Data Exfiltration: How Data Gets Out

CIO Magazine has a good article that looks at typical data exfiltration events.  Criminals are becoming more sophisticated both in how they attack and in how they get the data out.  Data is usually exfiltrated (exported) by copying it from the victim system over the network, although removable media or physical theft can also be used.  In 2009, Trustwave investigated over 200 data breaches in 24 countries.  While the methods used to exfiltrate data from a compromised environment varied, 45% of compromises involved attackers gaining access to a system through a remote access application already in use by the victim organization.

Once a foothold is established, attackers often launch network enumeration tools to discover additional targets within the environment and retrieve system information such as usernames, group privileges, network shares, and available services.  The noise generated by enumeration tools can indicate a pending attack, if IT and security staff are listening for it.  Unfortunately, most are not monitoring their systems and networks closely enough and fail to observe these indicators.

Once attackers gain access to the target environment, they harvest data using either manual or automated methods.  In manual harvesting, potentially valuable databases and documents are located and the operating system is searched for specific keywords to identify further data.  Automated harvesting uses custom-written malware that takes advantage of flaws in the applications used to process the confidential data.

Criminals often use the same remote access application to extract the data.  Other existing services, such as native FTP and HTTP client functionality, are also frequently leveraged for extraction.  When malware is used for extraction, FTP, SMTP and IRC functionality are regularly observed.  With off-the-shelf malware such as keystroke loggers, attackers most often use the built-in FTP and e-mail capabilities to exfiltrate data.  When e-mail is used for extraction, attackers often install their own SMTP server directly on the compromised system to ensure the data is properly routed out.

Paying close attention to what “normal” activity looks like on “standard” systems is the key to identifying a problem before it is too late.  Every anomaly should be viewed with a degree of suspicion and run down through an internal investigation by someone who knows what to look for.
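Two of the indicators above, the noise of internal enumeration and the sudden appearance of FTP/SMTP/IRC or bulk outbound traffic from a host that never used it before, are straightforward to check for once a baseline exists.  The script below is an added example and is not from the CIO article or from Trustwave; the record format (timestamp, source, destination, port, bytes out), the 10.0.0.0/8 internal range, the thresholds, the baselines and the log lines themselves are all constructed for the demonstration.

```python
"""Baseline-and-anomaly checks over connection records (constructed sample data).

Flags the two behaviours the write-up above describes:
  1. enumeration noise: one source touching many distinct internal host:port
     targets inside a short window;
  2. exfiltration channels: an internal host reaching an external address on an
     FTP/SMTP/IRC port it is not expected to use, or pushing far more bytes out
     than its baseline.
Record format, thresholds, hosts and baselines are all assumptions for the demo.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal range
EXFIL_PORTS = {21: "ftp", 25: "smtp", 6667: "irc"}

# Constructed records: "<ts> <src> <dst> <dport> <bytes_out>"
SAMPLE_LOG = (
    [f"{100 + i} 10.0.5.7 10.0.1.{i + 1} 445 120" for i in range(30)]  # scan
    + ["200 10.0.5.8 10.0.1.2 445 800",                 # ordinary file-share use
       "205 10.0.5.8 10.0.1.3 139 400",
       "210 10.0.5.8 93.184.216.34 443 2000"]
    + ["300 10.0.5.7 203.0.113.9 21 50000000"]          # FTP push to external host
    + ["310 10.0.0.25 198.51.100.4 25 300000"]          # mail relay doing its job
)
BASELINE_BYTES = {"10.0.5.7": 500_000, "10.0.5.8": 1_000, "10.0.0.25": 10_000_000}
ALLOWED_PORTS = {"10.0.0.25": {25}}   # hosts expected to speak a given protocol


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def parse(line: str) -> dict:
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def enumeration_alerts(records, window=60, min_targets=20):
    """Sources that hit >= min_targets distinct internal (dst, port) pairs
    within any `window`-second span. Returns {src: peak distinct targets}."""
    by_src = defaultdict(list)
    for r in records:
        if is_internal(r["dst"]):
            by_src[r["src"]].append((r["ts"], (r["dst"], r["dport"])))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window, lo, peak = Counter(), 0, 0
        for ts, target in events:            # two-pointer sliding window
            in_window[target] += 1
            while events[lo][0] < ts - window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def exfil_alerts(records, baseline_bytes, allowed_ports, ratio=10.0):
    """Internal hosts that (a) reach an external host on an FTP/SMTP/IRC port
    not allow-listed for them, or (b) send > ratio x their baseline bytes."""
    alerts = defaultdict(set)
    out_bytes = Counter()
    for r in records:
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue                          # only internal -> external traffic
        out_bytes[r["src"]] += r["bytes"]
        proto = EXFIL_PORTS.get(r["dport"])
        if proto and r["dport"] not in allowed_ports.get(r["src"], set()):
            alerts[r["src"]].add(f"{proto} to {r['dst']}")
    for host, total in out_bytes.items():
        base = baseline_bytes.get(host)
        if base and total > ratio * base:
            alerts[host].add(f"outbound {total} B vs baseline {base} B")
    return {h: sorted(v) for h, v in alerts.items()}


def run(lines=SAMPLE_LOG):
    records = [parse(line) for line in lines]
    return enumeration_alerts(records), exfil_alerts(records, BASELINE_BYTES, ALLOWED_PORTS)


if __name__ == "__main__":
    enum, exfil = run()
    print("enumeration:", enum)
    print("exfiltration:", exfil)
```

On the constructed data the scanning workstation 10.0.5.7 is flagged twice: for touching 30 internal targets inside a minute, and later for an FTP session to an external host carrying a hundred times its usual outbound volume, while the mail relay on port 25 stays quiet because it is allow-listed for SMTP.  That allow-list is the “standard systems” baseline the paragraph above is asking for; a host with no baseline entry gets no volume check at all, which is a gap you would want to close before relying on this in production.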

CIO Magazine

TD Bank Worker Charged

The Courier Post Online reports that a former switchboard operator for TD Bank in Mount Laurel provided customer information to accomplices who withdrew more than $200,000 from victims’ accounts.  Talayah Little, 26, of Hainesport, conspired with a co-worker to obtain computerized customer data, such as account and driver’s license numbers.  Other ring members then used the information to make phony photo IDs, which “check runners” used to withdraw funds.  Members of the ring made more than 30 withdrawals, usually requesting between $4,000 and $8,000, in February and March of last year.  Little’s role was brief, largely due to an internal investigation by TD Bank and the efforts of Mount Laurel police.  Once TD Bank determined that the employees were accessing accounts without authorization, they were terminated and could no longer feed information to the others involved.

The scheme targeted at least 13 customers, with check runners making withdrawals from Cape May to New York City.  Check runners typically were driven from Philadelphia to TD Bank branches in New Jersey and New York.  Authorities said Little was recruited into the scheme in January 2009 by a co-conspirator whose name was not released.  She then enlisted a co-worker, identified in the indictment only as A.W.

Little was indicted Thursday on charges of participating in a conspiracy to commit bank fraud and identity theft.  She is also charged with bank fraud and aggravated identity theft.  If convicted, Little faces a potential maximum sentence of 57 years in jail and a fine of up to $4 million.


Data Breach & Security Incidents Continue

Time is money, but information is a blank cheque.  A number of companies have reported stolen laptops and other data security breaches in recent months, potentially exposing personal information about thousands of people.  One financial company said its computer systems had been hacked, a tech company reported a laptop stolen, and Boston insurance giant John Hancock Financial Services reported that a CD containing customers’ personal information was lost.

In November, the state of Massachusetts reported that credit card numbers, medical records, or other personal information belonging to nearly 1 million residents had been stolen or exposed between 2007 and late 2009.  Since then, the state has been notified of at least six data breaches that each potentially affected more than 1,000 residents.

Learning from these experiences, on March 1 the state enacted new regulations requiring companies to encrypt personal data stored on laptops or sent over the Internet, so that the information is useless to a thief if it is lost or stolen.

It is not all FUD (fear, uncertainty and doubt); these are all very real events.  Encrypt those laptops, folks, and consider doing the same for your home computers.  Unless of course you don’t really value your personal information: tax details, bank accounts, browsing habits and other data that you take for granted but an informed thief will turn into cash.

Despite increased awareness of and vigilance around data theft, breaches and security incidents keep happening.  Just recently, at least six companies have reported stolen laptops as the root cause of their security incidents, and other breaches have potentially exposed the personal information of thousands.  Take a look at some of the biggest recent known data breach cases.


Another VAO Breach

The U.S. Veterans Affairs Office of Inspector General has launched a criminal investigation into a breach of veterans’ medical information at the Atlanta Veterans Administration Medical Center, according to an internal document.  The inspector general is investigating a report that a physician assistant stored unauthorized clinical information on her personal laptop about veterans seen at one of the VA specialty clinics.  The document said there are reportedly two sets of patient information involved: one covering more than 18 years of data, and another covering up to 3 years.

In late December, the physician assistant revealed to a VA nurse scientist that she had been recording clinical data from patient encounters on her personal laptop.  The worker asked the nurse whether she could use the data for “research purposes” unrelated to the VA.  The nurse replied that such work was not permitted and asked her to destroy the data.  After multiple follow-up conversations without any confirmation that the data had been destroyed, the nurse scientist notified the compliance officer.  The physician assistant, hired in October 2009, resigned effective Feb. 28, 2010.

The inspector general’s office examined the personal laptop and found multiple documents on the device that appeared to come from an unapproved research project.  The results of the investigation and analysis will help determine whether to notify the affected veterans and offer them credit protection services.