This ZDNET article, “Over 90 percent of data breaches in first half of 2014 were preventable”, had me intrigued but it was their summary that really caught my attention. Since the latest explanation of how the North Koreans hacked Sony was that they stole a system administrator’s password by some method that is not discussed but vaguely confirmed by the NSA, we would have to conclude that the Sony breach was probably a staff mistake.
The Online Trust Alliance says that a high percentage of data breaches were the result of staff mistakes — rather than external hacking.
According to a recent Online Trust Alliance press release, about 47% of data breaches were the result of staff mistakes and 40% were the result of external intrusions. Here is what they said.
OTA also announced that it has analyzed over a thousand breaches involving the loss of personally identifiable information (PII) in 2014, as reported by the Open Security Foundation (OSF) and the Privacy Rights Clearinghouse. OTA found that only 40 percent were the result of external intrusions, while 29 percent were caused by employees—accidentally or maliciously—due to a lack of internal controls. The balance of incidents were primarily attributed to lost or stolen devices or documents (18 percent) and social engineering/fraud (11 percent).
There are a lot of loose ends with the Sony hack that bother old IT guys like me. Kim Zetter in the article, The Evidence That North Korea Hacked Sony Is Flimsy, makes the point that nation-state attacks are not normally this noisy. This attack was public and filled with revenge-filled rhetoric that sounded distinctly non-North Korean.
Marc Rogers in the article, Why the Sony hack is unlikely to be the work of North Korea, goes a step farther and says an insider is the likely culprit.
3. It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.
So if we are to assume that the attack is from North Korea, we have to ask when, why, and how they planted a spy at Sony. The mainstream news media seems to be proceeding under the premise that the North Koreans could walk into Sony, either literally or electronically, and collect extensive knowledge of Sony’s architecture, including key passwords, in a relatively short period of time. I think this supports the mainstream media’s agenda that this is a technology problem: all we need to do is install the latest and greatest firewall. The reality is that this type of hack is typically an inside job, so it is primarily a personnel rather than a technology problem. In most major corporations this type of broad access takes a lot of time, since security is compartmentalized and handing passwords to new people depends on developing trust. Password management in a large corporation like Sony can be further strengthened by delegating password control to different people. In this case the passwords for administering the email, human resources, and accounting systems are probably controlled and periodically changed by the people who have operational control of those systems. So if the insider working for the North Koreans is a new hire or contractor, they must have been inserted into Sony months ago. This raises the question of why the North Koreans would target Sony months ago, develop such a sophisticated operation, and then release detailed information about this operation to the world. All of this work for a movie! The North Koreans may be crazy, but I do not think they are stupid!
If this hack is not the work of North Koreans consumed by revenge over a movie, we have to conclude the insider was a long-time employee or contractor who got the data directly off the servers or via malware installed on certain key computers. We are looking for a person with an Edward Snowden profile. Although some people who are skeptical of the North Korea explanation see a government conspiracy, my guess is that our law enforcement agents are temporarily feeding the public misinformation to buy more time to complete the investigation and arrest the suspect while he is still in the United States.
For a detailed list of the Sony hack events check out the Riskbased Security article, A Breakdown and Analysis of the December, 2014 Sony Hack.
A couple of days ago I wrote the post, Strengthening 2-Step Verification with Security Key, and yesterday I got the security key. I guess parcel post from France is pretty quick! I had to reboot the computer before I could get the hardware drivers to install. It took about two minutes to register the key with both of my gmail accounts after it finished booting. Pretty cool!
Today I tested it at work. The first step was to insert the security key and let Windows 7 install the drivers. Once again my luck installing the drivers was better after I rebooted. Then I cranked up Chrome and went to gmail. Google asked me to login. After I entered the password, it asked me to install the security key. In a couple of seconds it had validated and I was redirected to my inbox. I took the key out and put it back in my storage bag. Although I have entered my password several times as I browsed my security settings, it did not require access to the security key.
The last task was to create an app specific password for gmail for those applications that will not use the security key.
Last week Discover notified me that due to the Home Depot data breach, my Discover debit card was going to be re-issued. Their solution is not cheap but it is the best way to improve credit card fraud protection.
Yesterday we ran into an interesting new wrinkle on credit card fraud. A customer called us because they did not recognize a credit card charge on their bill. We had an order in our system with the correct billing address, but they did not know the person the order was being shipped to. This is the typical way we find out about credit card fraud, but this time when we called the person it was being shipped to, she answered the phone. This was a first! She said that her husband probably ordered it and told us to call him. So we called him and he said he had ordered not one but two pumps from an auction site. Sure enough, our order system said we had shipped a second pump to his wife using a completely different credit card and billing address. This is the first incident we have seen in which an auction site was used to launder money from stolen credit cards! Fortunately FedEx had not delivered either pump, so we asked FedEx to return the pumps to us. Today we called the second customer and confirmed that they were unaware that their credit card had been stolen. We told them that a credit card refund had been processed and recommended that they notify their credit card company of the fraud. In this case the people whose credit card data was stolen did not lose any money. Typically we lose both the product and the shipping costs, so we are pretty happy to get the products back. The biggest loser is the guy who thought he had won a legitimate auction for two pumps. I do not know how he paid for it, but if he is fast enough he may be able to process a chargeback.
In case you did not already know, Home Depot had a data breach that is pretty similar to the Target breach. Since I am one of those Home Depot customers who are at risk, I took them up on it and signed up for their free identity protection from AllClearID. Like the first customer, I plan to check my card activity several times a week.
Last Wednesday my wife and I celebrated our 31st anniversary at P. F. Chang’s. We had a nice dinner and they ran our card through a manual imprint system. Today I noticed that they wrote my CVV on the receipt. That is not necessary if they were actually going to process my bill as a manual credit card transaction in which the card is present. Writing the CVV on the receipt means that they plan to process the charge later as a card-not-present transaction. For those of you who have jumped through the PCI hoops, you have to wonder what measures they are using to protect these receipts now that they include the CVV. In the PCI world there are some pretty serious restrictions on keeping the CVV information secure. This is a dumpster diver’s gold mine.
Okay, I am really annoyed. What is the best way for a company to continue doing business after a data breach without annoying their customers? There are some interesting comments over at Krebs on Security, but I have my own recommendation. As a long-time developer I look for good manual procedures to automate. In this case we are going in the opposite direction: we are breaking up a good automated procedure into standalone parts. I would recommend creating a corporate web app to process the credit card transaction, very similar to the model used by Internet retailers. In fact I would not be surprised if a corporate developer already has one they used to get through credit card processing certification. Either the waitperson or some other designated person enters the sixteen-digit credit card number and CVV to run the transaction. If the transaction goes through, you update the bill in the restaurant’s order system with the confirmation code or reference ID. Is this a little more work? Yes, but we literally have millions of people who enter their sixteen-digit credit card number and CVV every day without exposing themselves to credit card fraud. There are far fewer PCI compliance issues with this procedure than with a manual imprint bearing the customer’s CVV on the receipt.
I have been using TrueCrypt for several years. It is not the key cog in my security plan, but it is helpful. The TrueCrypt development process looked trustworthy and professional. So I was shocked by the developer’s announcement last week. It was just so weird that I thought the site had been hacked. The developer’s explanation of why he was stopping development bordered on incoherent. What does the end of Windows XP maintenance have to do with anything? As an old IT guy I decided to wait this mess out. There was an ongoing security review of TrueCrypt which should sort some of the issues out. For those conspiracy buffs out there, Snowden was a big fan of TrueCrypt. This weekend I decided to see if I could still download the source. It was not available at the normal location, but I did locate it at Gibson Research Corporation, whom I recognize from Shields Up fame. Considering their reputation in the security game, they had some interesting things to say.
Yes . . . TrueCrypt is still safe to use.
Although the disappearance of the TrueCrypt site, whose ever-presence the Internet community long ago grew to take for granted, shocked and surprised many, it clearly came as no surprise to the developers who maintained the site and its namesake code for the past ten years. An analysis of the extensive changes made to TrueCrypt’s swan song v7.2 release, and to the code’s updated v3.1 license, shows that this departure, which was unveiled without preamble, was in fact quite well planned.
For reasons that remain a titillating source of hypothesis, intrigue and paranoia, TrueCrypt’s developers chose not to graciously turn their beloved creation over to a wider Internet development community, but rather, as has always been their right granted by TrueCrypt’s longstanding license, to attempt to kill it off by creating a dramatically neutered 7.2 version that can only be used to view, but no longer to create new, TrueCrypt volumes.
Then, leveraging the perverse and wrongheaded belief that software whose support was just cancelled renders it immediately untrustworthy, they attempted to foreclose on TrueCrypt’s current and continued use by warning the industry that future problems would remain unrepaired. This being said of the latest 7.1a version of the code that has been used by millions, without change, since its release in February of 2012, more than 27 months before. Suddenly, for no disclosed reason, we should no longer trust it?
I will continue to use it until a better option becomes available. Although I doubt I will look at the code for security problems, I am curious what the security professionals find.
I had some funky display show up when I went to finance.yahoo.com, so I ran an antispyware check using http://www.superantispyware.com/index.html. Since this program takes a long time, I ran the Microsoft Safety Scanner, too. Microsoft did not find anything and SUPERAntiSpyware found a false positive on a file included in QuickBooks SDK 10, tiny.exe.
Do you think your PC has a virus?
The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.
Microsoft Safety Scanner – Remove Spyware, Malware, Viruses Free
I found an interesting problem today. If I run the DNS Randomness test at work using Doxpara’s widget, our ISP fails this test. If I run the test at DNS-OARC, I get mixed results. Sometimes the source port randomness is good and sometimes it is bad. Hmm… I am guessing our ISP has not patched their DNS yet!
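The two tests mentioned above both look at the same thing: whether a resolver's successive upstream queries come from unpredictable UDP source ports (the randomization that the 2008 DNS patches introduced) or from a fixed port or a simple counter. As an added example, not from this post or from either test site, here is a small Python scorer that runs over a sample of observed source ports and reports why a sample looks good or bad. The port samples are constructed, and the thresholds are this example's own choices, not DNS-OARC's scoring rules.

```python
import math
import statistics
from collections import Counter

# Constructed samples of the UDP source ports a resolver might use for
# successive upstream queries (not real measurements from any ISP).
FIXED_PORTS = [53] * 20                        # every query from the same port
SEQUENTIAL_PORTS = list(range(32768, 32788))   # each query one port above the last
NARROW_PORTS = [1037, 1091, 1044, 1066, 1029, 1088, 1052, 1073, 1041, 1095]
RANDOM_PORTS = [44091, 1893, 60234, 17722, 39305, 52877,
                9041, 62103, 28467, 4559, 55720, 33812]


def port_randomness_report(ports):
    """Summarise how unpredictable a sample of source ports is.

    Returns a dict of statistics plus a verdict string. A resolver whose
    ports can be guessed gives a spoofed answer far better odds of being
    accepted, which is why the patched resolvers spread queries over the
    whole ephemeral range.
    """
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two observed ports")
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    stdev = statistics.pstdev(ports)
    # Consecutive queries whose ports differ by at most 1 suggest a counter.
    sequential = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) <= 1)
    # Shannon entropy (bits) of the observed port values.
    entropy = -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())

    if distinct == 1:
        verdict = "POOR: fixed source port"
    elif sequential >= n // 2:
        verdict = "POOR: sequential source ports"
    elif span < 4096 or stdev < 2000:
        verdict = "POOR: narrow port range"
    else:
        verdict = "GOOD"

    return {
        "samples": n,
        "distinct": distinct,
        "span": span,
        "stdev": round(stdev, 1),
        "entropy_bits": round(entropy, 3),
        "sequential_steps": sequential,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("narrow", NARROW_PORTS), ("random", RANDOM_PORTS)]:
        print(f"{name:10s} {port_randomness_report(sample)}")
```

The mixed results the post describes are what you would expect when the sample is small or the ISP load-balances between patched and unpatched resolvers: run the test several times and judge the worst result, not the best.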
Recently I installed the pfSense firewall, and now I have started to check out some of the packages that make pfSense such an interesting firewall platform. Without going into too much detail, here are my impressions of several packages.
- NMAP – It kind of worked for me when I accessed it via the web server. It locked up the pfSense web server a couple of times. It worked fine for me via the command line and the Command page.
- NTOP – I had not heard of this package before but I was impressed. It had lots of information about my network. Some of the information was actually useful. I am keeping tabs on my son’s Internet usage. With all of this info I kept expecting the computer utilization of pfSense to go through the roof. It did not. Whew!
- SNORT – I did not get this package to work. It installs but the service does not start and it had problems downloading rules. I am guessing the rules issue might be related to the fact that the package was version 2.7 and the current rules are 2.8. I saw in a forum where several people were having problems running the package on pfSense. I manually uploaded a rule to see if I could start the package. It still did not start. Since I did not see any log messages, I decided it was not worth proceeding. It is hard to debug problems when you have logging turned off.
- EXEC.php – This goes under the name of Command. It gives you the equivalent of a command prompt and it is for those of us who do not want to crank up SSH for every little thing. It is not a “package” and its disclaimer says it is not supported. However, it worked better for me than the supported packages. Go figure! I used it to verify that NMAP was working. It was a helpful tool to work with SNORT, too.
- Internet Explorer – You need an SVG viewer plugin to view the traffic graph. I used Adobe’s version. The drop-down navigation menu is quirky with IE. It opens and closes before you select an item. In IE the navigation menu is blocked by the traffic graph. I might try and fix this.
Wow, I did not know about this security feature in 2.5. I did not have the ‘SECRET_KEY’ defined since my WordPress sites were upgrades. Since I prefer to follow the Secure WordPress recommendations and missed that section in the paper, I added a random key to all of my sites. The key does not cause any ill effects. Read the original post, WordPress 2.5 Secret_Key Vulnerability, for more details.
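Upgraded sites are exactly the ones that miss this, because wp-config.php is never regenerated on upgrade. As an added example (not from the post or from WordPress), here is a Python helper that audits a wp-config.php for a missing, placeholder, or short SECRET_KEY define, generates a random key, and writes it in. The sample configs are constructed; the placeholder string is the one I recall from wp-config-sample.php, and the 32-character minimum is this example's own threshold.

```python
import re
import secrets
import string

# Sample value shipped in wp-config-sample.php; leaving it in is as bad as no key.
PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LENGTH = 32   # this example's threshold, not a WordPress requirement

# Quote and backslash are left out so the key drops into a single-quoted PHP string.
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.;:|~"

SECRET_KEY_RE = re.compile(
    r"define\(\s*['\"]SECRET_KEY['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)")

# Constructed wp-config.php of a site upgraded from a pre-2.5 release: no SECRET_KEY.
UPGRADED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example-db-password');
$table_prefix = 'wp_';

/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

# Constructed config of a fresh 2.5 install where the sample value was never changed.
FRESH_INSTALL_CONFIG = UPGRADED_CONFIG.replace(
    "$table_prefix", "define('SECRET_KEY', 'put your unique phrase here');\n$table_prefix")


def check_secret_key(wp_config_text):
    """Classify the SECRET_KEY define: 'missing', 'placeholder', 'short' or 'ok'."""
    m = SECRET_KEY_RE.search(wp_config_text)
    if m is None:
        return "missing"
    key = m.group(1)
    if key.strip().lower() == PLACEHOLDER:
        return "placeholder"
    if len(key) < MIN_KEY_LENGTH:
        return "short"
    return "ok"


def generate_secret_key(length=64):
    """Random key from the OS CSPRNG, safe to paste into a single-quoted PHP string."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def secret_key_define(key):
    return f"define('SECRET_KEY', '{key}');"


def add_or_replace_secret_key(wp_config_text, key):
    """Return the config with the given key, replacing an existing define or
    inserting one just above the 'stop editing' marker (or at the end)."""
    if SECRET_KEY_RE.search(wp_config_text):
        # The regex excludes the trailing ';', so the original one is kept.
        return SECRET_KEY_RE.sub(lambda _m: secret_key_define(key)[:-1],
                                 wp_config_text, count=1)
    marker = "/* That's all, stop editing!"
    idx = wp_config_text.find(marker)
    if idx == -1:
        return wp_config_text.rstrip("\n") + "\n" + secret_key_define(key) + "\n"
    return wp_config_text[:idx] + secret_key_define(key) + "\n\n" + wp_config_text[idx:]


if __name__ == "__main__":
    for label, cfg in [("upgraded", UPGRADED_CONFIG), ("fresh", FRESH_INSTALL_CONFIG)]:
        status = check_secret_key(cfg)
        print(f"{label}: {status}")
        if status != "ok":
            print(add_or_replace_secret_key(cfg, generate_secret_key()))
```

Run it against a copy of each site's wp-config.php; anything other than "ok" means the cookie-hashing secret is guessable. Changing the key invalidates existing login cookies, so expect to log in again afterwards.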
A PCI audit point I saw recently recommended that servers not respond to ICMP timestamp requests. For externally hosted web servers this probably means asking your host provider to implement a rule on their router to block ICMP packets of type 13 or 14 with a code of 0. I haven’t tried this, but it should allow normal maintenance packets (e.g. ping) while preventing echo tests that use timestamp requests.
The target computer responded to an ICMP timestamp request. By accurately determining the target’s clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.
- Apple, Mac OS
- Cisco, IOS
- Data General, DG/UX
- HP, HP-UX
- HP, Tru64 UNIX
- IBM, AIX
- IBM, OS/2
- Linux, Linux
- Microsoft, Windows 98 Second Edition
- Microsoft, Windows 2000
- Microsoft, Windows 2003
- Microsoft, Windows 95
- Microsoft, Windows 98
- Microsoft, Windows Me
- Microsoft, Windows NT
- Microsoft, Windows XP
- Novell, Novell NetWare
- SCO, SCO Unix
- SGI, IRIX
- Sun, Solaris
- Wind River, BSD
Configure your firewall or filtering router to block outgoing ICMP packets. Block ICMP packets of type 13 or 14 and/or code 0.
ISS X-Force Database: icmp-timestamp(322): ICMP timestamp requests
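To make the audit rule concrete, here is an added example (not from the post or from the X-Force entry) in Python: a packet classifier that applies exactly the rule described above, dropping ICMP type 13 and 14 with code 0 and accepting everything else, including echo request/reply so ping keeps working. The packets it is run over are constructed inline with documentation-range addresses.

```python
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
BLOCKED_TYPES = {ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY}

# Body of a timestamp message: originate, receive and transmit timestamps (RFC 792).
TIMESTAMP_BODY = struct.pack("!III", 0, 0, 0)


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(icmp_type, code, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header (no options) + ICMP message.
    Addresses are from documentation ranges; the IP header checksum is left zero."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + icmp


def filter_decision(packet):
    """Apply the audit rule to one raw IPv4 packet.

    DROP ICMP type 13/14 with code 0 (and anything too short to parse),
    ACCEPT every other packet, ICMP or not.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "DROP"            # not a parseable IPv4 packet
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        return "ACCEPT"          # the rule only concerns ICMP
    if len(packet) < ihl + 8:
        return "DROP"            # truncated ICMP header
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type in BLOCKED_TYPES and code == 0:
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    samples = {
        "timestamp request": build_icmp_packet(ICMP_TIMESTAMP_REQUEST, 0, TIMESTAMP_BODY),
        "timestamp reply": build_icmp_packet(ICMP_TIMESTAMP_REPLY, 0, TIMESTAMP_BODY),
        "echo request (ping)": build_icmp_packet(ICMP_ECHO_REQUEST, 0, b"ping"),
        "echo reply": build_icmp_packet(ICMP_ECHO_REPLY, 0, b"ping"),
    }
    for name, pkt in samples.items():
        print(f"{name:20s} -> {filter_decision(pkt)}")
```

On a Linux host the same rule is two iptables lines, `iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP` and `iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP`; the second covers the "block outgoing" half of the X-Force advice. Verify afterwards with a pentest-style ICMP timestamp probe from outside (the audit tool that raised the finding will do) and a plain ping to confirm echo still answers.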
I recently tried to visit Codeplex and got an error page with a Server 500 error. It did not take too long to figure out that there was a configuration problem on my firewall, ISA 2004. There were several proposed fixes, but the one that worked for me I found on a Techarena forum, and it said to either turn on or turn off the HTTP Compression filter. I turned it on and it worked.
I think I had turned off the compression filter in ISA 2004 SP1 days. According to Lazyadmin HTTP Compression started working in SP2 and he has recommendations for configuring it in his post, Enabling HTTP Compression in ISA 2004.
Recently while upgrading my WordPress blogs I installed WPIDS 0.1.2. WPIDS is an intrusion protection system based on the intrusion detection system PHPIDS. It is a nice plugin for those curious about WordPress security. In theory this should improve the security of my blogs.
For the last couple of days I have been monitoring its log. So far I have not found any false positives. It looks like it is blocking some comment spam. Most of my comment spam is caught by Akismet.
I am kind of fascinated with this plugin. If the developers are looking for ideas, it would be nice if:
- It would tell me if there is a new filter available. I am not sure how often the filter is updated, but with a little modification the plugin could update the file directly. WordPress would like updated plugins to be updated on their web site; an updated revision number for the plugin would then appear in the plugin panel. In a perfect world the user could then update the plugin automatically.
- The search stats button overlaid the standard report onto the admin page for the plugin. It is not very useful in this format.
- It would be nice if the report said why the bad request was blocked. I have several blocked requests showing something called “__utmz” in the tag field.
- It would be nice to download the report as a csv file.
- It would be nice to have a summary report by type of blocked request.
I just finished checking my WordPress sites with both a dork and FTP. Google says that there are 29,000 infected sites. I guess that I was left out of the party since my WordPress sites are at the most recent stable release.
Cyberinsecure recently posted details of an automated WordPress hacking tool that is doing the rounds. This malicious worm or program appears to create the directory, "wp-content/1/" as well as spam comments:
The blogs are most likely attacked by some kind of automated tool since the amounts of spam are too big to work manually on all those spam pages creation. It seems there are also spam comments in posts as well. Spam comments are pointing to internal infected blog pages in folder “1″ to get them spidered and to get people to visit them.
Smackdown also has a nice blog entry about this issue.
Automated WordPress Hacking Tool Cached by Google
Wed, 26 Mar 2008 23:52:40 GMT
Last night I used the WordPress Scanner on two of my blogs and I got this message.
dangerous-check- PHP configuration file found in http://www.somewebsite.com/
I guess it is complaining about the fact that I have a php.ini file. I guess there is a security implication I do not know about. I googled php.ini and security and did not get any hits. Can anybody provide me with some insight on the security issue?
BlogSecurity » Blog Archive » WordPress Scanner
I have been using the Comodo™ Firewall for over a year now. My experience with it leads me to believe that it is more secure than others on the market. I really liked its flexibility and monitoring capability. When the beta for version 3 came out I enthusiastically installed it. I was surprised and disappointed that I was no longer able to use my VPN network connections. So I went back to version 2.4. Since I switched back to the old version I have struggled to get back to the configuration that worked before I undertook the leap of faith with the beta. The PPTP VPN connection worked, but the L2TP VPN connection did not work for me locally.
Let me digress for a bit and describe my local network and the VPN connections I have set up. When I am out of the office and accessing my server via the Internet, I use a VPN connection that uses the DNS name in its configuration. The DNS name points to the static IP address of my hardware firewall. The hardware firewall forwards the VPN traffic to my SBS server, where the software firewall, ISA, completes the VPN connection. When I am at my office my laptop connects to the same network that connects the SBS server to the firewall, and the VPN connection I use to access the server remotely does not work. To get around this minor problem I use a different VPN connection with the local IP address of the server in the configuration. This connection goes directly to the server and does not go through the firewall. Yesterday I figured out why the L2TP connection was not working.
The ports they say you need to open on your hardware firewall to allow L2TP access from the Internet are 500, 1701, and 4500. When I look at the ISA log I can see the laptop using ports 500 and 1701. When I looked at the Comodo activity log I found that it had blocked outbound access to protocol 50. This sounded vaguely familiar. It was hard to find, but Microsoft talks about protocols 50 and 51 in this article, Interoperation with Other Services. (Protocol 50 is IPsec ESP, which L2TP/IPsec runs over, and 51 is AH; neither is a TCP or UDP port, so a port-based rule does not cover them.) Why was Comodo blocking outbound access? I was befuddled, but I decided to go ahead and add an IP IN/OUT allow rule for protocol 50 to my local server IP. My L2TP VPN is now working. It is interesting that you will not find protocol 50 showing up in the ISA log, but according to the Comodo log it is talking to the server with this protocol.
About once a month I go to the Windows Update and let it check my computer. If Windows Update is working properly, the Windows Update cupboard will be bare. Sometime in December Windows Update stopped working for me and it started giving me a userdata persistence error. The help system said that all of my problems would disappear if I would just enable userdata persistence in my browser. So what do you do when your browser already has userdata persistence enabled? While I pondered that problem I ran Microsoft Baseline Security Analyzer to get my updates.
Today I found my solution. While I was investigating another problem, I found KB943144 – Updates are not installed successfully from Windows Update…. In this article it tells you how to manually re-install Windows Update. This was just what the doctor ordered!
A document obtained by Computerworld from a reliable source indicates that Piedmont was presented with a list of 42 items that HHS officials wanted information on within 10 days. Specifically, Piedmont was asked to provide policies and procedures for:
- Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
- Emergency access to electronic information systems.
- Inactive computer sessions (periods of inactivity).
- Recording and examining activity in information systems that contain or use ePHI.
- Risk assessments and analyses of relevant information systems that house or process ePHI data.
- Employee violations (sanctions).
- Electronically transmitting ePHI.
- Preventing, detecting, containing and correcting security violations (incident reports).
- Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
- Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
- Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
- Physical access to electronic information systems and the facility in which they are housed.
- Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?).
- Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
- Internet usage.
- Wireless security (transmission and usage).
- Firewalls, routers and switches.
- Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
- Terminating an electronic session and encrypting and decrypting ePHI.
- Transmitting ePHI.
- Password and server configurations.
- Anti-virus software.
- Network remote access.
- Computer patch management.
HHS also had a slew of other requests:
- Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
- Please provide a list of terminated employees.
- Please provide a list of all new hires.
- Please provide a list of encryption mechanisms used for ePHI.
- Please provide a list of authentication methods used to identify users authorized to access ePHI.
- Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
- Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
- Please provide organizational charts that include names and titles for the management information system and information system security departments.
- Please provide entity-wide security program plans (e.g. System Security Plan).
- Please provide a list of all users with access to ePHI data. Please identify each user’s access rights and privileges.
- Please provide a list of systems administrators, backup operators and users.
- Please include a list of antivirus servers, installed, including their versions.
- Please provide a list of software used to manage and control access to the Internet.
- Please provide the antivirus software used for desktop and other devices, including their versions.
- Please provide a list of users with remote access capabilities.
- Please provide a list of database security requirements and settings.
- Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
- Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
Source: HIPAA audit: The 42 questions HHS might ask
Jeff of the HIPAA Blog talks more about the questions here and that the questions are pertinent to all firms with information security requirements.
This week I upgraded the Trend Micro SMB installation on my “dog food” server to version 3.6. It kind of worked. The virus checking stuff upgraded nicely but the Messaging Security portion did not. I got this message, “Error 1923.Service Trend Micro Messaging Security Agent Remote Configuration Server(ScanMail_RemoteConfig) could not be installed”.
I researched the problem and it said I should check my privileges. After researching what privileges it was complaining about, I figured out that the privileges for the Administrator userid were just fine. So I rebooted and tried to install the Messaging Security portion again. I was unsuccessful, but this time it told me to install it from the Security Dashboard. I don’t remember seeing that message before, but I was game. After a little research I found these instructions on how to do this.
Installing the Messaging Security Agent from the Security Dashboard
These instructions were a little too short for me since the installation process asked me a few more questions than were included in the instructions. The installation process asked me which directory to install Messaging Security in and the “shared” directory. I was not sure what they wanted for the shared directory since this field was prefilled with C$. C$ looks like a “share” to me and I was clueless about a shared directory. If Trend Micro has a shared directory they want me to use, they hid it well. Since I was installing these files on my “H” drive, I assumed they wanted the “share” for the drive, H$. Anyway that is what I gave it. When I pressed the enter key, a screen showing the installation status popped up. The status screen updated several times over the next ten minutes before it finally completed. Now when I check the “Live Status” and “Security Settings” screens they show me that the Anti-spam is working. Since Microsoft’s Intelligent Messaging Filter catches most of the spam for my “dog food” server I got through this unscathed.