Archive for the ‘Security Reports and Surveys’ Category

Report: Google Hackers Stole Source Code of Global Password System

April 20, 2010

Report: Google Hackers Stole Source Code of Global Password System: “

The hackers who breached Google’s network last year were able to nab the source code for the company’s global password system, according to the New York Times.

The Single Sign-On password system, which Google referred to internally as Gaia, allows users to log into a constellation of services the company offers — GMail, search, business applications and others — using one password.

The hackers, who are still unknown, were able to steal the code after gaining access to the company’s software repository, which stores the crown jewels for its search engine and other programs.

Because the hackers grabbed the software, and do not appear to have grabbed customer passwords, users aren’t directly affected by the theft. But the hackers could study the software for security vulnerabilities to devise ways to breach the system that could later affect users.

Google announced in January that it and numerous other companies had been hacked in a sophisticated attack. The hackers had targeted source code repositories at many of the companies, including Google.

According to the Times, the theft began when an instant message was sent to a Google employee in China who was using Windows Messenger. The message included a link to a malicious website. Once the employee clicked on the link, the intruders were able to gain access to the employee’s computer and from there to computers used by software developers at Google’s headquarters in California.

The intruders seemed to know the names of the Gaia software developers, according to the Times. The intruders had access to an internal Google corporate directory known as Moma, which lists the work activities of every Google employee.

They initially tried to access the programmer’s work computers and ‘then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored.’

The Times doesn’t elaborate on the set of sophisticated techniques the hackers used to access the source code, but in March, security firm McAfee released a white paper in relation to the Google hack that describes serious security vulnerabilities it found in software configuration management systems (SCMs) used by companies that were targeted in the hacks.

‘[The SCMs] were wide open,’ Dmitri Alperovitch, McAfee’s vice president for threat research told Threat Level at the time. ‘No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.’

Many of the companies that were attacked used the same source-code management system made by Perforce, a California-based company, according to McAfee. The paper didn’t indicate, however, whether Google used Perforce or had another system in place with vulnerabilities.

According to McAfee’s earlier report, the malicious website the hackers used in the Google hack was hosted in Taiwan. Once the victim clicked on a link to the site, the site downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser.

A binary disguised as a JPEG file then downloaded to the user’s system and opened a backdoor onto the computer and set up a connection to the attackers’ command-and-control servers, also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.

According to the paper, the hackers were successful at accessing source code because many SCMs are not secured out of the box and do not maintain sufficient logs to help forensic investigators examining an attack.

‘Additionally, due to the open nature of most SCM systems today, much of the source code it is built to protect can be copied and managed on the endpoint developer system,’ the white paper states. ‘It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree…. As a result, attackers often don’t even need to target and hack the backend SCM systems; they can simply target the individual developer systems to harvest large amounts of source code rather quickly.’

Alperovitch told Threat Level his company had seen no evidence to indicate that source code at any of the hacked companies had been altered.

(Via Wired: Threat Level.)


Cybercrime losses almost double

March 23, 2010

Cybercrime losses almost double: “

FBI figures show huge rise in online miscreantage

US net crime loss complaints almost doubled in value from $265m in 2008 to reach $560m last year, according to official figures.…

(Via The Register – Security.)

Most Companies Lack Infrastructure to Fight Against the Biggest Cyber Threats

March 23, 2010

Most Companies Lack Infrastructure to Fight Against the Biggest Cyber Threats: “According to Rich Baich, author of the survey’s report, cybercrime menaces to organizations are increasing much faster than companies can tackle them,…”

(Via Computer Crime Research News.)

Adobe predicted as top 2010 hacker target

December 30, 2009

Adobe predicted as top 2010 hacker target: “

McAfee’s crystal ball also reveals Google Chrome dangers

Adobe will overtake Microsoft as the primary target for hackers and virus writers in 2010, net-security firm McAfee predicts.…

(Via The Register.)

McAfee 2010 Cyber Threat Predictions

December 29, 2009

2010 Threat Predictions

Adobe to become top hacker target for 2010

New McAfee report predicts next year will see Adobe software supplant Microsoft products for the dubious honour

By Phil Muncaster

Security giant McAfee is warning end users and information security professionals to expect an increase in threats to social networks and the emergence of Adobe products as the number one software target for cyber criminals next year.

McAfee’s new 2010 Threat Predictions report warns that Adobe will supplant Microsoft for the first time next year in terms of the number of desktop PCs being attacked.

“In 2009 McAfee Labs saw an increase in attacks targeting client software. The favourite vector among attackers is Adobe products, primarily Flash and Acrobat Reader,” the report noted.

“Using reliable ‘heap spray–like’ and other exploitation techniques, malware writers have turned Adobe apps into a hot target. Further, Flash and Reader are among the most widely deployed applications in the world, which provides a higher return on investment to cyber criminals.”

The report also warns that as user numbers of social networks continue to grow, these sites are likely to experience ever-more sophisticated attacks, with cyber criminals exploiting the inherent trust that users have in their friends on the sites which makes them more likely to click on malicious links.

“As Google and other providers crack down on search engine poisoning, we expect that Twitter and similar services will increase in appeal for such purposes,” the report added.

But it was not all doom and gloom for 2010, with McAfee maintaining that the tide may finally turn in favour of the law enforcers next year.

“The worlds of law enforcement and justice have had about a decade to deal with highly organised and financially motivated cyber criminals. We finally have nearly universal recognition among global governments of the severity of this problem, and we can see significant progress from these years of relationship building, education, and training among international law enforcement organisations,” the report said.

“This progress has been slow in coming but we now see clearly demonstrated to criminals that engaging in cybercrime has become an activity with a rapidly increasing risk of incarceration, regardless of their country of residence.”

Episode 30: Routing Security

December 22, 2009

Episode 30: Routing Security: “

In the 30th episode of Team Cymru’s The Who and Why Show, we’re joined once again by John Kristoff to talk about Router and Routing Security. We’ll cover some common mistakes folks make, quick wins plus some longer term fixes you might want to implement to secure your networks.

(Via Uploads by teamcymru.)

Data Breaches Show PCI DSS Ineffective

December 22, 2009

Data Breaches Show PCI DSS Ineffective: “

By Danny Lieberman, Security Expert and Founder of Software Associates

A recent Ponemon survey (pci-dss-survey-key-findings-final4) found 71% of companies don’t consider PCI as strategic, though 79% had experienced a breach.

Are these companies assuming that a data security breach is cheaper than the security?

How should we understand the Ponemon survey? Is PCI DSS a failure in the eyes of US companies?

Let’s put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.

Consider two central principles of security – cost of damage and goodness of fit of countermeasures:

a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question. If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k – then PCI certification is not only not strategic, it is a bad business decision.

b) Common sense says that your security countermeasures should fit your business not a third-party checklist designed by a committee and obsolete by the time it was published.

The fact the Ponemon study shows that 71% of businesses surveyed don’t see PCI as strategic is an indication that 71% have this modicum of common sense.

The other 29% are either naive, ignorant or work for a security product vendor.

Common sense is a necessary but not sufficient condition. If you want to satisfy the two principles, you have to prove two hypotheses.

Data loss is currently happening.

* What data types and volumes of data leave the network?
* Who is sending sensitive information out of the company?
* Where is the data going?
* What network protocols have the most events?
* What are the current violations of company AUP?

A cost effective solution exists that reduces risk to acceptable levels.

* What keeps you awake at night?
* Value of information assets on PCs, servers & mobile devices?
* What is the value at risk?
* Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
* How much do your current security controls cost?
* How do you compare with other companies in your industry?
* How would risk change if you added, modified or dropped security controls?

If PCI is a failure, it is not because it doesn’t prevent credit card theft; there is no such animal as a perfect set of countermeasures.

PCI is a failure because it does not force a business to use its common sense and ask these practical, common-sense business questions.

* * *

Danny Lieberman is a serial technology innovator and leader – implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003 – Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention /extrusion prevention technology.

Software Associates provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at: +972 54 447 1114 –  he is always looking for interesting projects and ideas.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to

(Via Information Security Resources.)

Readying For A Zero-Day Attack: Expect The Unexpected

December 17, 2009

Readying For A Zero-Day Attack: Expect The Unexpected

In new report, Dark Reading describes methods for managing previously unknown vulnerabilities

By Randy George

Which vulnerabilities are the hardest for an enterprise to manage? None of them are easy, but the ones that are most lethal are the vulnerabilities you don’t know about until an exploit hits. These flaws, known collectively as “zero-day” vulnerabilities, require a special type of vulnerability management.

On the surface, in fact, it may seem that vulnerability management practices are not much use against a zero-day attack, since you can’t “manage” a flaw you don’t yet know about. But there are many steps you can take to prepare for the inevitable zero-day issue, and any good vulnerability management program should outline those steps, and how they will be implemented.

The unfortunate reality is that planning for a zero-day attack is no different or less challenging than planning for a terrorist attack. Because a zero-day attack is by nature taking advantage of an unplugged hole in your defenses that you’re unaware of, you have no choice but to absorb the first punch in this fight should an attacker exploit that particular vulnerability. Mitigating the damage caused by a new exploit is as much about disaster preparedness as it is about vulnerability management, and the best you can hope to do is soften the blow of such an attack when it comes.

Cybercrime Intelligence Report: Cybercriminals use Trojans & money mules to rob online banking accounts

December 15, 2009

FINJAN Cybercrime Intelligence Report

Cybercriminals keep on targeting online customers of banks. They are reaching new levels of sophistication in their attacks. They refine their methods, and search for new ways to maximize their illegal profit while minimizing their chance of detection. In this report, we will show you a recent discovery by our Malicious Code Research Center (MCRC). We will expose the tools and methods a cybergang used to successfully steal 300,000 Euro from German bank accounts during the first 22 days of their cybercrime spree.

Verizon 2009 Data Breach Investigations Supplemental Report

December 13, 2009

Verizon 2009 Data Breach Investigations Supplemental Report

A study conducted by the Verizon Business RISK team.

Verizon Business’s "An Anatomy of a Data Breach" report lists the top 15 most common cyber attack vectors in 2009. Topping the list are keylogging and spyware; backdoor or command and control malware; and SQL injection. Further down on the list are RAM scrapers, attacks that are designed to seek plaintext data from the random access memory of point-of-sale terminals. They have emerged in the wake of the growing use of encryption in the payment card industry. RAM scrapers are often narrowly targeted attacks because they are often "customized to work with specific vendors’ POS systems."