Toronto Law Firms Targeted

Here is a lesson to us all about the global reach and intent of internet hackers who have an interest in the information assets that we may hold for our own or clients’ interests.  China-based hackers have homed in recently on the offices of Toronto’s Bay Street law firms handling a $40 billion acquisition of the world’s largest potash producer by an Australian mining giant.  Bloomberg has a great article with all of the details, and outlines discussions undertaken by a group of law firms that got together recently to strategize protective and detective techniques.

The hackers in the Toronto case penetrated and combed through one computer network after another, hitting seven different law firms as well as Canada’s Finance Ministry and Treasury Board, seeking to gather detailed intelligence and potentially undermine the deal.  A law firm involved in the deal detected intrusion indicators, including spoofed emails, malicious websites, and network disruptions.  Investigators found spyware designed to capture confidential documents, compiled on a Chinese-language keyboard, and using servers in China involved in the attack.

The investigation linked the intrusions to a Chinese effort to kill the developing acquisition.  Stolen data of this nature can be worth tens of millions of dollars to those involved on either side of the bargaining table, and gives the possessor an unfair advantage in negotiations.  The deal eventually fell apart when the Canadian government declared it wasn’t in the nation’s interest, but the incident highlights the vulnerability of law firm information resources in particular, and the threat of loss of client trust and future business.

Insecure Conference Rooms

The New York Times is reporting that Rapid7 researchers have discovered that they could remotely infiltrate conference rooms in some of the top venture capital firms, law firms, pharmaceutical companies and oil companies across North America by simply calling in to unsecured videoconferencing systems found by scanning the internet.

Moore found he was able to listen in on meetings, remotely steer a camera, and zoom in on items in the room to read proprietary information on documents.  Most expensive videoconferencing systems offer encryption, password protection and camera lock-down capabilities, but the researchers found that administrators were setting them up outside of firewalls for convenience, and not properly configuring security features.  Some systems were set up to automatically accept inbound calls, opening the way for anyone to call in and eavesdrop on a meeting.

“These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Time to review your video and conference call setups, folks.  It would be terrible to find out that privileged client or financial information was so easily obtainable AFTER the fact!

Quick Follow-up – Symantec Source Code

Just a quick note to share updated intel from a previous post: it would appear that Symantec has come clean; the hacker who claimed to have, and threatened to release, Symantec’s Norton Anti-Virus source code did indeed have it.  However, it is old code, not the source code from the current version.  The source code that was exposed was for Symantec Endpoint Protection 11.0, used to prevent outgoing data from being leaked.  It was four years old and had been updated regularly.  The source code for Symantec Antivirus 10.2 is five years old and has been discontinued and off sale for some time, although it is still being serviced and used.

It does make the current product somewhat suspect in my opinion, until Symantec has had a chance to rewrite and release a completely new version.  Having the source code for an application makes it simple to write exploit code to take advantage of the app, to silently turn it off, or to make it do some unexpected things.  The limit is your imagination, really, since A/V software runs so close to the kernel, and has so many privileged hooks.

I can’t say that I’m too happy about this; I am very surprised that the source code was allowed to languish on a 3rd party server belonging to Indian Military Intelligence.  If you are using either of Symantec’s products, I would suggest you upgrade to the latest version and pressure the vendor to release a new version that they guarantee is not based on this compromised code base.

http://news.cnet.com/8301-1009_3-57353814-83/that-stolen-symantec-source-code-its-for-older-enterprise-products/

Duqu – The New Stuxnet

Security vendor Kaspersky Labs has identified infections with the new Duqu malware in Sudan and Iran.

Duqu is believed to borrow code and functionality from the Stuxnet industrial sabotage worm.

It is a flexible malware delivery framework whose primary intention is data exfiltration.


The primary Trojan module has three components:

  • a kernel driver, which injects a rogue DLL into system processes
  • the DLL itself, which handles communication with the C&C server and other system operations
  • a configuration file.

Its secondary module is an information-stealing keylogger.

It’s not known when the malware originally appeared in the wild, but the first sample was submitted to the VirusTotal service on Sept. 9 from Hungary.  Kaspersky Labs has identified multiple variants.  Several malware analysts have speculated quite differently as to the make-up and intent of this malware agent.  There are at least 13 different driver files involved, adding to the confusion.  Duqu appears to be intended for targeted attacks on carefully selected victims.  So far there is no indication that any of the victims are linked to nuclear programs, as in the Stuxnet case.

Each Duqu infection has been unique, and contains components with different file names, checksums, and encryption keys, which means that existing detection methods based on known DLL files may be challenged to deal with the threat.  Duqu updates itself, changes C&C servers, and installs additional components in order to continue dodging detective controls.
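To make the point about per-infection checksums concrete, here is an added illustration (not code from the Duqu analysis or any vendor) that runs a checksum denylist and a behaviour rule over a handful of constructed sample records. The file names, contents, hashes and behaviour tags are invented for this example; the rule itself is simply the three-part pattern the post describes (a kernel driver that injects a DLL into system processes, which then talks to a remote server).

```python
"""Checksum matching versus behaviour matching over constructed sample records.

Added illustration: each record stands in for one analysed file. Names, bytes
(and therefore hashes) and behaviour tags are made up to show why a list of
known checksums misses renamed, re-keyed variants while a rule over shared
behaviour still flags them.
"""
import hashlib

# Constructed sample set: three "variants" share behaviour but differ in file
# name, content (hence checksum) and embedded key; one benign driver as control.
SAMPLES = [
    {"name": "drv_a.sys", "content": b"variant A payload key=0x01",
     "behaviors": {"loads_kernel_driver", "injects_dll_into_system_process",
                   "beacons_to_remote_server", "reads_encrypted_config"}},
    {"name": "drv_b.sys", "content": b"variant B payload key=0x7f",
     "behaviors": {"loads_kernel_driver", "injects_dll_into_system_process",
                   "beacons_to_remote_server", "reads_encrypted_config",
                   "installs_keylogger"}},
    {"name": "svchelper.sys", "content": b"variant C payload key=0xa9",
     "behaviors": {"loads_kernel_driver", "injects_dll_into_system_process",
                   "beacons_to_remote_server"}},
    {"name": "vendor_audio.sys", "content": b"benign audio driver build 12",
     "behaviors": {"loads_kernel_driver", "reads_registry_settings"}},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Denylist built from the single variant an analyst has already seen.
KNOWN_BAD_HASHES = {sha256_hex(SAMPLES[0]["content"])}

# Behaviour rule: kernel driver + DLL injection into system processes + beacon.
DRIVER_INJECT_BEACON = {"loads_kernel_driver",
                        "injects_dll_into_system_process",
                        "beacons_to_remote_server"}


def detect_by_hash(samples, known_hashes):
    """Flag only samples whose checksum is already on the list."""
    return sorted(s["name"] for s in samples
                  if sha256_hex(s["content"]) in known_hashes)


def detect_by_behavior(samples, required):
    """Flag samples that exhibit every behaviour in the rule, whatever their hash."""
    return sorted(s["name"] for s in samples if required <= s["behaviors"])


def compare(samples=SAMPLES):
    """Run both detectors over the sample set and return their hits side by side."""
    return {
        "hash_hits": detect_by_hash(samples, KNOWN_BAD_HASHES),
        "behavior_hits": detect_by_behavior(samples, DRIVER_INJECT_BEACON),
    }


if __name__ == "__main__":
    for method, hits in compare().items():
        print(f"{method}: {hits}")
```

The checksum list catches only the variant it was built from; the behaviour rule catches all three variants and leaves the benign driver alone, because loading a kernel driver on its own is not enough to match. In practice the behaviour tags would come from sandbox or endpoint telemetry rather than a hand-written dictionary.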

GFI SandBox 3.4 Released

I am a big fan of behavior-based malware analysis.   I have assessed several products that claim to use behavioral analysis; most end up as a desktop product that constantly prompts the user to determine whether or not an action is nefarious.  I am still waiting for a single vendor to introduce a solid, reliable, and trustworthy antimalware engine that analyzes behavioral characteristics and makes intelligent decisions regarding applications and communications, while still performing at a decent clip and not hogging all of the PC’s resources, or relying on non-technical users to make security decisions.

Until my dream product materializes, GFI has released GFI SandBox 3.4 (formerly SunBelt’s CWSandBox). The latest update to their malware analysis tool helps security professionals assess suspected files and URLs for potential threats within a controlled environment.   This tool provides quick and safe malicious behavior analysis and reporting.  It enables users to see how potential malware executes, what changes are made during execution, what network traffic is generated, and much more, without risking the loss of data or compromising a network.


Enhancements include:

  • In-depth file analysis – Kernel-level monitoring provides greater confidence when analyzing any file or URL for malicious activity whether in a native or virtual environment.
  • Digital behavior traits – A summary of behavior across multiple platforms alerts users to malicious behavior.  Users can also replicate any system configuration for real world testing.
  • Easier collaboration – Admins can grant access to GFI SandBox to anyone in the organization to review and compare the Digital Behavior Traits of suspect files.
  • Fast malware assessments – Quicker file submissions and shorter analysis times.
  • Detailed reports – Security teams can instantly generate high-level summaries or comprehensive, in-depth analysis reports to share throughout an organization.

Until now, government agencies, threat researchers and large enterprises with their own highly skilled security teams were the only ones capable of purchasing and implementing sandboxing technologies.   While GFI SandBox 3.4 delivers stronger and quicker malware analysis, their focus for the new product is to make advanced malware analysis more accessible to organizations with limited in-house malware expertise, especially in the financial services sector where a lot of malware activity has been seen.  This is a product and technology well worth exploring.

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted you with, and are of the mind that you only need to do what is mandated by Visa, Mastercard, PCI, Policy, or some other established standard on a subset of systems that are directly involved with the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  In an age where attackers are getting organized, popping up like mushrooms, where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of your success, you need to have a solid and enterprise encompassing STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years.  So what are you doing about these recent attacks?

Cloud Computing Challenges & Rewards

It’s Friday, and I finally don’t have an interview scheduled.  Time to post another long winded entry.  Someone ought to hire me and take away all this free time…  (My golf-pro career move didn’t fly well with the wife…)   Let’s talk about cloud computing again.

Cloud computing is a technological advance that can bring great benefits to almost any business.  Like all major shifts in technology, adoption of cloud computing brings with it inherent risks.  My opinion on cloud computing thus far is based on reading, discussion with others, and some limited observation.  I have not implemented a cloud solution, audited a cloud environment, or managed a cloud environment.  Yet.  I have been observing the technology as it has developed for the past 6 years or so, and although I do not consider myself an expert by any means, I have an understanding of the concepts and have formed an opinion.

Over the past few years, I have talked to a lot of people involved in the cloud computing and virtualization space, mostly but not entirely from a security point of view.  Many of these folks are focused on maturing the technology, scoping the solutions available, and solving the challenges for Enterprise cloud computing adoption.  I have summarized these interactions here, and will add to them as I continue to learn and understand cloud computing better.

What Is Cloud Computing

The biggest challenge for cloud computing adoption as I see it remains the fact that it is just so hard to grasp.  IT is used to protecting a perimeter and touching a server farm.  With cloud, you can’t just head on down to the server room and visit the farm to reassure yourself that all is well.  For the IT folks like me that majored in the “buck stops here” school of IT management, where command and control of the IT infrastructure are the core of the security mind-set, handing over the keys to the kingdom to some third party is initially viewed as an act of treason.

77% of Organizations Lost Data in 2010

According to Check Point and the Ponemon Institute, 77% of global organizations experienced data loss in the last year.  Key findings from the report, Understanding Security Complexity in 21st Century IT Environments, show customer information was the most common type of data to be compromised at 52%, in addition to intellectual property (36%), employee information (36%) and consumer information (35%).  Either the numbers or the security practices are very, very wrong here.  From what I have seen, I don’t think it is the numbers.

With the adoption of Web 2.0 applications and more mobile devices connecting to the network, organizations are challenged with enforcing better data security and Governance, Risk and Compliance (GRC) requirements.  The primary cause for data loss resulted from lost or stolen equipment, followed by network attacks, insecure mobile devices, file-sharing applications and accidentally sending emails to the wrong recipient.  49% of all respondents believe their employees have little or no awareness about data security, compliance and policies.

Data Loss Prevention (DLP) from intentional and accidental disclosure remains a top information security challenge.  It’s important for businesses to understand the key issues driving data loss and establish a set of security best practices to prevent a breach.  In order to move data loss from detection to prevention, businesses should integrate more user awareness and establish processes to gain more visibility and control of information assets.
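The report's two most ordinary causes, mail sent to the wrong recipient and sensitive data in the body, are exactly what an outbound DLP rule is meant to catch before delivery. The following is an added example, not code from the Check Point or Ponemon material, of such a rule: it looks for card-like digit runs, validates them with the Luhn check so that order numbers and similar strings do not trigger it, and treats internal-only markings addressed to an outside domain as a misdirected message. The corporate domain `example.com`, the `INTERNAL ONLY` marking and the sample messages are all assumptions constructed for the example.

```python
"""Minimal outbound DLP policy check (added illustration, not a product's code).

Assumptions: the organisation's mail domain is example.com and documents
that must not leave carry the text "INTERNAL ONLY". Messages below are
constructed, not real mail.
"""
import re

INTERNAL_DOMAIN = "example.com"          # assumed corporate domain
CLASSIFICATION_MARKER = "INTERNAL ONLY"  # assumed document marking
# 13-16 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: drops most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit-only card numbers in text that pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def external_recipients(recipients) -> list:
    """Recipients whose address is not in the corporate domain."""
    suffix = "@" + INTERNAL_DOMAIN
    return [r for r in recipients if not r.lower().endswith(suffix)]


def evaluate_message(message: dict) -> dict:
    """Decide allow / warn / block for one outbound message."""
    cards = find_card_numbers(message["body"])
    external = external_recipients(message["to"])
    marked = CLASSIFICATION_MARKER in message["body"]
    if cards and external:
        action = "block"   # card data leaving the organisation
    elif external and marked:
        action = "warn"    # internal-only content addressed outside (misdirected?)
    elif cards:
        action = "warn"    # card data moving internally: allowed but logged
    else:
        action = "allow"
    return {"action": action, "cards": cards, "external": external}


# Constructed messages covering each branch of the policy.
MESSAGES = [
    {"to": ["partner@other.example"],
     "body": "Card 4111 1111 1111 1111 expires 12/14"},
    {"to": ["partner@other.example"],
     "body": "Ref order 1234 5678 9012 3456"},
    {"to": ["bob@example.com", "press@news.example"],
     "body": "INTERNAL ONLY: Q3 numbers attached"},
    {"to": ["bob@example.com"],
     "body": "INTERNAL ONLY: Q3 numbers attached"},
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(evaluate_message(msg))
```

The second message is the false-positive case: sixteen digits that fail the Luhn check are left alone, which is the difference between a rule people tolerate and one they route around. The third message is the "wrong recipient" case from the report; a warning that names the outside address is usually enough for the sender to notice the mistake.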

Facebook Facial Recognition

Facebook has quietly enabled facial recognition software on their social networking site, alarming some privacy advocates and users alike.  The site has covertly deployed the feature on millions of user accounts around the world, without giving any notice.  Unless you seek out and disable the feature, each time one of your Facebook friends uploads a photograph, Facebook will try to determine who is in the picture.  If it makes a positive ID, your friends will be urged to tag you, confirming your presence in the photograph.

That’s a nifty tool, and can be a real time saver for those that want to tag folks in all of their pictures for memory’s sake.  There are considerations though, if someone doesn’t want to be tagged, or have their presence at a function, event, particular venue, or meeting commonly known.  To some of us apparently, what happens in ____, stays in _____.

If you are concerned about your privacy, check your privacy settings to disable the feature.