing Messages to Victims; the Fraud Website (+ Trojan horse) feeds the Phisher; stolen data is collected on an Egg Drop Server and monetized by the Cashier]

Page 39: News from the Front: The Battle against Identity Theft


“Underground” Economies

Page 40: News from the Front: The Battle against Identity Theft


“Underground” Economies (2)

Page 41: News from the Front: The Battle against Identity Theft


Who are most of the attackers looking to victimize?

Home users are targets of opportunity – attackers “casting the net” to find victims

Financial Services remains interesting – go to the money

Page 42: News from the Front: The Battle against Identity Theft


Crimeware & The Fraud Community

I'm here to sell a working version of win32.grams trojan, for those who don't know what this trojan does i will explain. It simply steals all the e-gold from the victims account and transfers all the gold into your account. Simple and efficient.

The trojan has been tested successfully with Windows XP (all SP's) and works ONLY on IE (Internet Explorer).

If any bugs are found it is my responsibility to fix them immediately.

The price for this wonder trojan is only 1000 dollars and I accept only WU / MG and e-gold.

Page 43: News from the Front: The Battle against Identity Theft


Making $$$ By Exploiting Browsers: Rogue Distributors

Rogue distribution networks make money by using browser exploits to install downloader Trojans

The downloaders are then used to install adware & spyware

Reportedly pay for 0-day vulnerabilities such as WMF

WMF vulnerability said to be purchased for ~$4K USD

Discovered in active exploit via iframecash.biz & others

Page 44: News from the Front: The Battle against Identity Theft


Web Attacker: Automated Tools Make it Easy

Page 45: News from the Front: The Battle against Identity Theft


How much can they make? Ask Direct Revenue

The spoils of spyware: all execs at Direct Revenue became millionaires in 2004

Page 46: News from the Front: The Battle against Identity Theft


Good news: window of exposure (WOE) is shrinking

Limited set of vendors: Symantec, Microsoft, Cisco, Sun, HP, EMC, IBM, Oracle, CA & McAfee

The window of exposure for enterprise vendors continues to shrink primarily due to the increased speed at which vendors are developing patches

Page 47: News from the Front: The Battle against Identity Theft


[Timeline]

Day 1 - Vulnerability Announced

Day 3 - Exploit Becomes Public

Day 31 - Patch Available

Bad news: it’s still 28 days on average

~28 Day Window of Exposure With No Patch for Protection

Source: Internet Security Threat Report X, September 2006. All numbers above are averages.

Page 48: News from the Front: The Battle against Identity Theft


Worse news: averages don’t tell the real story

Old proverb: Never cross a river that’s on average 5 feet deep

Zero day attacks are not unusual anymore

A few key vulnerabilities get the bulk of the exploit action

[Chart examples: WMF (Jan 06), VML (Sep 06)]
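The window-of-exposure definition from the W.O.E. slide and the Day 1 / Day 3 / Day 31 timeline, carried through in code as an added example (mine, not the report's or the presenter's). The `VulnTimeline` record, `summarize` and all records other than the slide's 1/3/31 timeline are constructed to show why the average hides zero-day and unpatched cases.

```python
"""Window-of-exposure (W.O.E.) metrics from vulnerability timelines.

Added example, not from the presentation or the ISTR. It applies the
slide's definition: window of exposure = (days from announcement to
vendor patch) minus (days from announcement to first public exploit).
The Day 1 / Day 3 / Day 31 timeline is the slide's own; the other
records are constructed (dates invented) to show why an average hides
zero-day cases, the slide's "river on average 5 feet deep" point.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class VulnTimeline:
    name: str
    announced: date
    exploit_public: Optional[date]   # None: no public exploit seen
    patch_available: Optional[date]  # None: still unpatched


def exploit_dev_days(v: VulnTimeline, as_of: date) -> Optional[int]:
    """Days from announcement to first exploit; negative means a zero-day."""
    if v.exploit_public is None:
        return None
    return (v.exploit_public - v.announced).days


def patch_dev_days(v: VulnTimeline, as_of: date) -> int:
    """Days from announcement to patch; an unpatched bug counts up to as_of."""
    return ((v.patch_available or as_of) - v.announced).days


def window_of_exposure(v: VulnTimeline, as_of: date) -> int:
    """Slide definition: patch time minus exploit time, floored at zero."""
    exploit = exploit_dev_days(v, as_of)
    if exploit is None:          # no exploit: nothing to be exposed to
        return 0
    return max(0, patch_dev_days(v, as_of) - exploit)


def is_zero_day(v: VulnTimeline) -> bool:
    """Exploit public on or before the day the vulnerability was announced."""
    return v.exploit_public is not None and v.exploit_public <= v.announced


def summarize(vulns, as_of: date) -> dict:
    """The average W.O.E. beside the figures the average hides."""
    woes = [window_of_exposure(v, as_of) for v in vulns]
    return {
        "mean_woe": mean(woes),
        "median_woe": median(woes),
        "max_woe": max(woes),
        "zero_days": sum(is_zero_day(v) for v in vulns),
        "unpatched": sum(v.patch_available is None for v in vulns),
    }


# Slide timeline: announced day 1, exploit day 3, patch day 31 (dates chosen
# so that day 1 = 1 Jan 2006); the remaining records are constructed.
SAMPLE = [
    VulnTimeline("slide-average", date(2006, 1, 1), date(2006, 1, 3), date(2006, 1, 31)),
    VulnTimeline("constructed-zero-day", date(2006, 1, 10), date(2006, 1, 6), date(2006, 1, 14)),
    VulnTimeline("constructed-quick-patch", date(2006, 2, 1), None, date(2006, 2, 3)),
    VulnTimeline("constructed-unpatched", date(2006, 3, 1), date(2006, 3, 1), None),
]
AS_OF = date(2006, 3, 31)

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name:24s} W.O.E. = {window_of_exposure(v, AS_OF):3d} days")
    print(summarize(SAMPLE, AS_OF))
```

The slide's own record comes out at 28 days, but the summary also reports how many of the records were exploited before disclosure or are still unpatched, which the mean alone does not show.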

Page 49: News from the Front: The Battle against Identity Theft

Strategies and Tactics to Protect Identity

Page 50: News from the Front: The Battle against Identity Theft


Protect Thy Customer

Education – let them know how you communicate, inform them of any new twists in attacks that might catch them off-guard

Communication: Consider fraud alerting services & contribute known fraud to the PRN phish blocking community (free)

Page 51: News from the Front: The Battle against Identity Theft


Protect Thy Customer (2)

Establish zero-hour, behavioral detection and mitigation of malicious threats – less reliant on ‘signatures’

Establish protection that follows users

Establish protection from the unmanaged endpoints

Page 52: News from the Front: The Battle against Identity Theft


Protect Thy Customer (2)

Become the customer’s IT department

Advise customers to use, or better, provide them, with products, toolbars, and/or web browsers with anti-phishing protection

Page 53: News from the Front: The Battle against Identity Theft


Protect Thy Customer (3)

Put your customer in charge of their identity: identity management tools, preference management

As a consumer, I want to:

• Have a single sign-on to my personal information

• NOT have any enterprise aware of what I am doing elsewhere

• NOT communicate any information about myself, until I CHOOSE to do so

• Know that even within the systems of the businesses I do business with, my identity is protected, and that in the event of a breach of security the information is anonymized or encrypted

Page 54: News from the Front: The Battle against Identity Theft


Make Yourself Unattractive

Validate track 2 magnetic stripe information: it’s not phishable data and makes your business a lot less “cashable”

“Up to half of U.S. banks fail to validate Track 2 data and only rely on customer PINs to authorize ATM transactions” – C|net

Use multi-factor authentication:

• Something the user is (fingerprint, retinal pattern)

• Something the user has (security token, software token, cell phone)

• Something the user knows (password, pass phrase, PIN)

Can be broken, but it makes attackers work harder
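An issuer-side Track 2 check of the kind the slide recommends, as an added example (mine, not the presenter's or any bank's code). It assumes the ISO 7813 Track 2 layout and, in place of the DES-based CVV1 scheme real issuers use, a keyed HMAC so the example runs offline; `ISSUER_CVK`, the test PAN and the forged stripe are constructed.

```python
"""Issuer-side validation of Track 2 magnetic-stripe data.

Added example, not from the presentation or any bank's code. The slide's
point: a PIN can be phished, but the card-verification value written into
the Track 2 discretionary field never appears on a web form, so an issuer
that checks it makes phished data far less "cashable".

Assumptions (mine): Track 2 follows the ISO 7813 layout
";PAN=YYMMSSS<discretionary>?" with the card-verification value as the
last three discretionary digits, and the issuer derives that value with a
keyed MAC. Real issuers use the DES-based CVV1 scheme with keys held in an
HSM; HMAC-SHA256 stands in here so this runs offline.
"""
import hashlib
import hmac
import re
from datetime import date

# Constructed card-verification key; a real CVK lives in an HSM.
ISSUER_CVK = b"constructed-example-card-verification-key"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: rejects mistyped or fabricated PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def derive_cvv(pan: str, expiry: str, svc: str) -> str:
    """Stand-in for CVV1: keyed MAC over the static card fields, 3 digits."""
    mac = hmac.new(ISSUER_CVK, f"{pan}|{expiry}|{svc}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def encode_track2(pan: str, expiry: str, svc: str) -> str:
    """Issuer-side personalisation: what a genuine card's stripe carries."""
    return f";{pan}={expiry}{svc}{derive_cvv(pan, expiry, svc)}?"


def validate_track2(raw: str, today: date) -> tuple:
    """Return (accepted, reason). Runs before the PIN is even looked at."""
    m = TRACK2_RE.match(raw)
    if not m:
        return False, "malformed track 2"
    f = m.groupdict()
    if not luhn_ok(f["pan"]):
        return False, "PAN fails Luhn check"
    yy, mm = int(f["yy"]), int(f["mm"])
    if not 1 <= mm <= 12:
        return False, "bad expiry month"
    if (2000 + yy, mm) < (today.year, today.month):  # valid through end of month
        return False, "card expired"
    if len(f["disc"]) < 3:
        return False, "no card-verification value on stripe"
    expected = derive_cvv(f["pan"], f["yy"] + f["mm"], f["svc"])
    if not hmac.compare_digest(f["disc"][-3:], expected):
        return False, "CVV mismatch: stripe not personalised by this issuer"
    return True, "ok"


# Constructed sample: a well-known Luhn-valid test PAN, not a real account.
GENUINE = encode_track2("4111111111111111", "0812", "101")
VALIDATION_DAY = date(2006, 10, 30)


def forged_from_phished(genuine: str) -> str:
    """Stripe written by someone who knows only PAN, expiry and PIN."""
    head, real_cvv = genuine[:-4], genuine[-4:-1]
    wrong = f"{(int(real_cvv) + 1) % 1000:03d}"  # any value but the real one
    return f"{head}{wrong}?"


if __name__ == "__main__":
    print(validate_track2(GENUINE, VALIDATION_DAY))
    print(validate_track2(forged_from_phished(GENUINE), VALIDATION_DAY))
```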

Page 55: News from the Front: The Battle against Identity Theft


Block Web Attacks

Standardize web browsers to the extent that you can

Patch your web browser(s) of choice as soon as possible

Block exploits through host-based IPS & modern AV

Make sure people who enter your networks are “clean” and have up-to-date protection. They are the biggest risk since they live outside perimeter protections. This means network access compliance (NAC) of some sort.

Page 56: News from the Front: The Battle against Identity Theft


Cleaning up after a successful web attack

Ensure you have an up-to-date AV or Anti-Spyware product

Make sure you get the downloader (usual source of the problem)

Keep an eye out for misleading applications

Address any signs of high risk user behavior

Page 57: News from the Front: The Battle against Identity Theft


Keeping ahead of the vulnerability flood

Intrusion prevention at the network and the host: defend against unprotected hosts inside the perimeter & when employees are remote (outside the perimeter)

Anti-Virus can block the file-based attacks (e.g. WMF, VML), but keep it current: WMF changed every day and required frequent updates

Routinely assess your environment for vulnerabilities & mis-configurations

Have a patch process in place

Example: Vulnerability in Server Service (MS06-040, Critical)

• Vulnerability Announced: August 8th, 2006

• Symantec IPS Protection: August 8th, 2006

• 1st Public Exploit: August 10th, 2006

• 1st Worm: August 11th, 2006

Page 58: News from the Front: The Battle against Identity Theft


Do not become the Enemy…

Consider whether your tactics create greater risk: using biometric information may create higher security, but are you now creating a greater risk?

Use privacy impact assessments to determine the impact even of technologies introduced to protect identity

Are you doing the right things to avoid risk to your customers? Information inside the enterprise is the prize – are you keeping information unnecessarily?

Page 59: News from the Front: The Battle against Identity Theft


Know your Weaknesses

Unstructured information (Word documents, e-mails) on mail and file servers on local office LANs as well as WANs

Web, e-commerce systems collect personal information and preferences, and utilize technologies such as tracking cookies

Backup systems are ‘snapshots’ of the whole network, maintained for years

While security/access is based on role, in general within individual systems there are no role-based access controls that limit what can be seen or accessed

A lot of information is ‘portable’ – contained on laptops or PDA’s used by sales and field technicians

Page 60: News from the Front: The Battle against Identity Theft


Know your Weaknesses (2)

CRM systems contain information about contacts within customers, suppliers, business partners

Many businesses have an unrecognized risk with business customers who are unincorporated – personal information is also business information:

• Credit reports and payment histories in internal systems or shared with or obtained from third parties

• Leasing and financing data, including personal guarantees

• Collections information

In human resource systems, corporations maintain information about potential candidates (resumes, background checks), employees, and ex-employees

Most customer and technical support systems contain a wealth of personal information

Page 61: News from the Front: The Battle against Identity Theft


Where technology can’t help

Security and privacy are aspects of good governance, and not simply IT issues

Enforcing ‘best practices’ is an issue for both IT and the ‘business’ sides

Recognized standards that are both measurable and auditable (i.e. creating evidence of compliance) are key to achieving compliance

Education and awareness are often the ‘missing’ ingredient to good security and privacy practices, and cannot be overlooked

Page 62: News from the Front: The Battle against Identity Theft

Conclusion

Page 63: News from the Front: The Battle against Identity Theft


It’s a battle…

Critical to understand the nature of the struggle underway:

• The ‘opposition’ is organized and capable

• The stakes are high

• The battle is on many fronts

Necessary to think in terms of strategy and tactics

You must act as the customer’s IT department to ensure that you preserve the customer’s confidence in your enterprise

Page 64: News from the Front: The Battle against Identity Theft

Appendix A: Presenters’ Background

Page 65: News from the Front: The Battle against Identity Theft


Constantine Karbaliotis, LL.B., CIPP

Canadian Senior Compliance Business Specialist; called to the Bar of the Province of Ontario in 1986; practiced law in the areas of litigation and intellectual property for ten years, as well as arbitration and mediation; teaching at Bar Admission Course and CLE programs

Ten years consulting experience with small to large law firms, public legal sector, as well as other public sector and private sector organizations

Experience with both document management and privacy, security and project management, government

Video Remand and Bail Project – worked for 3 years within Ontario government to establish largest criminal justice video network, won a Diamond award at Showcase 2001

Certified Information Privacy Professional