The Latest Trends in Hacking
2011 Trends
Volume 17 Published April 2012
Paul Wood, Executive Editor; Manager, Cyber Security Intelligence, Security Technology and Response
Gerry Egan, Sr. Director, Product Management, Security Technology and Response
Kevin Haley, Director, Product Management, Security Technology and Response
Tuan-Khanh Tran, Group Product Manager, Security Technology and Response
Orla Cox, Sr. Manager, Security Operations, Security Technology and Response
Hon Lau, Manager, Development, Security Technology and Response
Candid Wueest, Principal Software Engineer, Security Technology and Response
David McKinney, Principal Threat Analyst, Security Technology and Response
Tony Millington, Associate Software Engineer, Security Technology and Response
Benjamin Nahorney, Senior Information Developer, Security Technology and Response
Joanne Mulcahy, Technical Product Manager, Security Technology and Response
John Harrison, Group Product Manager, Security Technology and Response
Thomas Parsons, Director, Development, Security Technology and Response
Andrew Watson, Sr. Software Engineer, Security Technology and Response
Mathew Nisbet, Malware Data Analyst, Security Technology and Response
Nicholas Johnston, Sr. Software Engineer, Security Technology and Response
Bhaskar Krishnappa, Sr. Software Engineer, Security Technology and Response
Irfan Asrar, Security Response Manager, Security Technology and Response
Sean Hittel, Principal Software Engineer, Security Technology and Response
Eric Chien, Technical Director, Security Technology and Response
Eric Park, Sr. Business Intelligence Analyst, Anti-Spam Engineering
Mathew Maniyara, Security Response Analyst, Anti-Fraud Response
Olivier Thonnard, Sr. Research Engineer, Symantec Research Laboratories
Pierre-Antoine Vervier, Network Systems Engineer, Symantec Research Laboratories
Martin Lee, Sr. Security Analyst, Symantec.cloud
Daren Lewis, Principal Strategic Planning Specialist, Symantec.cloud
Scott Wallace, Sr. Graphic Designer
Symantec Corporation
Table Of Contents
Introduction .......................................................... 5
2011 By Month ....................................................... 6
2011 In Numbers ..................................................... 9
Executive Summary ................................................... 12
Safeguarding Secrets: Industrial Espionage In Cyberspace ............ 14
    Cyber-Espionage In 2011 ......................................... 14
    Advanced Persistent Threats ..................................... 15
    Targeted Attacks ................................................ 16
    Case Study ...................................................... 16
    Where Attacks Come From ......................................... 19
Consumerization And Mobile Computing: Balancing The Risks And Benefits In The Cloud ... 25
    Risks With Bring Your Own Device ................................ 25
    Threats Against Mobile Devices .................................. 25
    Consumerization Of IT And Cloud Computing ....................... 26
    Quick Response (QR) Codes ....................................... 27
    What Mobile Malware Does With Your Phone ........................ 27
    Confidence In The Cloud: Balancing Risks ........................ 28
Best Practice Guidelines For Businesses ............................. 44
Best Practice Guidelines For Consumers .............................. 46
More Information .................................................... 48
About Symantec ...................................................... 48
Endnotes ............................................................ 49
Figures
Figure 1: Targeted Attacks Trend Showing Average Number Of Attacks Identified Each Month, 2011 .......... 15
Average Number Of Malicious Web Sites Identified Per Day, 2011 .......... 33
Rise In Email-Borne Bredolab Polymorphic Malware Attacks Per Month, 2011 .......... 35
Introduction
Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second. This network monitors attack activity in more than 200 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, and other third-party data sources.

In addition, Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products.

Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts, Symantec.cloud, and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers' networks. Over 8 billion email messages and more than 1.4 billion Web requests are processed each day across 15 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.

These resources give Symantec's analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future.
2011 BY MONTH
(Timeline categories: Mobile Threats, Hacks, Botnet Takedowns, Threat Specific, Social Networking.)

JANUARY
- Applications bundled with the Android.Geinimi back door appear in unregulated Android marketplaces.

FEBRUARY
- Security firm HBGary Federal hacked by Anonymous.
- Android.Pjapps, another Android-based back door trojan, appears in unregulated Android marketplaces.

MARCH
- Microsoft and US law enforcement take down the Rustock botnet.
- Spammers exploit the Japanese earthquake with 419 scams, fake donation sites, and malicious attachments.
- Hackers take Google's tool for removing Android.Rootcager and repackage it with a new trojan, Android.Bgserv.
- Comodo Registration Authorities InstantSSL.it and GlobalTrust.it hacked. Fake certificates for the likes of Google, Hotmail, Yahoo!, Skype, and Mozilla created.

APRIL
- Sony discovers that PlayStation Network has been compromised by hackers and shuts down the service while security is restored.
- Spammers target unrest in Egypt and Libya with 419 scams and targeted attacks.

MAY
- Malware found registering Facebook applications.
- FBI awarded a court order to shut down the Coreflood botnet by sending a delete command (included in the threat's design) to compromised computers.
- Spammers and FakeAV peddlers use the British Royal Wedding for campaigns and SEO poisoning.

JUNE
- LulzSec hacks Black & Berg Cybersecurity Consulting, refuses the $10k previously offered as a prize.
- LulzSec hacks US Senate, CIA and FBI affiliates in response to the US Government declaring that cyberattacks could be perceived as an act of war.
- Operation AntiSec begins: hackers are encouraged to attack government web sites and publish data found.
- LulzSec finds itself the victim of an attack by TeaMp0isoN/th3j35t3r, who feels the group receives an unjust amount of attention.

JULY
- Microsoft offers a $250,000 reward for information leading to the arrest of the Rustock creators.

AUGUST
- Trojan.Badminer discovered; it offloads bitcoin mining to the GPU (Graphics Processing Unit).

SEPTEMBER
- Spammers exploit the tenth anniversary of 9/11 to harvest email addresses.

OCTOBER
- W32.Duqu officially discovered. May be the threat Iran publicized in April.
- Attackers behind the Blackhole exploit kit kick off a spam campaign surrounding Steve Jobs' death.
- Nitro Attacks whitepaper released, detailing a targeted attack against the chemical sector.
- Java becomes the most exploited software, surpassing Adobe and Microsoft, according to the Microsoft Security Intelligence Report, volume 11.
- Libyan leader Muammar Gadhafi's death leads to a spam campaign spreading malware.

DECEMBER
- Stratfor, a global affairs analysis company, hacked.
2011 IN NUMBERS
(Infographic; the values that can be paired with their labels are listed below.)
- Estimated global spam per day: 62 billion in 2010, 42 billion in 2011
- Identities exposed: 1.1 million per breach
- Phishing rate, overall: 1 in 299
- Targeted attacks: 50% against big businesses (2,500+ employees), 50% against small and medium businesses, 18% against small businesses (1-250 employees); 42% of mailboxes targeted for attack are high-level executives, senior managers and people in R&D
- New vulnerabilities: 4,989
- Bot zombies: 3,065,030 in 2010, 4,500,000 in 2011
- New zero-day vulnerabilities: 8
- Spam, overall rate: 86% in 2010, 75% in 2011
- Email virus, overall rate: 1 in 239
- Values on the graphic that cannot be paired with a label: -34% of all spam, 55,294, 42,926 in 2010
Executive Summary
Symantec blocked more than 5.5 billion malicious attacks in 2011[1], an increase of more than 81% from the previous year. This increase was in large part a result of a surge in polymorphic malware attacks, particularly from those found in Web attack kits and socially engineered attacks using email-borne malware. Targeted attacks exploiting zero-day vulnerabilities were potentially the most insidious of these attacks. With a targeted attack, it is almost impossible to know when you are being targeted, as by their very nature they are designed to slip under the radar and evade detection. Unlike these chronic problems, targeted attacks, politically motivated hacktivist attacks, data breaches and attacks on Certificate Authorities made the headlines in 2011. Looking back at the year, we saw a number of broad trends, including (in roughly the order they are covered in the main report):
Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by the adoption of Always On SSL by Facebook, Google, Microsoft, and Twitter[3].

Certificate Authorities And Transport Layer Security (TLS) V1.0 Are Targeted As SSL Use Increases
High-profile hacks of Certificate Authorities, the providers of Secure Sockets Layer (SSL) certificates, threatened the systems that underpin trust in the internet itself. However, SSL technology wasn't the weak link in the DigiNotar breach and other similar hacks; instead, these attacks highlighted the need for organizations in the Certificate Authority supply chain to harden their infrastructures and adopt stronger security procedures and policies. A malware-dependent exploit concept against TLS 1.0 highlighted the need for the SSL ecosystem to upgrade to newer versions of TLS, such as TLS 1.2 or higher.
Cyber-Espionage In 2011
The number of targeted attacks increased during 2011, from an average of 77 per day in 2010 to 82 per day in 2011, and advanced persistent threats (APTs) attracted more public attention as the result of some well-publicized incidents. Targeted attacks use customized malware and refined targeted social engineering to gain unauthorized access to sensitive information. This is the next evolution of social engineering, where victims are researched in advance and specifically targeted. Typically, criminals use targeted attacks to steal valuable information such as customer data for financial gain. Advanced persistent threats use targeted attacks as part of a longer-term campaign of espionage, typically targeting high-value information or systems in government and industry.

In 2010, Stuxnet grabbed headlines. It is a worm that spread widely but carried a specialized payload designed to target systems that control and monitor industrial processes, creating suspicion that it was being used to target nuclear facilities in Iran. It showed that targeted attacks could be used to cause physical damage in the real world, making real the specter of cyber-sabotage. In October 2011, Duqu came to light[5]. This is a descendant of Stuxnet. It used a zero-day exploit to install spyware that recorded keystrokes and other system information. It presages a resurgence of Stuxnet-like attacks, but we have yet to see any version of Duqu built to cause cyber-sabotage. Various long-term attacks against the petroleum industry, NGOs and the chemical industry[6] also came to light in 2011. And hacktivism by Anonymous, LulzSec and others dominated security news in 2011.
Figure 1: Targeted Attacks Trend Showing Average Number Of Attacks Identified Each Month, 2011
(Chart: monthly values for JAN-DEC 2011 on a 0-180 scale; annotated values 154 and 26.)
Advanced Persistent Threats
1. They use highly customized tools and intrusion techniques.
2. They use stealthy, patient, persistent methods to reduce the risk of detection.
3. They aim to gather high-value, national objectives such as military, political or economic intelligence.
4. They are well-funded and well-staffed, perhaps operating with the support of military or state intelligence organizations.
5. They are more likely to target organizations of strategic importance, such as government agencies, defense contractors, high-profile manufacturers, critical infrastructure operators and their partner ecosystem.

The hype surrounding APTs masks an underlying reality: these threats are, in fact, a special case within the much broader category of attacks targeted at specific organizations of all kinds. As APTs continue to appear on the threat landscape, we expect to see other cybercriminals learn new techniques from these attacks. For example, we're already seeing polymorphic code used in mass malware attacks, and we see spammers exploit social engineering on social networks. Moreover, the fact that APTs are often aimed at stealing intellectual property suggests new roles for cybercriminals as information brokers in industrial espionage schemes. While the odds of an APT affecting most organizations may be relatively low, the chances that you may be the victim of a targeted attack are, unfortunately, quite high. The best way to prepare for an APT is to ensure you are well defended against targeted attacks in general.
Figure 2: Targeted Email Attacks, By Top-Ten Industry Sectors, 2011
(Chart; recoverable labels: Retail 3%, Education 3%, Non Profit 4%, Chemical/Pharmaceutical 6%, IT Services 6%; the labels Finance and Manufacturing and the values 14% and 15% also appear but cannot be paired.)

Targeted Attacks
Targeted attacks affect all sectors of the economy. However, two-thirds of attack campaigns focus on a single or a very limited number of organizations in a given sector, and more than half focus on the defense and aerospace sector, sometimes attacking the same company in different countries at the same time. On average they used two different exploits in each campaign, sometimes using zero-day exploits to make them especially potent.

Case Study
In 2011, we saw 29 companies in the chemical sector (among others) targeted with emails that appeared to be meeting invitations from known suppliers. These emails installed a well-known backdoor trojan with the intention of stealing valuable intellectual property such as design documents and formulas.
It is, however, a mistake to assume that only large companies suffer from targeted attacks. In fact, while many small business owners believe that they would never be the victim of a targeted attack, more than half of targeted attacks were directed at organizations with fewer than 2,500 employees; in addition, 17.8% were directed at companies with fewer than 250 employees. It is possible that smaller companies are targeted as a stepping-stone to a larger organization because they may be in the supply chain or partner ecosystem of larger but better-defended companies. While 42% of the mailboxes targeted for attack belong to high-level executives, senior managers and people in R&D, the majority of targets were people without direct access to confidential information. For an attacker, this kind of indirect attack can be highly effective in getting a foot in the door of a well-protected organization. For example, people with HR and recruitment responsibilities are targeted 6% of the time, perhaps because they are used to getting email attachments such as CVs from strangers.
Figure 3
(Chart of targeted attacks by number of employees; bands 1-250, 251-500, 501-1000, 1001-1500, 1501-2500 and 2501+. Recoverable values: 1-250 18%, 1-2500 combined 50%, 2501+ 50%; the values 5%, 8%, 9% and 10% also appear but cannot be paired with a band.)
Figure 4
(Chart of targeted mailboxes by job role; recoverable labels: Sales 12%, Media 10%, Primary Assistant 6%, Recruitment 6%. Source: Symantec)
(Word cloud of data types exposed in breaches: names, user IDs, passwords, dates of birth, email addresses, email contacts, IP addresses, account info, banking info, credit card numbers, purchases, Social Security numbers, medical records.)
Political activism and hacking were two big themes in 2011, themes that are continuing into 2012. There were many attacks last year that received lots of media attention. Hacking can undermine institutional confidence in a company, and loss of personal data can result in damage to an organization's reputation. Although not the most frequent cause of data breaches, hacking attacks had potentially the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011, analysis from the Norton Cybercrime Index revealed. Despite the media interest around these breaches, old-fashioned theft was the most frequent cause of data breaches in 2011.
Figure 6
(Chart for 2011; recoverable residue: 74 million, 35, 22, DEC.)
the per capita cost of a breach was USD $194 and an average incident costs USD $5.5 million in total. Echoing the Norton Cybercrime Index data above, the Ponemon study also found that negligence (36% of cases in the UK and 39% in the US) and malicious or criminal attacks (31% in the UK and 37% in the US) were the main causes. The study's findings revealed that more organizations were using data loss prevention technologies in 2011 and that fewer records were being lost, with lower levels of customer churn than in previous years. Taking steps to keep customers loyal and repair any damage to reputation and brand can help reduce the cost of a data breach.
Figure 7
(Chart for 2011; recoverable label: Healthcare 43%.)

Figure 8
(Chart for 2011; recoverable value: 44%.)
MARCH
An attack compromised the access credentials of a Comodo partner in Italy and used the partner's privileges to generate fraudulent SSL certificates[10].

MAY
It was reported that another Comodo partner was hacked: ComodoBR in Brazil[11].

JUNE
StartCom, the CA operating StartSSL, was attacked unsuccessfully in June[12]. DigiNotar was hacked in June, but no certificates were issued at first[13].

JULY
An internal audit discovered an intrusion within DigiNotar's infrastructure, indicating compromise of its cryptographic keys. Fraudulent certificates for Google, Mozilla add-ons, Microsoft Update and others were issued as a result of the DigiNotar hack[14].

AUGUST
Fraudulent certificates from the DigiNotar compromise are discovered in the wild. A hacker (dubbed ComodoHacker) claims credit for the Comodo and DigiNotar attacks and claims to have attacked other certificate authorities as well. The hacker claims to be from Iran.

SEPTEMBER
Security researchers demonstrate Browser Exploit Against SSL/TLS (BEAST for short)[15], a technique to take advantage of a vulnerability in the encryption technology of TLS 1.0, a standard used by browsers, servers and Certificate Authorities. GlobalSign attacked: although the Certificate Authority was not breached, its web server was compromised[16], but nothing else[17]. ComodoHacker claims credit for this attack as well. The Dutch government and other DigiNotar customers suddenly had to replace all DigiNotar certificates as the major Web browser vendors removed DigiNotar from their trusted root stores[18]. DigiNotar files for bankruptcy.

NOVEMBER
Digicert Sdn. Bhd. (Digicert Malaysia), an intermediate certificate authority that chained up to Entrust (and is no relation to the well-known CA DigiCert Inc.), issued certificates with weak private keys and without appropriate usage extensions or revocation information. As a result, Microsoft, Google and Mozilla removed the Digicert Malaysia roots from their trusted root stores[19]. This was not the result of a hacking attack but of poor security practices by Digicert Sdn. Bhd.
These attacks have demonstrated that not all CAs are created equal. They raise the stakes for Certificate Authorities and require a consistently high level of security across the industry. For business users, they underline the importance of choosing a trustworthy, well-secured Certificate Authority. Lastly, consumers should use modern, up-to-date browsers and be more diligent about verifying that the sites they visit use SSL certificates issued by a major trusted CA; we have included some advice in the best practices section at the end of this report.
Always On SSL.
The Online Trust Alliance[20] endorses Always On SSL, a new approach to implementing SSL across a website. Companies like Facebook[21], Google, PayPal, and Twitter[22] are offering users the option of persistent SSL encryption and authentication across all the pages of their services (not just login pages). Not only does this mitigate man-in-the-middle attacks like Firesheep[23], but it also offers end-to-end security that can help secure every Web page that visitors to the site use, not just the pages used for logging in and for financial transactions.

EV SSL Certificates offer the highest level of authentication and trigger browsers to give users a very visible indicator that they are on a secured site by turning the address bar green. This is valuable protection against a range of online attacks. A Symantec-sponsored consumer survey of internet shoppers in Europe, the US and Australia showed that the SSL EV green bar increases the feeling of security for most (60%) shoppers[24]. Conversely, in a US online consumer study, 90% of respondents would not continue a transaction if they saw a browser warning page indicating the absence of a secure connection[25].

The CA/Browser Forum released Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software. The new baseline standard was announced in December 2011 and goes into effect July 1, 2012.
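The two server-side controls this report keeps returning to, a TLS floor of 1.2 (the response to the TLS 1.0 weakness that BEAST demonstrated) and Always On SSL for every page rather than just the login page (the response to Firesheep-style cookie sidejacking), are small to implement. The following Python is an added example, not code from the report or from any of the companies it names; the hostnames, paths, cookie name and access-log lines are all constructed, and the log format is this example's own assumption.

```python
"""Added example: enforce a TLS 1.2 floor and Always On SSL, then review a
constructed server log for sessions that still negotiate TLS 1.0/1.1.
Not from the Symantec report; hostnames, paths and log lines are constructed."""
import ssl
from http.cookies import SimpleCookie

MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses SSLv3, TLS 1.0 and TLS 1.1 handshakes.
    Call load_cert_chain(certfile, keyfile) on it before serving."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS  # BEAST targets the CBC construction in TLS 1.0
    return ctx


def always_on_ssl(scheme: str, host: str, path: str):
    """Always On SSL: every plaintext request, whatever the page, is redirected
    to its HTTPS equivalent.  Returns None when the request is already secure."""
    if scheme == "https":
        return None
    return 301, {"Location": f"https://{host}{path}"}


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value that the browser will never send over plaintext (Secure)
    nor expose to page scripts (HttpOnly).  With Always On SSL in place there is
    no plaintext page left on which a sniffer could capture this cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()


# Constructed access-log lines: "client protocol cipher method path".
SAMPLE_LOG = """\
203.0.113.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 GET /home
203.0.113.9 TLSv1 AES128-SHA GET /login
198.51.100.2 TLSv1.1 ECDHE-RSA-AES256-SHA GET /account
198.51.100.7 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 POST /login
"""

TLS_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def legacy_tls_sessions(log_text: str) -> list:
    """Return (client, protocol, path) for every session below TLS 1.2: these
    are the clients that would fail to connect once the hardened context above
    is deployed, so they are worth knowing about before the change."""
    flagged = []
    for line in log_text.splitlines():
        client, proto, _cipher, _method, path = line.split()
        # Unknown protocol strings are treated as legacy rather than ignored.
        if TLS_RANK.get(proto, 0) < TLS_RANK["TLSv1.2"]:
            flagged.append((client, proto, path))
    return flagged


if __name__ == "__main__":
    print("minimum TLS version:", hardened_server_context().minimum_version.name)
    print(always_on_ssl("http", "www.example.com", "/profile"))
    print(session_cookie("sid", "opaque-session-id"))
    for entry in legacy_tls_sessions(SAMPLE_LOG):
        print("legacy TLS session:", *entry)
```

Note that `always_on_ssl` redirects `/profile`, a non-transactional page, exactly as it would redirect `/login`; that is the whole difference between Always On SSL and the older practice of securing only the login and checkout pages.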
High-profile thefts of code signing private keys highlighted the need for companies that hold digital certificates to secure and protect their private keys[26]. Stealing code signing keys enables hackers to digitally sign malware with those certificates, which can make attacks using that malware much harder to recognize. That is exactly what happened with the Stuxnet and Duqu attacks.

DNSSEC.
This technology is gaining momentum as a method of preserving the integrity of the domain name system (DNS). However, it is not a panacea for all online security needs: it does not provide website identity authentication, nor does it provide encryption. DNSSEC should be used in conjunction with Secure Sockets Layer (SSL) technology and other security mechanisms.

Legal requirements.
Many countries, including the EU Member States[27] and the United States (46 states)[28], have at least sectoral data breach notification legislation, which means that companies must notify authorities and, where appropriate, affected individuals if their data is affected by a data breach. As well as being a spur to encourage other territories with less regulation, these requirements can reassure users that in the event of a breach they will be notified quickly and will be able to take some action to mitigate the potential impact, including changing account passwords.
Over the past ten years we have seen a proliferation of mobile devices but there has not yet been a corresponding rise in mobile threats on the same level as we have seen in PC malware.
Consumerization And Mobile Computing: Balancing The Risks And Benefits In The Cloud
Employees are increasingly bringing their own smartphones, tablets or laptops to work. In addition, many companies are giving employees an allowance or subsidy to buy their own computer equipment. These trends, known as bring your own device, present a major challenge to IT departments more used to having greater control over every device on the network. There is also the risk that a device owned by an employee might be used for non-work activity that may expose it to more malware than a device used strictly for business purposes.

The proliferation of mobile devices in the home and in business has been fueled in large part by the growth in cloud-based services and applications; without access to the Internet, many mobile devices lack a great deal of the functionality that made them attractive in the first place.
Figure 9: Total Mobile Malware Family Count, 2010-2012
(Chart: JAN 2010 to DEC 2011 on a 0-100 scale; annotated value 67.)
Unlike closed systems such as Apple's iPhone, Android is a relatively open platform. It is easier for developers, including malware writers, to write and distribute applications. In 2011, we saw malware families such as Opfake migrate from older platforms to Android. The latest strains of Opfake have used server-side polymorphism in order to evade traditional signature-based detection. Without a single Android marketplace for apps and central control over what is published, it is easy for malware authors to create trojans that are very similar to popular apps, although Android users must explicitly approve the set of permissions that is outlined for each app.

Currently, more than half of all Android threats collect device data or track users' activities. Almost a quarter of the mobile threats identified in 2011 were designed to send content, and one of the most popular ways for phone malware authors to make money is by sending premium SMS messages from infected phones. This technique was used by 18% of mobile threats identified in 2011. Increasingly, phone malware does more than send SMS. For example, we see attacks that track the user's position with GPS and steal information. The message that is coming through loud and clear is that the creators of these threats are getting more strategic and bolder in their efforts. People regard their phones as personal, private, intimate parts of their life and view phone attacks with alarm. The motivations for such attacks are not always monetary: in this example, it was about gathering intelligence and personal information.

Mobile threats are now employing server-side polymorphic techniques, and the number of variants of mobile malware attacks is currently rising faster than the number of unique families of mobile malware. Monetization is still a key driver behind the growth in mobile malware, and the current mobile technology landscape provides some malicious opportunities; however, there are none at the same revenue scale achievable in Windows, yet.
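The one control an Android user has at install time, the passage notes, is the permission list the app asks them to approve. The following Python is an added example, not code from the report or from Google: it parses an app manifest and maps the requested permissions onto the behaviour categories the report uses (collect data, track user, send content, change settings), so a reviewer can see at a glance that a "wallpaper" app asking for SEND_SMS and READ_CONTACTS does not match its stated purpose. The permission names are real Android permissions; the two manifests are constructed, and the mapping of permissions to categories is this example's own assumption.

```python
"""Added example (not from the Symantec report): map an Android manifest's
requested permissions onto the behaviour categories the report uses and flag
the ones an app's stated purpose does not explain.  Manifests constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; the grouping into the report's categories is
# this example's own assumption, not a Symantec or Google classification.
PERMISSION_CATEGORIES = {
    "android.permission.SEND_SMS": "send content",           # premium-SMS fraud
    "android.permission.READ_CONTACTS": "collect data",
    "android.permission.READ_SMS": "collect data",
    "android.permission.READ_PHONE_STATE": "collect data",   # IMEI, phone number
    "android.permission.READ_CALL_LOG": "collect data",
    "android.permission.ACCESS_FINE_LOCATION": "track user",  # GPS position
    "android.permission.ACCESS_COARSE_LOCATION": "track user",
    "android.permission.WRITE_SETTINGS": "change settings",
    "android.permission.CHANGE_WIFI_STATE": "change settings",
}

# Constructed manifest for a "wallpaper" app whose permissions look like a
# trojan repackaged around a popular app (the pattern described above).
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freewallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Free Wallpapers"/>
</manifest>
"""

# Constructed manifest for a flashlight app that asks only for network access.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>
"""


def package_name(manifest_xml: str) -> str:
    """The package attribute of the <manifest> root (not namespaced)."""
    return ET.fromstring(manifest_xml).get("package")


def requested_permissions(manifest_xml: str) -> list:
    """Every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def categorize(permissions) -> dict:
    """Group permissions by the behaviour they enable; permissions outside the
    table (INTERNET, for instance) are left out rather than guessed at."""
    categories = {}
    for perm in permissions:
        category = PERMISSION_CATEGORIES.get(perm)
        if category:
            categories.setdefault(category, []).append(perm)
    return categories


def review_manifest(manifest_xml: str, expected: set) -> list:
    """Categories the app's permissions imply but its stated purpose does not
    cover, sorted; an empty list means nothing to query with the publisher."""
    implied = categorize(requested_permissions(manifest_xml))
    return sorted(category for category in implied if category not in expected)


if __name__ == "__main__":
    for manifest, purpose in ((SUSPECT_MANIFEST, set()), (BENIGN_MANIFEST, set())):
        print(package_name(manifest), "->", review_manifest(manifest, purpose) or "no unexplained behaviour")
```

For a messaging app, `expected` would legitimately contain "send content" and "collect data", and only the location tracking would be left for the reviewer to query; the point of the check is the mismatch between what the app claims to be and what its permission prompt asks for, not any single permission.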
QR codes have sprung up everywhere in the last couple of years. They are a way for people to convert a barcode into a Web site link using a camera app on their smartphone. It's fast, convenient and dangerous. Spammers are already using it to promote black-market pharmaceuticals, and malware authors have used it to install a trojan on Android phones. In combination with link shortening, it can be very hard for users to tell in advance whether a given QR code is safe or not, so consider a QR reader that can check a Web site's reputation before visiting it.

Once the bait has been taken, the victim must be reeled in. The next step in these attacks fools the user into taking an action to propagate the threat, for example installing an app, downloading an update to your video software or clicking on a button to prove you're human. The attackers persuade their victims to infect themselves and spread the bait to everyone in their social circles. It must be stated that this is not just a Facebook issue; variations of these threats run on all social media platforms. The number of threats on each of these platforms is directly proportional to the number of users on these sites. It is not an indication of the security or safety of a site.
(Chart of what mobile malware does with your phone: Collect Data 28%, Track User 25%, Send Content 24%, Traditional Threats 16%, Change Settings 7%.)
Many companies are keen to adopt cloud computing. However, it is not without its risks.
- Lack of vendor validation: is the service reputable and secure?
- Can users easily transfer their data to another vendor should the need arise?
- Availability: public and private cloud providers depend on system availability, and strong service level agreements (SLAs) can help to promote high availability.
- Secure access control over company data stored on third-party systems: does the service offer control over how the data is stored and how it can be accessed?
- If the service is unavailable for any reason, the company may be unable to access its own data.
- Legal risks and liabilities that may arise as a result of vendor terms and conditions: always make sure the terms and conditions are clear and that service level performance can be monitored against the agreed SLAs.
- Security and compliance: the interfaces between users, endpoints and back-end systems all need to be secure, with appropriate levels of access control in place. Is data encrypted as it is transferred over the internet?
- Non-compliance with data protection regulations: for example, if the data is hosted overseas, from a European standpoint this could result in a breach of privacy legislation.

IT managers and CISOs can address these concerns by validating an approved list of cloud applications in the same way that they would authorize on-premise software. This needs to be backed up with the appropriate acceptable usage policies, employee training and, if necessary, enforcement using Web site access control technology. In addition, where employees access consumer sites for business use, such as using social networking services for marketing, companies need to protect users against potential attacks from Web-hosted malware and spam.
Spam In 2011
Despite a significant drop in email spam in 2011 (dropping to an average of 75.1% of all email in 2011 compared with 88.5% in 2010), spam continues to be a chronic problem for many organizations and can be a silent killer for smaller businesses, particularly if their email servers become overwhelmed by millions of spam emails each day. With the power of botnets, robot networks of computers infected with malware and under the control of cybercriminals, spammers can pump out billions of spam emails every day, clogging up company networks and slowing down communications. There were, on average, 42 billion spam messages a day in global circulation in 2011, compared with 61.6 billion in 2010.
In 2011, we saw spam, phishing and 419 scams exploit political unrest (e.g. the Arab spring), the deaths of public figures (e.g. Muammar Gadhafi, Steve Jobs and Amy Winehouse) and natural disasters (e.g. the Japanese tsunami). They are the same topics that newspapers cover and for the same reasons: they attract readers' attention. Unlike spam, phishing activity continued to rise (up to 0.33% or 1 in 298.0 of all email in 2011, from 0.23% or 1 in 442.1 in 2010). The proportion of phishing emails varied considerably by company size, with the smallest and largest companies attracting the most, but the proportion of spam was almost identical for all sizes of business.
Figure 11: Percentage Of Email Identified As Spam, 2011 (monthly, January 2010 to December 2011; Source: Symantec)
Figure 12: Spam by category, 2011 compared with 2010 (categories: pharmaceutical, watches/jewelry, sexual/dating, unsolicited newsletters, casino/gambling, diet/weight loss, malware, unknown/other, scams/fraud/419s, software; Source: Symantec.cloud)
Malware In 2011
By analyzing malicious code we can determine which threat types and attack vectors are being employed. The endpoint is often the last line of defense, but it can often be the first line of defense against attacks that spread using USB storage devices, insecure network connections and compromised, infected websites. Symantec's cloud-based technology and reputation systems can also help to identify and block new and emerging attacks that haven't been seen before, such as new targeted attacks employing previously unknown zero-day exploits. Analysis of malware activity trends, both in the cloud and at the endpoint, can help to shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Corresponding to their large internet populations, the United States, China and India remained the top sources for overall malicious activity. The overall average proportion of attacks originating from the United States increased by one percentage point compared with 2010, while the same figure for China decreased by approximately 10 percentage points compared with 2010. The United States was the number one source of all activities, except for malicious code and spam zombies, where India took first place. Around 12.6% of bot activity originated in the USA, as did 33.5% of web-based attacks, 16.7% of network attacks and 48.5% of phishing websites.
Website Malware
Drive-by attacks continue to be a challenge for consumers and businesses. They are responsible for hundreds of millions of attempted infections every year. This happens when users visit a website that is host to malware. It can happen when they click on a link in an email or a link from a social networking site, or they can visit a legitimate website that has, itself, been infected. Attackers keep changing their techniques and they have become very sophisticated. Badly-spelled, implausible email has been replaced by techniques such as clickjacking or likejacking, where a user visits a website to watch a tempting video and the attackers use that click to post a comment to all the user's friends on Facebook, thereby enticing them to click on the same malicious link. As a result, Facebook has implemented a Clickjacking Domain Reputation System that has eliminated the bulk of clickjacking attacks by asking a user to confirm a Like before it posts, if the domain is considered untrusted. Based on Norton Safe Web32 data (Symantec technology that scans the Web looking for websites hosting malware), we've determined that 61% of malicious sites are actually regular Web sites that have been compromised and infected with malicious code.
It is interesting to note that Web sites hosting adult/pornographic content are not in the top five, but ranked tenth. The full list can be seen in figure 16. Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free: it's not good for repeat business.
Figure 13: Average Number Of Malicious Web Sites Identified/Blocked Per Day, 2011 (monthly, 2011 compared with 2010; Source: Symantec)
In 2011, the Symantec VeriSign website malware scanning service33 scanned over 8.2 billion URLs for malware infection, and approximately 1 in 156 unique websites were found to contain malware. Websites with vulnerabilities are at more risk of malware infection, and Symantec began offering its SSL customers a website vulnerability assessment scan from October 2011. Between October and the end of the year, Symantec identified that 35.8% of websites had at least one vulnerability and 25.3% had at least one critical vulnerability.
Email-Borne Malware
The number of malicious emails as a proportion of total email traffic increased in 2011. Large companies saw the greatest rise, with 1 in 205.1 emails being identified as malicious for large enterprises with more than 2,500 employees. For small to medium-sized businesses with up to 250 employees, 1 in 267.9 emails were identified as malicious. Criminals disguise the malware hidden in many of these emails using a range of different attachment types, such as PDF files and Microsoft Office documents. Many of these data file attachments include malicious code that takes advantage of vulnerabilities in the parent applications, and at least two of these attacks have exploited zero-day vulnerabilities in Adobe Reader. Malware authors rely on social engineering to make their infected attachments more clickable. For example, recent attacks appeared to be messages sent from well-known courier and parcel delivery companies regarding failed deliveries. In another example, emails purported to contain attachments of scanned images sent from network-attached scanners and photocopiers. The old guidance about not clicking on unknown attachments is, unfortunately, still relevant. Moreover, further analysis revealed that 39.1% of email-borne malware comprised hyperlinks that referenced malicious code, rather than malware contained in an attachment. This is an escalation on the 23.7% figure in 2010, and a further indication that cybercriminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email-based to using the Web.
Figure 14: Ratio Of Malware In Email Traffic, 2011 (monthly, January 2010 to December 2011; Source: Symantec.cloud)
Polymorphic Threats
Polymorphic malware, or specifically server-side polymorphism, is the latest escalation in the arms race between malware authors and vendors of scanning software. The polymorphic technique works by constantly varying the internal structure or content of a piece of malware. This makes it much more challenging for traditional pattern-matching based anti-malware to detect. For example, by performing this function on a Web server, or in the cloud, an attacker can generate a unique version of the malware for each attack. In 2011, the Symantec.cloud email scanner frequently identified a polymorphic threat, Trojan.Bredolab, in large volumes. It accounted for 7.5% of all email malware blocked, equivalent to approximately 35 million potential attacks throughout the whole year. It used a range of techniques for stealth including server-side polymorphism, customized packers, and encrypted communications. Figure 15 below illustrates this rise in Bredolab polymorphic malware threats being identified using cloud-based technology. This chart shows detections for emails that contained a document-style attachment purporting to be an invoice or a receipt, and prompting the user to open the attachment.
Figure 15: Rise In Email-Borne Bredolab Polymorphic Attacks Per Month, 2011 (March to December; Source: Symantec.cloud)
Figure 16: Categories of compromised Web sites hosting malware, 2011 (categories shown include Blogs/Web Communications, Business/Economy, Shopping, Education/Reference, Automotive and, ranked tenth, Pornography; Source: Symantec)
Exploiting The Web: Attack Toolkits, Rootkits And Social Networking Threats
Attack toolkits, which allow criminals to create new malware and assemble an entire attack without having to write the software from scratch, account for nearly two-thirds (61%) of all threat activity on malicious websites. As these kits become more widespread, robust and easier to use, this number is expected to climb. New exploits are quickly incorporated into attack kits. Each new toolkit version released during the year is accompanied by increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see increased use of it in the wild, making as much use of the new exploits as possible until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year. On average, attack toolkits contain around 10 different exploits, mostly focusing on browser-independent plug-in vulnerabilities such as Adobe Flash Player, Adobe Reader and Java. Popular kits can be updated every few days and each update may trigger a wave of new attacks. They are relatively easy to find and are sold on the underground black market and web forums. Prices range from $40 to $4,000.
Figure 17 (Source: Symantec)
Rootkits
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality. Rootkits have been around for some time (the Brain virus was the first identified rootkit to employ these techniques on the PC platform in 1986) and they have increased in sophistication and complexity since then. Rootkits represent a small percentage of attacks but they are a growing problem and, because they are deeply hidden, they can be difficult to detect and remove. The current frontrunners in the rootkit arena are Tidserv, Mebratix, and Mebroot. These samples all modify the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded. Variants of Downadup (aka Conficker), Zbot (aka ZeuS), as well as Stuxnet all use rootkit techniques to varying degrees. As malicious code becomes more sophisticated, it is likely that its authors will increasingly turn to rootkit techniques to evade detection and hinder removal. As users become more aware of malicious code that steals confidential information and competition among attackers increases, it is likely that more threats will incorporate rootkit techniques to thwart security software.
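As an added example (not code from the Symantec report), a defender-side baseline check for the 512-byte master boot record that MBR rootkits overwrite: it validates the 0x55AA boot signature, parses the partition table and compares a hash of the bootstrap code area against a known-good baseline. The MBR bytes, disk signature and partition layout below are constructed sample data, not a real disk image.

```python
"""MBR integrity check: added example, not part of the original report.

An MBR rootkit replaces the bootstrap code in the first sector so that it runs
before the operating system.  A simple defence is to record a hash of that
code area on a known-clean system and compare it on every check.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446           # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR (constructed sample data, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF)   # constructed disk signature, bytes 440..443
    reserved = b"\x00\x00"                     # bytes 444..445
    # One bootable (0x80) NTFS-type (0x07) entry starting at LBA 2048, 1,000,000 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)         # remaining three entries unused
    return code + disk_sig + reserved + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Validate the signature and return the boot-code hash plus partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 bytes CHS start (skipped), type, 3 bytes CHS end (skipped), LBA, count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:                         # type 0 means an empty entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the known-good baseline."""
    findings = []
    info = parse_mbr(mbr)
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible MBR tampering)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition flagged")
    return findings


# Constructed "known-clean" boot code: a short jump followed by a NOP, padded with zeros.
SAMPLE_BOOT_CODE = b"\xeb\x3c\x90" + b"\x00" * 29
# The baseline would normally be recorded once on a trusted system and stored off-host.
BASELINE_SHA256 = parse_mbr(build_sample_mbr(SAMPLE_BOOT_CODE))["boot_code_sha256"]

if __name__ == "__main__":
    clean = build_sample_mbr(SAMPLE_BOOT_CODE)
    tampered = build_sample_mbr(b"\x90" * 16)   # different boot code: simulated overwrite
    print("clean:", check_mbr(clean, BASELINE_SHA256))         # prints []
    print("tampered:", check_mbr(tampered, BASELINE_SHA256))   # reports boot code mismatch
```

On a live Windows system the 512 bytes would be read from the raw physical drive (an administrator-only operation) rather than constructed; the parsing and comparison logic is unchanged.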
by friends. More than half of all attacks identified on social networking Web sites were related to malware hosted on compromised Blogs/Web Communications Web sites. This is where a hyperlink for a compromised Web site was shared on a social network. It is also increasingly used for sending spam messages for the same reasons. All social media platforms are being exploited and in many different ways. But Facebook, as the most popular, provides some excellent examples of how social engineering flourishes in social media. Criminals take advantage of people's needs and expectations. For example, Facebook doesn't provide a dislike button or the ability to see who has viewed your profile, so criminals have exploited both concepts.
A vulnerability is a weakness, such as a coding error or design flaw, that allows an attacker to compromise the availability, confidentiality, or integrity of a computer system. Early detection and responsible reporting help to reduce the risk that a vulnerability might be exploited before it is repaired.
Number Of Vulnerabilities
We identified 4,989 new vulnerabilities in 2011, compared to 6,253 the year before. (See Appendix D for more historical data and details on our methodology.) Despite this decline, the general trend over time is still upward and Symantec discovered approximately 95 new vulnerabilities per week.
Figure 18: New vulnerabilities identified per year, 2006 to 2011 (Source: Symantec)
Year  Vulnerabilities
2006  4,842
2007  4,644
2008  5,562
2009  4,814
2010  6,253
2011  4,989
Figure 19: Browser Vulnerabilities In 2010 And 2011 (browsers shown include Opera)
- They are cheaper to attack. Criminals have to pay a premium on black market exchanges40 for information about newer vulnerabilities, but they can buy malware off the shelf to target old ones.
- Attacking newer vulnerabilities may attract more attention than going after older, well-known weaknesses. Some online criminals prefer a lower profile.
- There is still a large pool of potential victims because a proportion of the user base can't, won't or don't install patches or install a current and active endpoint security product.
Figure 20: Breakdown by type, 2011 compared with 2010 (categories shown include ActiveX; totals 308 and 346; Source: Symantec)
A wise man once said, "Never make predictions, especially about the future." Well, this report has looked back at 2011, but in the conclusion we'd like to take a hesitant peek into the future, projecting the trends we have seen into 2012 and beyond.
- Targeted attacks and APTs will continue to be a serious issue and the frequency and sophistication of these attacks will increase.
- ... and exploits developed for targeted attacks will trickle down to the broader underground economy and be used to make regular malware more dangerous.
- Malware authors and spammers will increase their use of social networking sites still further.
- The CA/Browser Forum42 will release additional security standards for companies issuing digital certificates to secure the internet trust model against possible future attacks.
- Consumerization and cloud computing will continue to evolve, perhaps changing the way we do business and forcing IT departments to adapt and find new ways to protect end users and corporate systems.
- Malware authors will continue to explore ways to attack mobile phones and tablets and, as they find something effective and money-making, they will exploit it ruthlessly.
- In 2011, malicious code targeting Macs was in wider circulation as Mac users were exposed to websites that were able to drop trojans. This trend is expected to continue through 2012 as attack code exploiting Macs becomes more integrated with the wider web-attack toolkits.
- While external threats will continue to multiply, the insider threat will also create headlines, as employees act intentionally and unintentionally to leak or steal valuable data.
- The foundation for the next Stuxnet-like APT attack may have already been laid. Indeed, Duqu may have been the first tremors of a new earthquake, but it may take longer for the aftershock to reach the public domain.
- Intrusion prevention that protects against unpatched vulnerabilities from being exploited, protects against social engineering attacks and stops malware from reaching endpoints;
- Browser protection for protection against obfuscated Web-based attacks;
- Cloud-based malware prevention to provide proactive protection against unknown threats;
- Consider File and Web-based reputation solutions that provide a risk-and-reputation rating of any application and Web site to prevent rapidly mutating and polymorphic malware;
- Behavioral prevention capabilities that look at the behavior of applications and malware and prevent malware;
- Application control settings that can prevent applications ...
- ... control settings that prevent and limit the types of USB devices to be used.
- Always On SSL;
- Scanning your website daily for malware;
- Regularly assessing your website for vulnerabilities;
- Choosing SSL Certificates with Extended Validation to display the green browser address bar to website users;
- Displaying recognized trust marks in highly visible locations on your website to inspire trust and show customers your commitment to their security.
- Make sure to get your digital certificates from an established, trustworthy certificate authority who demonstrates excellent security practices.
Protect your private keys: Implement strong security practices to secure and protect your private keys, especially if you use digital certificates. Symantec recommends that organizations:
- Use separate Test Signing and Release Signing infrastructures,
- Store keys in secure, tamper-proof, cryptographic hardware devices, and
- Implement physical security to protect your assets from theft.
Ensure That You Have Infection And Incident Response Procedures In Place:
- Ensure that you have your security vendor's contact information, know who you will call, and what steps you will take if you have one or more infected systems;
- Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of a successful attack or catastrophic data loss;
- Make use of post-infection detection capabilities from Web gateway, endpoint security solutions and firewalls to identify infected systems;
- Isolate infected computers to prevent the risk of further infection within the organization;
- If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied;
- Perform a forensic analysis on any infected computers and restore those using trusted media.
- Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses;
- Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;
- Do not click on shortened URLs without previewing or expanding them first using available tools and plug-ins;
- Recommend that users be cautious of information they provide on social networking solutions that could be used to target them in an attack or trick them into opening malicious URLs or attachments;
- Be suspicious of search engine results and only click through to trusted sources when conducting searches, especially on topics that are hot in the media;
- Deploy Web browser URL reputation plug-in solutions that display the reputation of Web sites from searches;
- Only download software (if allowed) from corporate shares or directly from the vendor's Web site;
- If Windows users see a warning indicating that they are infected after clicking on a URL or using a search engine (fake antivirus infections), have users close or quit the browser using Alt-F4, CTRL+W or the task manager.
- Advise users to make sure they are using a modern browser and operating system and to keep their systems current with security updates.
- Instruct users to look for a green browser address bar, HTTPS, and trust marks on any websites where they login or share any personal information.
- Antivirus (file and heuristic based) and malware behavioral prevention can prevent unknown malicious threats from executing;
- Bidirectional firewalls will block malware from exploiting potentially vulnerable applications and services running on your computer;
- Intrusion prevention to protect against Web-attack toolkits, unpatched vulnerabilities, and social engineering attacks;
- Browser protection to protect against obfuscated Web-based attacks;
- Reputation-based tools that check the reputation and trust of a file and Web site before downloading;
- URL reputation and safety ratings for Web sites found through search engines;
- Consider options for implementing cross-platform parental controls, such as Norton Online Family43.
- Free, cracked or pirated versions of software can also contain malware or include social engineering attacks that include programs that try to trick you into thinking your computer is infected and getting you to pay money to have it removed.
- Be careful which Web sites you visit on the Web. While malware can still come from mainstream Web sites, it can easily come from less reputable Web sites sharing pornography, gambling and stolen software.
- Read end-user license agreements (EULAs) carefully and understand all terms before agreeing to them, as some security risks can be installed after an end user has accepted the EULA or because of that acceptance.
Keep Up To Date:
Keep virus definitions and security content updated at least daily if not hourly. By deploying the latest virus definitions, you can protect your computer against the latest viruses and malware known to be spreading in the wild. Update your operating system, Web browser, browser plug-ins, and applications to the latest updated versions using the automatic updating capability of your programs, if available. Running out-of-date versions can put you at risk from being exploited by Web-based attacks.
- Ensure that passwords are a mix of letters and numbers, and change them often. Passwords should not consist of words from the dictionary. Do not use the same password for multiple applications or Web sites. Use complex passwords (upper/lowercase and punctuation) or passphrases.
- Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends. Do not blindly click on shortened URLs without expanding them first using previews or plug-ins.
- Do not click on links in social media applications with catchy titles or phrases, even from friends. If you do click on the URL, you may end up "liking" it and sending it to all of your friends even by clicking anywhere on the page. Close or quit your browser instead.
- Use a Web browser URL reputation solution that shows the reputation and safety rating of Web sites from searches. Be suspicious of search engine results; only click through to trusted sources when conducting searches, especially on topics that are hot in the media.
- Be suspicious of warnings that pop up asking you to install media players, document viewers and security updates; only download software directly from the vendor's Web site.
- Do not disclose any confidential personal or financial information unless and until you can confirm that any request for such information is legitimate.
- Review your bank, credit card, and credit information frequently for irregular activity. Avoid banking or shopping online from public computers (such as libraries, Internet cafes, etc.) or from unencrypted Wi-Fi connections.
- Use HTTPS when connecting via Wi-Fi networks to your email, social media and sharing Web sites. Check the settings and preferences of the applications and Web sites you are using.
- Look for the green browser address bar, HTTPS, and recognizable trust marks when you visit websites where you login or share any personal information.
- Configure your home Wi-Fi network for strong authentication and always require a unique password for access to it.
More Information
- Symantec.cloud
- Symantec Internet Security Threat Report Resource Page: http://www.symantec.com/threatreport/
- Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
- Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/
About Symantec
Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.
Endnotes
1 NB. This figure includes attack data from Symantec.cloud for the first time. Excluding these figures for comparison with 2010, the total figure would be 5.1 billion attacks.
2 Gartner Press Release, "Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles", November 8, 2011. http://www.gartner.com/it/page.jsp?id=1842615
3 https://otalliance.org/resources/AOSSL/index.html
4 http://www.nortoncybercrimeindex.com/
5 http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
6 http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
7 http://www.cabinetoffice.gov.uk/sites/default/files/resources/WMS_The_UK_Cyber_Security_Strategy.pdf
8 http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon-cost-of-a-data-breach-2011
9 2011 Cost of Data Breach Study: United Kingdom, Ponemon Institute, March 2012
10 Certificate Authority hacks (Comodohacker), breaches & trust revocations in 2011: Comodo (2 RAs hacked), https://www-secure.symantec.com/connect/blogs/how-avoid-fraudulent-ssl, http://www.thetechherald.com/articles/InstantSSL-it-named-as-source-of-Comodo-breach-by-attacker/13145/
11 http://www.theregister.co.uk/2011/05/24/comodo_reseller_hacked/
12 StartCom attacked, http://www.internet-security.ca/internet-security-news-archives-031/security-firm-start-sslsuffered-a-security-attack.html, http://www.informationweek.com/news/security/attacks/231601037
13 http://www.theregister.co.uk/2011/09/06/diginotar_audit_damning_fail/
14 DigiNotar breached & put out of business, https://www-secure.symantec.com/connect/blogs/why-your-ca-matters, https://www-secure.symantec.com/connect/blogs/diginotar-ssl-breach-update, http://www.arnnet.com.au/article/399812/comodo_hacker_claims_credit_diginotar_attack/, http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached.ars, http://www.darkreading.com/authentication/167901072/security/attacks-breaches/231600865/comodo-hacker-takes-credit-for-massive-diginotar-hack.html, http://www.pcworld.com/businesscenter/article/239534/comodo_hacker_claims_credit_for_diginotar_attack.html
15 Attacks & academic proof of concept demos: BEAST (http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html) and TLS 1.1/1.2, THC-SSL-DOS, LinkedIn SSL Cookie Vulnerability (http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/)
16 http://www.itproportal.com/2011/09/13/globalsign-hack-was-isolated-server-business-resumes/
17 http://www.theregister.co.uk/2011/09/07/globalsign_suspends_ssl_cert_biz/
18 http://www.pcworld.com/businesscenter/article/239639/dutch_government_struggles_to_deal_with_diginotar_hack.html
19 http://www.theregister.co.uk/2011/11/03/certificate_authority_banished/
20 https://otalliance.org/resources/AOSSL/index.html
21 http://blog.facebook.com/blog.php?post=486790652130
22 http://blog.twitter.com/2011/03/making-twitter-more-secure-https.html
23 http://www.symantec.com/connect/blogs/launch-always-ssl-and-firesheep-attacks-page
24 Symantec-sponsored consumer web survey of internet shoppers in the UK, France, Germany, Benelux, the US, and Australia in December 2010 and January 2011 (Study conducted March 2011).
25 http://www.symantec.com/about/news/release/article.jsp?prid=20111129_01
26 http://www.symantec.com/connect/blogs/protecting-digital-certificates-everyone-s-responsibility/
27 http://www.enisa.europa.eu/act/it/library/deliverables/dbn/at_download/fullReport
28 http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/
29 AMD 2011 Global Cloud Computing Adoption, Attitudes and Approaches Study, http://www.slideshare.net/AMDUnprocessed/amd-cloud-adoption-approaches-and-attitudes-research-report
30 Appendix C: Spam and Fraud Activity Trends
31 http://www.symanteccloud.com/en/gb/mlireport/MLI_2011_05_May_FINAL-en.pdf
32 For more information on Norton Safe Web, please visit http://safeweb.norton.com
33 For more information on the Symantec website vulnerability assessment service: http://www.symantec.com/theme.jsp?themeid=ssl-resources
34 Further information can be found in Appendix C: Spam and Fraud Activity Trends
35 http://krebsonsecurity.com/tag/weyland-yutani-bot/
36 For more on Stuxnet see: http://www.symantec.com/connect/blogs/hackers-behind-stuxnet and http://www.youtube.com/watch?v=cf0jlzVCyOI
37 CVE-2008-4250. See http://www.securityfocus.com/bid/31874
38 61.2 million attacks were identified against the Microsoft Windows RPC component in 2011, and were mostly using the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). See http://www.securityfocus.com/bid/31874
39 Appendix D: Vulnerability Trends: Figure D.3
40 See http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html
41 CVE-2011-2462. See Adobe Security Advisory: http://www.adobe.com/support/security/advisories/apsa11-04.html. Attack volume data from Symantec.cloud between 1 December 2011 and 16 December 2011.
42 http://www.cabforum.org/
43 For more information about Norton Online Family, please visit https://onlinefamily.norton.com/
Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. Symantec makes this document available AS-IS, and makes no warranty as to its accuracy or use. The information contained in this document may include inaccuracies or typographical errors and may not reflect the most current developments, and Symantec does not represent, warrant, or guarantee that it is complete, accurate, or up-to-date, nor does Symantec offer any certification or guarantee with respect to any opinions expressed herein or any references provided. Changing circumstances may change the accuracy of the content herein. Opinions presented in this document reflect judgment at the time of publication and are subject to change. Any use of the information contained in this document is at the risk of the user. Symantec assumes no responsibility for errors, omissions, or damages resulting from the use of or reliance on the information herein. Symantec reserves the right to make changes at any time without prior notice.
For specific country offices and contact numbers, please visit our website. For product information in the U.S., call toll-free 1 (800) 745 6054.
Symantec Corporation World Headquarters 350 Ellis Street Mountain View, CA 94043 USA +1 (650) 527 8000 1 (800) 721 3934 www.symantec.com
Copyright 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, and the Checkmark logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 04/12 21239364