2006 Year in Review for Information Security: January Recap
Summary: We are bombarded with so much information, it can be hard to keep track of the important trends in IT Security. This article, the first of a series of 12, is primarily based on the “Top of the News” from SANS NewsBites. The idea is to review some of the most important stories from 2006 to make sure we are grounded with the knowledge we need as we move into the future.
NOTE: this is not just a rehash of NewsBites; I have taken the time to research additional information to bring the stories to closure.
The dominant trends in information security in January 2006 are:
Crime continues to increase
Deterrence, people who do bad things actually got caught
Security keeps becoming a harder and harder problem
Data Records, many companies lost data
Privacy Government vs. Citizen's needs
The governments of the world are still passing legislation to help us
The government is struggling with IT and IT security
The patch of the month
I tried to follow up on this. The survey is based on data from The Internet Crime Complaint Center (IC3) and I have a call in to their press department. If we get further information about a 2006 survey we will update this article.
The Financial Services Authority (FSA) in the United Kingdom has called on banks to increase security measures to protect customer accounts. FSA reports that online bank fraud tripled in the first half of 2005 compared with the same period in 2004. Lloyds issued 30,000 security devices to customers in a pilot project.
A federal judge has ordered Christopher William Smith to pay America Online (AOL) more than US$5 million in damages and legal fees for sending billions of spam messages advertising fake drugs. AOL filed a lawsuit against Smith in 2004 under the CAN-SPAM Act. Smith is also awaiting trial on criminal charges of violating federal drug laws.
In November 2006, he was convicted of illegally selling drugs over the internet and faces a mandatory sentence of 20 years.
ChoicePoint consumer record database security breach by Nigerian national Olatunji Oluwatosin led to massive data theft that compromised the personal data of 145,000 people. Oluwatosin will be sentenced on February 10, 2006; he is already serving a 16-month prison term for an earlier felony count of identity theft. Where did ChoicePoint get all that data? From public records such as court rulings, driver records and real estate details, as well as credit bureaus.
March - ChoicePoint must pay fines of US$15 million, the largest civil penalty in US history. US$10 million is an FTC fine, the additional US$5 million is designated for customer compensation. Under the terms of the settlement, ChoicePoint must also undergo independent security audits every two years until 2026. The US Securities and Exchange Commission (SEC) is looking into share trades made by ChoicePoint CEO Derek V. Smith and COO Doug Curling both of whom allegedly made considerable profits in the months following their knowledge of the security breach but before it became public.
An Australian court has ordered Brad Norrish and Chesley Rafferty to pay AU$2.3 million (US$1.72 million) in damages and legal fees for running a domain registration scam that targeted as many as 50,000 UK website owners. They obtained the owners' contact data using the whois service, then sent notices to the owners telling them their domains needed to be renewed. Norrish declared bankruptcy.
Robert Kramer, the owner of an Iowa-based Internet services company, has been awarded a US$11.2 billion judgment against spammer James McCalla who is also prohibited from accessing the Internet for three years. Kramer is some sort of anti-spam superhero figure, who previously won $1bn against Cash Link Systems, AMP Dollar Savings and TEI Marketing Group.
Fortunately, the SANS SCORE project has posted a checklist and the Center for Internet Security has a benchmark for 8 and 9 as well.
The destructive worm of the month for January 2006 was clearly "Blackworm" or more correctly, CME 24. It infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.
The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]'). CME-24 makes infected computers visit an online counter; the ISP is monitoring the counter traffic and sending warnings to users whose computers visit the counter website. CME-24 carries a malicious payload; on February 3, it is programmed to destroy files on infected PCs.
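Because the payload replaces document content with a fixed string, the damage is easy to triage after the fact: walk a file share, pick out files with the targeted extensions, and check whether their content has been replaced by the marker. The script below is an added example written for this article, not code from the original recap or from any of the sources it cites. It assumes that a damaged file begins with the quoted marker (the page does not say whether the string is written once or repeated), and the sample directory tree it scans is constructed inline so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Extensions the page lists as targets of the February 3 overwrite.
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
    ".rar", ".pdf", ".psd", ".dmp", ".zip",
}

# The replacement content quoted on the page. Assumption for this example:
# a damaged file starts with this marker.
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path: Path) -> bool:
    """True if the file's leading bytes are exactly the overwrite marker."""
    try:
        with path.open("rb") as fh:
            head = fh.read(len(OVERWRITE_MARKER))
    except OSError:
        return False
    return head == OVERWRITE_MARKER


def find_damaged_files(root) -> list:
    """Walk `root` and return paths of targeted file types that carry the marker.

    Intact documents are not reported, and neither are marker-bearing files
    with non-targeted extensions, so the result is a restore-from-backup list
    rather than a blanket listing of everything on the share."""
    damaged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() in TARGET_EXTENSIONS and is_overwritten(path):
                damaged.append(path)
    return sorted(damaged)


def summarize_by_extension(paths) -> dict:
    """Count damaged files per extension for a quick impact report."""
    counts = {}
    for p in paths:
        ext = p.suffix.lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def build_sample_tree(root) -> None:
    """Constructed sample data: a few intact and a few overwritten files."""
    root = Path(root)
    (root / "reports").mkdir(parents=True, exist_ok=True)
    # Overwritten documents of targeted types
    (root / "budget.xls").write_bytes(OVERWRITE_MARKER)
    (root / "reports" / "q4.doc").write_bytes(OVERWRITE_MARKER)
    (root / "reports" / "archive.zip").write_bytes(OVERWRITE_MARKER)
    # Intact PDF: real header, not the marker
    (root / "notes.pdf").write_bytes(b"%PDF-1.4\n%intact sample\n")
    # Marker inside a non-targeted file type: deliberately not reported
    (root / "readme.txt").write_bytes(OVERWRITE_MARKER)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the findings
    (paths relative to the root) plus per-extension counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        damaged = find_damaged_files(tmp)
        return {
            "files": [p.relative_to(tmp).as_posix() for p in damaged],
            "counts": summarize_by_extension(damaged),
        }


if __name__ == "__main__":
    result = run_demo()
    for name in result["files"]:
        print("damaged:", name)
    print(result["counts"])
```

Run against a real share, `find_damaged_files` replaces the temporary directory with the mount point; the per-extension counts are the figure the article wishes it had for the February 3 trigger, at least for one organisation.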
[Guest Editor's Notes: Ed Skoudis points us to the new Common Malware Enumeration Site for a list of all the names of this beast:
According to CAIDA, between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem virus between 23:40:54 UTC on January 15, 2006 and 05:00:12 UTC on Wednesday, February 1.
The most amazing statistic? Thanks to the online counter we know roughly how many computers were infected, and we know that many files must have been destroyed on February 3, 2006, but we have no idea how many.
A proof-of-concept exploit for a zero-day vulnerability in the Winamp 5.12 music player is circulating on the Internet. By tricking Winamp users into downloading a malicious playlist with a filename in excess of approximately 1,040 bytes, attackers could take control of vulnerable PCs. No patch is presently available.
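While no patch exists, the practical mitigation is to keep untrusted playlists away from the vulnerable parser. M3U is a line-oriented format (one path or URL per line, `#`-prefixed lines are directives), so a pre-open check that flags any entry approaching the reported length is a few lines of code. The following is an added example for this article, not code from the original recap or from Winamp; the 1,040-byte threshold comes from the page, and the playlist it inspects is constructed inline.

```python
# Threshold from the page: entries around 1,040 bytes trigger the flaw.
# Assumption for this example: anything at or above this length is flagged.
LENGTH_THRESHOLD = 1040


def parse_m3u(text: str) -> list:
    """Return (line_number, entry) pairs for the non-directive lines of an M3U
    playlist. Blank lines and lines starting with '#' (such as #EXTM3U and
    #EXTINF) are skipped; entries are returned exactly as written."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append((lineno, line))
    return entries


def oversized_entries(text: str, threshold: int = LENGTH_THRESHOLD) -> list:
    """Return (line_number, byte_length) for every entry whose UTF-8 encoded
    length is at or above `threshold`. Length is measured in bytes, not
    characters, because the reported limit is a byte count."""
    flagged = []
    for lineno, entry in parse_m3u(text):
        size = len(entry.encode("utf-8"))
        if size >= threshold:
            flagged.append((lineno, size))
    return flagged


def is_playlist_safe_to_open(text: str) -> bool:
    """Policy helper: a playlist with any oversized entry should be refused."""
    return not oversized_entries(text)


# Constructed sample playlist: three ordinary entries and one 1,100-byte name.
SAMPLE_PLAYLIST = "\n".join([
    "#EXTM3U",
    "#EXTINF:213,Sample Artist - Sample Track",
    "C:\\Music\\sample_track.mp3",
    "A" * 1100 + ".mp3",
    "http://radio.example/stream",
])


if __name__ == "__main__":
    for lineno, size in oversized_entries(SAMPLE_PLAYLIST):
        print(f"line {lineno}: entry is {size} bytes, refusing to open")
    print("safe:", is_playlist_safe_to_open(SAMPLE_PLAYLIST))
```

The check is deliberately conservative: a legitimate path of that length is rare enough that refusing the file and asking the user where it came from costs little, whereas the downside of opening it is full control of the machine.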
One of the most important themes of 2006 was the widespread emergence of zero day attacks.
A Rhode Island government web site, www.RI.gov, was reportedly the target of cyber thieves, who stole credit card information belonging to people who had conducted online business with Rhode Island state agencies. The breach was discovered through routine security procedures; measures have been taken to close the hole the thieves exploited.
March – Google's case was upheld in court; they did provide data on 50,000 specific URLs.
Google plans to release Google.cn in China, a version of its search engine that filters content that the country's government would find objectionable. Google officials say the choice to censor content was a difficult one, yet one that best serves the interests of its customers in China. Google says users will be informed when their search results have been censored. Google will not offer email, blogging or chat room services in China to avoid the possibility that the government could demand customers' personal data.
In January, the recently enacted Violence Against Women and Department of Justice Reauthorization Act contained a clause that makes it a crime to post "annoying messages or send annoying email" without disclosing one's true identity.
The UK Home Office has introduced legislation that would increase penalties for those convicted of cyber crimes. The fifth section of the proposed Police and Justice Bill would revise the Computer Misuse Act and provide for a maximum prison sentence of 10 years "for individuals maliciously impairing the operation of a computer or hindering or preventing the access to programs or data." The present maximum penalty for breaking into a system is five years in prison. It appears the bill would include denial-of-service attacks, which are not currently addressed under the CMA.
The eOffer/eMod web site, which is used by vendors to bid on government contracts through the General Services Administration (GSA), has been closed to address security concerns.
Microsoft Releases Out-of-Cycle Patch for WMF Flaw