Tag Archive for Security

Lessons From A Mega Data Breach

Updated 04-05-09 Wired is reporting that on August 28, 2009, accused hacker Albert Gonzalez accepted a plea agreement with federal prosecutors in Boston. According to the report, Gonzalez has agreed to plead guilty to all the charges in a 19-count indictment and will face a sentence of 15 to 25 years for masterminding the mega data breach. He has also agreed to forfeit nearly $3 million in cash as well as a Miami condo, a BMW car, a Tiffany diamond ring and three Rolex watches that he gave to others as gifts, a Glock 27 firearm seized from him at the time of his arrest and a 350C currency counter, among other items.

The agreement resolves the case against Gonzalez in Massachusetts — which charged him with hacking into TJX, Barnes & Noble, and OfficeMax — as well as a case in the eastern district of New York that charged him with hacking into the Dave & Buster’s restaurant chain. There are still outstanding charges alleging that Gonzalez also hacked into Heartland Payment Systems, Hannaford Brothers, ATMs stationed in 7-11 stores, and two unnamed national retailers.

Gonzalez is scheduled to officially enter his plea at a court hearing on September 11. His lawyer, Rene Palomino, did not return calls seeking comment from the New York Times.

Updated 08-30-09 – On 08-24-09 the Financial Times reported that Gonzalez and crew penetrated a network linking 2,200 Citibank-branded ATM kiosks inside 7-Eleven stores from late 2007 through at least February 2008. The ATMs displayed Citibank’s logo. The network and the machines were owned by Texas-based CardTronics, which took in monthly fees from Citi. Reportedly the group lifted card data and PIN codes from the system, and their allies manufactured new cards that were used to get about $2m in cash from Citibank ATMs elsewhere. An FBI affidavit said Yuriy Ryabinin of Brooklyn withdrew $750,000 from Citibank accounts in February 2008.

The U.S. Department of Justice handed down an indictment in the Heartland Payment Services data breach on August 17, 2009. The Heartland data breach is the largest data theft on record in the U.S. The Feds allege that beginning in October 2006, 28-year-old Albert Gonzalez, aka “segvec,” “soupnazi,” and “j4guar17,” of Miami, FL, and his unnamed co-conspirators in Russia and Virginia executed the Heartland data breach. This attack led to the theft of over 130 million credit and debit card accounts. Gonzalez faces two counts of conspiracy and conspiracy to engage in wire fraud.


In addition to stealing credit and debit card data from New Jersey-based Heartland Payment Systems, the conspirators also targeted 7-Eleven Inc. and Hannaford Brothers, a supermarket chain based in Maine, along with two other major national retailers whose names were withheld. According to the Government, planning for the attacks began in 2006. The indictment says that in October 2006, Gonzalez and his co-conspirators began to search for potential corporate victims by gathering intelligence such as the credit and debit card systems used by their targets.


In August 2007, 7-Eleven was hit with a SQL injection attack which resulted in an undetermined number of accounts being compromised. In November 2007, Hannaford reportedly detected a Trojan designed to skim magnetic stripe information from the checkout stations. This attack compromised 4.2 million accounts. Beginning on or about Dec. 26, 2007, Heartland was hit with a SQL injection attack on its corporate network that resulted in malware being placed on its payment processing system and the theft of more than 130 million credit and debit card numbers and corresponding card data.

According to the indictment, Gonzalez and his cohorts exploited vulnerabilities that are typical of many cybercrime cases. SQL injection attacks were used to insert specially crafted malware designed to evade detection. Once inside the corporate networks, the attackers used sniffers to conduct reconnaissance and to find and steal credit and debit card numbers and other information. According to the DOJ, the group tested their malware against about 20 different anti-virus programs. The group used computers in California, Illinois, Latvia, the Netherlands, and Ukraine to stage attacks and store malware and stolen information.

Could have been defended against

While the attacks seem to be phased-in and coordinated, the attackers used classic and well-known methods that could have been defended against, experts say. Robert Graham, CEO of Errata Security, told Dark Reading that the attacks outlined in the indictment basically offer a roadmap for how most breaches occur. “This is how cybercrime is done,” Graham says. “If there is a successful attack against your company, this is roughly what the hackers will have done. Thus, this should serve as a blueprint for your cyber defenses.”

In a Dark Reading article, Rich Mogull, founder of Securosis, says the attacks were preventable, mainly because they employed common hacking techniques that can be foiled. He points out that the attacks seem to mimic those in an advisory issued by the FBI and Secret Service that warned of attacks on the financial services and online retail industry that targeted Microsoft’s SQL Server. The advisory included ways to protect against such attacks, including disabling SQL stored procedure calls. “This seems to be a roadmap” to these breaches, Mogull says. “The indictment tracks very closely to the nature of attacks in that notice.”

“The attack took planning and organization, but ultimately it was done with relatively common attack techniques,” said Rohit Dhamankar, director of DVLabs at TippingPoint, in an eWeek article. “It just goes to show that even the most basic type of attack can do serious damage and enterprises need to be more vigilant about protecting the outward-facing portions of their networks.”

Rick Howard, intelligence director for iDefense, told Dark Reading that enterprises still aren’t closing known holes in their networks and applications. “They were using the same stuff that works all the time,” he says. “And it’s [an example of] another organization not diligent in closing up [vulnerabilities] we know about.”

Prevention

Upesh Patel, vice president of business development at Guardium, told Dark Reading the attackers must have exploited applications with authenticated connections to the database. “Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database.”

Errata’s Graham says the initial attack vector, SQL injection, is often dismissed by enterprises as unimportant. “We always find lots of SQL injection [flaws] with our clients. We talk to them about it, but get push-back from management and developers who claim SQL injection is just a theoretical risk.”

As a fix, Graham recommends, “The simple solution is to force developers to either use ‘parameterized’ queries or ‘sanitize’ input.” He also suggests that SQL-based servers be hardened. “Once they got control of the database, they were able to escalate the attack to install malware on the systems. The simple solution is to remove all features of the database that aren’t needed,” he says, such as “xp_cmdshell,” which attackers commonly abuse. Graham goes on to suggest that anti-virus doesn’t catch custom malware like the attackers wrote for their attacks, so add policies and technologies that can spot unknown threats.
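To make Graham’s two options concrete, here is an added example (my own illustration, not code from any of the companies or experts quoted) showing the same card lookup written three ways: a string-built query that lets a quote character in the input change the statement, a parameterized query that binds the input as data, and an allow-list check in front of the parameterized query. The table, the test PANs and the merchant id format are all constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data standing in for a payment application's table
# (not the schema of any company named in the post; PANs are test numbers).
SAMPLE_ROWS = [
    ("merchant-001", "4111111111111111", "12/11"),
    ("merchant-002", "5500000000000004", "03/12"),
]

MERCHANT_ID = re.compile(r"merchant-\d{3}")  # assumed id format for allow-listing


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (merchant TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant: str) -> list:
    """String-built query: caller input is spliced into the SQL text, so a
    quote character in the input changes the statement's meaning."""
    sql = f"SELECT pan FROM cards WHERE merchant = '{merchant}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, merchant: str) -> list:
    """Parameterized query: the driver binds the input as a value; it is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT pan FROM cards WHERE merchant = ?"
    return [row[0] for row in conn.execute(sql, (merchant,))]


def lookup_validated(conn: sqlite3.Connection, merchant: str) -> list:
    """Defense in depth: allow-list the input format before it reaches the
    database, then still use a parameterized query."""
    if not MERCHANT_ID.fullmatch(merchant):
        raise ValueError("merchant id does not match the expected format")
    return lookup_parameterized(conn, merchant)


def demo() -> dict:
    conn = make_db()
    honest = "merchant-001"
    # Constructed hostile input: closes the string literal and appends an
    # always-true condition, the textbook injection pattern.
    hostile = "x' OR '1'='1"
    results = {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "param_honest": lookup_parameterized(conn, honest),
        "param_hostile": lookup_parameterized(conn, hostile),  # no match
    }
    try:
        lookup_validated(conn, hostile)
        results["validated_hostile"] = "accepted"
    except ValueError:
        results["validated_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same binding discipline applies to SQL Server clients; the in-memory SQLite database is used here only so the example runs anywhere.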

The Gonzalez crew’s alleged use of their own sniffers, which copied card data from the network, could have been thwarted with encryption, according to Richard Wang, Sophos Labs’ U.S. manager. Wang tells InternetNews that the data should have been encrypted while in transit on the wire.

Sophos’ Wang says that the databases need to be secured: “Businesses should secure the application code, and make sure that the underlying server and operating system are up to date with the latest patches.” Securosis’ Mogull says not to use a privileged account for the relational database management system. In a blog post, Mogull says to deploy data leakage protection to see if you can detect any card data internally before the bad guys find it, and to focus on egress filtering.

“This was preventable,” Securosis’ Mogull says of the major breaches. “There was some degree of sophistication — like they knew HSMs — but definitely the main way they got in is not the most sophisticated.”

Gonzalez, who is in federal custody, faces a maximum sentence of 20 years in prison on wire fraud conspiracy, and another five years on conspiracy, plus $250,000 for each charge. In May 2008, the U.S. Attorney’s Office for the Eastern District of New York charged Gonzalez with an alleged role in the hacking of a computer network run by restaurant chain Dave & Buster’s. The trial on those charges is scheduled to begin in Long Island, N.Y., in September.

In August of 2008, the Department of Justice announced more indictments against Gonzalez and others for a number of retail hacks affecting eight major retailers and involving the theft of data related to 40 million credit cards. Those charges were filed in the District of Massachusetts. Gonzalez is scheduled for trial on those charges in 2010.

rb-

The work we do on behalf of our clients often includes many of the steps highlighted in this incident. We always insist that vendors harden any servers brought on to a client’s site and that unnecessary services be removed. Before we recommend the Owner accept any installation, the vendor has to fully patch the OS and any applications provided. More recently we have started to include internal and external facing port scans.

Heartland Payment Systems Reports Breach

TJX Hacker Charged With Heartland, Hannaford Breaches

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Check Your EULA

I have been trying out EULAlyzer 2.0 from Javacool Software for a couple of months and have found the results to be interesting, to say the least. EULAlyzer scans software publishers’ End User License Agreements (EULAs) for privacy risks, unwanted software, and other surprises like pop-up ads, sending personally identifiable information, or using unique identifiers to track the user’s activity.

EULAlyzer searches the publishers’ documents for what the vendor calls “words of interest” and then assigns its “Interest Rating” to the program. Like other anti-spyware programs, EULAlyzer ranks risks on a scale of 1 to 10 based on how crucial the disclosed information can be to the user’s security, judged from suspicious wording. The product also includes a search function that can be used to perform user-specific keyword searches of the entire EULA.

The copy and paste function can be used to quickly find suspicious parts of web-based license agreements, website terms, privacy policies, and other similar documents. By default the program scans for language that deals with:

  • Advertising
  • Tracking
  • Data Collection
  • Privacy-Related Concerns
  • Installation of Third-Party / Additional Software
  • Inclusion of External Agreements By Reference

EULAlyzer leverages the power of crowdsourcing through a related EULA Research Center, which optionally allows users to anonymously submit license agreements they scan to enlarge the underlying database of EULAs and further improve the program. There is also a web forum available to provide support on the application.

rb-

EULAlyzer is a proactive tool in the fight against malware. In the enterprise, this tool can be used by those responsible for developing and maintaining disk images. It can also be used by the compliance staff to quickly flag potential issues and pass them up the line to SME or the legal department.

EULAlyzer is no substitute for reading the EULA. We all know that the EULA should be read and understood before proceeding with any software installation. What EULAlyzer does is save time and effort by flagging the most onerous parts of a EULA for your review to focus on potentially riskier behavior.

I found EULAlyzer interesting and effective. It made me realize the lengths that software manufacturers go to hide the details of the EULA. The EULAs are buried deep down in sub-sub-sub directories, cryptically named and/or huge. The web-based EULA for Adobe Acrobat Reader is part of a 282 page PDF.

As for the application itself, I would like to see better explanations of the items the program flags, either through an in-depth help file or a web-based resource.

EULAlyzer is a donation-ware application that is free for personal and educational use (there is also a corporate version available). Compatible with: Windows 2000, XP, 2003, Vista.

NOTE: This blog does not provide legal advice. It can only highlight information that you may want to consider before making your own decisions to proceed or not. You should always consult a lawyer (or other competent authority) for advice on legal issues.

SPAM Continues to Grow

Despite some recent victories in the struggle against spam, like the takedowns of McColo and PriceWert, micro-analysis of spam trends confirms the continuing surge of spam. The overall trend over the last 12 months in spam volume is still headed up. This upward trend continues despite a year-long decline in the trend from April 2008 to April 2009, a trend Google also noted.

May 2009 saw a doubling of the spam received, which moved the trend line up. The amount of spam in June 2008 fell back within the expected range, which coaxed the trend higher. If the amount of SPAM received in July 2009 stays at the average projected levels, the trend will continue to climb, which Google describes as “the recent upward trajectory of spam.”

SPAM history

These results are based on spam statistics from my business email account. The practice of safer emailing, which includes the judicious use of email filters, anti-malware software on the desktop, a hosted email server, and Gmail, helps keep spam under control. Whenever I conduct business with an unknown entity, they always get a Gmail address until I know it is safe to transact business with them.

Weak PBX Passwords Cost $55 Million

The U.S. Justice Department unsealed indictments against three Filipino residents on 06-12-2009 for an international PBX hacking scheme. According to Security Fix, the three are accused of hacking into thousands of private telephone networks in the U.S. and abroad, and then selling access to those networks at call centers in Italy that advertised cheap international calls and used the profits to help finance terrorist groups in Southeast Asia.

The U.S. government alleges that the people arrested in the Philippines were responsible for hacking private branch exchange (PBX) systems and voice mail systems owned by more than 2,500 companies worldwide. The indictments allege that between October 2005 and December 2008, Manila residents Mahmoud Nusier, Paul Michael Kwan and Nancy Gomez broke into PBX and voice mail systems, mainly by exploiting factory-set or default passwords on the systems. According to Erez Liebermann, assistant U.S. attorney for New Jersey, “The default passwords were left open in most of these PBX systems.”

The government charges that Italian call center operators paid the hackers $100 for each hacked PBX system they found. The defendants are charged with computer hacking, conspiracy to commit wire fraud, and access device fraud. The case was filed in the U.S. District Court of New Jersey, the home of long-distance provider AT&T. The documents allege the thieves used the hacked PBX systems to relay more than 12 million minutes in unauthorized international phone calls, or $55 million worth of telephone charges.

According to Reuters the defendants allegedly sold access to the compromised systems to 40-year-old Pakistani Mohammed Zamir, the manager of a call center in Brescia, Italy. Italian authorities arrested Zamir and at least four other Pakistani men operating call centers throughout Northern Italy. According to the AP and Carlo De Stefano, head of Italy’s anti-terrorism police unit, much of the proceeds were sent to the Philippines and may have been forwarded to Islamic extremist groups in the region, including Al-Qaeda-linked Abu Sayyaf. “There are strong suspicions and some clues, but nothing concrete,” De Stefano said.

rb-

No matter the system (TCM, VoIP, SIP, T’s) sloppy installation practices can make any type of system vulnerable. That’s why I always include a requirement that all manufacturer and VAR account passwords be changed before the equipment is brought on-site and that they are changed by the Owner at the time of acceptance of the system. I have started to back this up by tying this requirement to their PLM bond requirements.

We also recommend to our clients that they disable international calling by default on their system and only allow it as required, based on the concept of least privilege.

Data Destruction Policy Suggestions

Humans have created more digital information than we have the ability to store, according to EMC’s digital universe survey. ComputerWorld recently published an excellent article with a lawyer’s point of view about data destruction. Attorney Mark Grossman, a tech lawyer and the founder of the Grossman Law Group, and Tate Stickles, a partner in the Grossman Law Group, offer some insight for creating an effective data destruction policy.

Highlights of a data destruction policy

  1. Data destruction is intended to be permanent.
  2. Policies must be consistently enforced.
  3. The goal is to identify and classify what data the firm has and create effective policies for disposing of it.
  4. Legal and proper data destruction may prevent extensive fishing expeditions by your opponents.
  5. A regular business process addressing data destruction should provide some “safe harbor” protections under the Federal Rules of Evidence relating to electronic evidence.
  6. Have a data retention policy – A data destruction policy is the second part of your data retention policy which will help decide where data is stored and make it easier to delete old data.

General rules

  1. The general rule for the disposal of any data is that simple deletion and overwriting of data is not enough.
    • When reusing media, wipe the old data, confirm that the data is gone, and document the process; only then can the media be reused.
    • Media that leaves the control of the firm, whether by disposal of old media or resale to another party, needs stronger processes, up to and including physical destruction of the media.
  2. Obligations to take certain data destruction steps depend on the laws, rules, or regulations that regulate the firm:
    • Sarbanes-Oxley,
    • Gramm-Leach-Bliley,
    • The Fair and Accurate Credit Transactions Act,
    • HIPAA,
    • Check with your tech attorney who can provide guidance on what laws, rules, and regulations may apply to your company’s situation.
  3. Firms that are not heavily regulated can look to other destruction standards:
    • U.S. Department of Defense standards and methods (DoD 5220.22-M),
    • National Institute of Standards and Technology’s Guidelines for Media Sanitization (NIST SP 800-88),
    • International, national, state, and local laws, rules, and regulations.
  4. The policy should address how to classify and handle each type of data residing on the media.
  5. The policy needs a process for the review and categorization of the types of data your company has and what kinds can be removed.
  6. Classifications and contents of data will play a role.
  7. Data and media containing confidential information, trade secrets, and the private information of customers require the strictest controls and destruction methods.
  8. Data and media containing little to no risk to the firm may have relaxed levels of control and destruction.
  9. Review contracts with other companies to ensure proper handling of data destruction within the terms of those contracts. For example, non-disclosure agreements can contain data destruction terms that must be complied with.
  10. When reselling or recycling media, take samples to make sure that the proper levels of data destruction are maintained.
  11. In-house data destruction requires verification that the data sanitation and destruction tools and equipment are functioning properly and maintained appropriately.
  12. Document the entire policy so the firm will know what media is sanitized and destroyed. The documentation should allow easy answers to who, what, where, when, why, and how questions.
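A minimal implementation of the wipe, confirm, document sequence from the general rules above, added here as an example (not from the ComputerWorld article or the Grossman Law Group): it overwrites a constructed sample file in place, reads it back to confirm the seeded marker is gone, and returns the who/what/when/why/how record that item 12 calls for. The file-level overwrite stands in for a real media sanitization tool and, on flash or journaling storage, does not by itself sanitize the medium, which is exactly why the first general rule says overwriting alone is not enough.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def overwrite_file(path: str, passes: int) -> None:
    """Wipe step: overwrite every byte of the file in place with random data."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(CHUNK, remaining))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())


def verify_gone(path: str, marker: bytes) -> bool:
    """Confirm step: read the media back and check that the known content
    pattern no longer appears anywhere in it."""
    with open(path, "rb") as f:
        return marker not in f.read()


def sanitize_with_record(path: str, marker: bytes, operator: str,
                         reason: str, passes: int = 1) -> dict:
    """Wipe, confirm, then document: returns the who/what/when/why/how record."""
    before = sha256_of(path)
    overwrite_file(path, passes)
    return {
        "who": operator,
        "what": {"path": path, "bytes": os.path.getsize(path),
                 "sha256_before": before, "sha256_after": sha256_of(path)},
        "when": datetime.now(timezone.utc).isoformat(),
        "why": reason,
        "how": f"{passes}-pass random overwrite with read-back verification",
        "verified": verify_gone(path, marker),
    }


def demo() -> dict:
    # Constructed sample "media": a temp file seeded with a recognisable marker
    # standing in for the sensitive content being destroyed.
    marker = b"CONSTRUCTED-SAMPLE-CARDHOLDER-RECORD|"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 4000)
    try:
        return sanitize_with_record(path, marker, operator="example-operator",
                                    reason="media reuse", passes=2)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```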

The last step of an effective policy is to have a process in place so the firm can follow up with regularly scheduled testing of the process and media to ensure the effectiveness of the policy.