The U.S. Federal Trade Commission has notified nearly 100
organizations that data from their networks has been found on
peer-to-peer file-sharing networks, the agency said on Monday.
The FTC notices went to private and public entities, including schools
and local government agencies and organizations with as few as eight
employees to as many as tens of thousands, the FTC said in a statement.
The sensitive information about customers and employees that was leaked
could be used to commit identity fraud, conduct corporate espionage,
and for other crimes.
Unfortunately file sharing based on peer-to-peer technology is only a part of the problem. Some firewalls and most intrusion prevention systems (IPSs) can block peer-to-peer file sharing. However, the problem is actually much worse – the growth of browser-based file sharing applications designed to bypass most firewalls and IPSs.
Palo Alto Networks, a next-generation (as defined by Gartner) firewall vendor, recognizes and can control or block 88 different file sharing sharing applications. Of these, 40 use peer-to-peer technology, 39 are browser-based, and 9 are client-server. Therefore if your network security infrastructure can control or block peer-to-peer file sharing, you are solving less than half the problem.
For more information about the hundreds of applications that ought to be controlled or blocked, go to Palo Alto Network's Applipedia.
An amusing image from Adam Shostack's blog to help you understand when to use pie charts, i.e. never. The yellow = the pie not eaten, the silver = the pie that's been eaten.
For each weakness this report provides a Description, Prevention and Mitigation techniques, and links to more reference material. This is well worth reading.
While the term, Advanced Persistent Threat (APT) is not a new term, it is being used much more often since the breach announcement Google made in January. I wrote about it here and here.
Mandiant, a security consulting firm, defines the APT "as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China." You can read more about what they have to say here.
Mandiant did a webinar on February 18 called Malware Behaving Badly, in which they compared Mass Malware Threats to Advanced Persistent Threats. As of today, Feb 20, Mandiant has not posted the webinar on its site.
Richard Bejtlich defined APT in this January 16, 2010 blog post:
Advanced means the adversary can operate in the full
spectrum of computer intrusion. They can use the most pedestrian
publicly available exploit against a well-known vulnerability, or they
can elevate their game to research new vulnerabilities and develop
custom exploits, depending on the target's posture.
Persistent
means the adversary is formally tasked to accomplish a mission. They
are not opportunistic intruders. Like an intelligence unit they receive
directives and work to satisfy their masters. Persistent does not
necessarily mean they need to constantly execute malicious code on
victim computers. Rather, they maintain the level of interaction needed
to execute their objectives.
Threat means the
adversary is not a piece of mindless code. This point is crucial. Some
people throw around the term "threat" with reference to malware. If
malware had no human attached to it (someone to control the victim,
read the stolen data, etc.), then most malware would be of little worry
(as long as it didn't degrade or deny data). Rather, the adversary here
is a threat because it is organized and funded and motivated. Some
people speak of multiple "groups" consisting of dedicated "crews" with
various missions.
Bejtlich goes on to itemize APT objectives, which interestingly does not include stealing money:
Political objectives that include continuing to suppress its own population in the name of "stability."
Economic objectives
that rely on stealing intellectual property from victims. Such IP can
be cloned and sold, studied and underbid in competitive dealings, or
fused with local research to produce new products and services more
cheaply than the victims.
Technical objectives that
further their ability to accomplish their mission. These include
gaining access to source code for further exploit development, or
learning how defenses work in order to better evade or disrupt them.
Most worringly is the thought that intruders could make changes to
improve their position and weaken the victim.
Mike Cloppert, a security engineer at Lockheed Martin, wrote about APTs in mid-2009 in his Security Intelligence series of blog posts. In Security Intelligence: Introduction (pt 1), he defines APT as "any sophisticated adversary engaged in information warfare in support of long-term strategic goals." Note his focus on the adversary and goals rather than just the techniques.
In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second the focus is on stealing intellectual property rather than money to advance the adversary's strategic technical, economic, political, and military goals.
Trustwave's recently published 2010 Global Security Report shows that the top two attack vectors, by far, resulting in breaches are Remote Access Applications and Third Party Connections. Here is the list of the top five:
> 95% Remote Access Application
> 90% Third Party Connection
> 15% SQL Injection
> 10% Exposed Services
< 5% Remote File Inclusion
Clearly for each breach they investigated, there was more than one attack vector. It's also important to note that 98% of their investigations were on Payment Card Data breaches. No surprise since Trustwave is focused primarily on PCI compliance. The report does not indicate what percentage of the breaches occurred at organizations for which Trustwave was the QSA.
Regardless of these caveats, I believe it is worthwhile to note the total dominance of Remote Access Application and Third Party Connections.
It is imperative that organizations upgrade their firewalls to provide network segmentation (zoning) and to be able to recognize and control the use of most major application categories including Remote Access Applications.
Unfortunately you will have to register here to get the full report.
IEEE Spectrum published an article about three techniques for hiding information in VoIP calls, thus showing again that bits are bits.
Hiding secret messages in MP3 or video files has been done for many years. From the bad guys perspective, there is the problem that copies of these files are left on many servers when they are transmitted by email for example, and therefore can be investigated after the actual transmission is completed.
Hiding information in the VoIP protocol itself leaves nothing behind to be investigated.
DarkReading published a good article about breaches caused by malicious insiders who get direct access to databases because account provisioning is poor and there is little or no database activity monitoring.
There are lots of choices out there for database activity monitoring but only three methods, which I wrote about here. I wrote about why database security lags behind network and end-point security here.
The February 2010 issue of Information Security magazine has a face-off between Bruce Schneier, the realist, and Marcus Ranum, the dreamer, on the topic of anonymity on the Internet.
Schneier says attempting to eliminate anonymity cannot work. More importantly, he goes on to say:
"Mandating
universal identity and attribution is the wrong goal. Accept that there
will always be anonymous speech on the Internet. Accept that you'll
never truly know where a packet came from. Work on the problems you can
solve: software that's secure in the face of whatever packet it
receives, identification systems that are secure enough in the face of
the risks. We can do far better at these things than we're doing, and
they'll do more to improve security than trying to fix insoluble
problems."
American Medical News reported today (Feb 1, 2010) that the first lawsuit has been filed by a state Attorney General for a personal medical information privacy violation under the HITECH Act. The HITECH Act, part of the 2009 stimulus bill, was designed to strengthen HIPAA, which until then had limited penalties for violations.
If the HITECH Act itself was not enough of a wake up call, this lawsuit surely ought to be.
