Bill 198 and SOX for IT Professionals

News from the Front:
The Battle against Identity Theft
Constantine Karbaliotis, LL.B., CIPP
October 30, 2006
Abstract
From data gathered through Symantec’s Global Intelligence Network, which consists of millions of systems world-wide, this session focuses on the nature of attacks used to gain the critical information needed to commit identity fraud, such as phishing scams and malware. Armed with this intelligence, the session speaks to the strengths of identity management in defending organizations, as well as individuals, from such attacks without encroaching on privacy.
News from the Front
2
Agenda
• Intelligence Gathering
• The Battleground for Identity
• Know your Enemy
• Strategies and Tactics to Protect Identity
• Conclusion
Intelligence Gathering
What the Symantec Internet Security Threat Report is…
Information that:
• Provides a comprehensive analysis of Internet security activities and trends
• Is compiled every six months
• Offers a complete view of today’s Internet security landscape
• Identifies and analyzes attacker methods and preferences
• Details the latest trends and information on:
  • Internet attacks
  • Vulnerabilities that have been discovered and exploited
  • Malicious code
  • Additional security risks: adware, spyware, phishing, and spam
• Provides a complete view of the state of the Internet
Symantec’s sources of intelligence: The G.I.N.
Figures shown on the Global Intelligence Network diagram:
• 4 Symantec SOCs
• 74 Symantec monitored countries
• >6,200 managed security devices
• 40,000+ registered sensors in 180+ countries
• 8 Symantec Security Response Centers
• 120 million systems worldwide
• 30% of the world’s email traffic
• Advanced honeypot network
• 200,000 malware submissions per month
• Millions of security alerts per month
• Millions of threat reports
• Hundreds of MSS customers
Locations shown on the map: Dublin, Ireland; Tokyo, Japan; Calgary, Canada; San Francisco, CA; Redwood City, CA; Twyford, England; Santa Monica, CA; Munich, Germany; Alexandria, VA; Pune, India; Taipei, Taiwan; Sydney, Australia
The Battleground for Identity
ISTR X Main Findings
• Home users are often the weakest link in the chain and are the most targeted
• Malicious code is increasingly targeted at individual organizations, and there is a rise in new, previously unseen malicious code, especially Trojans
• Web-enabled technologies and browsers are the preferred target of attack: Web 2.0 and AJAX
• Re-emergence of older attack methods, and social engineering on the rise: continued increase in unique phishing messages
Attack Trends – Denial of Service - Top Target Countries
During the current reporting period, Symantec saw an average of 6,110 Denial of
Service attacks per day. The average grew from 4,000 per day in January to over
7,500 per day in June. One period in March saw a spike to over 8,000.
The U.S. was the most targeted nation for DoS attacks followed by China and the
United Kingdom.
Attack Trends – Denial of Service - Top Targeted Sectors
Internet Service Providers - bigger net = more fish
Government - high profile
Telecom - regional, smaller ISPs
Attack Trends – Top Originating Countries
The United States remains the top source country for attacks with 37% of the
worldwide total. Attacks originating from the United States grew by 29% due to a large
increase in broadband users.
China increased from 7% to 10% of the worldwide total. Attacks grew by 37%.
Attack Trends – Top targeted sectors
Home users are often targets of opportunity and provide “cover” for larger, more targeted attacks.
Targeted attacks against Government, Information Technology, Utilities and Energy are on the rise.
Attack Trends – Web browser attack distribution
Despite having fewer vulnerabilities this reporting period than Mozilla, Internet Explorer is the most targeted browser for attack, due to high-profile vulnerabilities and widespread deployment.
The “Multiple browsers” category counts vulnerabilities that affect all of the browsers chosen for this metric.
Attack Trends – Additional Data Points
Top Wireless Threats
• Probing for access point - 30%
• Spoofed MAC Address - 17%
Top Browser Attacks
• Multiple Browser Zero Width GIF Image Memory Corruption Attack - 31%
• 5 of the Top 10 are IE specific - 3 are Mozilla specific
Vulnerability Trends – Web Browsers (Vendor and Non-vendor confirmed)
Mozilla browsers (Mozilla and Firefox) had the highest number of reported vulnerabilities during this reporting period with 47, almost 3 times the number reported during the last reporting period (17).
Internet Explorer was second with 38, a 52% increase over the previous reporting period.
For the past three reporting periods, vulnerabilities affecting Apple’s Safari web browser (12) have continued to increase.
Vulnerability Trends – W.O.E. - Web browsers
Window of exposure is the time between the announcement of a vulnerability and a vendor-supplied patch, minus the number of days before the appearance of an exploit (in effect, the days between the exploit’s appearance and the patch).
In general, the patch development time for browsers is shorter than other W.O.E. metrics, as vendors seem to respond more quickly to web browser vulnerabilities.
Vulnerability Trends – Volume
Between January 1 and June 30, 2006, the total number of vulnerabilities grew by 18% over the previous reporting period and 20% over the same period last year.
This growth is primarily due to the high percentage of Web application vulnerabilities. Once again, this is the highest total Symantec has ever recorded.
Vulnerability Trends – Easily exploitable vulnerabilities by type - Web applications
69% of all vulnerabilities reported were web application vulnerabilities, a slight increase over the previous reporting period.
80% of all vulnerabilities were easily exploitable. Of those, the largest proportion (78%) were web application vulnerabilities. This is due in part to a quicker release cycle, less secure coding practices and low-complexity vulnerabilities.
Vulnerability Trends – W.O.E. - Enterprise Vendors
The window of exposure for enterprise vendors continues to shrink primarily due to the
increased speed at which vendors are developing patches.
Vulnerability Trends – Operating system vendors - Time-to-patch
Over the past three reporting periods, Microsoft has had the shortest patch development time of
all operating system vendors.
Microsoft is beginning to challenge the “open-source is quicker” school of thought.
Vulnerability Trends – Additional Data Points
Exploit development time for Web browsers
• Internet Explorer - 1 day (0 days during last reporting period)
• Mozilla - 2 days (7 days during last reporting period)
• Safari - 0 days (0 days during last reporting period)
• Opera - 0 days (0 days during last reporting period)
Patch development time for Web browsers
• Internet Explorer - 10 days (25 days during the last reporting period)
• Mozilla - 3 days (5 days during the last reporting period)
• Safari - 5 days (0 days during the last reporting period)
• Opera - 2 days (18 days during the last reporting period)
Exploit code release period
• 25% - less than one day (decrease of 8 percentage points from last reporting period)
• 33% - one to six days (increase of 4 percentage points from last reporting period)
Malicious Code Trends – Win32 Variants
Nearly a 40% reduction from the previous reporting period - predicted decline in future periods
22% of the Top 50 reported samples were bots - an increase of two percentage points
Malicious Code Trends – Previously unseen malicious code (proportion of all threats)
Detected by Symantec honeypots; higher proportions indicate that attackers are more actively trying to evade signature-based detection methods.
The rise is primarily due to variants utilizing metamorphic code, run-time packers and changes to code functionality.
Malicious Code Trends – Top ten new malicious code families
New techniques and more dangerous threats appear:
• Polip - polymorphic
• Bomka - uses rootkit techniques, click fraud
Malicious Code Trends – Malicious code types by volume
Worms - primarily mass mailers - continue to dominate: a 60% increase over the previous reporting period.
Decline in back door levels due to a decline in reports of Spybot, Gaobot and Randex. Only Spybot remains in the Top 50. Back door levels nonetheless remain high due to Mytob variants (16 of the Top 50).
Trojans have dropped from 21 of the Top 50 reports to 10 in the current reporting period.
Malicious Code Trends – Propagation vectors
SMTP continues to be the top propagation mechanism - 1 out of every 122 email messages
contained malicious code. Driven by Netsky, Beagle, Mytob and SoberX.
All of the Top Ten malicious code samples reported to Symantec utilized SMTP as a
propagation mechanism.
Malicious Code Trends – Exposure of confidential information
These are threats that expose sensitive data such as system information, confidential files, documents, cached logon credentials, credit card details, etc. Such data can potentially be used in criminal activities resulting in significant financial losses.
Malicious Code Trends – Instant messaging threats
Variants of Spybot, Gaobot, Esbot and Randex commonly use AOL Instant Messenger as a
propagation mechanism.
The announced interoperability of Yahoo! Instant Messenger and Windows Live Messenger may result
in attackers focusing on these protocols to maximize potential propagation.
Malicious Code Trends – Additional Data Points
The top ten malicious code samples reported to Symantec during the current reporting period:
• Sober.X
• Blackmal.E
• Netsky.P
• Beagle.DL
• Mytob.EA
• Beagle.AG
• Mytob.AG
• Mytob.DF
• Mytob
• Mytob.EE
Tooso was the most reported Trojan (modular) and Netsky.P was the most reported threat to confidential information.
The number of modular malicious code samples in the Top ten (36) has remained the same as the previous reporting period, though the overall volume has dropped to 79% from the 88%.
Phishing - Unique phishing messages
Definitions:
• Phishing message - a single, unique message sent to targets with the intent of gaining confidential or personal information. Each message has different content and a different method of trying to obtain information.
• Phishing attempt - an instance of a phishing message being sent to an individual user(s).
81% increase over the previous reporting period - average of 865 unique phishing messages per day
Phishing - Top targeted most phished sectors
9 of the top ten brands phished are from the Financial Services sector.
Symantec saw an average of 7.19 million phishing attempts per day down from the 7.91 million
observed during the last reporting period.
Blocked phishing messages decreased from 1.46 billion in the last report to 1.3 billion this reporting
period. An 11% decrease.
Spam - Top countries of origin, categories and volume
Between January 1st and June 30th, 2006, the average percentage of email that was spam was 54%, a 4 percentage point increase from the last reporting period.
Health makes up 26% of all spam, followed by Adult with 22%. Health and Adult traditionally have the highest click-through rates, as they are more difficult to market through traditional means.
Canada and South Korea were the only countries with a drop in percentage - 2% each.
Spam - Percentage of spam containing malicious code
From January 1 - June 30, 2006, 0.81% of all spam contained malicious code - 1 out of every 122 spam messages.
Spam with malicious attachments is likely to be blocked by spam filtering and anti-virus software. In response, malicious code authors are more likely to include a URL in a spam message which links to a malicious website or directly downloads malicious code.
Security Risks – Top ten new security risks
Misleading applications constitute three of the Top Ten new security risks. ErrorSafe
represented 19% of new security risks reported to Symantec
The most reported Adware from January 1 - June 30, 2006 was Hotbar (24%) and 6 of
the Top ten employed some form of anti-removal techniques.
Future Watch
Web 2.0 and AJAX
• Symantec speculates that Web 2.0 security threats and AJAX attacks will increase.
Windows Vista:
• Symantec speculates that the new features and changes to Windows Vista’s code base, in conjunction with increased scrutiny from security researchers and malicious code authors, will result in previously unseen attacks.
Increase in polymorphic malicious code
• Due to the difficulty in detecting and removing polymorphic viruses, Symantec speculates that more malicious code authors may begin to use more polymorphic techniques at all levels of malicious code development.
Know your Enemy
From Oceans 11 to 7-11
Common Attacks of Yesterday
• Sneak through the network perimeter
• Steal customer data or intellectual property
• Make the escape unnoticed
Common Attacks of Today
• Don’t bother penetrating the network
• Phish or use crimeware on a company’s customers when they’re online
• Aggregate and sell their data on the black market or use it yourself
Successfully Exploiting Home Users Makes Fraudsters $$$
Diagram of the fraud chain; roles and elements shown: Phisher; Spammer; Botherder; Phishing Messages; Victims; Fraud Website (+ Trojan horse); Egg Drop Server; Cashier
“Underground” Economies
“Underground” Economies (2)
Who are most of the attackers looking to victimize?
Home users are targets of opportunity - attackers “casting the net” to find victims
Financial Services remains interesting - go to the money
Crimeware & The Fraud Community
I'm here to sell a working version of win32.grams trojan,
for those who don't know what this trojan does I will
explain. It simply steals all the e-gold from the victims
account and transfers all the gold into your account.
Simple and efficient.
The trojan has been tested successfully with Windows XP
(all SP's) and works ONLY on IE (Internet Explorer).
If any bugs are found it is my responsibility to fix them
immediately.
The price for this wonder trojan is only 1000 dollars and I
accept only WU / MG and e-gold.
Making $$$ By Exploiting Browsers: Rogue Distributors
• Rogue distribution networks make money by using browser exploits to install downloader Trojans
• The downloaders are then used to install adware & spyware
• Reportedly pay for 0-day vulnerabilities such as WMF
  • WMF vulnerability said to be purchased for ~$4K USD
  • Discovered in active exploit via iframecash.biz & others
Web Attacker: Automated Tools Make it Easy
How much can they make? Ask Direct Revenue
The spoils of spyware: all execs at Direct Revenue became millionaires in 2004
Good news: window of exposure (WOE) is shrinking
Limited set of vendors: Symantec, Microsoft, Cisco, Sun, HP, EMC, IBM, Oracle, CA & McAfee
The window of exposure for enterprise vendors continues to shrink primarily due to the increased
speed at which vendors are developing patches
Bad news: it’s still 28 days on average
Timeline shown on the slide:
• Day 1 - Vulnerability announced
• Day 3 - Exploit becomes public
• Day 31 - Patch available
~28 day window of exposure with no patch for protection
Source: Internet Security Threat Report X, September 2006. All numbers above are averages.
Worse news: averages don’t tell the real story
Old proverb: Never cross a river that’s on average 5 feet deep
Zero day attacks are not unusual anymore
A few key vulnerabilities get the bulk of the exploit action: WMF (Jan 06), VML (Sep 06)
Strategies and Tactics to Protect Identity
Protect Thy Customer
• Education - let them know how you communicate, inform them of any new twists in attacks that might catch them off-guard
• Communication: consider fraud alerting services & contribute known fraud to the PRN phish blocking community (free)
Protect Thy Customer (2)
• Establish zero-hour, behavioral detection and mitigation of malicious threats - less reliant on ‘signatures’
• Establish protection that follows users
• Establish protection from the unmanaged endpoints
Protect Thy Customer (2)
Become the customer’s IT department
Advise customers to use, or better, provide them with, products, toolbars, and/or web browsers with anti-phishing protection
Protect Thy Customer (3)
Put your customer in charge of their identity:
• Identity management tools
• Preference management
As a consumer, I want to:
• Have a single sign-on to my personal information
• NOT have any enterprise aware of what I am doing elsewhere
• NOT communicate any information about myself, until I CHOOSE to do so
• Know that even within the systems of the businesses I do business with, my identity is protected and, in the event that there is a breach of security, the information is anonymized or encrypted
Make Yourself Unattractive
Validate track 2 magnetic stripe information
• It’s not phishable data and makes your business a lot less “cashable”
• “Up to half of U.S. banks fail to validate Track 2 data and only rely on customer PINs to authorize ATM transactions” – C|net
Use multi-factor authentication
• Something the user is (fingerprint, retinal pattern)
• Something the user has (security token, software token, cell phone)
• Something the user knows (password, pass phrase, PIN)
• Can be broken, but it makes attackers work harder
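Of the three factors listed above, the “something the user has” case is the one that can be shown in a few lines of code. The following Python is an added example, not code from this deck or from Symantec. It assumes the software token is a time-based one-time password as standardized in RFC 6238 (the slide names no particular scheme), verified on the server side with a one-step clock-drift allowance and rejection of already-used counters. The secret is the RFC 4226/6238 test-vector secret, a constructed demo value and not a real credential.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890");
# a constructed demo value, never a real shared secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float, step: int = 30,
                digits: int = 6, drift: int = 1,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check of a code typed in by the user.

    Accepts the current time step and up to `drift` steps either side to
    tolerate clock skew, compares in constant time, and refuses any counter at
    or below the last one already accepted, so a code captured by a phishing
    page cannot be replayed within the drift window.  Returns the accepted
    counter (the caller stores it as the new last_used_counter) or None.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = int(unix_time) // step
    for candidate in range(counter - drift, counter + drift + 1):
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted at counter:",
          verify_totp(DEMO_SECRET, code, now))
```

The replay check is what turns a one-time code into an actual second factor against the phishing-and-cashier chain described earlier in the deck: even if the user types the code into a fraud site, the verifier will accept it at most once, and only within the drift window.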
Block Web Attacks
Standardize web browsers to the extent that you can
Patch your web browser(s) of choice as soon as possible
Block exploits through host-based IPS & modern AV
Make sure people who enter your networks are “clean” and have up-to-date protection
• They are the biggest risk since they live outside perimeter protections
• This means network access compliance (NAC) of some sort
Cleaning up after a successful web attack
Ensure you have an up-to-date AV or AntiSpyware product
Make sure you get the downloader (usual source
of the problem)
Keep an eye out for misleading applications
Address any signs of high risk user behavior
Keeping ahead of the vulnerability flood
• Intrusion prevention at the network and the host
  • Defend against unprotected hosts inside the perimeter & when employees are remote (outside the perimeter)
• Anti-Virus can block the file-based attacks (e.g. WMF, VML)
  • But keep it current: WMF changed every day and required frequent updates
• Routinely assess your environment for vulnerabilities & misconfigurations
• Have a patch process in place
Timeline shown on the slide - Vulnerability in Server Service (MS06-040, Critical):
• Vulnerability announced: August 8th, 2006
• Symantec IPS protection: August 8th, 2006
• 1st public exploit: August 10th, 2006
• 1st worm: August 11th, 2006
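The window-of-exposure definition from the Vulnerability Trends section, the per-browser exploit and patch development times, the Day 1 / Day 3 / Day 31 schematic and the MS06-040 timeline above can all be run through one small calculation. The following Python is an added example, not code from this deck or from Symantec. It treats the announcement as day 0; the browser figures and the MS06-040 dates are copied from the slides, while the calendar base for the schematic is arbitrary. The idea that a non-patch mitigation such as an IPS signature closes the window when it arrives before the patch is this example’s assumption, not the deck’s definition.

```python
from datetime import date, timedelta
from typing import Dict, Optional, Tuple


def exposure_days(exploit_after: int, patch_after: Optional[int],
                  mitigation_after: Optional[int] = None) -> Optional[int]:
    """Window of exposure in days, following the deck's definition.

    All offsets are days after the vulnerability announcement (day 0).
    (patch - announcement) - (exploit - announcement) reduces to patch - exploit,
    i.e. the time an exploit was public with no fix available.  Assumption of
    this example: an earlier non-patch mitigation (an IPS signature) closes the
    window as well.  A fix that predates the exploit gives 0, never a negative.
    Returns None when neither a patch nor a mitigation exists yet (window open).
    """
    fixes = [d for d in (patch_after, mitigation_after) if d is not None]
    if not fixes:
        return None
    return max(0, min(fixes) - exploit_after)


def exposure_from_dates(announced: date, exploit_public: date,
                        patch_available: Optional[date],
                        mitigation_available: Optional[date] = None) -> Optional[int]:
    """The same calculation on calendar dates."""
    def offset(d: Optional[date]) -> Optional[int]:
        return None if d is None else (d - announced).days
    return exposure_days(offset(exploit_public), offset(patch_available),
                         offset(mitigation_available))


# (exploit development days, patch development days) per browser, copied from
# the deck's "Vulnerability Trends - Additional Data Points" slide.
BROWSER_TIMES: Dict[str, Tuple[int, int]] = {
    "Internet Explorer": (1, 10),
    "Mozilla": (2, 3),
    "Safari": (0, 5),
    "Opera": (0, 2),
}


def browser_exposure(times: Dict[str, Tuple[int, int]] = BROWSER_TIMES) -> Dict[str, int]:
    """Window of exposure per browser: patch time minus exploit time."""
    return {name: exposure_days(exploit, patch)
            for name, (exploit, patch) in times.items()}


def schematic_window() -> Optional[int]:
    """The deck's Day 1 / Day 3 / Day 31 picture; the calendar base is arbitrary."""
    day1 = date(2006, 1, 1)
    return exposure_from_dates(announced=day1,
                               exploit_public=day1 + timedelta(days=2),    # Day 3
                               patch_available=day1 + timedelta(days=30))  # Day 31


def ms06_040_window() -> Optional[int]:
    """MS06-040 as drawn on the slide: the IPS signature shipped the day of the
    bulletin, two days before the first public exploit.  The slide gives no
    patch date, so only the mitigation closes the window here."""
    return exposure_from_dates(announced=date(2006, 8, 8),
                               exploit_public=date(2006, 8, 10),
                               patch_available=None,
                               mitigation_available=date(2006, 8, 8))


if __name__ == "__main__":
    print(browser_exposure())   # {'Internet Explorer': 9, 'Mozilla': 1, 'Safari': 5, 'Opera': 2}
    print(schematic_window())   # 28
    print(ms06_040_window())    # 0
```

Running it makes the deck’s “averages don’t tell the real story” point concrete: Internet Explorer’s average window is nine days even though its patch time halved, and for MS06-040 a host with the signature in place had no window at all, while one without it had a day between the public exploit and the worm.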
Do not become the Enemy…
Consider whether your tactics create greater risk:
• Using biometric information may create higher security, but are you now creating a greater risk?
• Use privacy impact assessments to determine the impact even of technologies introduced to protect identity
Are you doing the right things to avoid risk to your customers?
• Information inside the enterprise is the prize - are you keeping information unnecessarily?
Know your Weaknesses
• Unstructured information (Word documents, e-mails) on mail and file servers on local office LANs as well as WANs
• Web and e-commerce systems collect personal information and preferences, and utilize technologies such as tracking cookies
• Backup systems are ‘snapshots’ of the whole network, maintained for years
• While security/access is based on role, in general within individual systems there are no role-based access controls that limit what can be seen or accessed
• A lot of information is ‘portable’ - contained on laptops or PDAs used by sales and field technicians
Know your Weaknesses (2)
• CRM systems contain information about contacts within customers, suppliers, business partners
• Many businesses have an unrecognized risk with business customers who are unincorporated - personal information is also business information:
  • Credit reports and payment histories in internal systems or shared with or obtained from third parties
  • Leasing and financing data, including personal guarantees
  • Collections information
• In human resource systems, corporations maintain information about potential candidates (resumes, background checks), employees, and ex-employees
• Most customer and technical support systems contain a wealth of personal information
Where technology can’t help
Security and privacy are aspects of good
governance, and not simply IT issues
Enforcing ‘best practices’ is an issue for both IT
and the ‘business’ sides
Recognized standards that are both measurable
and auditable (i.e. creating evidence of
compliance) are key to achieving compliance
Education and awareness are often the ‘missing’
ingredient to good security and privacy practices,
and cannot be overlooked
Conclusion
It’s a battle…
Critical to understand the nature of the struggle underway:
• The ‘opposition’ is organized and capable
• The stakes are high
• The battle is on many fronts
Necessary to think in terms of strategy and tactics
You must act as the customer’s IT department to ensure that you preserve the customer’s confidence in your enterprise
Appendix A: Presenters’ Background
Constantine Karbaliotis, LL.B., CIPP
Canadian Senior Compliance Business Specialist
• Called to the Bar of the Province of Ontario in 1986
• Practiced law for ten years in the areas of litigation and intellectual property, as well as arbitration and mediation; taught at the Bar Admission Course and CLE programs
• Ten years consulting experience with small to large law firms, the public legal sector, as well as other public sector and private sector organizations
• Experience with both document management and privacy, security and project management, and government
• Video Remand and Bail Project - worked for 3 years within the Ontario government to establish the largest criminal justice video network; won a Diamond award at Showcase 2001
• Certified Information Privacy Professional