Brian Pennington

A blog about Cyber Security & Compliance


March 2012

2012 Application Security Gap Study: A Survey of IT Security & Developers

In this Security Innovation-sponsored Ponemon study, 567 IT security practitioners were asked about the following topics:

  • Application security processes considered most effective
  • Adoption and use of technologies that are affecting the state of application security
  • Gaps between people, process and technology and the effect they have on the enterprise
  • Different perceptions security and development practitioners have about application maturity, readiness and accountability
  • Threats to the application layer, including emerging platforms
  • Application-layer links to data breaches

Key findings from the research include:

  • 12% of security personnel responded that all of their organization’s applications meet regulations for privacy, data protection and information security. And 15% of developers feel the same way
  • 44% of the developers surveyed stated there is absolutely no collaboration between their development organization and the security organization when it comes to application security
  • 71% of developers feel security is not adequately addressed during the software development life cycle. And 51% of the security respondents feel the same way
  • 51% of developers and the same percentage of security personnel say their organizations do not have a training program on application security
  • 60% of security respondents and 65% of developers stated that they do not test mobile applications in the production, development or Q/A processes

Based on the research findings, Ponemon organised the key findings according to the following five themes:

  1. Application security is often not a priority
  2. There is uncertainty about how to fix vulnerable code in critical applications
  3. A lack of knowledge about application security is resulting in a high rate of data breaches
  4. Developers and security practitioners have different perceptions about accountability and collaboration to improve application security
  5. Mobile technology and social media platforms are putting organizations at risk

1. Application security is not a priority

The one area both security and development practitioners agree upon is the lack of resources for application security.

  • 63% state that application security consumes 20% or less of their overall IT security budget
  • 64% of security practitioners state they either have no process, such as systems development life cycle (SDLC) at all, or an inefficient ad-hoc process for building security into their applications
  • 79% of developers say they either have no process or an inefficient, ad-hoc process for building security into their applications
  • 71% of developers believe security is not adequately addressed during the software development life cycle; 51% of the security respondents agree. In many cases, security is built in during the post-launch phase of the software development cycle and bugs are fixed during the launch phase.
  • Typically organizations are waiting for the launch phase or post-launch phase to address security issues in application development, with 57% of security practitioners and 76% of developers saying this is the case in their organizations
  • 36% of security practitioners and 16% of developers say it is addressed early in the application development life-cycle
  • 57% of security practitioners and 76% of developers believe the launch phase and the post-launch phase is when patching and fixing bugs becomes the most costly and time consuming

2. There is uncertainty about how to fix vulnerable code in critical applications

  • 47% of developers and 29% of security practitioners say their organization has no mandate to remediate vulnerable code
  • 9% of developers say it is driven through the security organization, where the development organization remediates according to best practices. However, more of the security practitioners believe this to be the case.
  • 51% of both developers and security practitioners say their organizations do not have training in application security
  • 22% of security practitioners say their organization has a fully deployed program, compared to 11% of developers
  • When asked what the development team uses to ensure they are successful in remediating potentially vulnerable code or fixing bugs, 46% of security respondents and 51% of developers say they predominantly use homegrown solutions to remediate vulnerable code. Less than half of both security and developers cite the successful use of other methods

3. A lack of knowledge about application security is resulting in a high rate of data breaches

  • Compromised or hacked applications have caused at least one data breach in 68% of the developers’ organizations and 47% of the security practitioners’ organizations over the past 24 months
  • 19% of security practitioners and 16% of developers are not sure if they had a data breach as a result of an application being compromised or hacked

A lack of compliance with regulations could also contribute to the high occurrence of data breaches

  • 12% of security personnel say that all their organization’s applications meet regulations for privacy, data protection and information security and only 15% of developers believe their organizations are in compliance

4. Developers and security practitioners have different perceptions about accountability and collaboration to improve application security

A lack of collaboration between developers and security practitioners in order to improve application security practices is putting data at risk

  • 44% of developers say there is absolutely no collaboration between their function and the security function regarding application security
  • 12% of security practitioners say there is significant collaboration and 69% say at least some collaboration exists with the developers.
  • 28% believe the CISO should be primarily responsible for ensuring security in the application development life cycle in their organization
  • 42% of development respondents from the sample stated that no one person within their organization has primary responsibility for ensuring security in the application development life cycle

5. Mobile technology and Web 2.0 attacks put organizations at risk

  • 39% of developers and 30% of security practitioners believe mobile technology is the most serious threat to application security in the next 12 to 24 months. The next most significant threat is attacker infiltration through Web 2.0 applications.
  • 51% of developers and 40% of security respondents say insecure mobile applications will disrupt business operations at their organizations
  • 42% of developers and 33% of security practitioners worry about insecure applications

The study has produced several startling findings, especially given the many data breaches in 2011 and the consistent message of PCI DSS Requirement 6 and the data protection laws, both of which have been pushing developers and companies to look at the issue.


PCI Security Standards Council pushing for feedback as window starts to close

The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has called upon its global constituents to submit feedback for the development of the next versions of the PCI Data Security Standard (DSS) and PA-DSS.

As part of the three-year life-cycle for standards development, the official feedback period, which opened in November 2011, will be closing on April 15, 2012.

To make it even easier to submit feedback, the process has been streamlined and simplified, with a readily accessible tool that can be accessed online at

“Feedback is the lifeblood of the standards development process,” said Bob Russo, general manager of the Council.

“We’ve had great participation so far, but we want to ensure that the standards continue to be the most effective set of best practices against payment data breaches. We can only evolve these best practices through the experience and feedback of our stakeholders.”


2,000 lost medical records lead to an investigation by the Information Commissioner

Pharmacyrepublic Limited lost around 2,000 patients’ personal details when a computer was stolen from its premises.

Pharmacyrepublic Limited contacted the ICO in September 2011 to report the theft of a Patient Medication Record (PMR) system. The system contained details of the medicine handed out to patients at one of its pharmacies, and was stolen while the pharmacy was being transferred to another provider. The system was supplied by another firm and Pharmacyrepublic failed to ensure that the system was securely returned to the company before leaving the premises.

The ICO’s investigation found that the system contained a limited amount of sensitive information relating to the medicine being administered to the pharmacies’ patients. The system was used to identify any problems when multiple drugs were administered to the same patient. The data hasn’t been recovered.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“It is important that companies have measures in place to keep personal information secure at all times. If a company is vacating premises then they should ensure that any equipment used to store peoples’ data is handled correctly. In this case the system should have been returned to the wholesaler safely and securely.

“This incident should act as a warning to all healthcare providers – your data protection obligations do not end while the personal information of your patients remains on site and in your control.”

Personal Health Information (PHI) is a growing issue as pharmaceutical companies invest more and more money in clinical trials. In the US, PHI is specifically covered by the Health Insurance Portability and Accountability Act (HIPAA); in the UK and Europe it is handled by the Data Protection Acts. An overview of PHI protection and governance is here.


Verizon 2012 Data Breach Investigation Report – a summary with a PCI DSS view point

The 2012 Verizon Breach Investigation Report is out and I have attempted to summarise all 80 pages below.

The study was conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.

The introduction states,

The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of “hacktivism” rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.

It wasn’t all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft.


Who is behind the data breaches? See below:

98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)
<1% committed by business partners (<>)
58% of all data theft tied to activist groups
  • Outsiders are still dominating the scene of corporate data theft
  • Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011
  • Activist groups created their fair share of misery and mayhem last year as well and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches
  • Insider incidents declined yet again this year to a comparatively scant 4%

How do breaches occur?

81% utilized some form of hacking (+31%)
69% incorporated malware (+20%)
10% involved physical attacks (-19%)
7% employed social tactics (-4%)
5% resulted from privilege misuse (-12%)
  • Incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records.

What commonalities exist?

79% of victims were targets of opportunity (-4%)
96% of attacks were not highly difficult (+4%)
94% of all data compromised involved servers (+18%)
85% of breaches took weeks or more to discover (+6%)
92% of incidents were discovered by a third party (+6%)
97% of breaches were avoidable through simple or intermediate controls (+1%)
96% of victims subject to PCI DSS had not achieved compliance (+7%)
  • Findings from the past year continue to show that target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.
  • Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained.
  • Most breaches were avoidable without difficult or expensive countermeasures. Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations.

While at least some evidence of breaches often exists, victims don’t usually discover their own incidents.

The percentage of relevant organizations in compliance with each PCI DSS requirement, based on post-breach reviews conducted by the Verizon IR team, is shown below.

PCI DSS details from the report

  • Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations
  • 96% of victims subject to PCI DSS had not achieved compliance
  • Organizations both large and small seem to struggle the most with Requirements 3, 7, 10, and 11.
  • When looking at the numbers on a year-over-year basis, Verizon sees mixed progress:
      • Improved, Requirements 1, 2, 6, 7, and 9
      • Declined, Requirements 3, 5, 8, and 11
      • Remained the same, Requirements 4, 10, and 12
  • The most significant improvement was Requirement 1 (+11%) “Install and maintain a firewall configuration to protect data.”
  • The most significant decline was Requirement 5 (-24%) “Use and regularly update anti-virus software”.

Verizon’s conclusions and recommendations

“Creating a list of solid recommendations gets progressively more difficult every year we publish this report. Think about it; our findings shift and evolve over time but rarely are they completely new or unexpected. Why would it be any different for recommendations based on those findings? Sure, we could wing it and prattle off a lengthy list of to-dos to meet a quota but we figure you can get that elsewhere. We’re more interested in having merit than having many.”

See the Verizon 2011 Payment Industry Compliance Report summary here.


UK Card Fraud losses fall because of technology and risk awareness

The UK Cards Association, along with the Cheque & Credit Clearing Company, Financial Fraud Action UK and other industry groups, has produced its report on UK fraud activity during 2011.

The results, released in March 2012, show that fraud losses on UK cards fell 7%, from £365.4m in 2010 to £341.0m in 2011, a ten-year low.

The reductions have been attributed to the efforts of the industry to “deter, detect and prosecute fraudsters”.

Card Scheme initiatives have been noted as working, for example:

  • MasterCard SecureCode
  • Verified by Visa
  • American Express SafeKey

Awareness and technology have combined to improve fraud protection through:

  • Offering advice to retailers and consumers
  • Improving the sharing of fraud data and intelligence within the industry
  • Sharing fraud data with law enforcement
  • Chip and PIN equipment
  • Fraud detection tools

Payment Card Industry compliance was not mentioned in the release, but from experience the majority of awareness campaigns, training and policy implementations by merchants have resulted from the mandates of PCI DSS.

Of interest is the fraudsters’ switch in direction back to older fraudulent methods, e.g. telephone and cheques; see the exact numbers at the end of the post.

Melanie Johnson, Chair of The UK Cards Association comments:

“Driving down fraud and keeping cards safe continues to be a priority for the industry. This is the third year card fraud losses have fallen – clear proof that our endeavours to fight fraud are packing a punch. Customers have also played their part in driving down losses by taking heed of advice about looking after their personal and financial details. Fortunately, they can always be confident that if they are the innocent victim of fraud, they have excellent fraud protection that they don’t get if they use cash.”

DCI Paul Barnard who heads up the industry-sponsored police squad, the Dedicated Cheque and Plastic Crime Unit says:

“As technological advances have made our payments more secure, we’ve seen a spike in more simplistic crimes. Many scams involve customers being conned into handing over their cards and PINs, or their telephone banking security details by someone calling, pretending to be their bank or police. Our appeal to the public is to be wary of any unsolicited phone calls or emails. Never hand over your card and PIN or bank security details in full as neither your bank or the police will ever ask you for these.”

UK Fraud broken down by type over the past 5 years is shown below:

Card fraud type on UK-issued credit & debit cards              2007      2008      2009      2010      2011      % +/- 10/11
Telephone, internet and mail order (card-not-present) fraud    £290.5m   £328.4m   £266.4m   £226.9m   £220.9m   -3%
Counterfeit (skimmed/cloned) fraud                             £144.3m   £169.8m   £80.9m    £47.6m    £36.1m    -24%
Fraud on lost or stolen cards                                  £56.2m    £54.1m    £47.7m    £44.4m    £50.1m    +13%
Card ID theft                                                  £34.1m    £47.4m    £38.2m    £38.1m    £22.5m    -41%
Mail non-receipt                                               £10.2m    £10.2m    £6.9m     £8.4m     £11.3m    +34%
TOTAL                                                          £535.2m   £609.9m   £440.0m   £365.4m   £341.0m   -7%

See a summary of the 2010 figures here.


RSA’s March Online Fraud Report

In their March Online Fraud Report, RSA reports on the activity of online fraudsters; a full summary is below.

As well as the usual interesting statistics on fraudulent activity, this report sheds light on the changes to the Zeus and Citadel Trojans as cybercriminals “migrate” from one Trojan botnet to another.

FraudAction Research Lab has recently analyzed a Zeus variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, Citadel infrastructures.

RSA researchers have studied a Zeus variant that runs on infected machines, seconds later calling for a download of an additional Trojan: a Citadel v1.3.2.0 variant. Although the Lab already saw Zeus botnets replaced by Ice IX botnets, this is one of the first instances analyzed of the Trojan calling for a Citadel replacement onto the infected PC.

The addition of a Citadel variant is a little peculiar on one hand because that creates two parallel infections on the same bot. On the other hand, it is quite logical if the botmaster intends to gradually move the botnet to the new domain and work with the Citadel Trojan instead.


Is Zeus’ time in the cybercrime arena up? That is very possible. Today’s Zeus-based codes can no longer be named “Zeus”. The last real Zeus was Zeus. Even the v2.1.0.1 development was upgraded by someone outside the original team.

Citadel, Ice IX, Odin, and any other code based on the old king’s exposed source code will each have their own name. It’s only a matter of time before botmasters will move away from Zeus to Trojans for which the development of upgrades and new features continue to thrive. We will likely see less of Zeus on the monthly charts – although its offspring will live on.

Phishing Attacks per Month

While 2012 kicked off with an increase of over 40% in global phishing attacks, February marked a 30% drop – with only 21,030 phishing attacks detected. After five consecutive months of being heavily targeted, the UK finally got replaced by the U.S. as the country enduring the most phishing volume.

Number of Brands Attacked

A total of 281 brands were targeted by phishing attacks in February. Of those targeted brands, 53% endured less than five attacks (150 brands) and 47% endured five attacks or more (131 brands).

US Bank Types Attacked

U.S. nationwide brands and regional banks both saw an eight percent increase in phishing attacks in February while credit unions saw a 16% drop in attacks.

Top Countries by Attack Volume

Following five consecutive months during which the UK topped the chart as the country that absorbed the highest volume of phishing, the U.S. topped the chart once again in February with 35% of global phishing volume. Just as surprising, Canada made an unexpected leap. After accounting for only 4% of worldwide attacks in January, Canada accounted for 27% of the world’s phishing attacks in February.

Top Countries by Attacked Brands

The U.S. and UK remained the countries with the highest number of attacked brands in February with 42%, followed by Australia, India, Italy and Canada who together accounted for 17% of attacked brands.

Top Hosting Countries

The share of phishing attacks hosted by the U.S. dropped significantly this month, falling from 82% in January to 46% in February. In January, six countries accounted for hosting about 90% of global phishing attacks, while in February, we witnessed 17 countries share that same portion of hosting.

See the full report on the RSA website.

Previous RSA Online Fraud Report Summaries:

  • The RSA February 2012 Online Fraud Report Summary is here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


PCI Security Standards Council continues focus on mobile payment acceptance security

The PCI Security Standards Council (PCI SSC) is participating in a Congressional hearing titled “The Future of Money: How Mobile Payments Could Change Financial Services,” held by the Subcommittee on Financial Institutions and Consumer Credit.

Representatives include:

  • Atlanta Federal Reserve
  • MasterCard
  • Smart Card Alliance
  • The Consumer Union

The PCI Security Standards Council Chief Technology Officer Troy Leach served as an expert panelist, providing insight into security considerations when it comes to payment acceptance using mobile technology, as well as the Council’s work to date and future plans in this area.

The hearing is the first in a series of three designed to:

  • examine the technology by which mobile transactions are conducted
  • identify potential security problems
  • identify regulatory barriers that consumers, merchants, and financial institutions might face when using mobile payment services
  • consider whether statutory changes are necessary as mobile payment systems become more widely available and are increasingly used.

Participation in the hearing comes as part of the Council’s and its stakeholders’ focused efforts in the area of mobile acceptance security.

The area of mobile payments includes two different environments for the use of mobile devices:

  1. merchant acceptance applications, where phones, tablets and other mobile devices are used by merchants as point-of-sale terminals in place of traditional hardware terminals
  2. consumer facing applications where the phone is used in place of a traditional payment card by a consumer to initiate payment

The Council’s security efforts to date in this area have been concentrated on the first environment, securing the use of mobile devices as a point of sale acceptance tool.

“Mobile technology offers exciting potential to the payments space,” said Troy Leach, chief technology officer, PCI Security Standards Council. “To help realize this securely, the Council is working with its global stakeholders to develop the industry standards and resources necessary for the protection of cardholder data across all payments channels, and for the reduction of fraud for consumers and businesses globally.”

In 2011, the Council issued guidance on the types of payment applications that can allow organizations to accept and process payments securely using mobile technology, including a checklist resource to help explain simply and succinctly to anyone currently considering mobile acceptance solutions which types of application support PCI Standards.

The Council also identified the types of applications that fall short of security standards for secure mobile acceptance. In collaboration with industry subject matter experts, including software application developers, the Council is continuing to examine this area to determine whether the inherent risk of card data exposure in these applications can be addressed by existing PCI Standards, or whether additional guidance or requirements must be developed.

Compliance by device vendors with these requirements now allows merchants to use plug-in devices with mobile phones to swipe cards securely: the card data is encrypted at the point where the card is swiped, so it is unreadable from then on. The mobile device acts only as a conduit and has no ability to decrypt the encrypted data.
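As an added illustration of the architecture just described (this is not code from the Council or from any reader vendor), the following Python sketch models the three parties: a plug-in reader that encrypts and authenticates the track data, a phone app that can only route the opaque envelope and attach an amount, and a gateway that alone holds the keys. Everything in it is a constructed assumption: the CardReader, Gateway, phone_forward and pan_visible names, the device id READER-0001, the keys, the sample track built from the well-known 4111111111111111 Visa test PAN, and the HMAC-SHA256 counter-mode keystream, which stands in for the AES and DUKPT per-swipe keys that certified readers actually use.

```python
import hashlib
import hmac
import secrets

# Constructed sample swipe: the well-known Visa test PAN 4111111111111111 in a
# track-2 style layout. Not a real card.
TEST_TRACK = b";4111111111111111=2512101?"

# Constructed keys, standing in for keys injected into the reader at manufacture.
# The phone app is never given these.
ENC_KEY = hashlib.sha256(b"constructed reader encryption key").digest()
MAC_KEY = hashlib.sha256(b"constructed reader mac key").digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream. A stand-in for the AES (and DUKPT
    per-swipe keys) certified readers use; the three-party architecture is the point."""
    blocks = (length + 31) // 32
    out = b"".join(
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range(blocks)
    )
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CardReader:
    """Plug-in swipe reader: encrypts and authenticates track data before it leaves the device."""

    def __init__(self, device_id: str, enc_key: bytes, mac_key: bytes):
        self.device_id = device_id
        self._enc_key = enc_key
        self._mac_key = mac_key

    def swipe(self, track: bytes) -> dict:
        nonce = secrets.token_bytes(12)  # fresh per swipe, so identical cards never encrypt alike
        ciphertext = xor_bytes(track, keystream(self._enc_key, nonce, len(track)))
        # Encrypt-then-MAC over device id, nonce and ciphertext so the gateway can reject tampering.
        tag = hmac.new(self._mac_key, self.device_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
        return {"device_id": self.device_id, "nonce": nonce.hex(),
                "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def phone_forward(envelope: dict, amount_pence: int) -> dict:
    """The mobile app: it can read device_id for routing and attach the amount, nothing more."""
    return {**envelope, "amount_pence": amount_pence}


def pan_visible(msg: dict) -> bool:
    """Could the app, or malware on the phone, find the test PAN in what it handles?"""
    blob = msg["ciphertext"].encode() + bytes.fromhex(msg["ciphertext"])
    return b"4111111111111111" in blob


class Gateway:
    """Payment gateway: the only party holding reader keys, so the only one able to decrypt."""

    def __init__(self, keys_by_device: dict):
        self._keys = keys_by_device  # device_id -> (enc_key, mac_key)

    def decrypt(self, msg: dict) -> bytes:
        enc_key, mac_key = self._keys[msg["device_id"]]
        nonce, ciphertext, tag = (bytes.fromhex(msg[k]) for k in ("nonce", "ciphertext", "tag"))
        expected = hmac.new(mac_key, msg["device_id"].encode() + nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed: envelope altered in transit")
        return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def run_demo() -> dict:
    """One swipe end to end, plus a tampered copy, reporting what each party could do."""
    reader = CardReader("READER-0001", ENC_KEY, MAC_KEY)
    gateway = Gateway({"READER-0001": (ENC_KEY, MAC_KEY)})
    msg = phone_forward(reader.swipe(TEST_TRACK), amount_pence=1999)
    recovered = gateway.decrypt(msg)
    # Flip one ciphertext bit in transit; the gateway must refuse it.
    damaged = bytearray(bytes.fromhex(msg["ciphertext"]))
    damaged[0] ^= 0x01
    try:
        gateway.decrypt({**msg, "ciphertext": damaged.hex()})
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"gateway_recovered_track": recovered == TEST_TRACK,
            "pan_visible_to_phone": pan_visible(msg),
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the amount the phone attaches sits outside the authenticated envelope, which is why a real gateway reconciles amounts through its own merchant channel rather than trusting the app; the card data itself, by contrast, is unreadable and unalterable from the moment it leaves the reader.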

In the coming months the Council plans to release specific guidance for merchants on how to effectively use these security requirements in conjunction with encryption technology to more easily and securely accept payments using mobile technology.

Later this year the Council will also produce a best practices document for securing mobile payment transactions.

PCI and mobile payment security will be a topic of discussion at the Council’s Annual Community Meetings scheduled for

  • September 12-14 in Orlando, Florida
  • October 22-24 in Dublin, Ireland – if you are going to Dublin see you there


Police fined by the Information Commissioner. If the Police can lose sensitive data then anyone can.

Lancashire Constabulary

The Lancashire Constabulary has been fined £70,000 by the Information Commissioner’s Office (ICO) after papers containing sensitive information about a 15 year old girl were lost. This is the first penalty the ICO has served on a police force.

The missing person’s report was discovered by a member of the public on 23 July 2011. The report had previously been used by an officer trying to locate the missing youth and is thought to have been left in a police vehicle, from which it appears to have fallen several days later.

The document included the girl’s age, address, contact information and sexuality and also mentioned that she’d previously been raped. Personal details relating to 14 other individuals – including the girl’s original attacker – were also included in the report.

Steve Eckersley, Head of Enforcement said:

“The fact that information as sensitive as this could go missing without anybody realising is extremely worrying, and shows that Lancashire Constabulary failed to have the necessary governance, policies and suitable training in place to keep the personal information they handle secure.

“The loss of this information and the news that it had been leaked to a local newspaper is likely to have been extremely distressing for all involved.

“While we are pleased that Lancashire Constabulary has agreed to take action to make sure people’s information is safe, it is vitally important that police forces have effective data protection policies in place for electronic and paper based systems, if they are to operate with the trust and confidence of the public they serve. This includes keeping a record of where personal information is being stored and used.”

The ICO’s investigation found that the Lancashire Constabulary did not record when sensitive personal information was taken outside of the police station. Officers were not provided with secure bags for storing personal information and received no specific training on how to look after hard copy documents outside the station.


RSA’s February Online Fraud Report

In their February Online Fraud Report RSA shed light on one of the latest Fraud-as-a-Service (FaaS) offerings to be purveyed in the criminal underground, a new release of the “Darkness”, aka “Optima,” DDoS bot crimeware; a commercially available toolkit that not only allows fraudsters to launch DDoS attacks at a target of their choice, but which has also been enhanced with several Trojan-like functionalities.

The ‘Darkness’ DDoS bot is used to perpetrate DDoS attacks by flooding targeted websites with junk traffic originating from unwitting users’ systems. The first version of Darkness saw light in March 2009, and according to the Russian-based fraudster who posted the ad and claims to manage the Darkness “project,” the latest release contains several improvements such as enhanced flooding capabilities, an improved password grabber module, and a new module that installs SOCKS5 on victims’ systems. The vendor behind the ad claims to have been “verified” within Russian-speaking forums, and offers interested parties links to reviews of his product.

Darkness was originally coded to be the DDoS weapon of choice, but since then, several new modules have been authored for the bot, bestowing it with Trojan-like functionalities. And much like Trojan authors, Darkness’ coders have established a few security mechanisms to hinder their product’s operations from being shut down. Demonstrating the invisible hand of the market forces that govern the underground supply chain, this latest criminal offering is being rolled out in the fraudster community following a year that has been replete with numerous hacktivist DDoS attacks.

The business of selling the Darkness bot

The Darkness bot is sold as a compiled binary, for which the customer can define three Command & Control (C&C) server domains in order to ensure operational continuity in the event of a server takedown (by LE, ISPs, CERTs, etc.).

Darkness is sold as a FaaS offering with a customer receiving a complete, fully operational administration panel on the C&C domains of his choice.

While a “Minimum” package containing the DDoS bot binary is sold for $330, a “Brilliant” package offered for $850 includes unlimited free updates, a full set of modules and unlimited ‘free’ recompiles (“rebuilds”). Further demonstrating the FaaS business model, additional services and bot features are sold separately:

  • The Darkness bot’s source code (version 10) – $3,500-$5,000
  • Individual rebuilds – $35
  • Bot updates – $85
  • Socks5 module – $250
  • Key logger module – $55
  • Password grabber – $50
  • Hosts file editor – $35

After paying for the bot’s setup, all a fraudster would have to do is infect victims’ systems using an exploit kit of his choosing. As soon as a system is infected, it appears on the customer’s web panel, with such details as country, IP address, OS, and user privileges (admin vs. user account). According to the ad, “Excellent bilingual support (Ru, Eng)” is provided.

Interestingly, to avoid liability issues, the writer of the ad disclaims any use of the Darkness bot for purposes other than IT testing.

DDoS functionality

The Darkness bot offers four types of DDoS attacks:

  1. HTTP: An attack method whereby bots flood a targeted website’s resources by sending it an overwhelming number of standard HTTP (HyperText Transfer Protocol) requests.
  2. ICMP: An attack whereby bots flood the target with ICMP (Internet Control Message Protocol) packets, such as echo requests. Rather than a single IP or domain, the flood targets a range of IP addresses, saturating every system operating behind the network. This method exploits network devices that have not been configured to rate-limit or drop such traffic.
  3. SYN: An attack that initiates a great number of TCP connections. A TCP connection is only established once the three-way handshake between client and server has completed; a SYN attack drains the targeted server’s resources by sending numerous SYN packets but never completing the handshake. The server is left holding half-open connections, needlessly waiting for the client’s acknowledgement, and becomes unavailable for legitimate traffic.
  4. UDP: Attacks using the UDP protocol (User Datagram Protocol) rely on the fact that for every UDP packet sent to a port on which nothing is listening, the target returns an ICMP Destination Unreachable packet, serving as an “Error, Return to Sender” message. Flooding the targeted site with incoming UDP packets results in a counter-flood of outgoing ICMP Destination Unreachable packets, which ultimately renders the site unavailable to legitimate users.

According to a Darkness ad reported in 2010, an average website can be brought down using only 30 infected systems (bots), while 1,000 would be required for a large website. The writer of the Darkness ad further claims that a high-profile website such as the Russian social network cited in the ad, which in November 2010 reported 100 million users, would require 15,000-20,000 bots.
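The four flood types above each leave a distinct signature at the edge of the defended network: SYNs that are never followed by a client ACK, inbound UDP mirrored by outbound ICMP port-unreachable replies, echo requests sprayed across a whole prefix, and raw HTTP request rate. The script below is an added example written for this post, not code from the RSA report or from the Darkness kit; it runs heuristic checks for all four over a constructed one-second packet window. The defended server 203.0.113.10, the prefix 203.0.113.0/24, the bot addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Heuristic detection of the four flood types above, run over a constructed
one-second packet capture. Each record is one packet seen at the edge of the
defended network, reduced to the fields the classification needs."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

TARGET = "203.0.113.10"                    # hypothetical defended web server
TARGET_NET = ip_network("203.0.113.0/24")  # hypothetical defended prefix


def pkt(src, dst, proto, **fields):
    """One packet summary: flags for TCP, dport for UDP, type/code for ICMP."""
    return {"src": src, "dst": dst, "proto": proto, **fields}


def constructed_window():
    """Constructed sample window mixing one legitimate client with three floods."""
    packets = [  # legitimate client: full handshake, then one HTTP request
        pkt("192.0.2.5", TARGET, "tcp", flags="S"),
        pkt(TARGET, "192.0.2.5", "tcp", flags="SA"),
        pkt("192.0.2.5", TARGET, "tcp", flags="A"),
        pkt("192.0.2.5", TARGET, "tcp", flags="PA", http="GET / HTTP/1.1"),
    ]
    for i in range(40):  # SYN flood: 40 bots send SYN, server answers, nobody ACKs
        bot = f"198.51.100.{i + 1}"
        packets += [pkt(bot, TARGET, "tcp", flags="S"), pkt(TARGET, bot, "tcp", flags="SA")]
    for i in range(30):  # UDP flood to a closed port: each datagram earns an ICMP 3/3
        bot = f"198.51.100.{i + 100}"
        packets += [pkt(bot, TARGET, "udp", dport=53000), pkt(TARGET, bot, "icmp", type=3, code=3)]
    for i in range(1, 60):  # ICMP sweep: echo requests sprayed over the whole /24
        packets.append(pkt("198.51.100.200", f"203.0.113.{i}", "icmp", type=8, code=0))
    return packets


def analyse(packets, syn_min=20, udp_min=20, icmp_hosts_min=16, http_min=50):
    """Return {attack_type: description} for every flood the window exhibits."""
    syn_by_dst, syn_sources = Counter(), defaultdict(set)
    acked = set()                    # (client, server) pairs that completed the handshake
    udp_by_dst, unreachable_from = Counter(), Counter()
    echo_targets = defaultdict(set)  # source -> hosts it probed with echo requests
    http_by_dst = Counter()
    for p in packets:
        if p["proto"] == "tcp":
            flags = p.get("flags", "")
            if flags == "S":
                syn_by_dst[p["dst"]] += 1
                syn_sources[p["dst"]].add(p["src"])
            elif flags == "A":
                acked.add((p["src"], p["dst"]))
            if "http" in p:
                http_by_dst[p["dst"]] += 1
        elif p["proto"] == "udp":
            udp_by_dst[p["dst"]] += 1
        elif p["proto"] == "icmp":
            if p.get("type") == 3 and p.get("code") == 3:
                unreachable_from[p["src"]] += 1
            elif p.get("type") == 8:
                echo_targets[p["src"]].add(p["dst"])

    findings = {}
    for dst, syns in syn_by_dst.items():
        sources = syn_sources[dst]
        half_open = sum(1 for s in sources if (s, dst) not in acked)
        # Many SYNs, and almost none of the senders ever finished the handshake
        if syns >= syn_min and half_open / len(sources) > 0.8:
            findings["syn"] = f"{dst}: {syns} SYNs from {len(sources)} sources, {half_open} left half-open"
    for dst, n in udp_by_dst.items():
        # Inbound UDP to closed ports shows up as a matching stream of outbound ICMP 3/3
        if n >= udp_min and unreachable_from[dst] >= n // 2:
            findings["udp"] = f"{dst}: {n} UDP datagrams, {unreachable_from[dst]} port-unreachable replies"
    for src, hosts in echo_targets.items():
        swept = [h for h in hosts if ip_address(h) in TARGET_NET]
        if len(swept) >= icmp_hosts_min:
            findings["icmp"] = f"{src}: echo requests to {len(swept)} hosts in {TARGET_NET}"
    for dst, n in http_by_dst.items():
        if n >= http_min:
            findings["http"] = f"{dst}: {n} HTTP requests in the window"
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(constructed_window()).items():
        print(f"[{kind}] {detail}")
```

The SYN check deliberately keys on the ratio of senders that never ACK rather than on the raw SYN count, because a popular site sees thousands of legitimate SYNs per second; the UDP check likewise requires the outbound ICMP to mirror the inbound datagrams, so a busy DNS or VoIP server is not flagged merely for receiving a lot of UDP.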

Trojan-like modules

Modules added to the latest release of the Darkness bot (version 10) give the code functionality typical of Trojans, and are sold separately, much like commercial Trojan add-ons:

  • Mini-Loader Function: The ad mentions that the bot has a “Mini-Loader function: it’s possible to load your EXE files to the bots.” Thanks to this functionality, fraudsters looking to drop a financial Trojan onto an already-infected system can easily do so.
  • SOCKS5 Backconnect Module: SOCKS5 modules are often installed on victims’ systems by financial Trojans, enabling fraudsters to use those systems as proxies. The fraudster ‘backconnects’ from the Command & Control server through the victim’s system to a targeted website, and so accesses the site while appearing to operate from the victim’s IP address.
  • Password Grabber Module: The password grabber offered by the bot’s vendor can grab passwords from 14 different applications, including various FTP clients, instant-messaging programs and webmail programs, as well as various online forms.
  • Hosts File Editor Module: This functionality enables botmasters to reroute victims to malicious websites by editing their hosts file, the local file a system consults before DNS when resolving a hostname to an IP address. Brazilian Banker Trojans often edit victims’ hosts files to reroute them to phishing pages that mimic targeted banks’ websites.
  • Key logger Module: This module enables Darkness operators to log all the keystrokes entered by their victims, a feature that is rarely used by today’s advanced Trojans, given their ability to intercept HTTP and HTTPS communications directly (for example, the Zeus Trojan and its derivatives no longer keylog at all).
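The hosts-file editor module is the easiest of these to check for from the defender’s side, because a redirect of a bank’s hostname has to sit in plain text in a file that is normally almost empty. The following is an added example written for this post, not code from the RSA report or from any Trojan kit: it parses a hosts file, ignores the loopback and 0.0.0.0 entries that are the file’s legitimate use, and separates redirects of a watchlisted domain from any other non-loopback mapping. The watchlist domains under bank.example, the injected addresses and the sample file contents are constructed for illustration.

```python
"""Check a hosts file for entries that redirect well-known domains, the kind
of tampering the Darkness hosts-file editor module is sold to perform."""
from ipaddress import ip_address

# Hypothetical watchlist: domains a botmaster would redirect to a phishing page.
WATCHLIST = {"bank.example", "www.bank.example", "login.bank.example"}

# Constructed sample: a stock Windows hosts header plus injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.bank.example   # injected by the attacker
192.0.2.44      bank.example
198.51.100.9    update.antivirus.example
0.0.0.0         ads.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue  # malformed address; real tooling would log this line
        for name in parts[1:]:
            yield addr, name.lower().rstrip(".")


def suspicious_entries(text, watchlist=WATCHLIST):
    """Split non-loopback mappings into watchlist redirects and everything else."""
    redirects, other = [], []
    for addr, name in parse_hosts(text):
        # 127.0.0.1, ::1 and 0.0.0.0 entries are how the file is normally used
        if addr.is_loopback or addr.is_unspecified:
            continue
        entry = (str(addr), name)
        if name in watchlist or any(name.endswith("." + w) for w in watchlist):
            redirects.append(entry)
        else:
            other.append(entry)
    return {"watchlist_redirects": redirects, "other_non_loopback": other}


if __name__ == "__main__":
    for kind, entries in suspicious_entries(SAMPLE_HOSTS).items():
        for addr, name in entries:
            print(f"[{kind}] {name} -> {addr}")
```

On a real host the text would come from C:\Windows\System32\drivers\etc\hosts or /etc/hosts; the second bucket matters too, since a redirect of an anti-virus update domain is a common way of keeping a bot alive.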

Security countermeasures

Darkness’ coders have invested some effort in concealing their product’s operation. As mentioned above, each Darkness binary can be configured with up to three different C&C server domains, so that the botnet survives a domain suspension or server takedown. In addition, the vendor claims that the bot can bypass the Windows firewall, and that it employs “some trick to bypass DDoS Protections.” While the ad claims that Darkness’ processes and resources remain invisible to the user, a previous version of the bot reportedly failed to hide its processes.

DDoS attacks and hacktivism

This latest criminal offering is being rolled out in the fraudster community following a year that has been replete with numerous hacktivist DDoS attacks initiated by various groups such as Anonymous, TeamPoison, AntiSec, LulzSec, and others. In 2011, high-profile victims of DDoS attacks waged by hacktivist groups included: Sony’s Playstation Network, the CIA’s website, the FBI, UK tabloid The Sun, the Spanish Police, and the government websites of Egypt, Tunisia and Turkey.

The latest set of DDoS attacks was launched last month by Anonymous (January 19, 2012), its victims comprising proponents of the controversial SOPA and PIPA bills, including the Recording Industry Association of America (RIAA), Motion Picture Association of America (MPAA), Broadcast Music, Inc. (BMI), and the FBI.

The weapon of choice for some of these attacks was Low Orbit Ion Cannon (LOIC), a free open-source program that can also serve legitimate purposes, such as testing how an Internet resource holds up under a DDoS attack. To launch an orchestrated attack that leverages their power as a community, participants installed the program on their own systems, willingly forming a large botnet controlled by a central Command & Control server. At a predefined time, the C&C server issued a command to those systems to start flooding victim sites with junk traffic, resulting in their temporary ‘denial of service.’

Aligning itself with the invisible hand of demand, the “Darkness” bot satisfies fraudsters’ increasing motivation to unite against perceived foes, while also fulfilling the role of a user-friendly malware kit.

And “Darkness” is not the only Trojan kit from which fraudsters can launch DDoS attacks. In March 2011, the FraudAction Research Lab reported on a DDoS plugin traced in a variant of the SpyEye Trojan. That DDoS plugin, however, is not sold as part of the SpyEye Trojan kit; it was privately developed by an individual botmaster. Recent versions of the SpyEye builder are sold with a Software Development Kit (SDK) to facilitate the development of new modules by individual botmasters.

In light of a growing interest in the underground to launch DDoS attacks against financial institutions, data security companies, law enforcement agencies, and various government bodies, we are likely to see a growing number of DDoS-enabling modules and malware kits offered in the underground market in the near future.

Phishing Attacks per Month

The year 2012 has started off with a 42% increase in the number of phishing attacks launched, with 29,974 unique attacks identified by RSA in January. Last month also saw an increase in the total number of brands attacked and the number of attacks endured by individual brands.

Number of Brands Attacked

A total of 281 brands were targeted by phishing attacks in January, marking a 10% increase from the number of targets recorded in December 2011.

US Bank Types Attacked

Nationwide U.S. brands accounted for 68% of the brands targeted in the U.S. financial sector, marking a 14% decrease from December 2011. Also in January, the portion of targeted U.S. credit union brands increased 13% and U.S. regional bank brands increased 4%.

Top Countries by Attack Volume

The UK has remained the country targeted by the highest volume of phishing attacks for the fifth consecutive month with a 10% increase since last month. In total, the UK was targeted by 60% of the world’s phishing attacks in January. While the U.S. saw a 5% decrease in the volume of attacks, the volume targeting Canada increased by 2%. The countries that have consistently suffered the largest volume of phishing attacks over the past year have been the UK, U.S., Canada, and the Netherlands.

Top Countries by Attacked Brands

Combined, U.S. and UK brands accounted for 44% of the brands attacked in January. Twenty-one (21) other countries absorbed the remaining 56%, with each country accounting for 1% to 4% of the world’s targeted brands.

Top Hosting Countries

In January, U.S.-based hosting entities exceeded their normal share of phishing attacks, hosting 82% of worldwide phishing attacks as compared to 50 – 70% of attacks in a typical month.

Previous RSA Online Fraud Report Summaries:

  • The RSA January Online Fraud Report Summary is here.
  • The RSA December Online Fraud Report Summary is here.
  • The RSA November Online Fraud Report Summary is here.
  • The RSA October Online Fraud Report Summary is here.
  • The RSA September Online Fraud Report Summary is here.


School boy error at a University

How many other people will have done this? Taken a screenshot for training purposes, to demonstrate a technical error, to share a section of a document, and so on, and inadvertently captured another application, image or piece of data without realising it, or without thinking it was important?

Whatever the reason, if we include personal information in those screenshots and then share them, we could be breaching the Data Protection Act.

This happened at Durham University, which disclosed personal information in screenshots used to demonstrate University systems in training material published on a website. The information included the details of up to 177 former students and staff.

Steve Eckersley, the ICO’s Head of Enforcement, said:

“All documents should be checked for personal information before being made available on a website. This case also highlights the importance of organisations having comprehensive data protection training in place for all staff.

“It is vital that schools, colleges and universities introduce robust systems to handle their pupils’ information on electronic and paper based systems in compliance with the Data Protection Act and we will continue to work with those in the education sector to ensure they are keeping young people’s details secure.”
