Domain: securosis.com
Stories and comments across the archive that link to securosis.com.
Stories · 12
-
Ask Slashdot: Preventing Snowden-Style Security Breaches?
Nerval's Lobster writes "The topic of dealing with insider threats has entered the spotlight in a big way recently thanks to Edward Snowden. A former contractor who worked as an IT administrator for the National Security Agency via Booz Allen Hamilton, Snowden rocked the public with his controversial (and unauthorized) disclosure of top secret documents describing the NSA's telecommunications and Internet surveillance programs to The Guardian. Achieving a layer of solid protection from insiders is a complex issue; when it comes to protecting a business's data, organizations more often focus on threats from the outside. But when a trusted employee or contractor uses privileged access to take company data, the aftermath can be as catastrophic to the business or organization as an outside attack. An administrator can block removal of sensitive data via removable media (Snowden apparently lifted sensitive NSA data using a USB device) by disabling USB slots or controlling them via access or profile, or relying on DLP (which has its own issues). They can install software that monitors systems and does its best to detect unusual employee behavior, but many offerings in this category don't go quite far enough. They can track data as it moves through the network. But all of these security practices come with vulnerabilities. What do you think the best way is to lock down a system against malicious insiders?" -
RSA's Servers Hacked
Khopesh writes "EMC subsidiary RSA was the victim of 'an extremely sophisticated cyber attack' which resulted in the possible theft of the two-factor code used by their SecurID products." The Boston Herald has a short article on the intrusion. Update: 03/17 23:54 GMT by T : Reader rmogull adds "With all the hype that's sure the explode over this one, we decided to do a quick write-up to separate fact from speculation." -
RSA's Servers Hacked
Khopesh writes "EMC subsidiary RSA was the victim of 'an extremely sophisticated cyber attack' which resulted in the possible theft of the two-factor code used by their SecurID products." The Boston Herald has a short article on the intrusion. Update: 03/17 23:54 GMT by T : Reader rmogull adds "With all the hype that's sure the explode over this one, we decided to do a quick write-up to separate fact from speculation." -
Three Indicted In Huge Identity/Data Breach
ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology. -
Three Indicted In Huge Identity/Data Breach
ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology. -
Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project'sTillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend." -
Largest Data Breach Disclosed During Inauguration
rmogull writes "Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems." One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach. -
Largest Data Breach Disclosed During Inauguration
rmogull writes "Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems." One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach. -
Massive, Coordinated Patch To the DNS Released
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible." -
Massive, Coordinated Patch To the DNS Released
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible." -
Massive, Coordinated Patch To the DNS Released
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible." -
Mozilla Launches Security Metrics Project
Earthweb passes along a ZDNet article which notes, "In partnership with indie security consultant Rich Mogull, Mozilla has launched a valuable Security Metrics Project that — we can only hope — could help to put an end to the silly notion that patch-counting helps to determine a product's security posture. The idea is to develop a metrics model that goes beyond simple bug counts to reflect accurately the effectiveness of secure development efforts and the relative risk to users over time. Mogull has released a spreadsheet (.xls) with a preliminary version of the model and Mozilla's Window Snyder is actively seeking feedback to make the project open and meaningful."