Security Corner


October 3, 2014  1:40 PM

JP Morgan Chase – Security Tactics 101

Jeff Cutler
Client, Data breach, Security

A new credit card came in the mail today. An actual card. Not an offer, not a temporary or fake card, but an actual, ready-to-activate credit card from a major financial institution.

What am I supposed to do with it? It feels great to be wanted, but I thought the days of banks sending out pre-approved cards were over. Didn’t we just have a little problem with a bunch of banks going under because of mortgage issues?


While I’m a bit befuddled, I guess the larger question I’m posing is what are the security ramifications of credit cards being sent out without anyone requesting them? And should I, as a consumer, start thinking like a tinfoil-hat person and wonder if a card was ordered for me by some thief and they didn’t have the chance to intercept it before I got it?

Turns out, JP Morgan Chase replaced existing cards with new ones as a result of a data breach they discovered. But how long have they known and why didn’t they also email and/or alert their customers?

Has this happened to you? With so many data breaches at banks and stores, is sending out a new card going to be the SOP? Is it something we should be concerned about?

After a little research, I figured out this was actually Chase being proactive and vigilant about security. They discovered a large security breach and revealed their findings this week – see the story in the NY Times.

So, what do you think now? Did you have a JP Morgan Chase account…do you still have one? How would you have responded to the news that your customers’ data had possibly been accessed?

In my eyes, they’ve done the right thing but there’s more to be done. Let’s work toward not letting breaches occur in the first place, shall we?

Talk to you next week!

September 30, 2014  8:12 PM

According to employees, Home Depot was vulnerable for years

Ken Harthun
Data breach, Security, Software vulnerabilities, vulnerability management

On top of that, Home Depot hired a person who had been fired from another company for sabotaging their network. According to this article on ars technica,

Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating in Charleston, West Virginia—and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.

Well, duh! Is it any wonder that Home Depot suffered a bigger breach than Target? Target’s was bad at 40 million credit cards stolen; Home Depot’s was worse at an estimated 56 million. The malware in both cases was the same: “BlackPOS” (a.k.a. “Kaptoxa”), “a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows,” says Brian Krebs.

From the ars technica piece: “…former employees contend that the company relied on out of date antivirus software—a version of Symantec’s antivirus purchased in 2007. And the company didn’t perform network behavior monitoring, so they would not have detected unusual network traffic coming from point-of-sale systems.”
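What “network behavior monitoring” would have meant in practice, as an added example that is not part of this post or of ars technica’s reporting: a register only ever needs to reach the payment gateway and a patch server, so any other connection it initiates, a large spike in what it sends, or cleartext FTP leaving the network from anywhere, is worth an alert. The subnets, the allowlist, the byte threshold and the flow records below are all constructed for illustration, not taken from any real store network.

```python
"""Flag point-of-sale hosts talking to places they have no business talking to.

Added example for this post; the register VLAN, allowlist, threshold and the
sample flow records are constructed, not real Home Depot data."""
import ipaddress
from collections import defaultdict

POS_SUBNET = ipaddress.ip_network("10.50.0.0/16")   # assumed register VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed corporate address space

# Destinations a register is allowed to initiate connections to: the payment
# gateway over TLS and an internal patch server.  Everything else is suspicious.
ALLOWED = {
    (ipaddress.ip_address("203.0.113.10"), 443),
    (ipaddress.ip_address("10.1.1.5"), 8530),
}
CLEARTEXT_FILE_PORTS = {20, 21}        # FTP data/control leaving the network
BYTES_PER_HOST_LIMIT = 2_000_000       # assumed per-window egress baseline for a register

# Constructed flow records: timestamp, src, dst, dst port, protocol, bytes sent.
# A register first behaves normally, then starts pushing data to a file server
# over SMB; another register and the file server then push data out over FTP.
SAMPLE_FLOWS = """\
2014-09-02T10:00:01,10.50.3.21,203.0.113.10,443,tcp,1840
2014-09-02T10:00:05,10.50.3.22,203.0.113.10,443,tcp,1912
2014-09-02T10:01:10,10.50.3.21,10.1.1.5,8530,tcp,52000
2014-09-02T10:02:30,10.50.3.21,10.1.2.20,445,tcp,3400
2014-09-02T10:02:31,10.50.3.21,10.1.2.20,445,tcp,2700000
2014-09-02T10:05:00,10.50.3.22,198.51.100.7,21,tcp,9600000
2014-09-02T10:05:10,10.1.2.20,198.51.100.7,21,tcp,41000000
"""


def parse_flows(text):
    """Yield one dict per non-empty CSV line of the flow export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        yield {"ts": ts, "src": ipaddress.ip_address(src),
               "dst": ipaddress.ip_address(dst), "dport": int(dport),
               "proto": proto, "bytes": int(nbytes)}


def detect(flows):
    """Return (timestamp, source, alert kind, detail) tuples for suspicious flows."""
    alerts = []
    egress = defaultdict(int)          # bytes sent per register in this window
    for f in flows:
        external = f["dst"] not in INTERNAL
        if f["src"] in POS_SUBNET:
            egress[f["src"]] += f["bytes"]
            if (f["dst"], f["dport"]) not in ALLOWED:
                kind = "pos-unexpected-external" if external else "pos-unexpected-internal"
                alerts.append((f["ts"], str(f["src"]), kind, f"{f['dst']}:{f['dport']}"))
                continue
        # Applies to every internal host, register or not: cleartext FTP to the
        # outside is how stolen card data typically left in the 2013/2014 breaches.
        if external and f["dport"] in CLEARTEXT_FILE_PORTS:
            alerts.append((f["ts"], str(f["src"]), "cleartext-ftp-egress",
                           f"{f['dst']}:{f['dport']}"))
    for host, total in egress.items():
        if total > BYTES_PER_HOST_LIMIT:
            alerts.append(("window", str(host), "pos-egress-volume", str(total)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

The allowlist approach is deliberately dumb: it needs no signatures and no up-to-date antivirus, only the knowledge of what a register is supposed to do, which is why a 2007 antivirus build would not have mattered if something like this had been watching the POS VLAN.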

Hate to say it, but they were hoisted by their own petard.


September 30, 2014  6:57 PM

Shellshock bug bashes Bash

Ken Harthun
Bash, Enterprise Security, patching, Software vulnerabilities

For the first time in a very long time, I’m not writing about a Windows vulnerability. Windows is infamous for its insecurity, but other operating systems have security holes too, and this one hits Unix, Linux and Mac OS X (which is Unix-based). iMacs and MacBooks aside, much of the internet’s plumbing consists of routers, appliances and other devices with an embedded Linux or Unix system at their core.

For those of you familiar with Linux/Unix, you know what Bash is. For those of you who are diehard Windows people, Bash is the Unix command shell that allows you to manipulate the operating system using text commands, similar to what you can do with the Windows command prompt (although Bash is more powerful).

Bash has a Remote Code Execution (RCE) bug, tracked as CVE-2014-6271 and nicknamed “Shellshock”. Bash passes shell functions to child processes through environment variables, and affected versions keep executing whatever follows the function body in such a variable. Anything that lets an outsider set an environment variable before Bash runs, such as a web server invoking CGI scripts, a DHCP client processing a rogue server’s options, or an SSH server using ForceCommand, turns that into remote command execution. Here’s what’s up with it:

“Everything from Unix, Linux and Apple systems, to servers, routers and network-attached storage devices are potentially at risk,” according to Alan Woodward (interviewed by Mathew J. Schwartz in Bank Info Security). If your company uses any of the previous platforms, you may be at risk. Windows itself does not ship Bash, so a stock Windows system is not affected; a Windows machine with Bash installed through Cygwin, MSYS or Git for Windows is, until that copy is updated.

Get more info about the exact details of the vulnerability here.

Again, if you’re running stock Windows systems, these are not affected. However, you should do the following on any other devices:

  • Patch Bash itself from your distribution’s package repository, and apply the follow-up updates too: the first fix was incomplete (CVE-2014-7169), so re-test after every update rather than assuming one patch closed the hole;
  • Disable remote log-in on all Mac OS X systems until Apple’s Bash update is installed (Apple has since published an OS X bash Update for Lion, Mountain Lion and Mavericks);
  • Check every device that runs or relies on an embedded version of Unix or Linux (routers, NAS boxes, appliances) to see if it is susceptible, and patch its software or firmware accordingly. Many small devices ship BusyBox’s ash rather than Bash and are not affected, but confirm that rather than assume it, and where a vendor has no fix yet, restrict who can reach the device’s management interface in the meantime.
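One way to run the “is it susceptible” check on any box where you can get a shell, as an added example that is not part of the original post: the two probe strings are the well-known public test cases for CVE-2014-6271 and for the incomplete first fix (CVE-2014-7169); the function names, the report format and the decision to drive Bash from Python rather than type the one-liners by hand are mine. It assumes a `bash` binary is on the PATH (or is passed in explicitly) and reports “no-bash” if it cannot run one.

```python
"""Probe a Bash binary for Shellshock (CVE-2014-6271) and for the incomplete
first fix (CVE-2014-7169).  Added example for this post, not code from the
original article; the probe strings are the public test cases for both bugs."""
import os
import shutil
import subprocess
import tempfile


def _run_bash(bash, extra_env, cmd, cwd=None):
    """Run `bash -c cmd` with a minimal environment plus the probe variable."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(extra_env)
    return subprocess.run([bash, "-c", cmd], env=env, cwd=cwd,
                          capture_output=True, text=True, timeout=10)


def check_cve_2014_6271(bash=None):
    """Return 'vulnerable', 'patched' or 'no-bash'.

    Equivalent to the one-liner
        env x='() { :;}; echo VULNERABLE' bash -c 'echo probe'
    A fixed Bash imports the function x and ignores the trailing command; an
    unpatched one executes it while importing the environment at startup.
    """
    bash = bash or shutil.which("bash")
    if not bash:
        return "no-bash"
    try:
        res = _run_bash(bash, {"x": "() { :;}; echo VULNERABLE"}, "echo probe")
    except OSError:
        return "no-bash"
    return "vulnerable" if "VULNERABLE" in res.stdout else "patched"


def check_cve_2014_7169(bash=None):
    r"""Return 'vulnerable', 'patched' or 'no-bash'.

    Equivalent to
        env X='() { (a)=>\' bash -c 'echo date'; cat echo
    run in an empty directory.  With the incomplete first fix the parser error
    leaves a dangling redirection, so 'echo date' becomes '>echo date' and a
    file named 'echo' appears in the working directory.
    """
    bash = bash or shutil.which("bash")
    if not bash:
        return "no-bash"
    with tempfile.TemporaryDirectory() as work:
        try:
            _run_bash(bash, {"X": "() { (a)=>\\"}, "echo date", cwd=work)
        except OSError:
            return "no-bash"
        return "vulnerable" if os.path.exists(os.path.join(work, "echo")) else "patched"


def report(bash=None):
    """Both checks for one binary, keyed by CVE."""
    return {"CVE-2014-6271": check_cve_2014_6271(bash),
            "CVE-2014-7169": check_cve_2014_7169(bash)}


if __name__ == "__main__":
    for cve, status in report().items():
        print(f"{cve}: {status}")
```

Point `report()` at each Bash you find (`/bin/bash`, a Cygwin install, a chrooted copy on an appliance) rather than only the first one on the PATH; a half-patched estate is exactly the situation the incomplete first fix created.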


September 30, 2014  4:34 PM

Stealing PINs with an iPhone

Ken Harthun
Security

If you’re a profit-motivated cybercriminal willing to invest a couple of hundred bucks on some technology, you can easily steal anyone’s PIN at most retail card terminals.

http://www.youtube.com/watch?feature=player_embedded&v=8Vc-69M-UWk

 


September 29, 2014  3:59 PM

Cybercriminals infecting innocent computers worldwide

Ken Harthun
Security

“What?” You say. “That’s not news!” Well, it is when the cyber-criminals are your own government agencies. I’m just going to block quote this from Bruce Schneier’s latest Crypto-gram newsletter:

There’s a new story on the C’t Magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties.

The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they’ve completed port scans of 27 different countries and are prepared to do more.

The point of this is to create ORBs, or Operational Relay Boxes. Basically, these are computers that sit between the attacker and the target, and are designed to obscure the true origins of an attack. Slides from the Canadian CSEC talk about how this process is being automated: “2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible.” They’ve automated this process into something codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA, 24 people were able to identify “a list of 3000+ potential ORBs” in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected.

Slides from the UK’s GCHQ also talk about ORB detection, as part of a program called MUGSHOT. It, too, is happy with the automatic process: “Initial ten fold increase in Orb identification rate over manual process.” There are also NSA slides that talk about the hacking process, but there’s not much new in them.

The slides never say how many of the “potential ORBs” CSEC discovers or the computers that register positive in GCHQ’s “Orb identification” are actually infected, but they’re all stored in a database for future use. The Canadian slides talk about how some of that information was shared with the NSA.

Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks.

The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. Usually, if the documents the story is based on come from Snowden, the reporters say that. In this case, the reporters have said nothing about where the documents come from. I don’t know if this is an omission — these documents sure look like the sorts of things that come from the Snowden archive — or if there is yet another leaker.

http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html or http://tinyurl.com/mevxbq2

No government agent or agency should be permitted to consider themselves above the law. What they are doing, you and I would be arrested and imprisoned for. I think it’s time we called these criminals to account for their crimes. Snowden did his part; it’s time for us to live up to our responsibilities as citizens and give these crooks the business.


September 18, 2014  8:17 PM

Has Apple received an order under the Patriot Act?

Ken Harthun
Apple, Security, USA Patriot Act

According to ZDNet, Apple has removed the warrant canary from its transparency report, suggesting that the company has received a top secret order under Section 215 of the USA Patriot Act.

The so-called “warrant canary” was first issued in Apple’s debut transparency report. Apple and other companies are not allowed to disclose whether or not they have received a Section 215 order under the Patriot Act, because the orders are classified.

Apple, however, preemptively asserted [it] “never received an order under Section 215 of the USA Patriot Act,” in November 2013.

That text has now been removed from its latest report, suggesting Apple has in fact received such an order.

BoingBoing reports this:

The premise of a warrant canary is that Section 215 of the Patriot Act can compel companies not to tell anyone about being served with a warrant, but that the law can’t compel a company to lie and say that it hasn’t received a warrant. This has not been tested in court yet.

It seems likely, based on the latest report, that Apple has now received at least one of the secret surveillance requests.


September 18, 2014  6:55 PM

Is that email malicious? Here’s how to tell

Ken Harthun
Security

Ian Paul, writing in the Security blog for PCWorld, gives us three warning signs that email is malicious:

  1. Dear Customer — an email not addressed directly to you using your registered name [or, with no salutation at all. Ed.].
  2. A weird looking link that is confusing and not obviously from the source. [Here’s a good one: http://twierdzaprzemysl.za.pl/qjjaonoars/<redacted>html]
  3. An attachment

To that list, I would add blatant grammatical errors that make it obvious the sender does not have English as a first language. Example: “It’s operated by Dropbox and safety” in a message I recently saw.

And one more thing: Were you expecting to receive that email? Even if it says it’s from someone you know, you know the types of things your friends send you. If you get lots of emails about cats from one of your friends and then start getting emails about foreign lotteries, you can assume something’s up.
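The three PCWorld signs plus the salutation note can be turned into something a mail filter or a suspicious reader can actually run. The checker below is an added example, not code from PCWorld or from this post: it parses a raw message with Python’s standard `email` module, flags a generic or missing salutation, flags a link whose visible text points at one host while the `href` goes somewhere else, flags links off the sender’s domain, and lists attachments, marking risky extensions. The sample message, its sender domain and its link target are constructed (documentation addresses), and the “registrable domain” helper is a deliberate simplification that takes the last two labels rather than consulting a public-suffix list.

```python
"""Score a raw e-mail against the warning signs above.

Added example for this post, not PCWorld's or the original author's code; the
sample message and every host in it are constructed for illustration."""
import email
import email.policy
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear sir",
                       "dear valued", "dear account holder")
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm", ".jar"}
URL_LIKE = re.compile(r"^(https?://|www\.)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    # Simplification: last two labels, no public-suffix list.
    return ".".join(host.split(".")[-2:])


def analyse(raw, recipient_name):
    """Return a list of (finding, detail) pairs for the raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    sender_domain = _registrable(msg["From"].addresses[0].domain.lower())

    # 1. "Dear Customer": generic salutation, or no salutation naming the recipient.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first.lower().startswith(GENERIC_SALUTATIONS):
        findings.append(("generic-salutation", first))
    elif recipient_name.lower() not in first.lower():
        findings.append(("no-personal-salutation", first))

    # 2. Weird links: visible text says one host, href goes to another, or the
    #    link leaves the sender's own domain.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part:
        col = _LinkCollector()
        col.feed(html_part.get_content())
        for href, shown in col.links:
            href_dom = _registrable(_host(href))
            if URL_LIKE.match(shown):
                shown_url = shown if "://" in shown else "http://" + shown
                if _registrable(_host(shown_url)) != href_dom:
                    findings.append(("link-text-mismatch", f"{shown} -> {href}"))
                    continue
            if href_dom != sender_domain:
                findings.append(("link-off-sender-domain", href))

    # 3. Attachments, with the usual executable/archive/macro extensions called out.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        kind = "attachment-risky" if ext in RISKY_EXTENSIONS else "attachment"
        findings.append((kind, name))
    return findings


# Constructed phishing sample: generic salutation, the broken English quoted in
# the post, a link whose text looks like Dropbox but whose href is a bare IP,
# and a zip attachment.
SAMPLE = """\
From: "Dropbox Support" <support@mail-dropbox-alerts.example>
To: Ken <ken@example.org>
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Dear Customer,
A document has been shared with you. It's operated by Dropbox and safety.
Open it here: http://198.51.100.7/dropbox/login
--b2
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>A document has been shared with you. It's operated by Dropbox and safety.</p>
<p><a href="http://198.51.100.7/dropbox/login">https://www.dropbox.com/s/shared</a></p>
</body></html>
--b2--
--b1
Content-Type: application/zip; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE, "Ken"):
        print(*finding)
```

None of these findings is proof on its own; a legitimate newsletter trips the salutation rule and a legitimate invoice arrives as an attachment. Two or more together, on a message you were not expecting, is the point at which you stop and do not click.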

Stay on your toes and think before you click.


September 17, 2014  6:45 PM

Highly effective security: Watch that WiFi hotspot!

Ken Harthun
Security

The proliferation of public WiFi hotspots has certainly made life convenient for mobile users, but it has also made it riskier. You have no control over the security features implemented, if any, and no way of knowing what they are; the hotspot operator, or anyone who has set up a look-alike access point with the same name, can read every unencrypted byte you send. Therefore, you have to be extra cautious when using public hotspots.

  • Do not access sensitive personal accounts such as your bank or credit cards
  • Ensure that any websites you visit use HTTPS and display a lock icon, and never click through a certificate warning: on an untrusted network, a warning is exactly what an interception attempt looks like
  • Turn off automatic joining of remembered networks, so your device doesn’t silently attach to a rogue hotspot broadcasting a familiar name
  • If you must do anything sensitive, use a VPN so the hotspot sees only an encrypted tunnel
  • Watch out for “shoulder surfing” from people and be aware that security cameras may be recording you, too
  • Never use a public computer kiosk, such as one in a hotel lobby or “business center,” to access personal information


September 16, 2014  5:39 PM

Beware of this Facebook scam

Ken Harthun
cyberscams, Facebook, Security

Beware of this Facebook scam.

People are creating a “new” profile of someone and then they add the target’s friends, hoping that since you know them, you will add them. As part of the ruse, they make up some excuse as to why they had to create the new account. They will message you about winning a lot of money or some other reason, and try to get you to go to some site and sign up, etc., etc. I know someone whose account was spoofed, and I have a friend who had a relative’s account spoofed.

Facebook will immediately disable the fake account if you report it promptly. If anyone tells you they are receiving strange messages from you, investigate and make sure your account hasn’t been spoofed.

Let your friends know that they shouldn’t be receiving any friend requests from you, since you are already connected.


August 31, 2014  3:15 PM

What?! You don’t run antivirus software? Are you nuts?

Ken Harthun
Security

Nope.

Yep.

But until something I’m not expecting blindsides me and causes me a bit of inconvenience, I’m not going to install the bloatware on my systems. Most of it doesn’t work anyway, and when users insist on clicking on scary popups because “of course I don’t want 10,000 viruses and registry errors and fix it for me now, please,” all the while ignoring the warnings of their legitimate AV application, what’s the use? They bring those systems to me, all horked up with random junk, and I find that they have AV software installed, but they opted in to all the adware that’s ******* up their computers anyway.

I don’t click on random links and I ignore popups. I’m a professional, of course, and I have everything backed up all the time and if I ever see a popup, I first ask, “Is this from an app I have installed?” I understand that most people have no clue and probably have no business owning and/or operating a computer.

But that’s why the cybercriminals are successful, isn’t it? Very few people are pros. Most of them will fall for anything.

My point is this: the AV companies are making money on people they can’t help anyway. I may be wrong. Please tell me if I am. But 11 years of not running anti-malware software on my systems (I do occasionally do a safe mode scan, but I don’t run anything in the background) without a single infection on any of my systems is enough to convince me that smart computing and safe surfing practices are enough.

Is it?

Have a happy and safe Labor Day weekend!

