‘Night Dragon’ Espionage Report

Hackers working in China broke into the computer networks of five multinational oil and gas companies, stealing bidding plans and other critical information, McAfee said in a report.   The attacks have been dubbed “Night Dragon” and the report did not identify the companies that were hacked.  The report did say that another seven or more had also been compromised, but may not have had data stolen.

This issue “speaks to quite a sad state of our critical infrastructure security.”  The attacks involved social engineering, spear-phishing, exploitation of Microsoft Windows vulnerabilities, compromise of Microsoft Active Directory, and the use of remote administration tools (RATs) to target and harvest sensitive competitive information.

“These were not sophisticated attacks.  Yet they were very successful in achieving their goals,” said Dmitri Alperovitch, McAfee’s VP of threat research.  The hackers got into the computers either through public websites or through infected emails sent to company executives.  The Night Dragon attacks work through methodical and progressive intrusions.

These basic activities were performed by the Night Dragon operation:


Multiple Breaches Reported

A bad time for data breaches.

Vodafone (Australia) has reported what appears to be an insider breach, terminating an undisclosed number of staff after weekend reports that unauthorised parties obtained log-in details to the telco’s customer database.  Criminal groups were reportedly paying for Vodafone customer information, while other people used the database to “check their spouses’ communications”, according to the initial news reports.  Police have been brought into the investigation.  http://www.itnews.com.au/News/244672,vodafone-sacks-staff-over-alleged-security-breach.aspx

Freedom of Information requests sent by the Yorkshire Post to public organisations revealed a number of serious data breaches, including a doctor accessing a colleague’s medical records at a hospital, a cleaner at a Rotherham hospital viewing a friend’s private medical files, and a receptionist at a hospital in Sheffield who collected patients’ personal contact records and used them for a second job as a market researcher.  http://www.kable.co.uk/yorkshire-nhs-police-personal-data-breaches-12jan11

Oh those pesky insiders.  When will they learn?

Also, over the last 2 months, 3 American universities have been cleaning up after data breaches.  The largest at Ohio State University affects 760,000 people.  The University of Wisconsin-Madison’s involved 60,000 people, and a St. Louis University breach affected staff members.  During a “routine” IT security review, Ohio State discovered that unauthorized people had logged onto a server that contained information on current and former faculty, students and staff, applicants, and others with university ties.  http://campustechnology.com/articles/2011/01/12/3-universities-knocked-by-security-breaches.aspx

WikiLeaks – Twitter Link

The US government has served subpoenas seeking personal details of some Twitter users who are believed to have close ties to WikiLeaks.  The US District Court in Virginia is seeking names, addresses, connection records, phone numbers and payment information.

The court order was issued on December 14, 2010, and Twitter was ordered not to reveal that it had been served or that the users were being investigated, but the court last week removed those restrictions.  Among those named are Julian Assange, US Army Pfc. Bradley Manning and Birgitta Jonsdottir, a member of Iceland’s Parliament who has allegedly worked with Assange.  Assange has called the court order harassment.

BBC US/Canadian News

Protecting Against Data Leaks

WikiLeaks seems to have become a rather quiet issue.  There has been very little in the press lately, and not much discussion for such a high profile and potentially damaging experience.  In follow-up to “Could it Happen To You”, here are some thoughts on detecting data leakage and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even one that operates legitimately and completely above board, has SOMETHING to hide.  From the competition, from enemies: everyone has intellectual property and those special trade secrets.  The opportunities and methods for exfiltrating information in its various forms are just too diverse.  In order for any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience or individual.  It could be as easy as adding the wrong email address to a CC list; auto-complete is notorious for making this particular mistake more common.

Eliminate Common Means

In incident response, an attacker typically needs 4 things in order to launch a successful attack.

  1. The opportunity to attack.  This is provided to insiders by having access to data, and poor internal controls.
  2. The ability to attack.  This is provided by the tools and knowledge available to anyone.
  3. The motive to attack.  This could be monetary, moralistic, vengeful, accidental, etc.
  4. The means to complete the attack.  This is the physical or logical device used to move the data.


WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone that you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement, work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 


WikiLeaks To Release US Bank Docs

Reuters reports, citing Forbes Magazine, that the now infamous whistle-blower website WikiLeaks plans to release tens of thousands of internal documents from a major US bank early next year.  Describing the release as a “megaleak” involving a bank that is still doing business, Julian Assange suggests that it will “give a true and representative insight into how banks behave at the executive level in a way that will stimulate investigations and reforms”, comparing the release to the Enron email revelations.

“There will be some flagrant violations, unethical practices that will be revealed, but it will also be all the supporting decision-making structures and the internal executive ethos … and that’s tremendously valuable.  You could call it the ecosystem of corruption, but it’s also all the regular decision making that turns a blind eye to and supports unethical practices: the oversight that’s not done, the priorities of executives, how they think they’re fulfilling their own self-interest,” he said.

Assange also hinted that his group has material on many businesses and governments, including some on pharmaceutical companies, which he did not identify.

Personally, I am of two minds regarding these releases.  I am both skeptical of the quality and reliability of what may or may not be authentic documentation, and concerned about the affected organizations’ inability to detect and correct the leakage.  The sources of these leaks must be found, but the transparency of all organizations must be increased if there is indeed illegal, illicit or questionably moral activity going on inside.

I find myself suspicious of the intentions of WikiLeaks, and wonder just how it is that it can release damaging information on such high profile businesses and people without seeming to suffer any serious repercussions.  Why haven’t the owner and all of his critical staff been “disappeared”?  When I can read in the press how Boris the Russian mobster can hire North American muscle to intimidate or persuade security researchers to go away, and drug cartels can get US and Mexican thugs to take care of their “problems”, how is it that these guys seem so untouchable?

Also, if WikiLeaks could get this information out of a bank, pharmaceutical company or government installation, who’s to say that a competitor or someone with an axe to grind couldn’t do the same?  Own a company?  Work for one that might want to protect its information assets, regardless of the reasons?  Time to Google “Data Leakage Prevention” and start doing your homework.

WikiLeaks info from Bruce Schneier:  http://www.schneier.com/blog/archives/2010/06/wikileaks.html

DLP – Success & Failure

Data Leak Prevention adoption is growing at an estimated 10% a year, slower than DLP vendors anticipated but still fast compared to many other security technologies.  The primary driver for adoption of this technology remains compliance, as is true of most security project funding.  Make sure that when you deploy it, you deploy it with the correct ruleset, a clear definition of what it is meant to accomplish, and consideration for “soft-mode” as an awareness tool.

Quite a few companies that have recently deployed DLP have pulled back on their deployments because of user and management backlash.  This indicates to me that there may have been a lack of planning, and the deployment did not adequately define success factors.  DLP was commonly deployed by these firms as an enforcement tool and not as an awareness tool at all.  When DLP is implemented as an enforcement tool, the controls are black and white, and generally very strict, running the risk of disrupting normal business processes.

The problem DLP is deployed to resolve is the leakage of data to unauthorized recipients.  Most data leaks are not caused by attackers bent on getting access to your corporate data.  The most common source of data leakage, accidental leaks, can be stopped.  To do so one must understand why these leaks occur, then how, and be prepared to accept that some of the responsibility for addressing them lies with IT itself.

Accidental leaks are not simply the result of negligent, stupid, or irresponsible users.  In many cases, leaks occur when authorized users of data choose an insecure means to store or transmit the data in the process of fulfilling a legitimate business process.  They’re doing their jobs the best way that they know how, with the tools that they have available.  Think about the Manager who needs to send her quarterly numbers to an external accounting firm.  She doesn’t have e-mail encryption capabilities or secure FTP at her disposal, and probably doesn’t understand the need for them during this seemingly innocent and quite common communication event.  She sends the confidential information as an attachment by e-mail, like always.  The communication is sent in the clear, across numerous unknown networks, subject to capture, manipulation and abuse.

DLP deployed with a hard rule enforcement policy may serve to exacerbate the problem.  The e-mail is detected and stopped, as designed, due to its sensitive contents.  The Manager wants to do a good job, and doesn’t understand why the accounting firm is not receiving the time-sensitive email that she so diligently sent.  Perhaps she perceives that IT, who doesn’t understand or care about her dilemma, has just put up another hurdle between her and the job she has to get done, so she tries Hotmail.  IT filters Hotmail, because it is a security and DLP risk.  She tries Instant Messenger, Facebook, RapidShare or whatever other distribution method she can think of.  Whose fault is it if the business doesn’t provide a better way of doing what needs to get done in the course of a business day?

If DLP is deployed as an awareness tool, it can actually identify and help fix these broken processes.  Instead of blocking the original email, educate the user about why certain communication methods are dangerous when sending sensitive information.  Let the user know the dangers and impacts associated with these insecure communications.  Tell them about secure IT services that are provided for this specific purpose, or engage them to identify a specific need, to set in motion the needs analysis and requirements gathering needed for the provisioning or improvement of secure practices and services.  IT will become aware of dangerous practices within the organization for which they have not yet provided better alternatives. 

DLP deployed in “soft-mode” focuses on training and awareness for both IT and the user community.  It allows the identification and development of exceptions and logs the results of various communications so that improvements can be made in their handling.  It is incremental, non-judgmental and business friendly.  Over time, some DLP controls can and should be tightened and restricted, increasing enforcement, but soft-mode should remain a viable option for many types of standard communications.
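To make the enforcement versus soft-mode distinction concrete, here is a small outbound-mail inspector written as an added example for this post; it is not code from any DLP product or from the original article.  It classifies a message’s text (card numbers validated with the Luhn check, SSN-shaped strings, classification markings, financial wording), checks every recipient against the company domain and a list of approved external exceptions, and then either blocks, or delivers with a notice to the sender and a log entry for IT, depending on the mode.  It also covers the earlier case of a wrong address landing on a CC list through auto-complete, since an unapproved external recipient is caught the same way.  The internal domain `example.com`, the approved partner domain `accounting-partner.example`, the “secure file transfer service” named in the notice, and all sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"          # assumed: the company's own mail domain
# Assumed exceptions developed during the soft-mode period: external domains
# approved to receive particular classes of data.
APPROVED_EXTERNAL = {"accounting-partner.example": {"FINANCIAL"}}
# Controls already tightened over time: these classes block whatever the mode.
ALWAYS_BLOCK = {"PAN"}

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")           # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKING_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.I)
FINANCIAL_RE = re.compile(r"\b(quarterly (results|numbers)|revenue forecast)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order IDs and phone numbers are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Data classes present in the text of a message and its attachments."""
    found = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("PAN")
    if SSN_RE.search(text):
        found.add("PII")
    if MARKING_RE.search(text):
        found.add("CONFIDENTIAL")
    if FINANCIAL_RE.search(text):
        found.add("FINANCIAL")
    return found


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str                                # body plus extracted attachment text


@dataclass
class Verdict:
    action: str                              # "deliver", "deliver+notify" or "block"
    classes: set[str]
    offenders: list[str] = field(default_factory=list)
    notice: str = ""                         # what the sender is told
    log: str = ""                            # what IT sees


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def unapproved_external(classes: set[str], recipients: list[str]) -> list[str]:
    """External recipients whose domain is not approved for every class found."""
    return [r for r in recipients
            if domain(r) != INTERNAL_DOMAIN
            and not classes <= APPROVED_EXTERNAL.get(domain(r), set())]


def inspect(msg: Message, mode: str = "soft") -> Verdict:
    """Apply the DLP policy to one outbound message in "soft" or "enforce" mode."""
    classes = classify(msg.subject + "\n" + msg.body)
    v = Verdict(action="deliver", classes=classes)
    if not classes:
        return v                             # nothing sensitive, deliver silently
    v.offenders = unapproved_external(classes, msg.recipients)
    if not v.offenders:
        if any(domain(r) != INTERNAL_DOMAIN for r in msg.recipients):
            v.log = f"EXCEPTION {msg.sender} -> {msg.recipients} {sorted(classes)}"
        return v
    event = f"{msg.sender} -> {v.offenders} {sorted(classes)} subject={msg.subject!r}"
    if mode == "enforce" or classes & ALWAYS_BLOCK:
        v.action = "block"
        v.log = "BLOCK " + event
        v.notice = "Your message was blocked: it contains data that may not leave the company."
    else:
        v.action = "deliver+notify"
        v.log = "SOFT " + event
        v.notice = (f"Delivered, but it contains {sorted(classes)} data addressed outside "
                    f"the company ({', '.join(v.offenders)}). Use the secure file transfer "
                    "service for this, or ask IT to set up an approved channel.")
    return v


if __name__ == "__main__":
    # Constructed sample traffic, not real messages.
    samples = [
        Message("manager@example.com", ["cfo@accounting-partner.example"],
                "Quarterly numbers", "Q4 quarterly numbers attached"),
        Message("manager@example.com", ["manager.personal@hotmail.test"],
                "Quarterly numbers", "Q4 quarterly numbers attached"),
        Message("alice@example.com", ["bob@example.com", "bob@exarnple.com"],
                "Reorg memo", "INTERNAL ONLY: draft reorganisation plan"),
        Message("alice@example.com", ["vendor@partner.test"],
                "Card on file", "please charge 4111 1111 1111 1111"),
    ]
    for mode in ("soft", "enforce"):
        for m in samples:
            v = inspect(m, mode)
            print(f"[{mode}] {v.action:15} {v.log or '(no log)'}")
```

Run as a script it prints the verdict for each sample in both modes.  The approved partner domain passes in either mode, the same numbers sent to a webmail address are delivered with a notice in soft mode and blocked in enforce mode, the mistyped CC domain on an INTERNAL ONLY memo is flagged to the sender instead of silently blocked, and the card number is blocked regardless of mode because that control has already been tightened.  The logged `SOFT` and `EXCEPTION` lines are the raw material for the needs analysis the post describes: repeated soft hits from the same sender to the same external party are a broken process waiting for a sanctioned channel.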

DLP is about preventing data loss, not blocking the business from moving forward.  Take the opportunity to build an extended or permanent soft-mode period into your DLP project plans.  It can educate your users, getting them thinking about security, while at the same time educating your IT staff about how your business actually functions, getting them thinking about how to provision better, easier to use, and more secure services to the users that they serve.