Survey Says Attacks are Down
But hackers may be relying more on inside men to get the job done.
Hacking/Denial of Service
Deloitte's 2005 Global Security Survey
has been published. Significant findings in this year's survey included:
- Fewer of the top 100 financial institutions experienced IT security breaches.
The number was down to 33 percent this year, compared with 83 percent last
- Internal IT security breaches more than doubled.
As for the drop in security incidents, nothing incredibly significant has changed
in the IT security landscape to account for it; it may be due to additional
experience in identifying and dealing with such attacks. It's also noteworthy
that over the past 12 months there hasn't been a significant world-wide IT security
event, which may have accounted for many of the past year's reports of external
IT security breaches. With fewer external events to focus security teams on,
it's also possible that they had more time to concentrate on discovering internal
IT security events.
It's hard to say whether the increase in internal breaches is the result of
better investigations, discovering the internal component of what may have previously
been believed to be a completely external attack, or that attackers are putting
more effort into involving an internal person.
Two distinct vulnerabilities have been discovered in Microsoft objects.
The first is a vulnerability in the Log Sink Class ActiveX control.
The control is incorrectly marked safe for scripting, and safe for initialization,
in any security zone. As a result, it's possible for an attacker to cause files
to be created on the victim system. Patches are available.
The second is a vulnerability in the JAVAPRXY.DLL COM object. The control
incorrectly handles additional code supplied during initialization, and as a
result it's possible for an attacker to initialize the control and supply code
of his choice to run when the control is started. Patches are not available,
but instructions have been provided on how to limit the object's invocation,
or disable it entirely. Also, a scanning tool is available from Microsoft to
determine which systems contain the vulnerable control.
The insidious thing about this is that if you've done a new installation of
Windows XP bundled with Service Pack 1a or 2, or a new installation of Windows
Server 2003, you didn't install the Microsoft JVM (Java Virtual Machine) and
therefore probably don't have the vulnerable object.
But if you upgraded from a previous version of Windows to either of the above,
you probably do have the vulnerable control (and the Microsoft JVM). Further,
other applications may have required the JVM and installed it as part of their
installation process. The result is that the object's presence on your network
may be arbitrary, which is why Microsoft produced a scanning tool to determine
which systems contain the JVM. It's available at http://snipurl.com/4lut.
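Whether a control like the Log Sink class or JAVAPRXY.DLL can be reached from a web page comes down to three registry facts: whether it is marked Safe for Scripting, whether it is marked Safe for Initialization, and whether Internet Explorer's kill bit has been set for its CLSID (the "disable it entirely" option the column mentions). The following is an added example, not code from the column or from Microsoft, that evaluates those facts. It works over a constructed snapshot of the relevant keys so it runs anywhere; the CLSIDs in the snapshot are placeholders, not the real ones for the controls discussed, while the two category GUIDs, the ActiveX Compatibility key and the 0x400 flag are the documented values. On Windows, the assumed helper live_snapshot() reads the same keys with winreg.

```python
"""Decide whether a COM/ActiveX control is exposed to script in Internet Explorer.

Added example, not from the column. Three registry facts decide exposure:
  * HKCR\CLSID\{clsid}\Implemented Categories\{CATID_SAFE_FOR_SCRIPTING}
  * HKCR\CLSID\{clsid}\Implemented Categories\{CATID_SAFE_FOR_INIT}
  * HKLM\...\ActiveX Compatibility\{clsid}  "Compatibility Flags" & 0x400 (kill bit)
"""
import re

CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400
KILLBIT_SUBKEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_BASE = "HKLM\\" + KILLBIT_SUBKEY

# Constructed snapshot of the relevant keys. The CLSIDs are placeholders, not the
# real identifiers of the Log Sink or JAVAPRXY.DLL controls.
SNAPSHOT = {
    r"HKCR\CLSID\{11111111-0000-0000-0000-000000000001}": {
        "InprocServer32": r"C:\WINDOWS\system32\example-logsink.dll",
        "Implemented Categories": [CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INIT],
    },
    r"HKCR\CLSID\{22222222-0000-0000-0000-000000000002}": {
        "InprocServer32": r"C:\WINDOWS\system32\example-javaprxy.dll",
        "Implemented Categories": [CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INIT],
    },
    r"HKCR\CLSID\{33333333-0000-0000-0000-000000000003}": {
        "InprocServer32": r"C:\WINDOWS\system32\example-other.dll",
        "Implemented Categories": [],
    },
    # Kill bit already set for the second control, as Microsoft's workaround would do.
    KILLBIT_BASE + r"\{22222222-0000-0000-0000-000000000002}": {"Compatibility Flags": 0x400},
}


def assess(clsid, snapshot=SNAPSHOT):
    """Describe one control's exposure, or return None if it is not registered."""
    entry = snapshot.get("HKCR\\CLSID\\" + clsid)
    if entry is None:
        return None
    cats = {c.upper() for c in entry.get("Implemented Categories", [])}
    flags = snapshot.get(KILLBIT_BASE + "\\" + clsid, {}).get("Compatibility Flags", 0)
    safe_script = CATID_SAFE_FOR_SCRIPTING in cats
    safe_init = CATID_SAFE_FOR_INIT in cats
    killed = bool(flags & KILL_BIT)
    return {
        "dll": entry.get("InprocServer32"),
        "safe_for_scripting": safe_script,
        "safe_for_initialization": safe_init,
        "kill_bit": killed,
        # A page can instantiate it only if it is marked safe and not kill-bitted.
        "scriptable_from_web": (safe_script or safe_init) and not killed,
    }


def find_scriptable(snapshot=SNAPSHOT):
    """CLSIDs in the snapshot that a web page can still instantiate and script."""
    found = []
    for key in snapshot:
        m = re.fullmatch(r"HKCR\\CLSID\\(\{[0-9A-Fa-f-]+\})", key)
        if m and assess(m.group(1), snapshot)["scriptable_from_web"]:
            found.append(m.group(1))
    return sorted(found)


def kill_bit_entry(clsid):
    """The registry value that disables a control in IE (what the workaround sets)."""
    return {KILLBIT_BASE + "\\" + clsid: {"Compatibility Flags": KILL_BIT}}


def live_snapshot(clsid):
    """Windows only: read the same keys for one CLSID with winreg (assumed helper)."""
    import winreg
    snap = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid) as k:
            entry = {"Implemented Categories": []}
            try:
                entry["InprocServer32"] = winreg.QueryValue(k, "InprocServer32")
            except OSError:
                pass
            try:
                with winreg.OpenKey(k, "Implemented Categories") as cats:
                    i = 0
                    while True:  # EnumKey raises OSError when the subkeys run out
                        entry["Implemented Categories"].append(winreg.EnumKey(cats, i))
                        i += 1
            except OSError:
                pass
            snap["HKCR\\CLSID\\" + clsid] = entry
    except OSError:
        return snap  # not registered: nothing else to read
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KILLBIT_SUBKEY + "\\" + clsid) as k:
            value, _ = winreg.QueryValueEx(k, "Compatibility Flags")
            snap[KILLBIT_BASE + "\\" + clsid] = {"Compatibility Flags": value}
    except OSError:
        pass
    return snap
```

Running find_scriptable() over the snapshot reports only the first placeholder control: the second is marked safe but kill-bitted, the third is registered but never marked safe. The same assess() call over live_snapshot(clsid) answers the column's question of whether a given machine still carries an exposed control.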
PHP Extension and Application Repository (PEAR) prior to version 1.3.1
contains a vulnerability in its implementation of XML-RPC. XML-RPC provides
a means for programs on various operating systems to issue remote procedure
calls to XML-RPC servers over the Internet. The vulnerability permits PHP (a
scripting language) to be included in the XML-RPC stream, and that PHP is
executed when the RPC call is evaluated. An attacker could run PHP code of
his choice on the victim system as a result. Patches are available.
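The root cause of the PEAR bug is a decoding pattern, not a parsing accident: request text is spliced into source code that the server then evaluates. The following is an added example in Python (not PEAR's PHP and not the column's code) that puts that pattern beside a structural decoder built on the standard library's xmlrpc.client. The two requests are constructed; the "crafted" one carries only harmless arithmetic, enough to show that the eval-based decoder treats data as code while the safe decoder keeps it as a string.

```python
"""eval()-based XML-RPC decoding beside a structural decoder.

Added example, not from the column. decode_by_eval() mirrors the vulnerable
pattern in PEAR's XML_RPC (build source text from the request, then evaluate
it); decode_safely() builds values from the parse tree instead.
"""
import xml.etree.ElementTree as ET
import xmlrpc.client

# Constructed requests. CRAFTED contains a single quote that closes the string
# literal the vulnerable decoder builds, followed by an expression.
BENIGN = """<?xml version="1.0"?>
<methodCall><methodName>log.write</methodName>
<params>
  <param><value><string>hello</string></value></param>
  <param><value><int>7</int></value></param>
</params></methodCall>"""

CRAFTED = """<?xml version="1.0"?>
<methodCall><methodName>log.write</methodName>
<params>
  <param><value><string>a' + str(6*7) + 'b</string></value></param>
</params></methodCall>"""


def decode_by_eval(xml_text):
    """Vulnerable pattern: splice element text into source and eval it.

    Flat <string> and <int> params only; no escaping is applied, which is the bug.
    """
    root = ET.fromstring(xml_text)
    src = "["
    for param in root.iter("param"):
        node = param.find("value")[0]  # <string>, <int>, <i4>, ...
        text = node.text or ""
        if node.tag == "string":
            src += "'" + text + "',"          # quote characters in text are not escaped
        elif node.tag in ("int", "i4"):
            src += text + ","
        else:
            raise ValueError("unsupported type " + node.tag)
    return eval(src + "]")  # request text is now executed as code


def decode_safely(xml_text):
    """Structural decoding: values are built from the tree, never evaluated."""
    params, method = xmlrpc.client.loads(xml_text)
    return method, list(params)


def compare(xml_text):
    """Show whether the two decoders agree on what the request's parameters are."""
    by_eval = decode_by_eval(xml_text)
    _, safe = decode_safely(xml_text)
    return {"eval": by_eval, "safe": safe, "data_preserved": by_eval == safe}
```

For BENIGN both decoders agree. For CRAFTED the eval-based decoder returns "a42b", proof that the expression inside the parameter ran, while decode_safely() returns the parameter text unchanged. The fix in PEAR was the same in spirit: stop generating code from input and decode the document structurally.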
Be on the lookout for W32.Toxbot.C, a worm that allows a remote attacker
to gain unauthorized access to a system via IRC. The worm propagates by exploiting
the following vulnerabilities:
- Microsoft RPC DCOM vulnerability reported in MS03-026
and Cybertrust Alert 6307
- Microsoft Windows LSASS buffer overflow vulnerability reported in MS04-011
and Cybertrust Alert 7535
- Microsoft SQL Server privilege escalation vulnerability reported in MS02-061
and Cybertrust Alert 4762
- Veritas Backup Exec registration request buffer overflow vulnerability
The malcode writers are still using the "Swiss Army Knife" approach,
just trying anything they can. The new piece on Toxbot is the Veritas vulnerability.
People were wondering what was causing the port 10000 TCP hits, and the consensus
points to Toxbot.
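A worm that tries every exploit it carries leaves a distinctive trace: one source touching many destinations on the same small set of ports. The following is an added example, not code from the column, that runs that check over constructed iptables-style firewall log lines. The port-to-vulnerability mapping uses the well-known service ports for the four vulnerabilities the column lists (135/tcp for RPC DCOM, 445/tcp for LSASS, 1433/tcp for SQL Server, and the 10000/tcp Backup Exec agent port the column itself names); the log format and addresses are assumptions.

```python
"""Flag sources sweeping many hosts on the ports Toxbot's exploits target.

Added example, not from the column. Input is constructed iptables-style log
text; the detector counts distinct destinations per (source, port) and reports
sources that exceed a threshold on any of the worm's ports.
"""
import re
from collections import defaultdict

# Port -> vulnerability the column lists, with the bulletin where it gives one.
WORM_PORTS = {
    135: "RPC DCOM (MS03-026)",
    445: "LSASS buffer overflow (MS04-011)",
    1433: "SQL Server (MS02-061)",
    10000: "Veritas Backup Exec registration request overflow",
}

LINE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def _line(src, dst, dpt, proto="TCP"):
    return f"Jul 12 09:00:01 fw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO={proto} SPT=1025 DPT={dpt}"


# Constructed sample: one host sweeping 10000/tcp, one sweeping 135/tcp,
# and one ordinary client that happens to reach a single Backup Exec agent.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", f"10.0.0.{i}", 10000) for i in range(1, 7)]
    + [_line("192.0.2.10", f"10.0.0.{i}", 445) for i in range(1, 4)]
    + [_line("192.0.2.30", f"10.0.0.{i}", 135) for i in range(1, 6)]
    + [_line("192.0.2.20", "10.0.0.1", 80), _line("192.0.2.20", "10.0.0.2", 10000)]
    + [_line("192.0.2.40", "10.0.0.9", 10000, proto="UDP")]  # not TCP, ignored
)


def sweep_sources(log_text, threshold=5):
    """Return {src: {port: distinct_destinations}} for worm ports at or above threshold."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        port = int(m.group("dpt"))
        if port in WORM_PORTS:
            seen[m.group("src")][port].add(m.group("dst"))
    findings = {}
    for src, ports in seen.items():
        hits = {port: len(dsts) for port, dsts in ports.items() if len(dsts) >= threshold}
        if hits:
            findings[src] = hits
    return findings


def describe(findings):
    """Human-readable lines for an analyst, one per (source, port)."""
    out = []
    for src in sorted(findings):
        for port in sorted(findings[src]):
            out.append(f"{src} swept {findings[src][port]} hosts on {port}/tcp: {WORM_PORTS[port]}")
    return out


if __name__ == "__main__":
    for line in describe(sweep_sources(SAMPLE_LOG)):
        print(line)
```

On the sample the detector reports 192.0.2.10 for 10000/tcp (its three 445/tcp contacts stay under the threshold) and 192.0.2.30 for 135/tcp; the single 10000/tcp connection from 192.0.2.20 is the kind of legitimate Backup Exec traffic that makes a plain port filter noisy, which is why the count of distinct destinations, not the port alone, is the signal.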
Sophos has suggested that the huge increase in new pieces of malware
(7,944 new pieces in the first six months of this year, a 60 percent increase
over the same period last year) indicates that more criminals are seeking to
use malware to commit their crimes.
This column was originally published in our weekly Security Watch newsletter.
Cybertrust (my employer) has been stating that criminals have been using
malware for a considerable length of time; however, a dramatic increase in the
number of new pieces of malware doesn't necessarily prove Sophos' theory. For
example, numerous viruses this year, including MyTob, have produced hundreds
of variants in a very short time span, seemingly in an attempt to overwhelm
anti-virus vendors. The release last year of malware source code has also led
to a dramatic increase in the number of people who can author malware, most
of whom probably have no criminal intent per se.
Sophos also suggested that anti-spam laws were having an effect on criminals
who previously used spam to entice their victims, forcing them to shift from
spam to Trojans. Given that spam volume is up over last year, this connection
seems tenuous at best.
The University of Southern California's online system for accepting applications
from prospective students left the personal information of users publicly accessible,
school officials confirmed this week. The flaw put at risk "hundreds of
thousands" of records containing personal information, including names,
birth dates, addresses and Social Security numbers, according to the vulnerability's
Reports suggest the information was left available as a result of a misconfiguration
involving a SQL server that would allow SQL injection attacks. It's also unclear
whether this information was actually compromised, or whether the misconfiguration
was discovered and the school reported the possibility that the data may have
All banks in Hong Kong are now required to use two-factor authentication
to enhance security for high-risk online transactions. The Hong Kong Monetary
Authority mandated the upgrade and all banks there have complied.
Although the mandate didn't include specifics as to how two-factor authentication
was to be implemented, it appears the banks have chosen to use smart cards with
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.