Sister CISA CISSP


April 15, 2010  6:49 PM

Adobe Reader at the Forefront of Malware Delivery

Arian Eigen Heald

Statistics from a new study by F-Secure indicate that Adobe Reader surpassed Microsoft Office products as a vector for malware delivery in 2009.

F-Secure has also pointed out that, from within a PDF, you can embed movies and songs, JavaScript, and forms that upload the data a user enters to a web server. And let’s not forget that there are functions within a PDF to launch executables and/or connect to a website.

Another researcher, Didier Stevens, has worked out how to launch an executable from a PDF, and demonstrated it with videos of the process, found here.

Adobe has been getting a lot of heat from the malware research community about its lagging efforts to patch Reader and other Adobe products, such as Flash. They are being compared to where Microsoft was eight years ago, when its security responses and its understanding of secure code development were hopelessly inadequate.

Microsoft has turned it around (mostly), and Adobe could benefit by following its example. There is a growing number of recommendations to drop Adobe Reader as the PDF reader of choice. Given that 48% of malware attacks came attached to PDFs, Adobe could see its customer base shrink drastically.

At this rate of risk, halting incoming PDFs at the email server may be a prudent action. I’d do it.
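The features the post lists (JavaScript, launch actions, forms that post data, and links out to a web server) all show up in the raw file as PDF name tokens, so a mail gateway has a middle ground between passing every PDF and dropping them all: count the risky names and triage. The Python below is an added example written for this page, not code from F-Secure, Didier Stevens or the blog’s author; the name list, the triage policy and the sample PDFs are constructed assumptions. It also handles the edge case a plain string search misses, a name written with PDF hex escapes (`/Java#53cript` is the same name as `/JavaScript`).

```python
import re
from typing import Dict, List, Tuple

# Name tokens worth flagging. They are the object keys behind the features the
# post describes: JavaScript, launch actions, actions that fire on open,
# embedded files, form submission and links out to a web server. (This list is
# an assumption for the example; a real gateway would tune it.)
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA",
    "/EmbeddedFile", "/URI", "/SubmitForm",
)

# A PDF name token is '/' followed by regular characters, i.e. anything that is
# not whitespace or a delimiter.
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")

# The PDF syntax lets any byte in a name be written as #xx, so /Java#53cript is
# the same name as /JavaScript. A plain substring search misses that spelling.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _unescape_name(raw: bytes) -> str:
    """Decode #xx escapes so every spelling of a name compares equal."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_suspicious_names(pdf_bytes: bytes) -> Dict[str, int]:
    """Count each flagged name in the raw file, after decoding escapes."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for match in _NAME_TOKEN.finditer(pdf_bytes):
        name = _unescape_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def triage(pdf_bytes: bytes) -> Tuple[str, List[str]]:
    """Return a verdict ('block', 'review' or 'allow') and the names found.

    Policy (an assumption for this example): a launch action, or an auto-open
    action combined with JavaScript, is blocked outright; any other flagged
    name sends the file to a reviewer; nothing flagged lets it through.
    """
    counts = count_suspicious_names(pdf_bytes)
    found = [name for name, n in counts.items() if n]
    has_js = counts["/JavaScript"] or counts["/JS"]
    if counts["/Launch"] or (counts["/OpenAction"] and has_js):
        return "block", found
    if found:
        return "review", found
    return "allow", found


# Constructed sample inputs for the example (not real documents or malware):
# a bare one-page file, one carrying a launch action, one whose JavaScript
# name is hex-escaped, and one that only contains a web link.
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
)
LAUNCH_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
    b"4 0 obj<</Type/Action/S/Launch/F(example)>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
)
ESCAPED_JS_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
    b"4 0 obj<</Type/Action/S/Java#53cript/JS(app.alert(1))>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
)
LINK_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"4 0 obj<</Type/Annot/Subtype/Link/A<</S/URI/URI(https://example.com)>>>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PDF), ("launch", LAUNCH_PDF),
                          ("escaped-js", ESCAPED_JS_PDF), ("link", LINK_PDF)):
        verdict, names = triage(sample)
        print(f"{label:<11} {verdict:<7} {names}")
```

This is the same keyword-counting idea Didier Stevens’ pdfid tool uses, and it has the same limit: it reads the raw bytes only, so names hidden inside compressed object streams are invisible to it. A zero count means “nothing visible,” not “clean,” which is why the policy above routes anything flagged to a person rather than trusting the allow verdict blindly.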

April 7, 2010  3:16 PM

A Free Tool Both Admins and Auditors Will Like

Arian Eigen Heald

For an admin, making the auditor happy is NOT the goal in life. It’s to keep things running, squeeze in improvements, implement new products and do it with a work force that is always too small.

For an auditor, getting information to build a complete report, with all the test information, means acquiring facts, facts, facts. As inexpensively as possible, so that the boss AND the client are happy.

So I’m delighted to report that a free tool, WinAudit, from the fine folks at PXServer, is available to download and is a very fine tool for reporting.

It runs on a single server at a time (which is great for a small business), and gives very detailed information on operating system versions, patches installed, users, groups (including domain controllers), password policies and last login, as well as a whole lot more. Give it a go.


March 31, 2010  11:53 PM

A Trojan as a “Value-Add” for a Battery Charger

Arian Eigen Heald

I’m really not sure why a USB battery charger would need software to be hooked up to a computer, or a coffee-maker, for that matter. As much as I like computers, using a computer to charge batteries appears a bit circuitous, at best. (Please pardon the really bad pun.)

It seems that product vendors, in ever more desperate efforts to introduce something “new,” think that some piece of software will help (help them, that is). The problem is that this software is often developed without good quality controls, and probably without any testing beyond “it works!”

Once this product is handed off to suppliers and retail merchants, it is “untrackable” in most, if not all, respects. So a recall gives me little comfort, especially since sales of the Bunny’s charger started in 2007.

“Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software,” Energizer said in a statement.

An additional question might be, “What are your quality controls for software that is issued with your products?”

It’s not that manufacturers are unaware of this issue. In 2007, Seagate Technology admitted that an unknown number of its hard drives left an Asian manufacturing plant with Trojan horses. (Wonder where they are now?)

And, of course, there was Best Buy’s digital picture frame, sold during the Christmas 2007 holiday season (was 2007 the year for this, or what?), whose software installed a Trojan. Although the company claimed it was making efforts to contact customers (how, exactly?), it never specified the type of Trojan, nor did it do much more than post an announcement on its website.

Perhaps enough reputation failure will persuade manufacturers to improve their Quality Assurance practices (how about a little security in the software development process?).

Meantime, I guess it’s best to keep an eye on any software that comes with a “product.”


March 26, 2010  2:52 PM

Update on Medical Identity Theft

Arian Eigen Heald

A report released by Javelin (requires an expensive membership) has updated statistics for 2008:

There were more than 275,000 cases in the U.S. last year of medical information theft, twice the number in 2008. The average fraud cost $12,100, Javelin said.
(The bold emphasis is mine.)

Medical identity theft is about 2.5 times more costly than other types of ID frauds, said James Van Dyke, president of Javelin, in part because criminals use stolen health data an average of four times longer than other identity crimes before the theft is caught. The average fraud involving health information was $12,100 compared with $4,841 for all identity crimes last year and consumers spent an average of $2,228 to resolve it, or six times more than other identity fraud, according to Javelin.

“It’s becoming the credit card with a $1 million limit,” said Jennifer Leuer, general manager of ProtectMyId.com. “If the health insurance is valid, they’ll treat you and not always check your ID.”

Ouch.

“A thief may change the billing address for a victim’s insurance so they’re unaware of charges,” according to the World Privacy Forum. “Once you aggregate and put data in one place it’s easier for you to see it, but it’s also easier for a criminal to see and use it.” And how secure are we, these days?

Given that a lot of doctors have relatively small offices, many staff have full access to patient information. It’s fairly easy to download far more patient records to a USB drive than could ever be carried off as paper forms.


March 24, 2010  12:35 PM

Painfully Educational

Arian Eigen Heald

I’ve been talking a fair amount about ACH fraud and how it is committed with banking Trojans. At a recent forensic exam I discovered not one, but three banking Trojans on a CFO’s hard disk.

Want to know (I know you don’t, not really… but) exactly how they work?

Here’s a down-to-the-code analysis from TraverseCode.com that explains the inner workings, but the really educational one comes from a blog written by a Czech researcher (my apologies to the man, but I can’t pronounce his name or read the language on his Facebook page) that describes how and where the Trojan is “sold,” the different models “sold,” and how much each model costs to buy from the author of the code.

He has done an impressive amount of research about this code, as well as about the thriving market for this type of code. He discusses how the code “calls home” to get more information, or downloads client software so that the hacker can access the user’s computer unseen and watch what he or she is typing, what pictures are stored, and even the key generator number.

He suggests, and I can’t recommend strongly enough, that people use a segregated computer for financial activities. VMware is going to have quite a sale in workstation licenses, really soon, if not NOW.

It’s going on my computer when I get home.


March 17, 2010  8:26 PM

What Constitutes “A Lot of Money?”

Arian Eigen Heald

There’s always a lot of discussion on the Internet about how much “security” (by which they usually mean IT security) costs, and whether it’s a good ROI. (Return on Investment – another candidate for Acronym dismemberment.)

There are a lot of factors to consider, but for small to medium-sized businesses or non-profits, here are some important questions:

What is the financial risk to your company?
Lawsuits
Regulatory fines
Repairs to systems
Reputation – loss of business due to public awareness of your company’s perceived “flaw”
Direct cost of theft

I started thinking about this from a small/medium sized company’s perspective, after reading a commentary in a SANS NewsBite. The commentary (Yes! I’m now commenting on a commentary about a commentary on news. Does this mean I can now be a Certified Commentarian?)

The news commentary (alright, I’ll stop now) article referenced statistics from the FDIC that were provided at the recent RSA conference, most notably:

…small businesses and nonprofits have suffered some relatively large losses — $25 million in the 3rd quarter of 2009. Hackers target small businesses where the security controls are weak.

It’s an interesting article, and summarizes the ACH and wire fraud thefts via banking Trojans that I’ve talked about previously. The commentary went on to say that in the larger scheme of things, $25 million is a relatively small amount.

My first response was, “Not to me!” Then I began to wonder, how much money could a small/medium company lose and still stay afloat? It’s a question worth asking when costs for IT Security are raised.


March 12, 2010  12:59 PM

Update on Wyndham Hotel Breaches – “Only 37”

Arian Eigen Heald

Comes the latest news via CSOOnline:

Wyndham Hotels and Resorts experienced a computer security incident in late 2009. As a result of that incident, an unauthorized user may have gained access to credit card numbers and certain associated information. As soon as the incident was identified, the perpetrator’s access was quickly isolated and contained. We believe a maximum of 37 Wyndham Hotel and Resorts branded properties may have been affected for various windows of time during the period between October 25, 2009 and January 29, 2010.

This is rather different from the announcement on their web page:

In late January, 2010, our company discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centers. By going through the centralized network connections, the hacker was then able to access and download information from several, but not all, of the WHR hotels and remove payment card information of a small percentage of our WHR customers. The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system.

If you delve into their FAQ page, the information concerning the dates is made clear. I guess they didn’t want to say somebody was in their system for 3-4 months on the announcement page.

I guess the Ramada, Days Inn and Super 8 customers can rest easy. It was only the high-end hotels.


March 6, 2010  3:59 AM

Wyndham’s 3 Breaches in 1 Year = PR Nightmare

Arian Eigen Heald

The Wyndham chain of hotels includes Ramada, Days Inn, Super8, Howard Johnson and Travelodge. None of which I have stayed at in the last year, and frankly, I am really glad.

Not one, not two, but three breaches have been disclosed to the public by Wyndham management in the last year. Because they have not disclosed which chain, or even which hotel, I can honestly say I now would not stay at any of them.

They also would not say how many customers were affected (because they probably don’t know).

A lot of companies provide very poor disclosure for a number of reasons (including ongoing investigations, legal limits and events still occurring). Unfortunately, lots of other companies are poor disclosers simply because they don’t want to expose poor (in this case, extremely poor) management practices.

Gib Sorebo, a senior information security analyst for San Diego-based Science Applications International Corp. (SAIC), said “It’s important for the company’s legal counsel and communications team to work together on the proper wording of a notification letter, because one that’s short on details and steeped in legalese can cause further frustration among customers and business partners — opening the door to nasty rumors on what may have happened. ”

Clearly Wyndham is up to speed on that part.

A good disclosure emphasizes clearly what information has been affected, what steps are being taken to detect criminal activity and keep further breaches from happening, and what affected customers can do to ensure they don’t become victims of fraud.

A good incident response team can also make the difference in finding out the exact details so that the legal and communications teams have real information to work with, in order to decide on what responsibly can be disclosed. The emphasis here should be on “responsibly,” if they want to retain their customer base.

It seems that Wyndham is in the unenviable position of being a really good example of a bad example.

Rule of Thumb: Lose customer data, customers go elsewhere.


March 2, 2010  6:18 PM

I.E. Help Files and F1 Function Key = Vulnerability

Arian Eigen Heald

A new alert came out from Microsoft on March 1st.

For the attack to work, a user browsing with Internet Explorer has to press the F1 function key while a pop-up is displayed. Not that users commonly use this key in IE, but some may do so when invited to by malware masquerading as a help file.

Microsoft is not being very specific, probably because they don’t have a patch yet.

According to the firm that discovered the vulnerability, “It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript.”

The newer Microsoft OSes are not affected by this “feature,” but if you are using Microsoft Windows 2000, Windows XP, or Windows Server 2003, it’s worthwhile alerting your users.

All IE versions are vulnerable, so you can guess that the problem is specific to the OS rather than to the IE version.

Of course, if your users are not running their machines with administrator rights, you’re in much better shape.


February 26, 2010  7:25 PM

Health Care Breaches and Third Party Associates

Arian Eigen Heald

The Department of Health and Human Services has posted a list of the covered entities, (i.e., those that come under HIPAA regulations) that have reported health information data breaches impacting more than 500 people.

DHHS is now required by the HITECH Act to post the list, which includes the covered entity’s name, the nature of the breach and the number of individuals affected.

It’s worth noting that the 36 incidents posted date only from Sept. 22, 2009–when entities were first required to start reporting the breaches–to Jan. 18, 2010.

Out of the 36 incidents, 29 were due to theft.
Out of the 29 incidents, 16 were due to “portable electronic devices” (mostly laptops and a few USB drives). That’s 50% of the thefts.

HIPAA requires that the entities (by which they mean: hospitals, private practices, higher education health care, health insurance companies, etc., etc.) have a documented agreement with the third party associates they use to process health-care information. In other words, the billing companies, drug companies, medical marketers, medical transcribers and any other associate that handles Personally Identifiable Health Information (PIHI).

Of the 36 incidents, seven occurred at associates. That’s about 20% of reported events.

Given today’s regulatory climate, as well as business improvements by outsourcing, it’s worthwhile to consider the risk of outsourcing handling of specific health and financial information.

If you review the list, you can see that the organization is listed first, whether or not the loss was from a business associate. That’s a list that no business (health care or otherwise) wants to be on. Does your organization have those kinds of relationships? (Think payroll, health billing, HR databases?)

What kind of agreement is in place to protect that data? (And your company?) Has anyone verified that they are handling the data securely? Organizations tend to think that they have offloaded the reputation and financial risk by outsourcing that information. They should take a look at that list and think again.

