MadMark's Blog

Balance convenience with security.

Welcome!

This is my blog.  There are many others like it, but this one is mine…  (Full Metal Jacket)

Hopefully, I will remember to take good care of this blog, and update it often.  No promises, as real life tends to get in the way of things such as this.

The bulk of the information found here will be security awareness related, focusing on Vulnerability Management and Incident Response.  Going forward I will be trying to include more Privacy and Disaster Recovery items.  I will try not to over-post with news items, and will seek to post only the news stories that I feel are relevant and important to be aware of.  Anyway, poke around, drop me a line, tell me what you think should be here, and maybe what shouldn’t.

TRADEWARS RISING

November 14, 2008 Posted by | Uncategorized, WhAtEvEr | Comments Off

Anonymous ‘FFF’ Attack Schedule

Oh, for crying out loud.  Why don’t these guys just go away?   According to Wired, Anonymous is giving itself a weekly deadline now: a new attack every Friday.  How entertaining.  Following the Tuesday compromise of tear gas maker Combined Systems’ website, Antisec attacked a Federal Trade Commission webserver which hosts 3 FTC websites.  They claim this hack was in opposition to the controversial international ACTA copyright treaty, widely protested around the world for its potential impact on freedom of expression.

Those responsible for this week’s attacks spoke with Wired, and claimed that the attacks renewed a promise, previously noted in the defacement of the Combined Systems site and reiterated on the FTC websites: “every Friday will bring a new attack against government and corporate sites under the theme of #FFF” (‘F’ the Feds Friday).

They say they will try to strike a balance between protest defacements like the two most recent ones and releasing material that can damage firms and agencies.   Jerry Irvine of the National Cyber Security Task Force told the New York Times last week that attacks would become more frequent, describing the collective as “unstoppable” because of the poor state of online security.

February 17, 2012 Posted by | Help!, Industry, Security Info | Comments Off

-=[ Busted ]=- Six Trillion In Fake Bonds

On the other side of the pond, a record $6 trillion of fake US Treasury bonds were seized by Italian anti-mafia prosecutors.  The bonds were uncovered in hidden compartments in three safety deposit boxes in Zurich.  Bloomberg reports that Italian authorities arrested eight people in connection with the probe, dubbed Operation Vulcanica.

The Italian authorities also uncovered fraudulent checks issued through HSBC Holdings in London, and another $2 billion of fake bonds in Rome.  Those involved in the financial fraud case were apparently planning to buy plutonium from Nigeria, according to police monitored phone conversations.

Good work guys.  I hope they round up all involved, especially those with the plutonium.  You know that stuff isn’t going to be used to power wind up toys.

February 17, 2012 Posted by | Help!, Industry, Security Info | Comments Off

North American Medical Records At Risk

While you are sitting patiently during your typical 5-6 hour emergency room visit, ever wonder just how safe your records are at the doctor’s office?  Are ya ready to puke?

91% of small healthcare practices (fewer than 250 employees) in North America say they have suffered a data breach in the past 12 months.

The Ponemon Institute recently conducted a survey, commissioned by MegaPath, asking more than 700 healthcare organizations’ IT and administrative staff about breaches.  Among the findings:

  • 70% say their organizations either don’t have or are unsure if they have, sufficient budget to meet governance, risk, and compliance requirements.
  • 55% of respondents had to notify patients of a data breach in the previous 12 months.
  • 52% of respondents rated their security technology plans as “ineffective”.
  • 43% of respondents had experienced medical identity theft in their organizations.
  • 31% say management considers data security and privacy a top priority.  (69% not so much?)
  • 29% say breaches have resulted in medical identity theft.
  • More than a third have not assigned responsibility for patient data protection to anyone in particular.
  • Approximately half say less than 10% of IT’s budget goes to data security tools.

Data breaches of patient information cost healthcare organizations nearly $6 billion annually, and many breaches go undetected.  Protecting patient data appears to remain a low priority for hospitals and doctors’ offices, and these organizations have little confidence in their ability to secure patient records.  They are putting individuals at increased risk for medical identity theft, financial theft, and exposure of private information.

Are ya feeling warm and fuzzy yet?  Read the whole report.

February 17, 2012 Posted by | Help!, Industry, Security Info | Comments Off

Canadian’s Online Privacy At Risk

From the “I can’t believe this is Canada” file, the government is pushing a new “lawful access” bill, basically granting the police and government officials the rights and means to freely and on a hunch, spy on your internet usage.  Assuming that if you have nothing to hide, you should have no fear of arbitrary search and seizure, of course.

Michael Geist has a good article about the bill and why it is crazy.  The insanity first becomes evident when Public Safety Minister Vic Toews tells people “You can stand with us, or you can stand with the child pornographers“.   As if everyone with a desire for online privacy and against widespread internet surveillance is somehow automatically “for” child pron!  Yep, there is no middle ground here.  Line up with the rest of ‘em, mate.

I agree with Tech Dirt’s post, this is totally ridiculous, and a cynical political move that assumes the Canadian public is stupid and will just roll over.  I sincerely hope that is not true, that there is enough outcry against this bill that it is thrown out faster than last week’s Metro.  Yes, it may be difficult and time consuming to obtain a judge’s consent in the form of a warrant, but you don’t just subtract an individual’s rights from the equation in the name of expediency and convenience for law enforcement.  You cannot and should not assume that the entire public is suspect, and then launch a witch hunt to see who floats and who sinks!

February 14, 2012 Posted by | Help!, Industry, Security Info | Comments Off

HSBC Under Investigation For Money Laundering?

Things are not looking good for HSBC bank.  A former employee in New York has 1,000 pages of account records he claims are evidence of an international money-laundering scheme involving hundreds of billions of dollars.  HSBC is reportedly under investigation by a US Senate committee.

John Cruz delivered the customer account records to WND that he says he pulled from the HSBC computer system (uh-oh, I do believe that this may constitute a crime as well) before he was fired after two years at the bank, for “poor performance”.  John claims that he was let go because he insisted on pursuing a personal investigation.  Apparently the police were not interested.

The scheme purportedly involved moving money through accounts belonging to fake and real businesses, opened in the names of current and previous customers without those customers’ knowledge.  Businesses doing thousands of dollars of business annually were transferring millions of dollars through these accounts.  Oh, I hope this turns out to be something else.  John is writing a book about it.  We really don’t need another banking scandal right now…

February 14, 2012 Posted by | Help!, Industry, Security Info | Comments Off

Busy Day For Patches

Happy Valentine’s Day everyone.  Our vendors are bringing us the gifts of security vulnerability patches.  Lots of them.  Yes, it’s extra work for our IT teams, but removing these vulnerabilities could mean that we all get to keep our jobs, and remain in business.  I was hearing on the news today that Nortel is now coming clean regarding the fact that hackers 0wn3d their network for roughly 10 years, with full and complete access to everything.

Wonder how they got that?

Where is Nortel today?  Something to think about…

Microsoft released the expected batch of 9 security bulletins:

  • MS12-008: Critical Remote Code Execution Vulnerabilities in Windows Kernel-Mode Drivers
  • MS12-009: Important Elevation of Privilege Vulnerabilities in Ancillary Function Driver
  • MS12-010: Critical Cumulative Security Update for Internet Explorer
  • MS12-011: Important Elevation of Privilege Vulnerabilities in Microsoft SharePoint
  • MS12-012: Important Remote Code Execution Vulnerability in Color Control Panel
  • MS12-013: Critical Remote Code Execution Vulnerability in C Run-Time Library
  • MS12-014: Important Remote Code Execution Vulnerability in Indeo Codec
  • MS12-015: Important Remote Code Execution Vulnerabilities in Microsoft Visio Viewer 2010
  • MS12-016: Critical Remote Code Execution Vulnerabilities in .NET Framework and Silverlight  (This one I would recommend holding off on, as Microsoft is expected to re-release after identifying a “metadata (logic) error”.)

Microsoft has also released Update Rollup 1 for Exchange Server 2010 SP2 http://www.microsoft.com/download/en/details.aspx?id=28809 to the Download Center.

Adobe released 2 Security Bulletins:

  • APSB12-02: Critical Security update available for Adobe Shockwave Player.  This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems.  These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
  • APSB12-04: Important Security update available for RoboHelp for Word.  This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows.  A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word.

There have also been vulnerabilities and patches announced for Mozilla Thunderbird and Firefox, and proof-of-concept code for an as yet unpatched local exploit in Yahoo Instant Messenger 11.5 has been released.

UPDATE: Oracle has also released patches fixing 14 vulnerabilities in:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 6 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
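As an added example for this post (not vendor code, and not something from the original page), here is a small Python checker that decides whether an installed Java or Shockwave build falls inside the affected ranges the two bulletins above quote: JDK/JRE 7 Update 2, 6 Update 30, 5.0 Update 33 and 1.4.2_35 and earlier, and Shockwave Player 11.6.3.633 and earlier.  The version boundaries are taken from those bulletins; the `java -version` sample text, the product labels in the findings, and the `check_host` wrapper are constructed here as assumptions.

```python
"""Flag installed Java and Shockwave builds that fall inside the affected
ranges quoted in the Oracle and Adobe bulletins above.

Added example for this post; not vendor code.  The affected-version
boundaries come from the bulletins as quoted; the sample `java -version`
text, the finding labels and the host-check wrapper are constructed here."""
import re
import subprocess
from typing import Optional

# Oracle, Feb 2012 CPU: "JDK and JRE 7 Update 2 and earlier", 6u30, 5.0u33,
# 1.4.2_35.  Keyed by (major, minor) family; value is the newest affected
# build of that family, inclusive.  Families not listed here (e.g. 1.8)
# did not exist at the time, so they are reported as not affected.
JAVA_AFFECTED_MAX = {
    (1, 7): (1, 7, 0, 2),
    (1, 6): (1, 6, 0, 30),
    (1, 5): (1, 5, 0, 33),
    (1, 4): (1, 4, 2, 35),
}

# Adobe APSB12-02: Shockwave Player 11.6.3.633 and earlier.
SHOCKWAVE_AFFECTED_MAX = (11, 6, 3, 633)

# `java -version` prints a banner line such as:  java version "1.6.0_30"
_JAVA_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[tuple]:
    """Return (major, minor, patch, update) from `java -version` output.

    The update number after '_' is optional in old builds; missing means 0.
    Returns None when no version banner is found."""
    m = _JAVA_VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def java_is_affected(version: tuple) -> bool:
    """True when the build is at or below the newest affected build of its family."""
    newest_affected = JAVA_AFFECTED_MAX.get(version[:2])
    if newest_affected is None:
        return False
    return version <= newest_affected


def parse_dotted(version: str) -> tuple:
    """'11.6.3.633' -> (11, 6, 3, 633)."""
    return tuple(int(part) for part in version.strip().split("."))


def _padded(v: tuple, width: int) -> tuple:
    """Right-pad with zeros so '11.6.3' compares as 11.6.3.0, not as a prefix."""
    return v + (0,) * (width - len(v))


def shockwave_is_affected(version: str) -> bool:
    """True for Shockwave Player 11.6.3.633 and earlier ("and earlier" is inclusive)."""
    v = parse_dotted(version)
    width = max(len(v), len(SHOCKWAVE_AFFECTED_MAX))
    return _padded(v, width) <= _padded(SHOCKWAVE_AFFECTED_MAX, width)


def local_java_version_output() -> Optional[str]:
    """Run `java -version` on this host; the JVM writes the banner to stderr.
    Returns None when no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


def check_host(java_output: Optional[str], shockwave_version: Optional[str]) -> list:
    """Collect human-readable findings for one host; an empty list means nothing to patch."""
    findings = []
    if java_output:
        jv = parse_java_version(java_output)
        if jv is None:
            findings.append("java: could not parse version output")
        elif java_is_affected(jv):
            findings.append("java %d.%d.%d_%02d is affected by the Feb 2012 Java CPU" % jv)
    if shockwave_version and shockwave_is_affected(shockwave_version):
        findings.append("shockwave %s is affected by APSB12-02" % shockwave_version)
    return findings


# Constructed sample banner for a Java 6 Update 30 install (the newest affected 6 build).
SAMPLE_JAVA_OUTPUT = """java version "1.6.0_30"
Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
Java HotSpot(TM) 64-Bit Server VM (build 20.5-b03, mixed mode)
"""

if __name__ == "__main__":
    for line in check_host(SAMPLE_JAVA_OUTPUT, "11.6.3.633"):
        print(line)
    live = local_java_version_output()
    if live:
        print("local java:", parse_java_version(live))
```

Java writes its version banner to stderr, which is why `local_java_version_output` captures both streams.  “And earlier” is treated as inclusive, and a family the bulletin does not list (for example 1.8) is reported as not affected rather than guessed at; widen `JAVA_AFFECTED_MAX` when a later CPU changes the boundaries.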

Start planning, testing, and patching, folks.

February 14, 2012 Posted by | Help!, Industry, Security Info | Comments Off

Microsoft February Advance Notification

As usual, Microsoft has released their advance notification summary for patches expected to be released next Tuesday.

There are 7 bulletins addressing Remote Code Execution vulnerabilities, 4 of them rated Critical and 3 rated Important.  Generally, the differentiator between the two ratings has been the availability and ease of building exploit code, so those remaining 3 RCE bulletins may be escalated once exploit code appears; time may be the key factor there.  Prepare to patch these ASAP.

Bulletin ID   Maximum Severity   Vulnerability Impact     Restart Requirement   Affected Software
Bulletin 1    Critical           Remote Code Execution    Requires restart      Microsoft Windows
Bulletin 2    Critical           Remote Code Execution    Requires restart      Microsoft Windows, Internet Explorer
Bulletin 3    Critical           Remote Code Execution    Requires restart      Microsoft Windows
Bulletin 4    Critical           Remote Code Execution    May require restart   Microsoft .NET Framework, Microsoft Silverlight
Bulletin 5    Important          Elevation of Privilege   Requires restart      Microsoft Windows
Bulletin 6    Important          Elevation of Privilege   May require restart   Microsoft Office, Microsoft Server Software
Bulletin 7    Important          Remote Code Execution    May require restart   Microsoft Windows
Bulletin 8    Important          Remote Code Execution    May require restart   Microsoft Windows
Bulletin 9    Important          Remote Code Execution    May require restart   Microsoft Office

February 9, 2012 Posted by | Help!, Industry, Security Info | Comments Off

Foxconn Hacked

As if it wasn’t toxic enough out there, it looks like we have another group of hackers playing their little games on the Internet.  They claim that they are only in it for the thrill of destroying networks and impacting businesses.  Their claim to fame target?  Foxconn, the Asian firm that is under the microscope after a NY Times article exposing dismal working conditions and recent deaths of employees.

The Swagg Security group has released information on both Foxconn and its clients, which include Microsoft and Apple, stolen during an attack on the company, through Pastebin and Pirate Bay posts.

“Now as a first impression Swagg Security would rather not deceive the public of our intentions.  Although we are considerably disappointed of the conditions of Foxconn, we are not hacking a corporation for such a reason and although we are slightly interested in the existence of an iPhone 5, we are not hacking for this reason.  We hack for the cyberspace who share a few common viewpoints and philosophies. We enjoy exposing governments and corporations, but the more prominent reason, is the hilarity that ensues when compromising and destroying an infrastructure”.

The information released contains contact details of a number of Foxconn’s global sales managers, usernames, IP addresses, credentials, and a list of clients’ purchases.

February 9, 2012 Posted by | Help!, Industry, Security Info | Comments Off

Of Skimmers & Scumbags

A skimming device came off in the hands of a Bank of America customer when she tried to use her debit card at an ATM recently, police said.  The man who had planted the credential stealing device appeared and asked for it back.  The woman refused to return the skimmer and growled at the man, who fled.

Sixth Precinct police are seeking two male suspects in connection with the incident.  The first is about 40, stands 5 feet 10 inches tall, and weighs 170 pounds.  The second male is about 30, stands 5 feet 8 inches tall, and weighs 160 pounds, police said.

The two suspects face felony forgery charges and up to 15 years in prison.  I wouldn’t advise anyone to do this, but that 23 year old woman sure has moxie.  I hope the bank rewards her for her valiant stance.  DNAinfo

The reason that I don’t advise people to take this kind of action?  Read the article just published in The Compliance Exchange blog about Aaron Hand, already convicted in a $100 million mortgage-fraud scheme and serving a sentence of eight years and four months to 25 years.  He was sentenced to 8 to 16 more years for plotting to have a key witness in his case killed.

Please remember that these guys mean business, and that there is more than just your current balance at stake.  These guys are all in it for the big money payoff.  If you find yourself involved in a confrontation or an investigation, a little paranoia is healthy, and caution is not cowardice, in my humble opinion.

February 7, 2012 Posted by | Help!, Industry, Security Info | Comments Off

2011 PCI Breach Research

There is a very good article over at InfoWorld Security Central (a great source for IT and security information in general, by the way) on Trustwave’s research into 2011 breach statistics.  According to the article, attackers infiltrated 312 businesses and made off with customer payment-card information.  In 76% of those cases the primary access point was a third-party vendor’s remote-access application, or a VPN set up for remote systems maintenance.  Seventy-six percent!  These external ingress paths introduced security deficiencies that the attackers exploited.

The vast majority of the 312 companies were retailers, restaurants or hotels, and they came to Trustwave for incident response help after one of the payment-card organizations traced stolen cards back to their businesses, demanding a forensics investigation within a matter of days.  Only 16% of the 312 companies detected the breach on their own!

The businesses hit claimed to be compliant with Payment Card Industry (PCI) security standards, when in reality there were gaps.  The remote-access provisions were poorly protected by simple, re-used, shared, and seldom changed passwords.

I will leave the most scary statistics, how long the attackers were able to maintain their ownership of the networks in these cases, for you to seek out yourself on the second page of the article.  It is not a happy number!

The lesson to take away from this article is, PCI compliance is the bare minimum that an organization should do, and DOES NOT equate to comprehensive security.  A PCI-DSS pass score does not ensure actual compliance either.  It is a good starting point to ensure that the bare minimum, common sense, security controls are implemented at a single point in time, but good security practices must spread out from the center.  If your security efforts don’t include the other servers, the workstations that access them, AND the Internet-facing paths in (the remote-access and VPN provisions that were the way in here), you are not managing security, you are faking it for compliance’s sake.  Russian roulette with a fully loaded gun.

February 7, 2012 Posted by | Help!, Industry, Security Info | Comments Off
