Law Firms Increasingly At Risk Of APT

Dark Reading is reporting that law firms are being hit at an increasing rate by stealthy, under-the-radar, targeted attacks that aim to gather and exfiltrate intelligence on their corporate clients.  Forensics investigators at Mandiant are seeing twice as many targeted attacks involving advanced persistent threats (APT) against law firms as before.  It is highly likely that many more law firms and other companies are being attacked this way and don’t even realize it.

Law firms appear to be a means to an end; the actual target is a client they represent.  Firms that handle mergers and acquisitions or civil litigation are getting hit hard, particularly those with deals involving Chinese companies.  Attackers find law firms an attractive and relatively soft target for gathering the intelligence they are after: a firm generally has a lower security posture than its client, and it is constantly being solicited for new business, often via email.  When an email arrives seeking to hire the firm, someone will usually open it and follow up to see if it results in a new client.  New clients are where law firms make their real money, which is exactly what a targeted phishing message counts on.

The e-discovery process law firms execute can leave sensitive client information relatively unprotected.  Firms sometimes use USB drives to gather information and take it back to the office, where it may be handled and stored insecurely.  Common guidelines are available, but the legal industry has no specific data-handling security regulations.

According to the article, when Google announced in January 2010 that it had been targeted by hackers operating out of China, the law firm King & Spalding, which handles corporate espionage cases, was publicly identified as a victim of the same attack campaign.  Shortly after, Gipson Hoffman & Pancione said it was hit with a targeted attack using emails spoofed to appear to come from firm employees, carrying Trojanized attachments.

I hope my friends and colleagues at Canadian law firms and the Bar Association are paying attention to this very real threat, and are taking the necessary precautions to harden systems, educate their users, and monitor their network traffic.

Protecting Against Data Leaks

WikiLeaks seems to have become a rather quiet issue.  Very little in the press lately, and not much discussion for such a high-profile and potentially damaging event.  As a follow-up to “Could it Happen To You”, here are some thoughts on detecting data leakage and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even one that operates legitimately and completely above board, has SOMETHING to hide.  From the competition, from enemies: everyone has intellectual property and trade secrets.  The opportunities and methods for extracting information in its various forms are just too diverse.  For any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience.  It can be as easy as adding the wrong address to a CC list; email auto-complete is notorious for making this particular mistake more common.

Eliminate Common Means

In incident response, an attacker typically needs 4 things in order to launch a successful attack.

  1. The opportunity to attack.  Insiders get this from having access to data, combined with poor internal controls.
  2. The ability to attack.  The tools and knowledge needed are available to anyone.
  3. The motive to attack.  This could be monetary, moral, vengeful, or simply accidental.
  4. The means to complete the attack.  This is the physical or logical device, or channel, used to move the data.


Protect Your New Mobile Devices

Laptops, cellphones, PDAs: they can all be stolen from your home.  You want to prevent thieves from making off with your expensive portable devices if possible, but if they are stolen despite your best efforts, you still want to protect the data.  You certainly don’t want to lose access to the data yourself, but you don’t want the thieves to gain access to confidential information that could do you harm either.  I am pretty sure that you also want to increase the chances of getting back the devices you paid for.  These 4 statements make up our goals and objectives for this exercise in securing these often-targeted gadgets.

PRIMARY GOAL: 

Protect the data.

Objectives Required To Meet The Primary Goal: 

  1. Prevent the theft of portable devices.
  2. Prevent unauthorized access to data stored on portable devices.
  3. Maintain authorized access to the data stored on portable devices.
  4. Increase the chances of recovery and expedited return of the stolen portable devices.


What is an Advanced Persistent Threat?

The term APT is gaining increasing press coverage, and yet the definition of this growing threat remains unclear to most of the people in IT and Information Security that I have spoken with.  I blogged about it earlier, but that description is too short to clarify what APT is: https://kohi10.wordpress.com/2010/05/16/what-is-this-apt-thing-anyway/

Wikipedia leads with the classic military definition, since APT has a history centered on clandestine infiltration of an enemy’s national, regional or local infrastructure, intelligence gathering, and espionage.  It also attempts to describe the Information Security perspective, but the assumption of nation-state involvement remains pivotal to that description.  This is no longer completely accurate.

APT agents are not the massively distributed, noisy and clumsy malware agents that pervade the Internet.  Most malware is built to subvert as many systems in as short a time span as possible in order to maximize target acquisition and short-term profit.  Successful APT attacks take the opposite approach, requiring that the attacker be patient, discreet, and make an effort to fly below the radar of the target organization.  Since the resources and time spent researching, developing and distributing malware to such a tiny audience are costly, the attacker will be expecting high-value returns at some point in the exercise.

So, what makes APT malware any different from botnet malware?  Both grab data, both try to get that data out of the network, and both go after financial and password information while attempting to remain installed and hidden.  The devil is in the details.  Break the term Advanced Persistent Threat down into its individual components:


Beware The Evil PDF

It is a good idea to remain aware and vigilant of current attacks and recent threats in this Internet-connected world, both at home and at work.

Researchers have recently released information on PDF documents as an attack vehicle, prompted by the discovery of multiple vulnerabilities and design flaws and by the popularity of the PDF file format.  PDF documents are used for a multitude of purposes, from delivering marketing materials to industry and internal reports.  The format is generally assumed to contain only static text and graphics.  This popularity, acceptance by the general population, perception of static content, and ability to carry malicious payloads have made PDFs a very attractive vehicle for those in the business of fraud and theft.

Analysts have recently alerted on a massive increase in a specific malicious PDF spam campaign.  The subject line of these spam emails is “setting for your mailbox are changed” and the body says something to the effect of “SMTP and POP3 servers for {account-name} mailbox are changed.  Please carefully read the attached instructions before updating settings.”  The attached PDF file is malicious: it installs malware that steals credentials and enrolls the system in a botnet so it can be remotely controlled.  The IBM X-Force team has posted a blog article detailing the nature of this mass spamming attack, which is still ongoing.

At work most of us have multiple layers of protection: the email gateway filters out messages with specific subject lines and known contents, and identifies malicious files; a number of Intrusion Detection System (IDS) signatures will also trigger on malicious payloads or characteristics, alerting security staff to take action; and desktop anti-virus quietly quarantines malicious files it identifies at the desktop level.  While the exploit in the malicious payload is novel and takes advantage of the recently exposed problem with the PDF /Launch command, the spam campaign itself appears to be largely conventional, addressed to a broad range of email addresses and domains.  Note that /Launch is a documented feature of the format rather than a parsing bug, so a signature for this one campaign will not stop the next one that uses it.

At work, if you notice anything unusual, contact your HelpDesk right away.  At home, watch for and delete these spam messages without opening the attachments, download PDF files only from Internet sources that you trust, keep your personal anti-virus products up to date, and if suspicious pop-ups or other unusual activity appear while opening a PDF (or any other) file, turn the system off rather than clicking on any provided buttons.  While this particular attack is relatively easy to spot, other attacks exploiting this weakness are likely to arise before long, and users should follow Adobe’s instructions to disable the /Launch feature.  Auto-run on USB devices should also be disabled (see Microsoft Support for instructions on how to do this).
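The triage that the email gateway and IDS layers described above perform on an attachment can be reproduced in a few lines.  The following scanner is an added example, not code from the original post, IBM X-Force or Adobe: it counts the PDF names that carry a payload (/Launch, /JavaScript, /JS) and the ones that make it run without a click (/OpenAction, /AA), resolving #xx name escapes and inflating FlateDecode streams first, because both are common ways of hiding an action from naive string matching.  The three PDFs are constructed inline for the example and contain no real malware.

```python
import re
import zlib

# PDF names that warrant a closer look. /Launch, /JavaScript and /JS carry a
# payload; /OpenAction and /AA make it run automatically; /EmbeddedFile can
# hold a dropped binary. All are legitimate PDF features, which is the point.
SUSPICIOUS_NAMES = (b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, so /L#61unch reads as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the body of every stream that zlib can inflate (FlateDecode)."""
    bodies = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed or corrupt; the raw bytes are scanned anyway
    return b"\n".join(bodies)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw file plus inflated streams and give a verdict:
    'block' when a payload is wired to an automatic trigger, 'review' when a payload
    or embedded file is present at all, 'clean' otherwise."""
    haystack = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # a name ends at the first delimiter, so /JS must not match a longer name
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        counts[name.decode()] = len(re.findall(pattern, haystack))
    trigger = counts["/OpenAction"] + counts["/AA"] > 0
    payload = counts["/Launch"] + counts["/JavaScript"] + counts["/JS"] > 0
    if trigger and payload:
        counts["verdict"] = "block"
    elif payload or counts["/EmbeddedFile"] > 0:
        counts["verdict"] = "review"
    else:
        counts["verdict"] = "clean"
    return counts


# Constructed samples (not real malware): a PDF whose OpenAction is a /Launch of
# cmd.exe, the same action hex-escaped inside a Flate stream, and a benign file.
LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Launch /F (cmd.exe) /P (/c start calc.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

_hidden = zlib.compress(b"<< /S /L#61unch /F (cmd.exe) >>")
OBFUSCATED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /Length " + str(len(_hidden)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _hidden + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("launch", LAUNCH_PDF), ("obfuscated", OBFUSCATED_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(pdf))
```

The verdict deliberately keys on the combination of trigger and payload rather than on any single name: a /Launch that needs a click is worth a look, but a /Launch hung off /OpenAction is the pattern this campaign uses and is worth blocking at the gateway outright.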

DLP – Protecting What Matters Most

Data Loss Prevention (DLP) products exist to help organizations monitor and protect sensitive data.  This data could be customer information, credit card numbers, employees’ personal information, project plans, intellectual property, trade secrets, whatever the crown jewels may be.  If this data were lost or stolen, it could create significant legal liability, financial loss and security risk, as well as reputational and regulatory hardship.  DLP keeps sensitive data from falling into the wrong hands.  NetworkWorld has a collection of excellent DLP articles for those concerned with the topic.  Find the related items at the end of this entry.

You can put in place all of the intermediary policies and risk-mitigating controls, from perimeter to storage server, that you can afford.  One thing about technical security controls is almost certain: a determined attacker will find a way around your strongest safeguards.  Filter web traffic and they resort to encryption and obfuscation.  Isolate sensitive systems from the Internet and they plug in a USB drive.  Disable USB support and they reboot from a CD.  Disable CD/DVD booting in the BIOS and fill the USB ports with super glue and they use a cellphone camera to snap a picture of sensitive material on screen.  Create a policy barring cameras and enforce it, and the attacker will reach for a pencil.  DLP is just shy of a silver bullet from my perspective in Incident Response.  It is a security control that, if implemented and managed correctly, protects the data itself from inappropriate exfiltration rather than trying to close every channel.
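Content inspection is the part of DLP that survives the channel-hopping described above, because it looks at the data rather than the path.  The following outbound-mail hook is an added example, not code from any DLP product or from the original post, and it also covers the mis-addressed CC slip from the WikiLeaks entry earlier on this page: it pulls candidate card numbers out of a message, uses the Luhn check digit to drop random digit runs, classifies recipients by domain, and blocks only when cardholder data is headed outside.  The internal domain corp.example and the message text are constructed for the example (the 4111… number is the well-known test PAN, not a live card).

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens.
# The lookarounds stop a match from starting or ending inside a longer run.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812). Filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in text that look like PANs and pass Luhn."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect_outbound(message: str, recipients: list, internal_domains=("corp.example",)) -> dict:
    """Decide what an outbound-mail DLP hook should do with this message:
    block cardholder data leaving the organization, audit it when it stays
    internal, and let everything else through."""
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in internal_domains]
    cards = find_card_numbers(message)
    if cards and external:
        action = "block"
    elif cards:
        action = "audit"       # log sender, recipients and matched data for review
    else:
        action = "allow"
    return {"card_numbers": cards, "external_recipients": external, "action": action}


# Constructed message: one PAN that passes Luhn, one that fails the check digit
# (a typo or order reference, not a card), and a phone number too short to qualify.
SAMPLE_MESSAGE = """Hi Alice,
Customer card 4111 1111 1111 1111 exp 12/26 needs a refund.
Order ref 4111-1111-1111-1112, callback 555-123-4567.
Thanks"""

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_MESSAGE, ["alice@corp.example", "bob@example.org"]))
    print(inspect_outbound(SAMPLE_MESSAGE, ["alice@corp.example"]))
```

The Luhn filter is what keeps a rule like this usable: without it, every long order number, tracking code or phone number with an extension trips the block and users learn to route around the control, which is the attacker behaviour the paragraph above describes.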


Mariposa Cellphone Infections

According to CNET, Panda Security has been investigating a recent cellphone infection incident in Spain.  Several HTC Magic phones have been found to be carrying the Mariposa botnet agent.  This malware is known to steal credit card and banking information.  The alleged ringleader of the Mariposa botnet was arrested earlier this month, but the malware is still popping up in various places.  After Panda Security’s report, Vodafone Spain launched an investigation into the infections.

It seems that over 3,000 HTC Magic handsets were shipped with infected memory cards.  The incident appears to be isolated to Spain for now, and no one knows how the malware got onto those cards.  The malware remains dormant on the phone itself; it only runs when a user connects the phone to a PC, at which point the PC’s auto-run feature executes it from the card.

Panda Security has provided a downloadable vaccine that disables auto-run on your PC so the malware cannot execute automatically.  SD memory cards and USB thumb drives have also been found carrying it.  The Mariposa botnet as a whole is reported to have infected approximately 13 million PCs.

Sources: CNET, Panda Security

Lessons Learned From Data Theft

Interesting article posted at Processor.  Carl Herberger of EvolveIP describes the layered approach to information security as bringing together comprehensive policies and manual procedures with a variety of point security solutions, filtering systems and monitoring strategies to protect IT resources and data.

As data loss prevention becomes increasingly important, a reassessment and redeployment of security perimeter resources becomes more likely.  Implementing DLP tools can boost the detection of data theft.  Multiple layers are useful not only for preventing theft but also for spotting it when it happens.

Source: Processor

Secure USB Flaw Exposed

A flaw in SanDisk’s secure USB technology leaves multiple devices vulnerable to attack and has led to recalls and patches for several vendors’ secure USB drive products.  The flaw resides in the password-handling process of the encrypted USB keys.

SanDisk has issued a security alert and updates for multiple Cruzer Enterprise models that fix the bug in the access-control features.  SanDisk emphasized in the alert that the flaw is not in the device hardware or firmware, but in the application that runs on the host system.

Kingston Technologies, which uses SanDisk software in its products, has recalled three of its secure USB drives, warning customers in its notice that data on the encrypted drives could be accessed by seasoned attackers with local access and a specialized tool.  Kingston recommends that the drives be physically returned for updates, although it is also reported to be working on a downloadable patch.

Verbatim, which also uses SanDisk technology, has issued an update alert on some of its USB products, as well.

The vulnerability, discovered by researchers at the German penetration testing firm SySS, gives access to the data on the drives by exploiting a weakness in the way the software handles passwords.  The problem is that the password is checked by software running on the host computer, and the drives all rely on the same underlying master password.  Once the host application decides the user’s password is correct, the drive itself never sees that password; an attacker who controls the host software, or can reproduce what it sends after a successful check, does not need the user’s password at all.  Vendor IronKey suggests that its devices, which use dedicated hardware components for their security functions, are the way to go.

Vulnerability finds for secure USB drives have been rare; historically the biggest threat to these devices has been malware contamination.  Some say this password-handling flaw is only the tip of the iceberg when it comes to bugs waiting to be found in secure USB drives that rely on software controls.  Software-based password validation leaves the door open for trouble, both because any software element is bound to have flaws and because it runs on a host the drive has no way to trust.
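The design difference behind the two paragraphs above is easier to see in code than in prose.  The following model is an added example, not the real SanDisk or IronKey protocol, and the unlock token, key derivation and retry limit are constructed for illustration: FlawedDrive checks the password in the host application and then sends a fixed value that is the same for every unit, so a tool that talks to the drive directly needs no password; HardenedDrive keeps the check on the device, derives a per-unit verifier from the password and a secret that never leaves the device, compares in constant time, and zeroizes after too many failures, so there is no constant to replay and no way to guess offline.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an unlock value shared by every unit of a product line.
# Its content is irrelevant; the weakness is that it is fixed and password-independent.
FIXED_UNLOCK = bytes.fromhex("5f8d2c1a" * 4)


class FlawedDrive:
    """Model of the flawed design: the host application checks the password and,
    on success, sends the same fixed value to every drive."""

    def __init__(self, password: str):
        # the host-side application keeps a hash of the user's password
        self.host_pw_hash = hashlib.sha256(password.encode()).digest()
        self.unlocked = False

    def host_app_unlock(self, password: str) -> bool:
        """What the vendor software does when the user types a password."""
        if hashlib.sha256(password.encode()).digest() != self.host_pw_hash:
            return False
        return self.device_unlock(FIXED_UNLOCK)

    def device_unlock(self, token: bytes) -> bool:
        """What the drive itself checks: only the fixed token, never the password."""
        self.unlocked = hmac.compare_digest(token, FIXED_UNLOCK)
        return self.unlocked


class HardenedDrive:
    """Model of device-side verification: a per-unit verifier derived from the
    password and a device secret, constant-time comparison, and zeroization
    after MAX_TRIES failures. Nothing the host sends is reusable across units."""

    MAX_TRIES = 10

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.device_secret = os.urandom(32)   # never leaves the device
        self.verifier = self._derive(password)
        self.failures = 0
        self.unlocked = False
        self.zeroized = False

    def _derive(self, password: str) -> bytes:
        # iteration count kept modest for the example; real firmware tunes this
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)
        return hmac.new(self.device_secret, key, hashlib.sha256).digest()

    def device_unlock(self, password: str) -> bool:
        if self.zeroized:
            return False
        if hmac.compare_digest(self._derive(password), self.verifier):
            self.failures = 0
            self.unlocked = True
            return True
        self.failures += 1
        if self.failures >= self.MAX_TRIES:
            self.zeroized = True              # a real device wipes the data key here
            self.verifier = bytes(32)
            self.device_secret = bytes(32)
        return False


def replay_attack(drive: FlawedDrive) -> bool:
    """An attacker with a tool that speaks to the drive directly needs no password."""
    return drive.device_unlock(FIXED_UNLOCK)


if __name__ == "__main__":
    flawed = FlawedDrive("correct horse battery")
    print("flawed, wrong password via host app:", flawed.host_app_unlock("wrong"))
    print("flawed, replayed fixed token:       ", replay_attack(flawed))
    hardened = HardenedDrive("correct horse battery")
    print("hardened, wrong password:           ", hardened.device_unlock("wrong"))
    print("hardened, right password:           ", hardened.device_unlock("correct horse battery"))
```

Patching the host application, which is what the vendor updates do, removes the bug from the software that sends the token; it does not change where the decision is made.  Moving the comparison and the retry counter onto the device is what takes the host out of the trust boundary.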

Affected Devices:

  • SanDisk Cruzer Enterprise USB flash drive CZ22 & CZ32
  • SanDisk Cruzer Enterprise with McAfee USB flash drive CZ38
  • SanDisk Cruzer Enterprise FIPS Edition with McAfee USB flash drive CZ46
  • Kingston Technologies DataTraveler BlackBox
  • Kingston Technologies DataTraveler Secure - Privacy Edition
  • Kingston Technologies DataTraveler Elite - Privacy Edition

IronKey Releases 32GB USB Drive

IronKey, which bills itself as the maker of the world’s most secure USB flash drives, has announced that it is adding 32GB devices to its D200 product line.

According to the company, IronKey D200 drives are aimed at large-scale enterprise and government deployments and offer good value for users with high-volume storage needs.  The 32GB drives provide the capacity required for storing and transporting large amounts of data and can be used as portable backup devices, while their dual-channel architecture enables rapid data transfer rates.  IronKey says the D200 drives are self-defending against physical, malware and password attacks, and were the first USB drives to meet the requirements for FIPS 140-2 Level 3 validation.

With IronKey, organizations can centrally administer, remotely manage, and enforce policies on thousands of devices located anywhere in the world.  Thousands of customers use IronKey, including Fortune 500 companies, enterprise organizations in financial services, healthcare and legal markets, as well as government agencies, including FEMA, NATO and DHS.

IronKey 32GB capacity D200 devices are available immediately through IronKey authorized distributors and resellers globally. For more information, visit http://www.ironkey.com.