Content Migration

September 25, 2008

Everyone,

The content of this blog will be moving to http://pandalabs.pandasecurity.com. Therefore, you can find new and interesting posts at http://pandalabs.pandasecurity.com or www.pandalabs.com for this point on.


Scientific America Industry Panel

August 21, 2008

This past May I sat on an industry panel regarding digital privacy along with Whitfield Diffie (Sun Micro), Patrick Heim (Kaiser), Art Gilliland (Symantec), Rahul Abhyankar (McAfee), Martin Sadler (HP), John Landwehr (Adobe) and Steve Lipner (Microsoft). The panel discussed many interesting topics around technology and today’s need for digital privacy. The full edited transcript is available on-line at Scientific America.


Top Weekly News Spam

August 19, 2008

This morning we detected another spam campaign with a very similar motivation to the MSNBC and CNN spam attacks that were detected recently. The vector for infection is a re-direction to a phony video page. In this case the user is asked to download an update which appears to be a video codec identified as installer.exe or better known as Trj/Exchanger.  We expect that these type of attacks are only going to evolve over a period of time to be much more sophisticated.

VirusTotal Information

 


Fake Google Adwords Site

August 4, 2008

This morning I discovered several emails in our marketing inbox appearing to be from Google informing us that our Google Adwords payment information could not be processed and that we needed to login to update the information. However, even though the email looks authenticate, when you click the link you are actually re-directed to a fake Google Adwords site.

When I type in a fake Google login (obviously I would not provide mine) I am directed to a very authenticate looking form that is now asking me to submit payment information.

After submitting your payment information you are informed that your ads have been re-activated and then you are directed back to the real Google Adwords site (by the way it looks exactly the same). In conclusion Targeted phishing scams are becoming popular and in this case it was directed at our marketing inbox.


Research Paper: Breaching Wireless POS Systems

August 2, 2008

Wireless networks and endpoints offer convenience and connectivity. Unless properly secured, they also offer a means of ingress into the network. This article will describe the vulnerabilities and strategies for mitigation as it pertains to protecting wireless point-of-sale systems.

In the wake of undiscovered data breaches and subsequent public exposure, hackers have begun to turn their eyes towards breaching wireless networks and taking advantage of their many weaknesses. Furthermore, we are seeing a trend towards stealing cardholder information from retailers through much publicized breaches such as TJ Maxx and Hannaford Brothers. According to the 2008 Data Breach Investigations Report by the Verizon Business Risk Team, 84% of the data compromised in documented breaches pertained to card holder information.

Read full article here:


Anatomy of a Data Breach Part 3 – The Wireless Hack

July 17, 2008

Wireless networks and endpoints offer convenience and connectivity. Unless properly secured, they also offer a means of egress into the network. This article will describe the vulnerabilities and strategies for mitigation.

In the wake of undiscovered data breaches and subsequent public exposure, hackers have begun to turn their eye towards breaching wireless networks and taking advantage of the many weaknesses incumbent. Furthermore, we are seeing a trend towards stealing cardholder information from retailers such as TJ Max and Hannaford Brothers as a quick way to gain profit.

The use of mobile networks is not an uncommon way of providing access for employees anywhere anytime throughout the corporate campus. However wireless networks come with several often ignored dangers:

• Exploitation of WEP and WPA protocols.

• Impersonation and interception of wireless traffic.

• Access points being deployed with little or no security enabled.

All of these vulnerabilities can eventually lead to the exposure of private information if not properly secured and accounted for when implementing a data security policy. The weaknesses of a wireless environment can often lead to violations of PCI, HIPAA & SOX if an exposure were to occur through one of those vulnerabilities. Regulations such as SOX, HIPAA and PCI were ultimately designed to protect specific classes of information that if exposed can cause serious ramifications such as: fines, potential jail time and a host of other unwanted aftereffects.

The Target: Wireless Point-of-Sales (POS)

For example the protection of cardholder information as covered under PCI-DSS includes a number of guidelines to aide in the development of policy that (a) protects cardholder information stored on servers and (b) protects cardholder information that may be in transit via transactions that occur between front-end point-of-sales terminals, to backend merchant processing servers (the machines that handle and authorize transactions when a credit card is swiped at a store location).

 

Because the target is often cardholder information – meaning it has a higher raw value on the black-market then other information like a social security number, hackers are developing strategies that involve breaching wireless networks – mainly because it is much easier to penetrate then cracking the corporate firewall and obtaining access via the external gateway.

This is a stepping ground to harvesting data at rest, but in motion as well. The methodology behind this goes in tangent with the “low hanging fruit” theory and part of an overall emerging trend towards gaining access to cardholder information.

Cracking the Wireless Network

Wireless hacks attributed to around 9% of the security incidents documented in a recent report published by the Verizon Business Risk team. This is likely due to incorrectly configured access points or the use of weak authentication ; WPA-PSK in some cases can be vulnerable to offline dictionary attacks if given enough time to decode the captured traffic. WEP on the other hand can be cracked in less than 10 minutes using commercially available tools on the market.

For wireless hacks to be successful without investing a large amount of time and resources the access point either has to have a vulnerable encryption protocol enabled such as WEP or WPA-PSK or not have security enabled at all – which has been seen in the field numerous times.

As data security issues become the number one problem, hackers will continue to innovate and find additional ways of accessing the information they want. Penetrating a wireless network and planting targeted malware only recently emerged on the scene and is expected to increase; especially being that cardholder information is one of the primary targets of interest when it comes to data of value.

Thus, one popular method being used today is the development of targeted malware to intercept transmissions and to extract credit card information and other sensitive data directly from these streams .

However; it all starts with penetrating the wireless network and obtaining the ability to access its resources – as we have seen the weaker link in the chain is often targeted first (stores or regional offices in the field). Some recent breaches have led to malware being physically installed on key servers and the avenue for attack was through a wireless network at a field office.

Theories on how this malware would work would be using filters to detect certain packets with specific information (e.g. credit numbers, social security numbers, authorization codes and pin numbers all of which are of value). Another theory is capturing the details in real-time by installing Trojans that directly interact with the application on the POS terminal, thus, capturing the customer’s information in real-time as it exits the POS to the payment authorization gateway.

 

Once the malware has captured the necessary data it can open a channel with a command and control server and upload the stolen information – it is often found that the C&C server will also be connected to thousands of compromised PCs; subsequently distributing the stolen data to be stored on a consumer’s PC. The chilling part is any consumer’s PC can instantly become a drop-box for stolen corporate information once it has been compromised by hackers.

As mentioned before hackers will target wireless networks located at smaller regional offices as they did with Hannaford and TJX Max This is done under the assumption that security is weaker then at corporate HQ and fits part in parcel with them being “low hanging fruit”. This is probably true given the technical resources available and the diversity that smaller locations have.

Discovery and Prevention

Determining if you have been breached is somewhat difficult as the intruders have likely covered their initial entry by hiding any physical traces (deleting or hiding audit logs, etc). Therefore, your best approach is to adopt a strategy for detecting and mitigating the effects of a breach such as:

• Database monitoring: Technologies exist to monitor SQL and Oracle databases for suspicious activity (access from unauthorized users, insertion of scripts, execution of SQL statements, etc). Monitoring is only part of the equation to detecting an actual breach in progress. If hackers subsequently decide to access cardholder information stored in your databases in addition to extracting the data in real-time; database monitoring will increase the odds of discovering unauthorized access.

• Network Intrusion Detection: Intrusion detection technologies in addition to other methods can be used to detect anomalous traffic and behavior that might be associated with an attack.

• Hardening critical assets: You can minimize your exposure & risk by hardening critical assets (in this case the POS terminal); in other words you are removing non essential functionality such as services, applications and ports that not only adds to the complexity, but introduces additional risk.


PandaLabs Q2 Figures

July 7, 2008

Today we published our Q2 figures covering the most relevant trends in the malware landscape. Some of the key points from this Q2 report includes:

  • Distribution of Banker Trojan families by prevalence in the market.
  • Distribution of Active malware by country (this entails PCs with active malware running in memory).
  • Spam levels fluctuated between 60% to 94% of all email on the Internet

Banker Trojans continue to be a prominent factor when taking into consideration Identity Theft. As covered in the report Banker Trojans experienced a 400% increase as opposed to other years which were significantly less. In addition Russian Banker Trojans remain strong in terms of the overall distribution by family.

In the first half of Q2 2008 we saw an emergence of SQL Injection attacks being used to conduct mass hacking campaigns in order to distribute as much malware as possible. In conclusion cyber-crime only continues to evolve and should not be ignored when implementing security at your organization. The report can be found here: