Friday 11 June 2010

The return of the Proof of Concept hack

This week’s news of a breach at AT&T, which exposed the account details of 114,000 owners of the recently launched iPad, is now the subject of an FBI investigation. The group that identified the breach is known for publicizing other weaknesses that can lead to breaches, including ones in Safari and at Amazon.

The compromised accounts, which include some of the most powerful people on the planet, will likely suffer no long-term effects. The point of this attack was not to gain access to specific accounts, but to show that a breach of this sort could be done. It is, therefore, more like the proof-of-concept attacks that were popular 10 years ago. The goal of a proof-of-concept attack is notoriety for the hackers and embarrassment for the company involved. What is encouraging is that the FBI is taking investigative action. Only when there are severe consequences associated with proof-of-concept activities will they cease to be an issue.

Tuesday 4 May 2010

The US Treasury Trail

News is emerging of a hack at the US Treasury Department, in which a series of websites associated with the U.S. Bureau of Engraving and Printing (BEP) were affected.

Visitors to the sites were redirected to another site, in Ukraine, that is notorious for installing malware on visitors’ computers.

The attackers targeted a cloud computing company that hosted the BEP’s pages.

This hack has the elements of a good press story because it involves a government agency, Ukraine and the cloud. But these elements are not what makes it newsworthy.

US government sites have been under attack for the past year, and those earlier attacks should have been a call to action for all federal and state IT departments to review their security policies and practices.

The hackers’ purported base in Ukraine is also not newsworthy. Hackers will not attack targets in their own country but will go after foreign sites, knowing that the likelihood of prosecution is slim to none.

That this happened in the cloud is also not a news hook. Cloud environments are no more or less safe than any other environment. Agencies putting their information in the cloud should know the security measures and practices involved.

What is newsworthy? That there are still questions about the number of people affected, and even about whether all of the affected sites have been taken offline, is disturbing. All organizations, especially government agencies, should have an incident response plan in place for a breach. The plan should include informing those affected of the basic details: what happened, who was affected, and what people should do.

The reality is probably that the US Treasury is trying to answer those questions now, which is too little, too late.

Monday 19 April 2010

No surprises in the OWASP 2010 tail – Injection remains the number-one stinging risk in 2010

OWASP have released their 2010 “Top 10” Application Security Risks. Topping the list, up one place from the 2007 edition, is the “Injection” risk. Nobody involved in application security or database security will be surprised. The world is awash with applications, each poorly engineered in its own individual way. Injection is an easy mistake to make but very difficult to rectify without good tools and technologies to deploy.

Comparing this year’s list with the 2007 edition, the top two are the same pair of risks with their order swapped: 1. Injection; 2. Cross-Site Scripting (XSS). Broken Authentication and Session Management has climbed to third. New entrants to the list are Security Misconfiguration, ranked sixth, and Unvalidated Redirects and Forwards, at the bottom of the list.

It is interesting that security misconfiguration is a rising risk. It seems that system owners are at least trying to use security features, but are failing to get them right. Getting any security system just right without disturbing the business is notoriously difficult.

Even more difficult is retrofitting security into an enterprise application environment with a complex array of components, each tailored to the business. Good application security requires strong knowledge of how the application operates, combined with the ability to accurately prevent (or block) out-of-policy interactions. For example, protecting a database from a poorly written web-facing application requires a firewall that can determine that a query is out of policy and stop it from ever reaching the database.
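The following is an added example, not code from the original post or from any product, using Python’s built-in sqlite3 module and a constructed `users` table. It shows both sides of the argument above: the string-concatenated lookup that the Injection risk describes, together with the input that turns it into a query returning every row; the parameterised statement that fixes it; and a simplified version of the database-firewall check the paragraph calls for, which reduces each statement to a structural fingerprint (literals replaced by placeholders) and blocks anything whose shape the application is not known to issue. The table, the sample inputs and the one-statement “learning” step are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data: a small user table behind a web-facing lookup form.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_sql_vulnerable(name):
    """The Injection mistake: user input is spliced straight into the SQL text."""
    return "SELECT id, name, role FROM users WHERE name = '" + name + "'"


def run_vulnerable(conn, name):
    """Execute the concatenated statement exactly as the flawed application would."""
    return conn.execute(lookup_sql_vulnerable(name)).fetchall()


def run_safe(conn, name):
    """The fix: a fixed statement with a bound parameter. The input can only ever
    be the value compared against, never part of the statement's structure."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Simplified database-firewall check -------------------------------------
# A statement's structure is what matters for policy, not the literal values in
# it. Replace quoted strings and numbers with '?', normalise case and whitespace,
# and compare the result against the shapes the application is known to issue.
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def fingerprint(sql):
    """Reduce a statement to its structural shape, e.g.
    "SELECT ... WHERE name = 'bob'" -> "select ... where name = ?"."""
    return " ".join(LITERAL_RE.sub("?", sql).lower().split())


def build_policy(known_statements):
    """Learn the allow-list from statements the application legitimately issues
    (in practice captured over a learning period; here assumed from one call)."""
    return {fingerprint(s) for s in known_statements}


def check_query(policy, sql):
    """Return (allowed, fingerprint). Anything not on the allow-list is out of
    policy and must never reach the database."""
    fp = fingerprint(sql)
    return fp in policy, fp


def demo():
    conn = make_db()
    policy = build_policy([lookup_sql_vulnerable("alice")])  # learning step
    outcomes = {}
    for user_input in ["bob", "' OR '1'='1", "x' UNION SELECT 1, sqlite_version(), 3 --"]:
        sql = lookup_sql_vulnerable(user_input)
        allowed, fp = check_query(policy, sql)
        outcomes[user_input] = {
            "allowed": allowed,
            "fingerprint": fp,
            # Only statements that pass policy are sent on to the database.
            "rows": run_vulnerable(conn, user_input) if allowed else None,
            "rows_with_parameters": run_safe(conn, user_input),
        }
    return outcomes


if __name__ == "__main__":
    for inp, out in demo().items():
        print(repr(inp), "->", "ALLOWED" if out["allowed"] else "BLOCKED", out["fingerprint"])
        print("   concatenated query rows:", out["rows"])
        print("   parameterised query rows:", out["rows_with_parameters"])
```

Run without the firewall, the tautology input returns all three rows from the concatenated query and nothing from the parameterised one; with the firewall, both injected inputs produce a fingerprint the application never issues and are refused before the database sees them. A legitimate name containing an apostrophe would also be refused, which is the right outcome, since the concatenated statement is malformed, and is the argument for fixing the application rather than relying on the firewall alone.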

One does not need a crystal ball to forecast next year’s winner of the list!

Sunday 11 April 2010

Modern espionage, social media and the cloud

Reports are emerging of another attack on government computers, this one by a group in China that targeted networks in India and other countries. Among the data the hackers obtained was information on missile systems and on relations between governments, as well as correspondence from the Dalai Lama’s office.

The researchers who identified and tracked the hackers’ actions identify social media as the main means of infiltrating the networks. In the report, the researchers point to Twitter accounts, Yahoo Mail accounts, Google Groups and Blogspot blogs as part of the hackers’ infrastructure. Compounding the problem is the attackers’ use of cloud-based services, which the report says provides a “powerful mode of infiltrating targets who have become accustomed to clicking on links.”

What the researchers are also clear about, and perhaps the most alarming aspect, is that there is no way to know exactly what the attackers did once inside the networks. Not being able to know the state of your data at any given time is the real lesson of this hack, more than any vulnerability in the cloud infrastructure or the social networking sites. We have advocated a security defense built from the inside out, starting at the data, rather than the commonly accepted approach of working from the firewall inward to the database.

In this threat environment, governments and others in the public sector will be targets. Quite simply, the information they hold is valuable to someone, and the hackers know it. What the report should signal to every organization holding sensitive information is this: assume that your network will be infiltrated. What information will be at risk, and how will you know if it is being accessed inappropriately? Knowing the answers could be the difference between protecting the data and suffering a devastating breach.
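As an added example (not from the original post or from the report it discusses), the following Python script gives one concrete answer to “how will you know if it is being accessed inappropriately?”. From a window of database audit records it learns, per account, which tables are normally touched, the largest result set seen per table and operation, and the hours of the day the account is active; it then flags later records that touch a table never seen for that account, return more than ten times the largest result set seen before, arrive outside the account’s usual hours, or come from an account with no baseline at all. The audit-log format, the account names, the table names and every log line are constructed for the example.

```python
import re
from datetime import datetime

# Constructed audit-log format (an assumption for this example): one record per
# statement, as written by the database or by a monitoring proxy in front of it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Learning window: what normal looked like (constructed sample lines).
BASELINE_LINES = """
2010-04-05T09:12:00 user=crm_app op=SELECT table=contacts rows=12
2010-04-05T11:40:00 user=crm_app op=UPDATE table=contacts rows=1
2010-04-05T14:03:00 user=crm_app op=SELECT table=contacts rows=8
2010-04-05T16:55:00 user=crm_app op=SELECT table=contacts rows=20
2010-04-05T10:20:00 user=analyst op=SELECT table=contacts rows=300
""".strip().splitlines()

# Detection window: a later day on which an intruder is using stolen credentials
# (constructed sample lines).
WINDOW_LINES = """
2010-04-06T09:30:00 user=crm_app op=SELECT table=contacts rows=15
2010-04-06T02:14:00 user=crm_app op=SELECT table=contacts rows=4800
2010-04-06T02:15:00 user=crm_app op=SELECT table=correspondence rows=950
2010-04-06T10:05:00 user=analyst op=SELECT table=contacts rows=250
2010-04-06T03:00:00 user=svc_backup op=SELECT table=correspondence rows=20000
""".strip().splitlines()


def parse_line(line):
    """Parse one audit record into a dict; refuse lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "op": m["op"],
        "table": m["table"],
        "rows": int(m["rows"]),
    }


def build_baseline(records):
    """Per account: tables touched, largest result per (table, op), active hours."""
    baseline = {}
    for r in records:
        b = baseline.setdefault(
            r["user"], {"tables": set(), "max_rows": {}, "hour_min": 23, "hour_max": 0}
        )
        b["tables"].add(r["table"])
        key = (r["table"], r["op"])
        b["max_rows"][key] = max(b["max_rows"].get(key, 0), r["rows"])
        b["hour_min"] = min(b["hour_min"], r["ts"].hour)
        b["hour_max"] = max(b["hour_max"], r["ts"].hour)
    return baseline


def detect(baseline, records, volume_factor=10):
    """Return (timestamp, user, kind, table) alerts for records that depart from
    the account's baseline. A single record can raise more than one alert."""
    alerts = []
    for r in records:
        ts = r["ts"].isoformat()
        b = baseline.get(r["user"])
        if b is None:
            alerts.append((ts, r["user"], "unknown_user", r["table"]))
            continue
        if r["table"] not in b["tables"]:
            alerts.append((ts, r["user"], "new_table", r["table"]))
        usual_max = b["max_rows"].get((r["table"], r["op"]), 0)
        if usual_max and r["rows"] > usual_max * volume_factor:
            alerts.append((ts, r["user"], "bulk_access", r["table"]))
        if not b["hour_min"] <= r["ts"].hour <= b["hour_max"]:
            alerts.append((ts, r["user"], "off_hours", r["table"]))
    return alerts


def run_demo():
    """Learn from the baseline window, then scan the detection window."""
    baseline = build_baseline(parse_line(l) for l in BASELINE_LINES)
    return detect(baseline, [parse_line(l) for l in WINDOW_LINES])


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

On the constructed data the 09:30 and 10:05 records pass silently, the 02:14 pull of 4,800 contacts raises both a bulk-access and an off-hours alert, the 02:15 read of the correspondence table raises a new-table and an off-hours alert, and the never-seen `svc_backup` account is flagged outright. The thresholds are deliberately crude; the point is that none of these signals require knowing in advance how the intruder got in, only knowing what normal access to your own data looks like.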

Monday 29 March 2010

Remote Robber does Local time

Last week, Albert Gonzalez was sentenced to 20 years in prison for his part in the theft of more than 90 million credit and debit card numbers from TJ Maxx and other retailers. What makes this sentence notable is that it fits the severity of the crime. Gonzalez and his conspirators went after financial data with the intent to use it fraudulently. His knowledge of enterprise network weaknesses and how to exploit them made him no different from a bank robber who plans a heist. Unlike the bank robber, however, Gonzalez had technology that shielded his involvement and kept him anonymous, allowing him to rob remotely.

We can expect these types of attacks to continue, given the potential reward. With many of the perpetrators geographically dispersed, nations need a zero-tolerance policy toward this type of attack and must be ready to do whatever it takes to bring the parties involved to justice. In Gonzalez’s case, the sentence is a good first step and should prove a deterrent.

Monday 22 March 2010

The IC3 report -- an exponential rise in identity theft

The IC3 has issued its annual online crime report, which shows that reported losses more than doubled from 2008 to 2009: $560m (£371m) in 2009 vs. $265m (£176m) in 2008. What interests us in the security industry is the even greater increase in identity theft between the two years.

In 2008, identity theft accounted for 2.5 percent of complaints; in 2009 the figure is 14.1 percent, a more than fivefold rise. We should note that in 2009 the IC3 introduced a new complaint classification system that consolidated the number of categories from 157 to 79. However, we do not believe that the smaller number of categories had a marked effect on the increase in identity theft cases.

Rather, what is happening is that online criminals are progressing from one-off fraud schemes to the more sophisticated theft of personal data for greater and more prolonged gain. Personal data is a far more valuable commodity, and over the past year criminals have both realized this and found ways to obtain and use the data. The Internet provides a channel that can easily be manipulated to appear reputable while also giving the criminal crucial anonymity.

For the US consumer, the stakes are higher, in that identity theft is a far more devastating crime than a one-off online theft. Consumers should be alert and vigilant whenever they share personal information.

Thursday 11 March 2010

A truly international breach

News is breaking of a breach at HSBC affecting 24,000 customers with Swiss bank accounts. The implications of this breach are global, and the press is speculating that it could expose those using the accounts to avoid taxation in their home countries.

French authorities have identified a former IT employee of a Swiss subsidiary as the suspect and allege that he obtained the information between late 2006 and early 2007. When HSBC first discovered the breach, it thought fewer than 10 customers were affected. In reality, approximately 15 percent of the Swiss bank’s customers could have been affected.

From a security standpoint there are a number of things that make this newsworthy. First, the breach was allegedly committed by an insider, and insider theft is among the greatest dangers to financial data. Second, it appears that the suspect was attempting to sell the data, with speculation that he was offering the information to governments seeking to identify tax evaders. Third, there is the question of numbers: how could HSBC first identify “fewer than 10” affected customers and then find that the breach in reality numbered in the tens of thousands? Finally, there is the question of sovereignty. France is one country that has access to some of the data. It has promised to hand the data over to Switzerland, but the plain fact is that there is no clear-cut law that would prohibit France from using the data against its own citizens who were using Switzerland to avoid taxation.

With truly international data breaches, how long will it take to get truly international legislation?

Monday 8 March 2010

Even Schneier agrees: “It’s all in the database”

It’s official: credit card security is no longer simply about WWII-style “encryption” defenses; “it’s all in the database”. So says the information security industry’s “rock star”, Bruce Schneier. Bruce was interviewed at this year’s RSA conference and was asked about confidence in online shopping now that some “doubts” have arisen over SSL encryption.

True to form, Schneier went straight to the heart of the matter, stating that the problem is not “eavesdropping” but hacking the “endpoint”. The database is the endpoint holding the potent information, including credit card numbers, and it remains the lucrative target for hacking.

Too many easy routes to the database exist, usually due to poor practice. Attackers who compromise a database get more than the data held inside: they get a fully privileged jump-off point deep within the corporate network. This is what Heartland discovered, after 130 million card details left. I am sure that they would agree with Bruce that “it’s all in the database”, except when a complete copy has escaped!

Monday 1 March 2010

Check-in to your hotel – and let hackers check-out with your credit card

According to reports, sometime between October 2009 and January of this year, hackers broke into databases associated with Wyndham Hotels and Resorts (WHR). This is the third data breach the hotel chain has suffered within a year, and this time the hackers stole customer names and payment card information. What the hotel is saying, through an open letter and associated FAQs, raises more questions about how exactly the company is safeguarding data and what rights (if any) customers have to be told of data theft affecting their accounts.

In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain about fraudulent use of their cards. Based on this feedback, the hotel went back through its systems and discovered the breach. In simple terms, the hotel was not aware of the breach until the data had been stolen and used fraudulently. The next logical step would seem to be notifying the owners of the compromised data, whom the hotel has identified.

What Wyndham did instead was to inform the Secret Service and provide the card information to the card companies, advising them to watch for suspicious activity. Wyndham says it does not have the addresses of the affected individuals, so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required. The people who suffer are the customers, who must check their statements for fraudulent charges or hope that the card companies are watching for suspicious activity. Every customer should have the right to know immediately if his or her data has been stolen.

As for the hotel’s mention of hiring a PCI firm to check its revised security: the hotel could very well have been PCI compliant at the time of the breach. PCI compliance does not equal safe data.

Monday 22 February 2010

The lessons from the Kaiser Permanente breach

Last year, a data breach involving close to 30,000 Kaiser Permanente employees in California came to light when the suspect’s home was searched for unrelated reasons and authorities found evidence that the data of Kaiser employees had been stolen. The evidence came in the form of dozens of driver’s licenses and credit cards in the names of the Kaiser Permanente victims, whose addresses, dates of birth and Social Security numbers had been included in the stolen data. Much has been made of the items the suspect allegedly purchased with the stolen data, which included designer dogs and gift cards to expensive stores. The real news for those in the security industry is how the data was obtained, how easily it was shared, and the inexplicable lapse of time between the discovery of the theft and the suspect being stopped.

The main suspect in the data theft ring worked for a third party that had access to the Kaiser employee files. When a third party has access to confidential data, the risk to that data rises considerably. In Kaiser’s case, the employee information was allegedly downloaded and distributed as a file of only 17 megabytes, and therefore easy to transport and share. From there, the data was used to obtain driver’s licenses, credit cards and other items.

To put this case in perspective: the breach occurred in 2007, and the theft was discovered in 2008 during an unrelated search of the suspect’s home. Kaiser employees were notified in February 2009. For a number of reasons, including the suspect’s involvement in multiple crimes and the number of law enforcement offices involved, the suspect continued to use the data until February of this year. Kaiser offered the employees a one-year credit monitoring package, covering 2009 to 2010. Since the suspect was using the data as recently as this month, those who believe they have been affected will need to continue to monitor their credit.

This case shows the need for a unified investigative process and clear ownership among law enforcement agencies, the importance of knowing at the corporate level what data is being accessed and by whom, and the need for accountability when a data theft occurs. Next month, the Massachusetts data privacy regulation goes into effect, mandating that any entity that stores or transmits Massachusetts residents’ personal information encrypt that data when it is stored on laptops or other portable devices or transmitted across public networks. This is a great first step in what will become an international drive to protect personal data.

Tuesday 16 February 2010

The disgruntled worker turned activist

This week brings news of a data breach at Royal Dutch Shell affecting 170,000 workers at the global oil company. From published reports, the database is thought to contain names, telephone numbers and other details for both permanent and contract employees, and is believed to be about six months old.

What makes this breach unusual, and points to a disgruntled insider, is that the database was mailed to groups that have had contentious relations with Royal Dutch Shell. The recipients allegedly include Greenpeace and other non-governmental groups that have protested against Shell’s activities.

Last year, Shell cut 5,000 jobs and reduced IT contractor pay by 12 percent. Many data thefts occur during periods of staff reductions or low morale, when individuals are more likely to “strike back” at the company. While we do not know the exact details, it appears that this insider or insiders sought to put Shell at a disadvantage by handing over detailed, proprietary information that could be used against the company immediately.

This type of “revenge breach” has been on the rise during the past few years, given the tumultuous global economic climate, and we expect such breaches to continue.

Ironically, if it is found to have stored the data improperly, Shell could be fined by the UK Information Commissioner’s Office. Currently, these fines have a maximum of £5,000, but in two months the maximum rises to £500,000. Shell’s breach is a reminder to all companies to secure data from the inside out, as well as from the outside in!

Sunday 31 January 2010

Security in the Sky with Diamonds

A new colleague asked me recently how I felt about “all the security issues in the sky”. At first, I wondered if I had missed a news story about break-ins at Rupert Murdoch’s satellite TV network. After a little probing it transpired that when she talked of “sky computing” she meant “cloud computing”. Ah, at last we were finally on the “same page”.

It is hard enough explaining what “cloud computing” is to those not in IT. It is even more challenging to teach them about the underlying security issues. There is a range of cloud models, from remote hosting to SaaS, but I like the definition of cloud computing that I learned from William Fellows of the 451 Group:
“A cloud is formed upon automatically managed, flexible shared infrastructure, where users help themselves to services via an access API with a per-use pricing model.”
I like to call this the “pay-per-drink” model of cloud computing. Examples of current cloud computing providers include Google Apps and Amazon Web Services. Many applications already run in the cloud, from personal finance management services to security log analysis services. William Fellows also highlights the many barriers to adoption for cloud computing; the key issues are security, regulatory compliance and retail payment methods.

Like all IT systems, systems deployed on the cloud computing model present challenges for the usual C-I-A view of security (Confidentiality, Integrity, Availability). For me, security is about ensuring that systems can only do what you want them to do, and enforcing that they can do no more. Attacks are typically users doing things in systems that you don’t want, either because access controls are weak or inappropriate, or because of appalling application development whereby the functionality of the deployed system goes beyond what was expected.

Back to sky computing: I am not sure whether the sky is falling or the clouds are lifting (apologies for the appalling puns); maybe as 2010 unfolds it will all become clear.