http://www.smh.com.au/articles/2004/03/01/1077989482304.html

[Funny thing is I used to get the mi2g news alerts all the time, but it abruptly stopped because they either got sick of me replying back asking where the hell they got their numbers from and mailing again a few days later wondering where my answer was, or they figured that I wasn't part of the media sheep that took their press releases at face value and printed them as news. More background on mi2g at: http://www.attrition.org/errata/charlatan.html#mi2g - WK]

By Sam Varghese
March 1, 2004

In what appears to be an econometric approach to the analysis of server compromises and website defacement, a London-based group is claiming that Linux is the most breached online server and the BSDs and Mac OS X the safest.

mi2g, which describes itself as a digital risk specialist, claimed that the number of successful attacks against Windows servers had also fallen - but said it had not taken into account the numerous malware attacks against this operating system. Additionally, mass website defacements were counted as multiple attacks - as many as the websites involved.

As to the reason for leaving out malware as a source of server or website compromise, the group's Intelligence Unit said: "The recent global malware epidemics have targeted the Windows OS and have not caused any significant economic damage to systems running Open Source including Linux, BSD and Mac OS X. Therefore, the mi2g Intelligence Unit study has been limited to overt digital attacks perpetrated by hackers, who target all flavours of Operating Systems."

The group said it had analysed 17,074 successful digital attacks against online servers and networks in January 2004, with Linux accounting for 13,654 breaches and Windows for 2,005, followed by BSD and Mac OS X with 555 breaches worldwide.
Asked about the reasoning behind its decision to treat mass website defacements as multiple attacks, a spokesperson said: "Mass website attacks are counted as multiple attacks because although there is a single action on the part of the attacker, economic damage is always done to multiple victims. Where the attack succeeds in reaching connected middle-layer and back end servers then in each attacked website's case, those back end systems are also unique."

The company estimated the overall economic damage from hacker-perpetrated overt, covert and DDoS digital attacks worldwide as being between $US2.34 billion and $US2.86 billion.

In the past, estimates made by mi2g have been questioned - for example, the figure of $US38.5 billion it advanced for the damage wrought by the MyDoom worm was termed "absurd" by Rob Rosenberger, the editor of Vmyths, a site dedicated to the eradication of computer virus hysteria.

The questions asked of mi2g and the company's answers are given below in full:

A total of 17,000-odd "successful digital attacks" are mentioned. From where were the details of these attacks obtained - from Zone-H.org?

"mi2g is principally reliant on data for SIPS and EVEDA from a number of sources:

"1. Personal relationships at CEO, CFO, CIO, CISO level within the banking, insurance and reinsurance industry in Europe, North America and Asia. We have been involved in pioneering cyber liability insurance cover for Lloyd's of London syndicates which has given us access to case histories since the mid 1990s.

"2. Monitoring hacker bulletin boards and hacker activity. We have several white hat hackers who we use for penetration testing and developing our Bespoke Security Architecture that feed digital risk information through to us on a continuous basis including vulnerabilities, exploits and the latest serious attacks they are aware of.

"3. We maintain anonymous communication channels with a large number of black hat hacker groups.
"Cases of systems attacked are systematically screened by Intelligence Unit personnel to ascertain hacker motivation and country of origin. Domain specific knowledge such as hacker contact details and the relationships between hacker groups are extracted automatically.

"EVEDA collects its information from a variety of open sources and calculates the economic damage associated with a particular digital attack based on a unique set of algorithms developed by the mi2g SIPS team in conjunction with risk analysts and economists."

If a mass defacement of a server occurs - and by this I mean if a single server hosting 100 websites is penetrated due to a vulnerability in a Perl or PHP script for example - how many digital attacks does that comprise according to your intelligence unit?

"Mass website attacks are counted as multiple attacks because although there is a single action on the part of the attacker, economic damage is always done to multiple victims. Where the attack succeeds in reaching connected middle-layer and back end servers then in each attacked website's case, those back end systems are also unique.

"When insurance cover for cyber liability was pioneered it was originally conceived around single IP addresses. Later on, technology allowed multiple domain hosting to be achieved with the same IP address, to the point that "1000's" of sites can all now be located on the same IP.

"An insurance company has to pay those "1000" companies when a denial of service, business interruption, customer or supplier liability insurance claim is invoked as a direct result of vandalism or other criminal activities.

"These days insurance policies are structured around profit centres and domains rather than just on IP addresses. Each attack incident, if verified, is classed as a unique attack regardless of whether it occurred repeatedly, i.e., once every two days or once every month, and regardless of whether it was part of a mass attack or not.
"The liabilities for each of the "1000" attacks will tend to spread across the customers and suppliers of each profit centre entity. So, it is inconceivable that it can be treated as one single attack from an insurance customer perspective."

How can a study on operating system safety exclude malware attacks when they are a major source of security breaches and practically all occur due to a high level of integration between applications and the core operating system?

"With most of these malware attacks the main points of vulnerability that are exploited are social engineering based, i.e., targeting the gullible users who may open executable attachments. That coupled with the dominance of a particular operating system can lead to very damaging malware epidemics.

"The security of an operating system itself however, is best measured in terms of the use of remote exploits to control that operating system, which are rarely used by most of the email borne malware that has caused most of the damage in January and August, the months that were referenced in the specific study you mention."

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Mar 01 2004 - 05:31:37 PST