Internet Security News
Breaking news and updates in Internet security
Last Updated: July 25th, 2008 03:02:46 CDT -0500
Regulatory Compliance and the Real Risk of Undetected Malware
With the emergence of regulatory laws borne out of experience from a variety of embarrassing security breaches, today's corporate leaders face a myriad of repercussions.
These range from serious fines to jail time when a company is found not in compliance with regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB) and the Payment Card Industry (PCI) requirements.
These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.
For example, Section 404 of the Sarbanes-Oxley Act mandates that any publicly traded corporation maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.
Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. The development of a policy framework based on this audit ultimately drives the definition of what would be considered "adequate" controls.
However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising. This was exemplified in the highly publicized Monster.com attack. According to an article in CIO Magazine, a Trojan stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc.'s job search service.
Despite established security policy, these breaches led to public dismay and a loss of consumer confidence. Take for example the TJ Maxx incident that exposed 45.7 million credit card numbers, according to details in a filing with the Securities and Exchange Commission last year. The breach eventually cost the retailer millions of dollars in both hard costs incurred and reduced stock value.
These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? This certainly appears to be the case as more and more targeted attacks are involving malware of some shape or form. Take for example the recent incident with popular supermarket chain Hannaford. Why did the internal controls established according to company policy fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?
These are all good questions, especially concerning the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part to do with the dramatic increase in information exposure in 2007.
According to the PandaLabs 2007 Annual Report, a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, thus, stealing credentials and other personal information that could be used to gain profit.
Furthermore, if we put this into perspective, we are more at risk than we were a few years ago when the primary concern was the prevention of network worms that caused data destruction.
In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.
Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.
The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What's alarming is the rate at which malware is developed and released to infect victims on a daily basis. In a 2007 report published by Panda Research, entitled "From Traditional Antivirus to Collective Intelligence," PandaLabs saw over 4000 new strains per day last year.
This is mainly due to the overwhelming inability of security vendors to respond to an ever-increasing rate of new malware strains; as a result, the anti-virus industry is not really protecting its customers. Signatures are generated on the basis of what the vendor considers a threat, so traditional AV products may not reflect actual reality. In effect, we are witnessing a denial of service against vendor resources.
Consequently, a large amount of malware currently circulates on the Internet undetected, leaving a large number of companies infected despite having up-to-date security solutions.
The rapid pace at which cyber criminals seed the industry with new threats contributes to the overall problem that is causing technical safeguards to fail, putting the corporation at risk of violating regulatory standards, which could ultimately lead to serious consequences if sensitive information is leaked.
For example, in a health care organization one undetected Trojan could make a case for a serious risk of violation of HIPAA §164.308(a)(4), which pertains to protecting health information: "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) [Information Access Management]"
A False Sense of Security - Audit and Assessment Standards
When doing a security audit to ensure that adequate controls are in place from an information security perspective, the auditor is normally looking at whether the corporation is in adherence to a defined policy. Furthermore, a security audit encompasses some of the following questions:
- Are passwords difficult to break?
- Are computers up-to-date with the latest security patches?
- Do any vulnerabilities exist in the operating system or applications installed?
- Are there Access Control Lists (ACLs) implemented on shared resources to control access to them?
- Have unnecessary services or applications been removed from computers that could potentially expose the resource?
- Are computers regularly scanned for malware?
The missing element in a security audit, however, is assessing for sophisticated active threats (e.g. kernel-mode root-kits, stealth Trojans, key-loggers, etc). In practice, the current assessment tools and verification methodologies used to validate controls rely mostly on identifying weaknesses or potential risk to assets; for example, a vulnerability scan or a penetration test will tell the auditor of potential avenues for attack. But the number one question to ask is: are assets already compromised with undetected malware?
There are a wide range of technical safeguards that can be implemented to significantly reduce potential exposure and the organization's overall risk, however hackers have devised ways to circumvent these. For example the most common infection vector is via the web through malware laced web-sites that have been compromised and altered in some way, shape or form. Therefore, a majority of malware (if not detected via signatures or proactively by other technologies) will simply evade perimeter defenses (firewalls, network intrusion prevention, etc.) and make its way to the end-point, especially if it is "targeted" in nature, and with a limited number of hosts designated to be infected.
There are certainly other ways to reduce risk. For example, corporations can implement a policy that limits the administrative access a user has to his or her own PC and other resources on the network. While this reduces the overall risk of unauthorized access, it is not the final solution as hackers tend to abuse system privileges (going around established ACLs) by exploiting applications and other flaws in the operating system.
Proactive defenses such as Host Based Intrusion Prevention (HIPS) can substantially raise the bar in terms of detection, anywhere between 80 and 90 percent (source: "From Traditional Antivirus to Collective Intelligence," Panda Research, 2007). With malware 1.0 this model was acceptable; but with the rate and volume of new threats emerging on a daily basis hundreds or even thousands of threats over time can be missed.
Public companies that must adhere to regulatory laws must also adopt better internal controls to ensure that hidden infection points are discovered and removed before any exposure occurs. Better yet, modern assessments must take into consideration the possibility of assets already compromised by hidden and undetected malware.
Summary
Regulatory compliance is an interesting but challenging topic that every public corporation, no matter what size or shape, is ultimately affected by. Organizations must evolve their security best practices to include better assessment methodologies that take into consideration crimeware innovations and available technologies that not only assess weaknesses, but locate active unnoticed infection points.
From Traditional Anti-Virus to Security-as-a-Service
Over the past five years, the anti-virus market has experienced tremendous growth as many new technologies have emerged in response to current conditions.
What was once a market consisting of very few players has evolved into a multi-billion dollar enterprise consisting of dozens of companies with huge assortment of anti-virus products varying in focus and quality.
According to analysts, the global anti-virus market is forecasted to surpass $58 billion by 2010 with the introduction of new technologies in the areas of data loss prevention, virtualization security, security-as-a-service and many others.
Despite this growth, the technology behind anti-virus today is highly inefficient when it comes to protecting against modernized threats. This is fueled by the fact that vendors simply can't keep up with all of the new malware surfacing each and every day. The situation has created a breakdown in the quality and effectiveness of their underlying core technology. [1]
This problem is evident in today's high-profile security incidents. According to the Identity Theft Resource Center (an organization that tracks incidents relating to exposure of confidential information), the number of recorded breaches more than doubled in the first quarter of 2008. [2]
This problem is even more visible when you take into account the current application delivery model employed by various end-point technologies today.
This agent-based delivery model introduces several challenges, not only on the side of administration, management and ease of use, but to the degree necessary to provide an adequate level of protection against zero-day, zero-hour, and zero-minute threats.
This traditional model has the following characteristics:
· Upgrades require time and effort to implement, leaving a dangerous window of opportunity to become infected. This problem is amplified if the upgrade includes engine revisions to detect new strains of malware.
· Enterprise protection suites require deployment of a dedicated management infrastructure that in some cases will require additional hardware.
· Some end-point protection suites that use a policy-driven system are particularly complex to manage and maintain, therefore the total cost of ownership will increase over time.
· Anti-malware intelligence has traditionally resided on the end-point, thus, the trade-off between security and resource consumption has always been a challenge.
· The memory and CPU foot-print is directly proportional to the size of the signature file. Therefore, the growth of new threats will ultimately affect the user's experience.
· On average, the foot-print for leading products is anywhere from 100MB to 150MB, depending on the modules enabled (e.g. firewall, anti-virus, anti-spam, host intrusion prevention, etc).
· Most end-point products on the market today have a very narrow, short-sighted view of the threat landscape and do not provide protection for all malware currently in circulation and affecting users.
· Nodes do not share intelligence amongst themselves, thus, reducing the overall efficiency to detect and prevent against targeted attacks.
When we examine this security model further, the small and medium size business (SMB) market will be affected the most. The traditional anti-virus model introduces significant challenges for SMBs who have tight budgets for security. This is especially true as they often do not have the expertise or resources in-house to manage and administer complex anti-malware solutions.
The best alternative that an SMB can take when it comes to security is out-sourcing their services to a hosted infrastructure and/or adopting a Security-as-a-Service model. This helps reduce complexity and time to market when implementing new security technologies and will not require a high degree of skill to maintain the solution.
Security-as-a-Service revolves around the concept known as Software-as-a-Service, or SaaS. SaaS changes the way that applications are currently delivered to customers by hosting them "in the cloud" and providing a web interface to interact with the applications. Previously, software had to be installed directly on the user's system and managed inside the business or manually remote controlled by an outside service provider.
Customers of a SaaS solution benefit from real-time, up-to-the-minute content provided on a continuous basis through a subscription model, making life a lot easier. This model allows companies, their IT consultants, managed service providers or value added resellers to more efficiently manage protection against malware, freeing up valuable time and resources to stay focused on the business.
In conclusion, the SaaS model offers an alternative approach to the way that end-point security is delivered today. Since 2008 and 2009 will certainly focus on consolidation (anti-virus, data leakage prevention, end-point encryption, etc), it is essential that SaaS be adopted as an industry standard in end-point security protecting businesses from the SMB to the very large enterprise.
[1] PandaLabs Research Study 2007: http://research.pandasecurity.com/archive/Think-you_2700_re-protected_3F00_-Think-again.aspx
[2] http://www.idtheftcenter.org/artman2/publish/m_press/Breach_List_2008_Q1.shtml
Don’t Overlook the Online Channel: Combating Multi-Channel Fraud at the Source
The latest threat to online banking accounts involves fraudsters using multi-step schemes that involve different interaction points with financial institutions.
Cyber-criminals commit this multi-channel fraud by first breaching an account via the online channel to steal valuable information such as account balances, check images, or signature blocks, in order to commit wire, check and other types of offline fraud that never gets linked to the original breach online.
Unfortunately, the online channel's role in these schemes is often overlooked. This is precisely what makes this kind of fraud so effective - and hard to catch. Financial institutions only register the final transaction fraud, and cannot account for the original breach, which often occurs in the online channel. Add this to the fact that consumers don't know it is happening, and the fraudsters have a perfect opportunity to continuously get away with this crime.
Case in point is what happened recently to a leading financial institution that serves tens of thousands of customers daily. Despite aggressive efforts to safeguard its online environment, fraudsters pulled off a startling multi-channel fraud scheme.
Here's how the fraud scheme worked:
1. The fraudster called the institution's customer service number and, using social engineering techniques, reset the online account password and contact phone number.
2. The fraudster accessed the online account, learned more about the customer's online activities, and downloaded check images containing the customer's signature.
3. The fraudster then called on a separate institution using the stolen information to open a new account in the victim's name.
4. A wire transfer was arranged to empty the victimized account and credit the new account at institution #2. Because the names on the accounts were the same and the fraudster had provided a phone number under his/her control and a valid signature, an offline verification of the transfer by phone, as a second means of identification, passed and was authorized.
5. The fraudster withdrew his loot piecemeal, visiting separate branches in a state different than the victim's.
Legacy Fraud Detection Methods Blind to Online Activity
When fraudsters use schemes involving multiple interactions with different touch-points across an institution, they aren't caught because the precursor online channel breach is often overlooked.
Common industry practice registers the final fraud transaction as the breach point, and case forensics employ limited resources to return insight that cannot trace the original breach to the online channel. When accessed only for reconnaissance, the online channel records no "transaction" for detection. This is precisely what makes multi-channel fraud so effective - and so hard to catch. Moreover, how should our previous example be classified? Is such a loss wire fraud, check fraud, or simply "online account fraud"?
A next-generation approach to online fraud prevention is needed if we are to continue to inspire customer confidence in the online channel. According to Javelin Research's 2007 Identity Fraud Survey Report, it takes an average of 60 days for consumers to even detect that fraud has occurred. This leaves fraudsters with a perfect opportunity to commit successful multi-channel fraud crimes if financial services providers don't take pre-emptive steps to protect both their customers and their bottom line. New best practices and back-end technologies that focus on online behavior can better isolate and prevent multi-channel fraud at the source.
Modeling Individual Account Behavior Stops Fraud at Its Source
An emergent best practice is to employ predictive models of individual customer online behavior to detect when the "customer" logging in isn't who they say they are, even if they pass authentication. Beyond simple machine signature technology, user profiling technologies rely on trended analysis of behavior account by account. They start by understanding what "normal" behavior is for each individual customer - and admit that there is no single pattern of "normal" behavior to write an anti-fraud rule against.
Dynamic, model-based analysis of account activity "does the math" - piecing together what may by themselves seem like weak indicators of fraud until a powerful pattern emerges. Behavior that deviates from what is expected becomes suspicious - the more the deviation, the deeper the suspicion. This comprehensive analysis allows for more granular risk scoring and better correlation with offline activity patterns. A byproduct of this behavioral analysis is a rich history of online activity that aids investigation and forensics.
Using these techniques, institutions can identify the fraudster via the alerts to online activity outside the customer's predicted behavior. Deploying strong analytics at the source - the online channel - ensures that fraudsters' attacks are shut down before any damage is done.
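To make the account-by-account modeling described above concrete, and to tie it back to the five-step scheme earlier in this article, here is an added Python example that is not part of the original page and not any vendor's product: it learns a per-account baseline from constructed history, scores each new online event by summing weak indicators (unseen device, unseen location, unusual hour, first-ever action), and adds weight when a call-centre password reset preceded the session, so the reconnaissance step is flagged before any wire goes out. The event schema, the weights, the 72-hour window and the alert threshold are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """One customer interaction; the schema is an assumption for this example."""
    account: str
    channel: str      # "online", "call_center" or "wire"
    action: str       # e.g. "login", "view_balance", "download_check_image", "password_reset"
    ts: datetime
    device: str = ""  # device fingerprint, online events only
    geo: str = ""     # coarse client location, online events only

@dataclass
class Baseline:
    """What 'normal' looks like for one account, learned from its own history."""
    devices: Counter
    geos: Counter
    actions: Counter
    hours: Counter
    total: int

PRECURSOR_WINDOW = timedelta(hours=72)  # assumed: how long a phone reset stays relevant
ALERT_THRESHOLD = 5                     # assumed: score at which an analyst is paged

def build_baseline(history):
    """Summarise an account's past online events; every account gets its own model."""
    online = [e for e in history if e.channel == "online"]
    return Baseline(
        devices=Counter(e.device for e in online),
        geos=Counter(e.geo for e in online),
        actions=Counter(e.action for e in online),
        hours=Counter(e.ts.hour for e in online),
        total=len(online),
    )

def score_event(baseline, event, recent):
    """Return (score, reasons) for one new online event.

    Each indicator is weak alone and adds a small weight; the sum is the risk score.
    `recent` holds the account's events from every channel over the last few days, so a
    call-centre password reset preceding an unusual session is correlated, not siloed."""
    score, reasons = 0, []
    if baseline.total == 0:
        return score, ["no history for this account"]
    if event.device not in baseline.devices:
        score += 2
        reasons.append("unseen device")
    if event.geo not in baseline.geos:
        score += 1
        reasons.append("unseen location")
    if baseline.hours[event.ts.hour] / baseline.total < 0.05:
        score += 1
        reasons.append("unusual hour")
    if event.action not in baseline.actions:
        score += 2
        reasons.append(f"first-ever action: {event.action}")
    for prior in recent:
        age = event.ts - prior.ts
        if (prior.channel == "call_center" and prior.action == "password_reset"
                and timedelta(0) <= age <= PRECURSOR_WINDOW):
            score += 3
            reasons.append(f"password reset via call centre {age} earlier")
            break
    return score, reasons

def constructed_history(account="ACCT-1001"):
    """Thirty routine evenings: login plus balance check from one device, one place (constructed)."""
    start = datetime(2008, 3, 1, 20, 0)
    history = []
    for day in range(30):
        t = start + timedelta(days=day)
        history.append(Event(account, "online", "login", t, "dev-home", "PA"))
        history.append(Event(account, "online", "view_balance", t + timedelta(minutes=2), "dev-home", "PA"))
    return history

def demo():
    """Replay the article's scheme (constructed events) against the baseline and score each step."""
    base = build_baseline(constructed_history())
    reset = Event("ACCT-1001", "call_center", "password_reset", datetime(2008, 4, 1, 10, 30))
    login = Event("ACCT-1001", "online", "login", datetime(2008, 4, 1, 11, 5), "dev-unknown", "FL")
    grab = Event("ACCT-1001", "online", "download_check_image", datetime(2008, 4, 1, 11, 9), "dev-unknown", "FL")
    usual = Event("ACCT-1001", "online", "login", datetime(2008, 4, 2, 20, 1), "dev-home", "PA")
    results = {
        "login": score_event(base, login, [reset]),
        "download": score_event(base, grab, [reset, login]),
        "usual": score_event(base, usual, []),
    }
    for name, (score, reasons) in results.items():
        print(f"{name:9} score={score} {'ALERT' if score >= ALERT_THRESHOLD else 'ok'} {reasons}")
    return results

if __name__ == "__main__":
    demo()
```

The first login after the phone reset already crosses the threshold on device, location, hour and the reset precursor alone; the check-image download adds the first-ever-action weight, while the customer's own evening login from the usual device scores zero.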
Storm Botnet Subsides
Something new may be on tap to replace Storm as the big botnet pest, as its size decreased substantially in April.
Efforts to clean up the Storm botnet drove it down to 5 percent of its original size in April. This puts current estimates of Storm-botnetted machines at around 100,000 machines.
Security vendor MessageLabs said ongoing efforts associated with new Storm cleanup tools purged the malware from infected computers. Some estimates put Storm's botnet at 2 million machines before the big purge took place.
"April was a month of unpredictability," Mark Sunner, Chief Security Analyst at MessageLabs, said in a statement. Storm's decline happened while incidents of attacks escalated.
MessageLabs claimed to observe 70 targeted spam attacks with Trojans per day in April. The upcoming Beijing Olympics persists as a major factor in such spam, with Olympics-related subject lines common for those attacks.
An old spam standby received a bit of a makeover, MessageLabs noted. Criminals are creating fake profiles on business networking sites like LinkedIn to lend credence to the typical 419 scam. They direct recipients to check out their "credentials" on the site to assure them they are dealing with a real person and not some common criminal.
eBay Has Its Romanian Hacker
An arrest in Budapest turned up one Vlad Constantin Duiculescu, aka Vladuz, a thorn in the side of the online marketplace.
A business deal turned out to be a sting, and Vladuz took a deep wound from it. His time roaming around eBay's forums using pilfered credentials and generally making a nuisance of himself to the company has been at least interrupted for now.
The Register cited Romanian news reports that Vladuz ended up wearing handcuffs after his attempt to sell a software application to interested buyers instead brought police to his door. EBay has been chasing Vladuz for over a year.
His exploits reached eBay's forums, where he managed to pose as an official eBay representative. He and eBay disputed how far he was able to get in to their systems; Vladuz claimed extensive access, while eBay denied that.
If eBay's account is accurate, they believe Vladuz caused about a million dollars in damages from his exploits. For now, Vladuz will enjoy jail cuisine for a 29-day period. Further details about the 20-year-old's fate have not been revealed.
Google Builds Tools To Fight Child Porn
An ongoing effort with the National Center for Missing and Exploited Children (NCMEC) by Google produced video tools for use in finding exploitative images and videos.
Google research scientist Shumeet Baluja described the search giant's work on the company blog in developing these tools. Through 2007, Baluja and co-workers crafted tools to help NCMEC find child predators.
"The tools we provided will aid in organizing and indexing NCMEC's information so that analysts can both deal with new images and videos more efficiently and also reference historical material more effectively," said Baluja.
NCMEC said in a statement the group and law enforcement agent partners have reviewed over 13 million images and videos to help rescue victims and identify criminals.
"Criminals are using cutting edge technology to commit their crimes of child sexual exploitation, and in fighting to solve those crimes and keep children safe, we must do the same," said Ernie Allen, president and CEO of NCMEC.
The tools come from Google's ongoing work in video and image search. This research-stage technology helped NCMEC handle the multitude of such content arriving at their CyberTipline and from police agencies.
"We hope the tools we've built for NCMEC will help its analysts make the important and often time-sensitive work of investigating child predators faster and more efficient," Baluja said.
PayPal Calls For Partnerships Against Phishing
One of the most popular phishing targets on the Internet wants to thwart criminals, but needs a lot of help to do so.
Stamping out phishing won't happen with one company pushing for a fix. Payment processor and eBay component PayPal needs cooperation to accomplish this.
"We know we're always going to be an attractive target for criminals. But what I don't want is PayPal to be protected and the rest of the industry not. Phishing could be solved, there's no need for it to happen," PayPal's chief information security officer said at a security conference recently.
Phishing for PayPal details happens on an immense scale. A report at Silicon.com said Yahoo's efforts to block PayPal-related messages alone kept 50 million phishes out of Yahoo Mail since last fall.
That happened thanks to digital signatures appended to PayPal's legitimate messages. When a phish lacking that signature hits Yahoo, the message gets tossed.
Microsoft received some credit from Barrett, as the company's Internet Explorer 7 browser may be helping stop people from going to phishing sites thanks to its anti-phishing technologies. (Firefox and Opera also carry phishing protection in their browsers.)
Phishing persists as a standby for criminals. Through the use of botnets, phishers send out millions of messages. It doesn't take many to make the crime profitable, as the distributed nature of spamming this way costs the phishers little.
Couple that with how the phishing types tend to be hiding out in countries where effective prosecution against computer crime is a pipe dream for security pros at best, and one can see where Barrett is coming from with his call for more partnerships against phishing activities.
Online Criminals Outsource Their Work
A study by security vendor Finjan suggested a trend in criminal behavior has them farming work out to established rings with a technology infrastructure in place.
Among the trends cited by Finjan in its Web Security Trends Report, the company found criminals with sufficient capital opting to engage in a business practice normally associated with legitimate businesses: outsourcing.
Botnet creators have been known to let spammers pay for access to compromised servers, which are then used to crank out millions of messages to inboxes all over the world.
Finjan dubbed the next iteration of this practice, "crimeware." It isn't only about botnet rental, or even using pre-made kits to create exploits, as Finjan observed:
After maturing into a full-fledged market driven by economical forces, we are now seeing a trend for cybercriminals to deploy the B2B model (business to business, or more accurately Criminal to Criminal, C2C). Owners of malicious sites share their victims with other site owners in order to leverage the strength of one site and provide business to the other.
It gets worse for security pros:
Currently, we see the rise of the Crimeware-as-a-Service (CaaS) model in the Crimeware-toolkit market.
It enables such a toolkit to gather the data from the victims and sort it according to some rough criteria for the users, since all the data and networking is already built-in and available for the criminals and attackers.
This development will further distance the criminals from the techies - a trend that we have seen evolving over the past couple of years. This trend will get a further boost with the catching on of the CaaS model.
The bad guys are becoming more organized and sophisticated year after year. This isn't an Internet crisis anymore, it's a global crisis, and one that probably can't be solved. The profit potential is so high that we doubt anything short of turning the planet into a cold, lifeless cinder will put a stop to it.
Google Street View Becomes Driveway View
While one Pittsburgh couple sues Google over its Street View pictures of their residence, another neighboring home found itself the focus of a Google camera car that drove up its driveway.
No word yet on whether Janet and George McKee plan to ask Google for $25,000 for taking pictures of their Pittsburgh home, as Aaron and Christine Boring did in their lawsuit over Google's Street View photography.
The Smoking Gun reported on the series of pictures of the McKees' home, where the driver of the camera car entered the private property. That's a no-no by Google's standards; drivers are supposed to stay on public property.
The Google car traveled up the long driveway, ending up in front of the two-story home's three-car garage. Pictures on The Smoking Gun showed the progress of the car as it left the obvious street for the unpaved gravel of the McKees' homestead.
When The Smoking Gun tipped off Janet McKee as to Google's impromptu visit, she said it was "a little bit creepy to think of someone filming our home without me knowing about it."
It isn't known why the driver of the Street View car chose to stop by the McKees' driveway. Perhaps he or she thought the driveway was some kind of connector road, and upon entering it had no way to turn around until reaching the McKees' house.
Identity Info Breaches Hitting Everywhere In 2008
Commercial businesses, colleges and universities, government offices, and medical facilities of varying sizes share the common label of being hit by identity thieves.
167 breaches revealing over 8.3 million records happened or became public in the first three months of 2008, according to the nonprofit Identity Theft Resource Center. Targets of attacks ranged from a Vermont ski resort to the University of Georgia, and plenty of points in between.
Some of the breaches happened due to internal misuse of customer data. At Bank of the West in Washington state, a loan officer used applications from customers to steal identities. Cassidy Janosky and her mother rang up $16,000 in purchases like plasma TVs and electronics from a local Sears store.
Other breaches happened due to laptop theft, like that of the Florida Department of Children and Families. Five laptops stolen from their Orlando office forced them to alert 1,200 staffers that their Social Security numbers, birth dates, and other information were at risk.
Then there was the old standby, the lost backup tape. In one particularly embarrassing case, secure storage business Iron Mountain lost one with credit card information on 650,000 customers. Names, addresses, and Social Security numbers were on it as well.
Oh, there were network breaches as well. One can essentially envision an attack vector, and something probably happened along those lines, since reported incidents for Q1 2008 more than doubled what ITRC picked up on for the same period last year.
Nick Cavalancia of ScriptLogic said in commenting on the report that security pros need near-real time notification of sensitive file system events, especially in environments where regulatory compliance like Sarbanes-Oxley is a reality.
"Businesses must be able to provide reports indicating permission changes, highlighting what changes were made, who made them and when they were made," he said. Cavalancia also recommended administrators be able to lock down the myriad devices like iPods people bring into workplaces, to mitigate data theft.