Data and identity theft are far and away the growth sectors among the criminal underground, according to Symantec’s 11th Internet Security Threat Report. The U.S. rates as the most popular target for theft.
Every day, Symantec “It was surprising how brazen they are,” Alfred Huger, vice president of engineering at the Symantec Security Response team, told internetnews.com. “We got the impression there were bulk buyers, while others bought singly. And we saw the same people on multiple servers, so the community is big enough that they know to shop around for a deal.” Symantec monitored 330 servers, the bulk of which were in the U.S. The report stated that 51 percent of all known underground economy servers were located within the U.S., with Sweden coming in second at 15 percent. The identity bundles consisted of a name, address, Social Security number, and at least one bank or credit card account. Prices ranged from $14 to $18 per identity. Other goodies for sale included Skype accounts, accounts to the online game World of Warcraft, online banking accounts with a guaranteed $9,900 balance, and PayPal accounts with balances. In all, Huger said Symantec watched more than 5,000 transactions. The report clearly shows the U.S. has a bull’s eye painted on it. A whopping 86 percent of stolen credit cards were from U.S. banks, with U.K. credit cards coming in second at seven percent. Other statistics from the report: The Web remains the single biggest point of weakness, with 66 percent of all vulnerabilities related to Web technologies, such as e-commerce and Web forums. “It’s pretty safe to say that the most insecure software we see today is Web software, and I think it’s because of ease of use,” said Huger. “These new languages like Ruby and Perl and PHP are great, they’re easy to use, and it makes them accessible. But it also brings people to the game don’t know how to program securely.” Far more interesting, though, was the turnaround rate when vulnerabilities were found. Microsoft Microsoft had 39 OS-related vulnerabilities in the second half of 2006 and issued a fix on average within 21 days. Sun, by contrast, had 63 issues and took 122 days. Apple had 43 problems and took on average 66 days to issue a fix. But before we go on thinking every server is being hacked, Huger points out that only 13 percent of all data loss last year was due to hacking, which 54 percent was due to physical theft or loss of hardware, like the increasing number of laptops that are performing a vanishing act. Another 28 percent were due to sloppy or poor policy, like AOL releasing subscriber search records. Still, Huger is optimistic. “Ten years ago, virus writers existed in very succinct privacy. It was very difficult to get access to them. In this game we’re watching what they are doing, how they are doing business. The stakes are higher but we are certainly better prepared to deal with it,” he said. scans the Internet, taking in several terabytes of data, to find “wild” viruses. But it also monitors the underground economy where identity “packages” are sold. According to the report, which covered malware
has the reputation for having an operating system that’s about as secure as kiddie gate, but Sun Microsystems
actually was worse in both the number of problems and rate of repair.