Botnets are the most significant way that companies are having data stolen outside of employee theft. Services, such as viaForensic’s threatForensics, can help to identify botnets.

Four little-known botnets were behind half of all botnet infiltrations in enterprises last year — and the No. 1 botnet hitting corporate networks carried the infamous Zeus crimeware….

Koobface overall had a surprisingly large representation. The worm, typically spread via social networks such as Facebook and MySpace, was the main malware carried by two additional botnets, Koobface.D (5 percent) and Koobface.C (4 percent). The malware was used as a foot in the door to hijack corporate users’ accounts and to spread among other systems within the organization, according to Gunter Ollmann, vice president of research for Damballa.

via The Top 10 Enterprise Botnets – DarkReading.

Companies are not paying enough attention to security. Even if all the usual security mechanisms are in place, there is still no way to avoid all the danger. As this Register article states: “25 [programming] flaws are the cause of almost every major cyber attack in recent history.” One approach is to hold the developers responsible. Another is for companies to take the initiative to employ additional security (i.e. threatForensics).

Computer experts from some 30 organizations worldwide have once again compiled a list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications….

The 25 flaws are the cause of almost every major cyber attack in recent history, including the ones that recently struck Google and 33 other large companies, as well as breaches suffered by military systems and millions of small business and home users….

As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,” the introduction to Tuesday’s list states.

via Experts reboot list of 25 most dangerous coding errors • The Register.

Application security may still have a ways to go, but Open Source is showing promise…

Despite the relatively gloomy picture of developers still missing the mark initially on security, there were some bright spots in the report: Open-source software isn’t as risky as you’d think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable in the first submission to testing, according to Veracode’s report.

“The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That’s encouraging,” Oberg says. And it was the quickest to remediate any flaws: “It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,” he says.

via State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test – DarkReading.

A recent article on Law.com (part one of a seven part series) discusses the importance of legal holds for the preservation of electronically stored information (ESI) and other documents.

Why are courts placing so much emphasis on this ministerial step in preservation of issuing a written litigation hold? It appears that patience is running thin for lost ESI in federal court. More importantly, ignorance of litigation hold requirements is no excuse. Also, the days of he-said-she-said litigation hold arguments are numbered. Courts want to see a transparent and credible process by simply looking at a few documents such as the written hold notice, distribution list, follow-up interview reports or logs, as examples.

As articulated by Judge Scheindlin in Pension Committee v. Banc of America, courts definitely do not want to wade through stacks of motions papers and days of hearings to determine if preservation efforts were sufficient to prevent the destruction of ESI and other documents. As a result, it is imperative for an organization to have in place a litigation hold policy and adequate procedures necessary to avoid going down the litigation “detour” of discovery sanctions motions.

via Law.com – Step 1 for Legal Holds: Trigger Events.

This is an interesting and evolving area.  Many of these devices run embedded OS with flash memory so traditional forensic techniques do not work.  However, the Android platform (and other mobile platforms) have similar characteristics and thus the R&D in those areas can be applied to embedded devices.    Moral of the story: if it has data storage or network activity, you’ll find a forensic geek poking around somewhere close by (hint: contact us if you want to discuss):

Attacks against the power grid are likely to rise and intensify during the next 12 months as smart grid research and pilot projects advance, according to utility security experts and a recently published report that analyzes threats to critical infrastructure.

The so-called Project Grey Goose Report on Critical Infrastructure points to state and/or non-state sponsored hackers from the Russian Federation of Independent States, Turkey, and China as the main threats to targeting and hacking into energy providers and other critical infrastructure networks.

via Spike In Power Grid Attacks Likely In Next 12 Months – DarkReading.

Ahhh, nothing like the weekly Adobe zero-day exploit.

This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324). We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog for the latest information.

via New Adobe Reader and Acrobat Vulnerability – Adobe Product Security Incident Response Team (PSIRT).

Well, it’s nice to see Adobe at the top of the list given all the 0-day exploits.  Bit9 seems to do great work but the white paper is behind a registration firewall (they should just release it, trust me, it’s better that way).  Here’s the results from the press release:

This year Adobe applications top the list with four applications identified in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database:

• Adobe Acrobat
• Flash Player
• Reader
• Shockwave

had vulnerabilities that were rated “High” including ones that allowed remote attackers to execute arbitrary code, trigger memory corruption, denial of services or application crashing.

Other vulnerable applications on the list include:

* Apple Quicktime

* Mozilla Firefox

* Opera

* RealPlayer

* Sun Java

* Trillian

The applications on the list meet the following criteria:

* Runs on Microsoft Windows

* Is well-known in the consumer space and frequently downloaded by individuals

* Is not classified as malicious by enterprise IT organizations or security vendors

* Contains at least one critical vulnerability that was:

o First reported in January 2009 or after

o Registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS)

o Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists

o The application cannot be automatically and centrally updated via Enterprise tools such as Microsoft SMS & WSUS.

via Bit9 Releases Annual Report on Top Vulnerable Applications in 2009.

More thoughts on our smart grid vulnerability:

However, the smart grid changes all of that. The researchers from IOActive demonstrated that smart grid boxes can be hacked and that they can spread worms. Not only that, the boxes themselves will be connected to every home and be available to anyone. Anyone therefore has access to the smart grid. With tens of millions of the boxes planned to be distributed throughout the United States, potential attackers can easily get their hands on the systems to tear apart and find new vulnerabilities and attacks. More important, when there is a vulnerability found, how will it be mitigated?

There is a perfect storm brewing where the skills and resources required to launch a significant attack is being drastically lower. Depending upon the effects of a possible worm on the smart grid boxes, and the vulnerability of the generators, there can be a combined attack that does have strategic impact.

I Was Wrong: There Probably Will Be an Electronic Pearl Harbor.

I love that “without our knowledge” quote.  Wouldn’t it be nice if companies took the security of your personal data seriously?  If you are a company who wants to try this, take a look at our fraudForensics service…do yourself and your customers a huge favor.

Staff at mobile phone company T-Mobile passed on millions of records from thousands of customers to third party brokers, the firm has confirmed.

Details emerged after the firm alerted the information commissioner, who said his office was preparing a prosecution.

Christopher Graham said brokers had sold the data to other phone firms, who then cold-called the customers as their contracts were due to expire.

A T-Mobile spokesman said the data had been sold “without our knowledge”.

via BBC NEWS | UK | T-Mobile staff sold personal data.

I won’t inundate the blog with Windows exploits but the first zero-day bug is noteworthy.

In a security advisory, Microsoft acknowledged that a bug in SMB (Server Message Block), a Microsoft-made network file- and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines.

via Computerworld > Microsoft confirms first Windows 7 zero-day bug.

On a similar note, security firm Sophos recently tested Windows 7 with 10 viruses on 10/22/2009 and found 80% of them successeded:

On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software.

We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft’s claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.