Lockheed Martin Breach Update

Jeffrey Carr has done some good research and blogged about what is known so far regarding the Lockheed Martin compromise.  It is a very good analysis of what appears to have happened, built from public information sources, and it illustrates some of the contradictory information Lockheed has released.  The extent of the RSA SecurID breach appears to be somewhat worse than EMC has reported, and EMC still disclaims its role in this attack.

As Jeffrey points out, Lockheed Martin has a history of significant cybersecurity breaches dating back to Titan Rain in 2003 and the F-35 Joint Strike Fighter program in 2009.  They have never publicly acknowledged the F-35 breach, and they lost the lawsuit when a jury awarded a multi-million dollar verdict for wrongful termination in the Sandia National Labs incident.

I will continue to watch this situation, and provide links to what I believe are good articles and information.


RSA Breach Notification

Hackers have breached the security arm of EMC to steal information related to its RSA two-factor authentication products.  The company’s President, Art Coviello, revealed the sketchy details in an undated letter to customers on Thursday: “Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA.”  The vendor does not believe any personal customer or employee information was compromised in the attack.

The attack was categorized as an advanced persistent threat, typically a sophisticated and stealthy attack that is often leveraged in espionage to steal intellectual property.  Neither the letter nor a Securities and Exchange Commission filing identifies what data was stolen, but Coviello said the information obtained by the hackers may aid in circumventing RSA’s SecurID products, which include hardware authentication tokens, software authenticators, authentication agents and appliances.

Speculation indicates that attackers may have gained access to the so-called “seed values” from which each SecurID token derives the six-digit one-time code (the tokencode) it displays, changing every 60 seconds; the user’s static PIN is a separate secret, and the two together form the passcode.  Companies worldwide use millions of SecurID tokens to protect access to their sensitive assets, such as web servers, email clients and VPNs.  Other possibilities include the theft of source code, which could provide attackers with a treasure map of vulnerabilities to exploit, or the theft of private cryptographic keys that might allow them to impersonate RSA servers or register new employee tokens.
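To make concrete why seed theft matters, here is an added example (not code from RSA or from the original post) using an RFC 6238 TOTP derivation as a stand-in for a seed-based token.  SecurID’s real algorithm is different (the 128-bit tokens use AES over seed, serial and time) and is not reproduced here; what carries over is that the server and the token share nothing but the seed, so whoever holds a copy of the seed database can compute every future tokencode and is left needing only the user’s static PIN.  The seed records, serial number, PIN and function names below are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Illustrative stand-in for a seed-based hardware token: RFC 6238 TOTP (HMAC-SHA1).
# SecurID's own algorithm is not reproduced; only the reliance on a secret seed is.

def tokencode(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Derive the one-time code a token shows at `unix_time` from its seed."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample data: an authentication server's seed records keyed by token
# serial, plus each user's static PIN. Hypothetical layout, not RSA's record format.
SEED_DB = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
}
USER_PIN = {"000123456789": "4821"}

def verify_passcode(serial: str, passcode: str, now: int, drift_steps: int = 1) -> bool:
    """Server-side check: passcode = PIN + tokencode, tolerating +/- drift_steps windows."""
    seed = SEED_DB.get(serial)
    pin = USER_PIN.get(serial)
    if seed is None or pin is None or not passcode.startswith(pin):
        return False
    code = passcode[len(pin):]
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(code, tokencode(seed, now + k * 60)):
            return True
    return False

def forge_passcode(stolen_seeds: dict, serial: str, pin: str, now: int) -> str:
    """What an attacker holding a copy of the seed database (and a phished PIN)
    can do: compute the current tokencode without ever touching the physical token."""
    return pin + tokencode(stolen_seeds[serial], now)

if __name__ == "__main__":
    now = 1300000000
    forged = forge_passcode(SEED_DB, "000123456789", "4821", now)
    print("forged passcode accepted:", verify_passcode("000123456789", forged, now))
```

The point of the forgery path is that no amount of server hardening recovers from a leaked seed database; the only durable fix is to reseed or replace the affected tokens, and until then the PIN (a short, phishable secret) is the whole second factor.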

Coviello wrote, “We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”  The company plans to “share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem.”  Ironically, RSA has been researching the APT threat for more than a year, in attempts to develop new mitigating technologies.  In an interview last month with SC Magazine at the RSA Conference in San Francisco, RSA CTO Bret Hartman said organizations should accept that they cannot stop an APT attack and should instead focus on early detection, damage containment, and impact reduction.

RSA is strongly urging customers to:

  • Increase focus on security for social media applications and the use of those applications and websites by anyone with access to critical networks.
  • Enforce strong password and PIN policies.
  • Follow the rule of least privilege when assigning roles and responsibilities to security administrators.
  • Re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority.
  • Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
  • Pay special attention to security around Active Directory, making full use of SIEM products and also implementing two-factor authentication to control administrative access to Active Directory.
  • Watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
  • Harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
  • Examine help desk practices for information leakage that could help an attacker perform a social engineering attack.
  • Update security products and the operating systems hosting them with the latest patches.
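The two monitoring recommendations above (watch for privilege changes, and put manual approval in front of them) can be turned into a concrete detection.  The following is an added example, not RSA’s guidance or code from the original post: it runs over a constructed CSV export of Windows Security events 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group) and flags additions to privileged groups that lack an approved change ticket or where the actor added themselves.  The column layout, group list, ticket format and the ticket set are assumptions for the example.

```python
import csv
from io import StringIO

# Constructed sample of Windows Security events as a SIEM might export them to CSV.
# Column layout is an assumption for this example, not a real SIEM export format.
SAMPLE_EVENTS = """\
timestamp,event_id,actor,target_group,member,ticket
2011-03-18T08:02:11Z,4728,svc_hr_sync,HR Users,corp\\amiller,
2011-03-18T08:15:40Z,4728,corp\\jsmith,Domain Admins,corp\\tmp_admin,
2011-03-18T08:16:02Z,4756,corp\\jsmith,Enterprise Admins,corp\\tmp_admin,
2011-03-18T11:30:00Z,4732,corp\\dlee,Administrators,corp\\dlee,CHG-20110318-07
2011-03-18T12:41:19Z,4728,corp\\dlee,Schema Admins,corp\\backup_svc,CHG-20110318-09
"""

# Groups whose membership changes always deserve a second look (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
# 4728 = global group, 4732 = local group, 4756 = universal group member added.
GROUP_CHANGE_EVENTS = {"4728", "4732", "4756"}
# Tickets that passed the manual-approval step; assumed input from a change system.
APPROVED_TICKETS = {"CHG-20110318-09"}

def detect_privilege_changes(csv_text, privileged=PRIVILEGED_GROUPS,
                             approved=APPROVED_TICKETS):
    """Return one alert dict per suspicious privileged-group addition."""
    alerts = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["event_id"] not in GROUP_CHANGE_EVENTS:
            continue
        if row["target_group"] not in privileged:
            continue
        reasons = []
        if not row["ticket"]:
            reasons.append("no change ticket")
        elif row["ticket"] not in approved:
            reasons.append("unapproved ticket " + row["ticket"])
        if row["actor"] == row["member"]:
            reasons.append("actor added self")
        if reasons:
            alerts.append({
                "timestamp": row["timestamp"],
                "actor": row["actor"],
                "group": row["target_group"],
                "member": row["member"],
                "reasons": reasons,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_privilege_changes(SAMPLE_EVENTS):
        print(alert)
```

In the sample, the HR group change is ignored, the approved Schema Admins change passes, and the three remaining privileged additions are raised: two with no ticket at all, and one where an administrator added their own account under a ticket that was never approved.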

Zeus “Mobile” Malware

Researchers from S21sec, a Spanish security company, discovered earlier this month a version of Zeus that harvests the make of victims’ mobile phones and their phone numbers by injecting extra HTML fields into a bank’s Web page when a user starts a transaction.  Banks are increasingly adopting systems that send a one-time passcode to the customer’s mobile phone, which must be entered in order to complete a transaction.  Using a person’s mobile phone as the second factor is cheaper than sending out small devices that generate one-time passcodes.

The attackers then send the victim a text message with a link to a malicious Web site, prompting the user to download an “update” for their device.  The software, which carries a valid signing certificate, appears to be legitimate, but it is designed to intercept the one-time passcode used in online banking transactions and forward it by text message to the attackers’ phone.  The malware is still transmitting data to the attackers, although U.K. police have been notified.

Regular Zeus works by capturing the log-in name and password for victims’ bank accounts.  With banks using one-time passcodes sent by SMS, Zeus’ operators would have to wait until a victim started an online transaction, received the one-time passcode on their phone and entered it into the Web browser; Zeus would then have to grab the code and quickly initiate a new transaction before the code expired.  The new Zeus mobile component means the attackers automatically receive the one-time passcode without any action by the victim, giving them far more time to complete the fraudulent transaction.

The mobile Zeus malware can infect Symbian Series 60 devices or BlackBerries.  The iPhone is so far not affected.


Identity Management & The Law

According to an article posted on DigitalIDNews, there has been significant work on the technical exchange of identity information and on the authentication processes themselves, but there has not been a focused look at the legal issues, implications, and liabilities of the parties responsible for properly identifying and authenticating users or customers.

The American Bar Association’s (ABA) Federated Identity Management Legal Task Force was set up over a year ago to analyze and address the legal, privacy and liability issues that arise as federated identity management systems are adopted and deployed.  In identity theft situations, case law is beginning to emerge, and courts are starting to point the finger at businesses that did not do enough to protect personal information.  Businesses need to meet their obligations to properly identify and authenticate individuals, and to make sure they do not release personal or confidential information to the wrong party.  The Federal Trade Commission has even instituted enforcement actions where businesses did not authenticate customers properly.


DLP – Protecting What Matters Most

Data Loss Prevention (DLP) products exist to help organizations monitor and protect sensitive data.  This data could be customer information, credit card numbers, employees’ personal information, project plans, intellectual property, trade secrets, whatever the crown jewels may be.  If this data were lost or stolen, it could create significant legal liability, financial loss, and security risk, as well as reputational and regulatory hardship.  DLP keeps sensitive data from falling into the wrong hands.  NetworkWorld has a collection of excellent DLP articles for those concerned with the topic.  Find the related items at the end of this entry.

You can put in place all of the intermediary policies and risk-mitigating controls, from perimeter to storage server, that you can afford.  One thing about technical security controls is almost certain: a determined attacker will find a way to violate your strongest safeguards.  Filter web traffic and they resort to encryption and obfuscation.  Isolate sensitive systems from the Internet and they plug in a USB drive.  Disable USB support and they reboot with a CD.  Disable CD/DVD booting in the BIOS setup and block the USB ports with super glue and they use a cellphone camera to snap a picture of sensitive material on screen.  Create a policy barring cameras and enforce it, and the attacker will reach for a pencil.  DLP is just shy of a silver bullet from my perspective in Incident Response.  It is a security control that, if implemented and managed correctly, protects the data from inappropriate exfiltration.


Security: Compliance or Protection?

A new report by Forrester Research, commissioned by Microsoft and RSA, finds that even though intellectual property comprises 62% of the value of a company’s data assets, security programs focus on compliance rather than on data protection.

Key Findings:

  • Secrets comprise two-thirds of the value of firms’ information portfolios
  • Compliance, not security, drives security budgets
  • Firms focus on preventing accidents, but theft is where the money is
  • The more valuable a firm’s information, the more incidents it will have
  • CISOs do not know how effective their security controls actually are

According to Forrester, corporate security programs typically divide the data to be protected into two main categories:

  • Secrets  (product plans, budgets, earnings forecasts, and trade secrets)
  • Custodial Data  (customer, employee,  medical, and payment card information)


CBC – Who’s Minding The Store

Credit card theft is a rampant problem.  As quickly as we develop new ways of protecting credit card data, it seems, criminals develop new techniques to bypass those same security measures.  On Friday, March 12th, Marketplace aired a new episode titled “Who’s Minding the Store?” describing some of the new techniques being used to gain access to credit and debit card information.  The episode features computer forensics and security expert Ryan Purita of Sherlock Forensics.

You may be surprised to find out just how easy it is to obtain credit and debit card data along with other information.  One way is to steal the actual point-of-sale terminals.  These are the machines used to pay for your goods at retailers, restaurants, and stores.  Once a thief has possession of a PoS terminal, they can access whatever information it contains.  What may shock people is that there are currently no disclosure laws within Canada that require companies to disclose security breaches or data loss.  If your credit card data is stolen from a PoS terminal, you may never know.

Computer forensics and data security are essential to corporations that handle customers’ financial data.  Companies should invest in encryption just as they would in insurance or CCTV systems, according to Purita.  To learn more about these new forms of credit and debit card theft, view the episode online anytime at http://www.cbc.ca/marketplace/.