This past May I sat on an industry panel regarding digital privacy along with Whitfield Diffie (Sun Micro), Patrick Heim (Kaiser), Art Gilliland (Symantec), Rahul Abhyankar (McAfee), Martin Sadler (HP), John Landwehr (Adobe) and Steve Lipner (Microsoft). The panel discussed many interesting topics around technology and today’s need for digital privacy. The full edited transcript is available on-line at Scientific America.
Yesterday we detected several CNN spam messages that pointed to get_flash_update.exe with a different hash then the current one we have detected in past spam runs. We are seeing a whole new run of CNN spam messages hosted on several different domains using very authenticate looking emails with hidden links behind the news stories. It appears that this particular codec attack is evolving and changing dynamically in terms of sophistication, whereas before they had used very primitive methods to distribute this codec.
Most of these sites are legitimate sites that appear to have become compromised, some theories include vulnerabilities in .ASP code making them susceptible to SQL Injection attacks. More information can be found in the article “SQL Injections: The Future of Mass Hacking Campaigns”
The Target: the wireless point-of-sale (POS)
The wireless POS system consists of one or more networked wireless POS end-points located at check-out stands and the internal on-site transaction server which connects the system to the payment authorization source. The transaction server also interfaces with the inventory control system.
• Transaction initiated at wireless POS checkout stand
• Transaction information sent to wireless access point, to transaction server, to authorization source
• Transaction authorization returns to POS checkout to complete transaction
Note there are vulnerabilities at each point.
From an architectural perspective a POS end-point runs an operating system, either a version of Windows or Linux designed to limit functionality – meaning not all O/S functions are available to the logged-in user. These devices are physically divided into two different components:
• Card Reader – system that reads the card as it is swiped.
• Transaction Unit – system that sends the card information to an authorization source.
The information read at the POS will be sent to an authorization source (e.g., Amex) through the transaction unit. In addition the transaction information of the purchase (payment, item, quantity, etc.) is sent over the network to a branch server for inventory control and auditing purposes.
Normally the information sent between the retailer and the authorization source will use strong encryption to protect the information; however, network security between the POS and the internal branch servers may or may not be encrypted and really depends on the configuration.
Assuming that the retailer does encrypt the information sent between the POS and the branch server, the real vulnerabilities then exist at the POS end-point, the wireless access point, and the branch server itself.
• Because a POS terminal reads the card information, performs the transactions and receives the authorization code, information may be stored for short periods either in flash, static ram or the hard-drive (e.g., a few hours until close of register, etc). Therefore, malware could be installed directly on the POS to intercept the transaction data as it is being sent to the authorization source or the internal branch server for storage.
• Branch servers are normally used to collect information from multiple POS terminals, thus, they often will be running a database of some form or another. A hacker wishing to obtain access to this information would have to compromise the server first, and then likely exploit database encryption vulnerabilities.
Because the target is often cardholder information, hackers are developing strategies that involve breaching wireless networks – mainly because a POS requires either direct physical access or access via the network, thus, it’s easier to penetrate than cracking the corporate firewall and obtaining access via the external gateway.
Penetrating a wireless network and planting targeted malware only recently emerged on the scene and is expected to increase; especially being that cardholder information is one of the primary targets of interest when it comes to data of value.
Once the intruder has accessed the wireless network the next challenge would be to compromise the POS or the Branch server. There are a number of ways and vectors in which this can be accomplished in a relatively short period of time:
• Privilege escalation: Elevating user privileges is a method that hackers use to gain access to other parts of the system that may require a higher level of validation. Vulnerabilities that allow this condition to occur are often the culprit behind most escalation attacks.
• Hacking specific Windows services (IIS, SQL, Apache, etc): Gaining access via Windows services by exploiting specific vulnerabilities that allow remote arbitrary code execution.
• Buffer overflow attacks: Overflowing the buffer of an application will cause a condition to occur, that in some cases will allow for arbitrary code to execute with remote shell binding capabilities. Many of these methods if done correctly and the systems are somewhat vulnerable, often will work.
One popular method being used today is the development of targeted malware to extract credit card information and other sensitive data directly from the wireless POS, AP, or the Branch server .
Some recent breaches have led to malware being physically installed on key servers and the avenue for attack was through a wireless network at a field office.
One theory on how this malware would work, is by capturing the details in real-time by installing Trojans that directly interact with the application on the POS terminal, thus, capturing the customer’s information in real-time as it is sent to the authorization source or the branch server.
Once the malware has captured the necessary data it can open a channel with a command and control server and upload the stolen information – it is often found that the C&C server will also be connected to thousands of compromised PCs; subsequently distributing the stolen data to be stored on a consumer’s PC. The chilling part is any consumer’s PC can instantly become a drop-box for stolen corporate information once it has been compromised by hackers.
Hiding the evidence
A next step for the attacker after compromising the POS would be to hide the obvious signs that the system had been tampered with, thus, installing a root-kit is one way to hide any traces associated with the attack. Full kernel mode persistent root-kits are the hardest form to detect.
Therefore, the hacker is completely eliminating the possibility of detection by the means of security scanners, anti-virus applications or any other security tool focused on finding vulnerabilities. This way the breach can remain hidden for as long as possible before anyone considers the possibility a POS is breached.
SQL injection attacks are evolving as the prime mode of transportation for malicious scripts that hackers wish to insert into legitimate web-sites. Typically the web-site is a vehicle for distributing Trojans through scripts crafted to exploit certain vulnerabilities on visiting PCs.
These scripts are often designed to exploit vulnerabilities that the vendor usually has a patch available for; however, if you look at it from a statistical perspective, there will be a certain percentage of users who have not patched their systems against these vulnerabilities. In addition some of these attacks have used 0-day vulnerabilities to spread malware to unsuspecting users as in the case with the recent Adobe Flash vulnerability.
In most cases the Java script code being used to execute the vulnerability is obfuscated and very difficult to perform an analysis on, thus, the real intention behind the script (exploitation of vulnerabilities) can’t be seen by the naked eye. It takes clever decoding techniques to reveal the presence of actual exploit code.
The result is extra time and effort on the part of the anti-virus lab engineer to create an effective vaccination for malware delivered through encoded Java script.
However; the average rate of infection amongst protected networks is anywhere from 70% to 75% according to research conducted by PandaLabs on over 1200 networks across the globe. This obviously raises questions concerning the level and quality of protection companies have running on their PCs.
However; little is known about the true intentions or motivations behind these mass hacking campaigns. From our perspective it’s purely business and with a profit driven approach hackers will do pretty much anything to make a buck.
Over a five month period, Panda Security conducted several audits with a large state agency in the United States to assess the level of risk pertaining to hidden and undetected infection points. Due to the confidential nature of this customer, we cannot disclose the agency name. The information learned from this case is a great demonstration of how even the “well-protected” networks require more effective tools to fend off the latest generation of malware.
This agency by nature is obligated to enforce rigorous security policies to protect against unauthorized activity, especially when they are responsible for securing a large network of sensitive information. Some of the restrictions the agency enforces on its users include:
– Users have limited rights to the network
– Users can’t modify anything within the system directory
– Users must access the Internet through a secured proxy.
In such a secure environment, it should be extremely difficult for malware to cause any harm to the network. Unfortunately, even with these strict access rules, Panda Security found various dangerous intrusions in the agency’s network caused by malware.
The following case study covers an audit spanning more then 4,500 PCs with active, up-to-date anti-malware software from a leading vendor. These PCs were analyzed against a set criteria consisting of hidden active or latent malware along with their associated vulnerabilities.
For more information please see the attached study: Case Study
With the emergence of regulatory laws borne out of experience from a variety of embarrassing security breaches, today’s corporate leaders face a myriad of repercussions. These range from serious fines to jail time when found not in compliance with regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and Payment Card Industry (PCI), etc.
These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.
For example it mandates in the Sarbanes-Oxley act section 404 that any publicly traded corporation must maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.
Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. The development of a policy framework based on this audit untimely drives the definition of what would be considered “adequate” controls.
However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising as seen in the Monster.com attack. It’s estimated that over 79 million records were exposed last year alone.
Despite established security policy, these breaches lead to public dismay and a loss of consumer confidence. Take for example the TJ Maxx incident that led to an exposure of 45 million credit card numbers and eventually cost the retailer over 200 million dollars in both hard costs incurred and stock value reduction.
These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? Why did the internal controls, established according to company policy, fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?
These are all good questions, especially concerning the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part do with the dramatic increase in information exposure in 2007.
For example a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, thus, stealing credentials and other personal information that could be used to gain profit.
Furthermore, if we put this into perspective we are more at risk then we were a few years ago when the primary concern was the prevention of network worms that caused data destruction.
In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.
Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.
The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What’s alarming is the rate at which malware is developed and released to infect victims on a daily basis. For example, PandaLabs and other major AV labs see over 4000 new strains per day.
This is mainly due to the overwhelming inability for security vendors to respond to this ever increasing rate of new malware strains. We are witnessing a literal denial of service against vendor resources.
The rapid pace at which cyber criminals seed the industry with new threats contributes to the overall problem that is causing technical safeguards to fail, thus, putting the corporation at risk of violating regulatory standards which untimely will lead to serious consequences if sensitive information is leaked.
For example, in a health care organization one undetected Trojan could make a case for a serious risk of violation of HIPAA §164.308(a) (4) that pertains to protecting health information: “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a) (4) [Information Access Management]”
A False Sense of Security – Audit and Assessment Standards
When doing a security audit to ensure that adequate controls are in place from an information security perspective, the auditor is normally looking at whether the corporation is in adherence to a defined policy. Furthermore, a security audit encompasses some of the following questions:
– Are passwords difficult to break?
– Are computers up-to-date with the latest security patches?
– Do any vulnerabilities exist in the operating system or applications installed?
– Are there Access Control Lists (ACLs) implemented on shared resources to control access to them?
– Have unnecessary services or applications been removed from computers that could potentially expose the resource?
– Are computers regularly scanned for malware?
The missing element in a security audit, however, is assessing for sophisticated active threats (e.g. kernel-mode root-kits, stealth Trojans, key-loggers, etc). Therefore the current assessment tools and verification methodologies used to validate controls rely mostly on identifying weaknesses or potential risk to assets; for example, a vulnerability scan or untimely a penetration test will tell the auditor of potential avenues for attack. But, the number one question to ask is: are assets already compromised with undetected malware?
There are a wide range of technical safeguards that can be implemented to significantly reduce potential exposure and the organization’s overall risk; however hackers have devised ways to circumvent these. For example the most common infection vector is via the web through malware laced web-sites that have been compromised and altered in some way, shape or form.
Therefore, a majority of malware (if not detected via signatures or proactively by other technologies) will simply evade perimeter defenses (firewalls, network intrusion prevention, etc.) and make its way to the end-point, especially if it is “targeted” in nature, and with a limited number of hosts designated to be infected.
There are certainly other ways to reduce risk. For example, corporations can implement a policy that limits the administrative access a user has to his or her own PC and other resources on the network. While this reduces the overall risk of unauthorized access, it is not the final solution as hackers tend to abuse system privileges (going around established ACLs) by exploiting applications and other flaws in the operating system.
Proactive defenses such as Host Based Intrusion Prevention (HIPS) can substantially raise the bar in terms of detection, anywhere between 80 and 90 percent. With malware 1.0 this model was acceptable; but with the rate and volume of new threats emerging on a daily basis hundreds or even thousands of threats over time can be missed.
Public companies that must adhere to regulatory laws, must also adopt better internal controls to ensure that hidden infection points are discovered and removed before any exposure occurs. Better yet, modern assessments must take into consideration the possibility of assets already compromised by hidden and undetected malware.
Regulatory compliance is an interesting but challenging topic that every public corporation, no matter what size or shape, is untimely affected by. Organizations must evolve their security best practices to include better assessment methodologies that take into consideration crimeware innovations and available technologies that not only assess weaknesses, but locate active unnoticed infection points.