Data Breaches

Small Business is Being Targeted

The days when you could assume that because your company was so small hackers wouldn’t care, have officially gone past. Security by obscurity has passed as well. Now the thieves are looking for small businesses so they can get to the banking accounts and wire money.

I was called on one of these last spring, and it worked like this: the controller got a call from the bank (someone was watching! Yay!) about some wired fund transfers that looked suspicious. After reviewing them, the controller realized fraud and theft had occurred. Other evidence was that the thief had changed the email address back to the controller so that she/he would receive no notification of the wire transfers. It seemed pretty clear that someone had somehow gotten her/his access to the bank account. That was all that could be discovered at the time. They lost over $40,000. That’s small change compared to some of the fraud going on.

Reading an article from the Washington Post, I recognized the scam. It works like this:

“In many cases, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company’s controller or treasurer, a message that contains either a virus-laden attachment or a link that — when opened — surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks’ anti-money-laundering reporting requirements.”

Sounds like exactly what happened to my client. The bad news is that once that money is wired out, there is no way the company can get it back. Losses to small businesses are becoming significant, but have not gotten much press up until this point.

In fact, wire-transfer fraud has gone up 58% in 2008, according to the US Treasury Department. Commercial business customers only have about two days to notify the bank of fraud, and then they eat the loss.

The problem is, Anti-Virus software is not keeping up with malware coming from over the Internet. Thieves are able to use malware to capture even the one-time codes on a fob during a transaction.

An advisory issued by the Financial Services Information Sharing and Analysis Center, recommends that commercial banking customers take some fairly rigorous steps to secure their online banking accounts. For example, the group recommends that commercial banking customers “carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.”

Another option might be VMware, where an image could be loaded for banking use only.

By the Numbers

I was reading through the list of 2009 reported data breaches/identity theft/etc over on Identitytheft.Info and pondering the patterns that might be visible with a little help of sorting/filtering in Excel.

Part of the problem is that there is no one complete source for gaining hard numbers on medical identity theft, identity theft, data breaches, lost, stolen, etc. Every tracking organization orders their data differently. But just for grins, let’s take this one web page sited above, as a source for analysis, and drop it into a spreadsheet.

Between January 2009 and August 18, there is a total of 237 incidents. Without any further analysis, say to numbers of people/records exposed, we can draw some interesting conclusions:

58 of those incidents involved theft by owners or employees (about one quarter)
52 happened due to hacked networks, servers or PCs
44 happened due to lost, missing or stolen computer equipment containing PII or CC#
32 were due to paper documents in trash (looked in YOUR dumpster lately?)
21 were due to Web or email exposure - i.e., poor custodian security practices
10 were due to Skimming via CC # or ATMs (including some employee & owners)

There were about 20 that defied this simplistic categorization - my favorite was “patient records left on train.”

The first group (58) interested me greatly; it shows the impact (IMHO) of our economy, and, perhaps, the growing awareness on a public level that credit card numbers and personal data are now worth stealing.

The second one I find fundamentally clueless, because there are excellent whole disk encryption products that are FREE.

I was tempted to combine 52 and 21, but refrained simply because there are zero-day exploits out there.

The most appalling, are, of course, the data dumpster droppers. The good news is that there are now data dumpster dropper divers. (Sorry, I couldn’t help it.) At least somebody is looking in dumpsters for this kind of information now. That’s a Good Thing. Anyone who puts that kind of information in the trash should be handcuffed to a shredder, don’t you think?

Points to Ponder: Reviewing the “SoupNazi” Activities

By now I’m sure you’ve heard that Albert Gonzalez is being charged with the attacks on Hannaford, Heartland, 7-Eleven, etc. In between all the excited reporting, are some points that admins and auditors ought to pay attention to. We ought to ponder how this attack is different from attacks in the past, and why this attack was so successful.

1. Using a “team.” Most of his team have not been captured, residing as they may somewhere overseas. Using a multiple talent set across several different technical approaches increases the chances of success. This is becoming more and more common, especially with ATM break ins.

2. They used SQL-injection attacks. This isn’t new, but all of these folks were having quarterly scans from external vendors as part of PCI compliance. Why didn’t the scans catch the injection vulnerabilities? Makes you want to take another look at the scanning company you may be using, doesn’t it?

3. They broke in via wireless. Anyone still using WEP out there - it’s now trivial to crack the protocol, and someone will certainly do it if you offer it up.

4. There’s a big market for those credit cards and the people that can get to them. Over 130 million cards made him a LOT of money.

And we still don’t know “exactly” how he was caught, do we?

Blaming the Auditor for Bad Security

Heartland Security has attempted to point the “Public Finger of Blame” at the hapless QSA auditor they used for PCI compliance, saying that the “QSA let us down.” So who is in charge of security, Heartland or the auditor?

Security is a corporate posture, not a pass/fail compliance test. You can pass the test and the next day change settings on the firewall that turn it into a router. Is the QSA still responsible? Nope. We don’t really know all the details of what happened at Heartland. But we do know that being compliant does not equal being secure. Never has, never will.

For a well written post excising this “Finger,” check out this article on CSO, written by Ben Rothke and Anton Chuvakin. Let’s just say that blaming the door lock when you’ve left the windows open is not a viable public relations option.

The corporate security posture should provide a mandate, from the top down, of the company’s position on information security. The power of C-level executives enforcing the mandate has to come into play. Otherwise it’s just window dressing - and open windows are no way to manage the security of your environment.

What IS the corporate policy? How effective is it? Is management promoting AND funding it? Policies that are effective also protect the information of employees. Everybody wins, even, long term, the stockholders.

Which One is More Clueless? I Can’t Decide

I ran across a story about a former employee who “broke into” his employer’s computers, according to a news story from a TV station, entitled Cops: Former Worker Hacked Casino Computers.

Now, here’s the real story: If you read the article, the guy did not “hack in.” He used his VPN connection from his home (Clueless Number 1) to go into his employer’s network and access computers to mess up some programming.

His VPN connection had obviously not been disabled (Clueless Number 2) by his employer.

The police (Clueless Number 3) referred to him as a “computer whiz” for using his VPN connection from his home to get into his employer’s network.

Whiz? Cheese Whiz, maybe?

Things NOT to Do When You’ve Been Hacked, Part II

I finally asked that deadly question: “What do your Incident Response Procedures say?” Whoops, there goes all the buddy-buddy geekiness: I have morphed into The Auditor Who Asks Questions.

“Umm, well, they pretty much say to do what we just did.” I notice the vagueness of the reply, but decide to let it pass, for the moment. They don’t really know what their procedures say they should do. Probably the procedures are too generic.

“OK. But what if he has jumped to this box from another box he compromised first? How would you know?” More pained and irritated looks coming my way. “By now, you won’t really be able to tell what happened unless you go to a backup and start analyzing whatever you can find for connection information. But that won’t necessarily give you rootkit information. If you’re lucky, you might see a netcat connection, but only if he hasn’t erased the Event Logs.”

“Even so,” I continue, knowing I am now excluded from the Kool Kids Klub, “If he has gotten your SAM database off the server, wouldn’t he know the administrator password? Is that password the same on every server?”

Turns out the password IS the same, and the Event Logs overwrite according to defaults. Now they can’t trust the server OR the administrator password. But I’m leaving, and besides, this isn’t an audit anyway, just some consulting.

So they left the server alone, because “There are all those websites on it, the users would scream and we’ll watch it carefully.” And never mind about passwords because “It’s a really tough one they’ll never crack.”

I wonder what will happen next, don’t you?

Things NOT To Do When You’ve Been Hacked, Part I

The problem with being a “geek” is that we truly love to tinker, to fix, to improve, to test….etc. So when you announce to a bunch of us that a website on the network has been broken into, there’s lots of leaping into action.

Which is exactly what you don’t want to do. At all.

While visiting a client to talk about network architecture, an engineer rushed into our room to announce that one of their websites had been hacked. We all hopped up and went out with him. (My lecture was boring, anyway.) I wanted to see what they were going to do, and if they were going to follow their own Intrusion Detection Policy. Plus, I was, like them, vastly interested.

Turns out it was a fairly generic attack, with the break-in artist simply using the website for cross-site scripting and redirection.

By the time we got there, two engineers had already been working on the web server, analyzing the code in the html, and checking other settings on the server. They took the web server offline, removed the offending code, looked at the event logs and brought it back up. All good, they said.

“Not really,” I said. “You do know that you can never trust this box again?”

“Not to be a party-pooper, but there’s no way of really knowing if a rootkit has been installed, is there? He could come back tomorrow.”

The four geeks looked pained. “What should we do?”

“Well, we can start with reformating the disk and reinstalling the OS.” I knew the minute I said that I was not going to be the most popular girl in the room. That sort of thing is awfully tedious and boring; no fun for geeks.

“But there’s ten other websites on this server!” Oops, this was going to be a LOT of work.

We segued briefly into the advantages of virtual machine backups, and then returned to the discussion of what to do.

I finally asked that deadly question: “What do your Incident Response Procedures say?”

ATMs that just spit out money - Nice!

As you may know, one of my favorite posting topics has to do with ATMs. I call them Automatic Theft Machines because there are way too many stories of equipment being hacked, and/or swiping hardware being installed, or people just driving away with them.

Well, along comes a story about the progression of this issue: In Eastern Europe, the bad guys have perfected the art of getting the machine to spit out all its money on demand.

According to the article (linked above), authorities say there must be some sort of inside access to allow software to be installed. The articles claims that after unlocking the security, the inside equipment is quite vulnerable.

Hmmm, hard on the outside, yummy and soft on the inside….where have we heard that before? And something else interesting to note: many of the ATMs appear to be Diebolds; the same company that makes voting machines for us……and was implicated in another attack earlier this year, also in Eastern Europe.

The ATMs utilize a scaled down version of Windows XP, which actually doesn’t make me feel any better at all.

Encrypt Your Laptops NOW

SC Magazine has reported that a laptop belonging to the State of Oklahoma was stolen, with 1 million names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits.

All this was secured with a password. The State of OK seems to think that is adequate protection - has nobody there heard of a Linux boot disk? It will ( and probably already has) taken a cracker ten minutes or less to gather the SAM database, and probably not much time to crack the password.

No excuses! Get it done. The cost of losing a laptop is now estimated at $50,000, after the cost of corporate security efforts, bad publicity, and lawsuits. No one is too small to get sued.

The Beginning of the End for PIN Codes

Yesterday Wired released a story that reveals a startling detail about the TJMaxx data breach: hackers were able to cash in on stolen debit cards because they had a way to crack PINS.

This “minor detail” was buried in an affadavit last year, but Wired has put it together with some other information afloat on the NET, and the article is a really good read on what happens to your PIN from your debit card as it transits various networks to receive approval. Your PIN gets decrypted and re-encrypted by a Hardware Security Module (HSM) each time it transits a network. Lots of opportunities for capture with the help of an insider or some sniffing malware.

“While statistically not a large percentage…in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records,” says the report. “In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand.”

Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.

Ouch.

Clearly, PIN-based authentication has been cracked, and will be cracked more and more. Leave your debit card at home and Pay Cash Instead.