Volume 5, Number 10 -- March 11, 2008

Surf's Up for Web-Based Organized Crime, IBM X-Force Says

Published: March 11, 2008

by Alex Woodie

If you've noticed that attempts to steal your identity and your money on the Web have grown more sophisticated in recent months, you're not alone. In its analysis of thousands of attacks, IBM's X-Force security group confirmed that the underground criminal economy made a lot of headway last year in its quest to exploit software and human vulnerabilities in pursuit of ill-gotten gains off the Net.

In its annual report on the state of information security, the X-Force team at Internet Security Systems (ISS) describes the trends shaping security for 2007, and what managers, administrators, and programmers should look for as they work to minimize their exposure for 2008. The group relies heavily on statistics to prove its point, and the report is chock full of statistics of all shapes and sizes.

But the most surprising statistic concerns software vulnerabilities. During 2007, the number of newly reported vulnerabilities actually decreased compared to the previous year, the first time in modern history (read: since 2000) that's happened. The 6,437 vulnerabilities reported last year corresponded with a 5 percent decline from 2006, following two years of 40 percent growth in vulnerabilities, according to X-Force.

X-Force said the drop could represent "an anomaly, a statistical correction, or a new trend in the amount of disclosures." Compared to the historical norm of 27 percent growth in new vulnerabilities each year (according to X-Force), perhaps the market could not sustain the pace set during the vulnerability bubble years of 2005 and 2006. Despite the overall drop in vulnerabilities, the number of critical "high priority" vulnerabilities increased by about 28 percent in 2007. However, that, too, could reflect a market correction, as 2006 was a slow year for critical vulnerabilities, in relative terms. Critical vulnerabilities accounted for about 22 percent of all vulnerabilities in 2007. Compared to years from 2000 to 2004, when critical vulnerabilities accounted for about 35 percent of all flaws, the Internet today is awash in low-to-mid-grade vulnerabilities.

So, if overall vulnerabilities are down, and high impact vulnerabilities are trending below historical averages, what's the big fuss over Internet security? If there are fewer critical vulnerabilities, isn't the Net becoming safer?

No way, according to X-Force. For one thing, only half of the vulnerabilities discovered can even be patched, the group says. And while Microsoft takes a lot of heat for its highly public flaws, it only accounted for 3.7 percent of all vulnerabilities reported in 2007. The five vendors responsible for the most vulnerabilities--Microsoft, Apple, Oracle, IBM, and Cisco, in decreasing order--accounted for only 13.6 percent of all the vulnerabilities in 2007, reflecting a healthy diversity in the market for security flaws.

Vulnerabilities may be decreasing, but the criminal underworld is making better use of them. A big reason for this is the increasing popularity of exploit toolkits, which are applications sold on the black market that allow even the least sophisticated criminals to launch attacks on people's Web browsers and steal their information. While X-Force says the total number of toolkit-using pirates on the Web is unknown (they're increasingly using "obfuscation" techniques to camouflage their activities), several finds on online file storage sites lead it to suspect that exploit toolkit piracy is widespread.

These toolkits are able to run through several routines before finding an unpatched vulnerability on a person's Web browser, which means being protected from the latest critical bug in Firefox or IE doesn't guarantee protection. You have to be protected from ALL vulnerabilities, including old ones and ones that haven't been disclosed publicly yet. With thousands of vulnerabilities to choose from, the law of large numbers tips the balance heavily in favor of the pirates, who only have to find one unpatched vulnerability to have their way with your computer from their secure, undisclosed location.

While the number of vulnerabilities is down, the amount of malware polluting the Internets is way up. X-Force analyzed 410,000 new malware samples during 2007, a 30 percent increase over 2006. Trojans saw a big comeback in 2007 compared to 2006, which was "the year of the drive-by downloader."

But just as the Internet's upstanding citizens are promoting "mash-ups" using Web 2.0 technologies, so, too, are the Net's denizens of evil getting creative with their programming. "The classic categories of virus, worm, spyware, and backdoor are becoming largely irrelevant. Modern malware is now the digital equivalent of the Swiss Army knife," X-Force writes.

Last year's big breadwinner for the Web's underworld, the Storm Worm, was a good example of this creativity at work, says Kris Lamb, operations manager for research and development at ISS. "The Storm Worm provides a microcosm of the kinds of threats users faced in 2007," he says. "All in all, the exploits used to spread Storm Worm are a blend of the various threats tracked by X-Force, including spam, phishing, and drive-by-downloads by way of Web browser exploitation."

On the bright side, X-Force reports that spam was way down in 2007, largely due to a sudden decrease in image-based spam during the second quarter. Spammers attempted to fill the void with PDF- and MP3-based spam, but these ultimately failed, and spammers gave up on them, according to X-Force, which said it could be considered "a win for the security industry." The only meaningful statistic that X-Force had regarding phishing was that phishing represents about 1 percent of spam.

While spam is on the run, security professionals should be careful to keep up the vigilance. The Internet continues to attract criminals, con artists, and ne'er-do-wells like flies to excrement, and will continue to do so for some time.

"Never before have such aggressive measures been sustained by Internet attackers towards infection, propagation, and security evasion," Lamb says. "While computer security professionals can claim some victories, attackers are adapting their approaches and continuing to have an impact on users' experiences."


Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Kevin Vandever,
Shannon O'Donnell, Victor Rozek, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
