The annual FBI computer crime report is out, and it finds that attacks
and costs are down and that insiders are becoming the biggest threat. The
other important development this week is that new IE vulnerabilities have been
discovered, and these flaws affect even systems that have applied the new
Windows XP Service Pack 2.

FBI/CSI 2004 cybercrime report

For the past nine years the FBI and the Computer Security
Institute have compiled cybercrime statistics. These statistics provide a good
benchmark for comparing year-to-year changes in the kinds of threats
administrators need to focus on. To get the 2004 report, go to the CSI Web site and enter some
registration information; the document is then delivered as a PDF download.

The 2004 report concludes that both “the unauthorized use of
computer systems” and the “annual financial loss resulting from security
breaches” have declined, with the biggest problems shifting toward
denial of service attacks. If true, that should come as a bit of a relief to
many harried administrators.

The 486 responding administrators come from a good mix of
organization sizes in the private sector and government agencies, with most of the respondents
in the private sector. Thus, the information in this report should be useful
for most IT departments.

There are also useful figures on the amount of money spent
on security by various organizations. Many administrators and IT managers might want
to use those numbers to help gauge the reasonableness of security-focused
budget requests.

In my opinion, some of the most significant findings in the
report include:

  • Viruses
    and insider abuse of Web access are the biggest threats cited in the
    report.
  • One
    very bright spot in the report was that, among the responding organizations,
    99 percent had antivirus software and 98 percent had firewalls.
  • Other
    numbers indicate that data encryption isn’t used nearly as often as would
    be expected, which isn’t comforting.
  • Another
    worrisome trend I gleaned from the report was that, by far,
    medical-related companies spend the least on security. That may change
    when the recent laws and regulations regarding privacy of medical records
    are more fully implemented.
  • Most
    companies don’t have cybersecurity insurance, something I suspect will
    change in the future.
  • Per-employee
    security costs are highest for small businesses and lowest for very
    large companies. Although that is predictable, it is still important to
    realize.

Latest IE problems

A new Internet Explorer vulnerability has been
discovered and it apparently hasn’t been fixed by Windows XP SP2. Secunia rates
the flaw as highly critical.

The threat relates to the way Windows handles drag-and-drop
operations and can allow a malicious Web site to place arbitrary executable
content in the Startup folder of a Windows machine, where Windows runs it at
the next logon. Secunia speculates that this vulnerability could also be
triggered by a simple click of a button rather than requiring a drag-and-drop.

This was originally reported by http-equiv, who also
posted a proof-of-concept demonstration (which is why I’m not providing a
link). The vulnerability is also related to an old cross-site scripting error
that Microsoft has already addressed.

Applicability

This affects Internet Explorer 5.01, 5.5 and 6.0. As
mentioned above it even affects Windows XP systems with SP2 installed.

Risk level – High to Extreme

Secunia appears to rate threats by the amount of
damage they could cause and, unlike Microsoft, doesn’t factor in the likelihood
that they will be exploited. That is why this flaw is so highly rated. Also, there
are no mitigating factors beyond the workaround below.

Fix

Turn off IE’s Active Scripting for the Internet zone (Tools | Internet Options | Security | Custom Level, then under Scripting set Active scripting to Disable).
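Disabling scripting prevents the drop; it does not tell you whether a page already dropped something. The script below is an added example (not code from this column, Secunia or http-equiv) that audits a Startup folder for recently modified entries and flags the file types Windows will run at logon. The folder locations and the extension list are assumptions made for the example, and the baseline comparison is a suggested practice, not something the advisories describe.

```python
"""Audit a Windows Startup folder for recently added or runnable entries.

Added example, not code from the original column or from Secunia or
http-equiv. It checks for the symptom described above: a file dropped
into a Startup folder, where Windows runs it at the next logon. Folder
locations and the extension list below are assumptions for the example.
"""
import os
import sys
import time
from typing import Dict, Iterable, List

# Extensions Windows runs (or follows, for shortcuts) from a Startup folder.
# Assumed, reasonable list for the example; not exhaustive.
RUNNABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs",
                 ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk", ".url"}


def startup_folders() -> List[str]:
    """Return the per-user and all-users Startup folders that exist here.

    Covers the Windows XP layout (%USERPROFILE%\\Start Menu\\...) and the
    later %APPDATA% / %ProgramData% layout; on a non-Windows host the
    environment variables are absent and the list is empty.
    """
    candidates = []
    tail = os.path.join("Start Menu", "Programs", "Startup")
    for var, prefix in (("USERPROFILE", ""),
                        ("ALLUSERSPROFILE", ""),
                        ("APPDATA", os.path.join("Microsoft", "Windows")),
                        ("ProgramData", os.path.join("Microsoft", "Windows"))):
        base = os.environ.get(var)
        if base:
            candidates.append(os.path.join(base, prefix, tail))
    return [p for p in candidates if os.path.isdir(p)]


def audit_startup_dir(path: str, now: float = None,
                      max_age_days: int = 7) -> List[Dict[str, object]]:
    """List files in `path` modified within `max_age_days` of `now`.

    Each finding records the name, the modification time, and whether the
    extension is one Windows would execute at logon. Hidden files are
    listed too, since a dropped payload may carry the hidden attribute.
    """
    if now is None:
        now = time.time()
    cutoff = now - max_age_days * 86400
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        mtime = os.stat(full).st_mtime
        if mtime < cutoff:
            continue
        findings.append({
            "name": name,
            "mtime": time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)),
            "runnable": os.path.splitext(name)[1].lower() in RUNNABLE_EXTS,
        })
    return findings


def new_entries(path: str, baseline: Iterable[str]) -> List[str]:
    """Return names present in `path` but absent from a known-good baseline.

    Use this where a machine has a recorded inventory of its Startup folder:
    a modification time can be forged, but a new name cannot be made to
    look like one you already inventoried.
    """
    known = {n.lower() for n in baseline}
    return sorted(n for n in os.listdir(path) if n.lower() not in known)


if __name__ == "__main__":
    folders = startup_folders() or sys.argv[1:]
    if not folders:
        print("no Startup folder found; pass a path on the command line")
    for folder in folders:
        print(folder)
        for f in audit_startup_dir(folder):
            flag = "RUNNABLE" if f["runnable"] else "        "
            print("  %s  %s  %s" % (f["mtime"], flag, f["name"]))
```

Run it as the logged-on user so the per-user folder resolves; a shortcut (.lnk) or .url file counts as runnable because Windows follows it at logon, so do not skip those when reviewing the output.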

Final word

I believe a lot of the numbers in the 2004 CSI/FBI Computer
Crime Report are on target, mainly because companies will respond to the survey
even if they fail to report crimes to the police. However, I have some serious
questions about the claim that intrusions are down. I suspect that, since the
report mostly looks at occurrences in 2003 or even earlier, next year’s report
may look a little different after all the serious attacks we’ve seen lately.
Although the individual respondents aren’t identified, I feel many of them are
shading the numbers a bit, and there simply isn’t any way to determine that
except by looking at how quickly worms and other malware spread. Much of the
problem relates to unprotected home systems on broadband connections, but I see
a lot of reports from businesses that experience penetrations and other forms
of attack on a regular basis.

Also, although the survey has collected data from a lot of
businesses, that doesn’t mean it covers the numbers of employees in the same
proportion. It’s easy to forget that many more people in the U.S. work for small
businesses with fewer than 20 employees than work for large corporations. That
can easily skew the results in this report because those small businesses also have
the fewest security resources. In fact, I would actually classify many of the
small businesses that I work with as equivalent to home users when it comes to
security.


Also watch for …

  • Cisco
    IOS 12.0S, 12.2 and 12.3 have an OSPF protocol DoS vulnerability (there’s no
    risk if you don’t have OSPF enabled). This was reported by Cisco, and if
    your systems are affected, you should definitely get the patch.
  • Netscape
    and Mozilla have a SOAP vulnerability in Netscape versions 7.0 and 7.1 and
    Mozilla version 1.6. Mozilla version 1.7.1 is immune. See CAN-2004-0722.
    The flaw was reported to Netscape in March and the patch was inserted
    in the Mozilla source tree in July.
  • Opera version
    7.53 (and earlier) on Windows, Linux, and Macintosh can let attackers
    locate files and directories on your system. Update to version 7.54 or
    newer to fix this problem, which was discovered and reported by GreyMagic.
  • Several
    big players have agreed to adopt Microsoft’s Sender ID system, which
    verifies where e-mail originates. This looks like the best option we currently
    have to reduce phishing and kill off a big source of spam. Sender ID should
    end the use of spoofed sender addresses, at least for domains that publish
    records and receivers that check them, but may not do much to stop hijacked
    systems from forwarding malware to addresses harvested from PCs.
    Yahoo is working on its own system, DomainKeys, based on cryptographic
    signatures. Sender ID, by contrast, checks the purported originating domain
    against the sending addresses that domain has published. Neither is a total
    solution, but both could be potent new weapons in the fight against spam.
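To make the Sender ID point concrete, here is an added example (not code from this column, Microsoft or Yahoo) of the record-based check in miniature: pick the domain from the message headers, then test the connecting IP against the addresses that domain publishes. It handles only the ip4, ip6, include and all mechanisms, simplifies the header selection from RFC 4407, and reads from a constructed in-memory table rather than real DNS; the domains and records in it are made up for the example.

```python
"""Toy Sender ID / SPF style check of a sending host against DNS policy.

Added example, not code from the column, Microsoft or Yahoo. Sender ID
builds on SPF: a domain publishes in DNS the IP addresses allowed to send
its mail, and the receiver checks the connecting IP against that list for
the domain taken from the message headers. This evaluator handles only
the ip4, ip6, include and all mechanisms and reads from a constructed
in-memory table instead of real DNS, so it runs offline.
"""
import ipaddress
from typing import Dict, Optional

# Constructed records for the example; these are not any real domain's policy.
DNS: Dict[str, Optional[str]] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 -all",
    "nopolicy.example": None,      # domain exists but publishes nothing
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def pra_domain(headers: Dict[str, str]) -> Optional[str]:
    """Pick the domain Sender ID checks: the Purported Responsible Address.

    Simplified from RFC 4407: the first header present, in the order
    Resent-Sender, Resent-From, Sender, From, supplies the address.
    """
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        value = headers.get(name)
        if value and "@" in value:
            return value.rsplit("@", 1)[1].strip("> \t").lower()
    return None


def check_sender(domain: str, ip: str,
                 dns: Dict[str, Optional[str]] = DNS, depth: int = 0) -> str:
    """Evaluate `domain`'s policy for a message from `ip`.

    Returns pass, fail, softfail, neutral, none (no policy published) or
    permerror (record uses something this toy does not implement).
    """
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif mech == "include":
            # Real SPF treats none/permerror from the included domain as
            # an error; this toy only asks whether it passes.
            if check_sender(arg, ip, dns, depth + 1) == "pass":
                return RESULT_FOR_QUALIFIER[qualifier]
        else:
            return "permerror"           # a, mx, ptr, exists: not implemented
    return "neutral"                     # nothing matched and no "all" term


def check_message(headers: Dict[str, str], connecting_ip: str,
                  dns: Dict[str, Optional[str]] = DNS) -> str:
    """Combine the two steps: pick the PRA domain, then check the sending IP."""
    domain = pra_domain(headers)
    if domain is None:
        return "none"
    return check_sender(domain, connecting_ip, dns)


if __name__ == "__main__":
    claimed = {"From": "Billing <billing@example.com>"}
    print("spoofed, sent from 203.0.113.7:", check_message(claimed, "203.0.113.7"))
    # A hijacked host that is on the published list still passes: Sender ID
    # proves the sending host is authorized, not that the message is wanted.
    print("hijacked, sent from 192.0.2.10:", check_message(claimed, "192.0.2.10"))
```

The two calls at the bottom show the limitation the bullet describes: a forged example.com message from an unrelated address fails, but the same message relayed through a compromised machine inside example.com's published range passes, because the check binds a domain to hosts, not to the person who wrote the mail.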