14. December 2010 · Comments Off on Network Security Blog » Customer information stolen · Categories: blog · Tags: , , , ,

Network Security Blog » Customer information stolen.

Three database/email server compromises were revealed over the weekend.  A business partner of McDonald’s lost their promotional mailing list, Gawker’s entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner.  None of these cases involved financial data; none of these would have been covered in any way by the PCI requirements.

So what is the value to the hackers? Martin sums it up nicely:

The danger with the McDonald’s and DeviantArt compromises isn’t the account names, it’s the the potential for phishing and other scams.  The phishers now have a validated list of customers they can target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click on links to malicious sites.  From there, they can move on to lower impact, less obvious attacks, but that’s how I’d start.  The potential of a user trusting an email warning them of danger is quite a bit higher than the other emails.

PS: Walgreen’s customer email list was compromised. Again, no big deal, just email addresses. But as Martin said above, a valid list of email addresses is a great starting point for phishing scams.

03. August 2009 · Comments Off on LoJack-For-Laptops creates rootkit-like BIOS vulnerability · Categories: Breaches, Malware, Risk Management, Security Management, Security Policy · Tags: , , , , , , , ,

Alfredo Ortega and Anibal Sacco, researchers for penetration testing software company Core Security Technologies, demonstrated at Black Hat how Absolute Software's Computrace LoJack For Laptops contains a BIOS rootkit-like vulnerability.The reason this is significant is that about 60% of laptops ship with this installed including those from Dell, HP, Toshiba, and Lenovo. These companies are listed as OEM partners on Absolute's web site.

Here is a good article which describes how LoJack for Laptops works and the vulnerability. Lest you think this is only a Windows issue, the software is also used on Macs, although Apple is not listed as an OEM partner.

In order for this vulnerability to be exploited the bad guy would need physical access to your laptop or remote access with Admin/root privileges. If you are running in User-mode, which should be an enforced policy, the risk drops significantly. The high risk exploits are:

  • A keylogger is installed and used to capture your passwords which, for example, you use to access your bank accounts
  • An agent is installed that enables the bad guy to retrieve whatever data is stored on the system, such as intellectual property, financial records, etc.

There are always trade-offs in technology. By definition, adding features increases the attack surface. The good news is that LoJack for Laptops reduces the risk of disclosing information on lost or stolen laptops. The bad news is that by using it, you are increasing the risk of a rootkit-like attack on the laptop.

03. August 2009 · Comments Off on Vendor “fined” by customer for lax security that resulted in an incident · Categories: Breaches, Risk Management, Security Management, Vendor Liability · Tags: , , , , , , ,

Richard Bejtlich reports on a story that appeared in the Washington Times last week, "Apptis Inc., a military information technology provider, repaid
$1.3 million of a $5.4 million Pentagon contract after investigators
said the company provided inadequate computer security and a
subcontractors system was hacked from an Internet address in China
…"

As Richard said, this may be a first. When is this going to happen in the commercial market?

Detailed
empirical data on IT Security breaches is hard to come by despite laws like
California SB1386.
So
there is much to be learned from Verizon Business’s April 2009 Data Breach
Investigations Report
.

The specific issue I would like to highlight now is the
section on methods by which the investigated breaches were discovered (Discovery
Methods, page 37). 83% were discovered by third parties or non-security employees
going about their normal business. Only 6% were found by event monitoring or
log analysis. Routine internal or external audit combined came in at a rousing
2%.

These numbers are truly shocking considering the amount
of money that has been spent on Intrusion Detection systems, Log Management
systems, and Security Information and Event Management systems. Actually, the
Verizon team concludes that many breached organizations did not invest sufficiently
in detection controls. Based on my experience, I agree.

Given a limited security budget there needs to be a balance
between prevention, detection, and response. I don’t think anyone would argue against
this in theory. But obviously, in practice, it’s not happening. Too
often I have seen too much focus on prevention to the detriment of detection
and response.

In addition, these
numbers point to the difficulties in deploying viable detection controls, as there
were a significant number of organizations that had purchased detection
controls but had not put them into production. Again, I have seen this myself
as most of the tools are too difficult to manage and it’s difficult to implement
effective processes.