Category Archives: Security

Verizon and USSS Release 2010 Data Breach Report

Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement

Recently Verizon, in collaboration with the United States Secret Service, released their 2010 Data Breach Report. I would like to take a moment to share my praise, concerns, and general findings.

I’ll begin with business practice findings. In the past, it was emphasized that there was a gap in termination procedures as it pertains to access removal from network assets. Based upon the metrics brought forth in this report (an astounding 26% increase in breaches attributed to “insider” threats), this is still a persistent issue. Here, another concern arises when one mentions the concept of segregation of duties; often trusted “insiders” have unhindered or UNDERhindered access to a broad pool of resources.

As long as corporations fail to recognize this and provide corresponding resource access controls and limitations, this will continue to be an issue. Interestingly enough, the percentage of breaches implicating business partners has dropped by 23%. One may attribute this to the increased business awareness and legal controls implemented in the contract phase over the past year. If this trend continues (which it should, as the public is more aware than ever of the threats “in the wild”), this number should continue to drop at a decreasing rate.

Additionally, the report indicates that a vast 48% (26% increase) of breaches discovered over the past reporting period involved privilege misuse to some extent – while only 40% of breaches involved “hacking” proper (-24%).  This continues to make it obvious that nefarious users do not necessarily have to be “hackers,” and may employ conventional information gathering tactics to procure sensitive data.  This may be attributed to the presence of the inevitable “human layer,” and can only be mitigated through a strong, broad-scale, employee education policy.  If the point is still unclear, it was reported that 28% (a sizable increase since 2009) of breaches made use of social engineering tactics at some point.

While a corporation may have the most “locked-down” and “secure” internet presence, it remains possible that a loose-lipped employee may still unknowingly play a role in facilitating a data breach.

On a rather interesting (read: disturbing) note, 79% of reported victims that were subject to the Payment Card Industry Data Security Standard (PCI-DSS) had NOT achieved compliance. 86% of breaches were preventable via use of reasonable, simple-to-intermediate controls. While PCI may only provide a baseline data security model, following the standard ensures that basic defense mechanisms are in place – and, if a breach happens, the standard assures that the incident will at least be tracked to some extent. On a somewhat related note, 86% of breach victims had substantial evidence logged, yet 61% of breaches were reported by a third party. This indicates to me that log correlation/SIEM tools are not in place (or underreferenced) in many scenarios; avoid becoming a victim by implementing a strong log review policy. The burden of sorting through logs can be eased significantly by use of common string parsing tools.

Some examples of commercial-grade log/event correlation and management tool vendors include LogLogic, ArcSight, and Q1 Labs.  By the way, PCI 10.6 mandates log maintenance.
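As an added illustration of the point above (this is example code written for this post, not a tool or script from the report or from any of the vendors named), the script below parses a handful of constructed sshd-style log lines and correlates them: it flags source addresses with repeated authentication failures and, more importantly, a successful login that follows a run of failures from the same address, which is exactly the kind of evidence that sits unread in a log until a third party calls. The log lines, the host name and the addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (syslog/sshd format); not taken from any real system.
SAMPLE_LOG = """\
Apr 12 03:14:01 app01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 12 03:14:03 app01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Apr 12 03:14:05 app01 sshd[2201]: Failed password for root from 203.0.113.7 port 51124 ssh2
Apr 12 03:14:09 app01 sshd[2201]: Failed password for root from 203.0.113.7 port 51125 ssh2
Apr 12 03:14:12 app01 sshd[2201]: Accepted password for root from 203.0.113.7 port 51126 ssh2
Apr 12 03:20:44 app01 sshd[2310]: Failed password for jsmith from 198.51.100.4 port 40011 ssh2
Apr 12 03:21:02 app01 sshd[2310]: Accepted password for jsmith from 198.51.100.4 port 40012 ssh2
Apr 12 04:02:17 app01 sshd[2455]: Accepted publickey for deploy from 192.0.2.9 port 33000 ssh2
"""

# One regex covers both "Failed password for ..." and "Accepted publickey for ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def correlate(events, threshold=3):
    """Return (brute_force_sources, suspicious_successes).

    brute_force_sources: sorted list of IPs that produced at least `threshold` failures.
    suspicious_successes: (ip, user) pairs where an accepted login followed at least
    `threshold` failures from the same IP. Events are assumed to be in log order.
    """
    failures = defaultdict(int)
    flagged = set()
    suspicious = []
    for event in events:
        ip = event["ip"]
        if event["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                flagged.add(ip)
        elif failures[ip] >= threshold:
            # A success after a burst of failures deserves a human look.
            suspicious.append((ip, event["user"]))
    return sorted(flagged), suspicious


def report(log_text, threshold=3):
    """Produce a short human-readable summary for the daily log review."""
    sources, successes = correlate(parse(log_text), threshold)
    lines = [f"Sources with >= {threshold} failed logins: {', '.join(sources) or 'none'}"]
    for ip, user in successes:
        lines.append(f"REVIEW: success for '{user}' from {ip} after repeated failures")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The threshold and the time window are deliberately crude; the point is that even a dozen lines of parsing turn "substantial evidence logged" into something an operator will actually read, which is the gap the 61% third-party discovery figure points at.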

As far as demographics are concerned, the report continues to indicate that the focus of data breaches remains within the Financial Services, Hospitality, and Retail sectors. This does not surprise me, and should not surprise anybody; Cash is King. Note, however, that this may be attributed in part to the fact that, in the United States (the primary source for the data contained within this report), these sectors are required to adhere to strict breach reporting requirements (due to such regulatory standards as PCI and HIPAA).

On a closing note, the report indicates that approximately 13% of the reported breach cases involved organizations that had recently been involved in a merger or acquisition (as opposed to 9% in 2009).  This indicates the all-too-obvious truth that, in the common flurry associated with large-scale corporate policy changes, security assurance is frequently sacrificed. 

Based upon reading this report, I believe that – in a world where cyber crime continues to be on the rise – large companies need to take a moment to smell the coffee. Making small sacrifices in project deadlines and procuring additional software resources (e.g. log correlation tools, which are essential for far more than just security) would ensure their bottom lines are not only met, but exceeded, while maintaining brand stability.

The 2010 report may be found here

Verizon’s 2009 report (not collaborated with USSS) may be found here

Peek-a-boooooooo – Default web pages, and why you should care to change or eliminate them

Just dropped 200 bucks on a new webcam you can use to check up on your pets from across the world? Does it do everything you hoped it would?

News flash – depending upon how it’s configured, it could be doing even more; that same page you browse to in order to check up on Fido may be indexed by search engines such as Google.

Now, 9 times out of 10, the web server is configured to host the content under a non-intuitive URL; while this may deter somebody who is trying to guess the URL used by the software, it also provides those “in the know” with a “one-stop shop” for all of their nefarious needs. As an example, most Panasonic networked cameras have the string “ViewerFrame?Mode=” in the URL, and can easily be located by using the Google search string inurl:”ViewerFrame?Mode=”.  If you’re following along with the links, I’m guessing (without actually accessing this page which was likely intended to be private) the third page on the above Google search (it’s a *.edu) is exactly what a hacker would want to see — and exactly what you don’t want them to see**.

To avoid this, it may be possible (depending upon the software) to at least change the default URL used. If not, consult the support documentation – and if necessary, the vendor – to determine the best course of action by which you can better protect your privacy. Depending upon the software leveraged by the device, you may also be able to create a robots.txt file (file including all pages not to be indexed by the search engine) for the web server as well.  For more detail, see here.
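Here is what such a file looks like, as an added example for this post (not a file shipped by any camera vendor). It assumes the viewer lives under a path beginning with /ViewerFrame, as in the Panasonic URL string mentioned above; substitute whatever path your device actually serves.

```text
# Constructed example robots.txt, served from the web root of the camera's web server.
# Asks every crawler to stay out of the viewer path (path assumed for this example).
User-agent: *
Disallow: /ViewerFrame
```

Two caveats a practitioner would want: robots.txt is a polite request that only cooperating crawlers honor, and the file itself is public, so it advertises the very path you are trying to hide. Treat it as a way to keep the page out of search results, not as access control; if the device supports it, putting the viewer behind a password (and, where the software allows it, an `X-Robots-Tag: noindex` response header instead of a robots.txt entry) is the stronger fix.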

By the way, it’s not just cameras, but printers and telecommunications equipment (read: WOW) as well. A surprisingly vast listing of known devices (and information on their default pages) can be found here.

** The posted information is for educational purposes only, I neither recommend nor condone using the web as a tool for spying on others.  Don’t do it.

Cross Site Scripting (XSS) Attack

“What is Cross Site Scripting?”

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, an instant message, or simply by reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request looks less suspicious to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear to be valid content from the website. Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them. If, for example, I was logged in as “john” and read a message by “joe” that contained malicious JavaScript in it, then it may be possible for “joe” to hijack my session just by reading his bulletin board post.

“What are the threats of Cross Site Scripting?”

Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to “Denial Of Service”, and potential “auto-attacking” of hosts if a user simply reads a post on a message board. 
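The guestbook scenario above (“joe” posts a script, “john” reads it) is easy to reproduce in a few lines, so here is an added example written for this post, not code from any real guestbook or forum product. It renders two constructed posts the way a careless guestbook would, then the way a fixed one should: every untrusted field is escaped for an HTML text context, so the script arrives in john’s browser as inert text. A second helper shows the defence-in-depth that limits the damage if escaping is ever missed: marking the session cookie `HttpOnly` so page scripts cannot read it. The post contents and the cookie value are constructed.

```python
import html
from dataclasses import dataclass


@dataclass
class Post:
    author: str
    body: str


# Constructed guestbook posts. The second carries the classic test payload; in a real
# attack the script would do something quieter than pop an alert.
POSTS = [
    Post("john", "Nice board!"),
    Post("joe", "<script>alert(document.cookie)</script>"),
]


def render_vulnerable(posts):
    """The bug: user-supplied text is concatenated straight into the page."""
    return "\n".join(f"<p><b>{p.author}</b>: {p.body}</p>" for p in posts)


def render_escaped(posts):
    """The fix: escape every untrusted field for the HTML text context it lands in."""
    return "\n".join(
        f"<p><b>{html.escape(p.author, quote=True)}</b>: "
        f"{html.escape(p.body, quote=True)}</p>"
        for p in posts
    )


def contains_live_script(page):
    """Crude detector used here to compare the two renderings: is there a real <script tag?"""
    return "<script" in page.lower()


def session_cookie_header(session_id):
    """Build a Set-Cookie value for the session that scripts cannot read (HttpOnly)
    and that is only sent over TLS (Secure). Both flags are standard cookie attributes."""
    return f"sessionid={session_id}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    print("--- vulnerable rendering ---")
    print(render_vulnerable(POSTS))
    print("--- escaped rendering ---")
    print(render_escaped(POSTS))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Note that `html.escape` is the right tool only for text between tags and inside quoted attribute values; content that ends up inside a `<script>` block, a URL, or a CSS rule needs encoding for that context instead, which is why output encoding is usually handled by the templating layer rather than by hand.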

Hackers Can Delete Facebook Friends

Facebook has been having a lot of security problems lately; the latest one is a bug discovered on Wednesday by a college student. The bug would allow a hacker access to accounts with the power to delete friends and more. Even though this is a serious bug, as of Saturday it was still unpatched.

The college student, Steven Abbagnaro, wrote proof-of-concept code for an attack that would get all of a user’s publicly available data from their Facebook page and then delete their friends one by one. However, the attack can’t be started until the user clicks on a rigged link while logged into Facebook.

Abbagnaro won’t release the code until a patch is applied, but competent hackers could figure it out on their own. The code is based on a previously discovered vulnerability in Facebook that doesn’t properly check requests from users’ browsers to make sure they are authorized to make changes on Facebook. Another possible attack that has arisen out of this bug is the ability of hackers to make users “like” things.

This attack, and the others that have been cropping up lately, stress the need to educate users about social engineering techniques and to make them suspicious of links from people they don’t know, or links from friends that seem uncharacteristic.

Facebook Password Reset Malware

A fake Facebook password reset email seems to be doing the rounds in the last few days. I fixed two computers today that had been infected by this particular malware.

Instead of having a fake Facebook page to collect the victims’ passwords (phishing), the email is sent with a malware attachment. The malware is known as “Bredolab,” which is a Trojan downloader. In the two computers I repaired today, Bredolab downloaded some rogue antivirus products. However, some sites are saying that it also downloads a password-stealing Trojan.

If you see it onsite, Malwarebytes seems to deal with the Trojan once you kill the main executable (at least for the rogue antivirus variants). Be sure to tell your clients to change their passwords after the infection has been removed as well.