The annual FBI computer crime report is out, and it reports that attacks and costs are down and that insiders are becoming the biggest threat. The other important development this week is that some new IE vulnerabilities have been discovered, and these flaws even affect systems that have applied the new Windows XP Service Pack 2.
FBI/CSI 2004 cybercrime report
For the past nine years the FBI and the Computer Security Institute have compiled cybercrime statistics. These statistics provide a good benchmark to compare the year-to-year changes in the kind of threats administrators need to focus on. To get the 2004 report, you have to go to the CSI Web site and enter some registration information in order to receive the document as a PDF download.
The 2004 report concludes that both "the unauthorized use of computer systems" and the "annual financial loss resulting from security breaches" have declined, with a shift in the biggest problems being toward denial of service attacks. If true, that should come as a bit of a relief to many harried administrators.
The 486 responding administrators come from a good mix of organization sizes in the private sector and government agencies, with most of the respondents in the private sector. Thus, the information in this report should be useful for most IT departments.
There are also useful figures on the amount of money spent on security by various organizations. Many administrators and IT managers might want to use those numbers to help gauge the reasonableness of security-focused budget requests.
In my opinion, some of the most significant findings in the report include:
- Viruses and insider abuse of Web access are the biggest threats cited in the report.
- One very bright spot in the report was that, among the responding organizations, 99 percent had antivirus software and 98 percent had firewalls.
- Other numbers indicate that data encryption isn't used nearly as often as would be expected, which isn't comforting.
- Another worrisome trend I gleaned from the report was that, by far, medical-related companies spend the least on security. That may change when the recent laws and regulations regarding privacy of medical records are more fully implemented.
- Most companies don't have cybersecurity insurance, something I suspect will change in the future.
- Per-employee security costs are highest for small businesses and smallest for very large companies. Although that is predictable, it is still important to realize.
Latest IE problems
A new Internet Explorer vulnerability has been discovered, and it apparently hasn't been fixed by Windows XP SP2. Secunia rates the flaw as highly critical.
The threat relates to the way Windows handles drag-and-drop operations and can allow a malicious Web site to cause arbitrary code to be placed in the Startup folder of a Windows machine. Secunia speculates that this vulnerability could also be triggered by a simple click of a button rather than requiring a drag-and-drop.
This was originally reported by http-equiv, which also posted a proof-of-concept demonstration (and that is why I'm not providing a link). The vulnerability is also related to an old cross-site scripting error that has been addressed by Microsoft.
This affects Internet Explorer 5.01, 5.5 and 6.0. As mentioned above, it even affects Windows XP systems with SP2 installed.
Risk level – High to Extreme
Secunia appears to rate threats based on the amount of damage they could cause and, unlike Microsoft, doesn't factor in the likelihood that they will be exploited. That is why this flaw is so highly rated. Also, there are no mitigating factors.
Turn off IE's Active Scripting.
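As an added illustration of that mitigation (this script is mine, not the column's), the following PowerShell audits and disables Active Scripting in IE's Internet zone. It assumes the documented IE zone registry layout: zone key 3 is the Internet zone and DWORD value 1400 controls Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable); writing the HKLM copy requires an elevated shell.

```powershell
# Added example: audit and disable Active Scripting for IE's Internet zone.
# Assumed layout: ...\Zones\3 = Internet zone, value "1400" = Active Scripting,
# with 0 = Enabled, 1 = Prompt, 3 = Disabled. HKLM applies machine-wide and
# needs an elevated shell; HKCU covers the current user only.
$ZonePaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
$ActiveScripting = '1400'
$Disable = 3
$Meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    param([string]$Path)
    # Returns $null when the key or value is absent (setting not defined in this hive).
    $item = Get-ItemProperty -Path $Path -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ActiveScripting
}

function Set-ActiveScriptingDisabled {
    param([string]$Path)
    # Create the zone key if it is missing, then force the value to Disabled (3).
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $ActiveScripting -Value $Disable -Type DWord
}

foreach ($path in $ZonePaths) {
    $before = Get-ActiveScriptingState -Path $path
    $label = if ($null -eq $before) { 'not set' }
             elseif ($Meaning.ContainsKey($before)) { $Meaning[$before] }
             else { "unknown ($before)" }
    Write-Output "$path : Active Scripting is $label"
    if ($before -ne $Disable) {
        Set-ActiveScriptingDisabled -Path $path
        $after = Get-ActiveScriptingState -Path $path
        Write-Output "  -> now $($Meaning[$after])"
    }
}
```

Disabling scripting in the Internet zone breaks many sites; sites that genuinely need it belong in the Trusted sites zone rather than having scripting re-enabled globally.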
I believe a lot of the numbers in the 2004 CSI/FBI Computer Crime Report are on target, mainly because companies will respond to the survey even if they fail to report crimes to the police. However, I have some serious questions about the claim that intrusions are down. I suspect that, since the report mostly looks at occurrences in 2003 or even earlier, next year's report may be a little different after all the serious attacks we've seen lately. Although the individual respondents aren't identified, I feel many of them are shading the numbers a bit, and there simply isn't any way to determine that except by looking at how quickly worms and other malware spread. Much of the problem relates to unprotected home systems on broadband connections, but I see a lot of reports from businesses that experience penetrations and other forms of attack on a regular basis.
Also, although the survey has collected data from a lot of businesses, that doesn't mean it covers the numbers of employees in the same proportion. It's easy to forget that many more people in the U.S. work for small businesses with fewer than 20 employees than work for large corporations. That can easily skew the results in this report, because those small businesses also have the fewest security resources. In fact, I would actually classify many of the small businesses that I work with as equivalent to home users when it comes to security.
Also watch for …
- Cisco IOS 12.0S, 12.2 and 12.3 have an OSPF protocol DoS vulnerability (there's no risk if you don't have OSPF enabled). This was reported by Cisco and if your systems are affected, you should definitely get the patch.
- Netscape and Mozilla have a SOAP vulnerability in Netscape versions 7.0 and 7.1 and Mozilla version 1.6. Mozilla version 1.7.1 is immune. See CAN-2004-0722. The vulnerability was reported to Netscape in March, and the patch was inserted in the Mozilla source tree in July.
- Opera version 7.53 (and earlier) on Windows, Linux, and Macintosh can let attackers locate files and directories on your system. Update to version 7.54 or newer to fix this problem, which was discovered and reported by GreyMagic.
- Several big players have agreed to adopt Microsoft's Sender ID system, which identifies e-mail origins. This looks like the best option we currently have to reduce phishing and kill off a big source of spam. Sender ID will end the use of spoofed addresses but may not do much to stop hijacked systems from forwarding malware attacks to addresses harvested from PCs. Yahoo is working on its own system, called DomainKeys, based on encryption. However, Sender ID actually maps the supposed originating domain. Neither is a total solution, but both could be potent new weapons in the fight against spam.