News from the Front: The Battle against Identity Theft
Constantine Karbaliotis, LL.B., CIPP
October 30, 2006

Abstract
From data gathered through Symantec's Global Intelligence Network, which consists of millions of systems world-wide, this session focuses on the nature of the attacks used to gain the critical information needed to commit identity fraud, such as phishing scams and malware. Armed with this intelligence, the session speaks to the strengths of identity management in defending organizations as well as individuals from such attacks without encroaching on privacy.

Agenda
• Intelligence Gathering
• The Battleground for Identity
• Know your Enemy
• Strategies and Tactics to Protect Identity
• Conclusion

Intelligence Gathering

What the Symantec Internet Security Threat Report is
Information that:
• Provides a comprehensive analysis of Internet security activities and trends
• Is compiled every six months
• Offers a complete view of today's Internet security landscape
• Identifies and analyzes attacker methods and preferences
• Details the latest trends and information:
  • Internet attacks
  • Vulnerabilities that have been discovered and exploited
  • Malicious code
  • Additional security risks: adware, spyware, phishing, and spam
• Provides a complete view of the state of the Internet

Symantec's sources of intelligence: the G.I.N.
[Figure: the Global Intelligence Network. 4 Symantec SOCs; 74 Symantec monitored countries; >6,200 managed security devices; 40,000+ registered sensors in 180+ countries; 8 Symantec Security Response Centers; 200,000 malware submissions per month; millions of MSS reports per month; millions of security alerts; hundreds of customers (the last column label is garbled in the extracted slide); 120 million systems worldwide; 30% of the world's email traffic; advanced honeypot network. Locations shown: Dublin, Ireland; Tokyo, Japan; Calgary, Canada; San Francisco, CA; Redwood City, CA; Twyford, England; Santa Monica, CA; Munich, Germany; Alexandria, VA; Pune, India; Taipei, Taiwan; Sydney, Australia.]

The Battleground for Identity

ISTR X Main Findings
• Home users are often the weakest link in the chain and are the most targeted
• Malicious code is increasingly targeted at individual organizations, and there is a rise in new, previously unseen malicious code, especially Trojans
• Web-enabled technologies and browsers are the preferred target of attack: Web 2.0 and AJAX
• Re-emergence of older attack methods, and social engineering on the rise: continued increase in unique phishing messages

Attack Trends – Denial of Service: Top Target Countries
• During the current reporting period, Symantec saw an average of 6,110 Denial of Service attacks per day.
• The average grew from 4,000 per day in January to over 7,500 per day in June. One period in March saw a spike to over 8,000.
• The U.S. was the most targeted nation for DoS attacks, followed by China and the United Kingdom.

Attack Trends – Denial of Service: Top Targeted Sectors
• Internet Service Providers: bigger net = more fish
• Government: high profile
• Telecom: regional, smaller ISPs

Attack Trends – Top Originating Countries
• The United States remains the top source country for attacks, with 37% of the worldwide total.
• Attacks originating from the United States grew by 29% due to a large increase in broadband users.
• China increased from 7% to 10% of the worldwide total. Attacks grew by 37%.

Attack Trends – Top Targeted Sectors
• Home users are often targets of opportunity and provide "cover" for larger, more targeted attacks
• Targeted attacks against Government, Information Technology, Utilities and Energy are on the rise.

Attack Trends – Web Browser Attack Distribution
• Despite having a lower number of vulnerabilities this reporting period than Mozilla, Internet Explorer is the most targeted browser for attack, due to high-profile vulnerabilities and widespread deployment.
• The "multiple browsers" category includes vulnerabilities that affect all browsers chosen for this metric

Attack Trends – Additional Data Points
Top wireless threats:
• Probing for access point: 30%
• Spoofed MAC address: 17%
Top browser attacks:
• Multiple Browser Zero Width GIF Image Memory Corruption Attack: 31%
• 5 of the Top 10 are IE specific; 3 are Mozilla specific

Vulnerability Trends – Web Browsers (vendor and non-vendor confirmed)
• Mozilla browsers (Mozilla and Firefox) had the highest number of reported vulnerabilities during this reporting period with 47, almost 3 times the number reported during the last reporting period (17).
• Internet Explorer was second with 38, a 52% increase over the previous reporting period.
• For the past three reporting periods, vulnerabilities affecting Apple's Safari web browser (12) have continued to increase.

Vulnerability Trends – W.O.E. (Window of Exposure) – Web Browsers
• Window of exposure is the time between the announcement of a vulnerability and a vendor-supplied patch, minus the number of days before the appearance of an exploit.
• In general, the patch development time for browsers is shorter than for the other W.O.E. metrics, as vendors seem to respond more quickly to web browser vulnerabilities.
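The window-of-exposure definition above, worked through in Python as an added example (not from the presentation or the ISTR): each vulnerability's window is computed from its announcement, exploit and patch dates, and the set is then summarized alongside the distribution figures that a plain average hides, the point the "averages don't tell the real story" slide makes later in the deck. The records, names and dates are constructed; the handling of unpatched, zero-day and never-exploited cases is my assumption, not the ISTR's method.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    """One vulnerability with the three dates the deck's W.O.E. definition uses."""
    name: str
    announced: date
    exploit_public: Optional[date]   # None: no public exploit observed
    patch_available: Optional[date]  # None: no vendor patch yet


def window_of_exposure(rec: VulnRecord, as_of: date) -> int:
    """Days of exposure per the deck: (patch - announcement) minus the days the
    exploit lagged the announcement. Assumptions (mine, not the ISTR's): an
    unpatched vulnerability is measured up to `as_of`; an exploit seen before
    the announcement (a zero-day) lags by 0 days; an exploit that appears only
    after the patch leaves a window of 0; no exploit at all means 0."""
    if rec.exploit_public is None:
        return 0
    patch_day = rec.patch_available or as_of
    patch_time = (patch_day - rec.announced).days
    exploit_lag = max(0, (rec.exploit_public - rec.announced).days)
    return max(0, patch_time - exploit_lag)


def is_zero_day(rec: VulnRecord) -> bool:
    """Exploit public on or before the day the vulnerability was announced."""
    return rec.exploit_public is not None and rec.exploit_public <= rec.announced


def summarize(records: List[VulnRecord], as_of: date) -> Dict[str, float]:
    """The average alongside the distribution figures the average hides."""
    windows = [window_of_exposure(r, as_of) for r in records]
    avg = mean(windows)
    return {
        "average_days": avg,
        "median_days": median(windows),
        "max_days": max(windows),
        "zero_day_share": sum(is_zero_day(r) for r in records) / len(records),
        "share_above_average": sum(w > avg for w in windows) / len(windows),
    }


# Constructed records (not ISTR data). "deck-average" mirrors the deck's
# Day 1 / Day 3 / Day 31 timeline and therefore yields a 28-day window.
RECORDS = [
    VulnRecord("deck-average", date(2006, 3, 1), date(2006, 3, 3), date(2006, 3, 31)),
    VulnRecord("zero-day", date(2006, 1, 30), date(2006, 1, 28), date(2006, 3, 15)),
    VulnRecord("patched-first", date(2006, 4, 10), date(2006, 4, 20), date(2006, 4, 13)),
    VulnRecord("never-exploited", date(2006, 5, 1), None, date(2006, 5, 20)),
    VulnRecord("still-unpatched", date(2006, 6, 1), date(2006, 6, 1), None),
]
AS_OF = date(2006, 6, 30)

if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r.name:16} {window_of_exposure(r, AS_OF):3d} days")
    print(summarize(RECORDS, AS_OF))
```

On these five constructed records the average is about 20 days while two of the five are zero-days and three sit above the average, which is the "river that's on average 5 feet deep" problem in numbers.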
Vulnerability Trends – Volume
• Between January 1 and June 30, 2006, the total number of vulnerabilities grew by 18% over the previous reporting period and 20% over the same period last year, primarily due to the high percentage of Web application vulnerabilities.
• Once again, this is the highest total Symantec has ever recorded.

Vulnerability Trends – Easily Exploitable Vulnerabilities by Type
• Web applications: 69% of all vulnerabilities reported were web application vulnerabilities, a slight increase over the previous reporting period.
• 80% of all vulnerabilities were easily exploitable. Of those, the largest proportion (78%) were web application vulnerabilities.
• This is due in part to a quicker release cycle, less secure coding practices and low-complexity vulnerabilities.

Vulnerability Trends – W.O.E. – Enterprise Vendors
• The window of exposure for enterprise vendors continues to shrink, primarily due to the increased speed at which vendors are developing patches.

Vulnerability Trends – Operating System Vendors – Time-to-Patch
• Over the past three reporting periods, Microsoft has had the shortest patch development time of all operating system vendors.
• Microsoft is beginning to challenge the "open-source is quicker" school of thought

Vulnerability Trends – Additional Data Points
Exploit development time for Web browsers:
• Internet Explorer: 1 day (0 days during the last reporting period)
• Mozilla: 2 days (7 days during the last reporting period)
• Safari: 0 days (0 days during the last reporting period)
• Opera: 0 days (0 days during the last reporting period)
Patch development time for Web browsers:
• Internet Explorer: 10 days (25 days during the last reporting period)
• Mozilla: 3 days (5 days during the last reporting period)
• Safari: 5 days (0 days during the last reporting period)
• Opera: 2 days (18 days during the last reporting period)
Exploit code release period:
• 25%: less than one day (a decrease of 8 percentage points from the last reporting period)
• 33%: one to six days (an increase of 4 percentage points from the last reporting period)

Malicious Code Trends – Win32 Variants
• Nearly a 40% reduction from the previous reporting period; a decline is predicted in future periods
• 22% of the Top 50 reported samples were bots, an increase of two percentage points

Malicious Code Trends – Previously Unseen Malicious Code (proportion of all threats)
• Detected by Symantec honeypots; higher proportions indicate that attackers are more actively trying to evade signature-based detection methods.
• Primarily due to variants utilizing metamorphic code, run-time packers and changes to code functionality.

Malicious Code Trends – Top Ten New Malicious Code Families
New techniques and more dangerous threats appear:
• Polip: polymorphic
• Bomka: uses rootkit techniques, click fraud

Malicious Code Trends – Malicious Code Types by Volume
• Worms, primarily mass mailers, continue to dominate: a 60% increase over the previous reporting period.
• Decline in back door levels due to a decline in reports of Spybot, Gaobot and Randex.
• Only Spybot remains in the Top 50.
• Back door levels are high due to Mytob variants (16 of the Top 50).
• Trojans have dropped from 21 of the Top 50 reports to 10 in the current reporting period.

Malicious Code Trends – Propagation Vectors
• SMTP continues to be the top propagation mechanism: 1 out of every 122 email messages contained malicious code. Driven by Netsky, Beagle, Mytob and Sober.X.
• All of the Top Ten malicious code samples reported to Symantec utilized SMTP as a propagation mechanism.

Malicious Code Trends – Exposure of Confidential Information
• Threats that expose sensitive data such as system information, confidential files, documents, cached logon credentials, credit card details, etc.
• Potential use in criminal activities resulting in significant financial losses.

Malicious Code Trends – Instant Messaging Threats
• Variants of Spybot, Gaobot, Esbot and Randex commonly use AOL Instant Messenger as a propagation mechanism.
• The announced interoperability of Yahoo! Instant Messenger and Windows Live Messenger may result in attackers focusing on these protocols to maximize potential propagation.

Malicious Code Trends – Additional Data Points
The top ten malicious code samples reported to Symantec during the current reporting period:
• Sober.X
• Blackmal.E
• Netsky.P
• Beagle.DL
• Mytob.EA
• Beagle.AG
• Mytob.AG
• Mytob.DF
• Mytob
• Mytob.EE
• Tooso was the most reported Trojan (modular), and Netsky.P was the most reported threat to confidential information
• The number of modular malicious code samples in the Top Ten (36) has remained the same as in the previous reporting period, though the overall volume has dropped to 79% from 88%

Phishing – Unique Phishing Messages
Definitions:
• Phishing message: a single, unique message sent to targets with the intent of gaining confidential or personal information.
  Each message has different content and a different method of trying to obtain information.
• Phishing attempt: an instance of a phishing message being sent to an individual user (or users).
• 81% increase over the previous reporting period: an average of 865 unique phishing messages per day

Phishing – Top Targeted (Most Phished) Sectors
• 9 of the top ten brands phished are from the Financial Services sector.
• Symantec saw an average of 7.19 million phishing attempts per day, down from the 7.91 million observed during the last reporting period.
• Blocked phishing messages decreased from 1.46 billion in the last report to 1.3 billion this reporting period, an 11% decrease.

Spam – Top Countries of Origin, Categories and Volume
• Between January 1st and June 30th, 2006, the average percentage of email that is spam was 54%, a 4 percentage point increase from the last reporting period
• Health makes up 26% of all spam, followed by Adult with 22%. Health and Adult traditionally have the highest click-through rates, as they are more difficult to market through traditional means
• Canada and South Korea were the only countries with a drop in percentage: 2% each

Spam – Percentage of Spam Containing Malicious Code
• From January 1 to June 30, 2006, 0.81% of all spam contained malicious code: 1 out of every 122 spam messages contained malicious code
• Spam with malicious attachments is likely to be blocked by spam filtering and anti-virus software. In response, malicious code authors are more likely to include a URL in a spam message which links to a malicious website or directly downloads malicious code

Security Risks – Top Ten New Security Risks
• Misleading applications constitute three of the Top Ten new security risks. ErrorSafe represented 19% of new security risks reported to Symantec
• The most reported adware from January 1 to June 30, 2006 was Hotbar (24%), and 6 of the Top Ten employed some form of anti-removal technique.
Future Watch
• Web 2.0 and AJAX: Symantec speculates that Web 2.0 security threats and AJAX attacks will increase.
• Windows Vista: Symantec speculates that the new features and changes to Windows Vista's code base, in conjunction with increased scrutiny from security researchers and malicious code authors, will result in previously unseen attacks.
• Increase in polymorphic malicious code: due to the difficulty in detecting and removing polymorphic viruses, Symantec speculates that more malicious code authors may begin to use more polymorphic techniques at all levels of malicious code development.

Know your Enemy

From Oceans 11 to 7-11
Common attacks of yesterday:
• Sneak through the network perimeter
• Steal customer data or intellectual property
• Make the escape unnoticed
Common attacks of today:
• Don't bother penetrating the network
• Phish or use crimeware on a company's customers when they're online
• Aggregate and sell their data on the black market, or use it yourself

Successfully Exploiting Home Users Makes Fraudsters $$$
[Figure: diagram of the phishing economy, showing the roles Phisher, Cashier, Spammer, Botherder and Victims and the components Fraud Website (+ Trojan horse), Egg Drop Server and Phishing Messages.]

"Underground" Economies
[Figure: screenshot; no text recovered from the slide.]

"Underground" Economies (2)
[Figure: screenshot; no text recovered from the slide.]

Who are most of the attackers looking to victimize?
• Home users are targets of opportunity: attackers "casting the net" to find victims
• Financial Services remains interesting: go to the money

Crimeware & The Fraud Community
Quoted from an underground forum advertisement:
  I'm here to sell a working version of win32.grams trojan. For those who don't know what this trojan does, I will explain. It simply steals all the e-gold from the victim's account and transfers all the gold into your account. Simple and efficient. The trojan has been tested successfully with Windows XP (all SPs) and works ONLY on IE (Internet Explorer). If any bugs are found, it is my responsibility to fix them immediately.
  The price for this wonder trojan is only 1000 dollars and I accept only WU / MG and e-gold.

Making $$$ By Exploiting Browsers: Rogue Distributors
• Rogue distribution networks make money by using browser exploits to install downloader Trojans
• The downloaders are then used to install adware & spyware
• Reportedly pay for 0-day vulnerabilities such as WMF
  • WMF vulnerability said to be purchased for ~$4K USD
  • Discovered in active exploit via iframecash.biz & others

Web Attacker: Automated Tools Make it Easy
[Figure: screenshot; no text recovered from the slide.]

How much can they make? Ask Direct Revenue
• The spoils of spyware: all execs at Direct Revenue became millionaires in 2004

Good news: window of exposure (WOE) is shrinking
• Limited set of vendors: Symantec, Microsoft, Cisco, Sun, HP, EMC, IBM, Oracle, CA & McAfee
• The window of exposure for enterprise vendors continues to shrink, primarily due to the increased speed at which vendors are developing patches

Bad news: it's still 28 days on average
• Day 1: vulnerability announced
• Day 3: exploit becomes public
• Day 31: patch available
• ~28-day window of exposure with no patch for protection
Source: Internet Security Threat Report X, September 2006; all numbers above are averages

Worse news: averages don't tell the real story
• Old proverb: never cross a river that's on average 5 feet deep
• Zero-day attacks are not unusual anymore
• A few key vulnerabilities get the bulk of the exploit action: WMF (Jan 06), VML (Sep 06)

Strategies and Tactics to Protect Identity

Protect Thy Customer
• Education: let them know how you communicate; inform them of any new twists in attacks that might catch them off-guard
• Communication: consider fraud alerting services & contribute known fraud to the PRN phish blocking community (free)

Protect Thy Customer (2)
• Establish zero-hour, behavioral detection and mitigation of malicious threats, less reliant on 'signatures'
• Establish protection that follows users
• Establish protection from the unmanaged endpoints

Protect Thy Customer (2)
• Become the customer's IT department
• Advise customers to use, or better, provide them with, products, toolbars and/or web browsers with antiphishing protection

Protect Thy Customer (3)
• Put your customer in charge of their identity: identity management tools, preference management
• As a consumer, I want to:
  • Have a single sign-on to my personal information
  • NOT have any enterprise aware of what I am doing elsewhere
  • NOT communicate any information about myself until I CHOOSE to do so
  • Know that even within the systems of the businesses I do business with, my identity is protected and, in the event of a breach of security, the information is anonymized or encrypted

Make Yourself Unattractive
• Validate Track 2 magnetic stripe information
  • It's not phishable data, and it makes your business a lot less "cashable"
  • "Up to half of U.S. banks fail to validate Track 2 data and only rely on customer PINs to authorize ATM transactions" (C|net)
• Use multi-factor authentication
  • Something the user is (fingerprint, retinal pattern)
  • Something the user has (security token, software token, cell phone)
  • Something the user knows (password, pass phrase, PIN)
  • Can be broken, but it makes attackers work harder

Block Web Attacks
• Standardize web browsers to the extent that you can
• Patch your web browser(s) of choice as soon as possible
• Block exploits through host-based IPS & modern AV
• Make sure people who enter your networks are "clean" and have up-to-date protection
  • They are the biggest risk, since they live outside perimeter protections
  • This means network access compliance (NAC) of some sort

Cleaning up after a successful web attack
• Ensure you have an up-to-date AV or anti-spyware product
• Make sure you get the downloader (the usual source of the problem)
• Keep an eye out for misleading applications
• Address any signs of high-risk user behavior

Keeping ahead of the vulnerability flood
• Intrusion prevention at the network and the host
• Defend against unprotected hosts inside the perimeter & when employees are remote (outside the perimeter)
• Anti-virus can block the file-based attacks (e.g. WMF, VML)
• Example timeline, Vulnerability in Server Service (MS06-040, Critical):
  • Vulnerability announced: August 8th, 2006
  • Symantec IPS protection: August 8th, 2006
  • 1st public exploit: August 10th, 2006
  • 1st worm: August 11th, 2006
• But keep it current: WMF changed every day and required frequent updates
• Routinely assess your environment for vulnerabilities & misconfigurations
• Have a patch process in place

Do not become the Enemy…
• Consider whether your tactics create greater risk: using biometric information may create higher security, but are you now creating a greater risk?
• Use privacy impact assessments to determine the impact of even those technologies introduced to protect identity
• Are you doing the right things to avoid risk to your customers?
• Information inside the enterprise is the prize: are you keeping information unnecessarily?

Know your Weaknesses
• Unstructured information (Word documents, e-mails) on mail and file servers on local office LANs as well as WANs
• Web and e-commerce systems collect personal information and preferences, and utilize technologies such as tracking cookies
• Backup systems are 'snapshots' of the whole network, maintained for years
• While security/access is based on role, in general within individual systems there are no role-based access controls that limit what can be seen or accessed
• A lot of information is 'portable': contained on laptops or PDAs used by sales and field technicians

Know your Weaknesses (2)
• CRM systems contain information about contacts within customers, suppliers and business partners
• Many businesses have an unrecognized risk with business customers who are unincorporated; personal information is also business information:
  • Credit reports and payment histories in internal systems, or shared with or obtained from third parties
  • Leasing and financing data, including personal guarantees
  • Collections information
• In human resource systems, corporations maintain information about potential candidates (resumes, background checks), employees, and ex-employees
• Most customer and technical support systems contain a wealth of personal information

Where technology can't help
• Security and privacy are aspects of good governance, and not simply IT issues
• Enforcing 'best practices' is an issue for both IT and the 'business' sides
• Recognized standards that are both measurable and auditable (i.e. creating evidence of compliance) are key to achieving compliance
• Education and awareness are often the 'missing' ingredient in good security and privacy practices, and cannot be overlooked

Conclusion
It's a battle…
• Critical to understand the nature of the struggle underway:
  • The 'opposition' is organized and capable
  • The stakes are high
  • The battle is on many fronts
• Necessary to think in terms of strategy and tactics
• You must act as the customer's IT department to ensure that you preserve the customer's confidence in your enterprise

Appendix A: Presenter's Background
Constantine Karbaliotis, LL.B., CIPP, Canadian Senior Compliance Business Specialist
• Called to the Bar of the Province of Ontario in 1986; practiced law for ten years in the areas of litigation, intellectual property, arbitration and mediation; taught at the Bar Admission Course and CLE programs
• Ten years of consulting experience with small to large law firms, the public legal sector, and other public sector and private sector organizations
• Experience with document management, privacy, security, project management and government
• Video Remand and Bail Project: worked for 3 years within the Ontario government to establish the largest criminal justice video network; won a Diamond award at Showcase 2001
• Certified Information Privacy Professional
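The Track 2 check from the "Make Yourself Unattractive" slide, as an added example that is not part of the presentation: the weak path the C|net quote describes (authorize on PIN alone) sits beside the corrected path (PIN plus structurally valid Track 2 that matches the request). The Track 2 layout and the meaning of a leading service-code digit of 9 are assumed here from ISO 7813, the reader-appended LRC is not modelled, and the sample requests, the test PAN and the discretionary data are constructed.

```python
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Track 2 layout assumed here from ISO 7813: ';' PAN '=' YYMM service-code
# discretionary-data '?'. The LRC the reader appends is not modelled.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<service>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation of the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def track2_problems(raw: Optional[str], pan_on_request: str, today: date) -> List[str]:
    """Reasons not to trust the stripe data (an empty list means it checks out)."""
    if not raw:
        return ["no Track 2 data present"]
    m = TRACK2_RE.match(raw)
    if not m:
        return ["malformed Track 2 data"]
    f = m.groupdict()
    problems = []
    if f["pan"] != pan_on_request:
        problems.append("Track 2 PAN does not match the PAN on the request")
    if not luhn_ok(f["pan"]):
        problems.append("PAN fails Luhn check")
    mm = int(f["mm"])
    if not 1 <= mm <= 12:
        problems.append("bad expiry month")
    elif (2000 + int(f["yy"]), mm) < (today.year, today.month):  # 2-digit year assumed 20YY
        problems.append("card expired")
    if f["service"][0] == "9":  # first service-code digit 9 marks a test card (assumed)
        problems.append("test card service code")
    return problems


def authorize_atm(request: Dict[str, Optional[str]], pin_matches: bool,
                  today: date, require_track2: bool) -> Tuple[bool, str]:
    """Weak path from the C|net quote (PIN only) versus the corrected path
    (PIN and validated Track 2). require_track2=False reproduces the weak path."""
    if not pin_matches:
        return False, "PIN mismatch"
    if not require_track2:
        return True, "approved on PIN alone"
    problems = track2_problems(request.get("track2"), request["pan"], today)
    if problems:
        return False, "declined: " + "; ".join(problems)
    return True, "approved: PIN and Track 2 validated"


# Constructed sample requests. 4111111111111111 is a well-known test PAN.
TEST_PAN = "4111111111111111"
CARD_PRESENT = {"pan": TEST_PAN, "track2": ";" + TEST_PAN + "=0812101123456789?"}
# Built only from data that can be collected online (PAN, expiry): no stripe data.
NO_STRIPE = {"pan": TEST_PAN, "track2": None}
TODAY = date(2006, 10, 30)

if __name__ == "__main__":
    for name, req in (("card present", CARD_PRESENT), ("no stripe", NO_STRIPE)):
        print(name, authorize_atm(req, True, TODAY, require_track2=False))
        print(name, authorize_atm(req, True, TODAY, require_track2=True))
```

With the PIN-only setting both requests are approved; with Track 2 required, the request that carries no stripe data is declined even though its PIN is correct, which is what makes phished card details "a lot less cashable" at the ATM.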