CounterMeasures - A Security Blog � data leakage

Data Breach Laws, Encryption and Having a Plan ‘B’

Rik Ferguson — Tue, 29 Jun 2010 11:43:31 +0000

from zappowbang's photostream under creative commons

Data breach laws are starting to become a serious concern for businesses of all shapes and sizes. It’s already five years since California passed data breach disclosure laws, requiring companies to notify customers of security lapses. Since then almost all other US states have joined it, many opting for penalties that could potentially land companies with a likely loss of reputation and crippling fines if customer data is lost or stolen.

Ireland published proposed measures on the subject two weeks ago. Frankly, it’s only a matter of time before the UK follows suit either through its own legislation or that of the EU.

Over on the Register, we’ve been running a series of articles about what constitutes an appropriate level of security, with the impending arrival of data breach laws adding some urgency to the discussion.

A common reaction is to demand the encryption of backup files. This appeals to companies not only because it makes it a lot less likely that any lost information can be used – you could even argue that encrypted data doesn’t even count as ‘information’ at all, following the line that information is data you can act upon. But also, it’s especially appealing to companies because encrypted data is exempt from the disclosure requirements in many forms of this legislation. So the potential loss of reputation and customer trust is hopefully avoided.

Encryption is trickier than it looks, though. First of all, what kind of encryption are you going to use? Software encryption takes time – and for larger organisations, it’s possible that the rate of data production – the proliferation of stuff you’re supposed to be backing up – could quickly exceed the rate at which data can be encrypted. Hardware encryption of backups often looks more attractive as a result, but being tied to a particular vendor with no rescue plan for when they go under is a recipe for spectacular disaster. There’s some interesting advice on this topic in this post from Securosis.

Backup hardware on its own is already proving hard to manage when it comes to finding data from more than a couple of years ago. Have you still got a tape streamer that will fit the open-reel tapes and cartridges from the early noughties? Still got a computer with a SCSI card to fit the streamer onto? Still got the cable to put the two together? I’m sure sysadmins will be delighted when they’re told to add encryption to the mix.

Now let’s throw in key management. Exactly how secure does your encryption need to be? And how secure will today’s tapes need to be in five years, a not uncommon legal retention requirement. Who will have access to encryption keys and how will they, in turn, be secured? Once again, this needs a systematic approach. There needs to be a plan and a backup plan for when it all goes wrong. Needless to say, there are products that can help with this – but as always, they can only do so much if the strategy for their implementation and management is weak.

Anyway, El Reg is conducting a poll to detect current attitudes towards encrypting data. We’ll be really interested to see the results, so make sure you add your own voice over there – and let me know what you think here in the comments box, too.

iProtect, iEncrypt… iLeak

Rik Ferguson — Wed, 02 Jun 2010 16:03:18 +0000

or, Careful With Those Naked Snaps!

I was very interested by a blog post by Bernd Marienfeldt that I read today, which appears to illustrate a serious security weakness in Apple’s iPhone data encryption implementation.

A flaw that allows an unauthorised backup to be made? Shurely shome mishtake...

The iPhone 3GS offers Full Disk Encryption using 256 bit AES encoding which should (theoretically) keep your sensitive data safe from prying eyes. It has been public for almost a year that this encryption does not stand up to even the most basic hacking or forensics tools. This latest flaw however will seemingly expose your data to anyone capable of simply booting the device; even if you have set a security PIN.

Bernd Marienfeldt has discovered that by booting a PIN protected iPhone, while it is connected to the USB port of an Ubuntu system, he could access

“music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker.”

This access was through the Ubuntu interface and did not require any PIN at all, furthermore the access was not simply read-only, but read/write.

Even on a standard Windows Vista, it's PIN not required

Further testing by heise Security has shown that it is also possible to trick an iPhone into pairing with a PC running iTunes in the same way. This is a phenomenon that I have been able to reproduce, again using a PIN protected, hardware encrypted iPhone.

This related vulnerability is even more worrying than the first. If an attacker manages to pair an iPhone with an unauthorised PC they can make a full back up the phone which would include notes, messages and even plain text passwords.

Testing indicates that this unauthorised pairing and folder access only occurs when the phone has been shut down in an unlocked state, which does serve to mitigate the risk somewhat.

However when a supposed hardware implementation of full disk encryption surrenders any data *at all* in the absence of credentials, something, somewhere is very broken.

Mr. Marienfeldt reports that Apple have acknowledged the flaw but not yet made any indications of a fix schedule.

China’s got Talent, but no email.

Rik Ferguson — Thu, 20 May 2010 08:46:56 +0000

The Shanghai Daily today reports that “the internet mailbox” belonging to the official show “China’s Got Talent” (yes that nonsense gets everywhere) has been compromised.

Photo from Julien Lozelli's photostream on Flicker - Creative Commons

The mailbox contained (note the past tense) about 900 mails detailing the show’s running order, schedules, plans, contestant details and much more. These mails have now all been deleted and the tone of the article and the concern from Dragon TV certainly seem to suggest that there may not have been a backup in place.

As well as the show and contestant details, the biggest loss to Dragon TV is the production manual for the series, purchased from Freemantle Media. This document is reportedly worth around US$400,000. Show organisers are extremely worried that this information may have been stolen and will appear posted on public websites. They have requested domestic websites to delete the data should it appear, personally I doubt the effectiveness of such a strategy.

For me the most shocking quote from the article is:

“The mailbox was for the use of the Dragon TV’s internal employees only so it had simple passwords for easy communication.”

So, an internet-facing, shared mailbox containing highly confidential information with simple passwords? Normally at this point in a blog article I suppose I would begin to point out things that could have been done to limit the possibilities of such an event. It seems almost too incredible that the aforementioned combination of circumstances should even occur, but here you go…

If information is sensitive, do not allow access to it from the internet.

If information is sensitive do not store it in a shared mailbox, it is impossible to audit effectively

Never use simple passwords, for any reason, ever.

If you have a document worth almost half a million dollars… Encrypt it.

Twitter.Grader.com hacked?

Rik Ferguson — Thu, 11 Feb 2010 20:07:29 +0000

Twitter Grader home page

UPDATE: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident, I know a lot of folks don’t read the comments, so here it is in full.

“We are very sorry for the mistake. It is completely our fault. As your article mentions, we have contained the situation and stopped the malicious tweets.

We do want to make clear that by design, the HubSpot software applications are on different servers and systems from our free Grader.com tools. This attack did NOT affect the HubSpot software used by our 2,100 customers. Again, there is no impact on our paid product or paying customers.

We have posted an article on our company blog with more information:

http://www.hubspot.com/blog/bid/5594/One-Lesson-From-The-Twitter-Grader-Screw-up-OAuth-Rocks

- Mike Volpe
HubSpot (makers of Twitter Grader)”

…and that, ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot.

__________________________________________________________________________________________

In what looks like another compromise related to Twitter services, a large number of Twitter users who have granted access to their accounts to the web service Twitter.Grader.com have all begun tweeting a bizarre and unauthorised message.

: Example of affected accounts (search by Twitscoop)

Fortunately the link that has been endlessly tweeted by grader users does not appear to host any malicious content. It points to a blog with an embedded YouTube video of Biz Stone back in 2006 promoting Twitter.

The domain name of the destination site however might give us a clue to the motivation behind the attack. Seonix presumably refers to Search Engine Optimisation and perhaps that is the real purpose of this attack. Forcing large numbers of Twitter users to tweet a link to the site may well be an effective method of pushing it up the search engine rankings. The domain seonix.org was created on the 11th February 2010 and the details of the owner have been anonymised.

Embarassingly the victims of this attack also include Dharmesh Shah, the founder of Grader

: Dharmesh Shah on Twitter

UPDATE: Hubspot, the parent company have tweeted that they are aware of the hack and working on a solution. In the meantime, if you are a Grader user, you may want to consider temporarily revoking Access to Grader in your Twitter profile via Settings -> Connections.

Google, China, Chicken Little and Cyber Armageddon.

Rik Ferguson — Tue, 19 Jan 2010 14:00:10 +0000

Foxy Loxy by Gustaf Tenggren

In the wake of the highly publicised “highly sophisticated and targeted” attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous “Operation Aurora” graphic (that links to trial downloads of pre-existing software). The attacks have been described as “changing the world” by the CTO of that same security company and as “something quite different” by Google.

How much of this is real, justified and proportionate?

So what do we know so far? Well according to Google “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google“. They go on to say “As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies“.

Subsequent external conjecture, comment and analysis has blamed unpatched vulnerabilities in Internet Explorer and also in Acrobat Reader, the malware involved has been identified both as variants of the Hydraq Trojan and also as new malware, dubbed by McAfee as Roarur.dr and as TROJ_PIDIEF.SHK. The attack vectors have been identified as mail with malicious PDF attachments and drive-by downloads.

Google, who were hit by the zero-day vulnerability in Internet Explorer, state that at least 20 other companies were victimised, and iDefense who have customers who were hit by the zero-day vulnerability in Acrobat Reader state that 33 companies were affected.

The motivation for the attack has been described both as an attempt to steal intellectual property and also as an attempt to breach the security of email accounts belonging to Chinese human rights activists. The attacks “appear to have been launched from at least six Internet addresses located in Taiwan” according to James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc

“Changing the world”? I say not.

The attacks are not the first to use zero-day vulnerabilities, in fact we have most often seen zero-day exploits being first used in targeted attacks before becoming more widely spread and widely abused.

The attacks are not the first to use drive-by download or malicious PDF attachments to achieve their goal.

The attacks are not the most complex multi-component system yet seen, you want complex, look at Koobface!

This is not the first time that warnings have been given to use alternative browsers until a patch becomes available.

This is not the first time that the finger has been pointed at China for a widespread globally distributed espionage attack.

There is no doubt that this attack, or these attacks are methodologically sophisticated. The bad guys were visibly successful at delivering their malicious payloads to the right people in the right companies to get access to things like source code and email accounts, but I don’t see anything here that changes the world.

Social engineering, lack of awareness of the threat landscape, a willingness to share too much information, the highly developed underground economy will all have contributed to the possibility and the success of these attacks.

What can companies and individuals do to try to avoid falling victim to these kinds of attack?

Educate yourselves and your users, clicking a link is enough, opening a PDF is enough to infect you, even on a fully patched system.

That being said make sure all applications and systems are fully patched, if that is not possible, use host-based intrusion prevention to “virtually patch” systems and to secure against zero-day exploits.

When an unpatched vulnerability is identified be sure to follow vendor advice to minimise the risk as soon as possible.

Encrypt valuable personal and intellectual property at file level, that way, even if it is stolen it is of limited value or use.

Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.

Rethink your security model from an outside in approach, to an inside out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.

At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles, contact details. Currently far too many targets are far too visible.

Don’t let Chicken Little run your security.

Pakistani National Response Center for Cyber Crimes… Hacked!

Rik Ferguson — Fri, 08 Jan 2010 11:45:13 +0000

It seems to be the season for defacements and hacktivity. The week began with the Cross Site Scripting attack on the Spanish EU website and the defacement hack of Iranian President Ahmadinejad’s Official site and it closes with a high profile hack of the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority.

The web site was compromised and defaced as below

Click for larger image

Unfortunately for the Pakistani FIA though this attack appears to go beyond a simple defacement. The hacker “zombie_ksa” also states on the defaced page

“your whole database and e-mails are leaked …. i was really excited to read, see what the f__k is private in here lOl“

At first glance this could well seem like idle l33t H4x0r bragging so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said

“I was Browsing! today Propakistani.pk So i saw post about” how to register complaint with fia cyber crime”! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!”

The hacker then posted two screen shots, one of the hacked site and second one, below demonstrating his access to their email database (I have sanitised the email addresses here)

Screen shot posted by the hacker

So it seems that from an amateur penetration test a hacker has access at least to the full email database and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.

Any organisation holding material this sensitive should, as a priority, make sure all Internet facing servers are hardened and fully patched, the servers should also be regularly audited, preferably daily to look for evidence of new vulnerabilities as they arise. Web application firewalls should be used to look for evidence of and block anomalous or malicious behaviour.

But perhaps most importantly emails dealing with matters this sensitive should not be connected with, or stored on your public web server and they should always be stored in a secure encrypted format.

A whole new meaning to Phishing.

Rik Ferguson — Mon, 07 Dec 2009 10:58:10 +0000

UPDATE: At the suggestion of Dan Raywood from SC Magazine I am now offering up a prize to the first person to mail me all the fish I have (kind of) hidden in the blog entry. You can win my splendid USB fridge to keep your prize catch cool.

UPDATE 2: This competition has now closed and the prize been claimed. The lucky recipient of a Trend Micro USB fridge is The Harmony Guy, congratulations and may you have many happy hours together, and many thanks to all who played.

________________________________________________________________________________________

Good Cod! Sometimes it feels as though I am endlessly carping on about web site security and the value of personal information and while I realise that this is no plaice for levity, this most recent hake is noteworthy enough to cover. Most recent victims of the cybercriminal in their pursuit of gold, fishkeepers are not immune.

The web site Practical Fishkeeping has been compromised and the details of their forum users have been put at risk. Practical Fishkeeping is no sprat, boasting almost 24,000 registered users. The site is currently offline as the damage is repaired.

Practical Fishkeeping have not left their members floundering, an email from Matt Clarke, Editor-in-Chief of the Practical Fishkeeping magazine was sent to all forum members on Friday evening. It is not immediately clear how the hack came to light, but the mail noted

“We have been made aware that hackers have breached our website security. This is a criminal offence, and information on our register about our readers (usernames, passwords, email addresses, postal addresses and in some cases telephone numbers) may have been viewed or taken.“

The mail goes on to say “If you used your password for practicalfishkeeping.co.uk for other websites, you should change those passwords.”

It may be easy from my perch to criticise. but if passwords truly were visible to attackers, then the web site was not applying even the most bassic secure design principles such as storing passwords in an encrypted format (along with other personally identifiable information). This would ensure they are not made available to any john dory.

In all seriousness, this attack is highly reminiscent of the recent hack of the Richard Dawkins forum and is very much a trend I expect to see increasing over the coming months and years. Gaining access to the database of a popular website offers potential high returns for relatively little effort. If this phenomenon is in need of a new name, I offer up the term Phlatphishing.

There are several ways that your details can be exposed when they are stored by third parties; misconfiguration, poor coding or unpatched systems for example. This will only increase in importance as cloud services are more widely adopted. Remember, when you are registering for a community such as an online forum, you are under no obligation to give either complete or accurate personal information.

Only give whatever information is essential for the use of the service you are registering.

If the service requires more details than you are willing to share, you don’t necessarily have to be truthful, there’s always room for a red herring.

Consider using disposable email addresses for online services, that way if there is a compromise you can simply delete the address.

If you are concerned that you may have been affected by this attack and have not yet received a notification from Practical Fishkeeping, you could try contacting the publishing house Bauer Media in the first instance.

You may have noted I am not one to let the chance for a good pun goby, and if any of these have been crappie, I offer my sincere apologies.

Symantec hacked? Full disk and database access?

Rik Ferguson — Mon, 23 Nov 2009 10:50:36 +0000

hack-o-rama by Al Corr

Back in February of this year, the Romanian hacker Unu found a SQL injection vulnerability in a Kaspersky tech support portal server based in the USA. That vulnerability when exploited allowed full access to all the database tables, exposing things such as usernames and activation codes.

Well, Unu strikes again and this time Symantec is the unlucky recipient of his attentions, and certainly at first glance it looks worse than the Kaspersky breach. In a new posting on Unu’s blog he details a blind SQL injection-based attack against a Symantec server, the server appears to be responsible for tech support through “Norton PC Expert from PC-Doctor Co Ltd” in Japan.

According to Unu, by exploiting the vulnerability he is able to access a lot of very sensitive information including personal details and product keys (from the symantecstore database table). More worryingly, the screenshots appear to indicate that the attackers is able to browse the entire contents of the server hard drives at will. Unu also notes that both user and employee passwords are available in clear text which, if true, represents a serious oversight, passwords should always be stored encrypted or with a salted hash. It should be noted though that there is no evidence of this particular data other than Unu’s own typed report, no screen shots of this data have been posted.

Although commentators have not always agreed on the accuracy of Unu’s claims, as in the recent claimed compromise of the Barack Obama Donations site; as ever, Unu insists that his activities are only done to warn and raise awareness without saving or otherwise stealing any proprietary information.

“If you remember, in February, Kaspersky faced with a sql injection. Then they had the courage to admit vulnerability, why have my admiration. There was fair play, they quickly secured vulnerable parameter, and even if at first they were very angry at me, finally understood that I did not extract, I saved nothing, I have not abused in any way by the data found. My goal was, what is still, to warn. To call attention.

That being said, expect the curious reaction from Symantec.”

I have made sure Symantec UK and Japan are aware of this information and I am sure they are investigating as I type, but it’s never a bad idea to restate a few best practices for securing web applications:

Keep them patched.
NEVER store sensitive data in clear text.
Get them regularly vulnerability scanned from the inside as well as the outside.
Use strong authentication (2 factor) if you are only serving a limited user population or if the data you are holding is particularly sensitive. Cookies can lead to session hijacking…
Bounds checking of input data helps to avoid buffer overflows and SQL injection type attacks.
Provide access to information on a Need to Know basis and always provide it with Least Privilege.
Don’t provide detailed error information to browsers, you don’t expect your customers to debug your application, so don’t give up that error message.

Europe’s heartland in large-scale credit card theft

Rik Ferguson — Thu, 19 Nov 2009 22:02:02 +0000

Initial reports of a possible large scale breach of credit card data from a payment processing company in Spain are sketchy at best and the lack of information is not helping to allay the concerns of credit card customers across Europe.

Credit card details for sale on underground forum

In a statement released today, the Zentraler Kreditausschuss (Central Credit Committee) explained that German banks were acting in response to a warning issued by Visa and Mastercard over a potential data theft at a Spanish company. The Spanish company in question has not yet been identified as it is the subject of police investigations but it is widely believed to be a payment processing company responsible for dealing with payments made in Spain using credit cards issued in foreign countries.

In what is being described as a “primarily preventative measure” many German banks have begun cancelling more than 100,000 credit cards, notifying the card holders and issuing replacements. The mass replacement of cards is not restricted to Germany; banks in Austria Sweden and Finland have also begun to reissue credit cards according to reports.

Ralf Palm, a spokesman for Postbank in Germany, noted that their customers and the bank itself had already noted “irregularities” seeming to demonstrate that the stolen or leaked information is already circulating in underground carding circles.

What remains unclear is the extent of the data theft. How many people have been affected and exactly what information other than card details has been stolen? In a further indication of the Europe-wide scale of the problem, the BBC reports that “UK customers will be contacted directly if they are thought to be at risk.”

Despite the sketchy details so far available the data theft bears uncomfortable similarities to the Heartland Payment Systems breach in the US which was eventually responsible for exposing the details of more than 130 million credit and debit card accounts.

If you have used any plastic in Spain in recent months prepare yourself to learn a new PIN number or two. It may be worth revisiting your credit card and bank statements and keeping a close eye on any future statements. Of course you should contact your bank or financial institution immediately if you notice any suspicious activity on your accounts.

Deutsche Bahn on track for million Euro fine.

Rik Ferguson — Fri, 30 Oct 2009 15:55:30 +0000

The German rail operator Deutsche Bahn AG has been handed down a record fine of more than one million Euros according to a report in the German newspaper Süddeutsche Zeitung.

Deutsche Bahn HQ by Honza Soukup

The Berlin Data Protection Commissioner revealed that Deutsche Bahn were to be fined exactly 1,123,503.50 million Euros to cover a number of serious breaches of data protection legislation that date back over the past 10 years. According to the official press release from the Berlin Data Protection agency this is “highest penalty that a German Data Protection Inspectorate has established“.

The activity for which Deutsche Bahn is being fined relates to the mass screening of employee data including names, addresses, telephone numbers and bank details against those of suppliers. This screening was carried out on at least three separate occasions in 1998, 2002/3 and 2005/6, supposedly to detect fraudulent activity and employee fronted Scheinfirmen or shell companies. Deutsche Bahn also enlisted the services of a detective agency to assist in this screening activity and the Information Commissioner’s press release states that personal and banking information was illegally retained for “years” even after suspicions had been allayed. Particular weighting was given in the release to the monitoring of all external email communications of all employees in the years 2006 and 2007, ostensibly to discover who was leaking information to journalists and members of the German Bundestag or parliament. All of this was done without the knowledge or consent of the employees concerned.

The official press release does not mention further activity included in the Süddeutsche Zeitung article, snooping on management level employees in two separate incidents and also the collection of employee medical records. The newspaper report certainly appears to hint that this may not be the end of the financial penalties.

As a result of the incident, the CEO and several top execs were forced to resign. The new board has created a C-level position responsible for “Compliance, Data Protection & Justice” and promised to work on the development of new HR guidelines on data protection alongside the Works Council.

Deutsche Bahn’s heavy-handed tactics and the size of the resultant fine amply illustrate the need for enterprises to involve employees, works councils and unions from the outset, both when defining data protection policies and also when conducting sensitive investigations.

Effective training programs should inform the employees, but also check their understanding and gain their acceptance of the rights and obligations of the company and the employee. Effective security policies and technologies should include employee representatives in the design process and notify them when subsequent privileged searches are taking place. At the same time care must be taken not to expose the results of those searches to the employee representatives as this could in itself constitute a breach.

Businesses across Europe have a real motivation to get this right as data protection authorites across the continent are rapidly increasing in power and scope.