Tag Archives: OPSEC

South Carolinas’s Majority of Social Security Numbers Exposed…

In an article in Dark reading, South Carolina officials announced that more than three-quarters of the states social security numbers were exposed in a recent hack. The data included debit and credit card information for the states residents as well. The most concerning issue was that the database that was compromised was not encrypted. As a state agency, it should have been an example to follow rather than one to avoid. The state’s Department of Revenue should have been held to not only federal regulatory requirements, but also PCI. This type of failure is not acceptable.

While not everything has been released as to the cause other than the database was breached and not encrypted, the article states the following:

Although state officials referred to the hack as a “database” breach, they didn’t specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.

Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. “That’s the simplest way in,” he says.

It is easy to make conjecture about how the breach occurred, but it would seem that the necessary due diligence was not followed. Security should be more than a check-box. States and Federal governments should be setting the examples for the rest of business…Another instance where measure twice and cut once should have been put in place…

Tagged , , , , , , , , , , , , ,

Weather To Have Security or Not…

Millions of people are feeling the effects of Hurricane Sandy along the East Coast of the United States. Natural disasters occur all the time all of over the world, but many times some of the basic precautions do not get addressed in advance. Many will ask how this topic deals with technology or security, but the answer is simple…it just does. Most businesses will have a process or procedures if a server crashes or the phone system or Internet goes out for a couple of hours, but how many businesses address the longer term impacts of flooding or the fact that your cloud provider lost one or more of its data centers.

The reality is that business continuity planning and disaster recovery planning should include these types of scenarios. Scenarios and planning for short and long-term outages. Whether it is an earthquake, tornado/hurricane, or flooding, the planning needs to be there and how it could impact your business from a safety and financial stand point. If you take this recent storm as an example, many businesses lost power and will be flooded for days potentially having a strong negative impact for their customers. In fact, the NYSE closed for multiple days as a result of the storm and that has not occurred for weather related issues since the early 1900s.

The bottom line is to plan. Make business continuity and disaster recovery a part of your process and then also test those processes. The last thing your business needs during an outage is to go to a process that does not work or has never been tested. Now we know that security and business has to evaluate risk. If not being prepared is an acceptable risk, then that is the business decision you will need to make…

Tagged , , , , , , , , , , , , , , , ,

Phishing for HTML 5…

The blog, Feross.org, posted a good article on using HTML5 for phishing on Oct 8th. Now, to most security professionals, this type of attack will be easily bypassed, but this type of attack is meant for the same group fo people who help feed the African Prince that is trying to pay you by transferring his money through your bank account. In addition, this also targets those people who do not validate the websites they go to or allow scripting on all sites.

This article could be used to help educate, although in a highly technical way, users in how to look for and prevent the success of this type of attack. It is important that all the technical defenses applied to a network or system can be circumvented by uneducated or unaware users that do not practice proper security principles.

Tagged , , , , , , , , , , , , , , , , ,

Zero-Day Attacks Last Longer Than Zero…

Research from Symantec has been published in ACM on October 16. The research, which was also referenced in articles in SC Magazine and Dark Reading, looks at the amount and duration of zero-day attacks. Specifically:

A zero-day attack is characterized by a vulnerability that is exploited in the wild before it is disclosed, i.e., t0 > te. Similarly, a zero-day vulnerability is a vulnerability employed in azero-day attack. Our goals in this paper are to measure the prevalence and duration of zero-day attacks and to compare the impact of zero-day vulnerabilities before and after t0.

The research within the paper has some important considerations to business and the need for effective patching and defense-in-depth within the enterprise. Specifically, the paper found the following conclusion:

Zero-day attacks have been discussed for decades, but nostudy has yet measured the duration and prevalence of these attacks in the real world, before the disclosure of the corresponding vulnerabilities. We take a first step in this direction by analyzing field data collected on 11 million Windows hosts over a period of 4 years. The key idea in our studyis to identify executable files that are linked to exploits of known vulnerabilities. By searching for these files in a dataset with historical records of files downloaded on end-hosts around the world, we systematically identify zero-day attacks and we analyze their evolution in time.We identify 18 vulnerabilities exploited in the wild before their disclosure, of which 11 were not previously known to have been employed in zero-day attacks. Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts. However, there are some exceptions for high profile attacks such as Conficker and Stuxnet, which we respectively detected on hundreds of thousands and millions of the hosts in our study, before the vulnerability disclosure. After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude. These findings have important implications for future security technologies and for public policy.

Based on these findings, it will be interesting to see if the various technology vendors, programmers, and business will take this to heart and work harder in getting less vulnerable software and systems to market. Follow on research from this paper could be to evaluate the cost impact associated with zero-day attacks or vulnerabilities that were left unpatched. The reality is that security is about risk acceptance and in some cases the cost may be deemed an acceptable risk by some businesses.

Tagged , , , , , , , , , , , , ,

Java for OS X 2012-006

On October 16, 2012 Apple released yet another Java update for OS X. This update is a security update to correct multiple vulnerabilities in Java. This update applies to Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, OS X Mountain Lion v10.8 or later. Specifically, the update addresses the following according to the Apple site:

Description: Multiple vulnerabilities exist in Java 1.6.0_35, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

As usual, Java is a security concern. If you haven’t already done so, disable/uninstall Java unless you absolutely need it. In addition, make sure you update your Java if needed.

SOAP BOX: For Oracle, if Java is going to continue to be used…FIX IT…

Tagged , , , , , , , , , , , , , ,

Taking the Hacker and Heading Home…

Many may have heard of the ongoing dispute between England and the United States about the pending extradition of British hacker Gary McKinnon. Well the wait is over, the British Home Secretary Theresa May in an announcement yesterday before Parliament stated that she would block the extradition of Gary McKinnon. She based her decision on the several medical examinations and his Asperger’s Syndrome diagnosis. He has been charged by the United Stated for hacking into highly classified Pentagon computer systems, for what McKinnon alleges in search of proof of extraterrestrial evidence.  USAToday.com has a good article on the coverage.

According to the article:

Officials in Washington expressed disappointment at the outcome, and State Department spokeswoman Victoria Nuland said the decision meant McKinnon would not “face long overdue justice in the United States.”

British prosecutors will now decide if he should face charges in the U.K.

There has also been discussion that England will also renegotiate the extradition treaty to make it harder for British citizens to be extradited to the United States.

Tagged , , , , , , , , , ,

The Cost of Monitoring Saves You Money…

In an article in Dark Reading, they discuss a recent study that shows the costs of cybercrime are reduced through intelligence, which included monitoring. The study by the Ponemon Institute was a survey tallying the cost of cybercrime. The study surveyed 56 companies and these companies lost on average, $8.9 million due to cyberattacks each year. Based on the survey, companies that detected attacks slowly incurred greater costs. In the 2012 survey, that is to say the companies needed 24 days, on average, to resolve a cyberattack, which in turn created a hefty bill of more than $590,000 per incident — 42 percent more than the previous year.

While many businesses see information technology and especially information security as a cost center, there has always been a hard sell when it comes to proving or showing that the security controls, including network and security monitoring, help in saving money. Most of this is because of the usual hefty price tag that occurs with the implementation and ongoing maintenance of these systems.

According to the article and study:

“Some organizations seem to experience a lower cost, but not a zero cost, if they do certain things,” says Larry Ponemon, chairman and founder of the survey firm. Security intelligence “is really important and helpful — not only in the detection of the cybercrime — but in the containment and ultimately remediation of the crime.”

Companies that had deployed security information and event management systems or intrusion detection systems had, on average, $1.7 million less in cybercrime costs, according to the Ponemon survey. Companies that had implemented access and identity management tools saved $1.6 million, and the deployment of tools to help with governance, regulation, and compliance trimmed $1.5 million.

It is easy to understand that technologies for monitoring and gaining intelligence on threats, “security intelligence” within the report, correlated the most with a reduction in cybercrime costs. As mentioned above, while the costs were not reduced to zero, the reduction provides a good basis for the implementation or continuation of these functions within business.

Tagged , , , , , , , , , , ,

This Window is Closed…

According to a CSO Online article, Prolexic Technologies identified the distributed denial of service (DDoS) attacks against several online banking institutions including Wells Fargo, U.S. Bank, PNC Bank, Bank of America and JPMorgan Chase as a toolkit called itsoknoproblembro. The attackers who identified themselves Izz ad-Din al-Qassam Cyber Fighters, claim to be muslim hacktivists angry over the YouTube video that has recently sparked controversy regarding its portrayal of Muhammad.

According to Prolexic:

The “itsoknoproblembro” toolkit is capable of simultaneously attacking components of a website’s infrastructure and application layers, flooding the targets with sustained traffic peaking at 70 gigabits per second. In addition, Prolexic found that traffic signatures were unusually complex and therefore difficult to reroute away from the targets.

The vendor, which declined to name the banks whose sites it tracked, said the attackers likely spent months probing the sites for the components most susceptible to a DDoS assault. They also were knowledgeable in the technology used to mitigate such attacks.

“From a DDoS perspective, they are on the level of a Stuxnet type of attack,” said Scott Hammack, chief executive of Prolexic.

This recent hack should drive home that attacks against business will become more complex over time and that it is necessary to re-evaluate risk levels and the associated mitigation/defense strategies deployed. Security is a life-cycle that needs to be re-evaluated on a regular basis to adapt to the shifting landscape.

Tagged , , , , , , , ,

Surveillance In the Day to Day…

An article in the Wall Street Journal Blog discusses 20 ways that an individual is under surveillance during the normal day-to-day hustle and bussle. When looking at the article, most people will not realize the extent to which they are monitored and the economics around it.

Whether it is the GPS device in the car, the street cameras, or facebook, the ability to monitor and track an individual is becoming more common. In addition, it is a major money maker for those doing the tracking…

Tagged ,

Iran’s Other Export…

In an article published by Bloomberg Press and redistributed by the Dallas Morning News, Senator Lieberman and other analysts state that Iran is planning an escalating set of cyber attacks against US companies and interests in response actions around Iran’s nuclear capability.

According to the Senator:

Iran’s government and its elite Qods Force were probably responsible for cyber attacks launched this week against JPMorgan Chase & Co. and Bank of America Corp., Senator Joseph Lieberman said yesterday in an interview on C-SPAN’s “Newsmakers” program.
“I don’t believe that these were just hackers,” Lieberman, an independent from Connecticut who’s chairman of the Homeland Security Committee, said in the interview scheduled to air tomorrow. “I think that this was done by Iran and the Qods Force, which has its own developing cyber attack capacity.”

This has major ramifications not only to US policy regarding state sponsored cyber attacks, but also to US businesses. It is becoming more apparent that improved operational security (OPSEC) practices and overall architecture will be needed to mitigate the increased threat that these type of cyber threats from governments can pose. The ancillary question will be whether the US will truly define state sponsored cyber attacks as an act of war and if not, to what degree will the US expect business to “defend” themselves…

According to Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute and a former special assistant to President George W. Bush for homeland security:

“The good news is Iran is not at the level of sophistication of China, Russia, us and some of our allies,” Cilluffo said. “The bad news is what they lack in capability, they more than make up for in intent.”

Tagged , , , ,
%d bloggers like this: