The MetaData Threat

There is a lot of attention paid these days to the end result of an attack.  The media and bloggers like myself tend to use the sensational impacts of a data breach to get the security message across.  It isn’t safe enough out there to go strolling through the internet with no clothes on.  Pack some bullet-proof pants.

One way to protect yourself from data breach is to eliminate metadata from your personal and business documents.  What the heck is metadata, you may ask, and why is it a threat?  Let’s find out…

When you create any kind of document, it will typically contain some hidden data elements.  When you fire up Microsoft Word, or some similar package, save your draft document, and re-open it at some later point in time to edit, refine and re-save it, you update the hidden metadata.  Text and even comments that you have deleted or changed are not completely removed when you hit delete.  Many of your changes remain hidden away within the file, and can be recalled and read using the right tools.  There are also a number of “attributes” that the document quietly stores in special fields for tracking purposes.  Things like, original author, last 10 saves, original and edit dates, storage location, etc.  Office documents often contain the complete path to the folder in which the file was located during edits and saves, providing the Windows logon name, project names, server names, operating system, and software version used, etc.  In some cases, even information on printers and internally used domain names is available.  This is metadata.

Some file formats are more revealing than others.  Testing shows that PowerPoint files retain more information than PDF files, partly due to the fact that some metadata is discarded during format conversion.  The PDF format is generally considered a more “permanent” format than DOC.  Metadata elements are not necessarily completely removed when a document is converted to PDF format as is commonly thought.  Any metadata from photographs embedded in documents can be very revealing, even if the image is masked or blacked out in the document.  EXIF data usually contains a thumbnail of the original photograph, which often fails to reflect any changes made to the image in the document.  Deliberately obscured areas of a photograph may be clearly visible in the thumbnail.

These bits of information can aid an attacker in discovery efforts when they are attempting to learn about your environment, or preparing a targeted attack plan.  The information contained in a single document may not be enough to build a targeted attack strategy; however, the more intelligence an attacker has, the more likely an attack will succeed.  With enough pieces to the puzzle, it is possible to see a picture from which points of interest can be identified.  This information is useful for carrying out targeted technical or social engineering attacks, allowing attackers to assess the potential vulnerability of a system and target a specific user with an exploit for their specific platform or software version.

The best way to protect yourself from this kind of reconnaissance is to remove metadata from your shared or published files as completely as possible, or to fill the metadata spaces with decoy data.  Microsoft has published instructions for manual metadata removal, but I like to use third-party tools to automate and validate these efforts.

More Metadata Removal Information:

Hacker Claims To Have Sony Credit Card Data

A hacker claiming to have credit card info stolen from Sony’s PlayStation Network is trying to sell the data on underground forums, but the claims have not been confirmed.  Sony has contracted an outside security firm to investigate the intrusion on its network, and has stated emphatically that their credit card data was encrypted, reiterating that it had no evidence the data was stolen.

A researcher with TrendMicro tweeted Thursday that he had seen discussions in online forums where hackers were offering to sell a database of 2.2 million Sony customer credit card numbers stolen during the attack.  Sony was supposedly offered a chance to buy the records back, but didn’t take the bait.  The person claiming to have the records says it contains first names, last names, addresses, phone numbers, email addresses, passwords, dates of birth, credit card numbers, CVV2 data, and expiry dates.  Those last 2 are definitely problematic if true.

The information may already be circulating among the criminal underground as reports have been made by Sony customers about fraudulent charges appearing on credit cards they have used for the PlayStation service.

Verizon Data Breach Report Published

Verizon has published its 2011 data breach investigations report showing that the number of security incidents investigated has increased by 4 times from the last report, while the number of compromised records has dramatically decreased.  This report could have sounded like a good news story and given us all a sense of improving security.  Unlike previous years, there wasn’t a major incident in the period of this report.  What I see from this development is confirmation that criminals are now effectively targeting smaller and mid-sized companies, and compromising smaller databases.  It should be noted that not every data loss incident was investigated, reported by the impacted business, and reported on by the media.

Why now target smaller companies?  As I’ve said before, it’s simply easier to attack smaller companies because larger ones have the resources to be better defended and security aware, and big reputations to protect.  For those people that have had their information compromised, it doesn’t matter if the breach was the result of a security lapse in a large or a small company.  The result is the same; they face being the victim of serious fraud.

Smaller organizations need to take data protection just as seriously as the big boys.  This means adopting PCI compliance as a starting point, using self-assessment against security standards, extending security to the desktop, filtering web content for malware, and encrypting data where it is required.  It’s also important to reduce the amount of customer information being gathered during transactions and stored at POS.  “If you don’t have it, you can’t lose it”.

Of course, the back end of 2011 looks like it will return to the large data breach norm with the Sony incident, demonstrating that even the largest of companies are still open to attack.  The Verizon report indicates that attacks and data breaches are more a question of “when-not-if” an internet connected company will be affected.  Companies can no longer place their heads in the sand regarding the risks posed by connecting to or doing business over the internet.  Check and double-check both logical and physical security around sensitive information, and all of the avenues of access to it.  If you want to play in the sandbox, you need to have the basic protections.  There are things in the sand that will eat you alive…

FBI Warning On Wire Transfers

The FBI has warned US banks to watch out for large wire transfers sent to accounts registered to companies located in Chinese port cities near the Russian border.  They are investigating 20 cases where bank accounts of small and midsize US businesses were hijacked to initiate transfers to company bank accounts based in the Heilongjiang province.

Losses between March 2010 and April of this year have totaled about $11 million.  Attempted transfers reached roughly $20 million, according to the alert.  The unauthorized wire transfers range from $50,000 to $985,000, and in most cases, they tend to be above $900,000.  The attackers have been most successful receiving funds when transferring under $500,000.

A targeted business will generally receive a phishing email, attempting to trick the recipient into clicking on a link, taking them to a malicious website, which installs malware designed to steal banking credentials.  The malware agent, typically Zeus, SpyBot or, waits for the victim to login to their business bank account, capturing their credentials, then redirects them to a site that falsely informs them that their bank site is currently offline.  The attackers log into the victim’s account and initiate large wire transfers to accounts under their control, usually hosted in New York.

Money is moved from those NY accounts to Chinese bank accounts belonging to what appear to be legitimate businesses using the name of a Chinese port city and words such as “economic and trade,” “trade,” and “LTD.”

Sony Faces Breach Backlash

According to Information Week, the gamers of the world have begun to speak out and take action, thrusting the pointy end of the stick at Sony.  One person has launched a lawsuit against Sony over the data breach in which the personal details of more than 70 million PlayStation Network and Qriocity users were stolen, and analysts estimate the hammered company could lose billions of dollars from this debacle.

Sony has admitted that extensive amounts of sensitive personal data were compromised, including name, physical address, email address, birth date, PlayStation Network/Qriocity password and login, and handle/PSN online ID, and the attackers may have also stolen purchase history info, billing addresses, and password security questions.  Sony so far has said that there is no evidence of credit card data theft.  A complaint filed in the Federal Court in San Francisco accuses the company of failing to protect user data, and Sony is also accused of failure to comply with PCI standards.

Alabama resident Kristopher Johns is seeking to represent all affected users.  The lawsuit seeks reimbursement for any losses that may result from the theft of credit card data, refunds for services, and of course, punitive damages.  The lawsuit says that Sony “failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed bringing the PSN service back on line”.

  • SMH has a news video from Australia posted.
  • Wired has put up an article speculating about potential suspects.
  • C-Net has posted 5 good questions that Sony needs to address in the near-term.

Multiple Cisco Vulnerabilities

Cisco has released several updates and security advisories for some of their products.

Their Wireless LAN Controller (WLC) product family (version 6.0 or later) is affected by a Denial of Service (DoS) vulnerability where an unauthenticated attacker could cause a device to reload by sending a series of ICMP packets.  There are no available workarounds to mitigate this vulnerability and Cisco has released free software updates to address it.

The advisory is posted at:

Products Affected:

  • Cisco 2100 Series Wireless LAN Controllers
  • Cisco WLC526 Mobility Express Controller (AIR-WLC526-K9)
  • Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
  • Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)

If you use these wireless controllers, I would recommend testing and patching sooner rather than later.  DoS attacks at this level do not generally expose data or offer compromise exposure, but they can be annoying, debilitating to normal business, and should be avoided whenever possible.

Cisco Unified Communications Manager (previously known as Cisco CallManager) contains the following vulnerabilities:

  • 3 denial of service (DoS) vulnerabilities that affect Session Initiation Protocol (SIP) services commonly used in VoIP.
  • 1 Directory traversal vulnerability.
  • 2 SQL injection vulnerabilities.

Cisco has released free software updates to address the last 3 vulnerabilities.  There is a workaround for the SIP DoS vulnerabilities.

The advisory is posted at:

Products Affected:

  • Cisco Unified Communications Manager 6.x, 7.x, & 8.x

All of these vulnerabilities have functional exploitability, but no indication of in-the-wild use.  Successful exploitation of the vulnerabilities could result in the interruption of services, privilege escalation and potential data modification.  In the case of DoS attacks, the affected UCM processes will restart, but repeated attacks may result in a sustained DoS condition.  If you use one of these products, test and deploy these patches ASAP.  The SQL injection vulnerabilities, “failure to prohibit uploading of files”, and “database security issue” are particularly worrisome.

Sony Breach Follow-up

So, Sony has had a breach.  Security researchers say this may be the largest theft of identity data on record.  Some of my friends have expressed concerns because they and their kids have accounts on Sony’s PlayStation website.  From what I have heard, 1 million Canadians may be impacted by this attack.

What can they expect?

What is known:

  • There is no law in place that forces the company to tell customers about the breach.
  • The hack took place April 17-19, and notification was delayed.
  • Passwords, logon information, email addresses and personal details were exposed.
  • Credit card details MAY have been compromised.

Suspected Impacts:

  • The criminals had time to make use of or sell credit card information.
  • Passwords are notorious for being used on multiple websites.
  • Login details are also commonly re-used.
  • Email addresses being exposed will very likely be used in spear phishing campaigns.
  • Personal information may be used to fine tune spear phishing attacks and identity theft.

I think that the risk posed by credit card fraud is pretty self-explanatory.  If the information MAY have been exposed, it probably was.

Spear phishing is an attack used to bait a user into clicking a link or opening an attachment in email, just like in a typical phishing attack that comes in the form of spam emails.  What sets it apart is that the attacker has some knowledge of, or information about, the target of the attack.  The attacker learns the targets’ likes, dislikes, interests and “hot items” that might cause them to trust, be curious, or react to their message.  They may use the Sony breach for instance, and send fake emails purporting to be from Sony, a news organization, an investigator, a lawyer associated with Sony, a subsidiary, or whatever creative device they can concoct.  Their message will entice the target to take some action that allows them to further defraud or abuse them, like install malware, gather more information about them, get passwords, or financial intelligence.  The ultimate target is generally financial gain.

What should you do?

  • Personally, if I had a credit card that I had registered with the Sony network, I would be cancelling that card.  Now.  I can hear the litany of “over-reacting”, “tin-foil hatter” and “nonsense”, but that is what I recommend, take it or leave it.  Let me adjust my cap.  Your credit history, time, and money are better spent ordering a new card than dealing with the fallout of financial loss, explaining and fixing the situation for days, weeks, or even years to come.  Don’t be lazy, do it now.  At least call your bank and ask THEM what action they recommend.
  • Mind your bank account.  As Police Detective Superintendent Col Dyson said in a phone interview with reporter Asher Moses, “If you’re armed with enough personal information you could basically do anything that the legitimate person could do themselves” including obtain various forms of credit, target their banking accounts, or steal their identity.
  • If you have an account on Sony’s network, change the password ASAP, and while you are waiting for Sony to come back online, change any accounts elsewhere that share the same login and/or password information.  And shame on you.  Don’t do it again!  I know, I know, I have a zillion passwords too.  Guess what?  There’s an app for that!  Invest in a password organizer that allows you to store and ENCRYPT all of your passwords.  Then you only need to remember one.  Many good ones are free, and can reside on your mobile device of choice.
  • Be especially wary of emails bearing links or attachments.  If you are deathly curious, open the attachment or link ONLY in a sacrificial environment.  To me, that means you setup a separate PC just for the occasion.  That old clunker you rest your feet on under your desk will do.  Setup a locked down O/S on it.  Add VMware.  Lock down the VM.  Copy the link/attachment to USB and examine it in the VM.  Afterwards, nuke the whole setup.  Do not trust it again.  Wipe the disk and start fresh again next time.  If you were clever, you would have installed Comodo Time Machine or something similar to save time in this regard.  If that’s all too much for you, -=[DELETE]=- works just nicely, thank you…
  • Pressure Sony to provide credit and ID monitoring services.  If your personal information was compromised because of their network breach, you have a right to expect certain remedies, and in my opinion, this is one such remedy that you should demand.

Just my 2¢, collect the whole dime.