Perimeter
4/2/2010
01:42 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Share -- Or Keep Getting Pwned

Forget the bad guys: Sometimes it seems like the security industry doesn't trust itself. There's too much internal hoarding of intelligence for privacy or competitive reasons and too little sharing of information among researchers, victims, and law enforcement about real attacks. All this does is give the cybercriminals an edge.

Forget the bad guys: Sometimes it seems like the security industry doesn't trust itself. There's too much internal hoarding of intelligence for privacy or competitive reasons and too little sharing of information among researchers, victims, and law enforcement about real attacks. All this does is give the cybercriminals an edge.Take the attacks on Google, Adobe, Intel, and others out of China (a.k.a. "Operation Aurora"). McAfee and other security firms investigating victims' systems each had is own fiefdom of intelligence, occasionally publicly sharing bits of information, like the Internet Explorer zero-day bug used in many of the initial attacks. But did anyone have the whole picture of the attacks?

McAfee published some of its analysis of the malware it found in over a dozen (undisclosed) companies' systems, which was helpful. But McAfee admitted this week that it had misidentified some malware as part of the attack when in fact it was from a separate one. But it didn't go public with that information after Google blogged about "a separate cyber threat" targeting Vietnamese users around the world. Meanwhile, at least one security firm that had spent time analyzing it for clues under the assumption that it was part of the same series of attacks, Damballa, isn't sold that the attacks aren't related.

Maybe McAfee and Damballa should have talked once in a while.

Confused yet?

I understand the business reasons for jealously guarding the information security firms dig up. But with them typically working independently -- with the exception being some botnet-takedown collaboration -- and not sharing their knowledge along the way, it sometimes results in spinning wheels, confusion, and lost momentum. That in turn translates to more time and opportunity for the bad guys to get in or stay in, cash in, and get out.

And there's something really wrong when victim companies are afraid to report an attack to law enforcement. Of course they don't want to go public with a breach unless they have to by law, but many fear public exposure when they go to the feds. And those that have given breach information to the FBI, for instance, traditionally have gotten nothing in return, anyway. But the FBI says all of that is changing, and that they are providing feedback and intelligence to the victims. Whether that convinces wary victims to go to the bureau or not remains to be seen.

The big question here is this: is there anyone looking at the big picture of these real attacks? Connecting the dots, sifting through the chaff, and correlating trends among them should be a priority for victim organizations, researchers, forensics investigators, and law enforcement. Otherwise the bad guys who are infecting companies with banking Trojans, stealing their intellectual property, and converting their enterprise machines into bots, will just keep owning us.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) on Twitter: http://twitter.com/kjhiggins Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant