Security Under Fire

Here is an interesting article that talks about emerging technologies and the vulnerabilities, threats, and risks that they increase as they are adopted.  Several experts are interviewed in the article, and although their experiences vary, they are consistent for the most part in their opinions that businesses are scrambling to adopt these technologies fast, and to figure out how to secure them.  Good work Howard!

Computing Canada – May 2013 Read it now: http://epubs.itworldcanada.com/i/129542/23

2011 PCI Breach Research

There is a very good article regarding research into 2011 breach statistics by Trustwave over at InfoWorld Security Central.  A great source for much IT & Security information, by the way.  According to the article, hackers infiltrated 312 businesses, making off with customer payment-card information.  Their primary access point was through third-party vendor remote-access apps, or VPNs set up for remote systems maintenance.  Seventy-six percent!  These external ingress paths introduced security deficiencies that were exploited by attackers.

The vast majority of the 312 companies were retailers, restaurants or hotels, and they came to Trustwave for incident response help after one of the payment-card organizations traced stolen cards back to their businesses, demanding a forensics investigation within a matter of days.  Only 16% of the 312 companies detected the breach on their own!

The businesses hit claimed to be compliant with Payment Card Industry (PCI) security standards, when in reality there were gaps.  The remote-access provisions were poorly protected by simple, re-used, shared, and seldom-changed passwords.

I will leave the scariest statistic, how long the attackers were able to maintain their ownership of the networks in these cases, for you to seek out yourself on the second page of the article.  It is not a happy number!

The lesson to take away from this article is that PCI compliance is the bare minimum that an organization should do, and DOES NOT equate to comprehensive security.  A PCI-DSS pass score does not ensure actual compliance either.  It is a good starting point to ensure that the bare-minimum, common-sense security controls are implemented at a single point in time, but good security practices must spread out from the center.  If your security efforts don’t include other servers and the workstations that access them AND the Internet, you are not managing security, you are faking it for compliance’s sake.  Russian roulette with a fully loaded gun.

pcAnywhere Source Posted

According to the Register, hacktivists affiliated with Anonymous have uploaded what they claim is the source code of Symantec’s pcAnywhere software today, after negotiations broke down with a federal agent posing as a Symantec employee.  Symantec confirmed that it had turned the case over to the Feds as soon as the hackers made contact.

According to the article, the release of the 1.27GB file coincides with the breakdown of the “negotiations” – which the group has now published on Pastebin – that took place between “Symantec” and the spokesperson of hacker group Lords of Dharmaraja, an Indian hacking crew affiliated with Anonymous.

Catch the details in the original article.  Beware of downloading anything purporting to be a source code cache.  These things are tracked by the vendor, law enforcement agencies, and others, and are most often laced with some type of malicious software.  Stories like this are newsworthy, generating a lot of interest, and anything that generates conversation and controversy is fair game for miscreants.  And what better way to get their hooks into your computer than to offer you something enticing, like a peek at some commercial source code?

The Anonymous ‘Movement’?

I’ve been reading way too much of this garbage on the Internet lately, and it is starting to stick in my craw.  Crap like this.  It seems that everyone has accepted that the hacking group Anonymous is above the law, and has some special insight that makes them a voice of reason.  21st-century Robin Hoods.  I hope that this is just the result of sensational journalism, and not what people are really believing.

“The beginning years have intensified their activities demonstrating great technical skills.”

No, what it has demonstrated is a disregard for your privacy, a lack of moral fiber, a little too much technical knowledge, and the patience that is common in a good criminal.

“As always, the movement gives voice to social dissent and protest against amendments and decisions of governments guilty of not listening to the masses.”

The Movement?  What bloody movement?  This is a bunch of self-entitled, self-indulgent, egotistical miscreants that are incapable of operating within the confines of the law or the rules of society.  These are people that have an abundance of tools, have found cracks in programs and protocols, and are taking advantage of those flaws.  They are no more a movement than the clowns that walk into a bank with a note in one hand and a formidable-looking pocket in the other.

Toronto Law Firms Targeted

Here is a lesson to us all about the global reach and intent of internet hackers who have an interest in the information assets that we may hold for our own or clients’ interests.  China-based hackers have homed in recently on the offices of Toronto’s Bay Street law firms handling a $40 billion acquisition of the world’s largest potash producer by an Australian mining giant.  Bloomberg has a great article with all of the details, and outlines discussions undertaken by a group of law firms that got together recently to strategize protective and detective techniques.

The hackers in the Toronto case penetrated and combed through one computer network after another, hitting seven different law firms as well as Canada’s Finance Ministry and Treasury Board, seeking to gather detailed intelligence and potentially undermine the deal.  A law firm involved in the deal detected intrusion indicators, including spoofed emails, malicious websites, and network disruptions.  Investigators found spyware designed to capture confidential documents, compiled on a Chinese-language keyboard, and identified servers in China that were involved in the attack.

The investigation linked the intrusions to a Chinese effort to kill the developing acquisition.  Stolen data of this nature can be worth tens of millions of dollars to those involved on either side of the bargaining table, and gives the possessor an unfair advantage in negotiations.  The deal eventually fell apart when the Canadian government declared it wasn’t in the nation’s interest, but the incident highlights the vulnerability of law firm information resources in particular, and the threat of loss of client trust and future business.

Anonymous’ Latest Shenanigans

Over the weekend, Anonymous defaced CBS’ website, and apparently deleted all of their online content.  Monday they were working on defacing a Brazilian city site.  Now they have taken to Twitter, asking their “followers” to select their next targets for them, The Register reports.

Still seething over the arrest of Megaupload mogul Kim Dotcom, Anonymous tweeted the following:

Just out of curiosity, what would you like to see #Anonymous hack next? Tweet and let us know…

They are vowing to keep up the pressure, launching attacks and causing disruptions until Dotcom is released.

Cisco Q4-11 Global Threat Report

‘Tis the season for 2011 threat reports to start emerging, and here is Cisco’s contribution.  The Q4-11 report covers the period from 1 October 2011 through 31 December 2011.  This quarter’s contributors were Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Security Research and Operations (SR&O), and Cisco ScanSafe.


Highlights from the Cisco 4Q11 Global Threat Report include:

  • An overall average of 362 Web malware encounters per month occurred throughout 2011.
  • Enterprise users experienced an average of 339 Web malware encounters per month in the quarter.
  • The highest average rate of encounters occurred during September and October (698 and 697).
  • An average of 20,141 unique Web malware hosts were encountered per month in 2011, compared to 14,217/month in 2010.
  • During 4Q11, 33% of Web malware was zero-day, not detectable by traditional signature-based methodologies.
  • The rate of SQL injection signature events remained steady, with a slight decrease observed as the quarter progressed.
  • Denial-of-service events increased slightly over the course of 4Q11.
  • Global spam volumes continued to decline throughout 2011.

MegaUpload Arrests Spark Anonymous Fury

Gizmodo.com is reporting that the shutdown of Megaupload, accused of breaking copyright laws, has spawned retaliatory attacks by the hacktivist group Anonymous.  Gizmodo is continuing to update their article regularly, and I highly recommend staying on top of it.  Among sites reported as being down are the Universal Music Group and BMI, the US Copyright Office, the Motion Picture Association of America, and several law enforcement and government agencies.  Recent claims by Anonymous indicate that this is their biggest DoS campaign, ever.

“The government takes down Megaupload? 15 minutes later Anonymous takes down government & record label sites,” a member of Anonymous said via Twitter.

New Year’s Postbank Heist

A well-planned and coordinated bank robbery was executed during the first three days of January in Johannesburg, leaving the targeted South African Postbank, part of the nation’s Post Office service, with a loss of approximately $6.7 million.  The theft came just as the Postbank sought to become a separate entity and get a full banking licence from the Reserve Bank, allowing it to compete with commercial banks while remaining state-owned.

The perps behind the heist appeared very well informed about the post office’s IT systems, and began preparing the ground for the heist a few months before by opening accounts across the country, and by compromising an employee computer in the Rustenburg Post Office.

http://www.timeslive.co.za/local/2012/01/15/it-was-a-happy-new-year-s-day-for-gang-who-pulled-off…r42m-postbank-heist

Quantifying Reputational Risk

Trying to explain, measure and report on reputational risk has always posed a challenge for every IT organization that I have encountered.  IT understands technology, and most of the risks associated with technology.  They struggle for the most part with business risk, and although they will agree reputation is important, they can’t seem to figure out how to factor it in, or what it means to the organization.

Reputational risk is defined by The Federal Reserve System’s Commercial Bank Examination Manual as “the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions.”  Reputational risk is one of the Federal Reserve System’s categories of safety and soundness and fiduciary risk (credit, market, liquidity, operational, legal, and reputational) and one of three categories of compliance risk (operational, legal, and reputational). While it may be a defined risk, reputational risk remains difficult to identify and quantify.

Michelle Dennedy has a good article on McAfee’s Privacy Matters blog that scratches the surface of reputational risk, and suggests a simple method for estimating and tracking it.  Although not an accurate measurement of an organization’s specific reputational risk, it does provide a yardstick, which is better than just ignoring it.

Michelle’s proposed workflow is to: