<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Dinesh Mistry:&#187; Security</title>
	<atom:link href="http://www.dman.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dman.com</link>
	<description>Search Engine Optimization, InfoSec and Ethical Hacking</description>
	<lastBuildDate>Wed, 25 Jan 2012 17:38:47 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Verizon Data Breach Report 2011</title>
		<link>http://www.dman.com/verizon-data-breach-investigations-report-2011/</link>
		<comments>http://www.dman.com/verizon-data-breach-investigations-report-2011/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 18:09:22 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[2011]]></category>
		<category><![CDATA[Data Breach Report]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=615</guid>
		<description><![CDATA[Metrics, Interpretations, and Action Plans It’s that time of year again! I just got my hands on the 2011 edition of the Verizon/SS Data Breach Report, and I figured I’d take a moment to share my thoughts. First of all, note that the scope of the report now includes approximately 800 “incidents” from the year [...]]]></description>
			<content:encoded><![CDATA[<h2>Metrics, Interpretations, and Action Plans</h2>
<p>It’s that time of year again! I just got my hands on the 2011 edition of the Verizon/SS Data Breach Report, and I figured I’d take a moment to share my thoughts.</p>
<p>First of all, note that the scope of the report now includes approximately 800 “incidents” from the year prior; last year’s report was comparable in size, covering 761 events. Next, I observe that this report is by no means “complete;” while a good deal of the year’s most significant incidents have been covered, there are likely thousands of noteworthy data points which have been overlooked or otherwise left out.</p>
<p>Now, the report:</p>
<div><a href="http://www.dman.com/wp-content/uploads/2011/04/thegood.png"><img class="aligncenter size-full wp-image-625" src="http://www.dman.com/wp-content/uploads/2011/04/thegood.png" alt="The Good" width="488" height="295" /></a></div>
<p>Verizon has some good news and some bad news; the good news – only 76% of recorded data breach targets were servers in 2010, compared to much higher percentages in 2009 and 2008. However, this implies that the focus has shifted towards endpoint and social targets, which is very bad news, indeed. Probably nothing ground-breaking at this point, but this demonstrates the consistent challenge corporations face in raising enterprise-wide security awareness; we have erected multi-million dollar defense systems, and continue to monitor our logs for interesting traffic, but we cannot fix “people” problems with products. Additionally, note that – of the breaches reported – we continue to see a steady decline in those involving multiple parties, as well as business partner attacks. This is good news to corporations, as it indicates continued success in technical and business measures to control outsider access to enterprise resources.</p>
<p><a href="http://www.dman.com/wp-content/uploads/2011/04/thebad.png"><img class="aligncenter size-full wp-image-627" src="http://www.dman.com/wp-content/uploads/2011/04/thebad.png" alt="" width="488" height="295" /></a></p>
<div>
<p>Deficiencies Based upon USSS/Verizon Breach Investigation Report</p>
</div>
<p>Next, I’d like to take a look at some of the numbers which rose consistently between the three recent years. Specifically, I’d like to dwell on the “Employed Physical Attacks” metrics; over a 3-year window, this percentage has tripled (with little fluctuation in data set size in the prior 2 years), indicating a continued focus on technical security. While improved technical security may prevent a good deal of data breaches, it is not a holistic solution, and often results in “sore thumb” deficiencies.</p>
<p><a href="http://www.dman.com/wp-content/uploads/2011/04/theugly.png"><img class="aligncenter size-full wp-image-635" src="http://www.dman.com/wp-content/uploads/2011/04/theugly.png" alt="" width="629" height="377" /></a></p>
<div>
<p>Trends that are Not Necessarily Consistent based upon USSS/Verizon Breach Investigation Report</p>
</div>
<p>Finally, I’d like to focus on the metrics provided which seemed to fluctuate between the reports issued in 2009, 2010, and 2011; note that, in 2010, the size of the breach “pool” increased <em>tremendously</em> with the inclusion of the US Secret Service data. Due to this, I would like to focus primarily on the metrics that rose between the 2010 and 2011 reports. Most specifically, I am concerned when I see the HUGE rise in percentage of breaches that have been discovered by a third party (+25% over a year, +17% over two years). While I’m sure corporate log monitoring initiatives have started to kick off, what is being done today is NOT enough. With “blended” attacks on the rise, there is a growing business case for event correlation and collective log management &amp; review; if enterprise shops do not take action on this item, this number will rise exponentially. On a similar note, I observe that a steady (though slightly rising) portion of the reported breaches have been deemed avoidable, in retrospect, via simple or intermediate controls. These controls may include password policy <em>enforcement</em>, implementation of stateful packet inspection on firewalls, and security-focused Quality Assurance for web application content (among others). The effectiveness of such measures should be audited periodically.</p>
<p>Wrapping up:</p>
<ul>
<li>Shift in focus from Servers to Endpoints and Staff</li>
<li>Shift to Physical Compromise, as opposed to Technical</li>
<li>Social Compromise percentage consistent between 2009 and 2011 reports, although 2010 report indicates huge increase</li>
<li>VAST majority of breaches are avoidable through simple controls</li>
<li>Insider attacks are down, as are business partner breaches</li>
<li>Third parties are disclosing breaches before first parties</li>
</ul>
<p>Action Items:</p>
<ul>
<li>Know your assets
<ul>
<li>Accurate, comprehensive, and authoritative inventory is encouraged</li>
<li>Not just servers and endpoints, but identity assets as well</li>
<li>Pre-requisite to next item:</li>
</ul>
</li>
<li>Monitor your logs
<ul>
<li>Consider Event Collaboration &amp; Correlation tools (not necessarily a product or a service, this can be a series of well-crafted scripts); note that the return presented by a product will be extremely limited, based upon organizational structure.  From my limited perspective, I see that most enterprise organizations should have comprehensive identity and asset inventory systems to get the most out of vendor SIEM products.  Even with SIM/SEM, individuals need to review their relevant logs frequently</li>
</ul>
</li>
<li>Invest in simple, easily monitored, controls (such as account usage policies, password complexity and refresh requirements, etc)
<ul>
<li>If they are already in place, audit your controls for effectiveness; more importantly, adjust accordingly</li>
</ul>
</li>
<li>Continue to raise enterprise awareness against breach indicators, consider random employee awareness drills</li>
<li>Continue to raise enterprise awareness against physical security threats, enforce physical security policies (for example, laptops must be locked and docked within the office)</li>
<li>Secure your endpoints, aggregate event logs, AV logs, etc. from workstations to a common environment for review</li>
</ul>
<p><a title="What We Can Learn from The 2011 Data Breach Report" href="http://www.jasonstultz.com/2011-verizon-usss-breach-investigation-report/" target="_blank">Original Blog Post</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/verizon-data-breach-investigations-report-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Comodo RA Compromise</title>
		<link>http://www.dman.com/comodo-ra-compromise/</link>
		<comments>http://www.dman.com/comodo-ra-compromise/#comments</comments>
		<pubDate>Wed, 23 Mar 2011 20:06:59 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[comodo]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=593</guid>
		<description><![CDATA[On March 15th 2011, a Comodo affiliate RA was compromised resulting in the fraudulent issue of 9 SSL certificates to sites in 7 domains. Comodo claims no root keys, intermediate CAs or secure hardware was compromised. The compromise occurred at an affiliate who is authorized to perform primary validation of certificate requests. The RA account [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.dman.com/wp-content/uploads/2011/03/comodo_ssl_logo.jpg"><img class="alignleft size-full wp-image-595" title="comodo_ssl_logo" src="http://www.dman.com/wp-content/uploads/2011/03/comodo_ssl_logo.jpg" alt="" width="211" height="89" /></a>On March 15th 2011, a Comodo affiliate RA was compromised resulting in the fraudulent issue of 9 SSL certificates to sites in 7 domains. Comodo claims no root keys, intermediate CAs or secure hardware was compromised. The compromise occurred at an affiliate who is authorized to perform primary validation of certificate requests. The RA account in question has been suspended pending on-going forensic investigation.</p>
<p>The attack came from several IP addresses, but mainly from Iran.</p>
<table border="0" cellspacing="0" cellpadding="0" width="550">
<tbody>
<tr>
<td colspan="2" valign="top"><strong>IP Address Location</strong></td>
</tr>
<tr>
<td colspan="2" valign="top"> </td>
</tr>
<tr>
<td valign="top">IP Address</td>
<td valign="top"><strong>212.95.136.18</strong></td>
</tr>
<tr>
<td valign="top">City</td>
<td valign="top"><strong>Tehran</strong></td>
</tr>
<tr>
<td valign="top">State or Region</td>
<td valign="top"><strong>Tehran</strong></td>
</tr>
<tr>
<td valign="top">Country</td>
<td valign="top"><strong>Iran, Islamic Republic of</strong></td>
</tr>
<tr>
<td valign="top">ISP</td>
<td valign="top"><strong>Pishgaman TOSE Ertebatat Tehran Network. </strong></td>
</tr>
<tr>
<td valign="top">Latitude &amp; Longitude</td>
<td valign="top"><strong>35.696111 51.423056 </strong></td>
</tr>
</tbody>
</table>
<p style="text-align: justify;">The affected domains according to Comodo are:</p>
<ul>
<li>login.live.com</li>
<li>mail.google.com</li>
<li>www.google.com</li>
<li>login.yahoo.com (3 certificates)</li>
<li>login.skype.com</li>
<li>addons.mozilla.org</li>
<li>Global Trustee</li>
</ul>
<p>Comodo has revoked these certificates and listed them in its revocation list. Microsoft also is releasing an update that will blacklist these certificates.</p>
<p>The attacker obtained a username and password to log into the partner&#8217;s systems and was able to issue the fraudulent certificates. According to Comodo, the breach was discovered quickly and they are pretty sure that the attacker only issued the now blacklisted certificates.</p>
<p>Was this a state-driven attack? Iran recently deployed DPI (Deep Packet Inspection), high-end network equipment that uses ultra-fast microchips to read and classify internet traffic in transit. The Iranian authorities used DPI to detect the highly specific parameters Tor uses to establish an encrypted connection. The Tor project developers have since redesigned the software so that its traffic looks just like any other when it sets up an encrypted connection, and Iranian Tor users are now back to normal.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/comodo-ra-compromise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google to remove malware by reaching into your Android Device</title>
		<link>http://www.dman.com/google-to-remove-malware-by-reaching-into-your-android-device/</link>
		<comments>http://www.dman.com/google-to-remove-malware-by-reaching-into-your-android-device/#comments</comments>
		<pubDate>Mon, 07 Mar 2011 20:04:34 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Search Engine Optimization]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=582</guid>
		<description><![CDATA[Google’s Android Market Place, recently thought to have been loaded with 21 malicious applications (a number now thought to be closer to 58), will soon be cleaned up. The Android Market operates on a trusted-developer model: Once you&#8217;re in, you can publish and update software at will. Google&#8217;s latest reaction, announced Saturday night by [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><img class="alignleft size-full wp-image-585" title="Android-Logo-Leaning" src="http://www.dman.com/wp-content/uploads/2011/03/Android-Logo-Leaning.jpg" alt="Android-Logo-Leaning" width="200" height="200" />Google’s Android Market Place, recently thought to have been loaded with 21 malicious applications (a number now thought to be closer to 58), will soon be cleaned up. The Android Market operates on a trusted-developer model: Once you&#8217;re in, you can publish and update software at will.</p>
<p style="text-align: justify;">Google&#8217;s latest reaction, announced Saturday night by Android security head Rich Cannings, is the remote removal from users&#8217; phones of applications identified as malware. Google also plans to release a security update, &#8220;Android Market Security Tool March 2011&#8221;, to infected phones.</p>
<p style="text-align: justify;">The kill switch is actually software that’s downloaded onto an Android smartphone and installed automatically, removing the apps in question with no user action required. In its <a href="http://googlemobile.blogspot.com/2011/03/update-on-android-market-security.html">Google Mobile Blog</a>, the company announced:</p>
<blockquote><p>“We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from android-market-support@google.com over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.”</p></blockquote>
<p style="text-align: justify;">Google downplayed the harm caused by these malware apps, assuring users that none of their personal data has been compromised:</p>
<blockquote><p>“For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices and the version of Android running on your device). But given the nature of the exploits, the attacker(s) could access other data.”</p></blockquote>
<p style="text-align: justify;">Android devices are still vulnerable because of existing security holes at the system level, which must be fixed by cellular carriers and hardware manufacturers. The problem is made worse by cellular providers sticking with older versions of Android, unfortunate because the security exploit only affects Android versions 2.2.1 and older.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/google-to-remove-malware-by-reaching-into-your-android-device/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud Computing &#8211; Multi-Tenancy and Application Security</title>
		<link>http://www.dman.com/cloud-computing-multi-tenancy-and-application-security/</link>
		<comments>http://www.dman.com/cloud-computing-multi-tenancy-and-application-security/#comments</comments>
		<pubDate>Thu, 24 Feb 2011 02:04:13 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=548</guid>
		<description><![CDATA[So there’s been a lot of discussion about multi-tenancy recently and what it means for cloud providers and users. To put it simply: multi-tenancy is highly desirable to providers because they can provide a service or a platform (such as Word Press) and cram a million users into it without having to constantly customize it, modify [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><img class="alignleft size-full wp-image-549" title="questions about cloud computing?" src="http://www.dman.com/wp-content/uploads/2011/02/question-cloud.jpg" alt="questions about cloud computing" width="171" height="270" />So there’s been a lot of discussion about multi-tenancy recently and what it means for cloud providers and users. To put it simply: multi-tenancy is highly desirable to providers because they can provide a service or a platform (such as Word Press) and cram a million users into it without having to constantly customize it, modify it or otherwise do much work to sell it individually. The reality is that whether or not users like multi-tenancy, the providers love it, so it’s here to stay.</p>
<p style="text-align: justify;">Who is responsible for application security in the new world of cloud computing? Increasingly, we see third-party application providers, who are not necessarily security vendors, being asked to verify the thoroughness and effectiveness of their security strategies. Nevertheless, the enterprise ultimately still bears most of the responsibility for assessing application security regardless of where the application resides. Cloud computing or not, application security is a critical component of any operational IT strategy.</p>
<p style="text-align: justify;">With cloud computing, the customer is left vulnerable in many ways. First, the security team has lost visibility into the network security infrastructure. If the cloud provider makes a change to its infrastructure, it naturally changes the risk profile of the customer’s application. However, the customer is most likely not informed of these changes and therefore unaware of the ultimate impact. It is the customer’s responsibility to demand periodic security reports from its cloud vendor and thoroughly understand how their valuable data is being protected.</p>
<p style="text-align: justify;">For many organizations, application security is an afterthought. The corporate focus is on revenue, and often that means frequently pushing new code. Even with rigid development and QA processes, there will be differences between QA websites and actual production applications. This was not as critical when the applications resided behind the firewall, but now managers must take into account the value of the data stored in an application residing in the cloud.</p>
<p style="text-align: justify;">Ultimately, website security in the cloud is no different than website security in your own environment. If your organization has not prioritized website security previously, then now is the time to make it a priority.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/cloud-computing-multi-tenancy-and-application-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Steal iPhone passwords in six minutes</title>
		<link>http://www.dman.com/steal-iphone-passwords-in-six-minutes/</link>
		<comments>http://www.dman.com/steal-iphone-passwords-in-six-minutes/#comments</comments>
		<pubDate>Fri, 11 Feb 2011 04:23:35 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[iphone]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=514</guid>
		<description><![CDATA[If you lose your iPhone, you had better issue a remote wipe ASAP with &#8220;Find My iPhone&#8221;, available in the Apple App Store. Researchers have shown that they can jailbreak the device and decrypt passwords from the iPhone&#8217;s keychain in about six minutes. If you think you are safe because you have a lock-screen password, think again: this hack [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><img class="alignleft size-full wp-image-529" title="AppleLogo" src="http://www.dman.com/wp-content/uploads/2011/02/AppleLogo.jpg" alt="AppleLogo" width="150" height="172" />If you lose your iPhone, you had better issue a remote wipe ASAP with &#8220;Find My iPhone&#8221;, available in the Apple App Store. Researchers have shown that they can jailbreak the device and decrypt passwords from the iPhone&#8217;s keychain in about six minutes. If you think you are safe because you have a lock-screen password, think again: this hack bypasses the lock-screen protection.</p>
<p style="text-align: left;">The attack requires possession of the iPhone and targets the handset&#8217;s individual keychain, the iPhone’s password storage platform. Using existing exploits, researchers are able to jailbreak the device and install an SSH server on it that allows them to run queries and execute third-party software on the phone.</p>
<p style="text-align: left;">Once access to the phone has been established, researchers were then able to copy a script to the phone that would access the keychain on the device. Built-in system functions are employed to open the keychain and then output all of the user&#8217;s passwords, removing the need to physically crack any of the device&#8217;s protection methods.</p>
<p style="text-align: left;">In short, if someone gets hold of your device, all you can hope is that you can issue a remote wipe command in time. Otherwise they will get your data if they are persistent enough.</p>
<p><strong>Check this video out to see the hack in action.</strong></p>
<div><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="640" height="390" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/uVGiNAs-QbY?fs=1&amp;hl=en_US" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="640" height="390" src="http://www.youtube.com/v/uVGiNAs-QbY?fs=1&amp;hl=en_US" allowfullscreen="true" allowscriptaccess="always"></embed></object></div>
<p>This is a list of passwords / applications thought to be safe against this hack.</p>
<ul>
<li>AOL Email</li>
<li>App using keychain with default protection</li>
<li>Generic IMAP</li>
<li>Generic SMTP server</li>
<li>Google Mail</li>
<li>iOS Backup Password</li>
<li>Website Account from Safari</li>
<li>Yahoo Email</li>
</ul>
<p>This is a list of passwords / applications that have been confirmed to be vulnerable to theft.</p>
<ul>
<li>Apple Push</li>
<li>Apple-token.sync (mobile me)</li>
<li>CalDav</li>
<li>Google Mail as MS Exchange Account</li>
<li>iChat.VeniceRegistrationAgent</li>
<li>LDAP</li>
<li>Lockdown Daemon</li>
<li>MS Exchange</li>
<li>Voicemail</li>
<li>VPN IPsec Shared Secret</li>
<li>VPN PPP Password</li>
<li>VPN XAuth Password</li>
<li>Wifi (Company WPA with LEAP)</li>
<li>Wifi WPA</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/steal-iphone-passwords-in-six-minutes/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hacking With Copier Machines</title>
		<link>http://www.dman.com/hacking-with-copier-machine/</link>
		<comments>http://www.dman.com/hacking-with-copier-machine/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 02:23:06 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=411</guid>
		<description><![CDATA[Think your identity is safe because you take all the necessary measures to protect yourself? Think again!!]]></description>
			<content:encoded><![CDATA[<p>Think your identity is safe because you take all the necessary measures to protect yourself? Think again!!</p>
<div align="center"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/yc6L_K04ex0?fs=1&amp;hl=en_US" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="385" src="http://www.youtube.com/v/yc6L_K04ex0?fs=1&amp;hl=en_US" allowscriptaccess="always" allowfullscreen="true"></embed></object>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/hacking-with-copier-machine/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Twitter Hacked &#8211; onMouseover Bug</title>
		<link>http://www.dman.com/twitter-hacked-onmouseover-bug/</link>
		<comments>http://www.dman.com/twitter-hacked-onmouseover-bug/#comments</comments>
		<pubDate>Tue, 21 Sep 2010 14:20:03 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=382</guid>
		<description><![CDATA[XSS (Cross Site Scripting) vulnerability hits twitter.com. The flaw used a simple JavaScript function to call onMouseOver, which created an event when the mouse passed over an area of text. The user was then redirected to a third-party site without the user&#8217;s consent. Twitter&#8217;s @safety account tweeted Tuesday morning, &#8220;We&#8217;ve identified and are patching [...]]]></description>
			<content:encoded><![CDATA[<p>XSS (Cross Site Scripting) vulnerability hits twitter.com.</p>
<p>The flaw used a simple JavaScript function to call onMouseOver, which created an event when the mouse passed over an area of text. The user was then redirected to a third-party site without the user&#8217;s consent.</p>
<p>Twitter&#8217;s <a href="https://twitter.com/safety" target="_blank">@safety</a> account tweeted Tuesday morning, &#8220;We&#8217;ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.&#8221;</p>
<p>As of 10:00AM EST, Twitter issued this statement: “This should now be fully patched and is no longer exploitable.”</p>
<p><a href="http://mashable.com/2010/09/21/twitter-mouseover-bug/" target="_hplink">Mashable</a> estimates that the security flaw &#8220;has been widely exploited on thousands of Twitter accounts.&#8221;  <a href="http://techcrunch.com/2010/09/21/warning-onmouseover-twitter-security-flaw-is-wreaking-tweet-havoc/" target="_hplink">TechCrunch</a> reports the onMouseover exploit may have spread to as many as 40,000 tweets in just 10 minutes.</p>
<p>Have you seen it? How has it affected you? Let us know below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/twitter-hacked-onmouseover-bug/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Stack-based buffer overflow &#8211; Adobe Reader and Acrobat 9.3.4</title>
		<link>http://www.dman.com/stack-based-buffer-overflow-adobe-reader-and-acrobat-9-3-4/</link>
		<comments>http://www.dman.com/stack-based-buffer-overflow-adobe-reader-and-acrobat-9-3-4/#comments</comments>
		<pubDate>Tue, 14 Sep 2010 14:32:08 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=365</guid>
		<description><![CDATA[A Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart Independent Glyphlets (SING) table in a TTF font. This still unpatched vulnerability is actively being [...]]]></description>
			<content:encoded><![CDATA[<p>A Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart Independent Glyphlets (SING) table in a TTF font.</p>
<p>This still unpatched vulnerability is actively being exploited in the wild. Exploits do not require JavaScript to be enabled within Adobe Reader and do not require write access to any directory.  Confirmed exploits against Adobe Reader 9.1.0, 9.3.0, 9.3.4 running on Windows XP, Windows Vista and Windows 7 have been reported.</p>
<p>Here is the exploit code in the PDF that’s circulating in the wild:</p>
<p><a href="http://www.dman.com/wp-content/uploads/2010/09/CVE-2010-2883.png"><img class="alignleft size-full wp-image-368" title="CVE-2010-2883" src="http://www.dman.com/wp-content/uploads/2010/09/CVE-2010-2883.png" alt="Shell Code for CVE-2010-2883" width="644" height="413" /></a></p>
<p>A Metasploit module is included in the most recent version. Adobe claims to be working on a fix; let&#8217;s see how long&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/stack-based-buffer-overflow-adobe-reader-and-acrobat-9-3-4/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Internet Explorer 8 &#124; Arbitrary Sites allowed to tweet</title>
		<link>http://www.dman.com/internet-explorer-8-arbitrary-sites-allowed-to-tweet/</link>
		<comments>http://www.dman.com/internet-explorer-8-arbitrary-sites-allowed-to-tweet/#comments</comments>
		<pubDate>Sat, 04 Sep 2010 01:18:39 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=316</guid>
		<description><![CDATA[A new vulnerability and Proof Of Concept (PoC) code has been posted to the Full Disclosure mailing list. Chris Evans says: A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits &#8212; for example &#8212; an arbitrary web site to force the victim [...]]]></description>
			<content:encoded><![CDATA[<p>A new vulnerability and Proof Of Concept (PoC) code has been posted to the Full Disclosure mailing list. <a title="Chris Evans Security Site" href="http://www.scary.beasts.org/security/" target="_blank">Chris Evans</a> says:</p>
<blockquote><p>A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits &#8212; for example &#8212; an arbitrary web site to force the victim to make tweets.</p></blockquote>
<p>A harmless example has also been posted on his site (see below) </p>
<pre><a rel="nofollow" href="http://scary.beasts.org/misc/twitter.html">http://scary.beasts.org/misc/twitter.html</a></pre>
<p>This bug appears to be strictly related to Internet Explorer and no fault of Twitter. At this time there does not appear to be a reasonable workaround.  This appears to be a cross-origin CSS attack, which uses the style sheet import to steal confidential information from a victim website, hijacking a user’s existing authenticated session.</p>
<p>Chris goes on to state that there is evidence to suggest that Microsoft has been aware of this since at least 2008.</p>
<p><strong>Update:</strong> another PoC has been posted:</p>
<pre><a href="http://skeptikal.org/exploits/twitter/twitter_xss.html">http://skeptikal.org/exploits/twitter/twitter_xss.html</a></pre>
<p>How long do we have to wait for a fix?</p>
<p>You can protect yourself by using <a href="http://noscript.net/">NoScript</a>, <a href="https://www.requestpolicy.com/">RequestPolicy</a>, or other client-side protections.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/internet-explorer-8-arbitrary-sites-allowed-to-tweet/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Verizon and USSS Release 2010 Data Breach Report</title>
		<link>http://www.dman.com/verizon-and-usss-release-2010-data-breach-report/</link>
		<comments>http://www.dman.com/verizon-and-usss-release-2010-data-breach-report/#comments</comments>
		<pubDate>Wed, 04 Aug 2010 13:06:44 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Data Breach Report]]></category>
		<category><![CDATA[Verizon 2010]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=171</guid>
		<description><![CDATA[Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement Recently Verizon, in collaboration with the United States Secret Service, released their 2010 Data Breach Report.  I would like to take a moment to share my praise, concerns, and general findings. I’ll begin with business practice findings.  In the [...]]]></description>
			<content:encoded><![CDATA[<h2>Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement</h2>
<p>Recently Verizon, in collaboration with the United States Secret Service, released their 2010 Data Breach Report.  I would like to take a moment to share my praise, concerns, and general findings. <img style="padding: 5px;" src="http://www.dman.com/images/verizon-breach-2010.gif" alt="Verizon Breach Report 2010" align="right" /></p>
<p>I’ll begin with business practice findings.  In the past, it was emphasized that there was a gap in termination procedures as pertains to access removal from network assets.  Based upon the metrics brought forth from this report (an astounding 26% increase in breaches attributed to “insider” threats), this is still a persistent issue.  Here, another concern arises when one mentions the concept of segregation of duties; often trusted “insiders” have unhindered or UNDERhindered access to a broad pool of resources. </p>
<p>As long as corporations fail to recognize this and to provide the corresponding resource access controls and limitations, this will continue to be an issue.  Interestingly enough, the percentage of breaches implicating business partners has dropped by 23%.  One may attribute this to the increased business awareness and legal controls implemented in the contract phase over the past year.  If this trend continues (which it should, as the public is more aware than ever of the threats “in the wild”), this number should continue to drop at a decreasing rate. </p>
<p>Additionally, the report indicates that a vast 48% (26% increase) of breaches discovered over the past reporting period involved privilege misuse to some extent – while only 40% of breaches involved “hacking” proper (-24%).  This continues to make it obvious that nefarious users do not necessarily have to be “hackers,” and may employ conventional information gathering tactics to procure sensitive data.  This may be attributed to the presence of the inevitable “human layer,” and can only be mitigated through a strong, broad-scale, employee education policy.  If the point is still unclear, it was reported that 28% (a sizable increase since 2009) of breaches made use of social engineering tactics at some point.</p>
<p>While a corporation may have the most “locked-down” and “secure” internet presence, it remains possible that a loose-lipped employee may still unknowingly play a role in facilitating a data breach.</p>
<p>On a rather interesting (read: disturbing) note, 79% of reported victims that were subject to the Payment Card Industry Data Security Standard (PCI-DSS) had NOT achieved compliance.  86% of breaches were preventable via use of reasonable, simple-to-intermediate controls.  While PCI may only provide a baseline data security model, following the standard ensures that basic defense mechanisms are in place – and, if a breach happens, the standard assures that the incident will at least be tracked to some extent.  On a somewhat related note, 86% of breach victims had substantial evidence logged, yet 61% of breaches were reported by a third party.  This indicates to me that log correlation/SIEM tools are not in place (or underreferenced) in many scenarios; avoid becoming a victim by implementing a strong log reference policy.  The burden of sorting through the logs can be eased significantly by use of common string parsing tools. </p>
<p>Some examples of commercial-grade log/event correlation and management tool vendors include LogLogic, ArcSight, and Q1 Labs.  By the way, PCI 10.6 mandates log maintenance.</p>
<p>As far as demographics are concerned, the report continues to indicate that the focus of data breaches remains within the Financial Services, Hospitality, and Retail sectors.  This does not surprise me, and should not surprise anybody; Cash is King.  Note, however, that this may be attributed in part to the fact that, in the United States (the primary source for the data contained within this report), these sectors are required to adhere to strict breach reporting requirements (due to such regulatory standards as PCI and HIPAA).</p>
<p>On a closing note, the report indicates that approximately 13% of the reported breach cases involved organizations that had recently been involved in a merger or acquisition (as opposed to 9% in 2009).  This indicates the all-too-obvious truth that, in the common flurry associated with large-scale corporate policy changes, security assurance is frequently sacrificed. </p>
<p>Based upon reading this report, I believe that – in a world where cyber crime continues to be on the rise – large companies need to take a moment to smell the coffee.  Making small sacrifices in project deadlines and procuring additional software resources (e.g. log correlation tools, which are essential for far more than just security) can ensure their bottom lines are not only met, but exceeded, while maintaining brand stability.</p>
<p>The 2010 report may be found <a href="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf" target="_blank">here</a>.</p>
<p>Verizon’s 2009 report (not collaborated with USSS) may be found <a href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/verizon-and-usss-release-2010-data-breach-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Peek-a-boooooooo – Default web pages, and why you should care to change or eliminate them</title>
		<link>http://www.dman.com/default-web-pages-and-why-you-should-change-them/</link>
		<comments>http://www.dman.com/default-web-pages-and-why-you-should-change-them/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 02:54:51 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=144</guid>
		<description><![CDATA[Just dropped 200 bucks on your new webcam (link will be opened in new window) you can use to check up on your pets from across the world? Does it do everything you hoped it would? News flash – depending upon how it&#8217;s configured, it could be doing even more; that same page you browse to [...]]]></description>
			<content:encoded><![CDATA[<p>Just dropped 200 bucks on your new <a href="http://www.panasonic.com/netcam/" target="_blank">webcam</a> (link will be opened in new window) you can use to check up on your pets from across the world?  Does it do everything you hoped it would?</p>
<p>News flash – depending upon how it&#8217;s configured, it could be doing even more; that same page you browse to in order to check up on Fido may be <em>indexed</em> by search engines such as Google.</p>
<p>Now, 9 times out of 10, the web server is configured to host the content under a non-intuitive URL; while this may deter somebody who is trying to guess the URL used by the software, it also provides those “in the know” with a “one-stop shop” for all of their nefarious needs.  As an example, most Panasonic networked cameras have the string <em>“ViewerFrame?Mode=”</em> in the URL, and can easily be located by using the Google search string <a href="http://www.google.com/search?hl=en&amp;ie=UTF-8&amp;q=inurl%3A%22ViewerFrame%3FMode%3D%22&amp;btnG=Google+Search" target="_blank"><em>inurl:”ViewerFrame?Mode=”</em></a>.  If you&#8217;re following along with the links, I&#8217;m guessing (without actually accessing this page which was likely intended to be private) the third page on the above Google search (it&#8217;s a *.edu) is exactly what a hacker would want to see &#8212; and exactly what you don&#8217;t want them to see**.</p>
<p>To avoid this, it may be possible (depending upon the software) to at least change the default URL used.  If not, consult the support documentation – and if necessary, the vendor – to determine the best course of action by which you can better protect your privacy.  Depending upon the software leveraged by the device, you may also be able to create a <em>robots.txt</em> file (a file listing all pages that search engines should not index) for the web server as well.  For more detail, see <a href="http://en.wikipedia.org/wiki/Robots_exclusion_standard" target="_blank">here</a>.</p>
<p>By the way, it&#8217;s not just cameras, but printers and telecommunications equipment (read: <em>WOW</em>) as well.  A surprisingly vast listing of known devices (and information on their default pages) can be found <a href="http://www.hackersforcharity.org/ghdb/" target="_blank">here</a>.</p>
<p>** The posted information is for educational purposes only, I neither recommend nor condone using the web as a tool for spying on others.  Don&#8217;t do it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/default-web-pages-and-why-you-should-change-them/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cross Site Scripting (XSS) Attack</title>
		<link>http://www.dman.com/cross-site-scripting-xss-attack/</link>
		<comments>http://www.dman.com/cross-site-scripting-xss-attack/#comments</comments>
		<pubDate>Sun, 20 Jun 2010 13:13:47 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=131</guid>
		<description><![CDATA[&#8220;What is Cross Site Scripting?&#8221; Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or [...]]]></description>
			<content:encoded><![CDATA[<p><strong>&#8220;What is Cross Site Scripting?&#8221; </strong></p>
<p>Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website or an instant message, or while simply reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request looks less suspicious to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them. If, for example, I was logged in as &#8220;john&#8221; and read a message by &#8220;joe&#8221; that contained malicious JavaScript in it, then it may be possible for &#8220;joe&#8221; to hijack my session just by my reading his bulletin board post. </p>
<p><strong>“What are the threats of Cross Site Scripting?”</strong></p>
<p>Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, and cookie theft/poisoning to false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to &#8220;Denial Of Service&#8221;, and potential &#8220;auto-attacking&#8221; of hosts if a user simply reads a post on a message board.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/cross-site-scripting-xss-attack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hackers Can Delete Facebook Friends</title>
		<link>http://www.dman.com/hackers-can-delete-facebook-friends/</link>
		<comments>http://www.dman.com/hackers-can-delete-facebook-friends/#comments</comments>
		<pubDate>Mon, 24 May 2010 14:18:49 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=97</guid>
		<description><![CDATA[Facebook has been having so many security problems lately; the latest one is a bug discovered on Wednesday by a college student. The bug would allow a hacker access to accounts with the power to delete friends and more. Even though this is a serious bug, as of Saturday it was still unpatched. The college [...]]]></description>
			<content:encoded><![CDATA[<p>Facebook has been having so many security problems lately; the latest one is a bug discovered on Wednesday by a college student. The bug would allow a hacker access to accounts with the power to delete friends and more. Even though this is a serious bug, as of Saturday it was still unpatched.</p>
<p>The college student, Steven Abbagnaro, wrote up proof-of-concept code of an attack that would get all of a user’s publicly available data from their Facebook page and then delete their friends one by one. However, the attack can’t be started until the user clicks on a rigged link while logged into Facebook.</p>
<p>Abbagnaro won’t release the code until a patch is applied, but competent hackers could figure it out on their own. The code is based on a previously discovered vulnerability in Facebook that doesn’t check code from users’ browsers properly to make sure they are authorized to make changes on Facebook. Another possible attack that has arisen out of this bug is the ability of hackers to make users “like” things.</p>
<p>This attack and the others that have been cropping up lately stress the need to educate users about social engineering techniques and to be suspicious of links from people they don’t know or links from friends that seem uncharacteristic.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/hackers-can-delete-facebook-friends/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook Password Reset Malware</title>
		<link>http://www.dman.com/facebook-password-reset-malware/</link>
		<comments>http://www.dman.com/facebook-password-reset-malware/#comments</comments>
		<pubDate>Sun, 21 Mar 2010 01:56:13 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=89</guid>
		<description><![CDATA[A fake Facebook password reset email seems to be doing the rounds in the last few days. I fixed two computers today that had been infected by this particular malware. Instead of having a fake Facebook page to collect the victims’ passwords (phishing), the email is sent with a malware attachment. The malware is known [...]]]></description>
			<content:encoded><![CDATA[<p>A fake Facebook password reset email seems to be doing the rounds in the last few days. I fixed two computers today that had been infected by this particular malware.</p>
<p>Instead of having a fake Facebook page to collect the victims’ passwords (phishing), the email is sent with a malware attachment. The malware is known as “Bredolab”, which is a Trojan downloader. In the two computers I repaired today, Bredolab downloaded some rogue antivirus products. However, some sites are saying that it also downloads a password-stealing Trojan.</p>
<p>If you see it onsite, Malwarebytes seems to deal with the Trojan once you kill the main executable (at least the rogue antivirus variants). Be sure to tell your clients to change their passwords after the infection has been removed as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/facebook-password-reset-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Antivirus Products Being Released on USB Drives</title>
		<link>http://www.dman.com/antivirus-products-being-released-on-usb-drives/</link>
		<comments>http://www.dman.com/antivirus-products-being-released-on-usb-drives/#comments</comments>
		<pubDate>Tue, 29 Dec 2009 16:44:19 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=64</guid>
		<description><![CDATA[It appears that antivirus companies have begun to sell their products on USB thumb drives. This is a great idea now that Netbooks are more common since many of them don’t have an optical drive. In fact, some antivirus companies such as Panda Security are making Netbook-specific versions of their antivirus products which [...]]]></description>
			<content:encoded><![CDATA[<p>It appears that antivirus companies have begun to sell their products on USB thumb drives. This is a great idea now that Netbooks are more common, since many of them don’t have an optical drive. In fact, some antivirus companies such as Panda Security are making <a href="http://www.pandasecurity.com/usa/homeusers/solutions/antivirus-netbooks/">Netbook-specific versions</a> of their antivirus products which are lighter on resources and come on a USB drive.</p>
<p>Another great thing about antivirus products coming on a USB drive is that the installation of the antivirus product (which usually takes ages) would happen much faster, since installing from a USB drive is usually much faster than installing something from a CD.</p>
<p>Lastly, at the end of the day the customer is left with a USB drive which they could use for other purposes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/antivirus-products-being-released-on-usb-drives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ei.cfg Removal Utility (Windows 7 Universal CD)</title>
		<link>http://www.dman.com/ei-cfg-removal-utility-windows-7-universal-cd/</link>
		<comments>http://www.dman.com/ei-cfg-removal-utility-windows-7-universal-cd/#comments</comments>
		<pubDate>Mon, 28 Dec 2009 22:23:44 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=62</guid>
		<description><![CDATA[One of the biggest frustrations when installing Windows XP was making sure you had the correct CD for your license key. Windows Vista fixed this problem by having a universal CD that contained all versions (all 32bit versions or all 64bit versions, not both) and simply installed the version that the key matched. Now that [...]]]></description>
			<content:encoded><![CDATA[<p>One of the biggest frustrations when installing Windows XP was making sure you had the correct CD for your license key. Windows Vista fixed this problem by having a universal CD that contained all versions (all 32bit versions or all 64bit versions, not both) and simply installed the version that the key matched.</p>
<p>Now that Windows 7 is out, Microsoft have reverted back to needing a separate disc for each version, which is annoying for us computer technicians. However, the only difference between each DVD is a small 51 byte configuration file called ei.cfg which tells the installer what version disc it is. If you were to turn your DVD into an ISO, remove this ei.cfg file and write it back to a DVD, that DVD would become a Universal DVD.</p>
<p>ei.cfg Removal Utility will make this easy for you. Just create an ISO with your legitimate Windows 7 DVD, run this tool, choose the ISO and let it run. Once it has finished, just write the ISO back to a DVD again and you would only need to carry one 32bit version and one 64bit version to support any Windows 7 install onsite.</p>
<p>Of course, your client would still need to provide you with a working key for the Windows 7 install to work.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/ei-cfg-removal-utility-windows-7-universal-cd/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wireless Network Security vs Wired Security</title>
		<link>http://www.dman.com/wireless-network-security-vs-wired-security/</link>
		<comments>http://www.dman.com/wireless-network-security-vs-wired-security/#comments</comments>
		<pubDate>Sun, 13 Dec 2009 00:30:35 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=29</guid>
		<description><![CDATA[A hardwired Ethernet network is, by nature, safer and more secure than WiFi, but it is still vulnerable. Instead of breaking into the network, as with WiFi, hackers usually break into one of the PCs on the network, which can give them access to the information on all the PCs. The following security tips apply to both wired and wireless networks. While there is no such thing as absolute security, the more of these tips you follow the more secure your wireless network will be.]]></description>
			<content:encoded><![CDATA[<p>A hardwired Ethernet network is, by nature, safer and more secure than WiFi, but it is still vulnerable. Instead of breaking into the network, as with WiFi, hackers usually break into one of the PCs on the network, which can give them access to the information on all the PCs. The following security tips apply to both wired and wireless networks. While there is no such thing as absolute security, the more of these tips you follow the more secure your wireless network will be.</p>
<p><strong>Secure both the network and each PC</strong></p>
<p>Use security software that comes with your wireless or wired router to secure the network.</p>
<p>• Rename your network. Out of the box, most routers use their own easily identifiable names (SSIDs) that make them easier for hackers to crack. Change the router name to one that doesn’t give you or the network type away.</p>
<p>• Use the media access control (MAC) feature that is usually included with your router. It lets you name each PC on the network and restrict network access to only those PCs.</p>
<p>• Secure each PC with its own firewall, so that even if a hacker gets into the network, he/she won’t be able to access the PCs on it.</p>
<p><strong>Use strong password security</strong></p>
<p>• The security software that comes with most routers usually offers several levels of password protection. Don’t use WEP (wired equivalent privacy) passwords as they are easily hacked. Use at least WPA (Wi-Fi protected access) or WPA Personal passwords, or an even more secure format, if offered.</p>
<p>• Create hard to decipher passwords. Don’t include your name, birth date, address or other obvious words or numbers. The best passwords are a random mix of letters, numbers, and characters, eight or more characters long.</p>
<p>• Change your password often.</p>
<p><strong>Use up-to-date security software</strong></p>
<p>• Firewall protection for each computer in the network.</p>
<p>• Transaction security to help ensure your online shopping or banking transactions are secured.</p>
<p>• Antivirus protection to help keep viruses, Trojan horses and worms from infecting your PCs.</p>
<p>• Antispyware to block hackers from placing spyware on your PC.</p>
<p>• Email scanning to remove viruses from email.</p>
<p><strong><em>To maximize the effectiveness of your Internet security software, make sure it is always up-to-date so that you are always protected from the very latest security threats.</em></strong></p>
<p>Internet security software will help you maximize the safety and security of your home network. It adds security features that neither PCs nor network routers offer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/wireless-network-security-vs-wired-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fix IE Utility</title>
		<link>http://www.dman.com/fix-ie-utility/</link>
		<comments>http://www.dman.com/fix-ie-utility/#comments</comments>
		<pubDate>Sun, 06 Dec 2009 02:09:35 +0000</pubDate>
		<dc:creator>Dinesh Mistry</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dman.com/?p=16</guid>
		<description><![CDATA[Fix IE Utility is a small, freeware and portable application designed to help fix Internet Explorer after a Malware attack. Fix IE Utility will re-register 89 DLL and OCX files that are often de-registered in a Malware attack and are required for Internet Explorer to run smoothly. You will still need to run your usual [...]]]></description>
			<content:encoded><![CDATA[<p>Fix IE Utility is a small, freeware and portable application designed to help fix Internet Explorer after a Malware attack. Fix IE Utility will re-register 89 DLL and OCX files that are often de-registered in a Malware attack and are required for Internet Explorer to run smoothly. You will still need to run your usual malware removal applications, but if Internet Explorer still won’t work correctly after the system has been cleaned, it’s possible the malware de-registered some files, and this is where Fix IE Utility helps. Many people would just suggest that the client could just switch to Firefox. However, the core of Internet Explorer is still used inside many other programs, so it needs to be operational, even if you don’t use Internet Explorer as a web browser.</p>
<p>Fix IE Utility has been tested on IE7 and IE8 on both Windows Vista and Windows 7.</p>
<p><a href="http://www.dman.com/wp-content/uploads/2009/12/FixIEutility.jpg"><img class="size-full wp-image-308 alignnone" title="FixIEutility" src="http://www.dman.com/wp-content/uploads/2009/12/FixIEutility.jpg" alt="" width="360" height="212" /></a></p>
<p><a class="alignleft" href="http://www.thewindowsclub.com/downloads/Fix%20IE.zip">Download from official site</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dman.com/fix-ie-utility/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

