Web Browsers Under Siege From Organized Crime
An anonymous reader writes "IBM has released the findings of the 2007 X-Force Security report, a group cataloging online-based threats since 1997. Their newest information details a disturbing rise in the sophistication of attacks by online criminals. According to IBM, hackers are now stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'. 'The study finds that a complex and sophisticated criminal economy has developed to capitalize on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007.'"
The minute that vulnerabilities were monetized... (Score:5, Interesting)
Welcome to the wild, wild net.
Drop in vulnerabilities... really? (Score:5, Interesting)
Combined with the comment that camouflaging techniques are used in 80% - 100% of recorded attacks, I wonder if the number of attacks is really going up (as it has been in the past 10 years) but detection is getting worse.
Explains the odd attempted breakins.. (Score:5, Interesting)
Here's a sample:
ftp attempts for 5 hours straight:
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'Administrator'
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - USER Administrator: no such user found from
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - Maximum login attempts (3) exceeded
ssh attempts almost constant since last friday:
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): check pass; user unknown
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:07 localhost sshd[13953]: pam_succeed_if(sshd:auth): error retrieving information about user ajith
When I catch them, the majority of the IP #'s match up to systems which have been rootkitted. The stream of odd login names always catches me off guard, sometimes in English, sometimes Japanese or Chinese. Does anyone know of someone who keeps track of these things, so I can send my logfiles to them?
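As an added example (not part of the post above), here is a small parser that attributes the failed logins in exactly those proftpd and sshd log formats to their source addresses. The non-obvious parts are that sshd writes the rhost only on the pam_unix "authentication failure" line, so the other lines of the same attempt must be correlated by pid, and that proftpd reports IPv4 clients as IPv4-mapped IPv6 (::ffff:) addresses. The sample input is the post's own log lines; the threshold value is an assumption.

```python
import re

# Sample input, copied from the log lines quoted in the post above
SAMPLE_LOG = """\
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - no such user 'Administrator'
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - USER Administrator: no such user found from
Feb 12 10:27:02 localhost proftpd[24841]: localhost.localdomain (::ffff:82.186.102.42[::ffff:82.186.102.42]) - Maximum login attempts (3) exceeded
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): check pass; user unknown
Feb 11 01:37:07 localhost sshd[13953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.31.37.13
Feb 11 01:37:07 localhost sshd[13953]: pam_succeed_if(sshd:auth): error retrieving information about user ajith
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>proftpd|sshd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FTP_HOST = re.compile(r"\((?:::ffff:)?(?P<ip>[\d.]+)\[")  # drop the IPv4-mapped ::ffff: prefix
SSH_HOST = re.compile(r"rhost=(?P<ip>[\d.]+)")
FTP_USER = re.compile(r"USER (?P<user>\S+):")
SSH_USER = re.compile(r"information about user (?P<user>\S+)")

def summarize(log_text):
    """Return {ip: {"failures": n, "users": set}} for failed logins, grouped per source host.
    Lines are first grouped by (program, pid) so that sshd lines without an rhost= field
    are attributed to the address seen on the pam_unix failure line of the same attempt."""
    sessions = {}  # (prog, pid) -> {"ip", "users", "failures"}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a proftpd/sshd auth line in the expected syslog shape
        s = sessions.setdefault((m["prog"], m["pid"]), {"ip": None, "users": set(), "failures": 0})
        msg, is_ftp = m["msg"], m["prog"] == "proftpd"
        host = (FTP_HOST if is_ftp else SSH_HOST).search(msg)
        if host:
            s["ip"] = host["ip"]
        user = (FTP_USER if is_ftp else SSH_USER).search(msg)
        if user:
            s["users"].add(user["user"])
        if "authentication failure" in msg or "no such user found" in msg:
            s["failures"] += 1  # one failure per attempt, not per log line
    report = {}
    for s in sessions.values():
        if s["ip"] is None:
            continue  # cannot attribute an attempt with no source address
        r = report.setdefault(s["ip"], {"failures": 0, "users": set()})
        r["failures"] += s["failures"]
        r["users"] |= s["users"]
    return report

def flag_bruteforce(report, threshold=5):
    """Source addresses with at least `threshold` failures, most active first (threshold is an assumed value)."""
    hits = [ip for ip, r in report.items() if r["failures"] >= threshold]
    return sorted(hits, key=lambda ip: -report[ip]["failures"])
```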
I wonder what the profits look like. (Score:3, Interesting)
Heck, spyware/adware, or some shady P2P programs could have something like this. Reminds me of what happened to http://www.shareaza.com/ [shareaza.com]. It's claimed by a group that's like this. That address used to be shareaza's main site, and it's easy for many to not know to go to http://shareaza.sourceforge.net/ [sourceforge.net] for the new updates.
Re:Firefox? Opera? Safari? (Score:4, Interesting)
How is that a troll? He's stating the observation based on his experience.
I did read the article and can't tell, either. My experience coincides with yours. Funny, articles are hesitant to spell out the distribution of vulnerabilities. I wonder if they get leaned on by Microsoft's legal department or one of their PR firms?
Just exactly how many of those vulnerabilities are Firefox running on Ubuntu? Or Safari? Or, as usual, is Windows and IE the most attractive attack vector?
Re:The minute that vulnerabilities were monetized. (Score:2, Interesting)
I know I'm probably going to have to make another scan of my landlady's computer... she falls for half the stuff that comes through, even after my lectures on "DON'T CLICK IT".
I've been saying this for a while now (Score:4, Interesting)
There is only one solution: executable code must be embedded in hardware read-only media and must be reloaded after every session. [today reloading a virtual machine is a good approximation, but this method will succumb under sufficiently sophisticated attack; it really needs to be built into nonflashable rom]
Nobody wants to hear this. I'm not exactly sure why; a little thought should lead anyone with some knowledge of operating systems and hacking to the same conclusion.
It's just going to get worse, with botnets, blackmail and scammers gaining more and more power until we remove the ability of malignant code to survive.
Re:The minute that vulnerabilities were monetized. (Score:2, Interesting)
Hell, if you're feeling ambitious, you could set up some kind of neighbourhood LAN and get folks to chip in towards a big fat pipe, if you can prove they'll have a safer connection...
Come to think of it...does anyone know of any successful examples of a "co-op" pseudo-ISP like that that already exists?
It _is_ true that the NES is impervious to attack. (Score:2, Interesting)
How many ROM slots am I supposed to have on my desktop machine? Three, maybe four? So, let's see, I can listen to music, browse the web, have a chat program open, and if I've got a sweet computer, I can also use my calculator application! If I can find all the cartridges on my desk!
Software updates (er, hardware updates?) can now only be obtained conveniently at your nearest MicroCenter or Fry's. F/OSS software^Whardware^Wsecure-read-only-executable updates can be easily obtained by mailing a SAS, padded envelope to the appropriate developer (who now needs a commercial source of ROMs, and a machine to print them, along with the time to do so), who will happily mail you back your ROM just as soon as he or she gets around to it, for a small fee to cover the cost of the media (oops, I guess it's just OSS now!). Old copies of softw^Whardwa^Wwhatever can be conveniently recycled at almost no cost to the user by returning them to the developer.
Do embedded video players count as "executable code"? Congratulations, YouTube is now NetFlix. Welcome back, text-only Web pages. Goodbye, everything that makes the Web useful and interesting.
And you don't understand why nobody thinks it's a good idea?
Re:Firefox? Opera? Safari? (Score:1, Interesting)
It's a Troll because anecdotal evidence boils down to pretty much this: "That's what my personal experience leads me to *feel* is true, and here are some numbers (I made up) that *feel* right to quantify my *feelings*."
The linked pdf showed that Firefox had 36 critical security issues versus IE's 28.
Given that modern OSes protect against low-level access violations, I think you can answer your question by looking at the security fault type: 22 of IE's and 12 of FF's were memory corruption or buffer overrun issues, which I'm guessing ought to be caught by the underlying OS. FF had 11 Security Zone Bypasses, of which IE had none, and FF had 13 "Other" critical security issues, versus IE's 6.
Security Zone Bypass is just one type of an elevation of privilege attack. And "Other" doesn't really tell us much, but let's assume that all "Other" vulnerabilities are Bad.
FF, then, had 24 critical security issues that wouldn't necessarily be caught by modern OS memory protection schemes common to both Windows and Linux, to IE's 6.
Hey, I'm no MS fanboy, but the above is what I managed to take home from the article.
Re:Firefox? Opera? Safari? (Score:5, Interesting)
That is as far from the definition of a troll as can be imagined. Re-read the moderator guidelines about the difference between 'Flamebait', 'Troll', and 'Factually Incorrect'. Attitudes like yours make meta-moderation necessary.
On top of everything else, it's not necessarily even wrong. I can give you 'anecdotal' evidence based on servicing computers for a local user community of about 40,000 people. My observations haven't been formalised or codified in any way, so I can't make any claim to scientific observation, but I can tell you that what I see on a day-to-day basis is relevant and significant.
This is valid and useful information in my professional context. Your implication that anecdote is always based on feeling is, ironically, based on a hunch informed by your own bias.
If you're so bent on getting good data, by the way, you should know better than to blindly add up vulnerability announcement totals and call that analysis.