26. March 2010 · HSBC database breach highlights need for better database security · Categories: Breaches, Database Activity Monitoring

Dark Reading is reporting that more details are emerging about the HSBC database breach, where it now appears that data on 25% of HSBC's private clients' accounts was stolen by a "privileged" user.

Click on the Database Activity Monitoring Category on the right for my other posts about the need for Database Activity Monitoring.

26. March 2010 · TJX hacker sentenced to 20-year prison term · Categories: Breaches, Legal

The IDG News Service is reporting:

Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the "unparalleled" theft of millions of credit card numbers from major U.S. retailers.

The retailers who suffered breaches were TJX, Office Max, DSW, and Dave & Buster's. Gonzalez was also involved in the well-known breaches at Heartland Payment Systems, Hannaford Supermarkets and the 7-Eleven chain.

I applaud the stiff sentence, but I don't think this will have much effect on reducing cyber crime for two reasons:

  • The percentage of cyber criminals who are caught is very low.
  • Much of the activity now is coming from parts of the world where getting cooperation from local governments is difficult. In fact, some believe the governments are abetting the criminals.

Read more of the details here.

21. March 2010 · Vulnerability-based Signatures Are Needed To Defend Against Operation Aurora Variations · Categories: Malware

NSS Labs recently tested seven anti-malware products against the actual Operation Aurora attack, which was successful against Google, Adobe, and as many as 100 other companies, and against variations of it. Six out of seven were successful against the specific attack, but only one provided protection against the variations.

NSS Labs points out that only "vulnerability-based" protection can protect against variations of a specific attack. Here are their key findings:

  • Endpoint security products need to focus more on vulnerability protection. Rather than reactively blocking individual attacks, security product vendors should minimize their customers' risk of exposure by insulating them from the vulnerability.
  • An approach based on preventing specific exploits or malware is less desirable due to the reactive nature of identifying exploits and malicious payloads, as well as the nearly infinite methods to evade detection. Only one of the seven endpoint security products tested demonstrated a focus on the vulnerability and blocked more than one exploit variant.

The report provides a comprehensive description of the vulnerability, the Operation Aurora attack, and specific descriptions of exploit-based vs. vulnerability-based signatures.
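As an added illustration of the distinction NSS Labs draws (example code written for this post, not taken from the NSS Labs report and not the Aurora exploit itself), assume a hypothetical record format whose parser trusts a declared length field. An exploit-based signature matches the bytes of the one sample that was captured; a vulnerability-based signature matches the condition that triggers the bug, so re-encoded variants are still caught:

```python
import re

# Constructed toy, not the Aurora exploit: a hypothetical record format "LEN:<n>|<payload>"
# whose parser copies the declared length into a fixed 64-byte buffer without checking it.
BUFFER_SIZE = 64

# The one exploit sample seen in the wild: a NOP sled followed by a recognizable payload.
KNOWN_SAMPLE = b"LEN:200|" + b"\x90" * 16 + b"PAYLOAD-A"


def exploit_signature(record: bytes) -> bool:
    """Exploit-based: match the bytes of the sample that was captured."""
    return (b"\x90" * 16 + b"PAYLOAD-A") in record


def vulnerability_signature(record: bytes) -> bool:
    """Vulnerability-based: flag any record whose declared length overruns the
    parser's buffer, whatever payload follows the header."""
    m = re.match(rb"LEN:(\d+)\|", record)
    return bool(m) and int(m.group(1)) > BUFFER_SIZE


# Constructed variants of the same attack: same trigger condition, different bytes.
VARIANTS = {
    "original sample": KNOWN_SAMPLE,
    "re-encoded payload": b"LEN:200|" + b"\x41" * 16 + b"PAYLOAD-B",
    "different oversize length": b"LEN:4096|" + b"\x90" * 4 + b"PAYLOAD-C",
}
BENIGN = b"LEN:12|hello world!"   # constructed well-formed record


def evaluate(detector) -> dict:
    """Report which variants the detector flags; the benign record must stay clean."""
    results = {name: detector(rec) for name, rec in VARIANTS.items()}
    results["benign"] = detector(BENIGN)
    return results


if __name__ == "__main__":
    print("exploit-based:      ", evaluate(exploit_signature))
    print("vulnerability-based:", evaluate(vulnerability_signature))
```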

Click here to read the whole report and find out which vendor has vulnerability-based signature(s) that were able to cope with Operation Aurora variations.

Brian Krebs wrote another article about the rising number of E-Banking funds transfer fraud incidents where the Zeus trojan/botnet is used to compromise end point systems. The man-in-the-browser (MITB) exploit is a version of the classic man-in-the-middle (MITM) attack where the user’s bank credentials are stolen without the user realizing it. In fact, the Zeus trojan goes on “to control what the user sees on his or her browser.”

One is left to ask, is there no "inline" defense against the Zeus trojan? In other words, is there no endpoint anti-malware product that can successfully defend against morphing trojans/botnets like Zeus?

It appears that the best choices at present are:

  • Use a dedicated PC, preferably one that boots from a CD, to do your online banking
  • Depend on your bank to:
    • Use behavior anomaly detection systems to catch/stop fraudulent transactions
    • Refund fraudulent transactions after the fact

Alternatively, from a bank process perspective, why not require a 48-hour waiting period between the time a new payee is created and the time a payment can be made to that new payee?

In addition, the bank could add another step to the “add a payee process” where the bank sends an email or even hard copy notification of the new payee to the user (payer) and the user has to call from a known home phone number to verify the new payee.

Clearly these steps would add a level of inconvenience to online banking, but that has to be weighed against the costs of reimbursing consumer and corporate customer losses. If the lawsuits in progress are adjudicated in favor of the corporations suing their banks, we may very well see these or other changes.
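The two controls proposed above, combined into one policy check, as an added example (my own illustration, not any bank's code; the account, phone number and payee names are constructed):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy: a 48-hour hold between creating a payee and paying it, plus an out-of-band
# notification that the payer must confirm by calling from a known phone number.
HOLD_PERIOD = timedelta(hours=48)


@dataclass
class Payee:
    name: str
    created_at: datetime
    verified: bool = False   # becomes True only after a callback from the known phone


@dataclass
class Account:
    known_phone: str                                     # hypothetical: phone on file for the payer
    payees: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)   # stand-in for email/hard-copy notices

    def add_payee(self, name: str, now: datetime) -> None:
        self.payees[name] = Payee(name, now)
        self.notifications.append(f"new payee added: {name}")   # bank notifies the customer

    def verify_payee(self, name: str, caller_phone: str) -> bool:
        """Only a call from the registered phone number verifies the payee."""
        payee = self.payees.get(name)
        if payee is None or caller_phone != self.known_phone:
            return False
        payee.verified = True
        return True

    def check_payment(self, name: str, now: datetime) -> tuple:
        """Return (allowed, reason) for a payment request to `name` at time `now`."""
        payee = self.payees.get(name)
        if payee is None:
            return (False, "unknown payee")
        if now - payee.created_at < HOLD_PERIOD:
            return (False, "inside 48-hour hold after payee creation")
        if not payee.verified:
            return (False, "payee not confirmed by callback")
        return (True, "ok")


def scenario() -> list:
    """Walk one constructed payee through the controls; returns the decisions in order."""
    t0 = datetime(2010, 3, 15, 9, 0)
    acct = Account(known_phone="555-0100")
    acct.add_payee("Acme Supply", t0)
    out = [acct.check_payment("Acme Supply", t0 + timedelta(hours=1))[0]]   # held
    out.append(acct.verify_payee("Acme Supply", "555-0199"))                 # wrong phone
    out.append(acct.verify_payee("Acme Supply", "555-0100"))                 # known phone
    out.append(acct.check_payment("Acme Supply", t0 + timedelta(hours=47))[0])  # still held
    out.append(acct.check_payment("Acme Supply", t0 + timedelta(hours=49))[0])  # allowed
    out.append(acct.check_payment("Unknown Co", t0 + timedelta(hours=49))[0])   # unknown
    return out
```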

13. March 2010 · Latest Zeus Trojan software release added hardware-based anti-piracy control · Categories: Botnets, Innovation, Malware

The Register reports:

The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows.

The newest version with bare-bones capabilities starts at $4,000 and additional features can fetch as much as $10,000. The new feature is designed to prevent what Microsoft refers to as "casual copying" by ensuring that only one computer can run a licensed version of the program. After it is installed, users must obtain a key that's good for just that one machine.

To state the obvious, if anyone needed a reminder, the crimeware software industry is big business and maturing. 

In addition, The Register reported:

The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg. But the authors are already busy working on version 1.4, which is being beta tested. It offers polymorphic encryption that allows the trojan to re-encrypt itself each time it infects a victim, giving each one a unique digital fingerprint. As a result, anti-virus programs, which already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.

No information was provided as to where you could submit your feature requests.

13. March 2010 · LifeLock pays $12 million to settle charges of false and deceptive claims · Categories: Identity Theft

SC Magazine reports:

LifeLock will pay $11 million to the Federal Trade Commission (FTC) and $1 million to a group of 35 state attorneys general to settle charges that the Tempe, Ariz.-based company made false claims about its identity theft products.

The FTC contended that LifeLock's claims were "deceptive" because the fraud alerts it places on customers' credit files can only protect against certain types of identity theft, such as new account fraud, which occurs when an ID thief opens up new financial accounts by using the victim's name and Social Security number.

In addition, ironically:

LifeLock, which bills itself as "#1 in identity theft protection," has gained national notoriety with commercials that show Davis' Social Security number on the side of a truck, while Davis tells the audience that he is confident his company's services will protect him – and potential customers – from having their identity stolen. But Davis reportedly has been a victim of ID theft.

As I have said before, identity theft is a real problem. To protect yourself, start by reviewing the offerings of the three credit agencies: Equifax, Experian, and TransUnion.


CSOonline published an article entitled, "What Are the Most Overrated Security Technologies?" At the head of the list are, no surprise, Anti-Virus and Firewalls.

Anti-Virus – Signature-based anti-virus products simply cannot keep up with the speed and creativity of the attackers. What's needed is better behavior-anomaly-based approaches to complement traditional anti-virus products.

Firewalls – The article talks about the disappearing perimeter, but that is less than half the story. The bigger issue is that traditional firewalls, using stateful inspection technology introduced by Check Point over 15 years ago, simply cannot control the hundreds and hundreds of "Web 2.0" applications. I've written about or referenced "Next Generation Firewalls" here, here, here, here, and here.

IAM and multi-factor authentication – Perhaps IAM and multi-factor authentication belong on the list, but the rationale in the article was vague. The biggest issue I see with access management is deciding on groups and managing access rights. I've seen companies with over 2,000 groups, clearly an administrative and operational nightmare. I see access management merging with network security as network security products become more application, content, and user aware. Then you can start by watching what people actually do in practice rather than theorizing about how groups should be organized.

NAC – The article talks about the high deployment and ongoing administrative and operational costs outweighing the benefits. Another important issue is that NAC does not address the current high-risk threats. The theory in 2006, somewhat but not overly simplified, was that if we checked the end point device to make sure its anti-virus signatures and patches were up to date before letting it on the network, we would keep worms from spreading.

At present, in practice, (a) worms are not a major security risk, (b) while patches are important, up-to-date anti-virus signatures do not significantly reduce risk, and (c) an end point can just as easily be compromised when it's already on the network.

A combination of (yes again) Next Generation Firewalls for large locations and data centers, and cloud-based Secure Web Gateways for remote offices and traveling laptop users will provide much more effective risk reduction.

13. March 2010 · Verizon Business extends its thought leadership in security incident metrics · Categories: Breaches, Research, Risk Management, Security Management, Theory vs. Practice

The Verizon Business Security Incident Response team, whose yearly published Data Breach Investigations Reports I've written about here, has extended its thought leadership in security incident metrics with the release of its Incident Sharing Framework. Their purpose is to enable those responsible for incident response to "create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality (sic) and uncertainty, and help defend the organizations we serve." The document can be found here.

Of course Verizon Business is a for-profit organization and the license terms are as follows:

Verizon grants you a limited, revocable, personal and nontransferable license to use the Verizon Incident Sharing Framework for purposes of collecting, organizing and reporting security incident information for non-commercial purposes.

Nevertheless, I do hope that this or an alternative incident sharing framework becomes an industry standard that enables the publishing and sharing of a larger number of incidents from which we can all learn and improve our security policies and processes.