Toronto Law Firms Targeted

Here is a lesson for all of us about the global reach and intent of attackers who are interested in the information assets we hold for ourselves or for clients.  China-based hackers recently homed in on the offices of Toronto's Bay Street law firms handling a $40 billion acquisition of the world's largest potash producer by an Australian mining giant.  Bloomberg has a good article with the details, and outlines discussions among a group of law firms that got together recently to work out protective and detective techniques.

The hackers in the Toronto case penetrated and combed through one computer network after another, hitting seven different law firms as well as Canada's Finance Ministry and Treasury Board, seeking detailed intelligence and potentially a way to undermine the deal.  A law firm involved in the deal detected intrusion indicators, including spoofed emails, malicious websites, and network disruptions.  Investigators found spyware designed to capture confidential documents, compiled on a Chinese-language keyboard and communicating with servers in China.

The investigation linked the intrusions to a Chinese effort to kill the developing acquisition.  Stolen data of this nature can be worth tens of millions of dollars to those on either side of the bargaining table, and gives its possessor an unfair advantage in negotiations.  The deal eventually fell apart when the Canadian government declared it was not in the nation's interest, but the incident highlights the vulnerability of law firm information resources in particular, and the threat of losing client trust and future business.

Insecure Conference Rooms

The New York Times is reporting that Rapid7 researcher HD Moore discovered that he could remotely infiltrate conference rooms at some of the top venture capital, law, pharmaceutical and oil companies across North America simply by calling in to unsecured videoconferencing systems he found by scanning the internet.

Moore found he was able to listen in on meetings, remotely steer a camera, and zoom in on items in the room to read proprietary information on documents.  Most high-end videoconferencing systems offer encryption, password protection and camera lock-down capabilities, but he found that administrators were setting them up outside of firewalls for convenience and not properly configuring the security features.  Some systems were set up to automatically accept inbound calls, opening the way for anyone to call in and eavesdrop on a meeting.

“These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Time to review your video and conference call setups, folks.  It would be terrible to find out that privileged client or financial information was so easily obtainable AFTER the fact!
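A concrete first step for that review, as an added example (not from the Times story or from Rapid7): scan your own address ranges for endpoints answering on the H.323 call-signalling port (TCP 1720) and the SIP port (TCP 5060), then parse nmap's grepable output to list the candidates. The scan output below is constructed for the example; in practice you would generate it with something like `nmap -p 1720,5060 -oG vc_scan.gnmap <your ranges>`.

```python
"""Find videoconferencing endpoints exposed on H.323/SIP signalling ports
by parsing nmap grepable (-oG) output.  Added example with constructed
scan data; run it against a real .gnmap file with audit_file()."""
import re

H323_PORT = 1720   # H.225 call signalling, the port Moore's scan looked for
SIP_PORT = 5060    # SIP signalling, the other common inbound-call path

# Constructed sample of `nmap -p 1720,5060 -oG -` output.  Each "Host:" line
# carries port entries of the form port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p 1720,5060 -oG - 203.0.113.0/28
Host: 203.0.113.2 ()\tPorts: 1720/open/tcp//h323q931///, 5060/closed/tcp//sip///\tIgnored State: closed (0)
Host: 203.0.113.3 ()\tPorts: 1720/closed/tcp//h323q931///, 5060/closed/tcp//sip///
Host: 203.0.113.7 (vc-boardroom.example.com)\tPorts: 1720/open/tcp//h323q931///, 5060/open/tcp//sip///
Host: 203.0.113.9 ()\tStatus: Down
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/,]*/([^/,]*)/")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": {port: (state, service)}}}
    for every host line that carries a Ports field (down hosts are skipped)."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        ports_field = next((f for f in rest.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        ports = {}
        for pm in PORT_RE.finditer(ports_field):
            port, state, _proto, service = pm.groups()
            ports[int(port)] = (state, service)
        hosts[ip] = {"hostname": hostname, "ports": ports}
    return hosts


def exposed_endpoints(hosts):
    """Hosts with an open H.323 or SIP signalling port.  Each is a candidate
    for a test call (does it auto-answer? does it require a PIN?) and for
    moving behind the firewall or a gatekeeper.  Returns a sorted list of
    (ip, hostname, [open signalling ports])."""
    flagged = []
    for ip, info in hosts.items():
        open_sig = [p for p in (H323_PORT, SIP_PORT)
                    if info["ports"].get(p, ("closed", ""))[0] == "open"]
        if open_sig:
            flagged.append((ip, info["hostname"], open_sig))
    return sorted(flagged)


def audit_file(path):
    """Convenience wrapper for a real nmap -oG file."""
    with open(path, encoding="utf-8") as fh:
        return exposed_endpoints(parse_gnmap(fh.read()))


if __name__ == "__main__":
    for ip, name, ports in exposed_endpoints(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip:16} {name or '-':30} open signalling ports: {ports}")
```

An open port 1720 does not by itself prove the unit auto-answers; it proves the unit is reachable from wherever you scanned. The follow-up is to place a call from outside and confirm that it is rejected or prompts a human to accept, and to put the endpoint behind the firewall or gatekeeper with auto-answer disabled.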

Quick Follow-up – Symantec Source Code

Just a quick note to share the updated intel from a previous post: it would appear that Symantec has come clean, and the hacker who claimed to have, and threatened to release, Symantec's Norton Anti-Virus source code did indeed have it.  However, it is old code, not the source code from the current version.  The source code that was exposed was for Symantec Endpoint Protection 11.0, used to prevent outgoing data from being leaked; it was four years old and had been updated regularly.  The source code for Symantec Antivirus 10.2 is five years old, and that product has been discontinued and off sale for some time, although it is still being serviced and used.

It does make the current product somewhat suspect in my opinion, until Symantec has had a chance to rewrite and release a completely new version.  Having the source code for an application makes it simple to write exploit code to take advantage of the app, to silently turn it off, or to make it do some unexpected things.  The limit is your imagination, really, since A/V software runs so close to the kernel, and has so many privileged hooks.

I can't say that I'm too happy about this; I am very surprised that the source code was allowed to languish on a third-party server, belonging to Indian Military Intelligence.  If you are using either of Symantec's products, I would suggest you upgrade to the latest version, and pressure the vendor to release a new version that they guarantee is not based on this compromised code base.

Duqu – The New Stuxnet

Security vendor Kaspersky Labs has identified infections with the new Duqu malware in Sudan and Iran.

Duqu is believed to borrow code and functionality from the Stuxnet industrial sabotage worm.

It is a flexible malware delivery framework whose primary intention is data exfiltration.

The primary Trojan module has three components:

  • a kernel driver, which injects a rogue DLL into system processes
  • the DLL itself, which handles communication with the C&C server and other system operations
  • a configuration file.

Its secondary module is an information-stealing keylogger.

It is not known when the malware originally appeared in the wild, but the first sample was submitted to the VirusTotal service on Sept. 9 from Hungary.  Kaspersky Labs has identified multiple variants.  Several malware analysts have speculated quite differently about the make-up and intent of this malware agent.  There are at least 13 different driver files involved, adding to the confusion.  Duqu appears to be intended for targeted attacks on carefully selected victims.  So far there is no indication that any of the victims are linked to nuclear programs, as in the Stuxnet case.

Each Duqu infection has been unique, containing components with different file names, checksums, and encryption keys, which means that signature-based detection keyed to known DLL files and hashes may struggle with the threat.  Duqu also updates itself, changes C&C servers, and installs additional components in order to keep dodging detective controls.
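To make the detection point concrete, here is an added example (not Kaspersky's or anyone else's detection code) using constructed data. Three "infections" share the same driver / injected DLL / config structure but differ in file names and an embedded per-victim key, so a SHA-256 blocklist built from the first one misses the other two, while a rule on the behaviour the page describes (kernel driver load, DLL injection into a system process, then outbound C&C traffic) catches all three and leaves a clean host alone. File names, byte contents and event logs are all invented for the example.

```python
"""Hash blocklist versus behavioural rule against Duqu-style variants.
Added example with constructed infections; nothing here is real malware."""
import hashlib
from dataclasses import dataclass


@dataclass
class Infection:
    victim: str
    files: dict     # file name -> contents (bytes), constructed
    events: list    # (event_type, detail) tuples in time order, constructed


def build_infection(victim, drv_name, dll_name, cfg_name, key: bytes):
    """Model one victim: same code bodies everywhere, but the file names and
    an embedded per-victim key differ, so every file hash is unique."""
    return Infection(
        victim=victim,
        files={
            drv_name: b"DRIVER:inject-dll-into-services.exe:" + key,
            dll_name: b"DLL:c2-over-http:" + key,
            cfg_name: b"CFG:" + key,
        },
        events=[
            ("driver_load", drv_name),
            ("dll_inject", f"{dll_name} -> services.exe"),
            ("net_connect", "443/tcp outbound"),
        ],
    )


# Constructed victims (names are placeholders, not real Duqu artefacts).
INFECTIONS = [
    build_infection("victim-a", "drv_a.sys", "dll_a.pnf", "cfg_a.pnf", b"key-a"),
    build_infection("victim-b", "drv_b.sys", "dll_b.pnf", "cfg_b.pnf", b"key-b"),
    build_infection("victim-c", "drv_c.sys", "dll_c.pnf", "cfg_c.pnf", b"key-c"),
]

# A clean host: a vendor driver loads and the box talks to the internet,
# but nothing is injected into a system process.
CLEAN_HOST = Infection(
    victim="clean-host",
    files={"nic.sys": b"DRIVER:vendor-nic"},
    events=[("driver_load", "nic.sys"), ("net_connect", "443/tcp outbound")],
)

SYSTEM_PROCS = ("services.exe", "lsass.exe", "svchost.exe", "winlogon.exe")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist(known: Infection) -> set:
    """What a signature feed built from one captured sample gives you."""
    return {sha256(b) for b in known.files.values()}


def hash_detect(inf: Infection, blocklist: set) -> bool:
    return any(sha256(b) in blocklist for b in inf.files.values())


def behaviour_detect(events) -> bool:
    """True if, in order: a driver load, then a DLL injection into a system
    process, then an outbound connection.  Names and hashes play no part,
    so renamed and re-keyed variants still match."""
    stage = 0
    for kind, detail in events:
        if stage == 0 and kind == "driver_load":
            stage = 1
        elif stage == 1 and kind == "dll_inject":
            target = detail.split("->")[-1].strip()
            if target in SYSTEM_PROCS:
                stage = 2
        elif stage == 2 and kind == "net_connect":
            return True
    return False


def evaluate(known: Infection, hosts):
    """Return {victim: (hash_hit, behaviour_hit)} for each host."""
    blocklist = hash_blocklist(known)
    return {h.victim: (hash_detect(h, blocklist), behaviour_detect(h.events))
            for h in hosts}


if __name__ == "__main__":
    for victim, (by_hash, by_behaviour) in evaluate(INFECTIONS[0], INFECTIONS + [CLEAN_HOST]).items():
        print(f"{victim:12} hash={by_hash!s:5} behaviour={by_behaviour}")
```

The blocklist is only ever as good as the sample it was built from; the behavioural rule encodes what the implant has to do to work, which is why the page's "see what it does when it runs" approach survives per-victim repacking.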

GFI SandBox 3.4 Released

I am a big fan of behavior-based malware analysis.   I have assessed several products that claim to use behavioral analysis; most end up as a desktop product that constantly prompts the user to determine whether or not an action is nefarious.  I am still waiting for a single vendor to introduce a solid, reliable, and trustworthy antimalware engine that analyzes behavioral characteristics and makes intelligent decisions regarding applications and communications, while still performing at a decent clip and not hogging all of the PC's resources, or relying on non-technical users to make security decisions.

Until my dream product materializes, GFI has released GFI SandBox 3.4 (formerly SunBelt’s CWSandBox). The latest update to their malware analysis tool helps security professionals assess suspected files and URLs for potential threats within a controlled environment.   This tool provides quick and safe malicious behavior analysis and reporting.  It enables users to see how potential malware executes, what changes are made during execution, what network traffic is generated, and much more, without risking the loss of data or compromising a network.

Enhancements include:

  • In-depth file analysis – Kernel-level monitoring provides greater confidence when analyzing any file or URL for malicious activity whether in a native or virtual environment.
  • Digital behavior traits – A summary of behavior across multiple platforms alerts users to malicious behavior.  Users can also replicate any system configuration for real world testing.
  • Easier collaboration – Admins can grant access to GFI SandBox to anyone in the organization to review and compare the Digital Behavior Traits of suspect files.
  • Fast malware assessments – Quicker file submissions and shorter analysis times.
  • Detailed reports – Security teams can instantly generate high-level summaries or comprehensive, in-depth analysis reports to share throughout an organization.

Until now, government agencies, threat researchers and large enterprises with their own highly skilled security teams were the only ones capable of purchasing and implementing sandboxing technologies.   While GFI SandBox 3.4 delivers stronger and quicker malware analysis, their focus for the new product is to make advanced malware analysis more accessible to organizations with limited in-house malware expertise, especially in the financial services sector where a lot of malware activity has been seen.  This is a product and technology well worth exploring.

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by: budgets are tight, the economy is bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted to you, and are of the mind that you only need to do what is mandated by Visa, MasterCard, PCI, policy, or some other established standard, on the subset of systems that directly touch the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  Attackers are getting organized and popping up like mushrooms, and the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of their success.  You need a solid, enterprise-encompassing STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high-value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable and that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex: too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it's a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we've been talking about for years.  So what are you doing about these recent attacks?