Web Browsers Under Siege From Organized Crime

An anonymous reader writes "IBM has released the findings of the 2007 X-Force Security report, a group cataloging online-based threat since 1997. Their newest information details a disturbing rise in the sophistication of attacks by online criminals. According to IBM, hackers are now stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'. 'The study finds that a complex and sophisticated criminal economy has developed to capitalize on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007.'"

80%...?

[by Anonymous Coward]

Are they saying that antispyware software misses 80% of the spyware?

Firefox? Opera? Safari?

[TFGeditor (737839)]

Okay, I admint I have not (yet) read the article, but experience tells me that 80% likely involves IE at 90 percent or better.

Re:Firefox? Opera? Safari?

[HangingChad (677530)]

...experience tells me that 80% likely involves IE at 90 percent or better.

How is that a troll? He's stating the observation based on his experience.

I did read the article and can't tell, either. My experience coincides with yours. Funny articles are hesitant to spell out the distribution of vulnerabilities. I wonder if they get leaned on by Microsoft's legal department or one of their PR firms?

Just exactly how many of those vulnerabilities are Firefox running on Ubuntu? Or Safari? Or, as usual, is Windows and IE the most attractive attack vector?

Re:Firefox? Opera? Safari?

[WilliamSChips (793741)]

I'm not fully sure but I know every browser has one vulnerability. It's between keyboard and chair.

Re:Firefox? Opera? Safari?

[nbannerman (974715)]

Agreed - this is why I replace all my users with inanimate carbon rods - I haven't had a security problem in months!

Re:

[aztracker1 (702135)]

Though productivity has plummeted...

Re:

[cp.tar (871488)]

I'd like to see you have the nerve and belligerence to walk up to any of these people and say: "you're using IE so therefore you are wrong and stupid", when they are not actually at fault.

Putting aside the fact that I had been aiming for a Funny moderation instead of Insightful, this is one fine leap of logic you're suggesting, and some finely chosen words you're putting in my mouth.

While I did describe mere usage of IE as wrong and stupid, it would not do to assume I said IE users were wrong and stupid.
So please, suppress your righteous indignation.

Oh, BTW:

1. 30 - 50 year old couple with no technically competent friends or family (or kids) using a computer from Dell or a corner store. This is actually a pretty large fraction of 'Net users out there, and they use IE and windows through no fault of their own.

I should consider every usage of any device without proper level of competence wrong and stupid.
Just because people do not get

Re:Firefox? Opera? Safari?

[grcumb (781340)]

...experience tells me that 80% likely involves IE at 90 percent or better.

How is that a troll? He's stating the observation based on his experience.

It's a Troll because anecdotal evidence boils down to pretty much this: "That's what my personal experience leads me to *feel* is true, and here are some numbers (I made up) that *feel* right to quantify my *feelings*."

That is as far from the definition of a troll as can be imagined. Re-read the moderator guidelines about the difference between 'Flamebait', 'Troll', and 'Factually Incorrect'. Attitudes like yours make meta-moderation necessary.

On top of everything else, it's not necessarily even wrong. I can give you 'anecdotal' evidence based on servicing computers for a local user community of about 40,000 people. My observations haven't been formalised or codified in any way, so I can't make any claim to scientific observation, but I can tell you that what I see on a day-to-day basis is relevant and significant.

This is valid and useful information in my professional context. You're implication that anecdote is always based on feeling is, ironically, based on a hunch informed by your own bias.

The linked pdf showed that Firefox had 36 critical security issues versus IE's 28.

If you're so bent on getting good data, by the way, you should know better than to blindly add up vulnerability announcement totals and call that analysis.

Re:

[dynamo (6127)]

This post isn't a troll, IE is.

Re:Firefox? Opera? Safari?

[Farmer Tim (530755)]

I most strongly disagree. IE is flamebait: use it, and you will get burned.

Re:

[FudRucker (866063)]

even though your comment was modded down as a troll, i agree with you wholeheartedly...

Got plugins?

[jschottm (317343)]

The web is not just HTML at this point. Both QuickTime and RealPlayer have had notable exploits in the past few months. Acrobat and Flash have had major security holes as well. Just relying on the fact that you're using Firefox doesn't mean that you're not vulnerable.

The minute that vulnerabilities were monitized...

[DigitalSorceress (156609)]

It seems to me that the moment that organized crime found a way to make money off security vulnerabilities (Spam, ID theft, Ransomware, etc...) the writing was pretty much on the wall (though I'm still trying to figure out what it says). It kind of reminds me of William Gibson's cyberspace: a free-for-all, hostile environment where it was pretty much up to individual users / corporations / governments / whatever to protect themselves through whatever means necessary.

Welcome to the wild, wild net.

That's not the worst of it.

[khasim (1285)]

It kind of reminds me of William Gibson's cyberspace: a free-for-all, hostile environment where it was pretty much up to individual users / corporations / governments / whatever to protect themselves through whatever means necessary.

The problem is that no matter how well YOU protect yourself, other agencies have your personal information in their databases.

What happens if your employer loses a laptop with your SSN, name, etc on it?

Eventually, the criminals are just going to start building a database with whatever information they can find.

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

You'll lose more money than you have. And you'll never have a chance to prevent it. Because all the information will be "leaked" from 3rd parties.

Re:That's not the worst of it.

[by Anonymous Coward]

Potentially the problems you state are only the scraps, unfortunately it is getting to where every filing cabinet and vault in the world has multitudes of vacuum pipelines hooked to it and organized crime is working hard on figuring out how to break down the filters and routing on these pipelines and channel the flow to themselves. Think in terms of the old vacuum pipes for paper and money transfers inside old department stores and then expand it world wide, now try to imagine keeping it secure, not just your part of it but everyone's part that you connect to and everyone's part that they connect to ad infitum, welcome to the internet.

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

Side warning to the closed source corporations: See above, biggest difference is your paying them too. Think you can hire that many eyes?

Side warning to businesses and individuals: Read the above, look around you, let the paranoia begin.

The internet maybe a highly efficient way of doing business, but it can be an extremely efficient way to steal too. Weigh the KNOWN risk factors, is it really worth it?

Organized crime is only the tip of the iceberg.

We may have to become stainless steel rats just to be free.

Re:That's not the worst of it.

[vertinox (846076)]

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

How do know that a low paid programmer at Microsoft hasn't been bribed by organized crime and if so how do you detect the code?

Re:That's not the worst of it.

[TheRealMindChild (743925)]

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

I got that one covered. I just haven't paid several bills for a long while now. If someone tries to get credit with my credentials, all they will get is people laughing and pointing at them

Re:

[SCHecklerX (229973)]

It's even easier than that. Every time you pay with your credit card at a restaurant, you are trusting that waiter not to steal your number, or that they don't print a tape with the number on it and put it in the trash unshredded.

Re:

[dave562 (969951)]

the machine uses unencrypted wireless signals

I call BS on this one. I've done a couple of POS implementations for restaurants and all they all used WPA encryption on the devices and the access points were setup to only accept connections from a pre-defined list of MAC addresses. Ya ya, MAC addresses can be spoofed but it is going to take an attacker a long time to hit a restaurant wireless network. The majority of restaurants still swipe the card at the hard wired terminal anyway. The restaurant indus

Re:

[vertinox (846076)]

What happens if your employer loses a laptop with your SSN, name, etc on it?

If you are paranoid like me you will have already called one of three major credit companies (not the free score but Equifax, Experian, or TransUnion) and put a freeze on your credit every 90 days with a fraud alert. Or you can pay one of their subsidaries a monthly fee for any notifications via email or SMS of any changes or requests in your credit (yeah it kind of feels like I'm paying them to solve a problem that is their fault).

Re:The minute that vulnerabilities were monitized.

[KublaiKhan (522918)]

Kinda leads to interesting thoughts...perhaps it may behoove certain of us to act as "night watchmen" for our various neighbourhoods, in the interest of keeping that sort of thing away from our systems.

I know I'm probably going to have to make another scan of my landlady's computer...she falls for half the stuff that comes through, even after my lectures on "DON'T CLICK IT" :-/

Re:The minute that vulnerabilities were monitized.

[gnick (1211984)]

perhaps it may behoove certain of us to act as "night watchmen" for our various neighbourhoods

That's an interesting idea and may function just fine at a land-lady level. But, for some reason, my bank balked at the idea of granting me admin access to their server so that I could make sure that my personal info was secure.

Re:

[KublaiKhan (522918)]

Well, start small, anyway. The bank can afford to make itself secure, but if every computer in the neighbourhood is sending out Russian viagra ads, your bandwidth will suffer--so doing some basic cleaning and firewalling will benefit you bandwidthwise.

Hell, if you're feeling ambitious, you could set up some kind of neighbourhood LAN and get folks to chip in towards a big fat pipe, if you can prove they'll have a safer connection... ;-p

Come to think of it...does anyone know of any successful examples of a "

Drop in vulnerabilities... really?

[grassy_knoll (412409)]

From TFA:

The overall number of vulnerabilities reported for the year went down for the first time in 10 years.

Combined with the comment that camouflaging techniques are used in 80% - 100% of recorded attacks, I wonder if the number of attacks is really going up ( as it has been in the past 10 years ) but detection is getting worse.

Explains the odd attempted breakins..

[downix (84795)]

Over the past 4 weeks I've noticed a rash of almost hourly attempted breakins to our servers.

Here's a sample:
ftp attempts for 5 hours straight:
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'Administrator'
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - USER Administrator: no such user found from ::ffff:82.186.102.42 [::ffff:82.186.102.42] to ::ffff:192.168.10.26:21
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - Maximum login attempts (3) exceeded

ssh attempts almost constant since last friday:

Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): check pass; user unknown
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:07 localhost sshd[13953]: pam_succeed_if(sshd:auth): error retrieving information about user ajith

When I catch them, the majority of the IP #'s match up to systems which have been rootkitted. The stream of odd login names always catches me off guard, sometimes in english, sometimes japanese or chinese. Does anyone know of someone that keeps track of these things, so I can send my logfiles to?

Re:Explains the odd attempted breakins..

[KublaiKhan (522918)]

The folks over here [sans.org] keep track of that sort of thing. You may want to speak with them.

Re:

[sirgoran (221190)]

Whoops!

Sorry, my bad. Thought I was on my server...

Re:Explains the odd attempted breakins..

[cheater512 (783349)]

Your looking for this for your SSH logs: http://denyhosts.sourceforge.net/ [sourceforge.net]
It will automatically detect and block the attackers and optionally add them to a gobal block list.

Re:Explains the odd attempted breakins..

[ssstraub (581289)]

Rootkit Revealer [microsoft.com] (Windows). This was written by Mark Russinovich before he joined Microsoft.

Re:

[bberens (965711)]

Generally, but not always, you can watch outgoing traffic logs on your router to see if there's stuff going on that doesn't make sense. Most people don't have that kind of time. Also, it may be your router which was rootkitted. :)

Beware the"funny" moderation in Organized Crime...

[HairyNevus (992803)]

...It begs the question "how am I funny to you?"

I wonder what the profits look liike.

[kabocox (199019)]

We've seen what kinda of profits spam brings in. I wonder how profitable this is.

Heck, spyware/adware, or some shady P2P programs could have something like this. Reminds me of what happened to http://www.shareaza.com/ [shareaza.com]. It's claimed by a group that be like this. That address used to be shareaza's main site, and it easy for many to not know to go to http://shareaza.sourceforge.net/ [sourceforge.net] for the new updates.

Re:I wonder what the profits look like.

[J0nne (924579)]

That particular domain was basically taken over by the recording industry (the real story is longer [shareazasecurity.be]), although I guess one could say that's organised crime too.

original report

[formant (852164)]

Here is the link to the source : http://www.iss.net/x-force_report_images/2008/index.html/ [iss.net]

Oooo! The X-Force!

[Quiet_Desperation (858215)]

I didn't know IBM hired Rob Liefeld. Did they put Cable in charge of the investigation?

Organized crime, huh? When they hit your browser, does the screen just go black?

Re:

[FudRucker (866063)]

RE:["Organized crime, huh? When they hit your browser, does the screen just go black?"]

well it is called the "Black Market"...

Dat's a nice browser yous got

[gnarlyhotep (872433)]

Be a shame if sumfin' were to happen to it, like.

Lack of Security of any System on the 'Net

[RobBebop (947356)]

stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'.

5%, 25%, 50%? 90%? Are there estimates for the "rate never before seen" that users are having their personal information stolen?

And what personal information is it? To extend the old saying "If it is on the internet, it is public". Well, *all* information you store the computer that you access the internet suffers from this lack of security.

A truly secure user experience would be managing personal data on an unconnected system (or even a private network of systems) and then transferring data from there that needs to make it to the Internet via the Sneakernet [wikipedia.org]. This is how the Department of Defense guarantees the security of Secure Facilities, and it is (unfortunately) the only way to guarantee the security of your own personal information.

But for systems that are on the 'Net, using an OS that doesn't hide/obfuscate fundamental security models is a plus. For example, it is easier for me to shutdown outgoing ports/services on Linux [uic.edu] than on Windows [windowsecurity.com].

As far as browser exploits... one can only hope that developers close off the attack vectors faster than they open new ones.

I've been saying this for a while now

[rufusdufus (450462)]

I've been saying this for years now: antivirus and firewalls cannot protect from sophisticated attacks.

There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session. [today reloading a virtual machine is a good approximation, but this method will succumb under sufficiently sophisticated attack; it really needs to be built into nonflashable rom]

Nobody wants to hear this. I'm not exacty sure why; a little thought should lead anyone with some knowledge of operating systems and hacking to the same conclusion.

Its just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignent code to survive.

Re:

[hotdiggitydawg (881316)]

Its just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignent code to survive.

Who gets to define the term "malignant code", and how? There's your barrier right there. One man's malignant code is another man's valid program (ref. Trusted Computing).

New form of stick-up?

[DoofusOfDeath (636671)]

Hand me your cache!

(Sorry - for humor I go for quantity, not quality.)

Kick Windows off the Internet

[EllynGeek (824747)]

I did read the actual report, all 56 pages of it. As usual, Windows' total lack of security guarantees that any random blackhat with a minimum of skill can exploit it. Go ahead and mod me Troll again, you lameass Microsoft-fanboi moderators, but it won't change what the report says- Windows is the problem.

Re:

[gnick (1211984)]

Windows is the problem.

I'm certainly no MS fanboy, I don't consider your original post a Troll, and I won't even argue your 90% speculation. But I can't blame Windows's security for this. When you have 76% of the market share [wikipedia.org], it doesn't seem unreasonable that the blackhats will target you 90% of the time. So, unless their security is head-and-shoulders better than the competition, they will still have the most breaches.

Re:

[RiffRafff (234408)]

Criminals don't steal the most abundant ("popular") car; they steal the easiest. Yet another car analogy, but it works here. Windows' security is knees-and-ankles below the competition. They get targeted first. Otherwise you'd see the Web getting broken everyday, since it's mostly run on Apache with non-Windows servers. IIS and its ilk still get targeted first. Or so has been my observation.

Re:

[gnick (1211984)]

Yet another car analogy, but it works here.

Stealing cars and exploiting computer exploits are completely different situations. Imagine a city where 76% of the population drove Hondas. The other 24% drive a variety of cars of roughly the same value. Each make of car has a different security system. Now, if you can figure out how to get around Honda's security system, 76% of the cars in the city are yours for the taking. If you figure out how to get around Buick's security system, you have your choice of the handful of Buicks driving around.

Desp

Re:

[EllynGeek (824747)]

The old "more market share is why Windows is more attacked" has been so thoroughly debunked you should be ashamed of yourself for parroting it yet again. Please- educate yourself; you reveal that you know little about operating systems when you say that. It's just not true. Well, it's partly true- with the perfect combination of easily exploited and dominant market share, it's a perfect recipe for organized crime and blackhats of all varieties to run rampant. If an open-source Unix-type operating system wer

You know...

[Guppy06 (410832)]

"In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007."

If they're going to hose my Windows boxen and install spurious applications of dubious intent, I find that I prefer if they camouflage their attempts so as not to bother me with constant popups from the system tray telling me to install their spyware to get rid of spyware.

This does not surprise me at all...

[Panaqqa (927615)]

...after all, it was only a matter of time once rootkit source code was published for anyone to grab. From that time onwards, true stealth malware was possible to create without needing to be a security researcher. Combine the ease of integrating someone else's rootkit code into a payload with a vigorous open market for Windows vulnerability information ($25,000 gets you a brand new zero-day exploit) and you reach the situation we have today.

Some people believe the largest botnets out there are ones built with the Storm Worm or other similar exploits. My bet would be that there are plenty larger out there, undetectable because they hide behind rootkits and don't do stupid stuff like turn the box into a spam cannon. And for people who think that the C&C (Command and Control) would be detected, think again: if a rootkit can conceal a file then it can also conceal a process, a named pipe, an interrupt handler, you name it.

... which is why it's a good idea to ...

[WD (96061)]

... secure your web browser [cert.org]. Many browsers are not secure out of the box, which puts you at risk of attack.

How vulnerable am I?

[Repton (60818)]

Consider this hypothetical situation: I'm running Windows XP with no firewall and no antivirus. I'm on broadband and my ADSL modem/router does NAT with no port-forwarding rules set up. I'm fully patched and run out-of-the-box firefox. I don't run executables from untrusted sources, I understand how to treat email attachments, and I'm smart enough not to get caught by phishing.

How vulnerable am I? How likely is it that I will get compromised?

Does the answer change if I'm running fully-patched IE7?