Daily Archives: May 8, 2019

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it was payment card data breach and Verizon breach investigations data focused. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by ‘plain English’ astute explanations, reason why then, the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
      • Financial gain remains the most common motivate behind data breaches (71%)
      • 43% of breaches occurred at small businesses
      • A third (32%) of breaches involved phishing
      • The nation-state threat is increasing, with 23% of breaches by nation-state actors
      • More than half (56%) of data breaches took months or longer to discover
      • Ransomware remains a major threat, and is the second most common type of malware reported
      • Business executives are increasingly targeted with social engineering, attacks such as phishing\BEC
      • Crypto-mining malware accounts for less than 5% of data breaches, despite the publicity it didn’t make the top ten malware listed in the report
      • Espionage is a key motivation behind a quarter of data breaches
      • 60 million records breached due to misconfigured cloud service buckets
      • Continued reduction in payment card point of sale breaches
      • The hacktivist threat remains low, the increase of hacktivist attacks report in DBIR 2012 report appears to be a one-off spike

2019 Verizon DBIR Shows Web Applications and Human Error as Top Sources of Breach

Veracode App Sec Verizon DBIR 2019

According to the 2019 Verizon Data Breach Investigations Report, there was a noticeable shift toward financially motivated crime (80 percent), with 35 percent of all breaches occurring as a result of human error, and approximately one quarter of breaches occurring through web application attacks. These attacks were mostly attributable to the use of stolen credentials used to access cloud-based email.

Another fun fact: social engineering attacks are increasingly more successful, and the primary target is the C-suite. These executives are 12x more likely to be targeted than other members of an organization, and 9x more likely to be the target of these social breaches than previous years. Verizon notes that a successful pretexting attack on a senior executive helps them to hit the jackpot, as 12 percent of all breaches analyzed occurred for financially motivated reasons, and their approval authority and privileged access to critical systems often goes unchallenged.

“Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through,” the Verizon DBIR states. “The increasing success of social attacks such as business email compromises (BECs, which represent 370 incidents or 248 confirmed breaches of those analyzed), can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime.”

Retailers Are Most Vulnerable at the Application Layer

The good news for consumers and retailers alike are that the days of POS compromises or skimmers at the gas-pump appear to be numbered, as these card breaches continue to decline in this report. The not-so-good news is that these attacks are, instead, primarily occurring against e-commerce payment applications and web application attacks. Indeed, the report shows that web applications, privilege misuse, and miscellaneous errors make up 81 percent of breaches for retail organizations.

What’s more, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting payment card data to create a profit.

The report notes, “We have seen webshell backdoors involved in between the initial hack and introduction of malware in prior breaches. While that action was not recorded in significant numbers in this data set, it is an additional breadcrumb to look for in detection efforts. In brief, vulnerable internet-facing e-commerce applications provide an avenue for efficient, automated, and scalable attacks. And there are criminal groups that specialize in these types of attacks that feast on low-hanging fruit.”

Overall, Veracode’s State of Software Security Vol. 9 shows that retail organizations are quick to fix their flaws, ranking second in this regard as compared to other industries. With this in mind, it may mean that retail organizations need to keep a closer eye on third-party software and open source code in their own applications to ensure they’re not the next to sign a cyberattacker’s paycheck.

At Veracode, we help our customers to ensure that every web application in their portfolio is secure through each stage of the SDLC. Check out this case study to learn about how Blue Prism implemented Veracode Verified to ensure the strength of its application security program and protect its most sensitive data.

Quantifying Measurable Security


With Google I/O this week you are going to hear about a lot of new features in Android that are coming in Q. One thing that you will also hear about is how every new Android release comes with dozens of security and privacy enhancements. We have been continually investing in our layered security approach which is also referred to as“ defense-in-depth”. These defenses start with hardware-based security, moving up the stack to the Linux kernel with app sandboxing. On top of that, we provide built-in security services designed to protect against malware and phishing.
However layered security doesn’t just apply to the technology. It also applies to the people and the process. Both Android and Chrome OS have dedicated security teams who are tasked with continually enhancing the security of these operating systems through new features and anti-exploitation techniques. In addition, each team leverages a mature and comprehensive security development lifecycle process to ensure that security is always part of the process and not an afterthought.
Secure by design is not the only thing that Android and Chrome OS have in common. Both operating systems also share numerous key security concepts, including:
  • Heavily relying on hardware based security for things like rollback prevention and verified boot
  • Continued investment in anti-exploitation techniques so that a bug or vulnerability does not become exploitable
  • Implementing two copies of the OS in order to support seamless updates that run in the background and notify the user when the device is ready to boot the new version
  • Splitting up feature and security updates and providing a frequent cadence of security updates
  • Providing built-in anti-malware and anti-phishing solutions through Google Play Protect and Google Safe Browsing
On the Android Security & Privacy team we’re always trying to find ways to assess our ongoing security investments; we often refer to this as measurable security. One way we measure our ongoing investments is through third party analyst research such as Gartner’s May 2019 Mobile OSs and Device Security: A Comparison of Platforms report (subscription required). For those not familiar with this report, it’s a comprehensive comparison between “the core OS security features that are built into various mobile device platforms, as well as enterprise management capabilities.” In this year’s report, Gartner provides “a comparison of the out-of-the-box controls under the category “Built-In Security”. In the second part, called “Corporate-Managed Security, [Gartner] compares the enterprise management controls available for the latest versions of the major mobile device platforms”. Here is how our operating systems and devices ranked:
  • Android 9 (Pie) scored “strong” in 26 out of 30 categories
  • Pixel 3 with Titan M received “strong” ratings in 27 of the 30 categories, and had the most “strong” ratings in the built-in security section out of all devices evaluated (15 out of 17)
  • Chrome OS was added in this year's report and received strong ratings in 27 of the 30 categories.
Check out the video of Patrick Hevesi, who was the lead analyst on the report, introducing the 2019 report, the methodology and what went into this year's criteria.

You can see a breakdown of all of the categories in the table below:


Take a look at all of the great security and privacy enhancements that came in Pie by reading Android Pie à la mode: Security & Privacy. Also be sure to live stream our Android Q security update at Google IO titled: Security on Android: What's Next on Thursday at 8:30am Pacific Time.

On Abusing Email Validation Protocols for Distributed Reflective Denial of Service

Veracode Research Email Validation Protocols DrDoS

Denial of Service (DoS) attacks are still very much in vogue with cybercriminals. They are used for extortion attempts, to attack competitors or detractors, as an ideological statement, as a service for hire, or simply “for teh lulz.” As anti-DoS methods become more sophisticated so do the DoS techniques, becoming harder to stop or take down by turning into distributed (DDoS) among stolen or hacked end-points. Some DDoS methods even use distributed, public systems that aren’t hacked or stolen, but still offer a means for a reflected attack (DrDoS) such as the widespread Network Time Protocol (NTP) DrDoS attacks seen over the past several years.

In the spirit of discovering and exposing potential future cybercrime methods, this research focuses on determining the viability of DrDoS attacks using public-facing email validation protocols. With knowledge of attack anatomy white hats can better understand the threat landscape while building their unique threat models, and if need be, build and configure defenses against such potential protocol abuses. Fortunately, or unfortunately, depending on your reference point, the findings of this research conclude that these types of attacks are likely not to be a widespread threat given the current sets of in-the-wild email server configurations; though this may change in the future as more systems come online and configuration habits shift.

We know what sort of returns we can get for DDoS leveraging SPF in large part through the work of Douglas Otis. However, given other DDoS vectors available (DNS, NTP, etc.) using SPF alone doesn’t have much of a bite. The idea here was to try and also leverage other email validation protocols that may be configured for a mail server also employing SPF, a stacked attack. Following a review of the DomainKeys Identified Mail (DKIM) protocol RFC it was discovered that there are instances where the specification suggests using reply codes: 4xx, 451/4.7.5, and 550/5.7.x specifically. This suggests mail server configurations that may reply to messages that meet, or fail, certain criteria.

However, of the 20 in-the-wild sample servers (located in the United States, France, Germany, Hungary, and Taiwan), zero responded to invalid DKIM headers. As with the DKIM RFC, the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol RFC has a configuration suggestion for issuing a 5xy reply code for failed messages as well as a security discussion for External Reporting features of DMARC. Both of these vectors seemed promising for possible exploitation. Of the 20 in-the-wild servers tested, (located in the United States, the United Kingdom, France, Canada, and Switzerland) only four replied with a failure code and zero offered External Reporting services.

While subject to future change, these findings suggest that the current, real-world landscape does not lend itself to leveraging these validation protocols for any serious volume of DrDoS.