The 2013 Threat Report from the Websense® Security Labs™ is now available.

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

Here is a sampling of key findings from this year's report:

1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.
4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
5. Malware Behavior. Forensic analysis identified that registry modification behavior in malware has declined to 7.7%. Once a key indicator of malicious behavior, malware has now become increasingly Internet-connected. Half of all malware that used the Internet for communications and downloaded additional malicious executables to extend their attack capabilities in the first 60 seconds.
6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

Click for a video introduction or download a copy of the 2013 Threat Report.

LinkedIn is investigating reports that approximately 6.4 million user passwords have been posted on the Web. While the breach is still unconfirmed by LinkedIn (as of the time that we wrote this blog), they have acknowledged on their Twitter feed that their investigations have begun.

If you're a LinkedIn user, Websense® Security Labs™ recommends that you change your password immediately to help prevent your password from falling into the wrong hands.

After retrieving the password files that are being distributed on forums in the .ru TLD space, it appears that the passwords are hashed. However, based on samples seen by us, it has not been computationally difficult to translate them into clear text. Our initial investigations reveal that a password of "linkedin" features heavily.

It is uncertain how the hackers retrieved the stolen passwords; however, the passwords that users are finding in the hashed files do appear to be real.  We have identified the locations of several such password files and have classified those locations as Hacking.

So you may be asking how this list of stolen passwords can be used by a hacker?

The most potentially damaging combination would be using the corresponding username in conjunction with the stolen password. With this combination, you can imagine how a hacker may access an individual's LinkedIn account.

Once access to LinkedIn is obtained, or any social network for that matter, it could be possible to send direct messages to contacts within the network or to potentially auto-post on related social networks, thus harming the reputation of the individual or the business they may represent.

Now that hackers have a long list of potential passwords used, brute force attacks could become easier to conduct as a result of having this intelligence.

Even if these reports remain unconfirmed, it is definitely a good time to adopt sound practices around password security to help protect against malicious activity.

We in the Security Labs would like to offer the following recommendations:

• Change your password regularly.
• Ensure your password is suitably complex both in content and length; using a combination of numeric and alphabetic characters is a wise idea, as is mixing upper and lowercase characters with punctuation marks. Longer passwords are preferable.
• Do not use the same password across multiple services.
• If the website you are connecting to has the option of using the HTTPS protocol, as opposed to HTTP, make use of that.

First it was the Cheesecake Factory; now, it’s Timeline. Facebook, like many other social networking companies, is experiencing some user dissatisfaction, and scammers are taking advantage of anti-Timeline sentiment. According to Insidefacebook, scammers are creating pages that assure the public that by “liking” the page, watching the linked video, downloading a certain browser application, or inviting their friends to the page, they will be allowed to opt out of Timeline.

These pages all ask readers to "Like" the account, and some even ask them to subscribe. Some pages ask readers to install a browser application; Google Chrome and Firefox are common targets of such scams. Though some Facebook pages may look harmless, remember that being cautious is the best way to prevent potential data loss.

Timeline was introduced by Mark Zuckerberg during the F8 developer conference. There, he announced that the beta version of the interface would be available to Facebook users on September 22nd. 

So, what is Timeline? Facebook engineers implemented an algorithm that gathers all of your Facebook activity and organizes it based on what it deems important: your birth, high school graduation, first job, wedding, special events, and so on. The Timeline profile page is divided into two columns that contain recent photos, games, posts, and other activity. Since the algorithm decides what is relevant and what is not, there is a chance an event or a post you think is relevant might not show up in Timeline.  But fear not, the new page layout will allow editing so that users can manually change what information is shared or deemed important. 

Facebook employee Paul McDonald explains that Timeline allows users to add details of their lives before Facebook was created, providing an easy way to rediscover things once shared in real life. You have seven days to review and modify the timeline before it goes live and anyone else can see it. 

As long as Facebook remains the top social networking site, scammers will use new and innovative methods to try to steal and exploit user information, but rest assured that ACE  (Advanced Classification Engine) protects our customers from such scams.

Last week, China's largest software programmers' Web site CSDN (China Software Developer Network) was hacked, and account information for more than 6 million users was leaked and quickly spread via the Internet. One day later, Tianya, the biggest Chinese online forum, was reportedly hacked for the account information of 40 million users. This cyber attack has continued, with several well-known sites like the Duowan game, the 7k7k game, the e-commerce sites 360buy and Dangdang, some popular social networking and dating sites being hacked and user data leaked. Some sites' databases have been published on the Internet and can be easily downloaded.

Part of the CSDN leaked database download is shown here:

This incident is the largest data leak ever in China. The public databases contained personal account information, including user names, passwords, and email addresses. This data leak has caused great concern among millions of Chinese "netizens," especially those who use the same user name and password to access multiple Web sites. Clearly, this practice increases risk for these users, as criminals can easily use information from 1 account to log in to a user's other accounts to obtain even banking information.

CSDN and Tianya have since admitted that a user account data leak occurred, but the root cause and scale of the leaks are still under investigation. Both organizations have issued public apologies to users and urged them to change their passwords immediately. They have also asked the police for help.

A contributing factor to the severity of the data leaks is that much of the user information stored in the companies' databases was in plain text with no encryption. CSDN has admitted that old passwords in a backup file were saved in plain text until the year 2009, when they started to encrypt all user information. Unfortunately, the plain text personal data leaked to criminals affected millions of users and will certainly raise great concerns about Web security in the future. 

In an analysis of this data leak, some experts conclude that it was the result of a professional hacker attack technique called "Drag Database." In this technique, hackers first try to exploit the vulnerabilities of a target site. They then inject a Trojan to compromise the site and get the administrator authority to export the user database table, which they either store for future use or upload to the Internet for others to download. This underground industry can earn huge profits for hackers. 

This incident taught a profound lesson to both the Internet industry and individual Internet users. Users should enhance the protection of their personal account information by setting complicated passwords that are hard to crack and changing those passwords regularly. Internet companies should strengthen their user data management, and improve security guarantees and emergency response capabilities.

Websense made five predictions for security trends in the year 2011, and this huge data leak exactly matched the third prediction in that list:

Prediction #3: Status update: More corporate data breaches will occur over social media channels. 

• Search poisoning won’t be limited to Google, it will migrate to Facebook. Hackers will manipulate Facebook search algorithms to trick users into visiting fake brand and celebrity pages and increase exposure to malware.

• Employees will post confidential corporate data to public pages.

• Social media users will also be vulnerable to spam and malicious data-stealing content.

Websense security products can protected customers from this kind of data leakage incidents through our DLP(Data Loss Prevention) technology and TRITON™ solutions.

On Friday 1 April 2011, Epsilon, a marketing services firm, notified their customers of "unauthorised entry into email system".  Their press release can be seen here.

The press release advises that the information stolen during the attack included only customer email addresses and customer names and didn't include any other personal or financial information. In the wrong hands, however, even this limited amount of information can have consequences for those to whom the data pertains.  We shall explore some typical scenarios below.

What does this mean to Epsilon's customers?

Many well-known brands in the hotel and leisure, entertainment, and retail industries (to name but a few) use Epsilon's services to send marketing emails to their customer base.  It would appear that the list of customer contacts were the very information that was stolen, and we are starting to see that affected businesses are advising their customers of the issue.  We commend them for doing so.

What does this mean to you as a customer of one of Epsilon's clients?

It has been proven that attackers have better success rates when they know more about the victims they are targeting. In these cases, the attackers may use knowledge around the inclusion into one or many of these services to lure them. Additionally lures may include details that use this event to entice users. So it's very likely that we will see spear-phishing attacks sent to these email addresses; spam/malicious emails where the language and layout is very targeted to the victim. An attacker with this information might for example know which hotel chain you prefer, which bank you use and your favorite electronic store.

 
In addition, attackers may use this breach to gain other pieces of valuable information from the victims such as: bank details, passwords for accounts, and other sensitive pieces of information by creating very specific and targeted emails.

 
Our ThreatSeeker® Network is scanning for attacks in the wild that are using the stolen data to lure victims, and we will update this blog when we find these attacks.

Brian Krebs has a timeline of when companies disclosed this data breach at his website Krebsonsecurity.  A number of high-profile global clients have been affected.