Web Browsers Under Siege From Organized Crime

An anonymous reader writes "IBM has released the findings of the 2007 X-Force Security report, a group cataloging online-based threat since 1997. Their newest information details a disturbing rise in the sophistication of attacks by online criminals. According to IBM, hackers are now stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'. 'The study finds that a complex and sophisticated criminal economy has developed to capitalize on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007.'"

80%...?

Are they saying that antispyware software misses 80% of the spyware?

Firefox? Opera? Safari?

[TFGeditor]

Okay, I admint I have not (yet) read the article, but experience tells me that 80% likely involves IE at 90 percent or better.

Re:Firefox? Opera? Safari?

[WilliamSChips]

I'm not fully sure but I know every browser has one vulnerability. It's between keyboard and chair.

Re:Firefox? Opera? Safari?

[cp.tar]

Though when you go to absolutely legitimate site (that has been infected just last night) with IE and through many of its holes you now got a trojan installed on your machine, how is that a user's fault? Apart from using IE this user did absolutely nothing wrong or stupid.

I should say that using IE is wrong and stupid enough.

That's not the worst of it.

[khasim]

It kind of reminds me of William Gibson's cyberspace: a free-for-all, hostile environment where it was pretty much up to individual users / corporations / governments / whatever to protect themselves through whatever means necessary.

The problem is that no matter how well YOU protect yourself, other agencies have your personal information in their databases.

What happens if your employer loses a laptop with your SSN, name, etc on it?

Eventually, the criminals are just going to start building a database with whatever information they can find.

Then they'll use that database to take out a second mortgage on your home, purchase a new car and open a few credit cards under your name.

You'll lose more money than you have. And you'll never have a chance to prevent it. Because all the information will be "leaked" from 3rd parties.

Re:That's not the worst of it.

Potentially the problems you state are only the scraps, unfortunately it is getting to where every filing cabinet and vault in the world has multitudes of vacuum pipelines hooked to it and organized crime is working hard on figuring out how to break down the filters and routing on these pipelines and channel the flow to themselves. Think in terms of the old vacuum pipes for paper and money transfers inside old department stores and then expand it world wide, now try to imagine keeping it secure, not just your part of it but everyone's part that you connect to and everyone's part that they connect to ad infitum, welcome to the internet.

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

Side warning to the closed source corporations: See above, biggest difference is your paying them too. Think you can hire that many eyes?

Side warning to businesses and individuals: Read the above, look around you, let the paranoia begin.

The internet maybe a highly efficient way of doing business, but it can be an extremely efficient way to steal too. Weigh the KNOWN risk factors, is it really worth it?

Organized crime is only the tip of the iceberg.

We may have to become stainless steel rats just to be free.

Re:That's not the worst of it.

[SCHecklerX]

It's even easier than that. Every time you pay with your credit card at a restaurant, you are trusting that waiter not to steal your number, or that they don't print a tape with the number on it and put it in the trash unshredded.

Re:That's not the worst of it.

[vertinox]

Side warning to the F/OSS community: That multitude of eyes may become even more important as we start to wonder, is the Godfather contributing? It doesn't even have to be in terms of direct backdoors, only has to be an exploitable bug which of course don't make the contributor look as bad.

How do know that a low paid programmer at Microsoft hasn't been bribed by organized crime and if so how do you detect the code?

Re:That's not the worst of it.

[ardent99]

Eventually, the criminals are just going to start building a database with whatever information they can find.

This is really important. There are a lot of people who argue that if you have nothing to hide, you don't need to worry about the government tracking your information. This argument tends to have the implicit assumption that the government has your best interests at heart and wouldn't [fill in your worst abuse here]. However, even if you believe this, clearly it is not true about criminals. It is becoming rapidly evident that no organization, including the government, can stop data leaks when arbitrary means to get it are used. Employees and systems are fooled, phished, socially engineered, stolen from, and mess up on a regular and frequent basis. If your information gets out there, it can be gotten.

And if all the information gathered from small leaks in many places were accumulated and mined in one nefarious database, run by someone whose main purpose was to screw over as many people as possible, it would be a huge danger. There would be no "unsubscribe", or "do not call" or FOIA requests that can help you, and no morals to control behavior. Information cannot be revoked.

They only way to defend yourself is to create as many obstacles as possible to collecting and coalescing the information in the first place. Even people you trust can accidentally lose control of the information.

This is the best argument yet for why it *does* matter that you minimize what information is known about you, no matter who it is or for what purpose, no matter how benign it may seem.

Lack of Security of any System on the 'Net

[RobBebop]

stealing the identities and controlling the computers of consumers at 'a rate never before seen on the Internet'.

5%, 25%, 50%? 90%? Are there estimates for the "rate never before seen" that users are having their personal information stolen?

And what personal information is it? To extend the old saying "If it is on the internet, it is public". Well, *all* information you store the computer that you access the internet suffers from this lack of security.

A truly secure user experience would be managing personal data on an unconnected system (or even a private network of systems) and then transferring data from there that needs to make it to the Internet via the Sneakernet. This is how the Department of Defense guarantees the security of Secure Facilities, and it is (unfortunately) the only way to guarantee the security of your own personal information.

But for systems that are on the 'Net, using an OS that doesn't hide/obfuscate fundamental security models is a plus. For example, it is easier for me to shutdown outgoing ports/services on Linux than on Windows.

As far as browser exploits... one can only hope that developers close off the attack vectors faster than they open new ones.

Re:The minute that vulnerabilities were monitized.

[gnick]

perhaps it may behoove certain of us to act as "night watchmen" for our various neighbourhoods That's an interesting idea and may function just fine at a land-lady level. But, for some reason, my bank balked at the idea of granting me admin access to their server so that I could make sure that my personal info was secure.

Kick Windows off the Internet

[EllynGeek]

I did read the actual report, all 56 pages of it. As usual, Windows' total lack of security guarantees that any random blackhat with a minimum of skill can exploit it. Go ahead and mod me Troll again, you lameass Microsoft-fanboi moderators, but it won't change what the report says- Windows is the problem.

Re:Kick Windows off the Internet

[EllynGeek]

The old "more market share is why Windows is more attacked" has been so thoroughly debunked you should be ashamed of yourself for parroting it yet again. Please- educate yourself; you reveal that you know little about operating systems when you say that. It's just not true. Well, it's partly true- with the perfect combination of easily exploited and dominant market share, it's a perfect recipe for organized crime and blackhats of all varieties to run rampant. If an open-source Unix-type operating system were dominant, we would not be seeing all the spam, malware, and botnets that feast unhindered on Windows. The Internet would be a lot safer and a lot less polluted.

The fact is that Windows' sieve-like architecture welcomes malware into the guts of the operating system, while hindering users at every turn, and tight integration with applications and server stacks guarantees that the most peripheral exploits will find a red carpet into the core of the operating system. This is not true of Unix-type operating systems, which are inherently far more secure. Windows' dominant market share ensures that the damage- billions of dollars wasted on extra bandwidth, "security" applications, abuse desks, fraud and identity theft, and so forth- is pandemic. Windows is impossible to secure. It will take a ground-up rewrite to fix it.

There are fundamental differences in culture- in the Unix world, or at least in the open source part of it (Linux, FreeBSD, OpenBSD, NetBSD, OpenSolaris), vulnerabilities are not denied or hidden, but are out in the open and dealt with. It's been proven over and over that openness = stronger security. Two good examples are OpenSSH and OpenSSL. Both are open source, both are used universally in all kinds of applications, such as secure remote sessions and Web applications. Their code is wide open and they are thoroughly documented. Anyone can study their inner workings. Are they successfully exploited? No.

This article is a good start for understanding the fundamental architectural differences: http://www.theregister.co.uk/security/security_report_windows_vs_linux/

Got plugins?

[jschottm]

The web is not just HTML at this point. Both QuickTime and RealPlayer have had notable exploits in the past few months. Acrobat and Flash have had major security holes as well. Just relying on the fact that you're using Firefox doesn't mean that you're not vulnerable.