Monday, October 29, 2012

Blog Entry #16: The Payback


            The article, “Data breach victims could get damages from careless firms” relates strongly to my previous post about what is going on in South Carolina.  Until recently, victims who had their private information stolen from a company or government agency had limited options with the legal system and often saw small restitution amounts.  With the changing digital landscape though, judges have begun to realize that there is real immediate, and future, harm when one's personal information gets into the wrong hands.  Data theft victims now have the ability to file class action lawsuits, “[making] companies liable for steps taken to prevent financial harm, such as insurance to cover the costs associated with identity theft."  According to article author Antone Gonsalves, the average settlement per plaintiff in a data breach class action suit is $2500.  Add to that an average of $1.2 million in lawyers' fees and these lawsuits can get expensive for companies. 
            This can mean only good things for consumers.  The high cost of lawsuits might act as a catalyst, getting IT departments to beef up security and implement more than adequate best practices.  Companies will realize that if they do all they can to secure sensitive information, the amount of liability they are responsible for might be far less.  A bill pending in Congress might also help the process of securing private information along.  The bill would “set a national standard for data breach notification, replacing the variety of state laws that exist today. Introduced in June, the Data Security and Breach Notification Act would also set maximum damages and define what is considered a breach.”  The most important thing for all companies and agencies to realize is that it is only a matter of 'when' an attack will occur.  As long as a company hosts sensitive data, there will be someone who wants access to it.

Blog Entry #15: South Carolina's Unsecured Systems


            South Carolina was the latest victim of data theft by a hacker. According to a report released by Reuters, “As many as 3.6 million Social Security numbers and 387,000 credit and debit card numbers used by state taxpayers” could have been stolen.  This theft has put the residents of South Carolina at risk of becoming victims of identity theft.  The investigation into the cause of the breach is in its early stages; so far investigators know that the hacker operated from a foreign IP address.  Understandably, Governor Nikki Haley is quite upset about the breach, and for good reason. 
            According to the article, not all of the data kept by the state’s Department of Revenue was encrypted.  None of the Social Security numbers and about 16,000 of the credit card numbers kept by the government agency were encrypted. This points to a lapse in maintaining best practices for securing sensitive information.  On the plus side, no public funds were stolen by the hacker, and the vulnerability that led to the breach was found and closed.  There is no telling what the stolen data may be worth, but if even a small amount of the personal data is used for fraud, the cost to the citizens of the state will be huge.
            It seems that there were multiple warning signs that South Carolina had security issues with its systems.  According to a state official, two attempts were made to “probe” the South Carolina Department of Revenue’s network in September and one attempt was made in August.  Also in September, two intrusions occurred in which the hacker was able to steal data for the first time.  What’s more troubling is that attacks against South Carolina’s government systems are not isolated to these instances at the Department of Revenue.  Early in 2012 police arrested a South Carolina state health agency employee who stole the information of 230,000 Medicaid recipients.  Additionally, a hacker was able to access the personal information of 34,000 students and faculty from the University of South Carolina.  It would seem that whoever is in charge of maintaining the systems used by the government in South Carolina should assess and restructure the security practices of the state.

Blog Entry #14: Attacks on the Banks



            Again the focus of international cyber criminals has turned to Western banking institutions.  Over the last few weeks numerous banks have been hit by the Izz ad-Din al-Qassam Cyber Fighters.  A story reported in the news back in September warned that this attack would occur.  HSBC was the latest bank to experience an attack.  Similar to the attacks on other banks, HSBC's servers were attacked, causing its websites to be inaccessible to customers for a short time.  The attack occurred on Thursday the 18th and was under control by early Friday London time.  The group has vowed that the attacks will continue "until the anti-Islamic ‘Innocence of Muslims’ film trailer is removed from the Internet."
            What makes this attack unique is that a group claiming to have ties to Anonymous has also claimed they had a hand in the attack.  According to a source in the article though, “the technique and systems used against HSBC were the same as the other banks.”  Of course this does not mean that some other group did not help out the Islamic cyber terrorists.  Some in the US government believe that Iran is behind the attacks, but researchers think otherwise.  What is agreed upon is that this attack is fairly sophisticated.

During the last two weeks, the following banks have been attacked:
Bank of America
Capital One
SunTrust
Regions Financial
BB&T
HSBC
Wells Fargo

Tuesday, October 23, 2012

Blog Entry #13: Cyber War Preparedness


Link: http://m.itworld.com/security/304904/why-governments-cybersecurity-plan-will-end-catastrophe?page=0,0&mm_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcyber%2Bsecurity%26hl%3Den%26client%3Dms-android-sprint-us%26tbo%3Dd%26source%3Dandroid-browser-type%26v%3D141400000%26source%3Dlnms%26tbm%3Dnws%26sa%3DX%26ei%3Db2WGUO6pLsXf0gHU24DADw%26ved%3D0CAoQ_AUoAw

            In his new proposal to shore up US cyber defenses, Defense Secretary Leon Panetta laid out a plan that would give the government unprecedented and invasive access to private systems in the US.  While the threat to America's infrastructure is very real, according to the author, Rob Enderle, the proposed system to monitor it would create privacy issues.  Panetta feels this intrusive measure is necessary to prevent a 9/11-scale cyber attack.  The article makes a strong argument for not implementing his plan and points out that Panetta's idea may be more dangerous.
            The fact that the various infrastructure systems in the US are independent and do not even have "a common security structure" means that potential cyber attackers would have to narrow the focus of their attack to a particular area.  With Panetta's plan there would be a link that, no matter how well protected, could potentially be exploited.  We saw with Stuxnet that it is possible to attack a closed system.  However, that was highly sophisticated and took a huge amount of resources.  An attack that could be waged on a single point of weakness, via a connected network, might be far less difficult for someone with similar resources, or even for a small group of motivated private citizens.
            Enderle continues his article with a few ideas that he sees as more effective.  He proposes that compensation be given to companies hurt by attacks, with the money coming from the targeted government agency's budget, and that minimum legal coverage be required.  He feels this plan "would promote a higher level of prevention through better-funded protection."  I would like to know if there would be any accountability on the side of the private sector in addition to the government agencies, but at the very least, requiring a minimum legal standard of coverage seems like a smart idea.

Monday, October 15, 2012

Blog Entry #12: Universities are under attack.

 
            The article, "Cybercriminals Increasingly Attacking University Networks" by Fahmida Y. Rashid, sheds light on an issue that should concern all college students. Rashid looks at analysis by ThreatMetrix, a cyber security firm. They concluded "that cyber-criminals had already infiltrated networks belonging to major educational institutions including New York University, George Mason University, Harvard University, Purdue University, and University of California in Irvine." ThreatMetrix collects millions of pieces of transaction data from its customer websites every day. This data is used to create rules that will "automatically reject transactions that don't meet a certain threshold." When looking at the data from the universities, one trend noticed was that even though transactions came from devices with university IP addresses, the data indicated the transactions were made from multiple time zones. This indicates that cyber criminals were "using a proxy server, a VPN, or that the network has been compromised." Once compromised, devices and servers can be used for any number of criminal activities.
            A big problem facing universities is the number of devices infected with malware. Often students and faculty are bringing their own infected devices, or not protecting their devices once on a university network, opening them up to attacks. In fact, the BYOD practice has been commonplace at universities for years and is a big reason universities are being attacked at such a high rate. One such attack noted in the article enabled a group of hackers, named Team GhostShell, to "steal personal records of students, faculty, and staff from 53 universities around the world." The hackers proceeded to release the data to Pastebin, where it was free for anyone to grab. This type of attack can compromise social network accounts, email accounts, and countless other accounts users want to keep private. Again, this shows just how important it is to educate people about protecting their data in a connected world.
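The time-zone observation above is a simple example of a fraud-detection rule. The following script, added here as an illustration and not ThreatMetrix's rule set or code, shows how such a check can be run over transaction records: a university's public address range is known to sit in one time zone, so a campus-sourced transaction whose client reports a different UTC offset, or one campus address that reports several offsets in the same window, is flagged for review. The netblock, offset and transaction records are constructed sample data.

```python
"""Flag campus-IP transactions whose client clock disagrees with the campus time zone.

Illustrative example, not a vendor's rule engine. Assumes the transaction feed
carries the source IP and the UTC offset reported by the client device (e.g.
from the browser), which is the "multiple time zones" signal in the article.
"""
import ipaddress
from collections import defaultdict

# Constructed: a campus netblock (TEST-NET-1 stands in for a real range) and
# the UTC offset, in hours, that devices physically on campus should report.
CAMPUS_NETBLOCKS = {
    ipaddress.ip_network("192.0.2.0/24"): -5,   # US Eastern, standard time
}

# Constructed transaction records: (txn_id, source_ip, client_utc_offset_hours)
SAMPLE_TXNS = [
    ("t1", "192.0.2.10", -5),
    ("t2", "192.0.2.11", -5),
    ("t3", "192.0.2.12", +8),    # campus address, client claims UTC+8
    ("t4", "192.0.2.12", +1),    # same address, a different offset minutes later
    ("t5", "198.51.100.7", +1),  # not a campus address: outside this rule's scope
    ("t6", "192.0.2.200", -5),
]


def campus_offset(ip_str):
    """Return the expected UTC offset for a campus IP, or None if it is not campus."""
    ip = ipaddress.ip_address(ip_str)
    for net, offset in CAMPUS_NETBLOCKS.items():
        if ip in net:
            return offset
    return None


def flag_offset_mismatches(txns):
    """Return txn_ids whose reported client offset differs from the campus offset."""
    flagged = []
    for txn_id, ip, client_offset in txns:
        expected = campus_offset(ip)
        if expected is not None and client_offset != expected:
            flagged.append(txn_id)
    return flagged


def hosts_with_multiple_zones(txns, threshold=2):
    """Return campus IPs that reported at least `threshold` distinct client offsets.

    One device has one clock; several offsets behind a single campus address
    within the window looks like a proxy, a VPN exit, or a compromised relay.
    """
    offsets_by_ip = defaultdict(set)
    for _, ip, client_offset in txns:
        if campus_offset(ip) is not None:
            offsets_by_ip[ip].add(client_offset)
    return sorted(ip for ip, seen in offsets_by_ip.items() if len(seen) >= threshold)


if __name__ == "__main__":
    print("offset mismatches:", flag_offset_mismatches(SAMPLE_TXNS))
    print("relay-like campus hosts:", hosts_with_multiple_zones(SAMPLE_TXNS))
```

On the sample data the first check flags t3 and t4, and the second singles out 192.0.2.12 as the address reporting more than one time zone. In practice the flagged transactions go to a review or step-up queue rather than being rejected outright, since travellers using the campus VPN from abroad produce the same signal legitimately.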

Sunday, October 14, 2012

Blog Entry #11: Something for nothing


            In keeping with current classroom discussion, I found an interesting article on a phishing scam currently taking place in Australia. It seems that phishers are taking advantage of people’s eagerness to get something for nothing. According to the email pictured below, loyal Apple customers have the option to purchase AU$100 of in-store credit for just AU$9. After searching through multiple articles, there is no word on how the email addresses were obtained by the phishers. However, given Apple's popularity, it is a good bet that a large number of recipients have purchased an Apple product.
            It is not clear whether the victims are actually charged the $9, but they are definitely affected by the scam. The email contains an attachment titled “Apple Discount - Complete this form to get your discount.html.” This form asks for a variety of personal information, including “your name, your address, date of birth, driver's license, your mother's maiden name, and credit card information." The credit card portion of the form is quite expansive. In addition to the normal requests, the phishers ask for the card's “security code, what password you use for Verified by Visa / MasterCard SecureCode and even (rather cheekily) your credit limit!” The email is very neat and concise and free from the common errors made in less sophisticated phishing emails. However, people should always be aware that they will never be asked for such personal information by any business.  Apple has announced that they have nothing to do with this.  Hopefully soon there will be more information on the number of people affected by this.

image courtesy nakedsecurity.sophos.com
 

Tuesday, October 9, 2012

Blog Entry #10: James Bond's Dry Erase Marker

LINK: http://www.forbes.com/sites/andygreenberg/2012/10/02/hackers-crack-hotel-room-locks-with-a-tool-disguised-as-a-dry-erase-marker/
 
            It seems that a small group of penetration testers have found a way to bypass a common hotel keycard door lock.  The tool has the look of a dry erase marker but is powerful enough to almost instantly unlock keycard door locks built by the company Onity.  Matthew Jakubowski, one of the three who built the device, notes “someone using this could be searched and even then it wouldn’t be obvious that this isn’t just a pen.” The trio, who built what they are calling the "James Bond's dry erase marker: the hotel pentest pen," got their idea from Cody Brocious, a hacker and software developer for Mozilla.  He built a device that functioned in much the same manner but was less concealable.
            This hardware hack is quite significant because of the sheer number of Onity locks in use, over 4 million according to Onity's own statistics.   The hackers "exploited the port on the bottom of the lock intended for a device that hotels can use to set master keys."  From this they were able to read the lock's memory, ultimately giving them access to the locking mechanism.  The entire build cost about $30 and took eight hours to assemble.  That is really cheap considering it gets you worldwide access to some of the finest hotel rooms.  Other hackers have created similar versions, concealing the hardware in an aluminum wallet and an iPhone case.


            You would think that as soon as Onity heard of this issue with their locks, they would be quick to remedy the situation.  However, the solutions they presented were replacing or upgrading the locks at the hotels' cost, or installing a small plug which would block the lock's data port.  The first solution would be cost prohibitive, meaning hotels would not be likely to repair the locks.  This would leave hotel guests in danger.  The second fix could probably be circumvented by a pick or screwdriver, and even if it cannot be dislodged, "the plugs would prevent the use of the hotels’ lock programming devices." Either way, Onity has acted irresponsibly and needs to find an economical way to make their product more secure.

For a complete list of instructions and materials to build the pentest pen, follow the link.

Monday, October 8, 2012

Blog Entry #9: Hold on to your wallet.

LINK: http://www.pcworld.com/article/2011307/cybercriminals-plotting-massive-banking-trojan-attack-security-firm-warns.html

            It looks like the assault on U.S. banks will not let up anytime soon. Jaikumar Vijayan writes about a looming attack uncovered by security group RSA. According to RSA, a major campaign is underway to rob the online bank accounts of thousands of customers of over 30 major U.S. banks. Information obtained by RSA reveals that the group will use malware called Gozi Prinimalka. This is an updated version of Gozi, which caused losses of millions for U.S. banks a few years back. The malware will “infiltrate computers belonging to U.S. banking customers and use the hijacked machines to initiate fraudulent wire transfers from their accounts.” The scale of this operation is unparalleled, with the criminal organization looking to recruit about 100 botmasters to carry out the Trojan attacks for a share of the stolen money. It is suspected this newest attack will focus on individual consumer accounts rather than going after the banks as a whole. The Trojan being used will trigger when certain words are entered into a URL string. The malware will then create a virtual machine identical to the infected one, allowing the criminals to access banking websites from computers with the same IP address as the infected machines.

            U.S. banks recently fell victim to sustained DDoS attacks which caused the websites of several major banks, including JP Morgan Chase, Bank of America, Citigroup and Wells Fargo, to be disrupted for a period of time. This most likely already cost the banks millions, and further attacks would only raise the losses. These attacks are thought to have been initiated by a government body, but a group called "Cyber fighters of Izz ad-din Al qassam" claims to be behind the attack. Banks have been made aware of current and future attacks by the Financial Services Information Sharing and Analysis Center (FS-ISAC), specifically “to watch out for hackers using spam, phishing emails, Remote Access Trojans and keystroke loggers to try and pry loose bank employee usernames and passwords.”
            In order to protect against this, it is important that anyone who uses online banking updates their browser and is vigilant in monitoring account activity. No word was given in the article about an exact date, but all signs point to this attack happening sometime this fall.



Friday, October 5, 2012

Blog Entry #8: PlaceRaider Malware

Link #1: http://threatpost.com/en_us/blogs/new-android-malware-app-turns-phone-surveillance-device-100112?utm_source=Threatpost&utm_medium=Left+Sidebar&utm_campaign=Most+Commented

            Up until now mobile malware has been used almost exclusively to steal data from inside a person's phone, and perhaps the data they have stored in the cloud. Recently though, the game has changed. Michael Mimoso, a writer for ThreatPost.com, details the latest in mobile malware, which has come from the Naval Surface Warfare Center and Indiana University’s School of Informatics and Computing. Researchers at the school have created a sophisticated method that utilizes a low-tech attack to gain control of a few of the features of Android smartphones. This attack turns the phone into a surveillance tool. The software, named PlaceRaider, is being dubbed "visual malware", a term coined by the researchers. According to the article, "PlaceRaider exploits innate weaknesses in Android to use the phone’s camera to surreptitiously take photographs, and send that data off to a command and control server where an attacker could build a 3D model of the victim’s environment." This allows the controller to get a picture of the phone owner's surroundings and the objects within them.
            Once a user has installed a malicious camera application infected with PlaceRaider onto their phone, the malware controller's C&C server is notified and the attacker can begin modeling the user's surrounding environment. In tests, barcodes, personal information, credit card information, and other sensitive data could be picked up. The creators, Robert Templeman, Zahid Rahman, David Crandall and Apu Kapadia, upped the ante on spying with smartphones. Previous malware allowed attackers to listen in with a phone's microphone, but now this malware allows its controllers to have eyes on the phone's surroundings. Additionally, it has the capability to perform this task remotely. In their paper, the authors write, “We show how PlaceRaider allows remote hackers to reconstruct rich three-dimensional models of the smartphone owner’s personal indoor spaces through completely opportunistic use of the camera."
            The news is not all bad though. It seems the makers of PlaceRaider share one big concern of all smartphone users: battery life. They were considerate enough to build into their software the ability to analyze each image to weed out “redundant and uninformative images” before they are sent out to the malware controller. This is done by applying a set of algorithms to each image. Once complete, "the analysis sets a threshold for images, and discards any that fall below in order to lessen the burden on the phone for transmission and power consumption." Of course this malware was created in a research environment, and we can't be so sure that real criminals will be so considerate to their potential victims.

To read the full write-up by the researchers follow this link.

Thursday, October 4, 2012

Blog Entry #7: Malnets, when one piece of malware just won't do.


Link #1: http://hothardware.com/News/Malnets-Were-the-Cause-of-Most-CyberAttacks-in-2012/
Link #2: http://www.theregister.co.uk/2012/10/03/malnets/

            The world of malware has a new king.  Malnets, a malware attack strategy that emerged in 2011, have been given the dubious distinction by Blue Coat of being the leading cause of cyber attacks in 2012.  Malnets are networks of malware that provide a robust and easily adapted platform for carrying out a series of organized attacks.  According to the article Zombie-animating malnets increase 200% in just 6 months, "Blue Coat expect malnets to account for more than two-thirds of all malicious cyber attacks in 2012.  The firm is currently tracking more than 1,500 unique malnets, a 200 per cent (four-fold) increase from just six months ago."  This is an alarming statistic, and it must mean that criminals are having huge amounts of success with this type of attack.  Malnets make use of thousands of servers and spread themselves out across the web. Their command and control structure is also constantly changing. This makes detection and discovery of the entire network a daunting task for security firms and law enforcement.
            According to Blue Coat, a "negative day defense" is the best approach to bringing down these expansive pieces of malicious infrastructure.  Because of the way the malnet network is set up, taking down a single system, or even a few nodes, will not do much to slow the malnet's progress.  The operators will simply replace the pieces that were taken down with new ones.  The "negative day defense" strategy involves blocking the malnets before they launch. Blue Coat describes this process: "Blue Coat Security Labs maps the relationships between malnet components to identify and block new subnets, IP addresses and host names when they come online.  Once the malnet infrastructure has been identified, it can be blocked at the source before attacks are launched."
            Here is a graphic describing the top five malnets as identified by Blue Coat.  This image is courtesy of Blue Coat and taken from Paul Lilly's article “Malnets” Were the Cause of Most Cyber-Attacks in 2012.  For a more detailed description of these and a few other big malnets to watch out for, check out the John Leyden article Zombie-animating malnets increase 200% in just 6 months from The Register.
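The "negative day" idea in the previous entry, blocking a new host or address because of what it is related to rather than because of what it has served, can be sketched as a small graph over passive-DNS style observations. The following class is an added illustration, not Blue Coat's code or method: it starts from a seed of confirmed malnet hostnames, records every (hostname, IP) resolution it sees, and blocks a hostname on its first appearance when it shares an IP with a known node, while only queuing a hostname for review when the relationship is merely a shared /24. The hostnames and addresses are constructed sample data drawn from reserved example ranges.

```python
"""Relationship-based blocking of malnet infrastructure ("negative day" style).

Added illustration, not a vendor's implementation. Input is a feed of
(hostname, ip) resolutions; the tracker pivots from confirmed malnet hostnames
to the IPs they use, and from those IPs to other hostnames parked on them, so a
fresh node can be blocked the moment it resolves, before any attack is served.
"""
import ipaddress
from collections import defaultdict


class MalnetTracker:
    def __init__(self, seed_hosts):
        self.bad_hosts = set(seed_hosts)    # confirmed malnet hostnames (seed grows over time)
        self.bad_ips = set()                # IPs the malnet has been seen to use
        self.bad_subnets = set()            # /24s containing those IPs, as strings
        self.host_to_ips = defaultdict(set)
        self.ip_to_hosts = defaultdict(set)

    @staticmethod
    def subnet_of(ip):
        """Return the /24 containing ip as a string, e.g. '203.0.113.0/24'."""
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def observe(self, hostname, ip):
        """Record one resolution and return the verdict for it.

        Verdicts:
          "known-host"    hostname is already a confirmed malnet node; its new IP is blocked
          "shared-ip"     new hostname reuses an IP tied to the malnet; blocked and folded in
          "review-subnet" new hostname only shares a /24 with the malnet; flagged, not blocked
          "allow"         no known relationship
        Only blocked observations are folded back into the graph, so a shared
        hosting /24 alone never expands the block set (fewer false positives).
        """
        self.host_to_ips[hostname].add(ip)
        self.ip_to_hosts[ip].add(hostname)
        subnet = self.subnet_of(ip)

        if hostname in self.bad_hosts:
            verdict = "known-host"
        elif ip in self.bad_ips:
            verdict = "shared-ip"
        elif subnet in self.bad_subnets:
            return "review-subnet"
        else:
            return "allow"

        self.bad_hosts.add(hostname)
        self.bad_ips.add(ip)
        self.bad_subnets.add(subnet)
        return verdict

    def blocklist(self):
        """Sorted list of IPs currently tied to the tracked malnet."""
        return sorted(self.bad_ips)


# Constructed observation feed (documentation-only names and addresses).
OBSERVATIONS = [
    ("cc1.example.invalid", "203.0.113.10"),         # seed node
    ("cc1.example.invalid", "203.0.113.11"),         # seed node rotates to a new IP
    ("fresh-node.example.invalid", "203.0.113.11"),  # new hostname on that IP: blocked on sight
    ("another.example.invalid", "203.0.113.77"),     # same /24 only: queued for review
    ("shop.example.invalid", "198.51.100.5"),        # unrelated: allowed
    ("fresh-node.example.invalid", "192.0.2.9"),     # blocked node moves: new IP is blocked too
]


def run_feed(seed_hosts, observations):
    """Process a feed and return (verdicts in order, final tracker)."""
    tracker = MalnetTracker(seed_hosts)
    verdicts = [tracker.observe(host, ip) for host, ip in observations]
    return verdicts, tracker


if __name__ == "__main__":
    verdicts, tracker = run_feed(["cc1.example.invalid"], OBSERVATIONS)
    for (host, ip), verdict in zip(OBSERVATIONS, verdicts):
        print(f"{verdict:14s} {host} -> {ip}")
    print("blocklist:", tracker.blocklist())
```

The design choice worth noting is the asymmetry between the IP pivot and the subnet pivot: a shared IP is strong evidence of shared operator control, while a shared /24 is common on legitimate hosting, so it produces a review item instead of expanding the blocklist. Real deployments add expiry for stale IPs and a whitelist of known shared-hosting ranges before automating any block.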