How Do Compromises Happen?

Have you ever received a letter or an e-mail informing you that your personal information may have gotten into the wrong hands?   Or perhaps a media report alerted you to a security breach at a company you do business with.  Here are just a few ways that security breaches have occurred:

  • School computer files containing personal information, including Social Insurance Numbers, are hacked.
  • An email containing far more information than it should is inadvertently sent to a third-party service provider.
  • A bank’s computer back-up tape with customer account data has been lost while being shipped to a storage facility.
  • A dishonest healthcare employee has sold computer files containing patients’ records, including SIN and DoB.
  • An overworked IT Analyst takes shortcuts around Change and Configuration Management processes in the server room in order to save time and money.
  • End users click on links or open attachments that appear to come from someone known and trusted.
  • Imposters have established accounts with a large information broker enabling members of an international crime ring to obtain thousands of comprehensive consumer profiles, including SIN and DoB.
  • A company laptop is stolen from the back seat of an employee’s car. It contains account data on thousands of customers.
  • Offering good customer service to a caller who is having trouble with their account.
  • Advertising space is sold to a malicious software distributor.  The malware-laced ads are then carried by legitimate and popular websites.

There are certainly more potential security breaches out there than those listed here.  Compromise can occur in so many ways.  A compromise can even occur just by surfing to a reputable and legitimate website that serves up ads.  The list goes on.  It can happen to anyone, and it is happening all the time.  Even I (security aware as I am) am guilty of at least one of these examples myself.

Your information can be inadvertently compromised without your involvement or knowledge.  Chief of Security at Symantec’s Australian offices, Craig Scroggie learned this lesson recently.  His credit card data was leaked via email when a restaurant attempted to send out its summer menu to its registered clients.  Instead of attaching the menu, it sent out the entire client database, unencrypted.  Scroggie found out about the breach after a follow-up email was sent informing him of the incident.  He had deleted the original email because he did not want to read the menu.  After being informed, he recovered it to see what details were exposed.

If the business that leaks your information is not regulated and mandated to notify you when that happens, do you think that it will risk the embarrassment, liability and potential costs of telling you about it?  Most are unfortunately going to keep mum and ignore the issue, unless it is somehow traced back to them.  Oh, and it eventually will be, so you company owners who put off the added expense of good security, or hide a breach when it happens, be ready.  It’s really just a matter of time before your business gets a visit from the cops.

If enough people are compromised, you just have to look for common transactions.  If 100 people have records showing that transactions took place at one store or restaurant on all of their credit cards, and shortly afterwards all of the cards were used illegally, there is an interesting clue to follow up on.  You are better off preparing a breach notification policy now, just in case you need it later on.  That way, the decision about what to do, and who to call, has already been made.  No one needs to make a bad decision to save their job or to deflect reputational damage from the company.  Better to be upfront and honest than to be considered incompetent or complicit.
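The "common transactions" clue above is what card issuers call common-point-of-purchase analysis. As an added illustration (not part of the original post), here is a small Python routine that runs that analysis over constructed statement records: it scores each merchant by the share of later-compromised cards that transacted there, and shows the share of clean cards alongside so a merchant that everybody uses is not mistaken for the leak. All card ids and merchant names are invented.

```python
from collections import defaultdict

# Constructed sample records: (card_id, merchant) pairs gathered from the
# statements of cardholders. Card ids and merchant names are invented.
TRANSACTIONS = [
    ("card-01", "Cafe Alpha"), ("card-01", "Gas Bravo"), ("card-01", "Grocer Delta"),
    ("card-02", "Cafe Alpha"), ("card-02", "Books Echo"),
    ("card-03", "Cafe Alpha"), ("card-03", "Gas Bravo"),
    ("card-04", "Cafe Alpha"), ("card-04", "Grocer Delta"),
    ("card-05", "Gas Bravo"), ("card-05", "Books Echo"),
    ("card-06", "Grocer Delta"), ("card-06", "Books Echo"),
]

# Cards that were later used fraudulently (constructed).
COMPROMISED = {"card-01", "card-02", "card-03", "card-04"}


def common_point_of_purchase(transactions, compromised, min_share=0.75):
    """Rank merchants by the fraction of compromised cards that transacted
    there, reporting the fraction of clean cards that did as a baseline so a
    merchant used by everyone in town does not look like the leak on its own."""
    cards_per_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant in transactions:
        cards_per_merchant[merchant].add(card)
        all_cards.add(card)
    clean = all_cards - compromised
    ranked = []
    for merchant, cards in cards_per_merchant.items():
        hit_share = len(cards & compromised) / len(compromised)
        clean_share = len(cards & clean) / len(clean) if clean else 0.0
        if hit_share >= min_share:
            ranked.append((merchant, round(hit_share, 2), round(clean_share, 2)))
    # Highest coverage of compromised cards first; a lower clean share breaks ties.
    ranked.sort(key=lambda r: (-r[1], r[2]))
    return ranked


if __name__ == "__main__":
    for merchant, hit, clean in common_point_of_purchase(TRANSACTIONS, COMPROMISED):
        print(f"{merchant}: {hit:.0%} of compromised cards, {clean:.0%} of clean cards")
```

With the sample data only "Cafe Alpha" clears the default threshold: every compromised card was used there and none of the clean ones, which is exactly the pattern the post describes. Lowering `min_share` surfaces the weaker candidates for a human to rule out.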


There Really Is NO Dislike Button!

How many times have you wished that FaceBook had a “dislike” button?  Well, I know that there have been many times when I wanted one, and my wife mentioned the same thing just yesterday.  Want to guess what hackers are targeting next?  At some point in time, you are going to see a message posted on your wall, offering you the opportunity to install a Dislike Button.  Don’t frickin’ believe it!  If FaceBook were to introduce such a feature, it would be amid a big media fanfare, and with mucho publicity.  Not some scurvy little wall posting out of the blue.

This is not a new scam; it has been around since 2010, as evidenced in this MSNBC article, and is just being revived and making the rounds once again.  Clicking on the link within the bogus message will cause the same consequences which you might have experienced with the “Check who is visiting your profile” scam.  The link contains obfuscated JavaScript, and the message will be posted on the walls of random friends, continuing the infection cycle.

Trust everyone at your FaceBook table, but always remember to cut the cards.

PM Challenges

I was at yet another interview last week, and one of the questions posed to me by the interviewer was “What was the greatest challenge that you faced as a Project Manager?”  I stated that I would answer that question in two parts.  Firstly, the single greatest challenge that I have faced as a Project Manager has been attaining good knowledge transfer from the project team Subject Matter Experts (SME) to the operations teams.  Most of the larger projects that I have been engaged with have required parachuting in an expert or team of experts due to the amount of research and experience that can be provided quickly.

The SMEs move the project along in a timely fashion, answering questions and solutioning problems with the wisdom that they have gained, or the network of connections that they have built, performing similar work over a period of time.  There is generally some aspect of the project that was given short shrift or took longer than expected, and that gobbles up cycles unexpectedly.  This always nibbles into a couple of areas that sit on the final edge of project closure: end-user training and knowledge transfer.

Hmmm, training and knowledge transfer…  Aren’t these the same thing?  No, they are not.  Training, and especially end-user training is designed to provide an introduction to the new program or tool, and demonstrate how to perform the simple, basic, day-to-day operations that the program or tool was designed to perform.  Knowledge transfer is the transfer of knowledge from one part or member of an organization to another member or organizational part.  This knowledge consists of how the architecture was designed, what are its full capabilities, how was future enhancement conceived, what is the development roadmap, how does the system and its component processes integrate with others, where can one go for assistance or guidance, and other questions that make up “professional wisdom”.  Knowledge transfer seeks to organize, create, capture or distribute knowledge and ensure its availability for future users.

I believe that it is imperative that a knowledge transfer plan be developed at an early stage in the project life cycle, so that the critical knowledge components are identified.  Success can then be measured against this list in order to avoid premature project closure.  If you don’t make this investment up front, expect to spend up to several years building this knowledge base.

The second item that I discussed was probably what the interviewer was actually looking for, something more tactical than strategic.  I spoke about gaining management buy-in for security-based projects.  Security-based projects have little to no actual, demonstrable return on investment, making them very hard to sell to upper management.  Their focus tends to be on the bottom line, and they have the board and shareholders to answer to for their spending decisions.  I have gained buy-in by offering up several points for persuasion that are commonly used by vendors and solution providers.  The FUD factor.  FUD meaning Fear, Uncertainty, and Doubt.  These three words have been dragged through the mud in the media.  However, when discussing security, they have their place.  Security has so few metrics, and the metrics that do exist mean little to executive management staff who have little exposure to security risk management theory.  My arguments boil down to this: hanging on to the money you have already earned is more effective than trying to earn more.

Second interview scheduled for next week, so I guess one of those responses was correct…

Beware PIN Pad Swapping

According to an article on The StarPhoenix website, police have released surveillance images of a number of suspects behind a recent series of fraudulent PIN pad switches in Saskatoon.

Six businesses in Saskatoon have recently had their PIN pads switched with units containing a skimming device, allowing the scammers to gather the account numbers and passwords of anyone who uses the non-chip type keypad.

The men are likely from out of province, travelling to different cities to conduct skimming activities.  Police believe at least four men are involved in the operation.

Anyone who has had their debit or credit cards compromised is encouraged to contact their financial institution and the local police.  Anyone with information about this or any other crime is asked to contact Crime Stoppers at 1-800-222-8477.


Common Vulnerability Reporting Format 1.0 Released

A major gap has existed for years in vulnerability standardization: there is no standard framework for the creation of vulnerability reporting documentation.

While the information security community has made significant progress in areas including categorizing and ranking the severity of vulnerabilities in information systems, with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) database and the Common Vulnerability Scoring System (CVSS), a lack of standardization is evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator.

This white paper proposes CVRF version 1.0, a common and consistent framework for exchanging any security-related documentation.  The Common Vulnerability Reporting Framework is an XML-based language that will enable different stakeholders across different organizations to share critical security-related information in a common format, speeding up information exchange and digestion.

The XML-based framework of CVRF predefines a large number of fields, with extensibility and robustness in mind.  These fields are consistent in naming and data type, so any organization that adopts and understands CVRF can produce documents easily, or read documents that another CVRF-equipped organization has produced.

Vulnerability researchers, vendors, security analysts and incident responders worldwide can all write CVRF documents to share critical information.  Widespread adoption of CVRF will accelerate information exchange and incident resolution as a result.
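The practical payoff of consistent field names and data types is that a consumer can read any producer's advisory with one small piece of code. The following Python example is added here to show that; it is not part of the CVRF white paper or any vendor's tooling. The sample advisory is constructed: its element names follow the CVRF naming (DocumentTitle, DocumentTracking, Vulnerability, CVE, CVSSScoreSets, Remediations), but the nesting and the namespace URI are assumptions for this example rather than the published schema, and the CVE ids are placeholders. Because advisories arrive from third parties, the parser refuses any document carrying a DTD before handing it to the XML library.

```python
import xml.etree.ElementTree as ET

# Constructed sample advisory in a CVRF-style layout. Element names follow the
# CVRF naming; the nesting and the namespace URI are assumptions for this
# example, not the published schema. The CVE ids are placeholders.
NS = {"c": "urn:example:cvrf-like"}
SAMPLE_ADVISORY = """<cvrfdoc xmlns="urn:example:cvrf-like">
  <DocumentTitle>Example Vendor Advisory</DocumentTitle>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-2011-001</ID></Identification>
  </DocumentTracking>
  <Vulnerability>
    <Title>Buffer overflow in widget parser</Title>
    <CVE>CVE-0000-0001</CVE>
    <CVSSScoreSets><ScoreSet><BaseScore>7.5</BaseScore></ScoreSet></CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix"><Description>Upgrade to 2.1</Description></Remediation>
    </Remediations>
  </Vulnerability>
  <Vulnerability>
    <Title>Information disclosure in log viewer</Title>
    <CVE>CVE-0000-0002</CVE>
    <CVSSScoreSets><ScoreSet><BaseScore>4.3</BaseScore></ScoreSet></CVSSScoreSets>
  </Vulnerability>
</cvrfdoc>
"""


def is_safe_document(text):
    """An advisory never needs a DTD; refusing one shuts the door on entity
    expansion tricks before the XML parser ever sees the bytes."""
    return "<!DOCTYPE" not in text


def parse_advisory(text):
    """Turn a CVRF-style document into plain dicts a ticketing or tracking
    system can consume."""
    if not is_safe_document(text):
        raise ValueError("DTD not accepted in advisory documents")
    root = ET.fromstring(text)
    advisory = {
        "id": root.findtext("c:DocumentTracking/c:Identification/c:ID", namespaces=NS),
        "title": root.findtext("c:DocumentTitle", namespaces=NS),
        "vulnerabilities": [],
    }
    for vuln in root.findall("c:Vulnerability", namespaces=NS):
        score = vuln.findtext("c:CVSSScoreSets/c:ScoreSet/c:BaseScore", namespaces=NS)
        fixes = [
            (r.get("Type"), r.findtext("c:Description", namespaces=NS))
            for r in vuln.findall("c:Remediations/c:Remediation", namespaces=NS)
        ]
        advisory["vulnerabilities"].append({
            "cve": vuln.findtext("c:CVE", namespaces=NS),
            "title": vuln.findtext("c:Title", namespaces=NS),
            "base_score": float(score) if score else None,
            "remediations": fixes,
        })
    return advisory


def triage(advisory, min_score=7.0):
    """CVEs at or above the CVSS base score threshold: the ones to act on first."""
    return [v["cve"] for v in advisory["vulnerabilities"]
            if v["base_score"] is not None and v["base_score"] >= min_score]


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    print(adv["id"], adv["title"])
    print("urgent:", triage(adv))
```

Every organization that emits documents with the same field names gets read by the same forty lines, which is the "speeding up information exchange and digestion" the white paper is after.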

Microsoft Security Intelligence Report (vol 10)

Microsoft has released volume 10 of their Security Intelligence Report, covering 2010.

The SIR is the results of an  investigation of the threat landscape, analyzing exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, internet services, and Microsoft  Security Centers.  In SIRv10, Microsoft presents a short video that  calls attention to the second most commonly detected fake anti-virus software:  Win32/FakePAV.   The video describes how Win32/FakePAV steals credit card  information, and then shows how to remove the trojan.

In addition to the Win32/FakePAV feature, they continue to highlight the ongoing threat of botnets in “Battling Botnets,” which was  released in 2010.

Key Findings:

  • Application versus operating system or web browser vulnerabilities continued to account for the majority of vulnerabilities in 2010.
  • The total number of application vulnerabilities declined 22.2% from 2009.
  • Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.
  • Exploitation through Java has been rising since Q2 2010.  Exploitation on the Java platform far exceeds that of Adobe software and OS platforms.
  • Malicious IFrames account for a large number of attacks over HTTP, likely indicating the effect of hijacked and compromised websites.
  • Conficker is the most active malware family in the Enterprise environment and only 9th in the general Internet environment.
  • JS/Pornpop is the most active malware family on the non-corporate Internet environment.
  • Phishing sites targeting social networks are increasing and they are effective in getting themselves presented to victims.
  • Overall OS-level vulnerability counts are steady, and browser vulnerability counts are increasing more slowly.

Download and read this interesting report.

FCC To Offer SMBs Advice With Security

Data breaches and other cyber security threats pose a serious risk for all businesses, large and small, but many business owners are not aware of the full extent of the dangers lurking on the wire.  Criminals are switching some of their focus towards targeting small business networks, intellectual property and customers’ information as larger companies increase their security capabilities.  The  average cost of an online attack is around $200,000, according to a recent study by security software company Symantec.

Raising awareness of a real threat to the vitality of all businesses is an important but difficult task.  The Federal Communications Commission is launching an initiative to help small businesses understand the risks associated with using the Internet as a business and communication medium.  The commission on Monday unveiled a new website, “Cybersecurity for Small Business,” and a tipsheet of actions for small  businesses to better protect themselves.

“It’s a culture change. It’s going to take a long time,” said Ann Beauchesne, VP of national security and emergency preparedness for the U.S. Chamber of Commerce.  “Basically the message for small businesses is, yes, the Internet’s a great tool but you need to protect yourselves.”  Eliminating the risk of online attacks is virtually impossible, so it is vital to minimize the risks that could lead to a breach.  It has been easy for people to ignore online security issues, because attacks have been focused on the larger organizations, and the security issues are technical and complicated.  The FCC’s measures will help empower people to understand that they can tackle these problems.

News of these security issues should be nothing new for SMBs; the catastrophic results have been all over the mainstream press, and the warnings have been posted all over the Internet on blogs like this one.  It is about time that formal governing bodies sat up and took action.  I applaud the FCC for this effort, and hope that legislation proposed by Barack Obama and others starts the ball rolling in the US.  This website may offer simple and basic security advice, but it is a start.  The Canadian government and businesses had better take notice and start studying the lessons learned that have driven the US to at least scratch a line in the sand, dotted and snaggle-toothed as it may be.

I know that there will be cries of “Oh no, the government can’t control the Internet, FREE SPEECH!”  Well, nobody else is fixing it, so if you can’t control it, big brother will do it for you.  I’m personally sick and tired of allowing these lawless, callous, malicious and uncaring individuals to crap in my online sandbox and get away with it.  I’ve seen some of the damage that they can do, and no one is immune to the effects.  Family members have had accounts drained, friends have experienced ID theft.  Small business owners have had their systems hacked, and folded up shop as a result.  Canadian government, BRING IT ON!  Let’s clean up our sandbox too.

Proceedings of the FCC Roundtable are available here.

QakBot Infects Mass. Websites

Personal information about an unknown number of Massachusetts residents may have been stolen from the Massachusetts Executive Office of Labor and Workforce Development, after hundreds of the agency’s computers were infected with malware.  Anyone who conducted business from April 19 – May 13 requiring that a staff person access their file on-line with DCS, DUA or at a One Stop Career Center should take the precautions found at http://1.usa.gov/jcLaDY.

About 1,500 computers at the state’s One Stop Career Centers and other departments were infected with W32.QAKBOT, which is designed to allow remote control and to steal information.  There is a possibility that, as a result of the infection, the virus collected confidential claimant or employer information.  This information may include names, Social Security Numbers, Employer Identification Numbers, email addresses and residential or business addresses.  It is possible that bank information of employers was also transmitted.  About 1,200 of the 180,000 employers that manually file with the agency may be impacted by the data breach; however, the agency has no way to verify this number.

The agency first detected the malware on April 20th, and took immediate steps to contain and remove the infection.  Yesterday, the agency said that the virus was not remediated as originally believed, and that persistence of the malware resulted in a data breach.  “We were targeted by criminal hackers who penetrated our system with a new strain of a virus,” reports the secretary of labor and workforce development in a statement released this afternoon.  “All steps possible are being taken to avoid any future recurrence.”

Government Press Release

GEEK.COM Hacked, Serves Malware

Geek.com, one of the Web’s oldest and most popular tech sites, has been hacked and was serving malware to visitors.  According to Zscaler’s blog, many areas on Geek.com, including articles and the site’s main pages like home, and about us, are infected with malicious iFrames pointing to different malicious sites.  Hackers injected a malicious HTML iFrame into legitimate pages on the site.

One example is the iFrame injected into a May 13th article about Call of Duty: Modern Warfare 3, which redirects visitors to an exploit kit.  Upon visiting the page, heavily obfuscated JavaScript is returned which will try to determine what versions of certain programs users have installed on their computers, and then serve up exploits for vulnerabilities in those products.  As of 6:14am, the malware was still present in some forum postings.

Many legitimate websites are being compromised by taking advantage of poor coding practices in web applications.  Attackers are on the lookout for popular websites or news sites to use as launchpads for their attacks.  Web users need to be aware that no web site is a safe web site.
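A site owner's first question after a report like this is "which of my pages carry an iframe I did not put there?". As an added example (not from the original post, and not Zscaler's or Geek.com's code), here is a small Python page scanner built on the standard library's HTMLParser: it collects every iframe on a page and flags those whose source host is not on the site's own allow list, that are sized to a pixel or less, or that are hidden with inline CSS, which are the traits an injected frame typically shows. The page snippet and the host names in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page snippet standing in for a compromised article page. Both
# host names are invented placeholders; the second iframe is the "injected" one.
SAMPLE_HTML = """<html><body>
<h1>Game preview</h1>
<p>Article text...</p>
<iframe src="https://video.example-site.test/embed/123" width="560" height="315"></iframe>
<iframe src="http://injected.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Hosts the site legitimately embeds content from (assumed for this example).
ALLOWED_HOSTS = {"video.example-site.test"}


class IframeCollector(HTMLParser):
    """Gather the attributes of every <iframe> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes arrive as None; normalise them to "".
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_suspicious(attrs, allowed_hosts):
    """Return the list of reasons an iframe looks injected (empty if it looks fine)."""
    reasons = []
    src = attrs.get("src", "")
    host = urlparse(src).hostname or ""
    if host and host not in allowed_hosts:
        reasons.append(f"src host not allowed: {host}")
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            reasons.append(f"{dim}={value}")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via style")
    return reasons


def scan_page(html, allowed_hosts=ALLOWED_HOSTS):
    """List (src, reasons) for every iframe on the page that trips a rule."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = is_suspicious(attrs, allowed_hosts)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in scan_page(SAMPLE_HTML):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```

Run against a crawl of your own site after every deploy, the allow list is the part that does the work: an injected frame almost always points somewhere the site has never embedded before, and the size and style checks catch the ones that try to stay out of sight.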

Mandiant Intelligent Response v.2.0 Released

Mandiant has just announced the release of Mandiant Intelligent Response (MIR) v.2.0, featuring powerful, host-based incident response capabilities for enterprises.  You may not have heard of Mandiant, unless you are currently involved in Security Incident Response.  Mandiant is a leading provider of incident response and computer forensics solutions and services.  Headquartered in Alexandria, Va., with offices in New York, Los Angeles and San Francisco, Mandiant provides products, professional services and education to Fortune 500 companies, financial institutions, government agencies, domestic and foreign police departments and leading U.S. law firms.

Mandiant believes, as I do, that an incident within your organization WILL take place, regardless of the efforts that are put in place to mitigate, prevent and detect threat events.  Many security safeguards simply cannot keep pace with today’s modern, multi-faceted, targeted attacks.  Many organizations rely exclusively on inadequate, outdated, and ineffective preventive measures and do not plan for the eventuality of compromise.  MIR 2.0 extends beyond traditional threat detection products to protect enterprise assets and tackle unpredictable events.  Intelligent Response lowers risk by decreasing response time after a breach, and ensures containment by identifying every host compromised in an attack.  Security teams can respond remotely to any host in minutes rather than hours, improving containment, reducing an attacker’s window of opportunity, and speeding the organization’s return to normal business operations.

MIR 2.0 is fueled by Indicators of Compromise (many of my colleagues will remember my nagging talks about precursors and indicators…), XML-based descriptors of malicious activity that allow an organization to sweep tens of thousands of endpoints in search of compromised hosts.  Mandiant’s IoCs are developed through a combination of external and internal intelligence sources, enabling organizations to benefit from threat intelligence derived from breaches in other environments.
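To make "XML-based descriptors of malicious activity" concrete, here is an added Python example (not Mandiant's code, and not their IoC schema) of how such a descriptor is evaluated against endpoint data. The indicator is written in a simplified OpenIOC-style layout assumed for this example: nested `Indicator` nodes carry an AND/OR operator, and each `IndicatorItem` names an artifact term, a condition and a value. The sweep evaluates the boolean tree against a constructed snapshot of each host and returns the hosts that match; the hashes, file names and registry paths in it are invented placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed indicator in a simplified OpenIOC-style layout (assumed for this
# example; not Mandiant's schema). Hash, file name and registry path are placeholders.
IOC_XML = """<ioc id="example-ioc-0001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context search="FileItem/Md5sum"/><Content>PLACEHOLDER_MD5_00000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context search="FileItem/FileName"/><Content>updater_svc.dll</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context search="RegistryItem/Path"/><Content>CurrentVersion\\Run</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed endpoint snapshots: artifact term -> values observed on the host.
HOSTS = {
    "host-a": {
        "FileItem/Md5sum": ["aaaa0000"],
        "FileItem/FileName": ["C:\\Windows\\notepad.exe"],
        "RegistryItem/Path": ["HKLM\\Software\\Vendor\\Setting"],
    },
    "host-b": {
        "FileItem/Md5sum": ["bbbb0000"],
        "FileItem/FileName": ["C:\\Windows\\updater_svc.dll"],
        "RegistryItem/Path": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"],
    },
    "host-c": {
        "FileItem/Md5sum": ["PLACEHOLDER_MD5_00000000000000000000"],
        "FileItem/FileName": ["C:\\Windows\\calc.exe"],
        "RegistryItem/Path": [],
    },
}


def item_matches(item, snapshot):
    """One IndicatorItem against the host's observed values for its term."""
    term = item.find("Context").get("search")
    wanted = (item.findtext("Content") or "").lower()
    condition = item.get("condition")
    for observed in snapshot.get(term, []):
        observed = observed.lower()
        if condition == "is" and observed == wanted:
            return True
        if condition == "contains" and wanted in observed:
            return True
    return False


def indicator_matches(node, snapshot):
    """Evaluate an Indicator node, recursing into nested AND/OR groups."""
    operator = node.get("operator", "AND").upper()
    results = []
    for child in node:
        if child.tag == "IndicatorItem":
            results.append(item_matches(child, snapshot))
        elif child.tag == "Indicator":
            results.append(indicator_matches(child, snapshot))
    if not results:
        return False
    return all(results) if operator == "AND" else any(results)


def sweep(ioc_xml, hosts):
    """Return the sorted names of hosts whose snapshot satisfies the IoC."""
    root = ET.fromstring(ioc_xml)
    top = root.find("definition/Indicator")
    return sorted(name for name, snapshot in hosts.items() if indicator_matches(top, snapshot))


if __name__ == "__main__":
    print("compromised:", sweep(IOC_XML, HOSTS))
```

The point of the tree structure is that a single descriptor can carry both the brittle evidence (a known hash) and the behavioural evidence (a named file plus a persistence key) and match on either, which is what lets intelligence gathered in one breach find the same actor in another environment where the binary has been recompiled.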

MIR 2.0 features and benefits include:
