Chad Perrin: SOB

2 April 2007

Security Analysis: Symantec ISTR XI (Executive Summary)

Filed under: Security — apotheon @ 12:31

This is a quick analysis of the executive summary of Symantec’s Internet Security Threat Report, volume XI. I will be providing analysis of further content of the ISTR XI on a (hopefully) daily basis, until I decide I’m finished.

Symantec identifies the following trends in its executive summary, with links to details further down the page:

  • Data theft and leakage is on the rise. That’s an easy — even facile — conclusion to reach. Anyone who has been following IT industry news might reach the same conclusion, based on the number of reports of data theft and leakage in all sectors of the industry. [more]
  • Organizationally targeted malicious code for data theft is on the rise. This is obscured slightly in Symantec’s phrasing, which emphasizes financial gain as the motivation for this organizationally targeted code while deemphasizing the data theft aspect. The key point here, I think, is simply that it’s designed for data theft. Under such circumstances, there’s little doubt that the data theft is intended for financial gain. [more]
  • Malicious activity is moving from direct exploits of high-severity vulnerabilities to gateway exploits of medium-severity vulnerabilities. The implications of this statement range far and wide for effective security assurance practices, particularly where the barely security-conscious mainstream IT industry is concerned. [more]
  • Previously separate categories of malicious activity are being combined for greater effect. Symantec recorded it, which provides a useful confirmation of expectations, but it isn’t in any way surprising that this is occurring — it is instead simply exactly what one should have expected from a maturing industry’s darker side. One of the most notable effects of this is an increasing sophistication of exploit paths leading to “owning the box” via privilege escalation. Another is the assembling of “bot armies” to achieve security penetration for data theft.

Further Explication:

Here, you’ll see additional information related to the above bullet-points, for greater depth of analysis.

Data theft and leakage: While reports of data theft and leakage are on the rise, there’s little evidence available to me to suggest that its actual incidence is increasing its statistical share of malicious computer activity. Organizations that have suffered such failures of data security should be expected to be loath to admit them, especially given the increasingly hostile climate among both the general public and legislators toward these failures. Most of the thefts and leaks I have encountered came to my attention through second- or third-party disclosure. Examples include breaking news of leaks by investigative reporters, regulatory-compliance notification of people affected by leaks (as in the case of the stolen Veterans Administration laptop), and public disclosure of leaks in a newsworthy fashion by people incidentally affected (such as when Gordon Lyon, aka Fyodor Dostoyevsky, suffered customer abuse by his domain registrar as a consequence of a data security breach at MySpace).

I believe that such activities are, indeed, on the rise — I do not dispute Symantec’s finding in this case, in part because I’m at least somewhat in agreement. It’s very much a heuristic sort of agreement, however, rather than one based on empirical, verifiable evidence. I suspect Symantec benefits from a far greater body of supporting anecdotal evidence than I do, without that fundamentally affecting the heuristic, inexact value of the conclusion. Individual, private data is by far the most widely reported form of data theft in trade press media, to the extent that the most egregious examples often see further reporting in mainstream media as incidents of “identity theft”. This greater frequency of reports can be laid in part at the feet of the increasingly tech-aware public — always a couple of decades behind the actual technology — and of regulatory compliance measures (also usually a couple of decades behind) that legally compel notification of at-risk individuals in such cases. Meanwhile, compromise of such impersonal data as corporate trade secrets is a relatively quiet front in public disclosure circles, though such data security breaches will likely also see increased reporting as legislation catches up with the realities of corporate fiscal responsibility to shareholders (unless boards can arrange for disclosures to be effectively limited to the board of directors).

Between changing demands of regulatory compliance, increasing public awareness of the dangers of data theft, and the logical motivation of organizations to minimize public relations exposure, the actual frequency of such occurrences in the 01 July through 31 December 2006 period, compared with previous six-month periods, is very much open to dispute. Leakage not associated with actively pursued theft is probably not an indicator of a worsening trend in security failures, however, since logic dictates that organizations are more likely to improve data security policies as time goes on — rather, increased reporting of leaks is almost certainly related to increased awareness of the dangers of data security failures.

Organizational targeting of malicious code: This is perhaps the strongest indicator of an actual increase in data theft incidents. Malicious code that targets specific organizations for illegally harvesting financially valuable data is a sign that the information technology industry is maturing. In this case, the notable indicator of industry maturity is the maturation of malicious, criminal activity significantly beyond the playful and into the purely commercial. Security cracking is no longer merely a field of activity unto itself, but is a carefully organized part of a larger, lucrative whole, where computers and networks are merely another resource in the profitable criminal activity ecosystem.

Additional signs of maturity are attendant upon this trend. For instance, a greater sophistication is shown in the intent and planning of criminal activities that use relatively low risk means of gathering resources that are of great value in criminal activities in large, one-shot operations that minimize the exposure of the perpetrators. This trend is a bit more believably measurable than the previous, encompassing trend, as it can be verified by a statistically significant collection of intercepted malicious code, rather than mostly through self-reporting and third-party disclosure.

Gateway exploits of medium severity vulnerabilities: As the criminal sophistication of security crackers increases, so too will their technical sophistication. In this case, however, the advances can largely be attributed to the changing security landscape of a directly competitive arms race between malicious security crackers on one hand, and on the other both the changing tactics of security service providers and the increasing relevance of more architecturally secure operating platforms. As the difficulty of keeping up with centralized security for operating systems and other platform single points of failure increases, due to rapid changes in state-of-the-art defensive security practices, security crackers should be expected to shift their attention and efforts to exploiting peripheral, third-party software as the low-hanging fruit. While this sort of exploit does not provide the same direct and dramatic benefits as a core platform exploit, it does grant a foothold that can then be leveraged through vulnerability interactions and, more importantly, privilege escalation.

Privilege escalation is, historically, a largely ignored aspect of core system security. On one hand, the strong architectural security characteristics of Unix-like operating systems reduce the likelihood of very damaging core platform security vulnerabilities as compared with common end-user oriented desktop operating systems such as older Microsoft Windows and MacOS “classic” releases, and the general lack of malicious security cracker activity in the enterprise back end has resulted in a low incidence of exploits. On the other hand, the significantly poorer architectural security characteristics of older MS Windows and MacOS “classic” releases have provided the lightning rod for malicious security cracker activity, particularly given the single-user security model lacking any (effective) privilege separation on such systems.

The trend for Microsoft Windows in recent years has been to couple minor improvements in privilege separation with massive security interdiction efforts — not architectural security improvement, but the imposition of a dizzying array of layered-on threat detection and redirection, not very difficult to circumvent but changing at such a rapid, and accelerating, rate that keeping up with the current security profile and exploits for a given vintage of MS Windows has become something of a field of expertise all its own. Meanwhile, MacOS has moved to a Unix-like core platform, with the result that its architectural security characteristics have been greatly improved. The increasing prevalence of Unix-like OSes in end-user deployment, between MacOS X and popular desktop Linux distributions (including massive governmental migration projects), is beginning to bring Unix-like system exploits more into the mainstream, where vulnerabilities can be identified and targeted effectively. Add all of this together, and you begin to see a glaring truth: the much-neglected issue of privilege escalation will become increasingly relevant in the future.

The most obvious sign of neglect of the issue of privilege separation on the Microsoft Windows platform is simply the complete failure of Microsoft to achieve true privilege separation in any operating system release over the nearly thirty years of its involvement in the OS business. Due in large part to the closed source, trade secret nature of Microsoft’s business model, there is no way at this time for me to be sure of the current state of privilege separation in MS Windows Vista, but secondary and tertiary indicators (such as the complete lack of any press releases indicating a fundamental shift) suggest that Vista, too, fails the smell test in this regard. In the MacOS X world, the biggest indicator is the monolithic, integrated user environment lacquered over the Unix-like core platform, which provides a great deal of traction for gateway exploits that may then be turned into complete system exploits by privilege escalation. Finally, even the open source Unix world displays major indicators of the neglect of privilege escalation issues, perhaps the most obvious being the sudo-only administrative access security model of new Linux distributions such as Ubuntu — which provides an easy, straightforward, difficult-to-ignore path to privilege escalation. All of these signs of neglect need to be addressed for truly conscientious security policy to take effect, and (unsurprisingly) the technical difficulty of addressing these issues increases the further one recedes from a Unix-like system architecture.

Symantec’s analysis of this trend is certainly related to a simple statistical measure of types of vulnerabilities discovered and exploits that have arisen “in the wild”. The analysis is almost surely among the most accurate information Symantec can provide, given its methodologies and available data, but its discussion of the implications of this trend falls well short of the mark for effective and useful analysis, as Symantec generally fails to tie trends together in a complete malicious computer activity system of behaviors.

This has been the first installment in my security analysis of the Symantec Internet Security Threat Report, volume XI. This is a series of daily posts collected under the SOB category Security. You may follow this series (and further security-specific posts) via RSS using the Security Category RSS Feed.

Next, I will delve into Symantec’s “Executive Summary Highlights” in brief.

April Fool . . . an hour later

Filed under: Metalog — apotheon @ 12:01

Fooled ya. No Symantec security report stuff for 01 April. You’ll have to wait until sometime on 02 April.

Actually, I just punked out on you. I had beer instead.

edit: By “an hour later” I meant “an hour after midnight”. Obviously, the weblog doesn’t track Daylight Saving Time, so it shows merely a minute past midnight as the post date/time for this. Eh.

All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License