Login  |  Register  |  Contact


Wednesday, June 19, 2013

How China Is Different

By Rich

Richard Bejtlich, on President Obama’s interview on Charlie Rose:

This is an amazing development for someone aware of the history of this issue. President Obama is exactly right concerning the differences between espionage, practiced by all nations since the beginning of time, and massive industrial theft by China against the developed world, which the United States, at least, will not tolerate.

Obama’s money quote:

Every country in the world, large and small, engages in intelligence gathering and that is an occasional source of tension but is generally practiced within bounds. There is a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese which is standard fare and we’ve tried to prevent them from – penetrating that and they try to get that information. There’s a big difference between that and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that.

I think a key issue here is whether China recognizes and understands the difference. Culturally, I’m not so sure, and I believe that’s one reason this continues to escalate.


Tuesday, February 19, 2013

Mandiant Verifies, but Don’t Expect the Floodgates to Open

By Rich

Unless you have been living in a cave, you know that earlier today Mandiant released a report with specific intelligence on the group they designate as APT1. No one has ever released this level of detail about state-sponsored Chinese hackers. Actually, “state-employed” is probably a better term. This is the kind of public report that could have political implications, and we will be discussing it for a long time.

The report is an excellent read, and I highly recommend any infosec professional take the time to read it top to bottom. In information security we often repeat the trope “trust, but verify”. Mandiant has received a fair bit of criticism for pointing fingers at China without revealing supporting information, so this time they laid out their cards with a ton of specifics. They also released a detailed appendix (ZIP file) with specific, actionable data – such as domain names, malware hashes, and known malicious digital certificates.

Photo by leinadsimpson -- http://flic.kr/p/7qTUKT

Seriously – read the entire thing. Do not rely on the executive summary. Do not rely on third-party articles. Do not rely on this blog post.

I can’t express how big a deal it is that Mandiant released this information. In doing so they reduced their ability to track the attackers as APT1 (and possibly other teams) adjust their means and operational security. I suspect all the official PLA hackers will be sitting in an OpSec course next week.

I’m generally uncomfortable with the current line between intelligence gathering and common defense. I believe more information should be made public so a wider range of organizations can protect themselves. By the same token, this data is Mandiant’s work product, and whatever my personal beliefs, it is their data to share (or not) as they see fit. Mandiant states APT1 is the most prolific of over 20 APT groups they track in China.

In other words, this is big, but just the tip of the iceberg, and we cannot necessarily expect more reports like this on other groups, because each one impacts Mandiant’s operations. That’s the part of this game that sucks: the more information is made public, the less valuable the intelligence to the team that collected it, and the higher the cost (to them) of helping their clients. I hope Mandiant shares more detailed information like this in the future, but we aren’t exactly entitled to it.

Now if it was financed with public funding, that would be a different story. Oh, wait! … (not going there today).

I strongly believe you should read the entire report rather than a summary, so I won’t list highlights. Instead, below are some of the more interesting things I personally got out of the report.

  • The quality of the information collected is excellent and clear. Yes, they have to make some logical jumps, but those are made with correlation from multiple sources, and the alternatives all appear far less likely.
  • The scale of this operation is one of the most damning pieces tying it to the Chinese government. It is extremely unlikely any ad hoc or criminal group could fund this operation and act with such impunity. Especially considering the types of data stolen.
  • Mandiant lays out the operational security failures of the attackers. This is done in detail for three specific threat actors. Because Mandiant could monitor jump servers while operations were in progress, they were able to tie down activities very specifically. For example, by tracking cell phone numbers used when registering false Gmail addresses, or usernames when registering domains.
  • It appears the Great Firewall of China facilitates our intelligence gathering because it forces attackers to use compromised systems for some of these activities, instead of better protected servers within China. That allowed Mandiant to monitor some of these actions, when those servers were available as part of their investigations.
  • Soldiers, employees, or whatever you want to call them, are human. They make mistakes, and will continue to make mistakes. There is no perfect operational security when you deal with people at scale, which means no matter how good the Chinese and other attackers are, they can always be tracked to some degree.
  • While some data in the report and appendices may be stale, some is definitely still live. Mandiant isn’t just releasing old irrelevant data.
  • From page 25, we see some indications of how data may be used. I once worked with a client (around 2003/2004) who directly and clearly suffered material financial harm from Chinese industrial espionage, so I have seen similar effects myself –

Although we do not have direct evidence indicating who receives the information that APT1 steals or how the recipient processes such a vast volume of data, we do believe that this stolen information can be used to obvious advantage by the PRC and Chinese state-owned enterprises. As an example, in 2008, APT1 compromised the network of a company involved in a wholesale industry. APT1 installed tools to create compressed file archives and to extract emails and attachments. Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the CEO and General Counsel. During this same time period, major news organizations reported that China had successfully negotiated a double-digit decrease in price per unit with the victim organization for one of its major commodities.

  • Per page 26, table 3, APT1 was not behind Aurora, Nitro, Night Dragon, or some other well-publicized attacks. This provides a sense of scale, and shows how little is really public.

Most of the report focuses on how Mandiant identified and tracked APT1, and less on attack chaining and such that we have seen a lot of before in various reports (it does include some of that). That is what I find so interesting – the specifics of tracking these guys, with enough detail to make it extremely difficult to argue that the attacks originated anywhere else or without the involvement of the Chinese government.

Also of interest, Aviv Raff correlated some of this information from other data releases (by Dell SecureWorks and an anonymous pastebin dump):

I repeat: read this report, and hope we see more like it.

Photo by leinadsimpson – http://flic.kr/p/7qTUKT


Wednesday, April 15, 2009

Our Financial System is Under a Coordinated, Sophisticated Attack

By Rich

This is a great day for security researchers, and a bad day for anyone with a bank account.

First up is the release of the 2009 Verizon Data Breach Investigations Report. This is now officially my favorite breach metrics source, and it’s chock full of incredibly valuable information. I love the report because it’s not based on bullshit surveys, but on real incident investigations. The results are slowly spreading throughout the blogosphere, and we won’t copy them all here, but a few highlights:

  1. Verizon’s team alone investigated cases that resulted in the loss of 285 million records. That’s just them, never mind all the other incident response teams.
  2. Most organizations do a crap job with security- this is backed up with a series of metrics on which security controls are in place and how incidents are discovered.
  3. Essentially no organizations really complied with all the PCI requirements- but most get certified anyway.

Liquidmatrix has a solid summary of highlights, and I don’t want to repeat their work. As they say,

Read pages 46-49 of the report and do what it says. Seriously. It’s the advice that I would give if you were paying me to be your CISO.

And we’ll add some of our own advice soon.

Next is an article on organized cybercrime by Brian Krebs THAT YOU MUST GO READ NOW. (I realize it might seem like we have a love affair with Brian or something, but he’s not nearly my type). Brian digs beyond the report, and his investigative journalism shows what many of us believe to be true- there is a concerted attack on our financial system that is sophisticated and organized, and based out of Eastern Europe.

I talked with Brain and he told me,

You know all those breaches last year? Most of them are a handful of groups.

Here are a couple great tidbits from the article:

For example, a single organized criminal group based in Eastern Europe is believed to have hacked Web sites and databases belonging to hundreds of banks, payment processors, prepaid card vendors and retailers over the last year. Most of the activity from this group occurred in the first five months of 2008. But some of that activity persisted throughout the year at specific targets, according to experts who helped law enforcement officials respond to the attacks, but asked not to be identified because they are not authorized to speak on the record.

One hacking group, which security experts say is based in Russia, attacked and infiltrated more than 300 companies – mainly financial institutions – in the United States and elsewhere, using a sophisticated Web-based exploitation service that the hackers accessed remotely. In an 18-page alert published to retail and banking partners in November, VISA described this hacker service in intricate detail, listing the names of the Web sites and malicious software used in the attack, as well as the Internet addresses of dozens of sites that were used to offload stolen data.

Steve Santorelli, director of investigations at Team Cymru, a small group of researchers who work to discover who is behind Internet crime, said the hackers behind the Heartland breach and the other break-ins mentioned in this story appear to have been aware of one another and unofficially divided up targets. “There seem, on the face of anecdotal observations, to be at least two main groups behind many of the major database compromises of recent years,” Santorelli said. “Both groups appear to be giving each other a wide berth to not step on each others’ toes.”

Keep in mind that this isn’t the same old news. We’re not talking about the usual increase in attacks, but a sophistication and organizational level that developed materially in 2007-2008.

To top it all off, we have this article over at Wired on PIN cracking. This one also ties in to the Verizon report. Another quote:

“We’re seeing entirely new attacks that a year ago were thought to be only academically possible,” says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. “What we see now is people going right to the source … and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks.”

If you read more deeply, you learn that the bad guys haven’t developed some quantum crypto, but are taking advantage of weak points in the system where the data is unencrypted, even if only in memory.

Really fascinating stuff, and I love that we’re getting real information on real breaches.


Friday, April 10, 2009

Friday Summary: April 10, 2009

By Rich

It was nearly three years ago that I started the Securosis blog. At the time I was working at Gartner, and curious about participating in this whole "social media" thing. Not to sound corny, but I had absolutely no idea what I was getting myself into. Sure, I knew it was called social media, but I didn’t realize there was an actual social component. That by blogging, linking to others, and participating in comments, we are engaging in a massive community dialogue. Yes, since becoming an analyst I’ve had access to all the little nooks of the industry, but there’s just something about a public conversation you can’t get in a closed ecosystem. Don’t get me wrong- I’m not criticizing the big research model- I could never do what I am now without having spent time there, and I think it offers customers tremendous value. But for me personally, as I started blogging, I realized there were new places to explore. At Gartner I learned an incredible amount, had an amazingly good time, and made some great friends. But part of me (probably my massive ego) wanted to engage the community beyond those who paid to talk to me.

Thus, after seven years it was time to move on and Securosis the blog became Securosis, L.L.C.. I didn’t really know what I wanted to do, but figured I’d pick up enough consulting to get by. I didn’t even bother to change my little WordPress blog, other than adding a short company page.

It’s now nearly two years since jumping ship without a paddle, boat, lifejacket, any recognizable swimming skills, or a bathing suit. We’ve grown more than I imagined, had a hell of a lot of fun, posted hundreds of blog entries, authored some major research reports, and practically redefined the term "media whore". But we still had that nearly unreadable white-text-on-black-background blog, and if you wanted to find specific content you had to wade through pages of search results. Needless to say, that’s no way to run a business, which is why we finally bit the bullet, invested some cash, and rebuilt the site from scratch. For months now we’ve been blogging less as we spent all our spare cycles on the new site (and, for me, having a kid). I realize we’ve been going on and on about it, but that’s merely the byproduct of practically crapping our pants because we’re so excited to have it up. We can finally organize our research, help people learn more about security, and not be totally embarrassed by running a corporate site that looked like some idiot pasted it together while bored one weekend. Which it was.

I asked Adrian for some closing thoughts, and I absolutely promise this will be the last of our self-congratulatory, self-promotional BS. The next time you hear from us, we’ll actual put some real content back out there.


Some of you may not know this, but I had been working with Rich for a couple of months before most people noticed. Learning that was unsettling! I was not sure if our writing was close enough that people could not tell, or worse, no one cared. But we soon discovered that the author names for the posts was not always coming up so people assumed it was Rich and not Chris or myself. It was several months later still when I learned that the link to my bio page was broken and was not viewable on most browsers. We were getting periodic questions about what we do here, other than blog on security and write a couple white papers, as lots of regular readers did not know. It never really dawned on Rich or I, two tech geeks at heart, to go look at how we presented ourselves (or in this case, did not present ourselves). When a couple business partners brought it up, it was a Homer Simpson "D’oh" moment of self-realization. Rich and I began discussing the new site October of last year, and as there was a lot of stuff we wanted to provide but could not because WordPress was simply not up to the challenge, we knew we needed a complete overhaul. And we still were getting complaints that most people had trouble reading the white text on black background. Yes, part of me will miss the black background ..It kind of conveyed the entire black hat mind set; breaking stuff in order to teach security. It embodied the feeling that "yeah, it may be ugly, but it’s the truth, so get used to it". Still, I do think the new site is easier to read, and it allows us to better provide information and services. Rich and I are really excited about it! We have tons of content we need to tune & groom before we can put it public into the research library, but it’s coming. And hopefully our writing style will convey to you that this blog is an open forum for wide open discussion of whatever security topic you are interested in. Something on your mind? Bring it!


And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences:
    Favorite Securosis Posts:
    Favorite Outside Posts:
      Top News and Posts:

      Blog Comment of the Week:

      This week’s best comment was from Allen Baranov on RSA Conference: For Real?:

      Yeah … and it was only after I submitted both my credit card details and PIN number that I realised that I’m not even going to the RSA conference.


      Friday, March 06, 2009

      Gmail CSRF Flaw

      By Adrian Lane

      Yesterday morning I read the article on The Tech Herald about the demonstration of a CSRF flaw for ‘Change Password’ in Google Mail. While the vulnerability report has been known for some time, this is the first public proof of concept I am aware of.

      “An attacker can create a page that includes requests to the “Change Password” functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker,” the ISecAuditors advisory adds.

      The Google response?

      “We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user’s password within the period that the user is visiting a potential attacker’s site. We haven’t received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this.”

      Uh, maybe, maybe not. Last I checked, people still visit malicious sites either willingly or by being fooled into it. Now take just a handful of the most common passwords and try them against 300 million accounts and see what happens.

      How does that game go? Rock beats scissors, scissors beat paper, and weaponized exploit beats corporate rhetoric? I think that’s it.

      –Adrian Lane

      Saturday, January 24, 2009

      How Much Security Will You Tolerate?

      By Adrian Lane

      I have found a unique way to keep anyone from using my iMac. While family & friends love the display, they do not use my machine. Many are awed that they can run Windows in parallel to the Mac OS, and the sleek appearance and minimal footprint has created many believers- but after a few seconds they step away from the keyboard. Why? Because they cannot browse the Internet. My copy of Firefox has NoScript, Flashblock, cookie acknowledgement, and a couple of other security related ad-ons. But having to click the Flash logo, or to acknowledge a cookie, is enough to make them leave the room. “I was going to read email, but I think I will wait until I fly home”.

      I have been doing this so long I never even notice. I never stopped to think that every web page requires a couple extra mouse clicks to use, but I always accepted that it was worth it. The advantages to me in terms of security are clear. And I always get that warm glow when I find myself on a site for the first time and see 25 Flash icons littering the screen and a dozen cookie requests for places I have never heard of. But I recognize that I am in the minority. The added work seems to so totally ruin the experience and completely turn them off to the Internet. My wife even refused to use my machine, and while I think the authors of NoScript deserve special election into the Web Security Hall of Fame (Which given the lack of funding, currently resides in Rich’s server closet), the common user thinks of NoScript as a curse.

      And for the first time I think I fully understand their perspective, which is the motivation for this post. I too have discovered my tolerance limit. I was reading rsnake’s post on RequestPolicy Firefox extension. This looks like a really great idea, but acts like a major work inhibitor. For those not fully aware, I will simply say most web sites make requests for content from more than just one site. In a nutshell you implicitly trust more than just the web site you are currently visiting, but whomever provides content on the page. The plugin’s approach is a good one, but it pushed me over the limit of what I am willing to accept.

      For every page I display I am examining cookies, Flash, and site requests. I know that web security is one of the major issues we face, but the per-page analysis is not greater than the time I spend on many pages looking for specific content. Given that I do a large percentage of research on the web, visiting 50-100 sites a day, this is over the top for me. If you are doing any form of risky browsing, I recommend you use it selectively. Hopefully we will see a streamlined version as it is a really good idea.

      I guess the question in my mind is how much security will we tolerate? Even security professionals are subject to the convenience factor.

      –Adrian Lane

      Wednesday, December 17, 2008

      External Database Procedures

      By Adrian Lane

      Just ran across this ‘new’ SQL Server vulnerability in my news feed. This should not be an issue because you should not be using this set of functions. If you are using external stored procedures on a production database, stop. In fact, you want to stop using them altogether by either locking them down or removing them entirely. Not just because of this reported instance. External stored procedures exploits are favorites of database hackers, and have been used to alter database functionality and to run arbitrary code, both externally and internally launched attacks! SQL Server has historically had issues with buffer overflow attacks (See Microsoft Technical Bulletin MS02-020) against the pre-built procedures, and while known issued have been cleared up, XP’s are a complex and powerful extension ripe for exploits.

      The database vendors in general recommend as a security best practice the restriction of these to administrative use at a minimum. Even then it violates the best practice of segregation of the OS / database functionality required by compliance and operational security. Use of external stored procedures is flagged by all of the database vulnerability assessment tools, as both a security and a compliance issue. And in case you think that I am picking on SQL Server, many similar problems have been reported on Oracle ExtProc as well.

      The DBA in me loves the ability to run native platform utilities to support database admin efforts. It’s a really handy extension, and I know it is tempting to leave these on the database so you can make admin easier, but you will be relying upon security through obscurity. It is a really big risk in a production environment and one that every database hacker will have scripts to find and exploit.

      –Adrian Lane

      Tuesday, November 11, 2008

      Data Discovery & Classification

      By Adrian Lane

      I was reading the RSA report on the Torpig/Sinowal trojan while stuck at the airport for several hours last Thursday. During my many hours of free time I overheard some IT executive discussing the difficulties of implementing data discovery and classification with his peers. I did not catch the name of the company, and probably would not pass it along even if I had, but the tired and whiny rant about their associated failures was not unique. Perhaps I was a bit testy about having to sit in an airport lobby for eight hours, but all I could think was “What is wrong with you? If hackers can navigate your data center, why can’t you?”

      That’s where the RSA report just gelled my thoughts on the subject. If a small group, quite literally a handful of hackers, can use Torpig & BlaBla to steal hundreds of thousands of credit card numbers, steal accounts and passwords, install malicious software at multiple company sites … all without being provided credentials, access rights or a specific map of your IT infrastructure … why can’t your company classify its own data and intellectual property assets? You would think that a company, given a modest amount of resources, could discover, classify and categorize its own data. I mean, if you paid someone full time to do it, don’t you think you could get the job done?

      Some of the irritating points that they raised …

      “Data in motion made it difficult to track”: So what- the hacker tools are kept running and they never stopped scanning. Nor did they give up on the first try; rather they periodically modified their code to adapt for location and type of data, and they were persistent. You should be too.

      “Difficulty to classify the data” and “Can’t find stuff you know is there”: So what- hire better programmers. Pressure vendors for better tools. Can’t afford expensive software? There is open source code out there to start with; hackers can do it, so can you. There is at least a dozen programatic ways to analyze data, through content or even context, and probably even more ways to traverse/crawl/inspect systems. If the application your company uses it can find it, so can you.

      “Size of the project is difficult to manage”: So what- divide and conquer. Take a specific set of data you are worried about and start there. Compliance group breathing down your neck to meet XYZ regulation? Pick one category (customer accounts, credit card data, source code, whatever. Tune your tools and policies (you did not really think you were going to get perfection out of the box did you?), address the problem and move on. If you are starting with an ISACA or Cobit framework and trying to map a comprehensive strategy, stop making the problem more complex than it is. Hackers went for low hanging fruit; you should too.

      “The results are not accurate”: So what- your not going to be 100% right all the time. The hackers aren’t either. Either accept 95-99% accuracy, or try something different. Or maybe your policy is out of line with reality and needs to be reconsidered.

      “Expensive” and “Takes too much in the way of resources”: No chance! If hackers can run malware for 18 months at TJX and related stores UNDETECTED, then the methods used are not resource hogs, nor did they invest that much money in the tools.

      Some times, you just got to stop whinin’ and git ‘er done!

      –Adrian Lane

      Wednesday, July 16, 2008

      Stolen Data Cheaper

      By Adrian Lane

      ‘It’s rare I laugh out loud when reading the paper, but I did on this story. It is a great angle on a moribund topic, saying that there is such a glut of stolen finance and credit data for sale that it is driving prices down.

      LONDON (Reuters) - Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says.

      The thieves are true capitalists, and now they are experiencing one of the downsides of their success. What do you know, “supply and demand” works. And what exactly are they going to do to boost profit margins? Sell extended warranties? Maybe it is just the latent marketeer in me coming to the fore, but could you just imagine if hackers made television commericals to sell their wares? Cal Hackington? Crazy Eddie’s Datamart?

      It’s time to short your investments in Cybercriminals, Inc.

      –Adrian Lane

      Wednesday, June 11, 2008

      There Are No Safe Web Sites

      By Rich

      I spend a reasonable amount of time writing security articles for the consumer audience over at TidBITS, never mind this site. When I talk about browser security, one of my top tips is to avoid risky behavior and “those” sites. Although that’s pretty standard advice, it’s become a load of bollocks, and I can no longer give it in good conscience.

      I spend a lot of time these days focusing on web application security and talking with some of the leading web app researchers like Rnake and Jeremiah Grossman. It’s increasingly obvious that a combination of cross site scripting and some more nefarious web app attacks are destroying the concept of “safe” websites. We’ve seen everything from banks, to security vendors, to advertising servers, to major providers like Google and Yahoo, fall victim to attacks where malicious content is embedded or executed in the context of the trusted sites. PayPal may make a big deal about extended validation digital certificates and colorful anti-phishing banners, yet an EV cert doesn’t do squat if the bad guy sneaks in a little malicious JavaScript and you’ve now run the nasty code in a trusted context.

      Today, Dark Reading ran an article on some major security sites with cross site scripting vulnerabilities. Combined with a few beers with Rsnake last week, it pushed me over the edge.

      These days, it’s hard to call any site trusted. Thats one reason I’ve shifted to my multi-browser/multi-operating system strategy. Realistically, I can’t tell everyone in the world to adopt my level of paranoia. In part because as bad as things are, most people aren’t suffering real damage because of it. That said, it strongly emphasizes the need not only to keep your system up to date, but to at least split browsers for financial vs. regular sites.

      It also strongly points to the need to change the fundamental trust model of browsers, and to push us in the security industry towards solutions like ADMP and browser session virtualization (or better yet, a combination of both).

      This isn’t a “the world is ending” post. It’s merely a recognition that “safe” browsing is only a partial security control these days, and one that’s losing effectiveness. We need to think about adopting new strategies before we start seeing more mass exploitation leveraging commonly trusted sites. One that transcends current browser trust models, which do little but make life easier for the smart attackers who take advantage of them.

      Oh yeah, and stop wasting money on EV certs.


      Tuesday, March 18, 2008

      Picking Apart The Hannaford Breach- What Might Have Happened

      By Rich

      There goes another one.

      According to multiple sources, the Hannaford Brothers grocery chain suffered a major breach with 4.2 million credit cards exposed. Hannaford had published an FAQ for their customers. Odds are it will be months until we find out what really happened, but I’m going to speculate anyway, pick apart the press coverage and FAQ, and see if we can learn something from this now.

      As usual, the information released is incomplete and contradictory.

      PORTLAND, Maine (AP) - A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday. Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed. The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

      This is interesting since there is a direct tie to fraud, as opposed to many other breaches. This often means the fraud was detected in the credit system and then traced back to the retailer, which seems to be what happened based on the FAQ. As a researcher it’s always helpful to be able to tie the breach to illegal activity. This does, of course, suck for the victims, but as long as it’s credit card fraud they are protected.

      Since the information was stolen during the authorization process, and was distributed over many locations, it means a compromise of the central authorizations system or the credit card processor. It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application. My money is 70% on sniffing, 30% on something in the database.

      No personal data such as names, addresses or telephone numbers were divulged - just account numbers.

      This can’t be true. Without names, the card numbers are unusable.

      Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough. “We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”

      This reinforces the likelihood of a network breach and sniffing, assuming the statement is true. How was the network breached? Could be any one of hundreds of ways. Targeted phishing and compromise of the central network from a remote location are common. I can’t add anything more than pure speculation on this one.

      The company urged its customers to monitor their credit and debit cards for unusual transactions and report any problems to authorities.

      Actually, card issuers should reissue the cards and just eliminate the chance of greater fraud. This is irresponsible. Since this is just loss of credit cards, there is no need for identity theft protection.

      Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said. “I had expected there would be more than we’ve heard of,” Walker said. “But it’s still too early for us to tell.”

      Strange- I consider 1,800 to be a large number. It could be that the fraud was performed directly in the Hannaford system or something. Or this is an erroneous statement.

      The FAQ gives us a little more information and narrows things down.

      What happened? Hannaford announced containment of a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. This data was illegally accessed from Hannaford”s computer systems during the card verification transmission process in transactions. Further, Hannaford is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected

      Somewhat contradictory, with a mention of data security and network, but I don’t expect everyone to be as picky about those details as we are. I suspect the last sentence means fraud alerts are in place, and cards are probably being reissued to some extent.

      When did you discover the intrusion? Hannaford was first made aware of suspicious credit card activity on Feb. 27, and immediately initiated a comprehensive investigation with the assistance of leading computer security experts

      Bingo. It was detected by the banks or credit card companies, then brought to Hannaford.

      Is it safe to continue shopping in your stores? We have continually devoted significant round-the-clock resources to ensure Hannaford has comprehensive data security systems in place. For example, our security measures meet industry compliance standards and many go above and beyond what is required by industry standards.

      In other words, PCI is worthless.

      In conclusion, it looks like some sort of a network breach (which could be anything from phishing/malware to compromise from a retail location to a full network hack). A sniffer was possibly installed, since it seems they don’t keep credit card information (again, assuming statements are true). The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain. Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part.

      How to prevent this?

      We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.


      p style=”text-align:right;font-size:10px;”>Technorati Tags: ,


      Thursday, January 10, 2008

      Why You Shouldn’t Run An Open Wireless Network Like Bruce (Or Chuck Norris)

      By Rich

      Bruce Schneier is one of the more venerated figures in the information security world, and rightfully so. But reading his article in Wired today, I think he might want to stick to encryption. (I know and like Bruce, so this isn’t a personal attack.)

      Bruce has long bragged that he runs a totally open home wireless network. He considers it a kind of “pay it forward” charity. I love open WiFi and don’t have a problem with free access. Someday I might even open up part of my own network, although it’s probably not worth it considering where I live.

      Bruce breaks the potential security risks down into two categories:

      1. Somebody abusing his network for illegal activity- spam, file sharing, attacking other systems, and so on.
      2. Connecting to his network and attacking his home systems.

      He evaluates these risks as acceptable:

      1. Odds are a bad guy will use one of the five open, anonymous coffee shops down the street rather than parking in front of his house for (probably) hours on end. By saying that he instantly guarantees that some prankster will park their VW van out front and spam everyone from “Bruce Schneier’s House”. Perhaps not, but he does accurately outline the potential legal risks.
      2. In his own words, “I’m also unmoved by those who say I’m putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it’s on, then it simply doesn’t matter. And if my computer isn’t secure on a public network, securing my own network isn’t going to reduce my risk very much.”

      While these risks might be acceptable to Bruce, I don’t recommend them for anyone else, including myself.

      1. Depending on population density, your risk of abuse of an open network may be higher. I could open part of my network in my current location without much worry, but I’ve previously lived in places where the pedophile living below me would take advantage of an open network. That’s not an exaggeration- for most of the time I lived in a particular condo in Boulder the person below me was known for risky activity. Never convicted, but concerning enough I sure as hell wouldn’t want him on my network. The risk of the RIAA going after you might also be higher if you live someplace with enough close neighbors that it’s worth someone’s effort to use your network to mask their activity. It’s a low risk for me where I am now, but has been high in the past.
      2. Very few people have the skills to secure their home network to the same degree as Bruce. I also suspect his network wouldn’t withstand a penetration test by a determined attacker. My home network is very secure; all systems are patched, firewalls turned on, and trust relationships are minimal. That said, I know I could crack it. I don’t encrypt all traffic (wireless is all WPA2 though) and I have some open file shares. Why? Because it’s “secure enough” for my home, and anything that leaves the walls and connects through the public Internet is totally locked down. In some cases, thanks to my consumer devices, I’m limited in the amount of security I can apply.

      I wouldn’t make a big deal out of this, but Bruce is a role model to those interested in security. I can guarantee at least a few people will open up their networks to emulate Bruce, and be the worse for wear because of it.

      He also mentions the risk of violating his ISP’s terms of service:

      Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn’t a big risk either. The worst that will happen to you is that you’ll have to find a new ISP.

      To give the press quote, if Bruce is doing this himself it looks like he has appropriately evaluated his personal risks and they are within his personal tolerance. If he’s recommending this to others, that’s just plain stupid.

      I’ve thought about opening my own access up via a separate, segregated segment, but it’s not worth the effort since almost no one around me would need it.

      Don’t follow Bruce’s example- he’s an industry pundit making a point. If you want to open up your wireless network, and are comfortable violating the terms of agreement with your ISP, please use a well-segregated open access point. Don’t just let anyone wander around and see what’s on your TiVo (since all TiVos have an open web server you can’t lock down without hacking, it ain’t that unusual a risk).

      Oh, and the Chuck Norris thing?


      Thursday, January 03, 2008

      Second Major Privacy Breach At Sears: Very Bad Logical Flaw

      By Rich

      Sears isn’t having much luck these days.

      First, they install spyware on their customers’ computers. If you “join the Sears community”, they install a proxy on your computer and intercept all web traffic.

      Ugly, ugly, idiocy.

      Now, it turns out they have a major logic flaw on their website. As reported by Brian Krebs at Security Fix, anyone can see anyone else’s purchase history with just their name, address, and phone number. Have those white pages handy? It seems to cover both online and offline purchases.

      If you’re not paying attention to logic flaws in your databases and applications, this is a great example. While it’s good to make life easy for your customers, it’s bad when you make it easy for your next door neighbor to figure out if you really bought those new hedging shears that coincidentally look just like the ones they lost out of their shed last month.

      This exploit was easily preventable with just a modicum of thought and the most cursory security review. Sears is too big a company to make this kind of mistake.

      And the spyware? Sheer stupidity by someone in marketing is my guess. Maybe they and whoever screwed up at Sony BMG went to the same marketing school.


      Saturday, December 15, 2007

      End Of Year Humor And Awareness: No Folks, Hoff Didn’t Pwn Me

      By Rich

      Chris Hoff and I decided to have a little fun and fake some back and forth exploits to highlight some security risks. It’s nearing the end of the year; either crunch time for some of you, or boring time for the rest. We figured a little humor couldn’t hurt in either case. We decided to blow this open early so it doesn’t get away from us.

      The attack Chris described could clearly work, but I’m surprised more people didn’t pick up the holes. While I do have a home automation system (but no cameras) I don’t know of any that use SCADA-based technologies. Then again, SCADA is going all IP so it might not be a stretch to define my system that way. For the record, I use an Insteon system but haven’t finished implementation yet.

      Bonus points to the commenters that noticed there’s no way I’d have a yard with that much green in Phoenix.

      The idea of the Quicktime rtsp attack was completely real. Until Apple released the patch a day or so ago, the only defense was avoiding clicking on potentially hostile links. I trust Chris, and would click on most things he sends me. Outbound filtering (which I do one one of my machines) could block the request unless it directed me to an unusual port; something Chris is capable of.

      The idea of pwning my workstation is dead on- and one reason I often recommend SCADA workstations be isolated from the Internet. I don’t have to take over your SCADA network if I can take over the workstation and do whatever I want when you aren’t looking.

      We were planning on highlighting a few other attack vectors in the next few days. Among them was a fake pretexting of Chris’s phone (we had a viable way for me to get his SSN) and username/password sniffing from wireless access points. All are common vectors that even us security pros are a little lax with sometimes.

      I suspect most of you enjoyed this, and we’ll come up with something more creative for April 1.


      Thursday, December 13, 2007

      Dark Reading Column Up- The Perils of Predictions & Predicting Perils

      By Rich

      My second monthly column is up over at Dark Reading; The Perils of Predictions & Predicting Perils.

      This is not your ordinary year-end prediction special. Here’s an excerpt:

      As the end of the year approaches, a strange phenomenon begins. As we relax and prepare for the holidays, we feel a strange compulsion to predict the future. For some, this compulsion is so overwhelming that it bursts the bounds of late night family dinners and explodes onto the pages of blogs, magazines, newspapers and the ever-dreaded year-end specials on TV. Ah, year’s end. Legions of armchair futurists slobber over their keyboards, spilling obvious dribble that they either predict every year until it finally happens or is so nebulous that they claim success if a butterfly flaps its wings in Liechtenstein. As you can tell, I’ve never been the biggest fan of these year-end predictions, especially in the security business. Since the days of the slide rule, scores of pundits have consistently, inaccurately predicted a devastating SCADA attack or the next big worm.

      Instead, I focus on two major threat trends and the security innovation they are inspiring. My favorite line in the column is near the end, so I’ll pull it out:

      Vulnerability scanning, secure software development, and programmer security training cannot solve the Web application security problem.

      I’ll leave you with two words: anti-exploitation, but you should really go read the article.