Monday, May 20, 2013

Chinese End Hacking Hiatus

Chinese hackers associated with the PLA (People's Liberation Army) had dialed back their cyberattacks in the wake of US protests. This hiatus appears to have ended.

An embarrassing public exposure of a unit closely associated with the PLA had led to a temporary decrease in attacks. The Chinese government appears to have calculated that the downside of the publicity surrounding the attacks is outweighed by the benefits they are reaping.

This is likely to be an ongoing feature of the online world.

Thursday, May 16, 2013

Data Protection Pointers

eWeek recently posted a slideshow describing several suggestions for planning a data protection policy in a Hadoop framework. The pointers apply to other data environments as well:
  1. Account for data protection in the planning phase of the project. Take compliance and privacy concerns into account in the initial design and architecture.
  2. Identify data elements that need special protection. What compliance or liability concerns apply to those elements?
  3. Does the application need access to the complete, raw data set? Can the data be masked, obfuscated, or desensitized?
  4. What encryption requirements do you have? What encryption solutions are available? Do they interoperate with the authentication methods in the environment?
  5. Establish standards. It will be easier to keep all the data safe if it is kept in standard templates.

CIO Magazine estimates the value of a data breach at $184-$330 million. Given the cost to an organization's reputation, there is a business imperative in placing adequate resources and thought behind protecting the data in our custody.

Tuesday, May 14, 2013

ColdFusion Vulnerability Nets Attackers SSNs and DL Numbers

A ColdFusion vulnerability whose patch was released in January 2013 was used by attackers against the Washington State Administrative Office of the Courts (AOC). The attackers compromised 160,000 Social Security Numbers and about a million drivers' license numbers.

Organizations may need to take a close look at their patch philosophies, since many organizations would have difficulty testing and deploying an application server patch in such a relatively short time window. This compromise highlights the importance of defense in depth, and the importance of protecting data with the enterprise architecture, not just the capabilities of a particular product.

Sunday, May 12, 2013

Happy Mother's Day!

Federal Government to Default to Open Data

A recent executive order by President Obama mandates government agencies to default to a data policy of being open, publicly-available, and machine-readable.

Exceptions are allowed for information involving privacy, security, or confidentiality. There are obvious concerns that a government agency may not be as careful about privacy-related information as we would like.

Legislation to Track Foreign Hack Attacks

Legislation has been introduced in the US Senate to report on the activities of foreign government-sponsored cyber attacks.

A recent Pentagon report showing significant intrusions sponsored by the Chinese government is a key contributor to the renewed interest in this issue. A recent report by Mandiant definitively tracing attacks to the Chinese PLA's doorstep exposed some of the methods used in these attacks. Experts have also noted an increased pace of attacks that may be linked to other actors such as Iran.

One provision of the bill would restrict imports of technology that is identified as having been stolen as a result of these attacks.

While it is always important to bring out the results of cyberattacks, it may be more effective to focus attention on promoting good information security practices. Current regulations and security audits tend to focus more on paperwork than on the actual effectiveness of controls.

Good examples of best practices recommendations include the SANS 20 Critical Controls and the 31 guidelines recently released by US CERT.

Wednesday, May 8, 2013

Honeywords

Researchers have proposed that files containing encrypted passwords should include several false encrypted passwords (known as "honeywords") along with the real encrypted password. These should be indistinguishable to someone who has been able to access the file.

When one of the false passwords is entered, it would alert administrators that an attack is underway.

A similar security measure, using bogus accounts (known as "honeypot accounts"), alerts administrators when someone is trying to log into them.
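The two mechanisms described above, as an added example in Python (not code from the original post, and not the researchers' reference design): a password file holds, for each account, one salt and several indistinguishable hashes, while a separate "honeychecker" store holds only the index of the real hash, the list of bogus honeypot accounts, and the alerts raised. Assumptions of mine: passwords are stored as salted PBKDF2-SHA256 hashes (the post says "encrypted" passwords), decoys are produced by a simple tail-tweaking scheme, and all function and class names are hypothetical.

```python
# Added example (not from the original post): honeyword and honeypot-account checks.
# Assumptions: salted PBKDF2-SHA256 hashes, tail-tweaked decoys, and a separate
# "honeychecker" that knows only which stored hash is the real one.
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; use a far higher cost in production


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def generate_honeywords(real, count, tail=3):
    """Decoys that keep the real password's shape but replace its last `tail`
    characters with random characters of the same class (digit, letter, other)."""
    rng = secrets.SystemRandom()
    decoys = set()
    attempts = 0
    while len(decoys) < count and attempts < 100 * count:
        attempts += 1
        head, end = real[:-tail], real[-tail:]
        new_end = "".join(
            rng.choice(string.digits) if c.isdigit()
            else rng.choice(string.ascii_letters) if c.isalpha()
            else rng.choice(string.punctuation)
            for c in end
        )
        candidate = head + new_end
        if candidate != real:
            decoys.add(candidate)
    # Fallback for very short passwords, where tweaking cannot yield enough unique decoys.
    while len(decoys) < count:
        decoys.add(real + secrets.token_hex(2))
    return sorted(decoys)


@dataclass
class PasswordFile:
    """What a thief of the file sees: per user, a salt and N hashes that look alike."""
    entries: dict = field(default_factory=dict)  # user -> (salt, [hash, ...])


@dataclass
class HoneyChecker:
    """Separate, hardened store: real-hash index per user, decoy accounts, alerts."""
    real_index: dict = field(default_factory=dict)
    honeypot_accounts: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def register(pwfile, checker, user, password, honeywords=None, count=4):
    if honeywords is None:
        honeywords = generate_honeywords(password, count)
    # Dedupe, make sure the real password is not also listed as a decoy, then shuffle
    # so the real hash sits at a random position in the stored list.
    sweetwords = [w for w in dict.fromkeys(honeywords) if w != password] + [password]
    secrets.SystemRandom().shuffle(sweetwords)
    salt = os.urandom(16)
    pwfile.entries[user] = (salt, [hash_password(w, salt) for w in sweetwords])
    checker.real_index[user] = sweetwords.index(password)


def create_honeypot_account(pwfile, checker, user):
    """A bogus account nobody is told about; any login attempt against it is suspicious."""
    register(pwfile, checker, user, secrets.token_urlsafe(16))
    checker.honeypot_accounts.add(user)


def login(pwfile, checker, user, password):
    """Return 'ok', 'fail', 'honeyword_alert' or 'honeypot_alert'; record alerts."""
    if user in checker.honeypot_accounts:
        checker.alerts.append(("honeypot_account", user))
        return "honeypot_alert"
    if user not in pwfile.entries:
        return "fail"
    salt, hashes = pwfile.entries[user]
    submitted = hash_password(password, salt)  # one salt per account: hash once, compare N times
    matches = [i for i, h in enumerate(hashes) if hmac.compare_digest(h, submitted)]
    if not matches:
        return "fail"
    if matches[0] == checker.real_index[user]:
        return "ok"
    # A decoy matched: the password file was almost certainly stolen and cracked.
    checker.alerts.append(("honeyword", user, matches[0]))
    return "honeyword_alert"


if __name__ == "__main__":
    pwfile, checker = PasswordFile(), HoneyChecker()
    register(pwfile, checker, "alice", "Summer2013!")  # constructed sample account
    create_honeypot_account(pwfile, checker, "backup-admin")
    print(login(pwfile, checker, "alice", "Summer2013!"))
    print(login(pwfile, checker, "backup-admin", "anything"))
    print(checker.alerts)
```

The point of the split is that someone who steals only the password file sees N equally plausible hashes per account and cannot tell which one is real; a decoy that later matches at login is therefore a high-confidence signal that the file was both stolen and cracked, and the honeychecker is the only place that can make that distinction.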

Tuesday, May 7, 2013

reputation.com Reputation Tarnished by Security Breach

reputation.com, a company that advertises its ability to help manage customers' online reputations, suffered a security compromise of its own. Information stolen includes customers' physical addresses and employment history, both of which could potentially be useful in an identity attack. Some encrypted passwords were also stolen.

Unfortunately, part of the company's damage control efforts included misinformation about the risk posed by the stolen encrypted passwords. Dictionary-based attacks on encrypted passwords depend only on having enough computing power, especially given the poor quality of most passwords, and in an environment where the Internet is swimming in easily hackable powerful computers, computing power is not much of a barrier to entry.

(Since many people use a single password across platforms, a stolen encrypted password for one account could allow an intruder to access a broad range of accounts, including bank accounts and accounts at a target's workplace.)

Monday, May 6, 2013

Drone Maker's Secrets Stolen by Chinese PLA

Chinese hackers tied to the PLA (People's Liberation Army) have had access to secret information from QinetiQ, one of the world's foremost designers of military drones. Investigators have discovered that most, if not all, of the secret information in QinetiQ's computer network was compromised as a result of the breach.

Ironically, QinetiQ won a bid to consult with the Department of Defense on cyber-threats.

Denials by the Chinese government have been less than convincing, given the thoroughness of the report released by security firm Mandiant.

State-sponsored cyberattacks have become more common in recent months. These attacks can be particularly difficult for a company to defend against, since the resources of a state sponsor can swamp an individual security department. Even with that, most attacks can be defended against by following basic security principles like the 20 controls recommended by SANS. The US CERT has released 31 guidelines to protect against a broad range of attacks.

In the case of QinetiQ, for example, two-factor authentication would have protected against the most damaging hacks, if it had been implemented.

UPDATE: The Pentagon has directly accused the Chinese government of cyber-spying. The Chinese response:

Although it is common sense that you cannot determine sources of cyber attacks only through IP addresses, some people in the Pentagon still prefer believing they are from China as they always bear a sense of rivalry. It is an allegation based on presupposition.

Department of Labor Hacked

A Department of Labor sub-site appears to have been hacked, and the affected site distributed malware to the computers of people viewing the web pages. The "Site Exposure Matrices" page redirected viewers to pages which gathered information about the computer viewing the site, attempted to disable common AntiVirus packages, then attempted to run malware associated with the Chinese-linked DeepPanda operation.

The malware attempted to install command and control software on the PCs of people who had not applied the patch for the vulnerability the malware exploited.

The site is used by people who are applying for job-related compensation for workers in the energy field.

UPDATE: People using the IE (Internet Explorer) 8 browser are vulnerable to the exploit on the DOL web site. A module exploiting this bug is available for Metasploit. It is not clear whether this will be patched in the next Microsoft patch round, but a patch is not available as of this writing. IE8 users are urged to update to a current, fully patched version of IE.

UPDATE: The May 13 patch round will include a fix for this vulnerability for IE 8. A temporary work-around has been provided by Microsoft as well.

Wednesday, May 1, 2013

Cybercrooks Target Small Businesses

The Symantec Internet Security Threat Report for 2013 notes that the number of attacks against small businesses has spiked, rising from 18% of attacks in 2011 to 31% in 2012.

While there are fewer rewards for attacks against a smaller business, attackers view smaller businesses as easier targets.

Ships Inadvertently Broadcast Location on Internet

More than 34,000 ships can potentially be tracked over the Internet via their Automated Identification System (AIS) feed.

This system allows ships to share location information in order to help avoid collisions.