Apr 21, 2008
If your CEO received an email stating that your company was being sued in Federal court and that he had to install software to view the court documents properly, what are the chances that he’d do it without thinking? They’re probably pretty good, since the fear of a lawsuit would outweigh any concern over malware, even if yours is a CEO who’s prone to think about security when it comes to his computer. Network World is stating that this may be one of the biggest examples of spear phishing so far. And the reason it works is that it does such a good job of playing on one of the biggest fears many CEOs have: getting sued.
I’ll be honest, even as a security professional, I might have fallen for this one. It’s scary the amount of detail that went into crafting these emails. The name, address, phone number and other corporate information are correct, eliminating one of the easiest ways to determine if an email is spam or a phishing attack. The same group is suspected of being responsible for a similar attack last month. Given that Verisign says that over 1,800 CEOs have been compromised, that’s a lot of corporate information that’s now in the hands of criminals, even if only a small fraction of those result in data leakage. To make matters even better, the major AV vendors can’t even catch the malware used on this one; this backs up a comment I heard on PauldotCom recently stating that even the best AV vendors are missing 20-30% of all viruses out there today.
This is a really good argument for egress filtering on the firewalls. That’s not enough by a long shot, but it’s a start. We can’t prevent our CEOs from installing software and we can’t blame them if our anti-virus/anti-malware manufacturers can’t catch this stuff. The best we can hope to do is limit the impact of a compromise such as this. Next time your CEO wants access to the company databases, point him to this article as a valid reason to just say no.
Mar 18, 2008
A grocery store chain of about 1500 stores, Hannaford Brothers and Sweetbay, reported on February 27th that they’d been compromised and 4.2 million credit card and debit card numbers had been stolen. While the details in the InfoWorld article are scarce, one interesting aspect of this compromise is that the card data was stolen in the authorization phase of the process. This means the attackers either compromised a border system responsible for the authorization or they compromised the network itself and were able to capture authorization traffic directly. These are the only two places credit card data should be appearing unencrypted.
There has been some identity theft associated with this compromise, but here’s the silver lining: Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses. This, in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have a record of every embarrassing purchase you’ve ever made. The downside to this lack of association between card numbers and cardholder names is that they have no way of knowing who should be contacted about the breach. I’m not sure if that will absolve them of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either.
I’m glad to hear that at least one company has disassociated the data in this way, making it harder on the attackers. I can only assume that this is because the chain is owned by a Belgian company; the European laws concerning privacy and the data collected on customers are much stricter than anything we have in the US. What I’ve chosen to view as a bit of forward thinking by an American grocery chain may be nothing more than an attempt to comply with European Union laws. In either case, it’s to the benefit of Hannaford Brothers’ and Sweetbay’s customers.
Jan 24, 2008
One of the basic tenets I’ve been living with for a while is that if it’s online, it’s public. I consider everything I write online to be available to the public, whether it’s something I blog about, something I write on a closed mailing list or something I put on a social networking site. Most people don’t realize how true that really is and that their data is only a couple of lines of code from being posted all over the Internet at the best of times. Half a million MySpace users found out this week exactly how true that is; the photos they considered private were recently placed online in a 17 GB file.
One of the things I find mildly surprising is that the creator of the file, DMaul, says he hasn’t found any photos that were “obviously illegal”. I guess that means the folks doing bad things on the Internet are smart enough not to place photographic proof on a social networking site. The good news is even if your pictures were amongst those downloaded, the sheer size of the file is enough to keep most people from downloading it. Someone might index the files and place them in an online database though, which would make things interesting again.
The average end user thinks their information is safe with their social media company, if they think about it at all. But this isn’t the case, whether due to a vulnerability similar to what MySpace suffered or a business model that makes your private information a commodity like Facebook’s Beacon. This is a lesson we’ll have to teach our friends and end users, along with others like “never accept links from a stranger” and “don’t open unknown files”.
Jan 18, 2008
It’s a legitimate question to ask if “The New Face of CyberCrime” is a documentary on the state of security or just a marketing piece for Fortify. They could have easily made a 20-minute movie that was all about Fortify, but they didn’t. The movie was a short, straightforward look at some of the issues facing Internet users today regarding the security of the Internet. There are bad people out there and they’re becoming more organized in their efforts to get your data. It was meant to mildly shock the members of your board room or a class you might be teaching, without sending too strident a message. Fortify hit their goal of making a movie that could be used to educate end users who aren’t that familiar with the Internet.
There were two things that disappointed me about the film though. The first was that there was nothing in the film that the audience hadn’t seen or read before. Much of the film was like reading an article from any one of the half dozen glossy security magazines that come out on a monthly basis. They rehashed many of the same subjects we’ve seen before, with many of the people we’ve all read before. There were a lot of people in the audience who would have liked to see something that added to the body of knowledge, not just rehash what we know. In the director’s defense, we weren’t his target audience. He was aiming for people who were like himself and barely understood computers.
The second thing I thought the film was lacking was a call to action. There was enough information in the movie to scare some people, but there was no “now go do this…” in the movie. There was a slight bias towards securing the applications, but nothing you’d notice if you weren’t in a theater surrounded by Fortify staff. But there was no suggestion of something to do about it, no suggestion of where to look for further information. If the film works and there’s an emotional charge worked up by viewing the film, you want to give people something to do with that energy. But I guess that’s for the person presenting after the film to take control of. The director says they thought of that, but that any call to action would have made The New Face of CyberCrime into a marketing piece, and he may be right.
I went into The New Face of CyberCrime expecting to see something new and interesting; instead I saw RSnake pointing to a screen while saying “Cross site scripting” a number of times and a good view of Marcus Ranum’s backyard. It wasn’t what I was hoping for; I would have liked to have heard some of the deeper conversations that went around the sound bites. But I think the movie was what Fortify and the director were hoping for. The New Face of CyberCrime would make a good brown bag lunch movie, something where you lead a conversation afterwards and educate your users. As far as using it in the board room though, I’m not too sure I’ve ever worked in a company where I could get the board to listen to me for 20 minutes, let alone watch a movie that long.