NEWS
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Fax: +44 (0)1865 843973. Web: www.networksecuritynewsletter.com
Publisher: Greg Valero
Editor: Steve Mansfield-Devine
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas
Network Security
...Continued from front page
leaders, Prime Minister Vladimir Putin and President Dmitry Medvedev, have seen their popularity significantly diminished. Amid claims of election violations, many popular media sites, including those belonging to radio station Ekho Moskvy (Moscow Echo) and news portal Slon.ru, came under what appeared to be a co-ordinated DDoS attack. Also targeted was the LiveJournal service, the most popular blogging platform in Russia, and the site of the election monitoring group Golos. It has also been reported that certain organisations were targeted by automated telephone diallers that blocked switchboards with calls that played a woman’s voice.

“There is the feeling that the Central Election Commission, the prosecutors, and the hackers are acting together,” said Maxim Kashulinsky, general director of Slon.ru, to the Euronews news service. Many of those protesting – and blogging – about the alleged election violations were in no doubt that the aim of the attacks was to silence complaints.

Naturally, bloggers and activists took to social media, particularly Twitter, to voice their opinions. But they were drowned out by thousands of Twitter accounts, apparently created before the elections. These have been sending floods of automated anti-protest or pro-Kremlin messages using the #Триумфальная (Triumfalnaya) hashtag adopted by the protesters. They have also been flooding Twitter streams with messages carrying other hashtags and keywords used by protesters. TrendLabs noted that these accounts had previously been dormant for months.

In South Korea there’s a brewing controversy over an alleged DDoS attack during elections in October. The country’s cyber-terrorism police have arrested a 27-year-old IT professional. Identified only by his last name, Gong worked for a member of the Government and is alleged to have masterminded a DDoS attack on a National Election Commission website, taking down the part of it that helped people locate voting centres. This, it’s claimed, particularly affected young people, who tend to vote on their way to work and who slightly favour the opposition parties.

Three top leaders have resigned their posts from the Government over the affair. But many questions remain over whether the attack actually happened: other parts of the targeted site were unaffected, suggesting technical failure rather than a DDoS attack.

Meanwhile, the FBI has warned that cyber-criminals are increasingly using DDoS attacks as a cover for other fraudulent activity. The crooks attempt to take over corporate accounts using a version of the Zeus banking trojan dubbed ‘Gameover’. As soon as the criminals have moved a company’s money out of its bank account, they DDoS the firm to prevent employees accessing online banking and discovering the theft.

Finally, Paul Sop of DDoS mitigation firm Prolexic has said that attackers are now directly targeting mitigation technologies. High-packet-per-second SYN and ICMP floods are being used to overwhelm the processing capacity of on-premise equipment designed to protect against DDoS. For more about DDoS attacks and mitigation, see page 5.
Security message fails to get through
Recent reports suggest that the message about security is not getting through to everyone.

Symantec has carried out a survey of Small and Medium-size Businesses (SMBs) and found that half believe they will never be the victims of targeted cyber-attacks and are failing to implement even basic Internet safeguards. It’s not necessarily an awareness problem: more than half are familiar with key threats such as targeted attacks, keystroke logging and the risks of using smartphones for company business. Some 54% said that malware would cause a loss of productivity; 36% understood that hackers could gain access to proprietary information; 46% stated that a targeted attack would cause a revenue loss; and 20% said it would drive customers away.

Yet half of the firms felt they would not come under direct attack because they believed themselves to be too small to be of interest to cyber-criminals. Yet, according to data from Symantec.cloud, since the beginning of 2010, 40% of all targeted attacks have been directed at companies with fewer than 500 employees, compared to only 28% directed at large enterprises. In a separate report, Symantec has noted that targeted attacks increased four-fold over the course of 2011 – the firm said it blocked 94 attacks a day in November compared to 25 in January. In November, one in 255 emails contained malware but only one in 8,300 comprised a targeted attack.

When it comes to protecting themselves, while two-thirds restrict who has login information, 63% don’t secure machines used for online banking and 9% don’t take any additional precautions for online banking. More than half (61%) don’t use anti-virus on all desktops, and 47% don’t use security on mail servers/services. Symantec’s ‘SMB Threat Awareness Poll’ is here: .

Meanwhile, Kaspersky Lab says that fewer than a third (31%) of UK employees are properly informed about IT security risks that could affect them professionally. “Today malware is often highly sophisticated,” said David Emm, senior security researcher at Kaspersky Lab. “In spite of this, cyber-criminals often seek to exploit human weaknesses to spread their code. This should come as no surprise, so it is concerning to see the low level of awareness regarding potential IT security threats.” In addition to establishing clear rules for the use of IT, Kaspersky emphasises that firms need to regularly inform employees about new IT threats and hold regular training workshops to teach small groups of employees how to use IT securely.
Big boost in cybersecurity spending
The global cyber-security market was worth $60bn in 2011, according to analysts PwC, with the UK accounting for £3bn of that. And it’s expected to keep growing at 10% for the next three to five years.
At the same time, the market is undergoing rapid change. In its report, ‘PwC Cyber Security M&A: Decoding deals in the global cyber security industry’, PwC says it’s a highly fragmented market and, coupled with the growth potential created by the burgeoning number of threats, this has prompted a sharp increase in mergers and acquisitions. Total deal activity since 2008 has exceeded $22bn globally, and in the first half of 2011 there were 37 deals worth more than $10bn, a 70% increase compared to the whole of 2010. Since 2008, the total investment in global cyber-security deals has exceeded $22 billion, an average of over $6 billion in each year. And the top 10 deals over the past three years feature only UK and US companies.

“Technology and IT companies are making acquisitions to differentiate their offerings while defence firms continue to do deals to diversify away from shrinking defence budgets,” said Barry Jaber, PwC’s UK-based security industry leader.

In most regions, the private sector accounts for the majority of cyber-security spending, with the notable exception of the US where the Government is spending almost as much as the private sector. This is due to a strong US technology industry and high defence and intelligence budgets. “Growing threats and awareness, and changes in technology such as mobile devices and cloud computing are key drivers of spending growth in the cybersecurity market,” added Jaber. “This will underpin future deal activity.”

Other key drivers underpinning growth in cyber-security spending include:
• Increasing threats, both from new actors and new threat vectors.
• Greater vulnerabilities due to the more pervasive use of technology, particularly mobile devices and cloud computing.
• Increasing awareness by organisations and consumers of the threats and potential threats.
• Increasing regulation, including a greater requirement to secure personal data.
• Changes in outsourcing; some organisations are increasingly relying on partners for security, while others are growing internal security spending to maintain greater levels of control.
EVENTS CALENDAR

January 5–6 2012: ICNCS 2012 (International Conference on Networks and Cyber Security), Vijayawada, India. Website: www.icncs.srkit.in/

January 20–25 2012: SANS DoD Cybercrime 2012, Atlanta, US. Website: http://www.sans.org/info/89774

January 21–29 2012: SANS North American SCADA 2012, Florida, US. Website: www.sans.org/info/85569

January 24–27 2012: Cyber Defence and Network Security 2012, London, UK. Website: www.cdans.org

January 30–February 4 2012: SANS Monterey 2012, Monterey, US. Website: http://www.sans.org/info/85574

20–23 February 2012: HITBGSEC (Hack in the Box Global IT Security Conference), Mumbai, India. Website: conference.hitb.org/

27 February–March 2, 2012: RSA Conference 2012, San Francisco, California, US. Website: http://bit.ly/rsa2012conf

14–16 March 2012: Black Hat Europe. Website: http://www.blackhat.com/html/bh-eu-12/bh-eu-12-home.html

24–26 April 2012: Infosecurity Europe, London, UK. Website: www.infosec.co.uk/
December 2011