
News from the Front: The Battle against Identity Theft

News from the Front: The Battle against Identity Theft. Constantine Karbaliotis, LL.B., CIPP. October 30, 2006. Abstract.


Presentation Transcript


  1. News from the Front: The Battle against Identity Theft Constantine Karbaliotis, LL.B., CIPP October 30, 2006

  2. Abstract • From data gathered through Symantec’s Global Intelligence Network – which consists of millions of systems world-wide – this session focuses on the nature of attacks used to gain critical information needed to commit identity fraud such as phishing scams and malware. Armed with this intelligence this session speaks to the strengths of identity management in defending organizations as well as individuals from such attacks without encroaching on privacy.

  3. Agenda • Intelligence Gathering • The Battleground for Identity • Know your Enemy • Strategies and Tactics to Protect Identity • Conclusion

  4. Intelligence Gathering

  5. What the Symantec Internet Security Threat Report is…
  • Information that:
    • Provides a comprehensive analysis of Internet security activities and trends
    • Compiled every six months
    • Offers a complete view of today’s Internet security landscape
    • Identifies and analyzes attacker methods and preferences
    • Details the latest trends and information
      • Internet attacks
      • Vulnerabilities that have been discovered and exploited
      • Malicious code
      • Additional Security Risks - Adware, Spyware, Phishing, and Spam
    • Provides a complete view of the state of the Internet

  6. Symantec’s sources of intelligence: The G.I.N. [world-map slide; figures and site labels recovered from the image]
  • 74 Symantec Monitored Countries
  • 40,000+ Registered Sensors in 180+ Countries
  • 8 Symantec Security Response Centers
  • Advanced Honeypot Network
  • +120 Million Systems Worldwide
  • +30% of World’s email Traffic
  • >6,200 Managed Security Devices
  • 4 Symantec SOCs
  • 200,000 malware submissions per month
  • Millions of security alerts per month
  • Millions of threat reports per month
  • Hundreds of MSS customers
  • Sites shown: Dublin, Ireland; Calgary, Canada; Tokyo, Japan; San Francisco, CA; Redwood City, CA; Twyford, England; Santa Monica, CA; Munich, Germany; Alexandria, VA; Pune, India; Taipei, Taiwan; Sydney, Australia

  7. The Battleground for Identity

  8. ISTR X Main Findings • Home users are often the weakest link in the chain and are the most targeted • Malicious code is increasingly targeted at individual organizations and there is a rise in new, previously unseen malicious code, especially Trojans • Web enabled technologies and browsers are the preferred target of attack - Web 2.0 and AJAX • Re-emergence of older attack methods and social engineering on the rise - continued increase in unique phishing messages

  9. Attack Trends – Denial of Service - Top Target Countries • During the current reporting period, Symantec saw an average of 6,110 Denial of Service attacks per day. The average grew from 4,000 per day in January to over 7,500 per day in June. One period in March saw a spike to over 8,000. • The U.S. was the most targeted nation for DoS attacks followed by China and the United Kingdom.

  10. Attack Trends – Denial of Service - Top Targeted Sectors • Internet Service Providers - bigger net = more fish • Government - high profile • Telecom - regional, smaller ISP’s.

  11. Attack Trends – Top Originating Countries • The United States remains the top source country for attacks with 37% of the worldwide total. Attacks originating from the United States grew by 29% due to a large increase in broadband users. • China increased from 7% to 10% of the worldwide total. Attacks grew by 37%.

  12. Attack Trends – Top targeted sectors • Home users are often targets of opportunity and provide “cover” for larger, more targeted attacks • Targeted attacks against Government, Information Technology, Utilities and Energy are on the rise.

  13. Attack Trends – Web browser attack distribution • Despite having a lower number of vulnerabilities this reporting period than Mozilla, Internet Explorer is the most targeted browser for attack due to high profile vulnerabilities and widespread deployment. • Multiple browsers include vulnerabilities that target all browsers chosen for this metric

  14. Attack Trends – Additional Data Points • Top Wireless Threats • Probing for access point - 30% • Spoofed MAC Address - 17% • Top Browser Attacks • Multiple Browser Zero Width GIF Image Memory Corruption Attack - 31% • 5 of the Top 10 are IE specific - 3 are Mozilla specific

  15. Vulnerability Trends –Web Browsers (Vendor and Non-vendor confirmed) • Mozilla browsers (Mozilla and Firefox) had the highest number of reported vulnerabilities during this reporting period with 47, almost 3 times the number reported during the last reporting period (17). Internet Explorer was second with 38, a 52% increase over the previous reporting period. • For the past three reporting periods, vulnerabilities affecting Apple’s Safari web browser (12) have continued to increase.

  16. Vulnerability Trends – W.O.E. - Web browsers • Window of exposure is the time between the announcement of a vulnerability and a vendor supplied patch, minus the number of days before the appearance of an exploit • In general, the patch development time for browsers is shorter than other W.O.E. metrics as vendors seem to respond quicker to web browser vulnerabilities.

  17. Vulnerability Trends – Volume • Between January 1 and June 30, 2006, the total number of vulnerabilities grew by 18% over the previous reporting period and 20% over the same period last year. • Primarily due to the high percentage of Web application vulnerabilities. Once again, this is the highest total Symantec has ever recorded.

  18. Vulnerability Trends – Easily exploitable vulnerabilities by type - Web applications • 69% of all vulnerabilities reported were web application vulnerabilities, a slight increase over the previous reporting period. • 80% of all vulnerabilities were easily exploitable. Of those, the largest proportion (78%) were web application vulnerabilities. This is due in part to quicker release cycles, less secure coding practices and low-complexity vulnerabilities.

  19. Vulnerability Trends – W.O.E. - Enterprise Vendors • The window of exposure for enterprise vendors continues to shrink primarily due to the increased speed at which vendors are developing patches.

  20. Vulnerability Trends – Operating system vendors - Time-to-patch • Over the past three reporting periods, Microsoft has had the shortest patch development time of all operating system vendors. • Microsoft is beginning to challenge the “open-source is quicker” school of thought

  21. Vulnerability Trends – Additional Data Points
  • Exploit development time for Web browsers
    • Internet Explorer - 1 day (0 days during last reporting period)
    • Mozilla - 2 days (7 days during last reporting period)
    • Safari - 0 days (0 days during last reporting period)
    • Opera - 0 days (0 days during last reporting period)
  • Patch development time for Web browsers
    • Internet Explorer - 10 days (25 days during the last reporting period)
    • Mozilla - 3 days (5 days during the last reporting period)
    • Safari - 5 days (0 days during the last reporting period)
    • Opera - 2 days (18 days during the last reporting period)
  • Exploit code release period
    • 25% - less than one day (decrease of 8 percentage points from last reporting period)
    • 33% - one to six days (increase of 4 percentage points from last reporting period)

  22. Malicious Code Trends – Win32 Variants • Nearly a 40% reduction from the previous reporting period - predicted decline in future periods • 22% of the Top 50 reported samples were bots - an increase of two percentage points

  23. Malicious Code Trends – Previously Unseen malicious code (proportion of all threats) • Detected by Symantec Honeypots - higher proportions indicate that attackers are more actively trying to evade signature based detection methods. • Primarily due to variants utilizing metamorphic code, run-time packers and changes to code functionality.

  24. Malicious Code Trends – Top ten new malicious code families • New techniques and more dangerous threats appear: • Polip - polymorphic • Bomka - uses rootkit techniques, click fraud

  25. Malicious Code Trends – Malicious code types by volume • Worms - primarily mass mailers - continue to dominate. 60% increase over the previous reporting period. • Decline in bot levels due to decline in reports of Spybot, Gaobot and Randex. Only Spybot remains in the Top 50. Back door levels remain high due to Mytob variants (16 of the Top 50). • Trojans have dropped from 21 of the Top 50 reports to 10 in the current reporting period.

  26. Malicious Code Trends – Propagation vectors • SMTP continues to be the top propagation mechanism - 1 out of every 122 email messages contained malicious code. Driven by Netsky, Beagle, Mytob and SoberX. • All of the Top Ten malicious code samples reported to Symantec utilized SMTP as a propagation mechanism.

  27. Malicious Code Trends – Exposure of confidential information • Threats that expose sensitive data such as system information, confidential files, documents, cached logon credentials, credit card details, etc. Potential use in criminal activities resulting in significant financial losses.

  28. Malicious Code Trends – Instant messaging threats • Variants of Spybot, Gaobot, Esbot and Randex commonly use AOL Instant Messenger as a propagation mechanism. • The announced interoperability of Yahoo! Instant Messenger and Windows Live Messenger may result in attackers focusing on these protocols to maximize potential propagation.

  29. Malicious Code Trends – Additional Data Points
  • The top ten malicious code samples reported to Symantec during the current reporting period:
    • Sober.X
    • Blackmal.E
    • Netsky.P
    • Beagle.DL
    • Mytob.EA
    • Beagle.AG
    • Mytob.AG
    • Mytob.DF
    • Mytob
    • Mytob.EE
  • Tooso was the most reported Trojan (modular) and Netsky.P was the most reported threat to confidential information
  • The number of modular malicious code samples in the Top ten (36) has remained the same as the previous reporting period though the overall volume has dropped to 79% from the 88%

  30. Phishing - Unique phishing messages • Definitions: • Phishing message - single, unique message sent to targets with the intent of gaining confidential or personal information. Each message has different content and different method of trying to obtain information. • Phishing attempt - instance of a phishing message being sent to an individual user(s). • 81% increase over the previous reporting period - Average of 865 unique phishing messages per day

  31. Phishing - Top targeted most phished sectors • 9 of the top ten brands phished are from the Financial Services sector. • Symantec saw an average of 7.19 million phishing attempts per day down from the 7.91 million observed during the last reporting period. • Blocked phishing messages decreased from 1.46 billion in the last report to 1.3 billion this reporting period. An 11% decrease.

  32. Spam - Top countries of origin, categories and volume • Between January 1st and June 30th, 2006, the average percentage of email that is Spam was 54%, a 4 percentage point increase from the last reporting period • Health makes up 26% of all spam, followed by Adult with 22%. Health and Adult traditionally have the highest click-through rates as they are more difficult to market through traditional means • Canada and South Korea were the only countries with a drop in percentage - 2% each

  33. Spam - Percentage of spam containing malicious code • From January 1 - June 30, 2006, 0.81% of all spam contained malicious code - 1 out of every 122 spam messages contained malicious code • Spam with malicious attachments is likely blocked by spam filtering and anti-virus software. In response, malicious code authors are more likely to include a URL in a spam message which links to a malicious website or directly downloads malicious code

  34. Security Risks – Top ten new security risks • Misleading applications constitute three of the Top Ten new security risks. ErrorSafe represented 19% of new security risks reported to Symantec • The most reported Adware from January 1 - June 30, 2006 was Hotbar (24%) and 6 of the Top ten employed some form of anti-removal techniques.

  35. Future Watch
  • Web 2.0 and AJAX
    • Symantec speculates that Web 2.0 security threats and AJAX attacks will increase.
  • Windows Vista:
    • Symantec speculates that the new features and changes to Windows Vista’s code base, in conjunction with increased scrutiny from security researchers and malicious code authors, will result in previously unseen attacks.
  • Increase in polymorphic malicious code
    • Due to the difficulty in detecting and removing polymorphic viruses, Symantec speculates that more malicious code authors may begin to use more polymorphic techniques at all levels of malicious code development.

  36. Know your Enemy

  37. Common Attacks of Yesterday
  • Sneak through the network perimeter
  • Steal customer data or intellectual property
  • Make the escape unnoticed
  Common Attacks of Today
  • Don’t bother penetrating the network
  • Phish or use crimeware on a company’s customers when they’re online
  • Aggregate and sell their data on the black market or use it yourself
  From Oceans 11 to 7-11

  38. Successfully Exploiting Home Users Makes Fraudsters $$$ [flow diagram; node labels recovered from the image: Phisher, Cashier, Fraud Website (+ Trojan horse), Spammer, Egg Drop Server, Botherder, Phishing Messages, Victims]

  39. “Underground” Economies

  40. “Underground” Economies (2)

  41. Who are most of the attackers looking to victimize? • Home users are targets of opportunity – attackers “casting the net” to find victims • Financial Services remains interesting – go to the money

  42. Crimeware & The Fraud Community I'm  here to sell a working version of win32.grams trojan, for those who don't know what this trojan does i will explain. It simply steals all the e-gold from the victims account and transfers all the gold into your account. Simple and efficient. The trojan has been tested successfully with Windows XP (all SP's) and works ONLY on IE (Internet Explorer). If any bugs are found it is my responsibility to fix them immediately. The price for this wonder trojan is only 1000 dollars and I accept only WU / MG and e-gold.

  43. Making $$$ By Exploiting Browsers: Rogue Distributors • Rogue distribution networks make money by using browser exploits to install downloader Trojans • The downloaders are then used to install adware & spyware • Reportedly pay for 0-day vulnerabilities such as WMF • WMF vulnerability said to be purchased for ~$4K USD • Discovered in active exploit via iframecash.biz & others

  44. Web Attacker: Automated Tools Make it Easy

  45. How much can they make? Ask Direct Revenue The spoils of spyware: all execs at Direct Revenue became millionaires in 2004

  46. Good news: window of exposure (WOE) is shrinking • Limited set of vendors: Symantec, Microsoft, Cisco, Sun, HP, EMC, IBM, Oracle, CA & McAfee • The window of exposure for enterprise vendors continues to shrink primarily due to the increased speed at which vendors are developing patches

  47. Bad news: it’s still 28 days on average [timeline diagram; labels recovered from the image]
  • Day 1 - Vulnerability Announced
  • Day 3 - Exploit Becomes Public
  • Day 31 - Patch Available
  • ~28 Day Window of Exposure With No Patch for Protection
  • Source: Internet Security Threat Report X, September 2006. All numbers above are averages.

  48. Worse news: averages don’t tell the real story
  • Old proverb: Never cross a river that’s on average 5 feet deep
  • Zero day attacks are not unusual anymore
  • A few key vulnerabilities get the bulk of the exploit action - VML (Sep 06), WMF (Jan 06)
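  The window-of-exposure definition on slide 16, the Day 1 / Day 3 / Day 31 timeline on slide 47 and the "averages don't tell the real story" point on slide 48 are easier to reason about with the arithmetic written out. The following is an added example, not Symantec's code or anything from the ISTR; it applies the slide 16 definition (announcement-to-patch time minus announcement-to-exploit time) to a small set of vulnerability timelines. The deck's own example (announced day 1, exploit day 3, patch day 31) is included; the other four timelines are constructed to make the point and are not real data. Two assumptions beyond the slides: a patch that ships before any exploit appears gives a window of 0 rather than a negative number, and "zero day" is taken to mean an exploit that exists on or before the announcement day.

```python
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class VulnTimeline:
    """Day numbers for one vulnerability, counted from an arbitrary day 0."""
    name: str
    announced: int  # day the vulnerability was publicly announced
    exploit: int    # day a public exploit first appeared
    patch: int      # day the vendor patch became available


def window_of_exposure(v: VulnTimeline) -> int:
    """Slide 16 definition: (announcement -> patch) minus (announcement -> exploit).

    Algebraically that is patch - exploit: the days during which an exploit is
    public but no vendor patch exists. Assumption (not from the deck): when the
    patch precedes the exploit the result is clamped to 0, since no unpatched
    exposure window ever existed.
    """
    patch_delay = v.patch - v.announced
    exploit_delay = v.exploit - v.announced
    return max(0, patch_delay - exploit_delay)


def is_zero_day(v: VulnTimeline) -> bool:
    """Assumption: exploit public on or before the announcement day."""
    return v.exploit <= v.announced


def summarize(vulns: list[VulnTimeline]) -> dict:
    """Average WOE alongside the distribution figures the average hides."""
    woes = [window_of_exposure(v) for v in vulns]
    return {
        "average_days": mean(woes),
        "median_days": median(woes),
        "max_days": max(woes),
        "zero_day_count": sum(1 for v in vulns if is_zero_day(v)),
        "over_30_days": sum(1 for w in woes if w > 30),
    }


# Sample timelines. The first is the slide 47 example; the rest are
# constructed for illustration and do not describe real vulnerabilities.
SAMPLE = [
    VulnTimeline("slide-47 average case", announced=1, exploit=3, patch=31),
    VulnTimeline("constructed: zero-day, patched at once", announced=1, exploit=1, patch=1),
    VulnTimeline("constructed: zero-day, slow patch", announced=1, exploit=1, patch=61),
    VulnTimeline("constructed: patch before exploit", announced=1, exploit=10, patch=8),
    VulnTimeline("constructed: ordinary case", announced=1, exploit=5, patch=29),
]


if __name__ == "__main__":
    for v in SAMPLE:
        flag = " (zero-day)" if is_zero_day(v) else ""
        print(f"{v.name:40s} WOE = {window_of_exposure(v):3d} days{flag}")
    print(summarize(SAMPLE))
```

Run stand-alone, the script prints a per-vulnerability window and then the summary: the average works out to 22.4 days, which sits below the deck's 28-day headline while the same set contains a 60-day window and two zero-days. That is the slide 48 river: a patching SLA tuned to the mean leaves the long tail unprotected, so tracking the median, the maximum and the zero-day count per period is the more useful defensive metric.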

  49. Strategies and Tactics to Protect Identity

  50. Protect Thy Customer • Education – let them know how you communicate, inform them of any new twists in attacks that might catch them off-guard • Communication: Consider fraud alerting services & contribute known fraud to the PRN phish blocking community (free)
