Lockheed Martin Breach Update

Jeffrey Carr has done some good research and blogged about what is known so far regarding the Lockheed Martin compromise.  It is a very good analysis of what appears to have happened, built from public information sources, and it illustrates some of the contradictory information Lockheed has released.  The extent of the RSA SecurID breach appears to be somewhat worse than EMC has reported, and EMC still disclaims its role in this attack.

As Jeffrey points out, Lockheed Martin has a history of significant cybersecurity breaches dating back to Titan Rain in 2003 and the F-35 Joint Strike Fighter program in 2009.  They have never publicly acknowledged the F-35 breach, and they lost the lawsuit when a jury awarded a multi-million-dollar verdict for wrongful termination in the Sandia National Labs incident.

I will continue to watch this situation, and provide links to what I believe are good articles and information.


RSA Breach Notification

Hackers have breached the security arm of EMC, to steal information related to its RSA two-factor authentication products.  The company’s President Art Coviello revealed the sketchy details in an undated letter to customers Thursday.  “Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA.”  The vendor does not believe any personal customer or employee information was compromised in the attack.

The attack was categorized as an advanced persistent threat, typically a sophisticated and stealthy attack that is often leveraged in espionage to steal intellectual property.  Neither the letter nor a Securities and Exchange Commission filing identifies what data was stolen, but Coviello said the information obtained by the hackers may aid in circumventing RSA’s SecurID products, which include hardware authentication tokens, software authenticators, authentication agents and appliances.

Speculation indicates that attackers may have gained access to the so-called “seed values” that are used to generate the six-digit PIN that is changed by SecurID tokens every 60 seconds.  Millions of companies worldwide use SecurID to protect access to their sensitive assets, such as web servers, email clients and VPNs.  Other possibilities include the theft of source code that could provide attackers with a treasure map of vulnerabilities to exploit, or the theft of private cryptographic keys that might allow them to imitate RSA servers or register new employee tokens.
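The speculation above turns on one point: a time-based token code is a deterministic function of the seed and the clock, so whoever holds the seed can compute every code the token will ever show. The following is an added example, not RSA's code or a description of the proprietary SecurID algorithm; it uses the public RFC 4226/6238 HOTP/TOTP construction as a stand-in, with a 60-second step to match the rotation described, and models the SecurID-style passcode as PIN followed by tokencode. The seed, PIN and timestamps are constructed for illustration.

```python
# Added example (not RSA's code): an RFC 6238 TOTP generator and verifier.
# SecurID's algorithm is proprietary, so TOTP stands in for "a six-digit
# code derived from a per-token seed and the clock". All values are constructed.
import hashlib
import hmac
import secrets
import struct

DIGITS = 6
STEP = 60  # seconds per code, matching the 60-second rotation described above


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP) -> str:
    """The code a token (or anyone holding its seed) displays at time `at`."""
    return hotp(seed, at // step)


def verify_tokencode(seed: bytes, submitted: str, at: int,
                     step: int = STEP, skew: int = 1) -> bool:
    """Server side: accept the current step or +/- `skew` steps of clock drift."""
    current = at // step
    return any(
        hmac.compare_digest(hotp(seed, current + d), submitted)
        for d in range(-skew, skew + 1)
        if current + d >= 0
    )


def verify_passcode(pin: str, seed: bytes, submitted: str, at: int) -> bool:
    """SecurID-style passcode: the user's PIN followed by the tokencode.

    The PIN is the "something you know" half. A stolen seed reproduces the
    tokencode but not the PIN, which is why the vendor guidance stresses
    strong PIN policy after a seed compromise.
    """
    if len(submitted) <= DIGITS:
        return False
    pin_part, code_part = submitted[:-DIGITS], submitted[-DIGITS:]
    return hmac.compare_digest(pin_part, pin) and verify_tokencode(seed, code_part, at)


def reseed() -> bytes:
    """Re-provisioning a token: a fresh seed invalidates every code the old one produced."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    seed = b"constructed-demo-seed-1"  # constructed; real seeds are random bytes
    now = 1_300_000_000                # constructed Unix timestamp
    code = totp(seed, now)
    print("token shows:", code)
    print("server accepts it:", verify_tokencode(seed, code, now))
    print("a copy of the seed computes the same code:", totp(seed, now) == code)
    print("PIN + tokencode accepted:", verify_passcode("4321", seed, "4321" + code, now))
    print("old code after reseed:", verify_tokencode(reseed(), code, now))
```

The `verify_tokencode` window shows the defender's trade-off: a wider `skew` tolerates clock drift but also lengthens the period during which a code computed from a stolen seed stays valid. Re-seeding (`reseed`) is the only remedy that closes the gap entirely, which is what "strengthen their SecurID implementations" ultimately comes down to.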

Coviello wrote, “We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”  The company plans to “share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem.”  Ironically, RSA has been researching the APT threat for more than a year, in attempts to develop new mitigating technologies.  In an interview last month with SC Magazine at the RSA Conference in San Francisco, RSA CTO Bret Hartman said organizations should accept that they cannot stop an APT attack and should instead focus on early detection, damage containment, and impact reduction.

RSA is strongly urging customers to:

  • Increase focus on security for social media applications and the use of those applications and websites by anyone with access to critical networks.
  • Enforce strong password and pin policies.
  • Follow the rule of least privilege when assigning roles and responsibilities to security administrators.
  • Re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority.
  • Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
  • Pay special attention to security around active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
  • Watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
  • Harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
  • Examine help desk practices for information leakage that could help an attacker perform a social engineering attack.
  • Update security products and the operating systems hosting them with the latest patches.
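Two of the recommendations above (watch for changes in user privilege levels, and add manual approval for those changes) are the kind of rule a SIEM runs over Windows security events. The following is an added example, not part of RSA's guidance: a small detector that reads group-membership-change events (the real Windows event IDs 4728, 4732 and 4756) and flags changes that touch privileged groups, come from an account outside an approved list, or fall outside an approved change window. The log lines, group names, approved accounts and change window are all constructed for illustration.

```python
# Added example (not from RSA's guidance): flag privileged-group membership
# changes in Windows security events. Log lines are constructed.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Real Windows event IDs for "member added to a security-enabled group"
GROUP_ADD_EVENTS = {"4728": "global", "4732": "local", "4756": "universal"}

# Groups whose membership changes always warrant review (constructed list)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Accounts permitted to make such changes, and the approved change window (UTC hours)
APPROVED_CHANGERS = {"CORP\\iam-admin"}
CHANGE_WINDOW = range(9, 18)

# Constructed sample events: "<ISO timestamp> Key=Value Key=Value ..."
SAMPLE_LOG = """\
2011-03-21T10:05:12Z EventID=4728 Subject=CORP\\iam-admin Member=CORP\\alice Group=CORP\\Domain Admins
2011-03-21T11:30:44Z EventID=4732 Subject=CORP\\iam-admin Member=CORP\\bob Group=BUILTIN\\Remote Desktop Users
2011-03-21T02:14:07Z EventID=4728 Subject=CORP\\svc-backup Member=CORP\\mallory Group=CORP\\Domain Admins
2011-03-21T14:02:59Z EventID=4624 Subject=- Member=- Group=-
2011-03-21T15:45:00Z EventID=4756 Subject=CORP\\helpdesk3 Member=CORP\\carol Group=CORP\\Enterprise Admins
"""

# Key=Value pairs; a value runs until the next " Key=" or end of line
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Alert:
    when: datetime
    subject: str
    member: str
    group: str
    reasons: list


def parse_event(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["when"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert when a group-membership change needs manual review."""
    if ev.get("EventID") not in GROUP_ADD_EVENTS:
        return None
    group_name = ev["Group"].split("\\")[-1]
    reasons = []
    if group_name in PRIVILEGED_GROUPS:
        reasons.append(f"membership change to privileged group {group_name}")
    if ev["Subject"] not in APPROVED_CHANGERS:
        reasons.append(f"changed by non-approved account {ev['Subject']}")
    if ev["when"].hour not in CHANGE_WINDOW:
        reasons.append("outside approved change window")
    if not reasons:
        return None
    return Alert(ev["when"], ev["Subject"], ev["Member"], ev["Group"], reasons)


def scan(log_text: str) -> list:
    """One Alert per membership event that should go to a human for approval."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = check_event(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.when:%Y-%m-%d %H:%M} {a.subject} added {a.member} to {a.group}: "
              + "; ".join(a.reasons))
```

Run as-is, the routine membership change by the approved account during the change window passes silently, while the three others are raised with the reasons attached, which is what a manual-approval queue needs in order to triage quickly.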

Zeus “Mobile” Malware

Researchers from S21sec, a Spanish security company, discovered earlier this month a version of Zeus that identifies the make of mobile phones and their numbers by injecting HTML fields over a bank’s Web page when a user starts a transaction.  Banks are increasingly adopting systems that send a one-time passcode to the customer’s mobile phone, which must be entered in order to complete a transaction.  Using a person’s mobile phone in two-factor authentication is cheaper than sending out small devices that generate one-time passcodes.

The attackers will send the victim a text message with a link to a malicious Web site, prompting the user to download an “update” for their device.  The software — which has a valid signing certificate — appears to be legitimate, but it is designed to intercept the one-time passcode used in online banking transactions and forward it by text message to the attackers’ phone.  The malware is still transmitting data to hackers, although U.K. police have been notified.

Regular Zeus works by capturing the log-in and password of victims’ bank accounts.  With banks using one-time passcodes sent by SMS, Zeus’ operators would have to wait until a victim started an online transaction, received the one-time passcode on their phone and then entered it into the Web browser.  Zeus would have to grab the code and quickly initiate a new transaction before the code expires.  That method requires the attacker to wait until the victim starts a transaction.  The new Zeus mobile component means they automatically receive the one-time passcode without any action by the victim, providing additional time to complete the transaction.

The mobile Zeus malware can infect Symbian Series 60 devices or BlackBerries.  The iPhone is so far not affected.

ComputerWorld

Identity Management & The Law

According to an article posted on DigitalIDNews, there has been significant work related to the technical exchange of identity information and actual authentication processes.  There has not been a focused look at the legal issues, implications, and liabilities of the parties responsible for properly identifying and authenticating users or customers.

The American Bar Association’s (ABA) Federated Identity Management Legal Task Force was set up over a year ago to analyze and address legal, privacy and liability issues that arise as Federated ID Management Systems are adopted and deployed.  In identity theft situations, case law is beginning to emerge.  Courts are starting to point the finger at businesses that did not do enough to protect personal information.  Businesses need to meet their obligations, properly identify and authenticate individuals, and make sure not to release personal or confidential information.  The Federal Trade Commission has even instituted enforcement actions where businesses did not authenticate customers properly.

DigitalIDNews

DLP – Protecting What Matters Most

Data Loss Prevention (DLP) products exist to help organizations monitor and protect sensitive data.  This data could be customer information, credit card numbers, employees’ personal information, project plans, intellectual property, trade secrets, whatever the crown jewels may be.  If this data were to be lost or stolen, it could create significant legal liability, financial loss, and security risks, as well as reputational and regulatory hardships.  DLP keeps sensitive data from falling into the wrong hands.  NetworkWorld has a collection of excellent DLP articles for those that are concerned with the topic.  Find the related items at the end of this entry.

You can put in place all of the intermediary policies and risk-mitigating controls from perimeter to storage server that you can afford.  One thing with technical security controls is almost certain: a determined attacker will find a way to violate your strongest safeguards.  Filter web traffic and they resort to encryption and obfuscation.  Isolate sensitive systems from the Internet and they plug in a USB drive.  Disable USB support and they reboot with a CD.  Disable CD/DVD booting in CMOS and block the USB ports with super glue and they use a cellphone camera to snap a picture of sensitive material on screen.  Create a policy barring cameras and enforce it, and the attacker will reach for a pencil.  DLP is just shy of a silver bullet from my perspective in Incident Response.  It is a security control that, if implemented and managed correctly, protects the data from inappropriate exfiltration.


Security: Compliance or Protection?

A new report by Forrester Research for Microsoft and RSA finds that even though intellectual property comprises 62% of a company’s data assets, security programs focus on compliance rather than on data protection. 

Key Findings:

  • Secrets comprise two-thirds of the value of firms’ information portfolios
  • Compliance, not security, drives security budgets
  • Firms focus on preventing accidents, but theft is where the money is
  • The more valuable a firm’s information, the more incidents it will have
  • CISOs do not know how effective their security controls actually are

According to Forrester, corporate security programs are typically divided into two main categories of data types to protect:

  • Secrets (product plans, budgets, earnings forecasts, and trade secrets)
  • Custodial Data (customer, employee, medical, and payment card information)

Forrester

CBC – Who’s Minding The Store

Credit card theft is a rampant problem.  As quickly as we develop new ways of protecting credit card data, it seems, criminals are developing new techniques to bypass those same security measures.  On Friday March 12th, Marketplace aired a new episode titled “Who’s Minding the Store?” describing some of the new techniques being used to gain access to credit and debit card information.  The episode features computer forensics and security expert Ryan Purita of Sherlock Forensics.

You may be surprised to find out just how easy it is to get credit and debit cards along with other information.  One way is to steal actual point-of-sale terminals.  These are the machines used to pay for your goods at various retailers, restaurants, and stores.  Once a thief has possession of a PoS terminal, they can access whatever information it contains.  What may shock people is that there are currently no disclosure laws within Canada that require companies to disclose security breaches or data loss.  If your credit card data is stolen from a PoS terminal, you may never know.

Computer forensics and data security are essential to corporations that handle customers’ financial data.  Companies should invest in encryption just as they would in insurance or CCTV systems, according to Purita.  To learn more about these new forms of credit and debit card theft, view the episode online anytime at http://www.cbc.ca/marketplace/.

Data Exfiltration: How Data Gets Out

CIO Magazine has a good article that looks at typical data exfiltration events.  Criminals are becoming increasingly sophisticated in their methods of both online attack and data exfiltration.  Data is usually exfiltrated (or exported) by copying it from the victim system over the network, although removable media or physical theft can also be used.  In 2009, Trustwave investigated over 200 data breaches in 24 different countries.  While the methods used to exfiltrate data from a compromised environment varied, 45% of compromises involved attackers gaining access to a system through a remote access application being used by the victim organization.

Once a foothold is established, attackers often launch network enumeration tools to discover additional targets within the environment and retrieve system information, such as usernames, group privileges, network shares, and available services.  The noise generated by enumeration tools can indicate a pending attack, if IT and Security staff are listening for it.  Unfortunately, most are not monitoring their systems and networks extensively and fail to observe these indicators.

Once attackers gain access to the target environment, they harvest data using either manual or automated methods.  Using manual processes, potentially valuable databases and documents are located, and searches of the operating system are conducted using specific keywords to further identify data.  Automated methods use custom written malware that takes advantage of flaws found in the applications being used to process confidential data. 

Criminals often use the same remote access application to extract data.  Other existing services, such as native FTP and HTTP client functionality, are also frequently leveraged for data extraction.  When malware is used for data extraction, FTP, SMTP and IRC functionality are regularly observed.  With off-the-shelf malware, such as keystroke loggers, attackers most often use built-in FTP and e-mail capabilities to exfiltrate data.  When e-mail services are employed for extraction, attackers often install a malicious SMTP server directly on the compromised system to ensure the data is properly routed.

Paying close attention to the behaviors of “normal” activity against “standard” systems is the key to identifying a problem before it is too late.  Every anomaly should be viewed with a degree of suspicion and addressed through internal investigation by an expert.
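"Normal activity against standard systems" only becomes a detection once a baseline is written down. The following is an added example, not from the CIO Magazine article or Trustwave's report: it builds a per-host baseline from outbound connection records (which destination ports each host normally uses, and its typical bytes sent), then flags observed connections that use one of the exfiltration channels named above (FTP, SMTP, IRC) for the first time from that host, send an outsized volume, or come from a host with no baseline at all. The records, host names and addresses are constructed; the volume threshold is an assumed multiple of the host's median.

```python
# Added example (not the article's): baseline-versus-anomaly check over
# constructed outbound connection records.
# Record format: "<timestamp> <source host> <destination IP> <dest port> <bytes out>"
from collections import defaultdict
from statistics import median

# Ports tied to the exfiltration channels the article lists
EXFIL_PORTS = {21: "FTP", 25: "SMTP", 6667: "IRC"}

# Constructed "known good" period used to learn what each host normally does
BASELINE = """\
2011-03-01T09:00:00Z ws-17   10.0.5.20      445 12000
2011-03-01T09:10:00Z ws-17   203.0.113.10   443 54000
2011-03-01T09:20:00Z ws-17   10.0.5.30       80  8000
2011-03-01T09:40:00Z ws-17   203.0.113.10   443 30000
2011-03-01T09:05:00Z ws-22   203.0.113.10   443 20000
2011-03-01T09:35:00Z ws-22   203.0.113.10   443 25000
2011-03-01T09:15:00Z mail-01 203.0.113.25    25 15000
2011-03-01T09:45:00Z mail-01 203.0.113.25    25 14000
"""

# Constructed observation period to be checked against the baseline
OBSERVED = """\
2011-03-20T02:10:00Z ws-17   198.51.100.7    21 2500000
2011-03-20T09:12:00Z ws-17   203.0.113.10   443 40000
2011-03-20T09:16:00Z mail-01 203.0.113.25    25 15000
2011-03-20T03:02:00Z ws-22   198.51.100.9  6667 900
2011-03-20T03:05:00Z ws-22   203.0.113.10   443 700000
2011-03-20T09:30:00Z ws-99   203.0.113.10   443 5000
"""


def parse(records: str):
    for line in records.splitlines():
        if line.strip():
            ts, src, dst, dport, nbytes = line.split()
            yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def build_baseline(records: str) -> dict:
    """Per host: the set of destination ports seen and the median bytes per connection."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for r in parse(records):
        ports[r["src"]].add(r["dport"])
        sizes[r["src"]].append(r["bytes"])
    return {h: {"ports": ports[h], "median_bytes": median(sizes[h])} for h in ports}


def detect(baseline: dict, observed: str, volume_factor: int = 10) -> list:
    """Return (host, destination, reasons) for each connection worth an analyst's look."""
    alerts = []
    for r in parse(observed):
        base = baseline.get(r["src"])
        reasons = []
        if base is None:
            reasons.append("host has no baseline")
        else:
            if r["dport"] in EXFIL_PORTS and r["dport"] not in base["ports"]:
                reasons.append(f"first use of {EXFIL_PORTS[r['dport']]} (port {r['dport']}) from this host")
            if r["bytes"] > volume_factor * base["median_bytes"]:
                reasons.append(f"{r['bytes']} bytes out, over {volume_factor}x the host's median")
        if reasons:
            alerts.append((r["src"], f"{r['dst']}:{r['dport']}", reasons))
    return alerts


if __name__ == "__main__":
    for host, dest, reasons in detect(build_baseline(BASELINE), OBSERVED):
        print(f"{host} -> {dest}: " + "; ".join(reasons))
```

The mail relay's SMTP traffic is not flagged because SMTP is part of its baseline, which is the point of a per-host baseline rather than a global port blocklist: the same port is normal on one system and an anomaly on another. Every hit is a lead for internal investigation, not a verdict.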

CIO Magazine

Microsoft Shows ID Tools

Microsoft plans to introduce two new software products designed to enhance online identity management. They presented at the RSA Conference 2010 in San Francisco on Tuesday. “Information is the new currency of crime and there’s a lot of information on the Internet,” explains Jules Cohen, director of Trustworthy Computing at Microsoft.

By advancing its vision of End-to-End Trust, Microsoft intends to build a model that demands authentication in the right places without requiring it everywhere, or destroying anonymity. To make that happen, the password has to die and a more secure form of authentication must take its place. That’s where U-Prove comes in. Microsoft acquired U-Prove from Credentica in 2008. U-Prove provides the cryptographic functions necessary to implement cross-domain identity and access management in conjunction with privacy enhancing features like selective information disclosure.

Microsoft is releasing its U-Prove Cryptography specification and its Metasystem Integration specification under the Open Specification Promise, licensed under BSD. Microsoft’s Open Specification Promise represents the company’s commitment to not make patent claims against certain technology implementations involving its intellectual property. It is also releasing code under BSD on its CodeGallery, in the form of a C# and Java crypto SDK. Through Microsoft Connect, it will release its U-Prove Community Technology Preview, including ActiveDirectory Federation Services v2, Windows CardSpace v2, and Windows Identity Foundation.

Microsoft also plans to release Forefront Identity Manager 2010 for enterprises. The conversation that Microsoft wants to have about its identity technology has already led to Germany’s Federal Ministry of the Interior administering an e-government program to issue secure electronic identity cards (eID) starting in November 2010. The German eID project aims to allow students, for example, to register for courses, comment on courses, and buy books through Web sites affiliated with universities while providing the minimum required information in a way that can’t be correlated or tracked across different Web sites. The goal is to simplify online identification and authentication while protecting privacy.

InformationWeek

Secure USB Flaw Exposed

A flaw in USB vendor SanDisk’s secure USB technology is leaving multiple devices vulnerable to attack, and has led to the recall and patching of multiple vendors’ secure USB drive products.  The flaw resides in the password-handling process of the encrypted USB keys.

SanDisk has issued a security alert and updates for multiple Cruzer Enterprise models that fix the bug in the access-control features.  SanDisk emphasized in its alert that the flaw was not in the device hardware or firmware, but in the application that runs on the host system.

Kingston Technologies, which uses SanDisk software in its products, has recalled 3 of its secure USB drives, warning its customers in its notice that data on the encrypted drives could be accessed by seasoned attackers with local access and a specialized tool. Kingston recommends the drives be physically returned for updates, although it is also reported to be working on a downloadable patch.

Verbatim, which also uses SanDisk technology, has issued an update alert on some of its USB products, as well.

The vulnerability, which was discovered by researchers at German penetration testing firm SySS, would basically provide access to data on the drives if a weakness in the way the software handles passwords was exploited.  The problem lies in the fact that the products check passwords using software and rely on the same underlying master password: they trust software on the host computer to decide whether a password is correct.  Vendor IronKey suggests that its devices, which use dedicated hardware components for security measures, are the way to go.

Vulnerability finds for secure USB drives have been rare, with the biggest threats to these devices historically being malware contamination.  Some say this newly discovered password-handling flaw is only the tip of the iceberg when it comes to potential bugs that could be found in secure USBs that rely on software controls.  Software-based password validation technology may leave the door open for trouble, as any software element is bound to be subject to flaws.
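The design distinction the article draws (host software decides whether the password is right, versus the device itself checking) is easy to state as a pair of models. The following is an added example, not SanDisk's, Kingston's, Verbatim's or IronKey's code, and it reproduces no real vendor protocol: two toy drive classes, one where the host compares the password and then sends the device a fixed unlock value, and one where the device keeps a salt and a password-derived verifier and accepts only a response to a fresh challenge. A `design_check` routine runs the review questions an evaluator would ask of either design: does the right password unlock, is the wrong one refused, and is a previously observed unlock message refused when presented again. The password, the constant and the key-derivation parameters are constructed for illustration.

```python
# Added example (no vendor's code): two toy unlock designs for an encrypted
# drive and a design check that shows where host-side verification fails.
import hashlib
import hmac
import secrets


class HostCheckedDrive:
    """Weak pattern described in the article: host software compares the
    password and, on a match, sends the device one fixed unlock value.
    The device never sees or checks the user's password."""
    UNLOCK_VALUE = b"constructed-constant-unlock-value"  # constructed, not a real one

    def __init__(self, password: str):
        self._host_password = password  # held by the application on the host

    def begin(self) -> None:
        return None  # no per-attempt state on the device side

    def host_check(self, password: str) -> bool:
        return hmac.compare_digest(password.encode(), self._host_password.encode())

    def device_unlock(self, value: bytes) -> bool:
        # Device side: accepts anything equal to the constant, whoever sends it
        return hmac.compare_digest(value, self.UNLOCK_VALUE)

    def unlock_session(self, password: str) -> tuple:
        """Returns (unlocked?, bytes that crossed the host->device boundary)."""
        if not self.host_check(password):
            return False, None
        return self.device_unlock(self.UNLOCK_VALUE), self.UNLOCK_VALUE


class DeviceCheckedDrive:
    """Device-side verification: the device stores a salt and a key derived
    from the password, issues a single-use challenge per attempt, and accepts
    only HMAC(derived_key, challenge). The host holds no constant that unlocks
    the drive on its own."""
    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._key = self._derive(password, self._salt)
        self._challenge = None

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Constructed iteration count; a slow KDF makes guessing expensive
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def begin(self) -> tuple:
        """Device -> host: the salt and a fresh challenge."""
        self._challenge = secrets.token_bytes(16)
        return self._salt, self._challenge

    @staticmethod
    def respond(password: str, salt: bytes, challenge: bytes) -> bytes:
        """Host -> device: HMAC of the challenge under the password-derived key."""
        return hmac.new(DeviceCheckedDrive._derive(password, salt), challenge, hashlib.sha256).digest()

    def device_unlock(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = hmac.new(self._key, self._challenge, hashlib.sha256).digest()
        self._challenge = None  # single use: an observed response is worthless later
        return hmac.compare_digest(expected, response)

    def unlock_session(self, password: str) -> tuple:
        salt, challenge = self.begin()
        response = self.respond(password, salt, challenge)
        return self.device_unlock(response), response


def design_check(drive_factory) -> dict:
    """Review questions for an unlock design, answered by exercising a fresh drive."""
    drive = drive_factory("correct horse")          # constructed password
    ok, observed = drive.unlock_session("correct horse")
    wrong, _ = drive.unlock_session("wrong password")
    drive.begin()                                    # a new attempt begins...
    replayed = drive.device_unlock(observed)         # ...using the bytes seen earlier
    return {
        "correct password unlocks": ok,
        "wrong password refused": not wrong,
        "observed unlock message refused on reuse": not replayed,
    }


if __name__ == "__main__":
    for cls in (HostCheckedDrive, DeviceCheckedDrive):
        print(cls.__name__, design_check(cls))
```

The host-checked model passes the first two questions, which is why such a product looks fine in ordinary use, and fails the third: once the device accepts a constant, the password check on the host is decoration. Moving the check into the device, keyed by a password-derived secret and a fresh challenge, is the property to look for in a secure USB product, whatever the vendor calls it.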

Affected Devices:

  • SanDisk Cruzer Enterprise USB flash drive CZ22 & CZ32
  • SanDisk Cruzer Enterprise with McAfee USB flash drive CZ38
  • SanDisk Cruzer Enterprise FIPS Edition with McAfee USB flash drive CZ46
  • Kingston Technologies DataTraveler BlackBox
  • Kingston Technologies DataTraveler Secure – Privacy Edition
  • Kingston Technologies DataTraveler Elite – Privacy Edition