31. January 2010 · Top IT Security Risk stories of the week · Categories: Top Stories

Due to time constraints this week, I'm doing a new type of post. Rather than commenting on the stories I find most interesting, I am posting a list of stories I found interesting, without commentary. For each one, I provide the headline linked to the story and the first paragraph or two of the story so you can decide whether it's worth reading in its entirety.

Monday, January 25, 2010

What's Your DEP and ASLR Status? If you recall, Google says it was attacked by hackers based in China using a zero-day vulnerability in Internet Explorer. That vulnerability affected almost all versions of IE, but on some configurations the attack was mitigated by system-wide exploit defenses like DEP and ASLR.
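
As an added example (not part of the linked story or of this post), here is a Python check for the two flags that story is about: a PE image opts in to DEP by setting IMAGE_DLLCHARACTERISTICS_NX_COMPAT and to ASLR by setting IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header's DllCharacteristics field. The `build_test_header` helper constructs a minimal, non-runnable PE header purely so the parser can be exercised offline; the flag combinations it builds are assumptions, not taken from any real binary.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image can be relocated: ASLR opt-in
NX_COMPAT = 0x0100        # image is DEP-compatible: DEP opt-in
HIGH_ENTROPY_VA = 0x0020  # 64-bit images only: high-entropy ASLR
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(data):
    """Return (optional header magic, DllCharacteristics) from a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return magic, flags


def mitigation_status(data):
    """Summarise the DEP/ASLR opt-in state of one PE image."""
    magic, flags = dll_characteristics(data)
    is_64bit = magic == PE32PLUS_MAGIC
    return {
        "pe32plus": is_64bit,
        "dep": bool(flags & NX_COMPAT),
        "aslr": bool(flags & DYNAMIC_BASE),
        "high_entropy_aslr": is_64bit and bool(flags & HIGH_ENTROPY_VA),
    }


def build_test_header(magic, flags):
    """Constructed minimal PE header (not a runnable executable), used only to
    exercise the parser offline. Assumption: a 96-byte optional header is enough."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Pass real .exe/.dll paths on the command line; with none, show the two
    # constructed headers (a hardened 64-bit image and a legacy 32-bit one).
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, mitigation_status(fh.read()))
    else:
        hardened = build_test_header(PE32PLUS_MAGIC, NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA)
        print("hardened", mitigation_status(hardened))
        print("legacy  ", mitigation_status(build_test_header(PE32_MAGIC, 0)))
```

Two caveats when reading the output. The flags are only a request: Windows XP has no ASLR at all, and DEP there depends on hardware NX support and the system policy, so an image that opts in still gets nothing on an XP desktop. And a 2001-era binary such as IE6 predates both flags, which is one reason the Aurora exploit worked against it while the same bug was much harder to exploit in a newer browser on Vista or Windows 7.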

Flaws in the 'Aurora' Attacks  The attackers who unleashed the recent wave of targeted attacks against Google, Adobe, and other companies made off with valuable intellectual property and source code and shocked the private sector into the reality of state-sponsored cyberespionage, but they also made a few missteps along the way that may have prevented far worse damage.

Tuesday, January 26, 2010

'Aurora' code circulated for years on English sites; Where's the China connection?  An error-checking algorithm found in software used to attack Google and other large companies circulated for years in English-language books and websites, casting doubt on claims that it provided strong evidence that the malware was written by someone inside the People's Republic of

Aurora-style attacks swiped oil field data from energy giants; Social networks implicated in planning Google assault   At least three US oil giants were hit by cyberattacks aimed at stealing secrets in the months before the high-profile Operation Aurora attacks against Google, Adobe et al in December.

Targeted attacks against Marathon Oil, ConocoPhillips, and ExxonMobil took place in 2008 and followed the same pattern as the later Aurora assaults. Information harvested by the attacks included "bid data" that gave information on new energy discoveries, according to documents obtained by the Christian Science Monitor.

Wednesday, January 27, 2010

Hydraq (aka Aurora) attack's resiliency uncovered   Security researchers continue to peel back the layers on the Trojan.Hydraq, aka Operation Aurora, attacks first reported publicly earlier this month, and the techniques the threat employed to stay alive on infected machines were apparently neither cutting-edge nor particularly sophisticated.

According to researchers with Symantec, who have published a series of blogs examining various technical elements of the Trojan.Hydraq campaign, the attack used methods commonly observed in other malware to remain alive inside the organizations it infiltrated and to restart after a system reboot.

Cost of data breaches increased in 2009; Ponemon Institute research says malicious attacks are the most costly breaches   The cost of data breaches continues to rise, and malicious attacks accounted for more of them in 2009 than in previous years, according to a study published today.

In conjunction with study sponsor PGP Corp., Ponemon Institute today released the results of its fifth annual "U.S. Cost of a Data Breach" report. The news isn't good, according to the research firm's founder, Larry Ponemon.

Personal data stolen? Don't count on being told promptly  Andrea Rock of Consumer Reports highlights one of the findings of the new Ponemon report: Not only are data breaches from criminal attacks on U.S.-based companies' financial and customer data on the rise, but your odds of being promptly informed if you're a breach victim aren't very high, according to a new data breach report just released by the Ponemon

The rise of point-and-click botnets  This post highlights a graphic from Team Cymru, a group that studies online attacks and other badness in the underground economy. It suggests an increasing divergence in the way criminals are managing botnets, those large amalgamations of hacked PCs that are used for everything from snarfing up passwords to relaying spam and anonymizing traffic for the bad guys, to knocking a targeted host or Web site offline.

Where art thou Conficker?  Researchers noted this week that the buzzworthy Trojan.Hydraq campaign that was used to hack Google and some other tech giants employed some of the same techniques used by our dear old pal Conficker to remain resident on infected PCs. Which causes one to ponder what happened to this attack, which a year ago captured the interest of so many people for some particular

Thursday, January 28, 2010

Haiti spam leads to new malware  As rescue efforts continue in Haiti, the world
waits with bated breath for more good news about survivors.
Unfortunately, while most people are thinking of ways to help victims,
cybercriminals are using the tragedy to further their own malicious
causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to FAKEAV infections. However, the most recent FAKEAV run appears to be only the start of more Haiti-related malware attacks.

Friday, January 29, 2010

The state of computer security in the UK  eSecurity Planet reports: British security consulting firm 7Safe and the University of Bedfordshire have released the UK Security Breach Investigations Report 2010, which looks at the current state of computer security in the UK through an analysis of actual data breaches.

Key findings include the fact that 69 percent of data compromises occurred in the retail sector, 85 percent of cases resulted in stolen payment card information, and SQL injection was used in 60 percent of

Simmering over a 'Cyber Cold War'  New reports released this week on recent, high-profile data breaches make the compelling case that a simmering Cold War-style cyber arms race has emerged between the United States and China.

A study issued Thursday by McAfee and the Center for Strategic and International Studies found that more than half of the 600 executives surveyed worldwide said they had been subject to "stealthy infiltration" by high-level adversaries, and that 59 percent believed representatives of foreign governments had been involved in the attacks.

Here is a link to another story about the above-mentioned McAfee survey.

CIA, PayPal under bizarre SSL assault   The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that's bombarding their websites with millions of compute-intensive requests.

The "massive" flood of requests is made over the websites' SSL (Secure Sockets Layer) port, causing them to consume more resources than normal connections, according to researchers at the Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.

Saturday, January 30, 2010

A tad too late, Google begins phase-out of IE6  Not long after a Google employee running Internet Explorer 6 was hacked, creating an international incident, Google has announced that it will begin withdrawing support for IE6 in its own services.

New security features in Google Chrome  Google has announced a number of security enhancements that are being implemented in Chrome. Some have already been implemented in other browsers, including Firefox and IE and in significant add-ons like NoScript.

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about the ridiculously long support cycles that Microsoft's corporate customers demand. Why any organization would allow the use of this nine-year-old browser is a mystery to me, especially at Google!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate the perhaps obvious point that a defense-in-depth security architecture can minimize the risk from this kind of exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

16. January 2010 · Google discloses breach and new threat type from China – Advanced Persistent Threats · Categories: Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft

Earlier this week Google took the unprecedented step of disclosing a breach that it was not legally required to disclose. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First, regarding disclosure: IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do, and avoid overreacting to vendor scare tactics, by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches that federal and many state governments had to pass laws forcing organizations to disclose breaches when customer or employee personal information is stolen.

Regarding the attack itself, it represents a relatively new type of attack called the "advanced persistent threat" (APT), which in the past had primarily been aimed at governments. Now APTs are targeting companies to steal intellectual property. McAfee describes the combination of spear phishing, zero-day exploits, and custom-crafted malware here. The implications:

The world has changed. Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.

Gunter Ollmann, VP of Research at Damballa, discusses APTs further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother "botnets", are meaningless without that tether – which is more often labeled as Command and Control (CnC).
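
To make the "tether" concrete, here is an added example of the simplest CnC detection that works on data most organizations already have: outbound proxy logs. It is my illustration, not Damballa's code or anything from Ollmann's post. An implant that checks in on a timer produces connections to the same host at near-identical intervals, which a human never does, so the script groups connections by (client, host) and flags pairs whose inter-connection gaps have a low coefficient of variation. The log lines are constructed for the example, and the five-field line format is an assumption; adapt `parse_log` to your proxy's format.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (not real traffic). Assumed line format:
# "<ISO-8601 timestamp> <client> <method> <host> <status>"
SAMPLE_LOG = """\
2010-01-27T09:00:00 10.1.1.5 GET update.example-cdn.test 200
2010-01-27T09:00:00 10.1.1.5 GET mail.example.test 200
2010-01-27T09:05:01 10.1.1.5 GET update.example-cdn.test 200
2010-01-27T09:07:13 10.1.1.5 GET news.example.test 200
2010-01-27T09:10:00 10.1.1.5 GET update.example-cdn.test 200
2010-01-27T09:11:40 10.1.1.5 GET mail.example.test 200
2010-01-27T09:14:59 10.1.1.5 GET update.example-cdn.test 200
2010-01-27T09:20:02 10.1.1.5 GET update.example-cdn.test 200
2010-01-27T09:24:58 10.1.1.5 GET update.example-cdn.test 200
2010-01-27T09:30:00 10.1.1.5 GET update.example-cdn.test 200
2010-01-27T09:33:10 10.1.1.5 GET mail.example.test 200
2010-01-27T09:58:44 10.1.1.5 GET news.example.test 200
"""


def parse_log(log_text):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]


def find_beacons(log_text, min_connections=5, max_cv=0.2):
    """Return (client, host, count, median_gap_seconds, cv) for every client->host
    pair whose connections are spaced regularly enough to look like automated
    check-ins. cv is the coefficient of variation of the inter-connection gaps:
    a person browsing a site produces a high cv, a sleep(300) loop a very low one."""
    stamps_by_pair = defaultdict(list)
    for ts, client, host in parse_log(log_text):
        stamps_by_pair[(client, host)].append(ts)

    hits = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # identical timestamps: a burst of requests, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((client, host, len(stamps), statistics.median(gaps), round(cv, 4)))
    return sorted(hits, key=lambda h: h[4])


if __name__ == "__main__":
    for client, host, n, median_gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} connections, every ~{median_gap:.0f}s (cv={cv})")
```

On the sample the 5-minute check-ins to update.example-cdn.test are flagged and the irregular mail and news traffic is not. In production this is a first-pass filter rather than a verdict: legitimate software updaters beacon too, so rank hits by host age and reputation, and expect adversaries who add jitter or sleep for hours to push the cv above the threshold, which is why Ollmann's point about breaking the tether (blocking or sinkholing the CnC host once identified) matters more than any single detection heuristic.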

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of default HTTPS access for Gmail.

Indeed, the threat landscape has changed.

10. January 2010 · Heartland to pay Visa up to $60 million for its 130 million credit card data breach in 2008 · Categories: Breaches, Legal

Heartland Payment Systems has agreed to pay up to $60 million to Visa and Visa-issuing banks for its 2008 breach, in which data on over 130 million credit cards was exposed. The press release offers very little in the way of details and simply says, "Visa will present the details of the settlement in coming days."

A key question is whether this settlement includes the issuing banks' costs for reissuing cards or just losses due to actual card fraud directly related to the illegal use of the stolen card data.

Recently, credit unions that issue credit cards, together with their insurance company, lost a lawsuit they had filed against BJ's and its acquiring bank, Fifth Third, for losses they incurred as a result of BJ's 2004 breach. The key difference with the Heartland settlement is that Visa was directly involved in the negotiations. If Visa were to terminate Heartland's Visa card processing contract, it could be an existential blow to Heartland.

The amount of this settlement blows well past the $12 million CEO Bob Carr said Heartland set aside when he announced the $3.6 million settlement with American Express. Of course, it may be years before we know (if we ever find out) exactly how much Heartland actually has to pay.

05. January 2010 · Adobe PDF exploit detected by only four of 41 anti-virus vendors · Categories: Malware

The Register is reporting on an "unusually sophisticated attack" exploiting the well-known Adobe PDF vulnerability; the malicious PDF was detected by only four of the 41 anti-virus engines on VirusTotal.

As Computerworld and others reported in mid-December, Adobe chose to release the patch to this vulnerability in its normal cycle on January 12, 2010 instead of rushing it out as soon as it was ready.

05. January 2010 · More details on the security risks of IDNs · Categories: Malware, Phishing

A few days ago I wrote about the risks of non-ASCII domain names, i.e. Internationalized Domain Names (IDNs). Trend Micro's security research group, TrendLabs, has just released a detailed analysis of the security risks of IDNs.
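
The core IDN risk is the homograph: a label whose non-ASCII letters render like an ASCII brand name. As an added example (mine, not from the TrendLabs analysis or my earlier post), the Python below decodes punycode (xn--) labels with the standard library's idna codec and applies the two checks a browser or mail gateway can make: does a label mix letters from more than one script, and does mapping its confusable letters to their Latin look-alikes produce a plain ASCII name that differs from what was actually registered. The confusables table is a small hand-picked subset of the Unicode confusables data, and the sample hostnames are constructed for the example.

```python
import unicodedata

# Cyrillic and Greek letters that render like Latin ones. This is a small subset
# of the Unicode confusables list, chosen for the example; extend it for real use.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03bf": "o", "\u03b1": "a",
}
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def script_of(ch):
    """Coarse script name derived from the character's Unicode name."""
    if not ch.isalpha():
        return "COMMON"  # digits and hyphen belong to every script
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def to_unicode(hostname):
    """Decode any xn-- (punycode) labels; leave Unicode labels as they are."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def analyze(hostname):
    """Flag mixed-script labels and whole-script look-alikes of ASCII names."""
    uni = to_unicode(hostname)
    mixed, skeleton_labels = [], []
    for label in uni.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append(label)
        skeleton_labels.append("".join(CONFUSABLE_TO_LATIN.get(c, c) for c in label))
    skeleton = ".".join(skeleton_labels)
    # A name whose confusables collapse to a different, all-ASCII name is a look-alike
    lookalike = skeleton != uni and skeleton.isascii()
    return {
        "unicode": uni,
        "skeleton": skeleton,
        "mixed_script_labels": mixed,
        "suspicious": bool(mixed) or lookalike,
    }


if __name__ == "__main__":
    # Constructed samples: Cyrillic+Latin "раураl", all-Cyrillic "аррӏе", a real
    # German IDN, and a plain ASCII name.
    for host in ("\u0440\u0430\u0443\u0440\u0430l.com", "\u0430\u0440\u0440\u04cf\u0435.com",
                 "m\u00fcnchen.de".encode("idna").decode("ascii"), "PayPal.com"):
        r = analyze(host)
        print(f"{host!r:32} -> {r['skeleton']:14} suspicious={r['suspicious']}")
```

The whole-script case matters because the mixed-script rule alone misses it: an all-Cyrillic label passes a "single script" check yet still renders as the brand name, which is why the skeleton comparison is needed as well. Legitimate IDNs such as münchen.de survive both checks because their non-ASCII letters are Latin and have no ASCII look-alike in the table.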

05. January 2010 · Intranets becoming high priority again. What about security? · Categories: Application Security, Next Generation Firewalls

ReadWriteEnterprise is reporting, via Jakob Nielsen's annual report, that Intranets "are becoming a higher priority for organizations. Intranet teams are growing in size, and the best of them are embracing new trends such as mobile accessibility and social networking."

Unfortunately there is no mention of security. Intranet applications like SharePoint are not well protected by traditional port-based firewalls, which see only HTTP or HTTPS traffic and cannot tell one web application, or one operation within it, from another. You need to look to "next generation" firewalls, with application-level identification and control, as defined by Gartner, Forrester, and others.

Update: The Gartner link above will only work for Gartner customers unless you want to pay for the report. Fortunately, Palo Alto Networks, a next generation firewall vendor, has posted the full Gartner next generation firewall report.

05. January 2010 · FTC to investigate cloud computing · Categories: Legal, Privacy

ReadWriteEnterprise is reporting via The Hill, that "the Federal Trade Commission (FTC) has opened an investigation into the privacy and security implications of cloud computing."

Given the FTC's aggressive Red Flags Rule program, I would not be surprised if more regulations will be forthcoming. BTW, after many delays, the Red Flags Rule is planned to go into effect on June 1, 2010.

03. January 2010 · BJ's Wholesale Club and acquiring bank not liable for third party expenses resulting from the 2004 breach · Categories: Breaches, Legal

In mid-December, the Massachusetts Supreme Judicial Court affirmed the earlier dismissal of the case that credit card issuing credit unions and their insurance company had filed against BJ's Wholesale Club and its acquiring bank for expenses incurred as a result of BJ's 2004 breach. Articles here, here, and here review the details.

The key to the dismissal of the lawsuit was the clause in the contract between BJ's and Fifth Third Bank, BJ's acquiring bank, which said, "This agreement is for the benefit of, and may be enforced only by, (Fifth Third) and (BJ's) … and is not for the benefit of, and may not be enforced by, any third party."

The court is saying that the two parties to an agreement (merchant and acquiring bank), an agreement the court well understands to be part of an overall process (credit card transactions) that involves two other specific third parties (the card-issuing banks and their customers, the cardholders), can simply agree that the benefit of their agreement does not extend to those third parties.

The opinion goes on to say (page 17) that the plaintiffs could have filed claims against Visa and MasterCard. The implication is that they did not. Why not? Perhaps the issuing banks were concerned that Visa and MasterCard would revoke their contracts to issue credit cards, a far greater loss of fees than the expenses they incurred as a result of the breach.

Or perhaps there is an understanding by issuing banks that in the case of a breach at a merchant, they are liable for their own breach-related expenses. In fact, CUMIS Insurance Society, a plaintiff in the lawsuit, insured these credit unions against losses due to fraudulent transactions.

Clearly these issuing banks bought insurance because they understood their risk and shifted it to the insurance company. Unfortunately for them, they only insured against fraudulent transactions, not the replacement of cards of customers whose credit card information was breached.

Furthermore, page 23 of the opinion states, "they [plaintiffs] continue to participate as issuers in the Visa and MasterCard system and to rely on the regulations [Visa's and MasterCard's] because the system is 99.94 per cent effective." And of course, they buy insurance to cover fraudulent transactions.

In summary, it appears that this judgment and the other similar judgments in similar cases make sense because the losses to credit card issuers and insurance companies are just part of the cost of doing business. Of course the banks and credit unions could get out of the credit card business if their losses become too high. Regarding CUMIS, if it feels its losses are too high, it can either raise its rates or exit the fraudulent credit card transaction insurance market. The bottom line is that the system is working.

02. January 2010 · RAM Scraping – new attack vector · Categories: Malware

RAM scraping is a new type of malware being tracked by the security forensics team at Verizon Business. A good article describing it is here. The malware reads payment card data out of the memory of the application that handles it, where the data sits in cleartext between being read from the card and being encrypted for transmission, so encryption on disk and on the wire does not protect it.

RAM scraping attacks were first seen targeting point-of-sale (POS) terminals as a way to get credit card information. However, as users increase the use of password managers to mitigate the risks of phishing and keyloggers, I can see RAM scraping attacks increasing in popularity.
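
What a POS RAM scraper actually looks for is the magnetic-stripe track data, which has a rigid layout (Track 2: `;PAN=YYMM...?`, Track 1: `%BPAN^NAME^YYMM...?`), and the same pattern match is what a forensic analyst runs over a memory dump to find out whether card data was exposed. As an added example (mine, not from the Verizon Business article), the Python below scans a byte buffer for both track layouts and keeps only hits whose PAN passes the Luhn check, which is what separates card data from random digit runs. The memory excerpt is constructed, with the standard 4111… and 5555… test card numbers and a decoy that fails Luhn; in practice you would feed it a process dump taken with your memory-acquisition tool of choice.

```python
import re

# Constructed process-memory excerpt (not a real dump): two valid card records
# surrounded by filler, plus a decoy that matches the Track 2 layout but fails Luhn.
SAMPLE_MEMORY = (
    b"\x00" * 24 + b"PosTerminal.exe\x00" + b"\x90\x90\x90"
    + b";4111111111111111=15121011000012345678?"                   # Track 2, test PAN
    + b"\x00\xff\x00\xff" * 8
    + b"%B5555555555554444^DOE/JOHN^1512101000000000000000000000?"  # Track 1, test PAN
    + b"\x41" * 16
    + b";4111111111111112=15121010000000000?"                       # decoy: bad check digit
    + b"\x00" * 24
)

# Track 2: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM service-code discretionary '?'
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})[^?]*\?")


def luhn_ok(digits):
    """Luhn check digit validation for a PAN given as a decimal string."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(pan):
    """Keep only BIN (first 6) and last 4, the usual PCI-safe display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf):
    """Return (offset, track_type, masked_pan, expiry_yymm) for every Luhn-valid
    Track 1 or Track 2 record in the buffer, ordered by offset."""
    findings = []
    for kind, pattern, expiry_group in (("track1", TRACK1, 3), ("track2", TRACK2, 2)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue        # layout matched but it is not a real card number
            expiry = m.group(expiry_group).decode("ascii")
            findings.append((m.start(), kind, mask(pan), expiry))
    return sorted(findings)


if __name__ == "__main__":
    for offset, kind, masked_pan, expiry in scan_for_track_data(SAMPLE_MEMORY):
        print(f"0x{offset:08x} {kind}: {masked_pan} exp {expiry}")
```

Two points worth noting from running it. The decoy is dropped even though it is byte-for-byte a Track 2 record, so the Luhn filter is the difference between a usable finding and a page of false positives; and the scanner reports only masked PANs, because a forensic tool that writes full card numbers to its own output has just created a second copy of the data the attacker was after.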