iDefense Labs delivers topical papers monthly as a PDF file attachment to an e-mail and via secure conference call. These reports contain in-depth analysis on a specific issue related to cyber security. Report topics are determined approximately two weeks before publication. Click on the paper title to request a sample research report - please note that we do require that you supply a valid corporate e-mail address.
>> 06.04.09 : Cloud Computing: Enterprise Risks & Mitigation Strategies (11:00 AM EDT)
In recent years, the concept of cloud computing has become a more viable enterprise solution for dealing with complex infrastructures, data retention and software licensing. Today, corporations and governmental agencies are beginning to use cloud computing as a means of reducing network and software costs while providing the same, and sometimes greater, level of service to their employees. Cloud computing does come with a certain level of risk that companies must assess, however. Organizations that leverage cloud computing must fully understand the implications of moving their data and resources out of their locally controlled infrastructure. In this webinar, analysts from iDefense will discuss:
- The concepts behind cloud computing
- The risks enterprises should consider before using cloud computing
- A sampling of mitigation strategies for the risks of cloud computing
>> 03.25.09 : Mobile Security: New Risks, Old Consequences (11:00 AM EDT)
New mobile device services and payment systems have become popular targets for attackers as use of these services and systems increases around the world. The compromise of mobile devices can introduce new risks and reintroduce old consequences. The introduction of a variety of mobile payment systems and user-generated applications has made mobile devices an attractive target for hackers. Existing mobile banking environments like Japan and South Korea reveal insights into the possible future of mobile banking and threats to mobile devices in other countries that are just beginning to introduce mobile banking and payment systems. In this webinar, analysts from iDefense will discuss the weaknesses that have allowed mobile malicious code to spread in the past, how attackers may abuse these systems in the future and what organizations can do to protect mobile users.
The introduction of a diversity of mobile payment systems and traditional threats applied to mobile devices makes such devices attractive targets for hackers. This presentation offers detail on:
- The weaknesses that have allowed mobile malicious code to spread in the past
- How attackers may abuse mobile device services and payment systems in the future: existing mobile banking environments like Japan and South Korea reveal insights into the possible future of mobile banking and threats to mobile devices in other countries that are just beginning to introduce these systems
- What organizations can do to protect mobile users
>> 12.17.08 : 2008 Cyber Trends and 2009 Predictions
Throughout the past decade, cyber threats have evolved from rare oddities to major risks to the security of enterprises and governments. In terms of frequency, ubiquity, sophistication, diversity and severity, the malicious use of information technology has surpassed a tipping point in its maturation, and now no organization in the developed world remains unaffected, much less safe. Moreover, preventive and defensive capabilities are evolving less rapidly than the threats, which are now sustained by robust, global black markets and by ambitious government espionage programs. Looking forward, 2009 will erase any lingering doubt as to the full significance of these problems and the difficulties of addressing them. The purpose of this report is to provide insight into what 2009 will bring.
>> 11.05.08 : Taking Virtual Worlds Seriously: Implications to the Intelligence Community
Given the anticipated pervasiveness of online environments, the US government should spend some portion of its resource budget to monitor, track and understand how multi-user online environments (MOEs) progress over the next 5-10 years and to actively engage these environments in ways beneficial to its intelligence mission. A migration toward virtual environments as a way to exist on the Internet among the general populace will likely precede the adoption of this medium by nefarious organizations and individuals, groups and others. If they act quickly, US intelligence and homeland security organizations can prepare themselves to be ready to operate within these new environments when the appropriate time arises.
>> 10.08.08 : The Cyber Threat Landscape of Brazil
Unlike its more dynamic counterparts, the cyber threat environment of Brazil is characterized by a highly specialized, ultra-specific focus on fraud conducted via banking Trojans disseminated by sophisticated phishing attacks. Almost all visible cyber criminal activity in Brazil is financially motivated and focuses on banking Trojans targeting Brazilian banks and phishing techniques for distributing these Trojans. As a result, Brazil is now home to some of the world's most skilled Trojan authors and most innovative fraudsters. Indeed, the ease with which cyber criminals are able to steal from Brazilian banking customers is a key reason for the relative paucity of other cyber threat categories in the country. The Brazilian security community has adapted accordingly, with Brazilian banks emerging as leaders in tracking and combating Trojans; however, this hyper-specialization of Brazilian computer security is not without its drawbacks. The private sector in Brazil lacks a strong culture of intellectual property protection, and it does not prioritize corporate espionage as a significant threat. Public cyber crime authorities also find it difficult to manage the sheer volume and sophistication of the country's information security environment. However, this is not for any lack of expertise or professionalism; rather, inadequate legislation and a lack of material resources handicap the efforts of otherwise able Brazilian law enforcement professionals.
>> 09.10.08 : Detecting and Tracking Trojan Horse Command-and-Control Servers
Information-stealing Trojan horse programs quietly infect systems, capture valuable information and transmit it back to a central command-and-control (C&C) server. While some attackers create custom Trojans for specific purposes, less-technical criminals use simple toolkits to create binaries for their own use. These toolkits generate slight variations on a single Trojan that report to different C&C servers but use the same mechanisms to capture and report data. It is possible to detect communications between Trojans and C&C servers using a network-based intrusion detection system (IDS). Deploying signatures that detect this traffic across many monitored networks allows analysts to determine which networks most commonly host C&C servers. Clusters of these servers can indicate the existence of a rogue network that specializes in serving malicious content. Locating these clusters lets defenders further increase network security by monitoring any traffic destined to them, all of which is highly suspicious.
>> 08.06.08 : A Nodal Analysis of Islamic Extremist Websites
Since the beginning of the 21st century, the use of Internet technology by Islamic extremist-oriented terrorists to further their ideological and political goals has expanded greatly, in many ways mirroring the drastic expansion of worldwide Internet usage itself. A number of trends in the worldwide Islamic extremist-oriented terrorist movement and its evolving Internet presence are increasingly attracting the attention of iDefense analysts. Foremost among these is the rising interest in computer hacking and cyber warfare among terrorists, as evidenced by ongoing discussions of this subject on chat forums frequented by people with terrorist sympathies and hacking interests. This report contains a detailed survey of the Internet's largest and most prominent Arabic-language terrorist chat forum sites. It samples the content of each site's most active forum section in detail, provides a general survey of each site's other noteworthy forum sections, examines the links and affiliations of each site with various terrorist organizations and movements, and also takes a look at some of the influential and noteworthy members on each forum. Particular attention is also paid to specific hacker-oriented forum sections, the interests of their members and indications of any hacking and cyber terrorism discussions found elsewhere on the forums.
>> 07.09.08 : Cyber Fraud Trends 2008
Financial institutions worldwide face an ever-increasing number of malicious code and phishing attacks that adapt and mature constantly. Regulators and industry promote authentication as a panacea while the crooks are developing and deploying highly specialized Trojans designed to target and circumvent multifactor authentication schemes. Hijacking transactions that a user has initiated and authorized is the newest of these targeted threats. This technique has been discussed theoretically for some time but has now left the malware labs and is actively being used in real-world attacks. Technology and implementation are important factors for the effectiveness of multifactor authentication schemes, and even strong technologies with correct implementations that thwart transaction-hijacking attempts have weaknesses that might constitute a surface for future attack scenarios.
>> 06.04.08 : BBB: A Threat Analysis of Targeted Spear-Phishing Attacks
Since February 2007, organized groups of cyber criminals have launched more than 50 waves of highly targeted cyber fraud scams, impacting corporations and governments alike. These attacks use a social engineering technique, called "spear phishing" and sometimes "whaling," to trick a user into installing malicious code, which allows the attacker to collect valuable data from the compromised computer.
Organizations of all types and sizes must immediately deal with the risks these attacks pose to internal staff and customers, each for their own reasons. Financial institutions face special risks from these attacks due to the specific and aggressive targeting of their customers and applications, while government and contracting organizations stand to leak vital strategic and national defense data.
Because these fraudsters target specific corporate employees with high levels of access, and because they aggressively use the stolen information, these types of attacks are more dangerous than conventional Internet fraud schemes.
>> 05.07.08 : IFrame Attacks - An Examination of the Business of IFrame Exploitation
When users open a Web page with Internet Explorer, Firefox or any other Web browser, they only notice the page they typed in the address bar. Regular users rarely realize that, to resolve some pages completely, their computers must connect to other, often unknown websites. Few users are aware of these in-line frames, or "IFrames," since they are transparent to everyday users. Browsers use IFrames to load another website into the one the user knows they are viewing. A design feature of many popular browsers, IFrames were not created for malicious purposes, but their simplicity has made them ideal attack vectors for malicious interests.
The actors behind IFrame exploitation attacks are working very hard to make the largest amount of money, in the shortest amount of time, and without getting caught. Every technical aspect of these attacks represents a convenient way to carry out widespread attacks for maximum profit and minimal exposure. While most readers might not necessarily understand the technical aspects of these attacks, they should still have a conceptual understanding of both the technology and the fraudsters behind this new brand of online theft costing millions of dollars per year. These groups continue to find ways to attack businesses and their consumers to collectively steal billions of dollars per year. Phishing attacks that use social engineering are successful, but have many technological roadblocks to deal with. By using malicious codes, mostly Trojan horses, to steal banking credentials and perform transaction hijacking attacks, malicious actors can target a wider group of banking customers and steal more data. Exploiting vulnerabilities through IFrames is simply the technological means to carry out these attacks.
>> 04.02.08 : SilentBanker Unmuted
Silentbanker is a serious threat, as most banking Trojans are. Silentbanker uses a variety of common techniques including cookie stealing, form grabbing, certificate stealing, HTML injection and HTML replacement. However, Silentbanker's automatic transaction hijacking capability, which is the primary concern for most customers, currently targets E-gold customers only and presents functionality that was present in other Trojans nearly two years before Silentbanker's discovery.
Silentbanker's primary threat comes not from its features, which are reminiscent of those of nearly a dozen other banking Trojan families, but rather from the overall threat of the attackers responsible for it. iDefense has attributed every attack since May to the same group of attackers, meaning this Trojan is not likely a free-standing toolkit for resale. This single group of attackers has added new targets over time, with the latest target list more than 10 times larger than their initial list. The attackers have also managed to add new domains and frequent rebuilds to keep this attack alive and undetected. In January 2008, the attackers launched a new version of the Trojan with a huge set of code revisions, revealing that the project has not reached any type of plateau. The last piece of the puzzle, which also contributes to the overall uncertainty, is the number of infected users. iDefense has been unable to recover any stolen credentials and has no gauge of how many users are infected.
>> 02.20.08 : Banking Trojans: An Overview
This report aims to familiarize users with different techniques and the toolkits that utilize them. Although toolkits are examined to show the ease of attacks, this is not the sole purpose of this report. With knowledge of the overall landscape of banking Trojans, organizations can make specific decisions and develop mitigation strategies. This report will show that auto-transaction malicious code is used in the wild, and that although multiple-factor authentication is important, many techniques are being circumvented. Most importantly, the mitigation section will describe little-known techniques to identify potentially infected users with the goal of preventing loss from a variety of banking Trojan families.
>> 01.09.08 : 2008 Cyber Threats and Trends
Throughout the past decade, cyber threats have evolved from rare oddities to major risks to the security of enterprises and governments. In terms of frequency, ubiquity, sophistication, diversity and severity, the malicious use of information technology has passed a tipping point in its maturation curve, and now no organization in the developed world remains unaffected, much less safe. Moreover, preventive and defensive capabilities are evolving far less rapidly than the threats, which are now sustained by robust, global black markets and by ambitious government espionage programs. This means that things will grow much worse before they get better. The information security community and a few key commercial sectors, such as finance, have for several years anticipated this distressing state of affairs, and were often ignored, but 2007 forced a rude awakening upon policymakers, the media and, thus, the general public. Looking forward, 2008 will erase any lingering doubt as to the full significance of these problems and the difficulties of addressing them. The purpose of this report is to provide insight into what 2008 will bring.
>> 12.12.07 : Web-Based Fraud: Principles, Trends and Mitigation Techniques
Online financial cyber crime has increased exponentially in the past four years, forming the foundation of a trend that shows no signs of abating.
What began with simple 419 scams and rudimentary phishing has grown into a highly complex underground economy generating professional-quality software tools, legitimate businesses that provide protection to cyber criminals, sophisticated stock-manipulation schemes, and, most tellingly, a sense of community among the criminals. The global total of criminal gain from cyber fraud is impossible to estimate precisely, but most indicators suggest it stands in the high tens of billions of dollars, perhaps in the hundreds.
This report seeks to better inform organizations as to the state of the threats present in the cyber fraud underground. This report provides a conceptual model with which to analyze the fraud underground, and puts this model into practice by assessing the current state of the carding underground, phishing, pharming, Trojans, toolkits and pump-and-dump scams, to name only a few.
>> 11.07.07 : IPv6 - Risks & Ramifications of a Potential Disruptor
While the various modifications and improvements to IPv4 have served the Internet well, these stopgaps can only go so far. Fortunately, IPv6 is finally maturing and provides some much needed functionality that will undoubtedly facilitate growth and innovation. Now that more products include IPv6 functionality, the technology is slowly becoming a reality. While this is a slow process, it will be moved along by the US Government's mandate that organizations implement IPv6 by 2008; the mandate even includes organizations that do not have external factors forcing an upgrade.
While delaying deployment may lead to missed opportunities, completely disregarding the technology can have serious security ramifications. Most networks are partially IPv6-capable whether or not network managers are aware of it, and IPv4 networks left unprepared are vulnerable to attackers. So, for those considering upgrading to IPv6, there are a number of issues to consider before taking the plunge. Organizations must remember that platform upgrades of this scale will cause disruptions. In addition, an upgrade could cause confusion, resulting in security holes that attackers will certainly try to exploit. These are just some of the issues network managers and implementation specialists must consider, which makes it imperative they have a solid understanding of this new protocol. From a strategic standpoint, IPv6 facilitates a paradigm shift toward increasingly distributed, end-to-end communications, changing the threat landscape and requiring similarly distributed security. This report provides an overview of IPv6 and discusses the risks associated with its implementation.
>> 10.03.07 : Cyber Espionage: China and the Network Crack Program Hacker Group
In the summer of 2006, the Network Crack Program Hacker group, the NCPH, conducted a series of cyber attacks that targeted multiple US Government institutions. In the end, the NCPH siphoned millions of unclassified government documents back to China. This presentation will explain how they did it, why they did it and will profile how the group operates.
>> 09.05.07 : Predicting Disruptive Technologies over the Next 5 Years
Disruptors, understood as radical shifts in technological or behavioral trend-line trajectories, are considered "disruptive" largely because they are unforeseeable or else, if somewhat foreseeable, cannot be modeled precisely enough to facilitate control over the process. With this in mind, this report analyzes numerous and varied potential disruptors, some of which may never come to fruition. Thus, each section explicitly acknowledges the level of confidence with which analysts estimate each disruptor's potential impact; some will be almost sure to occur, others less likely and still others of uncertain likelihood. In this way, decision makers can allocate resources according not only to the potential impact, but also considering the likelihood of its occurrence.
>> 08.08.07 : Uncovering Online Fraud Rings: The Russian Business Network
The Russian Business Network (RBN) developed into its current incarnation as "the baddest of the bad" Internet service provider (ISP) in June 2006. Before then, much of the malicious code currently hosted on RBN servers was located on the IP block of another St. Petersburg ISP, the now-defunct ValueDot. Like ValueDot before it, but unlike many ISPs that host predominately legitimate items, RBN is entirely illegal. VeriSign iDefense research identified phishing, malicious code, botnet command-and-control (C&C), and denial of service (DoS) attacks on every single server owned and operated by RBN.
>> 07.11.07 : Motives, Methods and Mitigation of Insider Threats
Although security plans are usually designed to look outward to mitigate threats and attacks from the Internet, they often fail to address the more likely attack vector - the malicious insider. This report examines the anatomy of the insider threat - what makes the malicious insider tick, how they often hit and what organizations can do to prevent damage or loss. A heavy focus upon the impact to financial and retail organizations is included in this research.
>> 06.13.07 : Wicked Rose and the NCPH Hacking Group
More than 35 zero-day targeted attacks and related exploit codes emerged during the summer of 2006. Wicked Rose is the Chinese hacker responsible for developing the infamous GinWui rootkit used in the earliest attacks. This VeriSign-iDefense exclusive report provides participants with an in-depth view into the means, motives and culture of Wicked Rose's NCPH hacking group, including photos of the individual hackers. This is a story you won't read about anywhere else, revealing the intimate details of some of the most sophisticated targeted attacks to date.
>> 05.16.07 : Security Advancements in Microsoft Windows Vista and IE7
Microsoft Corp. released beta versions of its new Windows Vista operating system and version 7.0 of its Internet Explorer Web browser in 2005. However, the new products have yet to be released commercially. This presentation will focus on the new security features planned for these two new products, explaining how these features will benefit the overall security of the Windows platform and potential problems they may introduce. Emphasis will be placed on how vulnerabilities in earlier versions of Windows led Microsoft to implement these features and change the way the company approaches software security.
>> 04.18.07 : What You Need to Know about Data Execution Prevention (DEP)
According to Microsoft, Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. When designing a multi-tier security plan, DEP can play an important role in preventing exploitation and is enforced by hardware and software in Windows XP Service Pack 2. In this presentation, iDefense will discuss the history of DEP, its advantages and availability in modern operating systems and, most importantly, the limitations and drawbacks of deploying it.
>> 03.21.07 : Instant Messaging and Network Security
Publicly available instant-messaging services grow more popular with corporate users every day. With the ability to communicate and multitask with many users instantaneously, "IM" applications and online services have become a popular method of business communication. As its popularity grows, so does the risk of IM-specific cyber threats. Any organization using a publicly available service that relies on servers hosted outside that organization must take this into account when assessing the security posture of its corporate network. This report examines the risks involved in using third-party IM services in general, and specific threat issues related to proprietary information leaks, malicious codes, vulnerabilities and general security concerns associated with each of the most popular messaging platforms.
>> 02.21.07 : Distributed Denial-of-Service Attacks: Latest Motivations and Methods
The distributed denial of service (DDoS) attack is among the most potentially costly and intractable cyber threats facing technology-dependent companies today. DDoS attacks are also more frequent, larger and more costly than ever before, and the number of available "zombie" computers in the wild is greater than ever. The commanders of bot armies are more numerous, more sophisticated, harder to identify and have better tools than at any time in the past, and these trends will continue for the foreseeable future. This report discusses which DDoS mitigation and prevention strategies are used to keep technology-driven organizations in business today, why they are used, and how early DoS attacks evolved into present-day techniques.
>> 01.10.07 : Preventing Malicious Code from "Phoning Home"
Modern malicious codes often have the capability to send spam, act as a proxy, download and execute additional malicious codes and other functionality, all while acting as a node in a large, centrally managed botnet. These botnets require command channels to communicate to their owners, and these channels almost always use outbound connections from the bot to bypass firewalls that prevent incoming connections. The traditional approach of blocking all inbound connections except for specific hosts in a "demilitarized zone," combined with allowing only certain outbound access (such as that required for e-mail and Web access) is effective against many malicious codes, but still has its limitations. This presentation will discuss motivations, covert channel methods and ways to mitigate such traffic going forward.
>> 12.13.06 : Major Threats and Trends Impacting the Cyber Security Landscape in 2007
What will the cyber security landscape reveal for 2007? Will it be new mobile malicious code threats? Will it be sophisticated bots or multi-variant malicious code attacks? What about the impact of Vista and Internet Explorer 7? Having performed an extensive review of 2006 cyber security threats, iDefense reviews the top trends, including zero-day and targeted attacks of 2006, to identify the most likely threats to emerge in 2007.
>> 11.29.06 : What You Need to Know about Data Execution Prevention (DEP)
According to Microsoft, Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. When designing a multi-tier security plan, DEP can play an important role in preventing exploitation and is enforced by hardware and software in Windows XP Service Pack 2. In this presentation, iDefense will discuss the history of DEP, its advantages and availability in modern operating systems and, most importantly, the limitations and drawbacks of deploying it.
>> 11.08.06 : Instant Messaging Threats
Publicly available instant-messaging services grow more popular with corporate users every day. With the ability to communicate and multitask with many users instantaneously, "IM" applications and online services have become a popular method of business communication. As its popularity grows, so does the risk of IM-specific cyber threats. Any organization using a publicly available service that relies on servers hosted outside that organization must take this into account when assessing the security posture of its corporate network. This report examines the risks involved in using third-party IM services in general, and specific threat issues related to proprietary information leaks, malicious codes, vulnerabilities and general security concerns associated with each of the most popular messaging platforms.
>> 10.04.06 : Mobile Malicious Code: What Lies Ahead?
Wireless solutions, especially cellular "smartphones," are experiencing steady growth worldwide. Concurrently, new technologies are being developed to cater to this new area of opportunity for commercial gain. Roaming cellular solutions have quickly evolved into smartphones that include camera phones, full color, video games and more. As mobile communication use increases and evolves, valuable information assets also increase. Thus, an environment for abuse and criminal attack opportunities is created.
This report asks, how does mobile malicious code compare to desktop malicious code in terms of functionality and capabilities? Are there specific vulnerabilities of specific phones or operating systems that are more vulnerable to attack? What about Java 2 Micro Edition (J2ME) featured phones? Are they vulnerable to attack? Finally, what are the best security practices and mitigation for dealing with mobile malicious code today?
>> 09.20.06 : Attacking the Code: Source Code Auditing
Source code auditing has always been considered an art form that many have wished to learn. The purpose of this presentation is to unveil the techniques and methodologies behind efficient source code auditing. Examples of common programming mistakes found in real-world applications are included with detailed analysis of the problems surrounding the vulnerabilities. The presentation also aims to provide new techniques to beginning and experienced code auditors to help improve on their current skills.
>> 09.06.06 : Malicious Code Year-to-Date Trends
iDefense identified an initial drop in documented malicious code threats starting in January 2006. This trend has continued and, by this summer, has gained some media exposure. iDefense has analyzed aggregate reports to date to provide an exclusive view that attempts to assess not only why the drop in malcode has occurred, but how it has actually increased risk.
>> 08.09.06 : An Analysis of New Security Features Within Microsoft Vista and Internet Explorer 7
Microsoft Corp. released beta versions of its new Windows Vista operating system and version 7.0 of its Internet Explorer Web browser in 2005. However, the new products have yet to be released commercially. This presentation will focus on the new security features planned for these two new products, explaining how these features will benefit the overall security of the Windows platform and potential problems they may introduce. Emphasis will be placed on how vulnerabilities in earlier versions of Windows led Microsoft to implement these features and change the way the company approaches software security.
>> 07.19.06 : Voice-over-Internet Protocol (VoIP) Vulnerabilities
One technology that has experienced a recent explosive growth is Internet Protocol Telephony, better known as Voice over Internet Protocol (VoIP), which effectively integrates data and voice communications. VoIP has already proven a cost-effective solution for individuals and corporations that already have perpetual high-speed Internet connections. VoIP will be the only communications medium available for voice traffic in the foreseeable future, and the current movement toward integrating voice and data traffic is indeed inexorable. However, VoIP technology is immature and is thus another factor to consider on an otherwise burdened infrastructure. This report attempts to determine and enumerate the nature of the security and safety threats putting today's corporate VoIP networks at risk. It illustrates the rapidly increasing rate of exploitation and attack vectors, describing attacks that are both general (directed against the Internet backbone of the VoIP network) and specific (targeted toward specific VoIP implementations).
>> 06.21.06 : Emerging Economic Models for Vulnerability Research
There are few who would argue that there is not economic value in the discovery of security vulnerabilities. Evidence of this can be seen in the many business models that are emerging to profit from this knowledge. The question that remains is how these economic models impact those who are affected by the vulnerabilities themselves. This paper looks at economic vulnerability models that exist in the market today and analyzes how they affect vendors, end users and vulnerability researchers. The markets addressed include the government, open, underground, auction and vendor markets. Each of these models is defined, including its expenses, revenues and challenges. The impact and implications of each model are also investigated. Finally, the paper examines how each of the models affects these various actors and projects the future of the market to see how the models that exist today will help to shape and drive the future of vulnerability research.
>> 06.14.06 : Assessing Geographic Trends and Threats
Geopolitical hotspots can be identified through a multitude of factors, including the demographics of a given country or location. It is common to hear organizations name the areas most commonly infected with malicious code, the countries most prevalent for hosting phishing servers, and so on. Are these countries truly the geopolitical hotspots of Internet attacks? This article takes a discerning look at the demographics of the Internet for the top countries and correlates that data with recent reports of geopolitical hotspots.
>> 05.24.06 : Metafisher Trojan Activity
The Metafisher family of Trojans shows an unprecedented level of sophistication in the malicious code arena. The phishing attack is carried out using a botnet that is controlled through a Web-based command-and-control server. This structure lets the botnet's operators control bot populations several orders of magnitude larger than a traditional IRC-based control structure allows. But Metafisher is more than just a Trojan/bot; it is a professionally built suite of tools with a user-friendly administration interface and software lifecycle management comparable to that of many commercial software products. This suggests that Metafisher is being developed and sold as a phishing toolkit to interested third parties. This report explores these facts in greater detail and explains the implications of Metafisher-related criminal activity.
>> 05.10.06 : IDS Evasion Techniques and How to Prevent Them
Intrusion detection systems (IDS) detect inappropriate, incorrect or anomalous host or network activity. This presentation describes common techniques used to evade IDS detection and the countermeasures that defeat them. The goal is to answer the question: to what extent should network administrators rely upon an IDS for security and for advance warning of attacks?
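As an added illustration of one classic evasion and its countermeasure (this is example code written for this page, not material from the iDefense presentation): a literal signature for directory traversal fires only on the bytes `../`, so URL encoding, double encoding, encoding only the slash, or backslash separators all slip past it, while a sensor that canonicalizes the request path the way the target server will before matching catches every variant. The request lines are constructed for the example; the signature and the normalization rules are the assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP request lines (not from any real capture).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",                                  # benign
    "GET /cgi-bin/../../etc/passwd HTTP/1.0",                    # plain traversal
    "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0",            # URL-encoded dots
    "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.0",    # double-encoded
    "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0",                # encoded slash only
    "GET /cgi-bin/..\\..\\etc/passwd HTTP/1.0",                  # backslash separators
]

# The kind of literal signature a naive sensor ships with (assumed for the example).
NAIVE_SIGNATURE = re.compile(r"\.\./")


def request_path(request_line):
    """Return the request-target of 'METHOD target HTTP/x.y'."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else request_line


def naive_match(request_line):
    """Fires only when the bytes '../' appear verbatim on the wire."""
    return bool(NAIVE_SIGNATURE.search(request_line))


def normalize_path(raw_path, max_decode_rounds=3):
    """Canonicalize a request path the way the target server will see it:
    percent-decode repeatedly (bounded) so double encoding is undone, treat
    backslash as a separator, and drop empty and '.' segments while keeping
    '..' so that traversal stays visible to the matcher."""
    path = raw_path
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = [seg for seg in path.split("/") if seg not in ("", ".")]
    return "/" + "/".join(segments)


def normalized_match(request_line):
    """Match on the canonical path instead of the raw bytes."""
    return ".." in normalize_path(request_path(request_line)).split("/")


def evaluate(request_lines):
    """Return (naive_hit, normalized_hit) for each request line."""
    return [(naive_match(r), normalized_match(r)) for r in request_lines]


if __name__ == "__main__":
    for req, (naive, norm) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"naive={naive!s:5} normalized={norm!s:5}  {req}")
```

Only the plain form trips the literal signature; the four encoded or backslash variants are invisible to it and visible after normalization. The decode loop is bounded on purpose: an unbounded one is itself a resource-exhaustion target.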
>> 04.26.06 : The Evolution and Current State of DDoS Attacks
The distributed denial of service (DDoS) attack is among the most potentially costly and intractable cyber threats facing technology-dependent companies today. DDoS attacks are more frequent, larger and more costly than ever before, and the number of "zombie" computers available in the wild is greater than ever. These trends will continue for the foreseeable future. This presentation traces how early DoS attacks evolved into present-day techniques, and discusses which DDoS mitigation and prevention strategies keep technology-driven organizations in business today, and why.
>> 04.26.06 : IE vs. Firefox: A Vulnerability Comparison
As the number of vulnerabilities in Microsoft Corp.'s Internet Explorer (IE) continues to climb, users are looking elsewhere for a safer Web browsing solution. Competing Web browser developers are taking advantage of IE's security shortcomings to gain market share on Microsoft. One such entity, The Mozilla Organization, has experienced great success with the release of its Firefox browser.
iDefense analysts issued a paper Sept. 30, 2005, showing that the number of vulnerabilities in both IE and Firefox is climbing, and that malicious code is taking advantage of these issues to infect hosts and spread across the Internet. As these threats mount, users are left waiting for patches, updating anti-virus signatures, and continually looking for a more secure solution. Both Microsoft and Mozilla are taking measures to secure their respective products, each with mixed success. This paper, with metrics updated as of April 26, 2006, compares and contrasts the two browsers and their respective futures from a security perspective.
>> 04.12.06 : Security of the Google Desktop Toolbar
By installing and using the Google Desktop Toolbar, a user can search the files stored on his local computer and the Internet simultaneously. Using the product's advanced features, it is even possible to search other computers that run the Google Desktop software, and it is this feature that has caused concern among security researchers. This presentation examines the installation and operation of Google Desktop Search in order to assess the product, describes the security weaknesses and vulnerabilities that exist in the latest version, and shows how these issues can be partially mitigated with reasonable security policies.
>> 03.29.06 : Money Mules: Sophisticated Global Cyber Criminal Operations
Criminals steal thousands of credit card and bank account credentials daily through phishing, Trojan horse attacks and other attack vectors. Thousands of dollars a day are then laundered into offshore bank accounts, through dozens of countries, by "money mules," the money launderers of the phishing world. Cyber-fronts are created to solicit, hire and exploit these money mules in multiple countries, and a mule can make $10,000 or more in a month for part-time work. This report looks inside the world of money mule operations and provides several examples of business fronts and job offers.
>> 03.15.06 : Social Engineering: The Effect on Information Security
Researchers have often pointed to human users as the weakest and most commonly exploited attack vector. Although social engineering tactics have evolved, they remain simple and effective. In this report, iDefense explores the extent to which such targeted trickery affects the security environment today, and how it will continue to affect information security in the future.
>> 03.01.06 : Sober Worm Post-Mortem
Sober was the most prevalent e-mail worm of 2005. The carefully planned and coordinated attack started in early November 2005 and lasted until Jan. 6, 2006. In this presentation, iDefense examines the progression of the Sober attacks and the techniques the worm used both to infect its hosts and to spread to others. iDefense also covers the impact these attacks had on key corporate infrastructure and the future of the Sober worm itself.
>> 02.15.06 : Rootkits and Other Concealment Techniques in Malicious Code
For malicious code to provide its author with some benefit, it must succeed in four areas: propagation, infection, malicious actions and persistence. With the advent of multi-tasking computers and the increased popularity of networking in general and the Internet in particular, the tools and techniques available to malicious code authors have improved considerably. This report focuses on those tools and techniques, concentrating on the evasion of first-line defenses, autostart mechanisms and rootkits.
>> 02.01.06 : The Rise of Online Islamic Extremist Propaganda
Numerous recent media articles have noted that al Qaeda is improving its information operations through use of the Internet, which provides a means of anonymous communication and of disseminating news of the group's military successes. This report documents the frequent presence of Islamist extremist propaganda (IEP) online and provides a clearer understanding of the different forms of IEP, classified by the specific objective and approach of each type.
>> 01.18.06 : 2005: Intelligence Year-in-Review
What will 2006 bring in terms of new threats and attacks? iDefense looks back at historical indicators and warnings to predict the major threats of 2006. Topics include an overview of malicious code and vulnerability activity for 2005 and selected indicators and warnings. The presentation culminates with several notable examples of criminals launching code for cash in 2005 and how that will shape the threat landscape in 2006.
>> 01.05.06 : Top 10 Spyware Applications
As most people herald the arrival of 2006 with fanfare, the creators of spyware and adware applications continue inexorably toward the goal of maximizing revenue from their creations. The automatons they set in motion do not take holiday breaks, preferring instead to lie in wait for the next user gullible enough to download, install and use the malicious software and thereby profit the spyware distributors. Spyware is a perfect example of the growing trend in which questionable entities exploit the Internet for financial gain. The last few years have shown that malicious code, and its cousins adware and spyware, have become the raison d'être of many computer professionals. Additionally, the fine line between the malicious code camp (writing and distributing worms, viruses, Trojan horses and combinations thereof) and the adware and spyware camp (writing code that is "questionable" at the least) is blurring, and successful techniques used by one faction are often, and quickly, incorporated into the products of the other. There is even a fast-growing trend of adware and spyware being deployed by means of malicious code droppers and websites, all in the pursuit of easy money.
>> 12.15.05 : Exploitation Frameworks
The iDefense exploitation framework comparison is a comprehensive review of the features of the CORE IMPACT, Immunity's CANVAS and Metasploit exploitation frameworks. Corporations typically use these frameworks to perform penetration testing on their internal systems. However, attackers also frequently take advantage of the automated test-and-penetrate mechanisms that these frameworks offer. In this report, iDefense compares the frameworks to determine which is the most useful in a corporate setting and which might prove the most significant threat to vulnerable networks.
>> 11.04.05 : Targeted Malicious Code Attacks
A targeted attack focuses on a specific sector, organization or individual. Recent news stories about a report from the UK National Infrastructure Security Coordination Centre (NISCC), followed by a similar but separate CERT advisory, have generated much concern about targeted attacks, including their likelihood and potential impact. This report gives an overview of targeted attacks, selected examples to date, the exploits and code used in them, their likelihood and impact, and mitigation measures.
>> 10.06.05 : Threat Assessment: Outsourcing to India
This iDEFENSE Focused Intelligence Report discusses a recent rash of insider data theft in the Indian business process outsourcing (BPO) sector and assesses the reaction of the Indian government and private-sector regulators. The report argues that much of the media coverage of the data theft incidents should not be taken at face value, and that the Indian reaction is in principle promising, although its success will ultimately depend on rigorous and measured implementation.
>> 09.01.05 : Malicious Codes Targeting Internet Explorer
Microsoft Corp.'s Internet Explorer (IE) has been around for more than a decade. Since its inclusion with the Windows operating system, IE has rapidly gained popularity, overtaking its competitors to become the most widely used Web browser on the Internet. IE use has continued to grow almost unchallenged for the last several years. Recently, however, as online security has become a greater concern to the Internet community, many users have started switching to alternative browsers that offer greater security measures by default. In spite of this, IE still commands 88.86 percent of the market, according to one source; this is especially true in enterprise settings.
While most software packages contain exploitable vulnerabilities, very few applications have been targeted by as diverse a variety of attacks as Internet Explorer. The number of Trojan horses, viruses, worms, phishing attacks, and spyware and adware applications that have specifically targeted this application in the last few years is greater than ever. This report provides an in-depth examination of the components of the Internet Explorer browser that have been exploited by malicious code.
>> 08.18.05 : The Evolution of Blended Threats
As the days of single-purpose malicious code fade, more complicated threats have emerged. The payload of these "blended threats" allows malware to propagate via a number of attack vectors, extending the scope of infection. These threats have become a system administrator's nightmare, continuing to circumvent the protection mechanisms in place and wreak havoc on the targeted network. The intent behind these new threats has become more malicious as well: rather than simply wiping an infected system, many blended threats employ stealthy tactics to steal sensitive personal, financial and corporate information for potential sale on the black market.
In addition to infecting systems through traditional channels, blended threats are targeting the newest technologies. As detection and prevention technologies increase in complexity, blended threats are starting to target newer platforms such as cell phones, PDAs and VoIP-enabled devices. With malicious code authors constantly designing more innovative code, the need to thwart such malware keeps growing. The underlying components of this continuing battle are discussed in this paper.
>> 08.03.05 : Spyware Attack Vectors: Mitigating the Threat
In 2004, the spyware industry earned over 2 billion dollars through the distribution and installation of applications designed to monitor and report on the activities of their victims. Conversely, the corporate anti-spyware industry earned an estimated 100 million dollars and is projected to reach 1.2 billion dollars in revenue by 2010. This battle between the spyware and anti-spyware industries is costing those caught in the middle, the computer end users, from both sides, and has become the equivalent of an excise tax on Internet use.
A recent survey of the "best" anti-spyware products demonstrated that no one package can remove all spyware, which often forces those in the middle to purchase more than one solution. Also adding to the aggregate cost of the spyware pandemic are regulations such as Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404), the Gramm-Leach-Bliley Act of 1999 (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), all of which place the onus of securing data squarely on the shoulders of the corporations housing that data, without regard to whether an intrusion was caused by a legitimate or an illegitimate spyware application. As such, a breach of these regulations may result in even further financial loss.
In this report, iDEFENSE examines the lure of spyware to the advertising industry, the history and evolution of spyware (including its distribution methods), and the benefits of various mitigation strategies in reducing the threat and financial impact of a spyware compromise.
>> 07.21.05 : Phishing and Pharming: Mitigating the Threat
Simply put, phishing is the practice of sending victims e-mails purporting to be from a legitimate company and urging them to visit a specified website to update their account information. The website resembles the legitimate company's site but is in fact created by the phisher and used to capture the account information victims enter. That information is then used to steal the unwitting victims' identities.
By contrast, pharming involves altering the victim's name resolution (the local hosts file or DNS cache), typically via malicious code such as an Internet worm, so that the victim is automatically redirected to a fraudulent website when attempting to reach the legitimate one. This attack is more dangerous than phishing because the victim has no reason to suspect the fraudulent website: the browser's address bar displays the legitimate site's URL. However, this form of attack is still quite rare, and media coverage may be overstating the issue.
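The check a defender would actually run against the pharming vector described above, written for this page as an added example (it is not from the iDefense report): parse the local hosts file and flag any entry that pins a watched domain, such as a bank's, to a non-loopback address. A clean hosts file should contain no such entry, so every hit is worth an alert, and several brands pointed at one address is the usual signature of a pharming Trojan. The hosts file content and the watched-domain list are constructed for the example; the 203.0.113.0/24 address is from the documentation range.

```python
import ipaddress

# Constructed sample hosts file for the example (not a real capture).
# Lines 5 and 6 are the kind of entries a pharming Trojan adds.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost
# Added by malicious code: bank names pointed at a hostile server
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    online.examplecu.org
# Legitimate local override
192.168.1.20    dev.internal.example
"""

# Domains the organization cares about (assumed list for the example).
WATCHED_DOMAINS = {"examplebank.com", "examplecu.org"}


def parse_hosts(text):
    """Return a list of (line_number, ip_address, hostname) for every
    mapping in a hosts file, ignoring comments and malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not a hosts mapping line
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_watched(hostname, watched):
    """True if hostname equals, or is a subdomain of, a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_number, address, hostname) for every entry that pins a
    watched domain to a non-loopback address."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback:
            continue                            # 127.0.0.1 / ::1 entries are normal
        if is_watched(name, watched):
            findings.append((lineno, str(addr), name))
    return findings


def addresses_by_hit_count(findings):
    """Group findings by address: one server collecting several brands is
    the usual pharming signature."""
    counts = {}
    for _, addr, _ in findings:
        counts[addr] = counts.get(addr, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_pharming_entries(SAMPLE_HOSTS)
    for lineno, addr, name in hits:
        print(f"line {lineno}: {name} -> {addr}")
    print(addresses_by_hit_count(hits))
```

To run it against a real machine, read `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` into `find_pharming_entries` instead of `SAMPLE_HOSTS`; the same parser applies to both, since the file format is identical.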
>> 06.29.05 : Comparative Analysis: Security of Enterprise Web-Based E-Mail Interfaces
Enterprise e-mail applications have been around for years. However, as organizations seek to better leverage home user productivity, it has become necessary to provide those users with the ability to access e-mail in a manner to which they are accustomed. To meet this challenge, a number of vendors have released web-based interfaces for their enterprise e-mail applications that allow remote users to use broadband connections to access e-mail via the Internet. While convenient, the availability of such web-based interfaces introduces a host of potential security issues for decentralized organizations that employ such applications for remote communication.
This report analyzes the web-based interfaces of the following three most widely used enterprise-level collaboration suites:
- Microsoft Outlook Web Access (OWA) for Exchange Server
- IBM Domino Web Access for Lotus Domino
- Novell GroupWise WebAccess
In this report, iDEFENSE analyzes and compares the successive versions of each vendor's web-based clients. This report also discusses various network configurations, and offers suggestions regarding features that should be enabled or disabled to attain maximum security.
>> 06.17.05 : Web Browser Security
As the number of vulnerabilities in Microsoft Corp.'s Internet Explorer (IE) continues to climb, users are looking elsewhere for a safer web browsing solution. Competing web browser developers are taking advantage of IE's security shortcomings to gain market share on Microsoft. One such entity, The Mozilla Organization, has experienced great success with the release of its Firefox browser.
iDEFENSE analysis shows that the number of vulnerabilities in both IE and Firefox is climbing, and that malicious code is taking advantage of these issues to infect hosts and spread across the Internet. As these threats mount, users are left waiting for patches, updating anti-virus signatures, and continually looking for a more secure solution. Both Microsoft and Mozilla are taking measures to harden their respective products, each with mixed success. This paper compares and contrasts the two browsers and their respective futures from a security perspective.
>> 05.20.05 : Mitigating the Threat from Keyloggers
Keyloggers are a real and growing threat to financial institutions and their customers. Malicious code authors are releasing Trojan horses with more sophisticated and powerful keylogging components and increasingly attacking customers of banks outside of traditionally targeted countries. Keylogging software that can be used to illicitly obtain financial information is inexpensive and available from a wide variety of online stores. This year, keylogging devices were used as an essential component in the largest attempted bank robbery in history. Consequently, understanding how to identify and counter keyloggers is essential knowledge for any IT security professional.
In this Focused Intelligence Report, iDEFENSE lays out the three types of keyloggers - hardware, software and malcode - and describes their likely future development. Also discussed are common strategies for mitigating the threat from each type of keylogger.