On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of 5 servers used to control as many as 2 million computers infected with Coreflood malware. This malware, also known as AFCore, quietly steals personal and financial information from the computer and forwards the information to the criminal ring leaders. The attackers use the information collected by AFCore to conduct fraudulent wire transfers, emptying the users’ bank accounts.  The botnet is suspected to have existed since at least 2002, and has evolved over the years from using IRC based command and control and selling DDOS/anonymity services, to HTTP based command and control and performing fraud.

Using a similar approach used to take down the Bredolab botnet, US federal investigators were granted special authorization by the Department of Justice to substitute their own Command and Control server for the hosts operated by the criminal organization.  When the bot of the infected machine checks into the new C&C it is simply given a command to shutdown.  The DNS records used by the bots have also been pointed to Shadowserver’s sinkholes.

Seizing control of the C&C servers by law enforcement is now preventing the criminals from accessing any information already harvested by the infected computers.  It also keeps them from covering their tracks by deleting files and terminating processes.  However, the millions of Coreflood infections remain intact and still require intervention by a trained security analyst or antivirus program with signatures to detect it. Investigators are also alerting the Internet Service Providers of the compromised machines and requesting they inform their customers.

More information about the takedown can be found here:

• Botnet Operation Disabled: FBI Seizes Servers to Stop Cyber Fraud
• Bold FBI Move Shutters COREFLOOD Bot

Perimeter’s Security Operations Center is actively monitoring for outbound activity known to be associated with the Coreflood botnet.  In one instance, minutes after adding inspection for the redirected C&C check-in, alerts indicated a single customer network to have 17 actively compromised hosts. Here’s a sample screenshot from our SOC’s Security and Information Event Management System:

Coreflood Botnet Traffic, from Perimeter SOC

Looking at the raw event logs, we can see that the compromised host is attempting direct HTTP connections to a sinkhole IP. The URI confirms the activity to be related to a bot C&C check-in:

Recommendations for Perimeter customers

Although the FBI has taken ownership of the Command and Control and are issuing shutdown commands to the active bots, the malware is still installed on the compromised machines and reactivated at bootup.  Analysis of this Coreflood variant indicates the C&C domains change monthly and have been pre-registered in countries that are outside of United States jurisdiction.  There still remains a possiblity of the criminal ring regaining control of the botnet.  Perimeter strongly recommends customers take the following actions to stay protected:

• Use Web Content Filtering to lockdown Internet usage by enforcing user authentication and blocking of categories not critical to business
• In particular, customers are strongly advised to block access to unclassified sites, which commonly harbor malware and C&C servers
• Use standard best practices such as Network IPS and Network/Desktop AV to help prevent infections
• In cases where infections do occur, a strong WCF policy will help prevent theft of data, and will provide additional logging information used by the Perimeter’s Security Operations Center

Thanks for your time and attention, and stay safe.

Late last week, e-mail services firm Epsilon, which manages e-mail campaigns for hundreds of high-profile clients in retail, publishing, consulting and other sectors, revealed that it had been hacked. As a consequence, the attackers were able to obtain the names and e-mail addresses of millions of customers of companies like Citigroup, Walgreens, JP Morgan and many, many others.

Like me, you likely received a notice from a company you do business with informing you of the hack. I got mine from McKinsey Quarterly:

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Three quick observations about What It Means:

First, this is embarrassing for Epsilon. It suggests that they have some work to do on their defenses. We don’t know how the attackers got in — it could have been by exploiting a weakness in their web applications (likely), or from a social engineering attack of the type that hosed RSA (less likely).

Second, the attack will be of no consequence to most people. Yes, as many commentators have written, there is an “elevated risk of spear phishing attacks,” which in plain English means this: because the bad guys have your name and e-mail address, they might try to trick you by sending you an e-mail with a funny link. But to be honest, I don’t get much, if any, spam — thanks to Perimeter’s multi-stage e-mail filtering service. And if you use a premium spam filtering service, you probably don’t either. And even if the attackers manage to put together an e-mail that does get through your spam filters, how would you be able to tell that this particular break-in was the cause of it? Right.

Third, nice work McKinsey! The e-mail above is a great example of how to write an unambiguous and clear disclosure e-mail. You’ll note that they spell out exactly what Epsilon says has been disclosed (name and e-mail address, not enough to trigger a PCI or HIPAA violation). They also provide appropriate guidance on what to watch out for, and reinforce that McKinsey employees will never request sensitive information from their customers (which they shouldn’t). This is exactly what you should say in an e-mail like this.

The bottom line is this: spam happens. Just make sure that your employees and colleagues don’t blindly click on attachments they shouldn’t, or blindly click on links embedded in e-mail. Take this incident as an opportunity to reinforce your security policies. But don’t worry too much. Compared to the RSA compromise from a few weeks ago, this is very small beer.

Over the last few weeks it seems as though I can’t turn on a TV or pick up a newspaper without reading about the security issues related to Radio Frequency Identification or RFID technology in credit cards.  This seems to be the latest hot topic and I have seen feature stories on both my local and national news channels.  The reality is that this topic is not so new.  If you perform a Google search on “RFID security in Credit Cards” you will see that this security concern stretches all the way back to the early 2000’s.  Hacker’s and security experts have been using RFID reader technology in their hacking arsenal for some time now.  In fact, a simple search of eBay for RFID readers will bring up devices for under a hundred bucks that can skim data from a person walking by.  Even more frightening is that smartphones are now coming equipped with the ability to read RFID signals.  Read about RFID coming to the iPhone: http://www.readwriteweb.com/archives/iphone_as_rfid_tag_reader.php

So why is it such a hot new topic in the last few weeks? Well the simple fact is that while the skimming attack is not new, the adoption of RFID technology has taken off in the last year.  In the past month I personally was issued two new credit cards (replacing my old expired cards) and if I was not specifically looking for it I would have never realized that most credit card companies are now issuing new cards with the RFID technology enabled by default.  I challenge you to look into your wallet or purse and locate your newest card and flip it over.  Chances are that you will see that familiar wireless symbol that indicates RFID technology in the card.  Furthermore if you hold that same card up to a bright light you can probably make out the chip that is embedded into the card.

Mystery solved…with more and more cards enabled with this technology this old skimming attack resurfaced into the limelight and televisions stations all over the world are picking up the story.  So much in fact that sales of aluminum credit card sleeves and insulated wallets (technology that shields the frequency from being skimmed) have shot through the roof.

However, let’s dig a little deeper into the real risks associated with this technology in credit cards before we all run around in a panic.  I want to first state that I am a security guy so I don’t want to lighten the concern but rather educate you on the real risk.  First let’s take the RFID readers that you can buy from eBay or enable in your smartphones and analyze what these devices can do.  Typically the reading signals from these low end devices are fairly weak.  Meaning that in order for a skimming attack to work a person that walks by you with one of these devices would have to align their skimmer and your wallet within a few centimeters of each other.  Think about it…when you walk up to a gas pump to pay with a speed pass you have to remove the card from your wallet and hold it a few inches from the reader for it to register.

Secondly, if you examine the actual data that is able to be skimmed from these readers you will notice that the reader will essentially gather the same information that is publically displayable on the front of the card, such as your full name, the credit card number and expiration.  So basically this skimming attack would gather the same information that I could gleam from performing a simple shoulder surfing attack. The key missing element is that three digit code imprinted on the back of most cards. Since this is the case, cardholders are even making the case that the new RFID technology provides greater privacy than even traditional card payments since the card never leaves your hands and the transmitted data contains less sensitive data than what is imprinted on the back of the card.  You should not be able to make an Internet or phone purchase, since merchant should ask for the 3 digit code on the back, or zip code verification – to complete any purchase.  You can’t create a phony mag stripe card without that data as well. You can’t even create a phony swipe card since encrypted and dynamic verification data is held securely in the chip on the original card.

You can link to the cardholder statements here:

Mastercard – http://www.mastercard.us/paypass.html#/home/

Visa – http://usa.visa.com/personal/cards/paywave/index.html

American Express- https://www295.americanexpress.com/cards/loyalty.do?page=expresspay

The real scary fact that I gathered from these news stories is that since 2006 all new passports issued contain RFID chips and simple scans of these passports can reveal all of your passport data.  Think about the possible risks associated with this and how quickly your data can circle the world into the hands of malicious counterfeiters.  A wise person should spend their money on a protective metal-lined passport jacket instead of a credit card sleeve.

In summary, if all of this doesn’t make you feel a little better than maybe the fact that all of the major credit card companies provide 0% fraud liability if your data is stolen.  I personally have more comfort in the option that a simple hammer and screwdriver will provide.  Just a simple tap from a hammer and screwdriver placed on top of the embedded chip inside the card will render it useless.  I am sure this method is not endorsed by the card issuers, but is the path I elected to take, Google it!

What are the greatest challenges now?

• Attacks are becoming so sophisticated that hackers have developed methods to bypass or subvert traditional IDS/IPS systems.
• Additionally, more and more hackers are using Malware to do their dirty work for them rather than traditional inbound attacks where IDS/IPS systems are most effective.  If the hacker can get malware on the internal system, it renders IDS/IPS systems useless.  This is why methods to install and spread malware have absolutely exploded; especially malware websites (although this is just one of several methods).  Once malware in installed in the local system, the bad guys can create encrypted tunnels back to their command and control networks.  IDS/IPS systems cannot read encrypted packets so essentially this all happens “under the radar” from traditional security solutions.

Which industries are most/least vulnerable?

• Any industry that houses valuable data is always a greater target.  These include anything that can assist in identity theft or fraud for the hackers.  Usually this means companies that house financial data or personally-identifying data.  So, banks and healthcare providers are at the top of the list.

What are myths and realities about some of the current strategies and solutions?

• Unfortunately, people still think that edge-based security solutions are enough to keep the bad guys out.  A firewall, network-based IDS/IPS and other technologies that are in the network or “cloud” are still necessary but are far from enough to keep the hackers at bay.

What are the key points you want to make in this interview?

• See the answer above to myths and realities again…then…the only effective way to secure sensitive data and mission-critical systems are through the next generation HOST-BASED intrusion prevention system.  Rather than network-based systems that can be bypassed or subverted, HIPS can be installed directly on the system you are trying to protect.  It can protect it at a much higher level than traditional network-based solutions.  It combines signature matching capabilities to behavioral techniques.  When combined with 24×7 management and monitoring, it offers the greatest protection for these targeted industries.  And, don’t feel like you have to install HIPS everywhere…you only need it on those “mission-critical” systems that if they were compromised by a hacker or were unavailable for a period of time, it would be problematic for your organization.

Mariposa is said to have as many as 12.7 million compromised computers (Zombies) worldwide. The software acted as a Trojan horse and captured login credentials for online bank accounts. Following the arrests, police recovered personal information of more than 800,000 people. Zombies were in many of the Fortune 1000 companies as well as in 40 major banks. The Mariposa Working Group, which is a coalition of security experts, academics and law enforcement, were the ones who got it shut down.

Just looking at round numbers, 17 million people at (lets say) $10/month will be $2 billion/year plus the fee for identity theft cases. Hannaford had 1,700 known cases on their 4.2 million records lost. So if you mulitply that by 4 to meet the same number or records lost in the Contrywide breach, they may see 6,800 identity theft cases. If they had to pay the maximum for each of those, it would be an additional $340 million.

Not surprisingly, the breach was committed by an insider over the course of two years.  Keep an eye out for our upcoming free webinar about Insider Threat.

You can read the ABCNews.com article here.

It sure seems like financial institutions are losing the game of “who is left holding the check.” Regulators are coming down on them harder and more often than ever. Consumers are rightfully expecting their personal information to be protected, but usually unwilling to pay any more for these measures. Criminals are getting better and better about effectively compromising systems in more diverse, complex, and innovative ways. FI’s vendors and partners are often the source of issues and breaches and yet the FI still has to pay the bill and do the clean-up…not to mention the reputational impact. It is tough to be a FI these days.

What most organizations don’t realize is their data is all over the place. Sure it’s on the server, but Joe has also copied it to his laptop.  Sally has it on a memory stick that is in her purse. Jill burned it to a CD and left it at home. Sensitive data is all over the place and most organizations do not even know where it is, let alone how to find it.

There are some products available to help you identify sensitive data. Other products will also immediately encrypt the data if it is found. Still others will locate it, encrypt it, and apply access permissions. Depending upon what type of business you are in, you will have to decide what type of system you need.

Having sensitive data outside of your control is a growing problem and one that several regulators are trying to address. Even with new Red Flag Rules that go into effect November 1, these in part are meant to address rogue data in an effort to identify and stop identity theft.

I have been talking for some time how security is moving more and more towards the end-points. This is one of the reasons why. As time goes on, we will see more mature software products become available. IT Admins and compliance officers should begin thinking about how they will address this problem in their organizations.

We as a society are all-to-often willing to trust other people or companies with our very identities. While this is scary enough, doing it for the purpose of saving a couple of minutes in line at the airport seems a bit reckless. But I believe that this might be just the first minor step in a much larger program that everyone may be required to participate in. Obama passed the HITECH healthcare law in February of this year that promotes the creation of a national healthcare system. This system will be tied to identities of participants…which will likely be all Americans, or nearly all Americans. Whether this will turn out good or bad remains to be seen.

The real problem of course is what they do with the data. In a more recent article, Clear said it may sell its sensitive customer data to a similar provider if it’s authorized to do so by the US government.

It just shows that when you turn this type of information over to a provider, you really don’t know where it will end up, or what it might be used for.

Now U.S. Legislators want to know what the company plans to do with the information. In a letter dated June 25, 2009, Representative Bennie Thomas (D-Miss.), chairman of the House Homeland Security Committee, expressed concern about the security of the collected data and asked the TSA to describe its plans to secure the data.

I have mentioned several times that while the economy is poor, insiders are a major threat to organizations. When a company has a data security breach as a result of an insider, the losses are the worst of any class of breach. Greater than hackers, theft, etc. Many say there isn’t much you can do about the insider threat. While a sophisticated and motivated insider would likely always be able to be successful, a company can do a lot to prevent desperate employees with fear and a conscience looking to make extra money. Good hiring practices, end user security awareness training (creating a culture of security in the company), and other practices can positively impact the security posture of a company.

Read the Bloomberg.com article here – Ex-Mitsubishi UFJ Unit Worker Arrested for Data Theft

Beware with fraud and identity theft being at all time highs, something like this (if it gets into the hands of criminals) can make it grow at an even faster pace.  Check your credit often as this type of data would most often be used to create new accounts.

2008 had the highest number of complaints reaching 275,284.  This is a 33% increase over 2007 levels.

Total financial loses were $264 million with a median dollar loss of 931 per complaint.  Again, this was higher than 2007 numbers.

Non delivery of merchandise and online auction fraud accounted for more than 50% of complaints.  Other fraud types included credit/debit card fraud, confidence fraud, computer fraud, check fraud, and even Nigerian letter fraud (as opposed to all the legitimate Nigerian letters we all get).

Highest losses were check fraud at a median loss of $3000.  Nigerian letter fraud accounted for a median loss of $1,650.

Three quarters of perpetrators were men.  Two thirds of all perpetrators were in the United States. Half of all perpetrators were in one of the following states: California, New York, Florida, Texas, District of Columbia, and Washington.  Most of these being the most highly populated states shouldn’t surprise anyone.

Complainants were almost nearly split between men and women, but the men edged out by 55%.  Half of all of the complaints came from those ages 30 to 50.

Men seemed to lose more than women in these incidents by between 25-35 percent.

Probably most interesting is that 74 percent of all fraud complaints were sourced through email.  Nearly 29 percent included web sites.  I think the lesson to learn here is that a good SPAM filter, and web content filtering can reduce fraud.  If you can limit the amount of SPAM getting to your employees desktops, and block their access to inappropriate websites, you could be saving them thousands of dollars.  This also increases their productivity.  It does this in general, but also imagine the number of hours (often work hours) that they will use to fight whatever fraud they experience.  So implementing these solutions is best for everyone (except the criminals).

Criminals target organizations in an effort to get their hands on sensitive data that would allow them to commit identity theft.  A social security number in conjunction with a name or other information.  Perhaps an account number or username.  Bad guys know how to correlate and use this information for malicious purposes.

As a result, it is up to each individual company to protect their customer and employee data.  There are of course several laws and regulations around this sort of thing, but just because a regulation says a company should do something, doesn’t mean that they do.

Data security is so much less expensive than it used to be.  For example, firewall, intrusion detection and prevention, web content filtering, anti-virus, SPAM filtering, virtual private network technology, and more are built into a single device smaller than a book and can offer even the smallest of businesses a great deal of protection.

Your employer could be the one that leaks your private information and causes the theft of your identity.  Ask your employer what measures they have taken to protect your identity.  Encorage them to implement additional solutions, policies, procedures and best practices to keep your data safe.  By doing so, you will be helping out yourself, your family, and many others as well.  Lets raise the water line when it comes to Internet and data security and keep our identities safe.

This shows how you cant look at security with the hopes that a single solution will solve your problems.  Data security requires a layered approach.  Also, technology can’t solve everything.  Polcies, procedures, enforcement, training in addition to technology are all needed for an effective security policy.

I guess what we should learn here is that if you do have several data breaches near the same time, announce them all at the same time in the hopes people will look at it as one breach rather than multiple.