Categories
Computer & Network Security>Microsoft|Computer & Network Security>Microsoft Security Bulletin|Computer & Network Security>Patches

Microsoft January Security Bulletin

Today Microsoft released four security bulletins. All of them have a maximum severity rating of Important.

Source: https://technet.microsoft.com/en-us/security/bulletin/ms14-jan

Categories
Information Security>Data Breach|Computer & Network Security>Malware|Compliance>PCI|Research

Target Data Breach Timeline

Updated: As originally reported by the WSJ, and sourced here from Business Insider, Target had been warned last spring about a new emerging threat against POS systems. Internal analysts requested additional scrutiny.

Updated: According to an article posted on Krebsonsecurity “the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.”

The recent retail breaches show that compliance is not enough. Cyber security needs to be an organization-wide initiative:

Initial Target Data Breach

Breach: Target, sometime between Thanksgiving and December 15th, 2013.  Estimated 40 million records.

Discovered: Sometime around mid December 2013.

Reported: Target confirms breach of 40 million records on December 19th, 2013.

Notes: Wed, December 18th, data from the theft had already flooded underground markets.

Neiman Marcus Confirms Breach

Breach: Scope unknown. UPDATED: included credit and debit cards dating back to July 2013. UPDATED: approximately 1.1 million credit and debit cards affected.

Discovered: Sometime around mid December 2013. UPDATED: The breach was not confirmed until January 1st.

Reported: Jan 10th 2013, Neiman Marcus reports breach.

Second Target Data Breach

Breach: On Jan 10th, 2013 Target confirms a second breach, which included names, emails, and phone numbers of up to 70 million additional records.  This occurred sometime between Thanksgiving and December 15th, 2013.  Estimated 70 million records for a total of 110 million records.

Discovered: Two to five weeks after the initial breach.

Reported: Over a month after the initial breach.

Jan 12th, 2013 Reuters reports more well-known retailers have been breached.

Source: http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112

UPDATE: The malware known as KAPTOXA has been reported to be involved in the Target breach and is suspected to be involved in the Neiman Marcus breach. The article linked here is from iSight Partners, a global cyber intelligence firm that works with the U.S. Secret Service and the Department of Homeland Security. They claim that the malware has probably infected a large number of POS terminals throughout the retail industry. We still don’t know who the other retail companies are that were breached around the same time as Target, but it is safe to consider that they were all linked somehow.

Retailers are extremely vulnerable during the holiday season simply due to the high volume of customers. They try to get as many customers in and out as possible during peak times, and they neither want, nor have the ability, to inconvenience their customers with any increased scrutiny. In these recent attacks the attackers had access to customer data for several weeks: the breaches weren’t even discovered until at least 3 weeks after they started, and they weren’t reported until about a month later. Additionally, even after the breaches were discovered, not all of the information was available, so the known scope was incomplete. It took Target over a month to understand the full scope of its breach, which is currently the largest breach in history, surpassing the TJ Maxx breach by over 60 million records.

This raises the question: is compliance enough? Retailers such as Target are required to be PCI-DSS compliant to handle credit cards, but does that mean the organization is secure? Security is a top-down, cultural and organizational mindset. If security doesn’t start from the top, with funding and initiative, and flow down to scrutiny and diligence, then security holes will exist and there will never be a completely secure organization. People make mistakes, systems will be compromised, and ultimately data will be breached. The question is, how quickly can an organization recognize and respond to the breach?

Categories
Information Security>Data Breach|Compliance>Privacy

Target Breach now affects 110 million users

Joshua Carter, public relations manager at Target, said, “This theft is not a new breach; these are two distinct thefts as part of the same breach and this development was uncovered in the course of the ongoing investigation. The 70 million guests impacted by this new development are separate from the 40 million number that was previously shared.”

This goes to show how easily a data breach can get out of hand. Not only has it taken months for all of the information to come out, the breadth of the breach continues to grow. The Verizon breach report says that it typically takes attackers seconds to hours to carry out a breach, and that it can take organizations months to find out, let alone deal with the issue. Can your business recognize a breach if it happened?

We have managed security services that can help your organization correlate events and configure alarms to detect anomalies in the regular behavior.

Source: http://www.scmagazine.com/separate-info-on-70m-stolen-in-target-breach/article/328827/


Categories
Computer & Network Security|Information Security|Social Engineering>Phishing|Compliance>Privacy

LinkedIn Profiles: Ripe for phishing recon

The author notes that LinkedIn has “…more than 259 million members—many who are highly paid professionals in technology, finance, and medical industries—LinkedIn holds a wealth of personal data that can prove highly valuable to people conducting phishing attacks, identity theft, and similar scams.”

Many times there are legitimate business reasons to post identifiable information such as an email address or phone number on LinkedIn. Is it necessary to add things like date of birth or home address? Users must keep in mind the type of information they make available and what it could be used for.

Additionally, do you ‘know’ each of your contacts? How often do you get a connection request from someone you don’t really know, but feel it could be beneficial to connect with? A previous post references a targeted phishing attack through LinkedIn. These situations continue to emphasize the need for users to be aware of what information they make available, regardless of the perceived trust of the system in use.

Source: http://arstechnica.com/security/2014/01/hackers-use-amazon-cloud-to-scrape-mass-number-of-linkedin-member-profiles/

Categories
Research|Computer & Network Security>Vulnerabilities

OWASP Top 10 For Developers

Troy Hunt wrote a great series on the OWASP Top 10 for developers. The series is a few years old, but it is still completely relevant since the OWASP Top 10 has remained the same for a while.

OWASP Top 10 for .NET developers series

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Categories
Computer & Network Security>Malware|Computer & Network Security>Viruses

Hackers announce ransomware toolkit

Two hackers, going by ‘gyx’ and ‘Porphyry’, have released what they are calling Prison Locker, a toolkit for customizing your own ransomware. They are apparently selling it for as little as $100. This is not good news for users who have yet to protect their systems. Because the ransomware can now arrive through many different avenues and with many different customizations, this makes the malware much more dangerous.

Read more: http://thehackernews.com/2014/01/power-locker-ransomware-upcoming_3.html

Categories
Social Engineering>Phishing|Compliance>Privacy

LinkedIn is a good marketing tool, but what else can it be used for?

LinkedIn is ripe with information about people. In a targeted attack, Facebook and LinkedIn would probably be the two places to start gathering information. Many people lock down Facebook, but LinkedIn doesn’t have the same privacy controls, and in fact the information on LinkedIn is often meant to be public. What LinkedIn provides is a free, centralized source for that information.

Source: http://securityaffairs.co/wordpress/19446/cyber-crime/linkedin-targeted-attacks.html

Categories
Information Security|Computer & Network Security>Malware

Who was affected by the php.net attack?

Geographic breakdown of machines infected by DGA Changer

This is related to our initial post about the PHP.net attack and whether or not the source code was compromised.  According to this article, “One of five distinct malware types served to visitors of php.net from October 22 to October 24, DGA.Changer employs a novel way of evading detection and takedown attempts.”

Source: https://arstechnica.com/security/2013/12/hackers-who-breached-php-net-exposed-users-to-highly-unusual-malware/

Categories
Information Security|Compliance>Privacy|Social Engineering|Computer & Network Security>Vulnerabilities

Are the websites you’re using tracking what you type?

Source: http://nakedsecurity.sophos.com/2013/12/17/are-the-websites-youre-using-tracking-what-you-type/

  • Backspacing, select-all/delete, hitting cancel, or whatever else you did to avoid telling the world what you typed may have been logged.
  • Self-Censorship on Facebook (PDF) describes a study conducted by two Facebook researchers, who said they used code embedded in the web pages to determine whether anything had been typed into the forms in which we compose status updates or comment on people’s posts.
  • If the content wasn’t shared within 10 minutes, it was marked as self-censored.
  • According to Facebook: “the things you explicitly choose not to share aren’t entirely private.”
  • Facebook spent 17 days tracking abandoned posts in a manner that some might find discomforting, and readers are reminded that the internet allows website owners to be far, far more invasive.

Categories
Compliance|Information Security>Data Breach|Computer & Network Security>Patches|Computer & Network Security>Vulnerabilities

Poor Patching, Communication Facilitated July Dept. of Energy Breach

Source: http://threatpost.com/poor-patching-communication-facilitated-july-dept-of-energy-breach/103200

  • The U.S. Department of Energy describes what led to the July breach.
  • Failures around vulnerability management, access controls and a general lack of communication between decision makers.
  • Hackers were able to penetrate a Web-facing application and steal personal information on 104,179 current and former employees, dependents and contractors.
  • They had access to unencrypted information that could have included names, addresses, Social Security numbers, dates of birth and bank account information.
  • DOE failed to live up to industry standards and government mandates, not only around encryption of sensitive data but also around installing software updates. The updates that would have prevented the breach were purchased in March, but instead sat for five months in a testing environment; they cost significantly less than the expected $3.7 million price tag for credit monitoring and other recovery costs.