You’ll Shoot Your Eye Out…
…is probably one of the most memorable lines of any Holiday Classic. Of course I’m referring to A Christmas Story, where a young Ralphie tries to convince his parents, teachers and Santa that the Red Ryder BB Gun is the perfect present. I don’t know of there was a warning label on the 1940’s edition box but it is a good reminder from a security perspective that often we, meaning humans, are our own worst enemy when it comes to protecting ourselves. Every year about 100 or so homes burn down due to fried turkeys. A frozen one with ice crystals straight in or the ever famous too much oil that overflows and toasts everything it touches. Even with the warnings and precautions, humans still take the risk. Warning: You can get burned badly. As if the RSA breach wasn’t warning enough about the perils of falling for a phishing scam, we now learn that the South Carolina Department of Revenue breach was also due to an employee, and it only takes one, clicking a malicious email link. That curiosity lead to over 3.8 million Social Security numbers, 3.3 million bank accounts, thousands of credit cards along with 1.9 million dependant’s information being exposed. While the single click started it all, 2-factor authentication was not required and the stored info was not encrypted, so there is a lot of human error to go around. Plus a lot of blame being tossed back and forth – another well used human trait – deflection. Warning: Someone else may not protect your information. While working the SharePoint Conference 2012 in Vegas a couple weeks ago, I came across a interesting kiosk where it allows you to take a picture and post online for free to any number of social media sites. It says ‘Post a picture online for free.’ but there didn’t seem to be a Warning: ‘You are also about to potentially share your sensitive social media credentials or email, which might also be tied to your bank account, into this freestanding machine that you know nothing about.’ I’m sure if that was printed somewhere, betters would think twice about that risk. If you prefer not to enter social media info, you can always have the image emailed to you (to then share) but that also (obviously) requires you to enter that information. While logon info might not be stored, email is. Yet another reason to get a throw away email address. I’m always amazed at all the ways various companies try to make it so easy for us to offer up our information…and many of us do without considering the risks. In 2010, there were a number of photo kiosks that were spreading malware. Warning: They are computers after all and connected to the internet. Insider threats are also getting a lot of attention these days with some statistics indicating that 33% of malicious or criminal attacks are from insiders. In August, an insider at Saudi Aramco released a virus that infected about 75% of the employee desktops. It is considered one of the most destructive computer sabotages inflicted upon a private company. And within the last 2 days, we’ve learned that the White House issued an Executive Order to all government agencies informing them of new standards and best practices around gathering, analyzing and responding to insider threats. This could be actual malicious, disgruntled employees, those influenced by a get rich quick scheme from an outsider or just ‘compromised’ employees, like getting a USB from a friend and inserting it into your work computer. It could even be simple misuse by accident. In any event, intellectual property or personally identifiable information is typically the target. Warning: Not everyone is a saint. The Holidays are still Happy but wear your safety glasses, don’t click questionable links even from friends, don’t enter your logon credentials into a stray kiosk and a third of your staff is a potential threat. And if you are in NYC for the holidays, a limited run of "Ralphie to the Rescue!" A Christmas Story, The Musical is playing at the Lunt-Fontanne Theatre until Dec 30th. ps References How One Turkey Fryer Turned Into A 40-foot Inferno That Destroyed Two Cars And A Barn S.C. tax breach began when employee fell for spear phish 5 Stages of a Data Breach Thinking about Security from the Inside Out Obama issues insider threat guidance for gov't agencies National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs Insiders Big Threat to Intellectual Property, Says Verizon DBIR Negligent Insiders and Malicious Attacks Continue to Pose Security Threat Infographic: Protect Yourself Against Cybercrime The Exec-Disconnect on IT Security "Ralphie to the Rescue!" A Christmas Story, The Musical Opens On Broadway Nov. 19The Changing Security Threat Landscape Infographic
In conjunction with a new video and a security white paper, this F5 infographic validates the need for organizations to rethink security practices. The global security threat landscape is rapidly evolving and has changed dramatically in ways unfathomable just a few years ago. Due to this growing complexity and the rise of many unknown forces in the battle for information and causes, customers must rethink how they protect their network, applications, and data from ever-changing threats. (you can reuse within your own blogs, etc) ps Resources: F5 Networks Launches Informational Video on the Changing Security Threat Landscape The Changing Threat Landscape – F5 Security Video The Changing Threat Landscape – Infographic A New Firewall for the Data Center – Infonetics Research Paper F5 Security Vignette Series F5 Security SolutionsCure Your Big App Attack
Not that I really needed to point his out but, security attacks are moving ‘up the stack.’ 90% of security investments are focused on network security, yet according to Gartner, 75% of the attacks are focused at the application layer and ‘over 90 percent of security vulnerabilities exist at the application layer, not the network layer.’ SQL Injection and XSS are #1 and #2 reported vulnerabilities and the top two from the OWASP Top 10. Plus, from Forrester Consulting, the average loss of revenue per hour for a layer 7 DDoS attack is $220,000. These vulnerabilities are some of the primary routes that are being exploited in many of the recent attacks. Modern DoS attacks are distributed, diverse and cross the cavity that divides network components from application infrastructure yet many of these attacks are preventable. The problem is that organizations are using outdated network and/or desktop technology to try and protect against sophisticated application security attacks which traditional solutions like network firewalls, IPS or AV systems have little to no visibility or role. It’s like trying to protect a city against a coordinated air attack by digging trenches in the ground. Wrong band-aid for the attack vector. The solution is an integrated approach that covers network and application security along with access control. Another dilemma is that security has often been left up to the network gang who may or may not have expertise in and around the transport and application level exploits. And deploying more network firewalls, AV, or IPS systems is not really the answer. You might just be digging more trenches. F5 has technologies like BIG-IP ASM, APM, Edge Gateway and LTM that can help mitigate the recent attacks. Many of our solutions (particularly ASM) have capabilities to prevent DoS, DDoS, Brute Force, Parameter Tampering (and dynamic parameters), Forceful Browsing, Web Scraping, SlowLoris, Access Control, XSS, SQL Injection and the entire OWASP Top 10. ASM can also be configured to verify the value of web application set parameters isn’t changed during the user’s session along with ensuring a user has accessed the site via a login page. With those recent attacks, ASM could have blocked or at least alerted site owners of the intrusion. Detecting and alerting on this when it started, even without mitigating would have considerably minimized the business risk. BIG-IP LTM can protect you from a network perspective with BIG-IP ASM from an application angle. It is interesting that these attacks have been around for a while but also shows how hard it is to get protection right, especially when the attacks are blended. Once a vector is found to deliver, a variety of exploits can be used in quick succession to find one that will work. Most of these attacks would also have sailed invisibly through an IPS device – no offense to those solutions – they are just not designed to protect the application layer or didn’t have a signature that matched. A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks. ps Resources Ongoing storm of cyberattacks is preventable, experts say With a click, employees invite a vampire into the network DataLossDB Codemasters email customers regarding recent security breach Thieves Found Citigroup Site an Easy Entry Sega Is the Latest Victim, Admits User Accounts Hacked Nearly half of firms don't fear hackers What Is Next on Hackers' Hit Lists Custom Code for Targeted Attacks And The Hits Keep Coming Unplug Everything! The Big Attacks are Back…Not That They Ever Stopped Technology Can Only Do So MuchCustom Code for Targeted Attacks
Botnets? Old school. Spam? So yesterday. Phishing? Don’t even bother…well, on second thought. Spaghetti hacking like spaghetti marketing, toss it and see what sticks, is giving way to specific development of code (or stealing other code) to breach a particular entity. In the past few weeks, giants like Sony, Google, Citibank, Lockheed and others have fallen victim to serious intrusions. The latest to be added to that list: The IMF – International Monetary Fund. IMF is an international, intergovernmental organization which oversees the global financial system. First created to help stabilize the global economic system, they oversee exchange rates and functions to improve the economies of the member countries, which are primarily the 187 members of the UN. In this latest intrusion, it has been reported that this might have been the result of ‘spear phishing,’ getting someone to click a malicious but valid looking link to install malware. The malware however was apparently developed specifically for this attack. There was also a good amount of exploration prior to the attempt – call it spying. So once again, while similar to other breaches where unsuspecting human involvement helped trigger the break, this one seems to be using purpose built malware. As with any of these high-profile attacks, the techniques used to gain unauthorized access are slow to be divulged but insiders have said it was a significant breach with emails and other documents taken in this heist. While a good portion of the recent attacks are digging for personal information, this certainly looks more like government espionage looking for sensitive information pertaining to nations. Without directly pointing, many are fingering groups backed by foreign governments in this latest encroachment. A year (and longer) ago, most of these types of breaches would be kept under wraps for a while until someone leaked it. There was a hesitation to report it due to the media coverage and public scrutiny. Now that many of these attacks are targeting large international organizations with very sophisticated methods there seems to be a little more openness in exposing the invasion. Hopefully this can lead to more cooperation amongst many different groups/organizations/governments to help defend against these. Exposing the exposure also informs the general public of the potential dangers even though it might not be happening to them directly. If an article, blog or other story helps folks be a little more cautious with whatever they are doing online, even preventing someone from simply clicking an email/social media/IM/txt link, then hopefully less people will fall victim. Since we have Web 2.0 and Infrastructure 2.0, it might be time to adopt Hacking 2.0, except for the fact that Noah Schiffman talks about misuse and all the two-dot-oh-ness, particularly Hacking 2.0 in an article 3 years ago. He mentions, ‘Security is a process’ and I certainly agree. Plus I love, ‘If the term Hacking 2.0 is adopted, or even suggested, by anyone, their rights to free speech should be revoked.’ So how about Intrusion 2.0? ps Resources: Inside The Terrifying IMF Hack: Who The Hackers Were And What They Took IMF Hacked; No End in Sight to Security Horror Shows Join the Club: International Monetary Fund Gets Hacked IMF State-Backed Cyber-Attack Follows Hacks of Atomic Lab, G-20 IMF cyber attack boosts calls for global action I.M.F. Reports Cyberattack Led to ‘Very Major Breach’ IMF Network Hit By Sophisticated Cyberattack Where Do You Wear Your Malware? The Big Attacks are Back…Not That They Ever Stopped Technology Can Only Do So Much 3 Billion Malware Attacks and Counting Unplug Everything! And The Hits Keep Coming Security Phreak: Web 2.0, Security 2.0 and Hacking 2.0 F5 Security SolutionsThe Big Attacks are Back…Not That They Ever Stopped
As we've seen with some of the recent high profile internet attacks, like HBGary, RSA, Google, Comodo and others, no one is immune from being a target and the perpetrators are exceedingly organized, exceptionally skilled and extremely well-funded. Often, the culprits might be better trained than the IT staff deployed to thwart the attacks. The attacks are targeted, elaborate and aggressive, not to mention a bit creative. The attacks are multi-layered in that once one type of attack settles in, another can and will crop up. They are not simply looking to deface a website but they are attempting to steal valuable data. Customer data, intellectual property, state secrets, SSL certificates and other proprietary, highly sensitive information are the top targets. The malware and other penetration techniques are custom made, can adapt and can cover the tracks of those seeking the information. They may start at the network level with DNS, ICMP or SYN flood attacks, then move to the application with Layer 7 DoS, SQL injection, or Cross-site scripts and once compromised, go after the data. Often they try to leave 'back-doors' so they can come and go as they please before being detected. And the targets are changing. A couple years ago it was retail and financial, like Target and Heartland, that were getting attacked and while those industries are still coveted kills, security companies, sensitive corporate secrets, and the internet’s overall infrastructure seem to be especially savory these days. Many organizations do a decent job of securing their infrastructure components but are challenged when it comes to securing their web applications, whether they are hosted in a cloud environment, in-house or both. Forester reported that in 2009, 79% of breached records were the result of web application attacks. An application breach can cost companies significant amounts of money and seriously damage brand reputation. The 2010 Symantec/Ponemon Data Breach Loss Report calculated that the average cost to a company was $214 per compromised record and $7.2 million over the entire organization. Other areas that an organization may have to address as part of the breach include compliance issues, legal actions, public scrutiny and loss of trust. BIG-IP ASM provides the application protection you require to block the evolving threats no matter where your applications are deployed in today's dynamic environments. One such threat is the recent ‘Slow HTTP DOS attack,’ which allows attackers to launch a DDoS attack by first sending a POST request with valid ‘content-length’ information and then slowly sending the POST message body, which leaves the server connection open depleting resources and eventually crippling the server’s ability to accept new connections. BIG-IP ASM, a high performance, ICSA certified web application firewall (WAF) can protect against this HTTP vulnerability out of the box with HF-1. Most of our competitors have addressed it through signature updates, or not at all. Signatures are great when they discover Slowloris, not so great when they encounter 5l0wl0ri5.32a. Today, IT faces a variety of changes that require control points that can adapt dynamically and secure applications and their content as its being delivered from a variety of locations to a mass of users. This is especially true for cloud computing deployments and infrastructures that span between the cloud and the organization's data center. F5 has the solutions to make any application deployment endeavor swift, successful and secure. ps Resources: Researchers To Demonstrate New Attack That Exploits HTTP Mitigating Slow HTTP Post DDoS Attacks With iRules (From Nov 2010) Mitigating Slow HTTP Post DDoS Attacks With iRules – Follow-up Layer 7 DDoS - OWASP (pdf) Layer 4 vs Layer 7 DoS Attack Denial of Service Attacks Get more Sophisticated In 5 Minutes - BIG-IP ASM L7 DoS & Brute Force Protection Comodo admits 2 more resellers pwned in SSL cert hack McAfee's website full of security holes, researcher saysAnd The Hits Keep Coming
In case you missed this over the long weekend, a few more notable names were compromised in recent weeks. A few weeks ago I wrote about how the Big Attacks are Back and it sure seems like the hits keep coming. First, last Friday, Lockheed Martin said that earlier in the week, they detected that someone was trying to break into their network through the VPN. Lockheed is a huge military contractor providing fighter jets, spy satellites and other military and intelligence equipment for the US and other government entities. They are also known for Skunk Works or their Advanced Development Program projects. These are highly classified assignments with the SR-71 Blackbird and F-117 Nighthawk (Stealth) as examples over the years. I live very close the Skunk Works facility and I can say that I’ve seen some interesting craft flying over at various times. Anyway, there is some indication that this attempted breach is tied to the security tokens issued to the workers. Reports have indicated that it was RSA tokens and this incident might be directly tied to the RSA breach earlier this year. Lockheed quickly shut the remote access doors and issued new tokens and passwords to the entire workforce. They do say that their systems are secure and nothing notable, like customer/employee/program data, was taken. While defense contractors like Lockheed get probed daily, this is significant since the ‘sources’ are saying that there is a connection between the RSA breach and Lockheed’s. The intruder seemed to have knowledge of some critical information (possibly algorithm, seed, serial, cloned soft key, key gen time) for the current tokens and dropped a key logger on an internal computer. After RSA’s initial announcement, Lockheed did take additional protective measures, like an additional password for remote users but a key logger probably would have sniffed that. Lockheed was fortunate to have caught it quickly but this might be the beginning of the token breach fallout. Lockheed is not the only defense contractor that has been specifically targeted using compromised tokens . L-3 Communications has also been fending off penetration attempts according to reports. In both cases, it appears that the intruders are using both phishing and cloned soft keys to try to attack SecurID systems. Installed malware or phishing campaigns are being used in an attempt to link end-users with tokens. Many companies are increasing PIN lengths and lowering the number of failed attempts before accounts are locked out. Even McAfee is talking about how employees are being approached by strangers in public places looking to gain information. Another breach this past weekend involved PBS. This time, C is for Compromise…and not good enough for anyone. While, according to PBS, no internal networks were exposed, the malicious hackers were able to break into the website and posted a bogus story about Tupac being alive and well in New Zealand. They also posted credentials for PBS’s internal media and affiliate station portals. This was a response to a Frontline story about WikiLeaks called WikiSecrets. Apparently the group that claimed the attack was less than impressed by the program. 2011 started out *relatively* quiet but is now tuning into a banner year for breaches. ps Resources: Data Breach at Security Firm Linked to Attack on Lockheed Lockheed Martin Suffers Massive Cyber attack InsecureID: No more secrets? (Cringely broke the Lockheed story) Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks Unknown hackers have broken into the security networks of Lockheed Martin Corp and several other U.S. military contractors Hackers breached U.S. defense contractors Cyber attack shows constant threat to key intel FRONTLINE statement on PBS hacking PBS Website Hacked Social hackers target McAfee staff in church, at car parks The Big Attacks are Back…Not That They Ever Stopped 3 Billion Malware Attacks and Counting Technology Can Only Do So Much Unplug Everything!2010 Year End Security Wrap
Figured I’d write this now since many of you will be celebrating the holidays over the next couple weeks and who really wants to read a blog when you’re reveling with family and friends. It’s been an interesting year for information security, and for me too. I started the year with New Decade, Same Threats? and wondered if the 2010 predictions of: social media threats, smarter malware/botnets, using the cloud for crime, financial DDoS, rogue software, Mac and Mobile malware, more breaches and a whole host of others would come through. And boy did they. Social media was a prime target for crooks with the top sites as top targets. Users were tricked to accepting and sharing friends that really weren’t friendly and social networks became a new hotbed for malware distribution. As for malware, while many botnets and spam outfits got taken down this year, Stuxnet was certainly the most sophisticated piece of malware researches have seen in a while. Targeting industrial & utility systems along with the ability to reprogram itself, no longer was it my single laptop or a company’s system that had a bull's-eye, although the initial infection is with those systems, it was nuclear facilities, oil refineries and chemical plants that were the ultimate objective. For Cloud Computing, was it Cloud 9 or Cloud Crime when it came to using the cloud for nefarious activities? Many people thought that with the cloud offering a slew of computing power, that it would be a prime way to initiate an attack. We really didn’t see much pertaining to ‘cloud breaches’ even though almost every survey throughout the year indicated that security in the cloud was everyone’s ichiban concern. I covered many of these surveys in my CloudFucius Series, now playing in a browser near you. This article talks about that, the reason we might not have seen much in the way of cloud specific breaches is that many of the data loss repositories do not differentiate between a cloud based and non-cloud attack. In addition, cloud providers are not that willing to spill vulnerabilities that have led to crimes. Share please. Banks and financial institutions were certainly targets this year, why wouldn’t they be, that’s where all the money is. In one incident, about $3 million was stolen from various banks around the world using viruses and more than 100 crooks suspected of running the global cybercrime ring were arrested in the US and UK this September. A 16 year old Dutch kid was arrested last week for a Distributed Denial of Service attack on the MasterCard and Visa websites. And, merging malware, mobile and money stores, the ZeuS Trojan could infect a desktop, capture the user’s bank credentials next time they logged in to their financial institution, popped a dialogue box for the user to ‘include’ their mobile phone for SMS payments, send the phone a fake message & certificate for acceptance and then installed another Trojan on the phone to monitor messages via SMS. Lots of trickery and luck to be successful but still a very scary exploit. And if you think those mobile banking apps are secure, think again. Just last month, a number of those apps were found to have serious vulnerabilities, flaws and holes. Many of those apps have been patched in light of the research but as with any ‘new-ish’ type technology, mobile banking must be locked down before the masses adopt. Too late now. I wrote about corporate espionage both in Today’s Target: Corporate Secrets (2010) and The Threat Behind the Firewall (2009) and this year did not disappoint. Social engineering or convincing someone to give up their info is alive and well but throughout 2010, employees stole secrets from the companies they worked for: Former Goldman Programmer Found Guilty of Code Theft, Greenback engineers guilty of corporate espionage, Ford secrets thief caught red handed with stolen blueprints, and SEC Bares Text of Inept Suspects As They Sold Disney Earnings Info To FBI Agents. These insider events can often be more costly than an external breach. This is by no means an exhaustive list of the breaches, attacks, vulnerabilities, hijacks, frauds, or other cybercriminal activities from 2010. I’d probably be writing through the holidays to get them all. These were just some of the things I found interesting when looking back at my initial blog entry for the year. With 2011 being the Year of the Rabbit, just how much will cybercrimes multiply? ps Resources: Social Life’s a ‘breach’ Security: Malware, Hacks and Leaks: The Top 10 Security Stories of 2010 2010: Looking back at a year in information security Surprising little information about Cloud Computing and Terrorism or Crime Accounts Raided in Global Bank Hack ZeuS attacks mobiles in bank SMS bypass scam Firm finds security holes in mobile bank apps The truth about Mac malware. It's a joke Study: No Hacking Needed when Modern Spies Steal Corporate Data Growth in Social Networking, Mobile and Infrastructure Attacks Threaten Corporate Security in 2011 Ponemon Encryption Trends, 2010 Personal Data For Sale – In time for the Holidays! Synthetic Identity Theft: The Silent Swindler Cybercrime, the Easy Way Dumpster Diving vs. The Bit BucketToday’s Target: Corporate Secrets
Intellectual Property is one of a company’s most precious assets and includes things like patents, inventions, designs, source code, trademarks, trade secrets and more. These formulas, processes, practices and other inside information can differentiate your brand and give a competitive edge in the marketplace. An often cited example is Coca-Cola’s formula or KFC’s 11 herbs and spices. For technology companies it can be their software, hardware design, development process, roadmaps, patents and others pertinent to the company. In F5’s case, we own the patent for Cookie Persistence technology and have had to lawfully protect that valuable intellectual property. A new study from Forrester in conjunction with RSA and Microsoft entitled The Value of Corporate Secrets (pdf) concludes that while companies do focus and invest in compliance driven data security programs like PCI-DSS, they miss the mark on protecting corporate secrets and valuable intellectual property. "Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs. Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programs," according to Forrester Consulting's study. "But secrets comprise 62% of the overall information portfolio's total value while compliance- related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance." (from the RSA press release) Companies spend enormous amounts of time and money protecting the Custodial Data; things like medical & card payment information along with sensitive customer data, as they should and are required to do, yet losing Intellectual Property or Trade Secrets can have long lasting ramifications. The study indicated that loss of sensitive information from employee theft is 10 times more costly to a company than a single accidental loss – ‘hundreds of thousands verses tens of thousands’, the study says. Also, companies are targeted and attacked more frequently the more valuable their information. From the study, the key findings are: Secrets comprise two-thirds of the value of firms’ information portfolios. Compliance, not security, drives security budgets. Firms focus on preventing accidents, but theft is where the money is. The more valuable a firm’s information, the more incidents it will have. CISOs do not know how effective their security controls actually are. The study’s Key Recommendations: Identify the most valuable information assets in your portfolio. Create a “risk register” of data security risks. Assess your program’s balance between compliance and protecting secrets. and Reprioritize enterprise security investments. Increase vigilance of external and third-party business relationships. Measure effectiveness of your data security program. psDan Kaminsky Interview Part I
Peter Silva of F5 sits down with IOActive's Dan Kaminsky. In this extremely informative and lively discussion, the Domain Name System is the topic. DNS infrastructure, DNS vulnerabilities including DNS Cache Poisoning, DNSSEC and what's happened since the discovery of the flaw are all discussed. In 3-10 minute segments.
