Beware Toxic Resumes

The US Internet Crime Complaint Center issued a warning that hackers are searching the internet for online job postings, and responding with booby-trapped resumes.  Recently, more than $150,000 was stolen from a US business via unauthorised wire transfer as a result of an e-mail attachment that contained malware.  In that particular case, the malware was embedded in an e-mail response to a job posting the business had placed on an employment website.  The malware allowed the attacker to obtain the online banking credentials of a person authorised to conduct financial transactions within the company.

Gov Website Access For Sale

Researchers from Imperva’s Hacker Intelligence Initiative have found that a number of .mil, .gov and .edu web sites have been hacked through SQL injection vulnerabilities, and that access to them is up for sale, cheap.  The hacker claims to have control over a number of important websites, including the U.S. Army’s Communications-Electronics Command (CECOM) and other military sites, government sites, and those belonging to universities.  Administrative access to these sites is being sold for between $33 and $499 each.

The hacker is also selling entire databases of personal information stolen from the websites for $20 per thousand records; data that fraudsters could use to break into online accounts.

When Is A Malware Event A “Security Breach”?

Recent data breaches at two banks underscore what has always been a thorny issue for companies that collect and manage sensitive information:  when does a compromised PC constitute a data breach?

According to ComputerWorld’s Robert McMillan, one bank recently detected traffic destined for an unusual IP address and discovered a keylogger installed on a company laptop.  It notified 50 customers that their data may have been exposed.  Another bank found that a compromised laptop had been used as a jump-off point for an attacker to access a customer database containing credit card numbers, SSNs and other sensitive information.  514 credit cards are being re-issued in that case.

The actions taken by these banks are admirable and err on the side of caution.  It is not uncommon for companies large and small to detect a malware infection and simply wipe the system, eliminating the symptoms without addressing the potential exposure of their customers’ information or uncovering how and why the attack succeeded.  Forensic examinations are hard work and time consuming.  But so is rebuilding your reputation, and there is the spectre of liability to deal with.  The few incidents that are reported are generally a small percentage of what is actually taking place.

These two examples are BANKS.  Banks have large IT and security budgets, and their employees are generally more security aware than those of most businesses.  So, how are these systems getting compromised?  Pure speculation from this point on, but:

  • Both systems noted appear to be transient laptops.  They often leave the protection of the security controls that exist inside the company perimeter.
  • Were they patched against all known operating system and application vulnerabilities?  Laptops are the hardest systems to keep patched because of their mobility.
  • Anti-virus is pretty common, but so is the practice of giving laptop users admin privileges.  Admin users can interfere with updates and scans, and malware that runs under an admin account inherits those privileges when it installs itself.
  • Web content filtering is one of the controls that is usually in place at a large financial institution, but it is probably not present on the home LAN or on the commuter train.  Drive-by web attacks are very common these days.
  • While in transit, the laptop owner could also have used a “free wireless” connection to stay connected.  This is a common and extremely dangerous practice: you are trusting a middle-man, who is providing something for no obvious gain, to handle and potentially capture all of your communications.
  • Unapproved software downloads and installations, or even letting family members use the equipment, could have resulted in a Trojan.
  • There is also the possibility that the users themselves were involved or complicit in installing the malware.  Unsavory, but not unheard of.

The possibilities are virtually endless.  Be aware of the risks and take reasonable precautions against the likely threats in your organization.  In this day and age, any time malware makes any kind of outbound communication attempt, there should be an investigation into where, why and what was communicated, as well as how the malware got onto the system.  In my humble opinion, if data was moved outside of the company, it should be considered a breach.  These guys made the right call.
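To make that investigation concrete, here is an added Python example, written for this post rather than taken from either bank or from the article, that triages an egress log the way an analyst would start the “where, why and what” questions.  It parses constructed firewall-style lines, ignores connections to an assumed list of known-good destination networks, and for every remaining source/destination pair reports how many connections there were, how many bytes left, when, and whether the timing looks like periodic beaconing.  The key=value log layout, the 10.0.0.0/8 internal range and the known-good networks are all assumptions.

```python
"""Triage outbound connections from an egress log.

Added example for this post, not code from either bank or from the article.
Assumptions: the key=value log layout, the 10.0.0.0/8 internal range and the
KNOWN_GOOD destination networks are all made up for illustration.
"""
from datetime import datetime
import ipaddress

# Constructed sample log (assumed to be in time order): one laptop (10.0.5.12)
# pushing ~50 KB every five minutes to an address nobody can account for, and a
# workstation (10.0.5.20) talking only to a partner and an internal file server.
SAMPLE_LOG = """\
2010-12-06T09:01:12 src=10.0.5.12 dst=203.0.113.45 dport=443 bytes_out=51200
2010-12-06T09:01:13 src=10.0.5.20 dst=192.0.2.10 dport=443 bytes_out=2048
2010-12-06T09:06:12 src=10.0.5.12 dst=203.0.113.45 dport=443 bytes_out=49800
2010-12-06T09:11:12 src=10.0.5.12 dst=203.0.113.45 dport=443 bytes_out=50100
2010-12-06T09:12:40 src=10.0.5.20 dst=10.0.1.5 dport=445 bytes_out=120
2010-12-06T09:16:12 src=10.0.5.12 dst=203.0.113.45 dport=443 bytes_out=50900
"""

# Assumed known-good destinations: our own address space and one partner.
KNOWN_GOOD = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def parse_line(line):
    """Turn 'TS key=value ...' into a dict; ts becomes a datetime, bytes_out an int."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_known_good(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in KNOWN_GOOD)


def looks_periodic(timestamps, tolerance_s=5):
    """True when three or more connections are spaced at (nearly) equal
    intervals, the classic signature of malware beaconing to a controller."""
    if len(timestamps) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


def triage(log_text, min_bytes=0, tolerance_s=5):
    """Group connections to destinations that are not known-good by (src, dst)
    and summarise each pair: how often, how much data left, when, and whether
    the timing looks like beaconing. Pairs moving fewer than min_bytes are dropped."""
    pairs = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_known_good(rec["dst"]):
            continue
        pairs.setdefault((rec["src"], rec["dst"]), []).append(rec)

    findings = {}
    for key, recs in pairs.items():
        total = sum(r["bytes_out"] for r in recs)
        if total < min_bytes:
            continue
        findings[key] = {
            "connections": len(recs),
            "bytes_out": total,
            "first": recs[0]["ts"].isoformat(),
            "last": recs[-1]["ts"].isoformat(),
            "periodic": looks_periodic([r["ts"] for r in recs], tolerance_s),
        }
    return findings


if __name__ == "__main__":
    for (src, dst), f in triage(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {f['connections']} connections, "
              f"{f['bytes_out']} bytes out, periodic={f['periodic']}")
```

The byte total answers “what was moved” at least in volume, the destination answers “where”, and the regular spacing is the hint that this is a controlled implant rather than a one-off download; none of that is visible if the first response is to wipe the laptop.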

There is much more information in this interesting article.  Read it and start making incident response plans that go beyond the standard “Got malware?  Nuke it!!” response: discover what data might have been compromised, and act accordingly.

Stats Canada Security Breaches

Stats Canada is taking some heat from the Toronto Sun today.  “Internal reports obtained through Access to Information reveal a number of incidents in the past five years where the federal information-gathering agency has probed and quietly done damage control on security lapses.”

Recent Examples:

  • OCT. 2010: Purolator envelope containing 11 unencrypted, non-password-protected CDs for the Vital Statistics Program in Alberta addressed to Ottawa head office sent July 9, 2010 is discovered missing. It contains more than 21,000 electronic images of confidential information about individual birth, death, stillbirth and marriage registrations. It is found Nov. 30, 2010 locked in a rarely-used filing cabinet.
  • SEPT. 2009: Stats Can library’s password access protocol constitutes “major security breach.”
  • DEC. 2008: A briefcase with documents and personal notes is stolen from the car of an interviewer from Quebec. Confidential addresses of respondents were included.
  • JULY 2008: An error in transmission meant e-mails of 108 subscribers of Health Reports notifications were “inadvertently revealed” to all recipients of message – constituting a breach of Privacy Act and Stats Can policy.
  • JUNE 2008: Stats Can is informed that on Feb. 12, 2008 Surrey RCMP and Canada Post recovered completed 2006 census questionnaires from a private residence in a bust of a major identity theft ring. Other items included equipment related to credit card/ID theft, drivers’ licences, 3,000 pieces of stolen mail, government-issued cheques, fake currency and more than 100 CDs with thousands of personal data profiles. Census questionnaires were not in the hands of census staff – it is believed they were obtained by tipping mailboxes or break-ins to homes and cars.
  • AUG. 2007: A laptop containing personal information about individuals who participated in the Labour Force Survey or Canadian Community Health Survey is stolen from the residence of an employee in Abbotsford, BC. Password was written on a sticky note stored in laptop case. Police called, affected people are informed and interviewer receives verbal reprimand.
  • JUNE 2007: Laptop with three completed household spending surveys stolen in home break-in in Delta, B.C.
  • MARCH 2007: Edmonton regional office reports two laptop thefts from field interviewers’ vehicles. Staff are reminded about protocol for securing material.
  • MARCH 2007: Privacy Commissioner’s office advised of inadvertent disclosure and loss of personal info after surplus filing cabinets with Records of Employment about 66 2006 census workers were sold at a Crown Assets Auction in Edmonton. Affected individuals are contacted and Stats Can implements more stringent procedures to avoid a recurrence.
  • JULY 2006: Enumerator leaves completed questionnaire instead of blank at Scarborough, Ont. respondent’s home.
  • APRIL 2005: Blank forms faxed to a business include additional pages of confidential information related to two other businesses. Staff receive retraining and posters/notices are displayed as reminders.
  • FEB. 2005: Marketing information collected for one user is reviewed by another user and possibly four other unknown individuals in a Corporations Returns Act survey.
  • FEB. 2005: Laptop being shipped from Williams Lake, B.C. to Edmonton containing 23 Survey of Household Spending cases – including 11 completed ones – goes missing. A flurry of e-mails ensues among senior managers at Stats Can and officials “pester” Canada Post to find the lost item. Confidential statistical info is encrypted. Laptop is found two weeks later.

Protecting Against Data Leaks

Wikileaks seems to have become a rather quiet issue.  Very little in the press lately, and not much discussion for such a high profile and potentially damaging event.  As a follow-up to “Could it Happen To You“, here are some thoughts on detecting data leakage and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even one that operates legitimately and completely above board, has SOMETHING to hide from the competition or from enemies: everyone has intellectual property and trade secrets.  The opportunities and methods for extracting information in its various forms are just too diverse.  For any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience.  It could be as easy as adding the wrong address to a CC list; e-mail auto-complete makes that mistake notoriously common.

Eliminate Common Means

In incident response terms, an attacker typically needs four things in order to launch a successful attack.

  1. The opportunity to attack.  Insiders get this from their access to data and from poor internal controls.
  2. The ability to attack.  This comes from the tools and knowledge available to anyone.
  3. The motive to attack.  This could be monetary, moralistic, vengeful, accidental, etc.
  4. The means to complete the attack.  This is the physical or logical device used to move the data.


‘Tis The Season To Be “0wned-&-Exposed”

This time of year, criminals rely on IT staff vacation plans and public holidays for the opportunity to attack targets and to extend their reach within sites they have already compromised.  This holiday season has been no exception.  Over the weekend, a number of sites got “Owned and Exposed”.

It should be noted that the site used to distribute the popular BackTrack Linux distribution, as well as the Ettercap project, were breached.  It is not completely clear how long ago these sites were originally compromised or whether any of the tools were altered.

In the second issue of the online hacker magazine (e-zine) “Owned and Exposed,” the attackers listed ettercap, exploit-db, backtrack, inj3ct0r and free-hack as victims.  Free-hack was taken down for being “lame script kiddies,” while the other sites had criminal ties or were considered security experts who “fail so hard at security that we wonder why people really take their training courses”.

Exploit-db’s administrator said that damage was limited to posting the e-zine in the “papers” section.  One of the other victims shares a subnet and an administrator with exploit-db.  The same root account and password was used for all web scripts, WordPress installations and MySQL databases, making it easy prey.  Carders, a German online forum dedicated to helping criminals trade and sell stolen financial data, was shut down.  In its inaugural issue in May, “O&E” wrote “Carders is a marketplace full of everything that is illegal and bad,” including drugs, weapons and stolen credit card numbers.  Carders was back up three days later.

The SourceForge page hosting the message boards and files for Ettercap, a “white hat” penetration testing tool, was another interesting target.  The tool hasn’t been maintained for five years, and the group found evidence that the site had already been compromised by someone else.  The group warned against downloading anything from the compromised site.

According to the newsletter, these attackers claim to be “watchmen” quietly observing the scene, and deny being just another “underground rival kiddy group”.  Their goal was to shut down sites that “spread garbage” across the Internet, the group wrote.


NY Tour Company Hacked, 110,000 Records Stolen

The website of New York double-decker bus tour company CitySights NY has been breached, and about 110,000 bank card numbers have been stolen using a SQL injection attack, according to New Hampshire’s attorney general.  A web programmer discovered an unauthorized script uploaded to the company’s web server, which is believed to have been used to compromise the database and server.

In SQL injection attacks, attackers smuggle database commands into the server by entering specially crafted text into web forms or search boxes whose contents the application concatenates into the query it sends to the back-end database.  In this incident, they were able to get names, addresses, e-mail addresses, credit card numbers and their expiration dates, and Card Verification Value 2 (CVV2) codes, which are used to validate online credit card purchases.  That last item is itself a finding: PCI DSS prohibits storing CVV2 after authorization, so those codes should never have been in the database to steal.
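To show the mechanism end to end, here is an added Python example (written for this post, not code from CitySights or from the incident) using an in-memory SQLite database with a constructed tour list and two constructed customer records.  A tour search built by string concatenation lets a crafted search term UNION the customers table into the result; the parameterised version of the same query treats the term as data and returns nothing.  The schema, the tour names and the card numbers are all assumptions; the card numbers are well-known test values.

```python
"""SQL injection through a search box, and the parameterised fix.

Added example for this post, not CitySights code. The schema, tour names and
card numbers are constructed; the card numbers are well-known test PANs.
The customers table holds cleartext PANs only to make the leak visible;
CVV2 is deliberately absent because PCI DSS forbids storing it at all.
"""
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tours (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY, email TEXT, card_number TEXT, expiry TEXT);
        INSERT INTO tours (name) VALUES ('Downtown Loop'), ('Uptown Loop'), ('Night Tour');
        INSERT INTO customers (email, card_number, expiry) VALUES
            ('alice@example.org', '4111111111111111', '03/12'),
            ('bob@example.org',   '5500000000000004', '11/11');
    """)
    return conn


def search_tours_vulnerable(conn, term):
    """What the broken search box does: the user's text becomes part of the SQL."""
    sql = "SELECT name FROM tours WHERE name LIKE '%" + term + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_tours_safe(conn, term):
    """Same query with a bound parameter: the driver passes the term as a value,
    so quotes, UNION and comment markers inside it are just characters to match."""
    sql = "SELECT name FROM tours WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# What an attacker types into the search box. The leading quote closes the
# LIKE string, UNION bolts a second SELECT onto the query, and "-- " comments
# out the remainder of the original statement ("%' ORDER BY name").
PAYLOAD = "' UNION SELECT card_number || ' exp ' || expiry FROM customers -- "


def stolen_cards(conn):
    """Rows the vulnerable search returns that are not tour names at all."""
    tours = set(search_tours_safe(conn, ""))
    return sorted(r for r in search_tours_vulnerable(conn, PAYLOAD) if r not in tours)


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", search_tours_vulnerable(conn, PAYLOAD))
    print("safe:      ", search_tours_safe(conn, PAYLOAD))
```

The UNION form is used because the sqlite3 driver only executes one statement per call; against drivers or databases that allow stacked queries the same concatenation bug also permits `'; DROP TABLE ...` style payloads.  The fix is the bound parameter, not input filtering: the safe query never changes shape regardless of what the user types.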

The company has taken steps to secure its environment, began notifying customers about the incident two weeks ago, and is offering victims one year of free credit monitoring and a 50% off coupon for another CitySights NY tour.  So, how security minded has this incident made the company?  The coupon’s security code is “012345”.  ACK!