Gilbert Verdian - Security Advocate

Using Google to Identify Security Trends

The other day I was thinking about the best way to identify current trends at a macro level: to get an overview of what is happening right now and, more importantly, where to focus mitigation of risks and threats.

Currently my RSS feeds bring in over 1000 items a day, which is great at a micro level, but I wanted something with a wider view. So I decided to try Google Trends and feed it some security keywords, which gave some interesting results.

Keyword:

1) Hacking

This shows Pakistan, India and Indonesia were the top 3 countries searching for "hacking", and there has been a small, general increase for the term since 2004.

2) Zero Day

Zero day (0 day) was almost non-existent before 2004; the increasing trend seems accurate, as the previously underground term found its way into the mainstream media. Surprisingly, Finland is on top for zero day searches, whereas India, which topped "hacking", is now listed as number 8. Another noteworthy entry is Romania, which complements the trend of eastern European countries increasing their activity in this area, especially where organised crime is involved.

3) Phishing

Phishing similarly took off around 2004, with its peak around the middle of 2005. The trend shows a slight decline, possibly reflecting increased user awareness not to click on suspicious links.

4) Botnet

2004 seems to be quite a popular year, as botnets also took the stage then. The gradual rise in searches for the term does reflect the amount of mainstream attention they get. The peaks line up with the main headlines covering the well-known Storm and Kraken botnets and the law enforcement successes by the FBI and Dutch police. I don't know exactly why Norway is the top country searching for botnets.

The OS Wars

5) Operating Systems (Linux, XP, Vista, Apple)

This shows the steady decline of XP and Linux and the rise of Vista and OS X ("Mac" and "Leopard" returned almost zero results, so I used the term "Apple" to be more comparable).

6) Linux

Linux searches have surprisingly been decreasing over the last 4 years. I would have thought that with the popularity of Ubuntu they would be on the rise. The number of news stories covering Linux in the lower graph seems to be constant.

7) Ubuntu

This shows the unsurprising rise of Ubuntu since 2004. One thing I find interesting is that Italy is number 1 for Ubuntu searches; open source must be quite popular in Italy.

8) Apple

Apple has had an expected increase reflective of its increase in market share over the years. The launch of the iPhone has obviously helped with its popularity.

9) BSD

A favourite of mine, showing the enormous decline in popularity of the *BSD family. FreeBSD is still on top, and Russia and Ukraine are the top countries. My favourite, BSDi, has not been around for quite a while.

10) Unix

Searching for Solaris, AIX and HP-UX reveals an overall steady decline in popularity, with Solaris and AIX evening out in 2008, and India, Singapore and Japan being the top countries for Solaris.

The Security Vendors

11) McAfee Vs Symantec

Both companies have been quite close over the years. The next graph details the activity in 2008. Asian countries also seem to be on top for Symantec searches.

12) McAfee Vs Symantec 2008

A closer view shows McAfee was searched for the most and overtook Symantec for the first time.

In Conclusion

Google Trends doesn't replace hard metrics, threat reports from industry sources, correlated logs and alerts, etc. But it does give you an insight into what people are searching for and from which geographic regions, and so some awareness of what is going on, where to focus your attention and what to look for to help mitigate threats and risks.

If you have some interesting searches please feel free to link back and display your results.

Ubuntu Drink in Vending Machine

Came across this Ubuntu drink in a vending machine. Does anyone know what it is or tried it?

Join the CISA group in LinkedIn - Update

Using LinkedIn quite extensively, I created a group for CISA qualified professionals to join.

Please visit the following link stating your ISACA membership number and month & year you qualified for the CISA.

http://www.linkedin.com/e/gis/40405/0142006D7B5F

Upon joining you’ll have the following logo of the CISA letters I made displayed in your profile.

cisa.png

July 2008 - A quick update on the CISA group. We now have over 1300 members in the group! 

The group is still only intended for CISAs, as each application is viewed, please also ensure you have your relevant CISA certification & experience detailed in your profile.

Get Hacked, Get Sued, Go Out of Business

I just received the following email from ecademy.com.  It is an unfortunate tale of the site being hacked, the customer database stolen, the company being sued and as a result of the verdict and legal expenses they have decided to shut down. 

Dear members, clients and guests of our portal,

Over the last few years our portal has helped you to organize your business, find new partners and increase sales. However, all good things end. Many of you know that we have experienced legal problems over the last year. Our competitors from other social networks are trying to take over our client base.

Our website has been hacked and our database was stolen. After that we were taken to court because of identity theft. Unfortunately, legal expenses and an unfavorable court verdict with the following closure of our bank accounts will lead to closure of our website. All paying members will receive a refund starting from March 14th.

Please check the attached file for legal information in regards to your account.

Best regards,

The Ecademy Team
Ecademy - The Social Network for Business People
Company Registration: 3651083 VAT: 718 0377 36

InfoSec 2007 Presentation - Issues Faced by Organisations Today

I did a presentation at Infosec 2007 with Symantec at their stand. The talk was about current issues faced by organisations, ranging from:

- Changes in motivation - how monetary gain is evolving threats
- Segregated security functions within organisations that do not work/talk to each other
- The burden of regulation and compliance that organisations need to adhere to and implement controls for

I drew upon the findings from the 2007 Symantec Threat Report, showing how people are after your information (from databases, for example) to use for monetary gain. It's not about bragging rights anymore. Here's the presentation hosted on SlideShare:

Internal Facebook Phishing or Worm?

It seems one of my Facebook contacts' accounts was compromised, either by phishing or key logging... "he" had posted the following URL onto my wall

h11p://www.facebook.com.profile.php.id.371233.cn

He also had the following from another user on his wall

"lol i cant believe these pics got posted….its going to be BADDDD when her boyfriend sees these- h11p://www.facebook.com.profile.php.id.371233.cn"

Of course, the guilty domain is 371233.cn (everything to the left of it in the hostname is just subdomain labels chosen to look like facebook.com/profile.php?id=...)... a whois doesn't reveal much..

whois 371233.cn
Domain Name: 371233.cn
ROID: 20071101s10001s02380333-cn
Domain Status: ok
Registrant Organization: 小问
Registrant Name: 笑纹
Administrative Email: 24@244.com
Sponsoring Registrar: 北京新网互联科技有限公司
Name Server:ns1.4980603.com
Name Server:ns2.4980603.com
Name Server:ns3.4980603.com
Name Server:ns4.4980603.com
Registration Date: 2007-11-01 23:30
Expiration Date: 2008-11-01 23:30

Then the whois of the hosted server 4980603.com is

Domain Name………. 4980603.com
Creation Date…….. 2007-10-19 18:26:55
Registration Date…. 2007-10-19 18:26:55
Expiry Date………. 2008-10-19 18:26:55
Organisation Name…. xiaowen
Organisation Address. No.323 chang’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. top wen
Admin Address…….. No.323 chang’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 24@244.com
Admin Phone………. +86.1034546677
Admin Fax………… +86.1067688466

Tech Name………… top wen
Tech Address……… No.323 chang’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 24@244.com
Tech Phone……….. +86.1034546677
Tech Fax…………. +86.1067688466

Bill Name………… top wen
Bill Address……… No.323 chang’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 24@244.com
Bill Phone……….. +86.1034546677
Bill Fax…………. +86.1067688466
Name Server………. ns4.4980603.com
Name Server………. ns3.4980603.com
Name Server………. ns2.4980603.com
Name Server………. ns1.4980603.com

The site looks quite convincing to the user, they haven’t updated the year to 2008 yet…

facebook_phish.png

The source of the site is basically the following form…

<form method="post" action="login.php">
<div id="loginform">
<div class="form_row clearfix">
<label for="email" id="label_email">Email:</label>
<input type="text" class="inputtext" id="email" name="email" />
</div>
<div class="form_row clearfix">
<label for="pass" id="label_pass">Password:</label>
<input type="password" class="inputpassword" id="pass" name="pass" value="" />
</div>
<label class="persistent">
<input type="checkbox" class="inputcheckbox" onclick="document.getElementById('persistent_notification').style.display=this.checked?'block':'none';" id="persistent" name="persistent" value="1" />
<span>Remember me</span>
</label>
<div style="display: none" id="persistent_notification">
<div class="status"><h2><span id=status_title>By selecting "remember me" you will stay logged into this computer until you click logout. If this is a public computer please do not use this feature.</span></h2></div>
</div>
<div id="buttons" class="form_row clearfix">
<label></label>
<input type="submit" value="Login" name="login" id="login" onclick="this.disabled=true; this.form.submit();" class="inputsubmit" /> or <strong><a id=reg_btn_link href="https://www.facebook.com/r.php?">Sign up for Facebook</a></strong>
</div>
<p class="reset_password form_row"><label></label><a href="http://www.facebook.com/reset.php">Forgot your password?</a></p>
</div>
</form>
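Two things in this post are worth automating: working out which domain really owns a lookalike hostname like www.facebook.com.profile.php.id.371233.cn (the registrable domain is 371233.cn; the "facebook.com.profile.php.id" part is attacker-chosen subdomain labels), and following the form's relative action="login.php" to see where the typed credentials actually go. The script below is an added example, not code from the original post. The sample URL and the trimmed form are constructed from the post; the small public-suffix table is an assumed stand-in for the real Public Suffix List, and the brand list is illustrative.

```python
"""Pick apart the lookalike hostname and the login form from the Facebook
phishing post.  Added example, not code from the original post.  The sample
URL and trimmed form are constructed from the post; PUBLIC_SUFFIXES is an
assumed stand-in for the real Public Suffix List."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit

# Constructed sample input: the defanged URL that was posted to the wall.
PHISH_URL = "h11p://www.facebook.com.profile.php.id.371233.cn"

# Constructed sample input: the credential-capturing form, trimmed.
PHISH_FORM = """<form method="post" action="login.php">
<input type="text" name="email" />
<input type="password" name="pass" />
<input type="submit" name="login" value="Login" />
</form>"""

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# hosts used here.  Real tooling should load the full list.
PUBLIC_SUFFIXES = {"cn", "com", "net", "org", "co.uk", "com.cn"}

# Brands that should never appear as a subdomain label of someone else's
# registrable domain (illustrative list).
BRANDS = {"facebook", "paypal", "google"}


def refang(url: str) -> str:
    """Turn common defanged schemes (h11p, hxxp) back into http/https."""
    for defanged, real in (("h11ps://", "https://"), ("h11p://", "http://"),
                           ("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.lower().startswith(defanged):
            return real + url[len(defanged):]
    return url


def registrable_domain(host: str) -> str:
    """Return the registrable part (public suffix plus one label) of a host.

    Tries the longest suffix first, so 'x.co.uk' resolves under 'co.uk'
    rather than 'uk'.  Everything left of the result is attacker-chosen.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {host!r}")


def lookalike_brand(host: str) -> Optional[str]:
    """Return a brand name smuggled into the subdomain labels, if any."""
    owned = set(registrable_domain(host).split("."))
    for label in host.lower().split("."):
        if label in BRANDS and label not in owned:
            return label
    return None


def analyse_url(url: str) -> Dict[str, Optional[str]]:
    """Summarise who really owns the host behind a (possibly defanged) URL."""
    host = urlsplit(refang(url)).hostname or ""
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "impersonates": lookalike_brand(host),
    }


class _PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password field."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: List[str] = []
        self._action: Optional[str] = None   # None when not inside a form
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action, self._has_password = a.get("action") or "", False
        elif (tag == "input" and self._action is not None
              and (a.get("type") or "").lower() == "password"):
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.actions.append(self._action)
            self._action = None


def credential_sinks(page_url: str, html: str) -> List[str]:
    """Resolve each password form's action against the page URL.

    A relative action such as 'login.php' lands on the phishing host itself,
    which is exactly where the captured credentials are sent.
    """
    parser = _PasswordForms()
    parser.feed(html)
    return [urljoin(refang(page_url), action) for action in parser.actions]


if __name__ == "__main__":
    print(analyse_url(PHISH_URL))
    for sink in credential_sinks(PHISH_URL, PHISH_FORM):
        print("credentials posted to:", sink)
```

Run against the posted URL the summary reports registrable domain 371233.cn impersonating "facebook", and the form's action resolves to http://www.facebook.com.profile.php.id.371233.cn/login.php, so the credentials never leave the phisher's host. The same check on a genuine www.facebook.com login page reports no impersonation, because "facebook" is part of the registrable domain rather than a subdomain label.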

There’s also a reference to an internal IP…

<span title="10.1.227.120">20</span><span title="19192216">07</span>

Anyone else seen this?

Denied by my own blog

Funny that: the Bad Behavior plugin picked up on something and started denying logins from all different IPs... I just kept getting the following denied message...
denied

I had to get in there manually and remove Bad Behavior... will have a look at it on the weekend...

At least I know it’s working :)

Join the CISA group in LinkedIn

Using LinkedIn quite extensively, I created a group for CISA qualified professionals to join.

Please visit the following link stating your ISACA membership number and month & year you qualified for the CISA.

http://www.linkedin.com/e/gis/40405/0142006D7B5F

Upon joining you’ll have the following logo of the CISA letters I made displayed in your profile.

cisa.png


New Job at Ernst & Young

I have recently joined Ernst & Young in London after almost 6 years at CSC in Sydney and the UK. Apologies for the lack of updates on the blog, took some time out and travelled around Europe before starting at EY.

Things are back on track and am looking forward to talking about security, from the front line.

Verify CISSP Certification

The CISSP certification is seen as a standard for security professionals. The exam is based on the following 10 domains:
- Domain 1 Security Management Practices
- Domain 2 Security Architecture and Models
- Domain 3 Access Control Systems and Methodology
- Domain 4 Application Development Security
- Domain 5 Operations Security
- Domain 6 Physical Security
- Domain 7 Cryptography
- Domain 8 Telecommunications, Network, and Internet Security
- Domain 9 Business Continuity Planning
- Domain 10 Law, Investigations, and Ethics

The exam is multiple choice, 250 questions, which you have 6 hours to complete, and the certification is quite highly sought after.

To validate people who claim to be certified, (ISC)² has set up the following Certification Verification Site.

If a person has a valid certification, the output will look like this:
verify_cissp.png