On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of 5 servers used to control as many as 2 million computers infected with Coreflood malware. This malware, also known as AFCore, quietly steals personal and financial information from the computer and forwards the information to the criminal ring leaders. The attackers use the information collected by AFCore to conduct fraudulent wire transfers, emptying the users’ bank accounts.  The botnet is suspected to have existed since at least 2002, and has evolved over the years from using IRC based command and control and selling DDOS/anonymity services, to HTTP based command and control and performing fraud.

Using a similar approach used to take down the Bredolab botnet, US federal investigators were granted special authorization by the Department of Justice to substitute their own Command and Control server for the hosts operated by the criminal organization.  When the bot of the infected machine checks into the new C&C it is simply given a command to shutdown.  The DNS records used by the bots have also been pointed to Shadowserver’s sinkholes.

Seizing control of the C&C servers by law enforcement is now preventing the criminals from accessing any information already harvested by the infected computers.  It also keeps them from covering their tracks by deleting files and terminating processes.  However, the millions of Coreflood infections remain intact and still require intervention by a trained security analyst or antivirus program with signatures to detect it. Investigators are also alerting the Internet Service Providers of the compromised machines and requesting they inform their customers.

More information about the takedown can be found here:

• Botnet Operation Disabled: FBI Seizes Servers to Stop Cyber Fraud
• Bold FBI Move Shutters COREFLOOD Bot

Perimeter’s Security Operations Center is actively monitoring for outbound activity known to be associated with the Coreflood botnet.  In one instance, minutes after adding inspection for the redirected C&C check-in, alerts indicated a single customer network to have 17 actively compromised hosts. Here’s a sample screenshot from our SOC’s Security and Information Event Management System:

Coreflood Botnet Traffic, from Perimeter SOC

Looking at the raw event logs, we can see that the compromised host is attempting direct HTTP connections to a sinkhole IP. The URI confirms the activity to be related to a bot C&C check-in:

Recommendations for Perimeter customers

Although the FBI has taken ownership of the Command and Control and are issuing shutdown commands to the active bots, the malware is still installed on the compromised machines and reactivated at bootup.  Analysis of this Coreflood variant indicates the C&C domains change monthly and have been pre-registered in countries that are outside of United States jurisdiction.  There still remains a possiblity of the criminal ring regaining control of the botnet.  Perimeter strongly recommends customers take the following actions to stay protected:

• Use Web Content Filtering to lockdown Internet usage by enforcing user authentication and blocking of categories not critical to business
• In particular, customers are strongly advised to block access to unclassified sites, which commonly harbor malware and C&C servers
• Use standard best practices such as Network IPS and Network/Desktop AV to help prevent infections
• In cases where infections do occur, a strong WCF policy will help prevent theft of data, and will provide additional logging information used by the Perimeter’s Security Operations Center

Thanks for your time and attention, and stay safe.

Late last week, e-mail services firm Epsilon, which manages e-mail campaigns for hundreds of high-profile clients in retail, publishing, consulting and other sectors, revealed that it had been hacked. As a consequence, the attackers were able to obtain the names and e-mail addresses of millions of customers of companies like Citigroup, Walgreens, JP Morgan and many, many others.

Like me, you likely received a notice from a company you do business with informing you of the hack. I got mine from McKinsey Quarterly:

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Three quick observations about What It Means:

First, this is embarrassing for Epsilon. It suggests that they have some work to do on their defenses. We don’t know how the attackers got in — it could have been by exploiting a weakness in their web applications (likely), or from a social engineering attack of the type that hosed RSA (less likely).

Second, the attack will be of no consequence to most people. Yes, as many commentators have written, there is an “elevated risk of spear phishing attacks,” which in plain English means this: because the bad guys have your name and e-mail address, they might try to trick you by sending you an e-mail with a funny link. But to be honest, I don’t get much, if any, spam — thanks to Perimeter’s multi-stage e-mail filtering service. And if you use a premium spam filtering service, you probably don’t either. And even if the attackers manage to put together an e-mail that does get through your spam filters, how would you be able to tell that this particular break-in was the cause of it? Right.

Third, nice work McKinsey! The e-mail above is a great example of how to write an unambiguous and clear disclosure e-mail. You’ll note that they spell out exactly what Epsilon says has been disclosed (name and e-mail address, not enough to trigger a PCI or HIPAA violation). They also provide appropriate guidance on what to watch out for, and reinforce that McKinsey employees will never request sensitive information from their customers (which they shouldn’t). This is exactly what you should say in an e-mail like this.

The bottom line is this: spam happens. Just make sure that your employees and colleagues don’t blindly click on attachments they shouldn’t, or blindly click on links embedded in e-mail. Take this incident as an opportunity to reinforce your security policies. But don’t worry too much. Compared to the RSA compromise from a few weeks ago, this is very small beer.

It is not clear whether the theft of this information enables attackers to compromise customers’ own SecurID deployments. RSA claims that the information obtained by the attackers does not. As described in RSA’s advisory (http://www.rsa.com/node.aspx?id=3872):

“[RSA has] no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

However, RSA’s news release notes that “the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

We strongly urge customers to read the full advisory from RSA here: http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm

There is no indication that suggests Perimeter’s customers are at risk. We are continuing to monitor the situation and will send out additional updates as new information is made available.

Defining an enterprise mobile device passcode policy can be surprisingly difficult. Security managers must attempt to reconcile two opposing goals. They must:

• Create a passcode policy that is strong enough to protect the device if it is lost or stolen, while:
• Not annoying users with needless length or complexity

These goals are hard to reconcile because mobile devices like smartphones and tablets are personal, portable and convenient. Employees use their devices in places they wouldn’t use a PC: in the car, during their kids’ football game, and during (shall we say) otherwise unproductive periods of the day. It’s tempting to simply duplicate existing network security policies. The rationale goes something like this: smartphones and tables are nothing more than small PCs with antennas, so the password policies should be the same as for PCs. It’s easy to think that, but it’s the wrong attitude.

This whitepaper will describe the passcode policy Andrew recommends for mobile devices that comply with NIST’s e-authentication Level 1 guidelines as described in Special Publication 800-63, “Electronic Authentication Guidelines”. The policy is reasonable, employee-friendly and highly usable, but strong enough to protect your company’s data. To cut to the chase, here’s what it is:

• 8-digit numeric PIN
• Simple PINs disallowed
• Automatic lock after 15 minutes
• Grace period of 2 minutes
• Automatic wipe/permanent lock after eight wrong tries
• No expiration

Click here to read the whitepaper.

All that being said, I found something very interesting in the Goatse response that I hadn’t thought of before.  One of the pieces of information that they captured (or rather systematically guessed and then verified through data extraction) is the ICC-IDs.  This is the unique identifier on the iPad.  Using the ICC-IDs, someone could potentially identify the location of any particular iPad owner and track everywhere the user goes.  This could have very serious security ramifications, especially when you consider those that were among that list of 144,000.  If this were really possible (which no one has shown that it really is yet), it is certainly a privacy issue but would hedge on a national security problem.  Imagine if a foreign government knew exactly where all the top military leaders and the secretary of state were at all times.  There are a lot of scary scenarios that we could talk about if this were really possible.  But I didn’t think of the risk the ICC-IDs could potentially have when I wrote my initial blog post.

Lawsuits, as a result of data breaches, were out of control.  Sure, if a company has a breach that results in fraud or identity theft, I can understand why someone would want to sue the company.  I believe that if a breach occurs, and it is at all possible that identity theft or fraud might occur as a result, that the company should offer credit monitoring services for people.  But what I have never agreed with are those suits filed by individuals or groups where no identity theft has occurred, no fraud occurred, and there is little or no chance of having that happen and still, they get sued.  The Ninth US Circuit Court of Appeals has ruled that a man whose personal information, including his social security number, was exposed has no legal standing to seek damages BECAUSE HE DID NOT SUFFER MATERIALLY AS A RESULT OF THE BREACH.  This is how it should be.  I remember the class-action lawsuit against the Veterans Affairs where they had to pay $20 million and no identity theft or fraud had occurred.  There were 26.5 million records exposed, so was everyone going to get $0.50 after the attorneys were paid.  These lawsuits have been ambulance-chasing lawyer’s dreams for some time.  I am glad it is moving in another direction…

Poor website security practices by AT&T lead to the breach, but like many breaches, AT&T is just the third party.  So when everyone references this breach in the future it will be Apple’s name, not AT&T.  That being said, this is somewhat symbolic because emails by themselves usually don’t constitute a data breach.  It is unclear what other information, if any, was also captured.  This is an interesting case because no other time would anyone care about email addresses being exposed.  This isn’t about a data breach, it is about a group being able to capture an exclusive list of America’s most influential people and their private email addresses.  A list like this simply doesn’t exist.  But Goatse (the security consulting group) was able to write a script that systematically harvested these addresses from the AT&T website for any iPad owners that signed up for the 3G service.  While they say 114,000 emails were compromised, it is likely that many others were compromised as well.    Personally, this is where I think Goatse stepped over the line.  They detected and exploited the vulnerability.  They told AT&T about it.  They wanted press and they have it.  But they said that they gave the vulnerability exploit and script to others.  Who are these others?  What did they do with this information?  It is always a slippery slope when a rogue security firm does this type of thing in the first place.  But if you are going to do this and already be in a “grey area”, you really shouldn’t give the script out to others to use.  That is what makes it go from grey to black very quickly.  Let’s all remember it is just email addresses (as far as we know).  It isn’t like someone hacked into the government, took over the presidents “red phone” and called in a nuclear strike.  But due to the high profile nature of those compromised (you can’t get much higher profile), AT&T and Apple will take a lot of heat for this.

I was asked to answer some specific questions for a reporter of Processor Magazine. They usually take bits and pieces of what I send combined with others in the industry to write their articles. So I thought I would list the questions here and my full answers. At some point we will see what they use of these…
—————————

What does it take to keep the enterprise secure?
A lot more than people think. The idea that a firewall and anti-virus software are enough can only be described as reckless these days. Even intrusion detection and prevention systems can be easily bypassed by cyber criminals. Every organization is different and therefore there isn’t one answer that will keep all enterprises secure; but in general a layered security approach that includes information security defenses at the edge, in the core of the network, and on the endpoints is what is needed.

More importantly than the technologies or solutions employed is the way in which the enterprise will get the most out of those solutions. Centralized reporting and administration is key. Central repositories for compliance documents and audit documentation is critical. Policies, procedures and controls are paramount. The best thing an enterprise can do is work with a security expert that has their best interest in mind and help them design and roll out a comprehensive security program that fits their requirements and budget.

Why should some applications (or classes of apps) NOT be used in the enterprise?
The term “applications” is so broad it is tough to answer this. In general, there are lots of applications that shouldn’t be used in an enterprise or closely managed and monitored if they are used. Some for productivity reasons. Others for security reasons. In my mind, what is more important than broadly banning applications (although there are times you should do that) is ensuring that systems only have the applications they need to perform their various functions. Any application can have vulnerabilities that can be exploited. Look at Adobe Acrobat for example. It is on more systems than any other application on the planet and has one of the highest rates of known, critical vulnerabilities. I don’t know of many enterprises that are going to ban Adobe Acrobat. So the more important thing is a process whereby you can patch the systems and keep them up to date to reduce the chance of compromise.

If you are referring to “applications” in the context of security solutions then I would answer differently. Simply stated, every organization is unique and information security must be implemented and somewhat customized for that particular organization to offer real value.

Why should others be used? Do you have any examples?
Again, if we are talking about security applications, one that I feel is really necessary these days but often not known or used is Host Based Intrusion Detection & Prevention (HIPS). This is software that goes right on the endpoints you want to protect. It does a great job with securing individual assets you want to protect at a higher level such as mission critical systems, customer databases, active directory services, or Internet accessible devices like an email server or web server. Web Content Filtering is another one that is absolutely necessary to help keep malware out of your organization. From a security standpoint, there are so many solutions an enterprise really needs to work with an expert to see what they need.

Why isn’t it the best idea to give end-users administrator rights?
There are lots of reasons for this 1) the user may install software that could compromise the system and subsequently the entire network. 2) Hackers that compromise the system may use these rights for other nefarious purposes.

How is mobility affecting the typical company’s security planning?
USB thumb drives, smart phones, iPods/iPhones, and other devices are causing major problems for enterprises. Malicious insiders can use these devices to steal massive amounts of information and walk out with it on their keychain or in their pocket. Careless and untrained insiders often spread malware, viruses, Trojans, worms and other things that can compromise or destroy systems and data. Mobile users such as telecommuters and travelers often have laptops stolen which have sensitive data on them. 45 of the 50 states have data breach disclosure laws that require an enterprise to publicly announce these incidents which can have a huge impact on revenue, customer retention, and stock prices, not to mention the fees and class action lawsuits that usually follow.

Is there such thing as too much or too little security?
Of course there is such a thing as too little security. I also believe that there can be too much security. If you have so many security solutions and technology that you aren’t able to keep up with the 24×7 management and monitoring, you aren’t getting what you need out of those solutions. You are wasting money. In the hands of properly qualified information security experts, it would be better. But there are so many solutions that people have deployed and they simply aren’t getting much value from them. Maybe they were at one time, but people keep adding solution after solution and technology after technology rather than doing a risk and gap analysis and finding out what they really need and then simply using those things. They will find they spend less in the end and get much better risk mitigation.

Peer to Peer is continuing to be a real problem for organizations. Recently, the FTC sent out letters to about 100 organizations that they had detected personal information about their customers or employees. They say that failure to prevent this information from being shared may represent a violation of one or more laws that the FTC enforces, such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act.

What is happening is that an employee or other insider is installing a P2P program on an inside computer, probably for the purpose of downloading music, movies or other (usually illegal) content. Insiders like using their employer’s Internet connection because it is usually faster than their bandwidth at home and they can do it during business hours. What these insiders usually don’t know is that these programs scan internal hard disks and other systems for other content to share with others on the Internet. Some of these programs are set to scan and present for download to anyone on the Internet things such as database files, word documents, excel spreadsheets and other sensitive document types.

If you don’t have a policy or ability to enforce such policies that prohibit these type of activity, you could be next to get a letter from the FTC.

Some people question the real costs behind a data security breach. Here is an example I thought was really interesting. BlueCross BlueShield of Tenn had a breach and they have already spent more than $7 million dollars. The breach is from the theft of some hard drives that were in an abandoned office. One of the costs that is often overlooked in a breach scenario is the cost of simply trying to figure out what information is on the stolen media. That is where a significant portion of the $7 million has been spent. As many as 500,000 people are believed to be affected by the breach.

Just looking at round numbers, 17 million people at (lets say) $10/month will be $2 billion/year plus the fee for identity theft cases. Hannaford had 1,700 known cases on their 4.2 million records lost. So if you mulitply that by 4 to meet the same number or records lost in the Contrywide breach, they may see 6,800 identity theft cases. If they had to pay the maximum for each of those, it would be an additional $340 million.

Not surprisingly, the breach was committed by an insider over the course of two years.  Keep an eye out for our upcoming free webinar about Insider Threat.

You can read the ABCNews.com article here.

I must commend Google on the way they handle the information security breach. They are forthright about it. See, Google understands that breaches happen. They also understand they are significant and must be addressed promptly. They utilize the resources to delve fully into them…which often uncover additional issues.

There is still some controversy about this bill. One the one hand, it would standardize all the various state data breach disclosure laws and make things much more simple. It would also cover those few states that still don’t have a data breach disclosure law. On the other hand, it states that the FTC would be responsible for enforcement. There are some industries that are exempt from FTC enforcement (the government, financial institutions, insurance companies, non-profits, and institutions of higher education) so it is somewhat unclear how these organziation would fall under the new legislation.

Read More…

While there will likely be significant resistance in the full Senate, I think this shows the direction these laws and regulations are moving and it is only a matter of time before everyone is on the hook for better information security.