Tuesday, August 18, 2009

 

Three Indicted in Largest Corporate Identity Theft Case in History

Monday, August 17, 2009



Federal authorities indicted three men in New Jersey in a massive identity theft case that the Justice Department is labeling the largest in American history.

Albert Gonzalez of Miami, 28, is charged with acting with two unnamed conspirators to locate large corporations and steal vital account information in a crime that the Department of Justice calls "the single largest hacking and identity theft case ever prosecuted."

Authorities say more than 130 million credit and debit card numbers were stolen in a corporate data breach involving three different corporations and two individuals. The card numbers, along with additional account information, were allegedly stolen from Princeton-based Heartland Payment Systems; 7-Eleven Inc., a Texas-based convenience store chain; and Hannaford Brothers Company, a Maine-based supermarket chain.

The indictment also mentions two other unidentified corporate victims as being hacked by the co-conspirators.

According to the Justice Department, the suspects used a sophisticated hacking technique called an "SQL injection attack," which "seeks to exploit computer networks by finding a way around the network's firewall to steal credit card and debit information."
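As an added example, not from the article or the indictment, the class of flaw behind an "SQL injection attack" is shown below as a lookup that pastes user input into SQL text next to the same lookup written with a bound parameter. The table, its rows and the inputs are constructed here, and sqlite3 stands in for whatever database a victim actually ran.

```python
"""Added example (not the article's code): a query built by string
concatenation beside its parameterised form, so the difference in how
the database treats the input is visible.  Data is constructed."""
import sqlite3


def make_db():
    """In-memory database with a constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: the caller's text becomes part of the SQL statement,
    so the database parses whatever was typed as query syntax."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the text is sent as a bound parameter and is only ever
    compared as a value; the statement's structure cannot change."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the quoted literal and appends an
    # always-true condition: the unsafe path returns every row, the safe
    # path treats it as an e-mail address that matches nothing.
    crafted = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, crafted))
    print("safe:  ", lookup_safe(db, crafted))
```

The point for defenders is that the fix is structural: with a bound parameter the statement is compiled once and the input can only ever be a value, so input validation is a second layer rather than the only one.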

According to the two-count indictment alleging conspiracy and conspiracy to engage in wire-fraud, beginning in October 2006, Gonzalez and the others would seek out Fortune 500 companies and attempt to identify potential vulnerabilities in their computer systems.

After reconnaissance of the computer systems was completed, information would be uploaded to servers that served as hacking platforms. Once the data was located, it was stolen from the corporate servers and placed on servers around the world controlled by the suspects.

Upon the alleged theft of the data, Gonzalez, known online as "soupnazi," and his co-conspirators would seek to sell the data to others who would then use it to make fraudulent purchases, unauthorized withdrawals from banks and other identity theft schemes, the Justice Department said Monday.


If convicted, Gonzalez could face up to 20 years on a charge of wire-fraud conspiracy and an additional five on the conspiracy charge. He also faces fines of up to $250,000 for each charge.

He is currently in federal custody. The whereabouts of the two unidentified suspects, both from Russia, are unknown.

The latest charges are hardly Gonzalez's first brush with the law — in May 2008, the U.S. Attorney's Office of New York charged him for his alleged role in the hacking of a computer network run by a national restaurant chain. He is slated to stand trial on those charges in September of 2009.

In August of 2008, he was indicted on additional charges for a number of hacks into eight major retailers including discount giant TJ Maxx that involved an estimated 40 million credit cards and cost TJ Maxx $200 million. He is scheduled for trial on those charges in 2010, the Department of Justice said.

Heartland Systems announced a suspected breach on January 20, 2009, noting the discovery of "evidence of an intrusion," but denying the compromise of any merchant data, social security numbers, PIN numbers or addresses. It has an entire Web site devoted to the breach, accessible at www.2008breach.com. At the time of the 2008 intrusion, Heartland was responsible for processing 100 million payments for at least 250,000 businesses each month, the Washington Post reported.

FOXNews.com's Allison McGevna and FOX News' Mike Levine contributed to this report

Thursday, August 06, 2009

 

Researcher reveals massive 'professional thieving' botnet

Ultra-stealthy Clampi Trojan snags 'tremendous' amount of financial info, money
Gregg Keizer
July 29, 2009 (Computerworld) A ferocious piece of malware that's infected up to a million PCs is stealing a "tremendous" amount of financial information from consumers and businesses that log on to their bank, stock broker, credit card, insurance, job hunting and favorite e-shopping sites, a noted botnet researcher said today.

"Clampi is the most professional thieving piece of malware I've ever seen," said Joe Stewart, director of malware research for SecureWorks' counter-threat unit. "We know of few others that are this sophisticated and wide-ranging. It's having a real impact on users."

The Clampi Trojan horse has infected anywhere between 100,000 and 1 million Windows PCs, said Stewart -- "We don't have a good way of counting at this point," he acknowledged -- and targets the user credentials of 4,500 Web sites.

That's an astounding number, said Stewart, who has identified 1,400 of the 4,500 total. "There are plenty of other banking Trojans out there, but they usually target just 20 or 30 sites."

Hackers sneak Clampi onto PCs by duping a user into opening an e-mailed file attachment or by using a multi-exploit toolkit that tries attack code for several different Windows vulnerabilities, Stewart said. Once on a machine, the Trojan monitors Web sessions, and if the PC owner browses to one of the 4,500 sites, it captures usernames, passwords, PINs and other personal information used to log on to those sites, or to fill out forms.

Periodically, Clampi "phones home" the hijacked information to a command-and-control server run by the hackers, who then empty bank or broker accounts, purchase goods using stolen credit card information or simply compile it for future use, said Stewart.

Although that describes most key-logging or spying malware, Stewart said Clampi is different, both because of the obvious scale of its operation and because of the multiple layers of encryption and deception used by its makers to cloak the attack code and make it nearly impossible for researchers to investigate its workings.

Stewart started tracking Clampi in 2007, but began an intensive examination earlier this year. "The packing that Clampi uses is very sophisticated, and makes it really, really difficult to reverse engineer," said Stewart. "I'd say this is the most difficult piece of malware I've ever seen to reverse engineer." Security researchers often will reverse engineer malware -- pulling it apart to try to decipher how it works -- during their investigations.

"They're using virtual machine-based packers that let them take code from a virtual CPU instruction set, so that the next time it's packed, it's completely different," said Stewart. "You can't look at Clampi with a conventional tool, like a debugger. It's a real mess to follow, frankly."

The Trojan also encrypts the traffic between hijacked systems and the botnet command-and-control server using multiple methods, said Stewart. Not only is the network communications traffic encrypted with 448-bit Blowfish, but the strings inside the attack code binaries are also encrypted. Clampi also uses another unusual tactic to hide from antivirus scanners; its modules -- there are anywhere from four to seven different pieces of the malware -- are stored as encrypted "blobs" in the Windows registry.
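An added triage example, not from SecureWorks or the article: a script that reads a registry export (the text `.reg` format regedit writes) and flags binary values that are both large and nearly random, which is the shape an encrypted module "blob" takes when it is stashed in the registry as described above. The export text, key names, size and entropy thresholds and the seeded random bytes are all constructed for the demo.

```python
"""Added triage example (not the article's or SecureWorks' code): flag
large, high-entropy binary values in a Windows registry export."""
import math
import random
import re

# Matches regedit lines such as  "Name"=hex:01,02,...  or  "Name"=hex(7):...
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-f]+\))?:(?P<data>.*)$', re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_reg_export(text: str):
    """Yield (key, value_name, raw_bytes) for every hex-encoded value,
    joining the backslash-continued lines regedit writes for long values."""
    key = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        data = m.group("data")
        while data.endswith("\\") and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        raw = bytes(int(h, 16) for h in data.split(",") if h.strip())
        yield key, m.group("name"), raw


def find_suspicious_blobs(text: str, min_size: int = 1024, min_entropy: float = 7.0):
    """Return (key, name, size, entropy) for values that are both big and
    nearly random.  The thresholds are assumptions to tune per environment."""
    hits = []
    for key, name, raw in parse_reg_export(text):
        ent = shannon_entropy(raw)
        if len(raw) >= min_size and ent >= min_entropy:
            hits.append((key, name, len(raw), round(ent, 2)))
    return hits


def build_sample_export() -> str:
    """Constructed .reg text: one ordinary small value plus one 4 KiB
    seeded-random value standing in for an encrypted module blob."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    items = [f"{b:02x}" for b in blob]
    chunks = [",".join(items[i:i + 25]) for i in range(0, len(items), 25)]
    wrapped = ",\\\n  ".join(chunks)  # regedit-style continuation lines
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CURRENT_USER\\Software\\ExampleApp]\n"
        '"Settings"=hex:01,00,00,00,02,00,00,00\n\n'
        "[HKEY_CURRENT_USER\\Software\\Unknown]\n"
        f'"Data0"=hex:{wrapped}\n'
    )


if __name__ == "__main__":
    for hit in find_suspicious_blobs(build_sample_export()):
        print("suspicious:", hit)
```

This is a triage filter, not a verdict: legitimate software also stores large compressed or encrypted values in the registry, so hits need to be reviewed against the owning key and the process that writes it. Run it against an export made with `reg export` or regedit rather than against the live hive.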

The sheer scope of the Clampi operation also separates it from run-of-the-mill financial malware, Stewart argued. "They're targeting not just banking sites, but a wide variety of sites where people put in credentials that help them steal money somehow," said Stewart. Among the 1,400 sites he has identified are military information portals, mortgage, insurance, online casino, utility advertising networks and news sites. The sites are hosted in 70 different countries.

"That, in itself, speaks to a vast operation on the back end," Stewart said.

It's impossible to say for certain, but all clues point to Russia or Eastern Europe as the base for the criminal gang riding herd on the Clampi botnet. "It looks like it's just one group behind it," said Stewart. "We don't see [chatter about it] on the usual underground forums, which is one reason why there's little or no coverage about Clampi up till now. It's very closely held, and the group is very secretive."

In fact, Stewart held out little hope of nailing the criminals behind Clampi. The command-and-control servers they use to direct the hijacked PCs -- and to receive the stolen usernames and passwords -- are not hosted by a commercial hosting service, but instead are hidden within individual compromised PCs. "I don't think we'll ever get the command-and-control servers," Stewart admitted.

One victim of a Clampi infection, and resulting theft, that has come forward is Slack Auto Parts, in Gainesville, Ga., which was robbed of nearly $75,000, according to a story last week in the Washington Post. The co-owner of the company, Henry Slack, told the newspaper that the malware ripped off log-on information for the firm's bank accounts, then managed to move the money to multiple money "mules" across the U.S.

Clampi had been on a Slack PC for more than a year before the bot's controllers used the information gathered to pillage the company's bank account.

One way for businesses -- and users -- to stymie this ultra-stealthy Trojan, said Stewart, is to do any financial tasks on an isolated, dumbed-down PC that is used only to connect to banks, brokers and the like. That advice works because Clampi spreads most efficiently on company networks: if it manages to infect one PC inside an organization, it uses PsExec, a Microsoft Windows Sysinternals tool, to copy the Trojan to all the machines on the domain.

"Clampi can spread across Microsoft networks in a worm-like fashion," said Stewart. "Forget things like Conficker. You'd better rank this [botnet] up there right at the top."
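An added detection example, not from the article or SecureWorks, for the PsExec-style spread described above. It relies on a property of the tool itself: PsExec installs a temporary service (named PSEXESVC by default) on each machine it runs on, and Windows records every service installation as a System log event with ID 7045 on that machine. One such install is ordinary administration; the same service appearing on many hosts within a few minutes is the worm-like pattern worth alerting on. The log format, host names and timestamps below are constructed for the demo.

```python
"""Added detection example (not the article's code): find bursts of
PsExec service installations across many hosts in constructed log data."""
from datetime import datetime, timedelta

# Constructed records, not real logs:  time|host|event_id|service_name|image_path
# "host" is the machine whose System log holds the 7045 event, i.e. the target.
SAMPLE_LOG = """\
2009-07-28T09:01:12|WS-014|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2009-07-28T09:01:40|WS-022|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2009-07-28T09:02:05|WS-031|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2009-07-28T09:02:30|WS-007|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2009-07-28T11:15:00|SRV-PRINT|7045|Spooler|%SystemRoot%\\System32\\spoolsv.exe
2009-07-28T14:40:10|WS-050|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
"""


def parse_events(text):
    """Turn the pipe-delimited sample into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, service, image = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(event_id), "service": service,
                       "image": image})
    return events


def remote_exec_installs(events):
    """Service-installation events whose name or binary is PsExec's default."""
    return [e for e in events
            if e["event_id"] == 7045
            and ("PSEXESVC" in e["service"].upper()
                 or "PSEXESVC" in e["image"].upper())]


def spread_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """Group PsExec installs into bursts of at least min_hosts distinct
    targets inside one window.  Returns (first_time, last_time, hosts).
    The window and host count are assumed thresholds."""
    hits = sorted(remote_exec_installs(events), key=lambda e: e["time"])
    bursts, i = [], 0
    while i < len(hits):
        j, hosts = i, set()
        while j < len(hits) and hits[j]["time"] - hits[i]["time"] <= window:
            hosts.add(hits[j]["host"])
            j += 1
        if len(hosts) >= min_hosts:
            bursts.append((hits[i]["time"], hits[j - 1]["time"], sorted(hosts)))
            i = j
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, end, hosts in spread_bursts(parse_events(SAMPLE_LOG)):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S}: PsExec service installed "
              f"on {len(hosts)} hosts: {', '.join(hosts)}")
```

In a real deployment the 7045 events are collected centrally, and the burst rule is combined with who performed the install (the account in the accompanying logon events) and whether that account normally administers those hosts, since renaming the service defeats the name match but not the burst.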

 

Incident Response for Data Breaches

Interview with Shane Sims, PricewaterhouseCoopers
Linda McGlasson, Managing Editor
July 21, 2009


A veteran cybersecurity pro, Shane Sims shares his insights on trends he's seeing as cybercrime continues to hit all companies, including financial institutions. Sims is currently a Director in the Forensic Services practice at PricewaterhouseCoopers, where he provides investigative, forensic technology, security incident response and cyber security services to commercial and government clients. He is a former FBI Supervisory Special Agent who specialized in cybercrime, digital evidence, computer exploitation, and network surveillance.
Listen to this podcast and hear Sims' insights on:

• Who's hitting financial institutions with cybercrime activities;
• Why just having an incident response plan isn't enough;
• What needs to happen (and what shouldn't be done) when a breach occurs.

LINDA McGLASSON: Hi, I'm Linda McGlasson, Managing Editor for BankInfoSecurity and CUInfoSecurity. Today's Information Security Media Group's Podcast is with Shane Sims, a veteran cyber security professional. Shane is a Director in the Forensic Services Practice at PricewaterhouseCoopers. He is also a former FBI Supervisory Special Agent who specialized in cyber crime, digital evidence, computer exploitation and network surveillance. Welcome Shane.

SHANE SIMS: Thank you. Glad to be here.

McGLASSON: What are the types of cyber threat groups out there now and how are they targeting? Any specific types going after financial institutions?

SIMS: The cyber threat groups are varied and complex and they always seem to be evolving. One common denominator across the groups is that they remain highly motivated. The threat groups from my perspective can be classified as criminals, state sponsors, terrorists or insiders. The insiders and criminals are the primary threat groups to financial institutions and I can describe each of these threat groups in a little more detail.

McGLASSON: That would be great.

SIMS: Criminal enterprises are becoming more sophisticated at compromising private cyber space. They are spending time recruiting technical talent, they are devoting funds to research and development of malware and their breach operations are planned and organized. This threat group's main objective is to convert data into profit primarily; secondarily they attempt to extort organizations by holding IT assets hostage.

I have seen criminal hacker groups actually develop custom malware on the fly while they are in the midst of compromising a target organization. Stated differently, as they infiltrate an environment and begin to learn what hardware and software is alive and active, custom applications are developed to defeat counter measures employed by those victim organizations. This type of malware can't be detected by in-house antivirus technology.

Today's sophisticated hacker crews are using data egress methods that really mirror the well-funded techniques of state sponsors. Ten years ago, traditional organized crime families would hire hackers to steal data for them; today hackers and hacker groups operate independently of traditional organized crime and these groups will often team with each other to compromise certain target organizations in order to leverage the skill sets needed based on the target environment. That is my quick assessment of the criminal threat group.

Moving on to the state sponsored threat group, obviously this is the best funded, most organized and most difficult to detect. Foreign intelligence services actively target the U.S. government, its military and its private sector cyber space. The purpose of the foreign government cyber threat is to acquire intelligence and steal intellectual property, so they are not a major threat to financial institutions.

Terrorist organizations, like criminals, can convert stolen data into financial gain, but they need identities to permit the movement of terrorist operators around the globe so that is one of their primary focuses of a cyber attack. The most feared objective of this threat group is the disruption or sabotage of a cyber space of any organizations that have been designated as critical infrastructures by DHS. So the cyber WMD, if you will, is the big fear of the terrorist groups and obviously this type of activity would have serious implications on national security. DHS has designated the banking and financial sector as a critical infrastructure and this sector has nearly 30,000 financial firms I believe.

The final group that I mentioned was the insider threat and this threat is really multifaceted. Traditionally a discussion of this threat has been human centric, so a disgruntled employee or contractor that is experiencing financial difficulty or an agent of a foreign government tasked with becoming an employee or contractor.

Today the insider threat is much more complex. Poor IT security practices create threats and exploitable opportunities, and the interconnectivity of an organization's network to the internet, vendors and so forth results in that organization assuming the risk of the poor security practices of those external nodes.

Strangely, the insider threat with the highest probability of realization is the human finger. As comical as that may sound, it is true. Laptops with encrypted hard drives and secure remote VPN access to private networks are really no match for somebody who clicks on the wrong e-mail attachment or some embedded e-mail link. And when that happens, if there is some malicious intent behind the attachment or the link, that person's computer gets infected and compromised and the network it has access to potentially becomes compromised, and then any data obviously within that network could be potentially compromised.

McGLASSON: Has there been an evolution of attack vectors or targets along with the types of criminal groups attacking networks?

SIMS: That is an interesting question Linda. On one hand I would say no, connections to the internet and corruptible insiders are constant targets, but on the other hand, every time the latest and greatest operating system, COTS application or custom developed application is installed, basically a new attack vector is born.

I think the most significant attack vector of late, which will not likely disappear anytime soon, is the compromise of technology products while in the supply chain. Supply chain compromise typically involves installing an undetectable back door on your newly purchased router or firewall, etc., either at the manufacturer or after it leaves the manufacturer and before it arrives at its destination. Organizations today are really starting to think about this problem and stepping up their due diligence efforts with all of their suppliers.

McGLASSON: What are some of the specific items that these criminal groups are targeting at financial institutions?

SIMS: Ultimately they are trying to get at the data, and the data that they really want is payment card industry data and what people call personally identifiable information. Basically, identities have a price tag on the black market and PCI data can quickly be used to counterfeit credit cards and ATM cards. So somebody can get data that allows them to counterfeit a debit card and they can walk up to an ATM machine and quickly get cash. That is the primary focus.

McGLASSON: The mindset at most companies, including financial institutions, has been data breaches and attacks happen to other companies but not here. What would you say to them to make them change their minds?

SIMS: Linda you are absolutely right. That is not an unusual stance and again, it is a stance that doesn't really apply to any specific industry; you see it everywhere. I could remotely understand that perspective maybe ten years ago, but not today. However, the bottom line is that preventative and defensive measures only reduce risk to an acceptable level as defined by any organization, and none of the measures completely eliminates all risk of a breach or insider bad behavior, data loss or asset sabotage.

Of course the acceptable level of risk reduction is subjective to any given organization and its leadership, so I think it is safe to say that if a breach and/or data loss were to happen and become public knowledge, that organization's risk reduction program and the associated budget assigned to it will certainly be scrutinized by customers, stockholders, regulators, etc.

McGLASSON: Let's say you have been breached, what are some of the before steps that a company should take before a breach happens to prepare for a forensic investigation such as formation of a CERT or any other preventative steps?

SIMS: It is nice if somebody has the budget to form a CERT or have in-house investigators and forensic staff, but at minimum just having a defined incident response plan that involves notification and deployment of qualified forensic incident responders, whether they are internal or leveraged through some outside advisor. The response plan should be clear and concise and not a complex attempt to cover every potential scenario.

In my experiences a lot of organizations that actually have response plans create them in a way that they become so complex and so lengthy that no one can even consume them much less use them. In my opinion the best plans are always written by people who have experience in these matters and you just can't really afford to operate from a position of a hypothetical or academic position or perspective.

And then just as important as the plan is training on the execution of the plan. The training in my opinion should be provided in two forms at a minimum, what I would call a walk through drill and a tabletop exercise.

A walk through drill is where you would get all of the participants that would be involved in an incident response into a room, create a breach scenario and then walk through and actually tell them what they are supposed to do and what the expectations of them are.

A tabletop exercise is where you gather all of the incident response players around a table and you walk through a breach scenario and you ask the different folks who are required to do certain actions to chime up and play the role that they would in the incident response.

McGLASSON: Shane what are the things that should not be done after a breach is discovered? And, are there any examples that you can give of particularly damaging things that can happen before the forensic team arrives on the scene?

SIMS: The thing I see most, and it is completely innocent and unintentional, but the most typical action when a breach is discovered is that someone from the victim organization puts hands on the keyboard of a known compromised system for the purpose of investigating and mitigating the situation. This natural human reaction unfortunately can damage digital evidence and call into question the forensic purity of any evidence that is uncovered.

Also, because investigating a computer intrusion requires the collection and analysis of digital evidence, the overwriting of backup media, system and event logs should be stopped immediately. This should be clearly articulated in any incident response plan.

McGLASSON: Shane what are some of the not widely used cyber crime investigative techniques that one can leverage to improve their organization's proactive security countermeasures?

SIMS: Two areas come to mind right off the bat. Malware analysis from a proactive standpoint and what we at PwC have been calling breach indicator assessments. A breach indicator assessment ideally would be comprised of two elements, host based and network based.

Both of these elements are more of an art than a science. Unauthorized remote access to systems and the egress of data can be detected by monitoring network traffic if the right and experienced set of eyes are on the job, typically unauthorized remote access and data theft involving installation and execution of malware on systems.

Again, the right and experienced set of eyes analyzing certain components of a computer system can identify breaches that haven't been detected by your in-house technology. Now if the budget is there and you can hire an outside firm to analyze malware you find in the environment, then you are going to have a leg up as well. Typically what we do is we let the antivirus technology immediately neutralize malware when it is discovered, and then we assume everything is okay.

But I think the better approach is when malware is discovered, preserve it, neutralize it and then you analyze it. Often the analysis will uncover intelligence that permits an organization to take actions to further improve its security posture.

McGLASSON: Finally Shane, what do you recommend in terms of proactive measures that financial institutions may take to protect themselves, their networks and their customers from data breaches that aren't even their fault? I am thinking along the lines of Heartland and some of the other more notable data breaches of late.

SIMS: I mentioned the supply chain problem earlier; so I think this doesn't get enough attention in my opinion, but conducting full, complete, thorough background investigations of your vendors, suppliers and the organizations that might be in a merger/acquisition pipeline. The banking and financial sector relies heavily on a complex supply chain that includes providers outside the U.S. so I think this important proactive measure can't be underestimated or overlooked. I would say the same about key personnel that have sensitive access to data; do a full, complete background investigation.

Another item I would mention is conducting security assessments and treating them as an organic program and not a series of one-time events.

McGLASSON: Thank you Shane for your excellent insights that you have shared with us today.

SIMS: My pleasure Linda.

McGLASSON: Until later, I'm Linda McGlasson for Information Security Media Group.

Wednesday, August 05, 2009

 

Network Solutions Data Breach: 573,000 Cardholders at Risk

Company Says It Was PCI-Compliant When Hacked
Linda McGlasson, Managing Editor
July 28, 2009


A data breach at Internet domain administrator and host Network Solutions has compromised personal and financial data for more than 573,000 credit and debit cardholders. To add more pain to the breach, Network Solutions says it was PCI compliant at the time of the breach.
The breach, discovered in June, was the result of hackers planting rogue code on the company's Web servers, which host mostly small online stores, to intercept financial transactions between the sites and their customers. Network Solutions has offered no further explanation of how the rogue code made its way onto the company's servers. When asked, Susan Wade, a Network Solutions communications representative, said: "Not at this time. Because of the ongoing law enforcement investigation, we aren't able to release that information."

Compromised data was captured between March 12 and June 8, 2009, when the breach was discovered, says Wade.

The last PCI assessment and certification of Network Solutions' networks was completed on October 31, 2008, says Wade. The firm that performed the assessment was the Payment Software Company, a San Jose, CA-based qualified security assessor company.

The 4,343 e-commerce merchant customers were notified of the breach on Friday, July 24, via an e-mail and a letter sent through the U.S. Postal Service, Wade says. Network Solutions provides service to more than 10,000 merchant websites. The e-commerce customers are mainly small businesses, mostly "Mom and Pop" type retailers spread geographically across the country. Wade says that Network Solutions has offered them help in contacting their affected customers. Of the compromised data, no fraud has been reported thus far by the four major credit card brands, Wade notes.

Network Solutions has hired TransUnion, a credit reporting agency, to work with it on behalf of its merchants, to contact their customers whose data may have been affected. Affected merchants can visit www.careandprotect.com, the website Network Solutions set up for them to get more information.

PCI Security Council Weighs In

Just because a company has passed its compliance validation, it doesn't mean that the need for vigilance of security measures should stop, says PCI Security Standards Council General Manager Bob Russo. As for whether Network Solutions was PCI-compliant at the time of the breach, Russo notes, "Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status."

The announcement of a data breach at Network Solutions underscores the necessity for ongoing vigilance of an organization's security measures, he adds. "Security doesn't stop with PCI compliance validation. As the Council has said many times, it is not enough to validate compliance annually and not adopt security into an organization's ongoing business practices," Russo states. A card data environment is under constant threat, so businesses must ensure their safeguards are also under constant vigilance - "monitoring and where necessary, ongoing improvement. A layered approach to security is absolutely necessary to protect sensitive payment card data - without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance," he says.

Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organization's security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete, Russo stresses. "Reports by forensics companies suggest that this is an area of weakness among organizations," he says. "An intrusion need not result in card data compromise if an organization is following the 12 guiding requirements of the PCI Data Security Standard."
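The rogue code described at the top of this story was planted in hosted storefront pages, and Russo's point is that monitoring has to continue between assessments. An added example, not Network Solutions' or the PCI Council's code, of the minimal control that catches that kind of change: take a hash baseline of the web root, re-hash on a schedule, and report anything added, removed or altered so each difference can be matched to an approved change. The storefront files and the simulated alteration are constructed in a temporary directory so the script runs offline.

```python
"""Added example (not from the article): a minimal file-integrity check
over a web root, with a constructed storefront to demonstrate it."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify each path as added, removed or modified since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed storefront, baseline it, alter it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "checkout.html"), "w") as fh:
            fh.write("<form action='/pay'>...</form>\n")
        with open(os.path.join(root, "js", "cart.js"), "w") as fh:
            fh.write("function addToCart() {}\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("storefront\n")
        baseline = snapshot(root)

        # Simulated unapproved change, constructed for the demo: an extra
        # script reference appended to the checkout page, a new file in
        # the script directory, and one file removed.
        with open(os.path.join(root, "checkout.html"), "a") as fh:
            fh.write("<script src='/js/x.js'></script>\n")
        with open(os.path.join(root, "js", "x.js"), "w") as fh:
            fh.write("// unexpected file\n")
        os.remove(os.path.join(root, "readme.txt"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two details make this useful rather than decorative: the baseline has to be stored somewhere an intruder on the web server cannot rewrite it, and every reported difference has to be reconciled with the change-control record, because a diff nobody owns is exactly the "change control away from noncompliance" Russo describes.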

 

Incident Response for Data Breaches

Incident Response for Data Breaches
Interview with Shane Sims, PricewaterhouseCoopers
Linda McGlasson, Managing Editor
July 21, 2009


A veteran cybersecurity pro, Shane Sims shares his insights on trends he's seeing as cybercrime continues to hit all companies, including financial institutions. Sims is currently a Director in the Forensic Services practice at PricewaterhouseCoopers, where he provides investigative, forensic technology, security incident response and cyber security services to commercial and government clients. He is a former FBI Supervisory Special Agent who specialized in cybercrime, digital evidence, computer exploitation, and network surveillance.
Listen to this podcast and hear Sims insights on:


•Who's hitting financial institutions with cybercrime activities;
•Why just having an incident response plan isn't enough;
•What needs to happen and (what shouldn't be done) when a breach occurs.
LINDA McGLASSON: Hi, I'm Linda McGlasson, Managing Editor for BankInfoSecurity and CUInfoSecurity. Today's Information Security Media Group's Podcast is with Shane Sims, a veteran cyber security professional. Shane is a Director in the Forensic Services Practice at Price Waterhouse Coopers. He is also a former FBI Supervisory Special Agent who specialized in cyber crime, digital evidence, computer exploitation and network surveillance. Welcome Shane.

SHANE SIMS: Thank you. Glad to be here.

McGLASSON: What are the types of cyber threat groups out there now and how are they targeting? Any specific types going after financial institutions?

SIMS: The cyber threat groups are varied and complex and they always seem to be evolving. One common denominator across the groups is that they remain highly motivated. The threat groups from my perspective can be classified as criminals, state sponsors, terrorists or insiders. The insiders and criminals are the primary threat groups to financial institutions and I can describe each of these threat groups in a little more detail.

McGLASSON: That would be great.

SIMS: Criminal enterprises are becoming more sophisticated at compromising private cyber space. They are spending time recruiting technical talent, they are devoting funds to research and development of malware and their breach operations are planned and organized. This threat group's main objective is to convert data into profit primarily; secondarily they attempt to extort organizations by holding IT assets hostage.

I have seen criminal hacker groups actually develop custom malware on the fly while they are in the midst of compromising a target organization. Stated differently, as they infiltrate an environment and begin to learn what hardware and software is alive and active, custom applications are developed to defeat counter measures employed by those victim organizations. This type of malware can't be detected by in house antivirus technology.

Today's sophisticated hacker crews are using data egress methods that really mirror the well-funded techniques of state sponsors. Ten years ago, traditional organized crime families would hire hackers to steal data for them; today hackers and hacker groups operate independently of traditional organized crime and these groups will often team with each other to compromise certain target organizations in order to leverage the skill sets needed based on the target environment. That is my quick assessment of the criminal threat group.

Moving on to the state sponsored threat group, obviously this is the best funded, most organized and most difficult to detect. Foreign intelligence services actively target the U.S. government, its military and its private sector cyber space. The purpose of the foreign government cyber threat is to acquire intelligence and steal intellectual property, so they are not a major threat to financial institutions.

Terrorist organizations, like criminals, can convert stolen data into financial gain, but they need identities to permit the movement of terrorist operators around the globe so that is one of their primary focuses of a cyber attack. The most feared objective of this threat group is the disruption or sabotage of a cyber space of any organizations that have been designated as critical infrastructures by DHS. So the cyber WMD, if you will, is the big fear of the terrorist groups and obviously this type of activity would have serious implications on national security. DHS has designated the banking and financial sector as a critical infrastructure and this sector has nearly 30,000 financial firms I believe.

The final group that I mentioned was the insider threat and this threat is really multifaceted. Traditionally a discussion of this threat has been human centric, so a disgruntled employee or contractor that is experiencing financial difficulty or an agent of a foreign government tasked with becoming an employee or contractor.

Today the insider threat is much more complex. Poor IT security practices create threats and exploitable opportunities and the interconnectivity of an organization's network to the internet, vendors and so forth results in that organization assuming the risk of the poor security practices of those external modes.

Strangely, the insider threat with the highest probability of realization is the human finger. As comical as that may sound, it is true. Laptops with encrypted hard drives and secure remote VPN access to private networks are really no match for somebody who clicks on the wrong e-mail attachment or some embedded e-mail link. And when that happens, if there is some malicious intent behind the attachment or the link, that person's computer gets infected and compromised and the network it has access to potentially becomes compromised, and then any data obviously within that network could be potentially compromised.

McGLASSON: Has there been an evolution of attack vectors or targets along with the types of criminal groups attacking networks?

SIMS: That is an interesting question, Linda. On one hand I would say no, connections to the internet and corruptible insiders are constant targets, but on the other hand, every time the latest and greatest operating system, COTS application or custom developed application is installed, basically a new attack vector is born.

I think the most significant attack vector of late, which will not likely disappear anytime soon, is the compromise of technology products while in the supply chain. Supply chain compromise typically involves installing an undetectable back door on your newly purchased router or firewall, etc., either at the manufacturer or after it leaves the manufacturer and before it arrives at its destination. Organizations today are really starting to think about this problem and stepping up their due diligence efforts with all of their suppliers.

McGLASSON: What are some of the specific items that these criminal groups are targeting at financial institutions?

SIMS: Ultimately they are trying to get at the data, and the data that they really want is payment card industry data and what people call personally identifiable information. Basically, identities have a price tag on the black market and PCI data can quickly be used to counterfeit credit cards and ATM cards. So somebody can get data that allows them to counterfeit a debit card and they can walk up to an ATM machine and quickly get cash. That is the primary focus.

McGLASSON: The mindset at most companies, including financial institutions, has been data breaches and attacks happen to other companies but not here. What would you say to them to make them change their minds?

SIMS: Linda, you are absolutely right. That is not an unusual stance and again, it is a stance that doesn't really apply to any specific industry; you see it everywhere. I could remotely understand that perspective maybe ten years ago, but not today. However, the bottom line is that preventative and defensive measures only reduce risk to an acceptable level as defined by any organization, and none of the measures completely eliminates all risk of a breach or insider bad behavior, data loss or asset sabotage.

Of course the acceptable level of risk reduction is subjective to any given organization and its leadership, so I think it is safe to say that if a breach and/or data loss were to happen and become public knowledge, that organization's risk reduction program and the associated budget assigned to it will certainly be scrutinized by customers, stockholders, regulators, etc.

McGLASSON: Let's say you have been breached, what are some of the before steps that a company should take before a breach happens to prepare for a forensic investigation such as formation of a CERT or any other preventative steps?

SIMS: It is nice if somebody has the budget to form a CERT or have in-house investigators and forensic staff, but at minimum just having a defined incident response plan that involves notification and deployment of qualified forensic incident responders, whether they are internal or leveraged through some outside advisor. The response plan should be clear and concise and not a complex attempt to cover every potential scenario.

In my experiences a lot of organizations that actually have response plans create them in a way that they become so complex and so lengthy that no one can even consume them much less use them. In my opinion the best plans are always written by people who have experience in these matters and you just can't really afford to operate from a position of a hypothetical or academic position or perspective.

And then just as important as the plan is training on the execution of the plan. The training in my opinion should be provided in two forms at a minimum, what I would call a walk through drill and a tabletop exercise.

A walk through drill is where you would get all of the participants that would be involved in an incident response into a room, create a breach scenario and then walk through and actually tell them what they are supposed to do and what the expectations of them are.

A tabletop exercise is where you gather all of the incident response players around a table and you walk through a breach scenario and you ask the different folks who are required to do certain actions to chime up and play the role that they would in the incident response.

McGLASSON: Shane, what are the things that should not be done after a breach is discovered? And, are there any examples that you can give of particularly damaging things that can happen before the forensic team arrives on the scene?

SIMS: The thing I see most and it is completely innocent and unintentional, but the most typical action when a breach is discovered is that someone from the victim organization puts hands on the keyboard of a known compromised system for the purpose of investigating and mitigating the situation. This natural human reaction unfortunately can damage visual evidence and call into question the forensic purity of any evidence that is uncovered.

Also, because investigating a computer intrusion requires the collection and analysis of visual evidence, the overriding of backup media, system and event logs should be stopped immediately. This should be clearly articulated in any incident response plan.

McGLASSON: Shane, what are some of the not widely used cyber crime investigative techniques that one can leverage to improve their organization's proactive security countermeasures?

SIMS: Two areas come to mind right off the bat. Malware analysis from a proactive standpoint and what we at PWC have been calling breach indicator assessments. A breach indicator assessment ideally would be comprised of two elements, host based and network based.

Both of these elements are more of an art than a science. Unauthorized remote access to systems and the egress of data can be detected by monitoring network traffic if the right and experienced set of eyes are on the job, typically unauthorized remote access and data theft involving installation and execution of malware on systems.

Again, the right and experienced set of eyes analyzing certain components of a computer system can identify breaches that haven't been detected by your in-house technology. Now if the budget is there and you can hire an outside firm to analyze malware you find in the environment, then you are going to have a leg up as well. Typically what we do is we let the antivirus technology immediately neutralize malware when it is discovered, and then we assume everything is okay.

But I think the better approach is when malware is discovered, preserve it, neutralize it and then you analyze it. Often the analysis will uncover intelligence that permits an organization to take actions to further improve its security posture.

McGLASSON: Finally, Shane, what do you recommend in terms of proactive measures that financial institutions may take to protect themselves, their networks and their customers from data breaches that aren't even their fault? I am thinking along the lines of Heartland and some of the other more notable data breaches of late.

SIMS: I mentioned the supply chain problem earlier; so I think this doesn't get enough attention in my opinion, but conducting full, complete, thorough background investigations of your vendors, suppliers and the organizations that might be in a merger/acquisition pipeline. The banking and financial sector relies heavily on a complex supply chain that includes providers outside the U.S. so I think this important proactive measure can't be underestimated or overlooked. I would say the same about key personnel that have sensitive access to data; do a full, complete background investigation.

Another item I would mention is conducting security assessments and treating them as an organic program and not a series of one-time events.

McGLASSON: Thank you, Shane, for the excellent insights that you have shared with us today.

SIMS: My pleasure Linda.

McGLASSON: Until later, I'm Linda McGlasson for Information Security Media Group.


Miami Man Sentenced in Computer Fraud Offense

Department of Justice Press Release

For Immediate Release
July 14, 2009
United States Attorney's Office
Southern District of Florida
Contact: (305) 961-9000

Jeffrey H. Sloman, Acting United States Attorney for the Southern District of Florida, and Jonathan I. Solomon, Special Agent in Charge, Federal Bureau of Investigation, Miami Field Office, announced that defendant, Lesmany Nunez, 30, was sentenced today by Chief U.S. District Judge Federico A. Moreno to twelve months and one day imprisonment after pleading guilty to computer fraud, in violation of Title 18, United States Code, Section 1030(a)(5)(A)(ii). Upon his release from prison, Nunez was ordered to serve three years of supervised release, with a special condition that he perform 100 hours of community service by lecturing young people on the implications of hacking into other people's computers and networks. Nunez was also ordered to pay $31,560 in restitution.

According to the pleadings and in-court statements, Nunez was a former computer support technician at Quantum Technology Partners (QTP), located in Miami-Dade County. QTP provides data storage, email communication and scheduling for their client companies. Late one Friday night, Nunez remotely accessed QTP's network without authorization, using an administrator account and password. After changing the passwords of all of the IT system administrators, Nunez shut down almost all of their servers. Nunez also deleted files which would have made the re-installation of data from backup tapes easier and less time consuming. In so doing, QTP and their clients could not perform their normal business functions for a number of days.

As a result of the unauthorized access to the system and the deletion of data, QTP suffered over $30,000 in damages, which included the cost of responding to the offense, conducting a damage assessment, restoring the data, system and information to its previous condition, and other costs incurred due to the interruption of network services. Nunez was identified as the perpetrator by tracing activity on QTP's computer to Nunez' home network. Additional evidence was subsequently found in a search of Nunez' computer.

Mr. Sloman commended the investigative efforts of the FBI. The case was prosecuted by Assistant U.S. Attorney Aurora Fagan.


Houston Computer Administrator Sentenced

Department of Justice Press Release

For Immediate Release
July 15, 2009
United States Attorney's Office
Southern District of Texas
Contact: (713) 567-9000
Houston Computer Administrator Sentenced to Two Years in Prison for Hacking Former Employer’s Computer Network

WASHINGTON—The former director of information technology for a non-profit organ and tissue donation center was sentenced today to two years in prison for hacking into her former employer’s computer network, announced Assistant Attorney General Lanny A. Breuer of the Criminal Division and U.S. Attorney for the Southern District of Texas Tim Johnson.

Danielle Duann, 51, of Houston, pleaded guilty on April 30, 2009, to a one-count criminal indictment charging her with unauthorized computer access. Duann was sentenced today by U.S. District Judge David Hittner in the Southern District of Texas. In addition to the two-year prison term, Judge Hittner sentenced Duann to a three-year period of supervised release following completion of her prison sentence, and ordered her to pay $94,222 in restitution to compensate her former employer for the damage that resulted from her actions.

In pleading guilty, Duann admitted to illegally accessing the computer network of LifeGift Organ Donation Center and then intentionally deleting organ donation database records, accounting invoice files, database and accounting software applications and various backup files, without authorization. LifeGift is the sole provider of organ procurement services for more than 200 hospitals throughout 109 counties in North, Southeast and West Texas.

According to court documents, LifeGift terminated Duann from her position as their director of information technology on Nov. 7, 2005, and revoked all of her previous administrative rights and access to the LifeGift computer network. In pleading guilty, Duann admitted that beginning on the evening of Nov. 7, 2005, and continuing until Nov. 8, 2005, she repeatedly gained unauthorized access to the LifeGift computer network via a remote connection from her home and intentionally caused damage by deleting numerous database files and software applications, as well as their backups, related to LifeGift’s organ and tissue recovery operations.

Duann further admitted that in an attempt to conceal her activities, she disabled the computer logging functions on several LifeGift computer servers and erased the computer logs that recorded her remote access to the LifeGift network.

This case was investigated by the FBI and is being jointly prosecuted by Trial Attorney Thomas Dukes of the Criminal Division’s Computer Crime and Intellectual Property Section and Special Assistant U.S. Attorney Bret W. Davis of the U.S. Attorney’s Office for the Southern District of Texas.
