THDP26 Information Security Why Can’t We be Serious

Information Security

Tonight we are talking about malware and the state of Internet security overall.   Next week we will have our “2nd Annual Laptop Buyer’s Guide”.  And that will be followed by “Internet Security – Internet Scams”.

When I started planning this podcast I was calling it “Serious Talk about Online Security”.  Or maybe “When Will we Start Taking Security Seriously?”  Then I thought we should cover a more specific subject and we should cover each specific subject matter in a different episode.  Or two.  Or three.  Online Security.  Internet security.  Internet crime.  Cyber-Crime.

According to CompTIA, a major player in IT certifications, there are six domains, six specialties, six areas of concentration within the broad subject of “Internet Security”.  They are:

o   Network Security

o   Compliance and Operational Security

o   Threats and Vulnerabilities

o   Application, Data and Host Security

o   Access Control and Identity Management

o   Cryptography

In addition to this list, the (ISC)2 website, for its CISSP certification, adds domains such as:

o   Software Development Security

o   Business Continuity and Disaster Recovery Planning

o   Security Architecture and Design

Heck, I count 83 different certifications in this field.  So, yes, too broad.

Back in the day (the mid to late 90’s) we thought we were being inundated by malware.  Viruses, Trojans, worms.  Heck, it was so bad the anti-virus companies were having to push signature updates almost weekly to keep up.  Then in the early 2000’s they needed to update daily.  Then several times a day.  Now these same companies report they are seeing new unique malware samples to the tune of 300,000 to over 500,000 per day.

In the article “5 Reasons Internet crime is worse than ever”, by Roger A. Grimes, published August 5, 2014 in the online magazine InfoWorld, the author states that Internet crime has never been bigger than it is today.  His 5 reasons are:

1)    Internet criminals are almost never caught

   The author says the average cyber-criminal isn’t some uber-smart brainiac; they just lack morals and a sense of conscience.

2)   Indefinite legal jurisdiction

   Many if not most of these people are in Russia, China, North Korea, Iran or on some other foreign soil, out of reach of the victim’s courts.

3)   Lack of legal evidence

   Collecting and preparing good legal evidence takes planning and commitment.  There are precious few organizations in this field with that.

4)   Lack of resources

   Too many people are ashamed to report the crime, and large organizations are afraid of what the news would do to their bottom line.

5)   Cyber-crime isn’t hurting the economy enough yet

   Most Internet crime is seen as the cost of doing business.  It will probably take a huge world-wide disaster to push society to the point where it no longer tolerates Internet crime.

A family of malware

The Payment Card Industry Data Security Standard (PCI DSS) requires cardholder data to be encrypted when it is stored and when it crosses open, public networks, but it does not (and cannot) require the data to stay encrypted inside the payment application itself: to authorize a transaction the POS software has to read the magnetic-stripe track data in the clear, so for a brief window it sits unencrypted in the terminal’s RAM.  Something called RAM-scraping malware is designed to run on the POS system and read that memory.  It searches process memory for track data, typically by pattern-matching the Track 1 and Track 2 formats, harvests the cleartext card data and transmits it to a server the attackers control.  You can bet that server will be located offshore.  Like Russia.

There are different versions of malware that use this RAM-scraping technique, such as BlackPOS, Backoff, Trackr and Alina (related to Trackr).  Today we are talking about Backoff specifically.  According to the US-CERT alert on it (TA14-212A, July 31, 2014) it has 4 capabilities:  scraping memory for track data, logging keystrokes, command and control (C2) communication, and injecting a malicious stub into explorer.exe.

The stub injected into explorer.exe provides persistence: if the malware’s own executable crashes or is forcefully stopped, the stub restarts it, which is what makes it hard to get rid of.  The memory scraping targets RAM because that is where the track data sits, in cleartext, during the authorization process; the application has to read it to process the payment, so there is no encryption for the malware to defeat.  The keylogger records everything typed at the terminal, and the C2 component uploads the scraped data, updates the malware and downloads and executes further malware.
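To make the scraping concrete, here is an added example (mine, not code from the podcast or from any Backoff sample) of the pattern search a RAM scraper performs over a buffer of process memory. It looks for the Track 1 and Track 2 magnetic-stripe formats and applies a Luhn check to discard random digit runs, which is also what an incident responder runs over a memory dump to confirm that cleartext card data was exposed. The memory buffer, the regular expressions and the card numbers are constructed test values.

```python
"""Added example (not from the podcast): scan a buffer the way a POS RAM
scraper does, looking for magnetic-stripe track data in process memory.
All card numbers below are constructed test values, not real accounts."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# (regexes are this example's own approximation of the ISO 7813 layouts)
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})\d{3}[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}\d{0,24}\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check; scrapers use it to drop digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(memory: bytes):
    """Return (track, pan, expiry) for every Luhn-valid track record in `memory`."""
    hits = []
    for m in TRACK1_RE.finditer(memory):
        pan, exp = m.group(1).decode(), m.group(3).decode()
        if luhn_valid(pan):
            hits.append(("track1", pan, exp))
    for m in TRACK2_RE.finditer(memory):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        if luhn_valid(pan):
            hits.append(("track2", pan, exp))
    return hits


def mask_pan(pan: str) -> str:
    """PCI-style masking for anything you log: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a slice of the payment application's memory.
SAMPLE_MEMORY = (
    b"\x00\x00auth_req\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?"   # Luhn-valid test PAN
    b"\x00\x00"
    b";5555555555554444=25121010000000000?"            # Luhn-valid test PAN
    b"\x00junk;1234567890123456=2512101?\x00"          # fails Luhn, skipped
    b"\x00"
)

if __name__ == "__main__":
    for track, pan, exp in scrape_tracks(SAMPLE_MEMORY):
        print(track, mask_pan(pan), "expires", exp)
```

The scan finds the two valid records and ignores the decoy, which is the point: once the data is in RAM nothing but the surrounding garbage separates it from the attacker, so the defence has to be keeping the attacker off the terminal in the first place.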

RAM scrapers were first called out in Verizon’s 2010 Data Breach Investigations Report.  Their next big appearance was the 2013 Target attack (the variant there was BlackPOS), and this family has been verified to have struck P.F. Chang’s, Neiman Marcus, Sally Beauty Supply and Goodwill Industries.  Even though they are denying it, Dairy Queen has “probably” been breached also.  Just to note here, last week the US Department of Homeland Security and the Secret Service said that more than 1,000 American businesses have faced attacks aimed at stealing credit card data with this malware.  Then KrebsOnSecurity reported last week that The UPS Store, a UPS subsidiary, scanned its systems for this malware and found it at 51 franchise locations in the USA.

How does it get in?  The attackers (the malware does not do this part itself) scan the Internet for systems exposing remote desktop tools such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop and LogMeIn, then brute-force the login with weak, default or reused passwords; that is the entry vector described in the US-CERT alert.  Once they have a remote desktop session they install Backoff by hand.  There are more and more remote desktop tools in use in the Enterprise these days, and very often the accounts behind them do not have their rights and privileges kept current.  Let’s just say that as time goes on, if Active Directory group memberships and Group Policy (lockout thresholds, password rules, who is allowed to log on remotely) are not kept up to date, exposed remote-access accounts with weak passwords and excess privilege accumulate, and that is exactly what this attack preys on.
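Because the documented entry vector is password guessing against an exposed remote desktop service, the first alarm is in the Windows Security log. The following added example (mine, not from the podcast or from US-CERT) flags a burst of failed RDP logons (event 4625 with logon type 10, RemoteInteractive) from one source and records whether a successful logon (4624) from the same source followed, which is the signature of a guessed password. The event IDs and logon type are real Windows values; the comma-separated export format, host names, addresses and log lines are constructed.

```python
"""Added example (not from the podcast): detect the Backoff entry vector,
password guessing against Remote Desktop, in a Windows Security log export.
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
Export format and log lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed export format, one event per line:
# time,event_id,logon_type,host,source_ip,user
SAMPLE_LOG = """\
2014-08-20T02:14:07,4625,10,POS-TERM-3,203.0.113.45,Administrator
2014-08-20T02:14:09,4625,10,POS-TERM-3,203.0.113.45,admin
2014-08-20T02:14:11,4625,10,POS-TERM-3,203.0.113.45,pos
2014-08-20T02:14:13,4625,10,POS-TERM-3,203.0.113.45,Administrator
2014-08-20T02:14:16,4625,10,POS-TERM-3,203.0.113.45,Administrator
2014-08-20T02:14:20,4624,10,POS-TERM-3,203.0.113.45,Administrator
2014-08-20T08:01:02,4625,10,POS-TERM-1,10.0.5.20,jsmith
2014-08-20T08:01:30,4624,10,POS-TERM-1,10.0.5.20,jsmith
"""

FAIL_THRESHOLD = 5               # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Turn the export into (time, event_id, logon_type, host, src, user) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, host, src, user = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), host, src, user))
    return events


def detect_rdp_bruteforce(log_text):
    """One alert per (host, source) that reaches FAIL_THRESHOLD RDP failures
    within WINDOW; success_after names the account if a 4624 then followed."""
    recent_fails = defaultdict(list)
    alerts = {}
    for ts, eid, ltype, host, src, user in sorted(parse(log_text)):
        if ltype != 10:                      # only RemoteInteractive (RDP) logons
            continue
        key = (host, src)
        if eid == 4625:
            window = [t for t in recent_fails[key] if ts - t <= WINDOW] + [ts]
            recent_fails[key] = window
            if len(window) >= FAIL_THRESHOLD:
                alert = alerts.setdefault(
                    key, {"first_seen": window[0], "failures": 0, "success_after": None})
                alert["failures"] = max(alert["failures"], len(window))
        elif eid == 4624 and key in alerts and alerts[key]["success_after"] is None:
            alerts[key]["success_after"] = user   # guessing stopped because it worked
    return alerts


if __name__ == "__main__":
    for (host, src), alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{host} from {src}: {alert['failures']} RDP failures since "
              f"{alert['first_seen']}, then logged in as {alert['success_after']}")
```

A single failed logon from an internal address, as on POS-TERM-1, is normal and stays quiet; the run of guesses from the external address followed by a success is the case worth waking someone up for. The same check is what an account lockout policy in Group Policy would have enforced before the fifth attempt.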

You just can’t make this up

Morning Scan: Cyber Attack Limited to JPMorgan?; iPhone Payments Threat


AUG 29, 2014 8:45am ET

Was JPMorgan Chase the Only Victim? Seven large banks said Thursday that they had no indication that their systems had been breached in the latest cyber attack on financial institutions, the Wall Street Journal and Financial Times both reported. Bank of America, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, Bank of New York Mellon, State Street and SunTrust Banks all said they have not detected signs of a breach. The FBI and other agencies are investigating possible Russian involvement in the attack, which may have been conducted by breaking into the personal computer of an employee working from home. Finally, the Washington Post asks a question that’s important to me and you, but apparently not so much to banks: why are customers usually the last to know if their personal information has been stolen in a cyber attack?

I researched this story and I could not find any other banks that were named.  I must add that JP Morgan didn’t exactly admit they were hacked but they said they were investigating the possibility.

 Ok, still, why does it happen?

Ok, but we still have to understand why it is happening.  All Enterprise organizations have “stringent” security policies in place.  How can this happen?  Well, with Target, it has been pretty much determined that they did indeed drop the ball on enforcing their own security: by the widely reported account, their monitoring tools raised alerts during the intrusion that nobody acted on.  They were complacent.  They became lax.

So there must be something someone can do, right?

So there must be something someone can do, right?  If malware has been dropped on a terminal, the checksum of the affected files, or of the whole system image, no longer matches the known-good build; file-integrity monitoring, which PCI DSS itself requires, exists precisely to raise that alarm.  How about nobody noticing that a POS terminal is sending data to a remote server in Russia?  A POS system has a very short list of legitimate destinations (the payment gateway, a patch server), so any other outbound connection should stand out in the firewall logs.  I’m willing to bet that if the logs were studied (and I am quite sure they were) you would find enough abnormalities to raise an alarm.
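The egress check is simple enough to show. This added example (mine, not from the podcast) walks firewall log lines for a POS network segment and alerts on any destination that is not on the short allowlist of hosts a terminal legitimately talks to, then totals bytes per source/destination pair so a drip-feed of scraped data to one foreign server stands out. The log format, the addresses, the segment and the allowlist are all constructed.

```python
"""Added example (not from the podcast): egress allowlisting for a POS segment.
Firewall export format, addresses and the allowlist are constructed."""
import ipaddress

# Assumed firewall export, one accepted outbound flow per line:
# time,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_FW_LOG = """\
2014-08-20T02:30:01,10.20.0.11,198.51.100.10,443,1820
2014-08-20T02:30:05,10.20.0.11,198.51.100.10,443,2210
2014-08-20T02:31:00,10.20.0.11,203.0.113.77,443,48211
2014-08-20T02:41:00,10.20.0.11,203.0.113.77,443,51904
2014-08-20T02:45:00,10.20.0.12,192.0.2.200,80,955
2014-08-20T03:00:00,10.20.0.12,10.20.0.1,53,120
"""

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")          # constructed
# The only places a terminal should ever talk to: payment gateway and the
# segment's own DNS/patch host.  Everything else is an alert, not a judgement call.
ALLOWED_DESTINATIONS = {
    ipaddress.ip_address("198.51.100.10"),
    ipaddress.ip_address("10.20.0.1"),
}


def egress_alerts(log_text):
    """Every flow from the POS segment to a destination outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in POS_SEGMENT:          # only police the card-handling hosts
            continue
        if dst_ip not in ALLOWED_DESTINATIONS:
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "port": int(port), "bytes": int(nbytes)})
    return alerts


def summarize(alerts):
    """Total bytes per (src, dst) so a steady trickle to one host adds up."""
    totals = {}
    for a in alerts:
        key = (a["src"], a["dst"])
        totals[key] = totals.get(key, 0) + a["bytes"]
    return totals


if __name__ == "__main__":
    for (src, dst), total in sorted(summarize(egress_alerts(SAMPLE_FW_LOG)).items()):
        print(f"{src} -> {dst}: {total} bytes to a non-allowlisted destination")
```

Note that the suspicious flows use port 443, so a rule that only allows "web traffic" would have let them through; for a POS segment the destination, not the port, is the thing to whitelist.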

If we were to look at 10 companies we would probably find a plague of unacceptable security policies.  If we found seemingly good policies we would find out they are grossly out of date.  We could start with password management.  How often do I hear users complain when they have to change their password every year?  What would they say if best practices were followed and they were changed every 45 to 120 days?  As I mentioned before, permissions are very often woefully out of date on privileged accounts.  The Information Security industry constantly comes up with the greatest, best, most comprehensive solutions you can imagine.  I’m willing to bet most of these unacceptable practices could be halted by a simple security audit.

Thanks for listening.
