139 posts categorized "Rob Rachwald"
February 02, 2012
 VeriSign Breached

Amazing story from Reuters.

Note how the breach was reported:

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.

The article speculates that penetrating SSL certificates may have been a key target of the attack.  

Until August 2010, VeriSign was one of the largest providers of Secure Sockets Layer certificates, which Web browsers look for when connecting users to sites that begin "https," including most financial sites and some email and other communications portals.

If the SSL process were corrupted, "you could create a Bank of America certificate or Google certificate that is trusted by every browser in the world," said prominent security consultant Dmitri Alperovitch, president of Asymmetric Cyber Operations.

This shouldn't surprise anyone.  As we wrote late in 2011, while a growing number of web applications are delivered over the HTTPS protocol (HTTP over SSL), attackers are increasingly focusing their attacks against the various components of SSL. We are seeing a rise in attacks which target the worldwide infrastructure that supports SSL. We expect these attacks to reach a tipping point in 2012 which, in turn, will invoke a serious discussion about real alternatives for secure web communications. The VeriSign attack highlights that the tipping point may have actually arrived in 2011.

So who did it?

The Reuters piece suggests government-sponsored hackers.  Possible.  Another possibility:  private hackers who resell the booty to the governments and enterprises who may want it. 

January 28, 2012
 Massive Virus Hits Android

According to this article:

a bug by the name of Android.Counterclank has infected between 1 million and 5 million Android users as of this afternoon. 

This incident points out the problem of having a decentralized distribution system.  In other words, anyone can disseminate Android applications anywhere--including virus writers.  Without a middleman to ensure consumers can trust the applications being downloaded, expect these types of incidents to grow and continue.  In March 2011, IDC predicted that “Android is poised to take over as the leading Smartphone operating system in 2011 after racing into the number 2 position in 2010.”  Not surprisingly, hackers follow consumers.

By contrast, Apple's centralized iTunes model is proving more secure.  Certainly, there have been incidents, like this iTunes hack, but they aren't commonplace.  Both BlackBerry and Microsoft adhere to a centralized model as well.

Google may need to rethink their distribution model for apps for two reasons:

  1. If Android users are forced to install AV while their Apple, Microsoft and BlackBerry friends are just paying for games, it will make for quite a market contrast.
  2. If enterprise users experience problems, IT departments may decide to walk away from Android.

January 27, 2012
 How Time Warner Profits from Anonymous

This is entertaining.  The gist:

[Anonymous'] disguise is earning big bucks for a major media conglomerate. Warner Brothers, the Time Warner subsidiary who produced the movie, owns the rights to the Guy Fawkes mask – and they earn royalties on every sale. (Obligatory disclaimer: Time Warner is also TIME’s parent company, so in an extremely roundabout way, we’re also profiting from this.) While Time Warner hasn’t released any data related to their earnings from the masks, it’s safe to say that the hundreds of thousands of Guy Fawkes masks sold each year helps to bring sure profit to the company.


January 25, 2012
 Perspective on the EU Data Privacy Proposal

The EU has come out with a data protection proposal.

First, the good stuff:

  • The new EU privacy law takes a good step forward for privacy.  The ability to control and even delete individual data profiles is a needed move. 
  • Unifying laws across the member EU states makes sense.

However, the proposal doesn’t do enough to protect data.  Since it mainly proposes fines, it will not help keep EU citizen data safe from hackers or insiders.  Such approaches have not met with success in the past.  Why?  Fines enable companies to game the system. They can risk a breach without having put in place the basic elements of cyber defense. 

Rather, the EU should put in place fines coupled with a more prescriptive approach, working with industries to identify specific actions firms should take to protect data.  The payment card industry, PCI, adopted this approach through self regulation and has managed to lock down data better than any regulation in existence today.  This prescriptive method makes gaming the system much tougher.  More importantly, by involving the industries and not just spanking them, private enterprise has real skin in the game.

January 20, 2012
 Anonymous Campaign: Meet the New DDoS, Same as the Old DDoS

Once again, Anonymous is using the low orbit ion cannon (LOIC) to DDoS websites.  This tool was originally developed by white hat hackers to stress test websites.

Not surprisingly, the tool they are using is exactly the same one used for Operation Payback which took place about a year ago.

Looking at the LOIC downloads so far this year, it's clear there has been a sudden, sharp increase in the past few days which coincides with the latest Anonymous campaign:

[Chart: LOIC downloads so far this year]

And the top country downloading the attack tool?  The US, though not with a huge lead.  France and Brazil are not far behind:

[Chart: LOIC downloads by country]

(NOTE:  These above numbers are current as of 8:30ish AM PST.  The stats will change.)

In addition to the version of LOIC that is downloaded and used locally, several websites have been developed that automatically DDoS simply by loading them.  Here is one example:

[Screenshot: browser-based LOIC page]

Typically, these sites use JavaScript to send the attack requests in a loop.


January 05, 2012
 Symantec Code Leak

Rumor has it that hackers have obtained the source code for Symantec’s Norton AV. A posting on pastebin presented the file list and hackers are claiming that they also have the code itself. While the code is not yet out, hackers are saying that it is just a matter of time as they are considering how to best publish this information.

For a major DLP vendor like Symantec, this is quite embarrassing. It’s reasonable to assume that the retrieval of such a list could be a result of the files residing on a test server which was mistakenly exposed, or a posting to FTP which unintentionally became public.  It also seems, if you trust the hackers' boasting, that the code was obtained from the Indian military.  Many governments do require source code from vendors to prove the software isn't spyware.

If the rumors turn out to be true, the implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night, and certainly not their customers. After all, there isn’t much hackers can learn from the code which they hadn’t known before. Why? Most of the anti-virus product is based on attack signatures. Because defenses are based on signatures, malware authors continuously write malware to evade signature detection (in 2007, antivirus could only detect between 20-30% of malware). We noted in our blog on the Black Hole Exploit that only 30% of AV would have been effective. Further, malware versions evolve at such a rate that signatures cannot keep up with them in the first place. The workings of most anti-virus algorithms have also already been studied by hackers in order to write the malware that defeats them. The main beneficiaries of having the source code could be Symantec's competitors.

If the source code is recent and hackers find serious vulnerabilities, it could be possible to exploit the actual anti-virus program itself.  But that is a big if and no one but Symantec knows what types of weaknesses hackers could find.


 How to Stop SQL Injection

On the very last day of 2011, SANS published a story about automated SQL injection attacks affecting 1M plus websites.  What will be different with SQL injection in 2012?  Nothing.  Perhaps more, perhaps some new attack tools.  But otherwise, it'll look like quite the same.

Since SQL injection continues to be the major tool for data theft, we will try to devote a blog a month to the topic in an effort to eradicate the world of this problem.  Our first entry is a summary of a webinar (registration required) we did late in 2011.  Today's blog uses what we outlined in this webinar with respect to a mitigation checklist (minus the honey-voiced narration).

Here's what any firm that has data flowing in web applications should do in order to protect themselves from SQL injection:

Step 1:  Dork yourself
The first step hackers often take to find vulnerable websites is simply conducting a Google search.  In this case, they search for technical snippets unknowingly left inside of web applications that help indicate there's a vulnerability.  Today, hackers have automated the process, using bots to search for vulnerabilities.  There are also online tools. Last year, we showed how frequently Google Dork searches were taking place:

[Chart: dork searches per hour]

As the chart shows, several thousand searches take place per hour.  How does dorking work?  You search for something technical to help find a vulnerability, such as "inurl:page.php?id=".  A fuller list can be found here.

How do security teams shield themselves from dorking?

  • Dork your own website and see what is exposed.
  • Regularly schedule “clean ups” to remove the nasty bits.

Step 2:  Create and deploy a blacklist of hosts that initiated SQL Injection attacks
In our report on SQL injections, we showed that 40% of SQL injection attacks came from just 10 sources (IP addresses).  With such numbers, blacklisting makes sense.  One of our customers has adopted an interesting blacklisting policy that goes beyond SQL injections:  any attack from any IP address is blocked for six years (!).  This may not be the right policy for everyone, but something to think about.


Step 3:  Use a web application firewall (WAF) to detect/block attacks
Yeah, we're a WAF vendor.  But others have made it clear that a good WAF is an important part of a security strategy.

Here's an example of how Imperva's WAF would alert you to the attack:

[Screenshot: SQL injection alert]

This screen shot shows the details of the SQL injection itself:

[Screenshot: blocked request details]

Step 4:  WAF + Vulnerability Scanner
Again, we're a WAF vendor and I don't want to sound like we're promoting product.  For this reason, I'll defer to Gartner:

Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls

If a web application security testing tool tells me I have a vulnerability in an application, what do I do? “Fix it” is the right answer, but not always so easy if my development organization is backlogged or, worse, I don’t have access to the source code. Another answer is to shield the application from attacks on the vulnerability using an application-level firewall – in this example a web application firewall.

In fact, just yesterday, Gartner came out with a Magic Quadrant for vulnerability scanning (DAST, in their jargon).  One of the key criteria for DAST vendors?  WAF integration (mentioned 19 times).   

Step 5:  Stop Automated SQL Injection Attack Tools
Hackers deploy automated SQL attack tools like sqlmap and Havij. Identifying their attack patterns and fingerprints to block their activity is essential.  To do so, you should identify the different patterns of automated attacks.  Patterns might be found in several places such as:

  1. HTTP Headers - Distinct User agent string, lack of "normal" HTTP headers.
  2. Application parameters - Distinct constants used by the tools.

Having a piece of equipment that speaks the application-layer language (this is where a WAF comes in) allows enterprises to express that knowledge as security rules.
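The fingerprinting in Step 5 and the source blocklist in Step 2 can be turned into one piece of detection logic. The Python below is an added example written for this post; it is not Imperva code and not output from its WAF. The sample requests, addresses, header expectations and scoring weights are constructed for the example, and the hex constant is the marker that public IDS signatures attribute to Havij's UNION probes, so verify every marker against your own captures before relying on it.

```python
import re
from urllib.parse import unquote

# Constructed sample traffic (RFC 5737 test addresses, hypothetical paths and headers).
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "path": "/page.php?id=7",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0",
                 "Accept": "text/html,application/xhtml+xml", "Accept-Language": "en-US,en"}},
    {"ip": "198.51.100.5", "path": "/page.php?id=7%20AND%201=1",
     "headers": {"User-Agent": "sqlmap/1.0-dev (http://sqlmap.org)"}},
    {"ip": "198.51.100.5", "path": "/page.php?id=7%20AND%201=2",
     "headers": {"User-Agent": "sqlmap/1.0-dev (http://sqlmap.org)"}},
    {"ip": "192.0.2.77",
     "path": "/page.php?id=999999.9%20union%20all%20select%200x31303235343830303536--",
     "headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", "Accept": "*/*"}},
    {"ip": "203.0.113.10", "path": "/about.php",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0",
                 "Accept": "text/html,application/xhtml+xml", "Accept-Language": "en-US,en"}},
]

# Step 5 fingerprints. The tool names come from the post; the hex constant is the one public
# IDS signatures attribute to Havij. All of these are starting points to verify, not a full list.
TOOL_UA_MARKERS = ("sqlmap", "havij")
TOOL_PARAM_MARKERS = ("0x31303235343830303536",)
EXPECTED_HEADERS = ("Accept", "Accept-Language")   # browsers send these; many tools do not
SQLI_SYNTAX = re.compile(r"(?i)\bunion\s+(all\s+)?select\b|\b(and|or)\s+\d+\s*=\s*\d+|'\s*(or|and)\b")

# Weights (constructed): a tool fingerprint is decisive on its own; a missing header only
# corroborates, so a browser that omits Accept-Language is never blocked by that alone.
WEIGHTS = {"tool_user_agent": 3, "tool_constant": 3, "sqli_syntax": 2, "missing_headers": 1}
BLOCK_THRESHOLD = 2
SIX_YEARS = 6 * 365 * 24 * 3600   # the customer policy quoted in Step 2, in seconds


def score_request(req):
    """Return (score, reasons) for one request; score >= BLOCK_THRESHOLD counts as an attack."""
    reasons = []
    ua = req["headers"].get("User-Agent", "").lower()
    if any(m in ua for m in TOOL_UA_MARKERS):
        reasons.append("tool_user_agent")
    decoded = unquote(req["path"]).lower()      # tools URL-encode the payload; inspect the decoded form
    if any(m in decoded for m in TOOL_PARAM_MARKERS):
        reasons.append("tool_constant")
    if SQLI_SYNTAX.search(decoded):
        reasons.append("sqli_syntax")
    if any(h not in req["headers"] for h in EXPECTED_HEADERS):
        reasons.append("missing_headers")
    return sum(WEIGHTS[r] for r in reasons), reasons


def build_blocklist(requests, now, block_for):
    """Step 2: map each source IP that sent an attack to the epoch second its block expires."""
    expiry = {}
    for req in requests:
        score, _ = score_request(req)
        if score >= BLOCK_THRESHOLD:
            expiry[req["ip"]] = max(expiry.get(req["ip"], 0), now + block_for)
    return expiry


def is_blocked(blocklist, ip, now):
    """True while the IP's block has not yet expired."""
    return ip in blocklist and now < blocklist[ip]


if __name__ == "__main__":
    NOW = 1325750400   # constructed timestamp: 2012-01-05 08:00 UTC
    for req in SAMPLE_REQUESTS:
        print(req["ip"], req["path"], score_request(req))
    print("blocked:", sorted(build_blocklist(SAMPLE_REQUESTS, NOW, SIX_YEARS)))
```

The two legitimate requests score zero, each sqlmap request is caught by its User-Agent, the missing browser headers and the boolean probe, and the Havij-style request is caught by its constant and UNION syntax even though it spoofs a browser User-Agent. Blocking on the combined score rather than any single clue is what keeps the blocklist from filling up with ordinary clients.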

Step 6:  Code review
Code review is arduous and expensive, but it gets the problem fixed--hopefully for good.  With most code bases becoming exceedingly large, code review is far from comprehensive, which makes steps 3 and 4 very important.
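What the reviewer in Step 6 is looking for, as an added Python example that is not from the post or the webinar: the concatenated query beside its parameterized replacement, run against a constructed in-memory SQLite table with the classic tautology probe so the difference in behaviour is visible, plus a small regex heuristic for triaging a large code base for the concatenation pattern. The table, the probe, the sample source lines and the regex are all assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (id, title, body) VALUES (?, ?, ?)",
        [(1, "Home", "public"), (2, "Admin notes", "internal only")],
    )
    return conn


def lookup_title_vulnerable(conn, page_id):
    """The pattern a reviewer flags: the request parameter is pasted into the SQL text,
    so anything the client sends is parsed as part of the statement."""
    sql = "SELECT title FROM pages WHERE id = '" + page_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_title_fixed(conn, page_id):
    """The fix: a parameterized query. The driver binds page_id as a value, never as SQL."""
    return [row[0] for row in conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))]


# Heuristic (constructed for this example) to find candidates for manual review in a large
# code base: a string literal containing an SQL verb that is glued to a variable with '+' or
# '%', or an f-string containing an SQL verb. It trades precision for speed; review each hit.
CONCAT_SQL = re.compile(
    r"""(?i)["'].*\b(select|insert|update|delete)\b.*["']\s*(\+|%)"""
    r"""|\bf["'].*\b(select|insert|update|delete)\b"""
)


def review_for_concatenated_sql(source_lines):
    """Return 1-based line numbers whose text matches the concatenation heuristic."""
    return [n for n, line in enumerate(source_lines, 1) if CONCAT_SQL.search(line)]


# Constructed source lines standing in for a code base under review.
SAMPLE_SOURCE = [
    "sql = \"SELECT title FROM pages WHERE id = '\" + page_id + \"'\"",   # flagged: concatenation
    'conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))',   # clean: bound parameter
    'cur.execute(f"DELETE FROM pages WHERE id = {page_id}")',             # flagged: f-string
    'cur.execute("UPDATE pages SET title = %s" % title)',                 # flagged: % formatting
]


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # the textbook tautology; any non-numeric input shows the same split
    print("vulnerable, id=1 :", lookup_title_vulnerable(conn, "1"))
    print("vulnerable, probe:", lookup_title_vulnerable(conn, probe))
    print("fixed, id=1      :", lookup_title_fixed(conn, "1"))
    print("fixed, probe     :", lookup_title_fixed(conn, probe))
    print("lines to review  :", review_for_concatenated_sql(SAMPLE_SOURCE))
```

With a normal id both functions return the same single title; with the probe the concatenated version returns every row while the parameterized version returns nothing, because the driver compares the whole string against the integer column rather than parsing it. The regex is deliberately loose: it is a way to prioritize which files a reviewer reads first, not a replacement for reading them.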

December 22, 2011
 Commerce Hack

Lots of coverage on the WSJ's reporting of the breach at the Chamber of Commerce.

This coincides, ironically, with Rich Mogul's column on data security.  He writes:

To really succeed with data security, we need a foundation of monitoring tools. If you don’t know who is using your data and how, then no amount of encryption, DRM, or filtering will ever really help. 

Rich goes on to recommend a combination of database activity monitoring, data leak prevention and file activity monitoring.  

The Chamber hack is a good example showing the need for file security that Rich articulates:

The intruders used tools that allowed them to search for key words across a range of documents on the Chamber's network, including searches for financial and budget information, according to the person familiar with the investigation. The investigation didn't determine whether the hackers had taken the documents turned up in the searches.

December 21, 2011
 "Hacking" Newt

Newt Gingrich's official website is this one:  http://www.newt.org/.

However, someone at the Newt campaign failed to take ownership of all the Newt-related domains. It seems that someone has taken ownership of the www.newtgingrich.com domain and is redirecting visits to negative press articles or websites like Fannie/Freddie Mae or Tiffany's. (These sites are related to some of Newt's political baggage.)  Indeed, every time you visit the site, you're redirected somewhere else. Simply looking at the response header information, courtesy of Firefox, you see the redirect:

[Screenshot: HTTP response headers showing the redirect]

Again, we see how 2012 will be the first major election year where hacking will be a big, huge factor. Just because this is Newt does not make it a Republican problem only.  All current and future Karl Roves or James Carvilles will need to have a "war room" response for hacking built into the campaign contingency plans.  But the more astute, well-funded campaign managers will bring in a good-quality security team.


 Insider Threat Personas

Imperva's Noa Bar Yosef assembled a great list of personas to help security teams identify potential security threats.  Today, eWeek published an excellent slideshow detailing these personas.