
Archive for July, 2010

custom malware and antivirus

Thursday, July 29th, 2010

In the Verizon DBIR report they have an interesting graph on page 26. It shows the percentage of malware infections that have been customized (that is to say, the malware itself is customized). In 2005-2007 the percentage held steady between 21%-28%. In 2008 it jumped to 59%, and in 2010 it is still high at 54%. Perhaps not surprisingly, even though only half of the malware is customized, that half is responsible for 97% of the stolen records. Presumably non-customized malware and all other methods are responsible for the remaining 3%. Why the huge discrepancy? It’s easy – antivirus. Non-customized malware gets detected; customized doesn’t. This just goes back to something many people have started to feel in the last few years – antivirus is inherently flawed, and we’re starting to see its flaws. Blacklisting is inherently a losing battle, because there will always be new bad things, and there will always be something you didn’t think of. Whitelisting may seem like a pain at first, but in the long run it’s almost always easier and more effective.

email attachments

Wednesday, July 28th, 2010

I just got a spam email from a company trying to sell me something-or-other for email that included the following quote:

“Most organizations are struggling with the rising tide of email attachments, which can rapidly consume all available email storage when left unchecked.”

They attributed this quote to Matthew Cain, which I can’t verify, but my only response is: Really? I mean really? In this day and age? Are you sure this quote isn’t from… 19992?

Verizon 2010 DBIR report

Wednesday, July 28th, 2010

It’s amazing how quickly something can go from “brand new” to “mandatory reading”, but that’s exactly what the Verizon Data Breach Investigations Report has become in its short existence. The 2010 report has been released. The total number of cases analyzed since the inception of the report is now over 900, and it is easily the largest data set to date.

wildcard certificates security

Sunday, July 25th, 2010

In the previous post I mentioned multi-domain certificates but not wildcard certificates as a solution to the problem. The reason I didn’t mention wildcard certificates is because they have their own inherent security risks. If one subdomain is compromised, all subdomains may be compromised. (Verisign even states this clearly on their page on wildcard certificates.)

certificate names

Tuesday, July 20th, 2010

When it comes to preventing users from entering their data into fake websites, the main defense people always rely upon is user training. We’ve tried for years to train users to always look for the little lock icon that indicates the site is using SSL. Now we’re starting to train them to look for the EV cert. Browser makers have gotten much better about making it more difficult for a user to bypass certificate errors. One of the biggest mistakes an entity can make is accidentally training their users for bad behavior, such as accepting certificate errors. Unfortunately, that is exactly what many people are doing. Many times someone will buy a certificate with their main www domain – for example www.bankofamerica.com, and forget about the domain bankofamerica.com. While the difference may seem trivial, any user that enters https://bankofamerica.com into their browser will be met with a certificate error, which they will ultimately have to accept if they want to continue. This is bad practice all around.

To prove my point, I decided to look at the 10 largest banks in the US and discovered that four of the ten exhibited this flaw. (Bank of NY Mellon does not seem to have a login on their main domain, and therefore doesn’t utilize SSL, period.) One would think that for a large financial institution like one of these, getting a multiple domain certificate would be a simple task, but apparently they never thought to do it. In the meantime, they’re training their users for poor security practices.

JP Morgan Chase      good
Bank of America      Error
Wells Fargo          good
Citigroup            Error
PNC Bank             Error
HSBC                 good
Bank of NY Mellon    N/A*
US Bankcorp          Error
Suntrust Bank        good
State Street Corp    good
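The check above was done by hand in a browser; the following script is an added example (not from the post) of doing the same check programmatically for a site you operate. It assumes certificates in the dict format returned by Python's ssl getpeercert(), uses constructed placeholder names rather than any real bank's certificate, and goes one step beyond the post by showing that a wildcard certificate also fails to cover the bare domain.

```python
# Added example (not from the post): check that a TLS certificate covers every
# hostname users may type (both www.example-bank.com and example-bank.com). The
# certs below are constructed in the dict shape ssl.getpeercert() returns; names are placeholders.
import socket
import ssl

def cert_names(cert):
    """DNS names the cert is valid for: SAN dNSName entries, else the subject CN
    (browsers ignore the CN once a SAN extension is present)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard replaces only the whole left-most label,
    so '*.example.com' covers 'www.example.com' but not 'example.com' itself."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    left = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return left != "" and "." not in left

def audit(cert, hostnames):
    """Map each hostname to whether the certificate covers it."""
    names = cert_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in hostnames}

def fetch_peercert(host, port=443):
    """Pull the live certificate of a host you operate (needs network; not
    called anywhere in this file)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed cert naming only the www host: the flaw the post found.
WWW_ONLY = {"subject": ((("commonName", "www.example-bank.com"),),),
            "subjectAltName": (("DNS", "www.example-bank.com"),)}
# Constructed multi-domain cert listing both names.
MULTI = {"subject": ((("commonName", "www.example-bank.com"),),),
         "subjectAltName": (("DNS", "www.example-bank.com"), ("DNS", "example-bank.com"))}
# Constructed wildcard cert: still leaves the bare domain uncovered.
WILDCARD = {"subject": ((("commonName", "*.example-bank.com"),),),
            "subjectAltName": (("DNS", "*.example-bank.com"),)}

if __name__ == "__main__":
    for label, cert in (("www-only", WWW_ONLY), ("multi", MULTI), ("wildcard", WILDCARD)):
        print(label, audit(cert, ["www.example-bank.com", "example-bank.com"]))
```

Run it against `fetch_peercert("www.yourdomain.example")` with both the www and bare names to find the error the post describes before your users do.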
