Hacking your car, a decade-old data breach and AT&T Wi-Fi woes

January 18, 2012

Filed under: Leigh's Security Tips



I spent a little time today getting caught up on some security news. Here are three fascinating security reads I think you’ll enjoy:


Revisiting “Dude, your car’s infected!”

Last March, we posted a story about an article in Motor Trend detailing the interesting proclamation that cars may soon be in need of “McAfee or Norton protection.” Basically, a research team developed a virus called “CarShark” that allowed a car’s computer system to become exploited. Here’s a recent white paper on their findings.

The good news is the attack vectors and vulnerable subsystems are unique by car make and model. Thus, an exploit that makes one car vulnerable doesn’t necessarily cross over to another make or model at this point in time.

However, I believe it is simply a matter of time before the car industry starts implementing standards similar to the computer industry. For example, the computer industry’s ATX form factor standard simplified the assembly process by specifying locations of mounting holes and bus slots. These types of common sense changes could very well see their way into the auto industry as our computer technology becomes more fluid and replicable in all cars. But with a simplified system, comes easier access for a CarShark-like virus to take form.


A Truly Black Friday

After the Thanksgiving holiday, City College of San Francisco discovered their network had been breached. Now what makes this story especially shocking is the hole in the network that caused this breach has been open for over A DECADE. The network was compromised way back in 1999 and was a consistent source of private information for computer criminals in China, Russia and multiple other countries. Private data, including personal banking information, was stolen from “tens of thousands of students, faculty and administrators” at the college over the past 12 years.


AT&T Wi-Fi Woes

In April 2010, CNET wrote an article about AT&T phones automatically connecting to Wi-Fi hotspots named “attwifi” without even bothering with username or password. Apparently the Einsteins at AT&T believe no one but AT&T would possibly name their wireless network “attwifi.”

In today’s day and age, this little goof was found and naturally exploited. A fun little blog entry from May 2011 ran an “attwifi impersonation experiment” with surprising results. AT&T still hadn’t eliminated this loophole and a high percentage of AT&T devices still automatically connected.

Imagine my surprise when a co-worker emailed me this last week, clearly illustrating that the whole “attwifi” issue is still unfixed and still being exploited! A person on the above thread who plays around with the “attwifi” loophole allows users to connect to his fake hotspot; however, he uses a few harmless tools to flip images upside down and/or make them blurry in the hope people notice and start paying attention to what they’re connecting to.

And branching off the concept of altering the look and feel of web pages, check out this video by g0tmi1k of what he can do with Squid scripts. My personal favorite is the ASCII art script.

Angry Birds and Security

December 13, 2011

Filed under: More Knowledge - More Security



There are many exciting projects going on at RJS, so when I started this post I thought I might talk about the new security website we’re building or how we’re expanding our security offerings in 2012. But then I realized it’s December and December blog reading should be fun… so you get a post about improving your security with strategy lessons taken from Angry Birds!

In the world of Angry Birds, we have a small group of birds that are serially preyed upon by a kleptocratic monarchy of green pigs. In this world, the pigs steal the birds’ eggs and hide them in poorly-constructed shelters while the birds fling themselves at the pigs in efforts of destruction. Despite this vicious onslaught perpetrated by the birds, the pigs continue in their egg thievery, thereby allowing for a continuing series of episodes.

Clearly, there is room for improvement in terms of both offense and defense.

The Pigs

Let’s start by analyzing the Pig Empire. Their goal is to obtain eggs. It is implied they are for eating, raising the uncomfortable question as to where the pigs get their bacon. However, they are inefficient. If they were to take a lesson or two from real-life attackers, they would change their operations in the following ways:

1) Preparation

The root of their constant downfall is they expend insufficient effort on shelter construction. Even a cursory inspection of history would indicate a high likelihood of retaliatory avian attack, so it would be wise to prepare. The average shelter is shabbily built and falls to a mere handful of birds. If the pigs focused on quality over quantity, they could invest in sturdier materials and protect far more pigs. Building defenses prior to egg theft would result in a much more successful attack as well.

2) Planning

Another problem facing the pigs is the birds attack using a massive slingshot. I presume this provides additional impact force, but it does introduce a point of weakness. Modern attackers often focus on crippling their target’s ability to retaliate. In other words, if the pigs simply stole the slingshots when they stole the eggs, the birds would be seriously hampered in their efforts to counter-attack.

3) Sacrificial Hierarchy

It appears as though the pigs exist within a hierarchy consisting of a large king pig, a handful of mature leader pigs, some adult pigs and a large number of little pigs (that presumably cry “wee wee wee” all the way home). Malware teams have similar hierarchies, with the people funding development at the top, developers and project leaders below them, marketers below that and finally, those responsible for smuggling the money from your bank account overseas. If the pigs were to learn from this, they would hide their king and leaders in the best shelters possible, well out of reach of the birds, and draw their fire with an array of poorly defended little pigs. This structure allows for organizational continuity favoring the pigs and causes the birds to burn their resources inefficiently.

Common flaw of pig-based construction

A more secure design

The Birds

The birds seem to be structured as a loose confederation. Much in the way business owners band together to discuss and develop shared defenses, birds of more than one feather collaborate to combat the pigs’ designs. Just as there is room for improvement on the part of the pigs, there are areas where the birds could learn from the advice we give our clients as well.

1) Reduce Scope

First of all, the birds face the fundamental problem of constantly losing their eggs. The easiest way to protect against fundamental issues is to narrow the scope. If you’re protecting credit cards or health records, this means identifying the data and centralizing it for better protection. Now, in the case of eggs, there is clearly some risk from putting all one’s eggs in the same basket, but there is no rule that scope has to be limited that far. It could be limited to two or even three baskets. The key is to limit the scope as far as you can and then to boost the defenses around that area.

2) Improved Retaliation

Surprisingly, while the world of Angry Birds has a great many birds, none of them seem to be able to fly. This, as noted earlier, places them at significant risk from the loss of their slingshot. It also means their attacks must all originate from a single point. In the business world, we have several areas from which we can detect and respond to attacks. We detect attacks with technology, forward issues to security teams and law enforcement and, where needed, involve a judicial system. Similarly, an avian attack should be mounted from numerous locations. It should not require a specific bird attack from the East. Any flight-capable bird should be able to respond to attack.

3) Agility

Agile security involves being aware of your environment, your capabilities and your attackers’ capabilities. You can then make defense plans and execute quickly in the case of attack. There are times when the appropriate response is to tighten security, others when one should involve law enforcement and still others where it makes sense to allow the attack and learn as much from it as you can.

In the case of the birds, while they seem to be masters of resource utilization (expending minimum force to achieve their goals), there is still room for improvement. Their technique works because they face an enemy that fails to adapt. If this ever changes though, it would be impossible to regain the eggs and the birds’ continued existence would be at risk. Simply reviewing the Pig Empire defenses and dynamically selecting the number, species and order of attack would allow a significant increase in agility.

Improved Attack Method Adapted To Environment

Conclusion

Perfect security is impossible so there are inevitable flaws on both the part of the birds and the pigs. While today’s birds are able to achieve their goals, if the enemy boosts their capabilities, the birds’ limited structure puts them at serious risk. The problem is that eggs keep getting stolen. If the birds improve their defensive strategy to such a point that egg theft drops significantly, the pigs might find it substantially easier to obtain sustenance from another source… Falldown 3D, perhaps.

Launching attacks is easier than defending against them. An attacker must only succeed once, but a good defender has to be vigilant all the time. A small improvement on the part of the pigs’ attack would place the birds themselves at risk of extinction. So it is essential that the birds improve their defenses and capabilities. With luck, they’ll manage to do this before things reach a point of criticality.

Smash and Grab

November 2, 2011

Filed under: Leigh's Security Tips



We discuss data loss and security on this blog quite often and unfortunately, here is another attack you need to be watching out for…

The Twin Cities have seen a rise in “smash and grab” burglaries recently. Even one of our own employees was an unfortunate recipient and spent $200 replacing the broken car window and (thankfully) empty laptop bag.

Plainly put, smash and grab is a crime of opportunity. The perpetrator scans vehicles for anything appearing valuable, smashes the window and cleans out the car in seconds. Car alarms don’t deter these criminals. Most people don’t pay attention to alarms going off anymore and by the time someone responds to the incessant beeping, the thief is gone with the goods anyway.

Common examples of smash and grab targets are purses, laptop bags, brief cases, backpacks built for holding laptops, cell phones and GPS devices. This type of crime rarely targets in-dash items that require time and effort to extract. Perpetrators are going for items that aren’t tied down and take a second or two to remove.

Unfortunately, this is just the beginning.

The Chicago Tribune reported a multi-state smash and grab gang described as a “large-scale, organized vehicle burglary crew that has operated in as many as seven states.” This crew is especially interested in women’s purses. They target locations where women will often leave their purses in their cars: fitness clubs, parks and day care centers. The gangs smash and grab and then use the stolen checkbooks to write fraudulent checks.

So what can you do?

1) Never leave anything in your vehicle in plain sight. Take the extra time to put valuables in your trunk. The rule of thumb here is “out of sight, out of mind.”

2) Take your valuables with you. It can be a pain to carry a backpack with your laptop or other bulky items to the fitness club (I’ve been doing it for years), but that minor inconvenience outweighs the potential consequences. I’d even suggest buying a second lock so the bag gets its own locker.

3) Park as close to the front of the store/facility as possible. Smash and grabbers like to work on the periphery where they can escape the premises quickly. They certainly won’t be standing around the entrance handing out numbers (“now serving number 35”)!

4) Finally, be conscious of your surroundings. Take a minute to look around and note any people milling about the parking lot. Especially, keep an eye on anyone near you. You might be an easier target of opportunity than your car, if you’re not paying attention.

RJS Security Lunch & Learn – Nov. 9th

October 12, 2011

Filed under: RJS Software



Join us online or at RJS Headquarters for a special security “Lunch & Learn.”

Date: Wednesday, November 9, 2011
Starting Time: 11:00 AM CST
Location: RJS Headquarters – Burnsville, MN

Join us at RJS headquarters in Burnsville for a FREE RJS Security “Lunch & Learn.” This 90-minute event will provide attendees with a view of the current security landscape and best practice solutions to solve today’s hottest security issues.

You’ll learn advanced techniques on how to:
- Protect against data loss resulting from attacks or device theft
- Fight back against the malware tools hackers use to steal your data
- Keep your servers safe against network-based threats
- Safeguard your users from web-based attacks
- Eliminate application-level threats with patch management

Attendees will have a chance to win the new Amazon Fire!

Register for the onsite RJS Security Lunch & Learn.

Can’t join us in Burnsville? Register to view the live webcast.

A “ProServe” approach to security

September 28, 2011

Filed under: Leigh's Security Tips, RJS Software



I’ve just returned from a fun-filled week at Sophos’ North American Headquarters in Boston, Massachusetts. I was there for intensive training on Sophos’ updated Enterprise Console 4.7 and SafeGuard Enterprise 5.6. Our ProServe (Professional Services) instructors had many years of practical on-site experience with the Endpoint and SafeGuard products, so the week-long session was very productive.

During my training, there was one thing that really stood out to me and I’m going to share it with you today… free of charge! Here you go:

The key to successful endpoint protection is stopping malware from gaining a foothold on your systems, and the secret to accomplishing this (direct from the ProServe crew) is to get a handle on your daily system processes, place those processes on an authorized list, and then block everything else that isn’t part of your everyday routine.

This certainly isn’t rocket science, but how many IT departments actually follow this simple concept? Let’s break it down again point-by-point.

1.  Run full-system scans daily for two weeks to catch every program you use.

2.  Examine the list of processes and add the ones you know are safe to the authorized list.

3.  Quarantine anything else that is not part of your authorized list.
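The three steps above amount to a default-deny process allowlist. The following is an added example of how that workflow looks in code; it is not Sophos’ tooling or anything from the ProServe training, and the scan records, image paths and the “approved by the admin” list are all constructed for the illustration. It also covers the one trap a practitioner should watch for in step 3: matching on the full image path rather than the bare file name, so that an unknown program that merely borrows the name of an approved one is still quarantined.

```python
"""Default-deny process allowlist built from a baseline of daily scans.

Added example (not Sophos code). Step 1 collects what ran during the scan
window, step 2 keeps only the observed images a human has marked safe, and
step 3 quarantines everything else. All sample data below is constructed.
"""
from collections import defaultdict

# Constructed sample of daily scan output: (scan day, full image path).
# In practice this would be fed from the endpoint product's scan reports.
BASELINE_SCANS = [
    (1, r"C:\Windows\System32\svchost.exe"),
    (1, r"C:\Windows\explorer.exe"),
    (1, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    (2, r"C:\Windows\System32\svchost.exe"),
    (2, r"C:\Windows\explorer.exe"),
    (2, r"C:\Program Files\Accounting\ledger.exe"),
    (3, r"C:\Windows\System32\svchost.exe"),
    (3, r"C:\Windows\explorer.exe"),
    (3, r"C:\Users\bob\Downloads\coupon_printer.exe"),  # seen once, not routine
]

# Constructed outcome of the step-2 review: the admin vouches for these and
# deliberately leaves the one-off download off the list.
APPROVED_BY_ADMIN = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Microsoft Office\WINWORD.EXE",
    r"C:\Program Files\Accounting\ledger.exe",
]


def normalize(path):
    """Windows paths are case-insensitive; compare on one canonical form."""
    return path.replace("/", "\\").lower()


def collect_baseline(scans):
    """Step 1: number of distinct scan days on which each image was seen."""
    days_seen = defaultdict(set)
    for day, path in scans:
        days_seen[normalize(path)].add(day)
    return {path: len(days) for path, days in days_seen.items()}


def review_candidates(observations):
    """Helper for step 2: most routine images first, so the reviewer can
    spot one-off programs (seen on a single day) at the bottom."""
    return sorted(observations.items(), key=lambda kv: (-kv[1], kv[0]))


def build_allowlist(observations, approved):
    """Step 2: only images that were both observed and explicitly approved
    make the list; approval of something never seen is ignored."""
    approved_set = {normalize(p) for p in approved}
    return {path for path in observations if path in approved_set}


def classify(path, allowlist):
    """Step 3: default deny. The match is on the full normalized path, so
    a binary with an approved *name* in an unexpected directory is still
    quarantined."""
    return "allow" if normalize(path) in allowlist else "quarantine"


def audit(events, allowlist):
    """Apply the policy to a batch of observed process launches."""
    return [(path, classify(path, allowlist)) for path in events]


if __name__ == "__main__":
    observations = collect_baseline(BASELINE_SCANS)
    for path, days in review_candidates(observations):
        print(f"{days} day(s): {path}")
    allowlist = build_allowlist(observations, APPROVED_BY_ADMIN)
    # Constructed post-deployment launches, including a look-alike svchost.
    launches = [
        r"C:\WINDOWS\system32\SVCHOST.EXE",
        r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
        r"C:\Program Files\Accounting\LEDGER.EXE",
        r"C:\Users\bob\Downloads\coupon_printer.exe",
    ]
    for path, verdict in audit(launches, allowlist):
        print(f"{verdict:10} {path}")
```

The two-week window in the post matters for the same reason `review_candidates` sorts by days seen: a program that appears on only one day is exactly the kind of thing that should not be approved without a second look.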

This plan should help you catch any intrusion, hacker or rogue program attempting to gain access within your company walls. But what about when your information goes mobile?

For laptops containing confidential material, encryption is mandatory. However, security policies placed on your employees are not. When you add the human element to what you think is an iron-clad security solution, your security scheme may sometimes fail despite your best intentions.

Take for instance Fairview Health Services in Minnesota. For the second time in a year, information safeguards have failed and a data breach has occurred. Josh blogged about the first breach back in April when 1,200 medical files went missing after a recent move. Now we hear of a consultant’s stolen laptop jeopardizing 16,800 patient records. It is a tricky balancing act to encrypt critical business information, yet not burden end-users with hard-to-access data. But all companies, and certainly healthcare providers, need to take precautions very seriously. No amount of free credit report subscriptions to jaded customers will alter the public’s perception of your carelessness with their most sacred possession – their identity.

For USBs and removable storage devices, do you enforce full encryption at the volume or file level? Personally, I recommend file level encryption on USB devices. Keep in mind, this is about your end users being productive yet keeping the sensitive data on the portable device protected if it somehow ends up in the wrong hands.

Do you want your CEO to plug in his iPod and have music files fully-encrypted? Should your corporate policies require high security settings, we can render all removable devices “read only” unless they are encrypted. This allows the CEO to plug in his iPod and listen to music without the device being encrypted, yet still non-writable with the correct policies.

Part of the ProServe routine is to spend quality time with the customer discussing policies and their implications. When first examining new security provisions, it’s not unusual for customers to want an extreme totalitarian policy in place that goes beyond meeting the state and federal compliance guidelines. Once implications and possible outcomes are explained, however, organizations usually settle on something that is much more reasonable for end users, while still meeting compliance. User policies are what drive your security product to perform as advertised, and ProServe, through years of on-site experience, has perfected it to a science.

If you’re interested in learning more about our ProServe approach to security, or want guidance creating effective policies driven on productivity and information security, give us a buzz. We can help you eliminate the dreaded Fairview Health Services situation… again.

Just when you thought it was safe to go in the water

September 19, 2011

Filed under: Leigh's Security Tips, RJS Software



This past spring I decided to break away from the world of security, take my family to Wisconsin Dells and retain my title as “world’s best dad.” Okay, that might be a self-proclaimed title but if my kids want to go to theme parks they have to keep feeding my ego!  Nevertheless, we had a fantastic time at Wilderness Resort where they have several water parks with many cool slides, restaurants and even a gigantic wave pool. Of course kids being kids, they also found the time to spend countless hours playing video games. Being on vacation, I didn’t think twice about sliding my credit card into the arcade machines in exchange for several hours of fun outside of the pool.

Flash forward several months and I’m reading one of my favorite blogs, Naked Security with Graham Cluley of Sophos. I come across yet another story of a security breach, but this one involves a chain of water parks where as many as 40,000 credit card records were exposed to an unauthorized party.  Nothing new right? In my line of work I see this type of story just about every day – company collects data, company doesn’t take proper security measures, company exposes data and then company’s name is splattered all over the news in an extremely negative light.

When reading these stories, however, you never really think of the breach affecting you personally, right? So imagine my surprise upon learning the security breached water park was none other than Wilderness Resort where I had worked so hard to retain my “best dad” title!  Even worse, it was specifically affecting those who used their credit cards for arcade games. Needless to say, I have since grounded my children until age 18 for exposing my credit card data to “unauthorized individuals.” I’m obviously kidding but in all seriousness, I find it amazing that despite the numerous regulations, industry requirements and affordable security tools available to organizations, they still expose themselves and most importantly their customers (including me) to threats like these.

If you are an IT manager or business owner, please do us all a favor and protect your company and customers with a data protection solution!

If you’d like to read more about this particular story and many other security related posts, I once again encourage you to check out the Naked Security blog. For other valuable security related tools and information, visit the RJS Security page.

Today’s guest post is by our Data Security Account Executive, Adam Johnson.

Mac OS X getting punished by malware

May 10, 2011

Filed under: Leigh's Security Tips



I read several reports last week of a new variant of FakeAV aimed at Mac OS X. The FakeAV disguises itself as the product “MacDefender” and is a classic example of the hostageware we know and love. It’s making the rounds on the web via search engine optimization (SEO) poisoning. When people click on the false links, they are presented with a FakeAV popup claiming their computer is infected. Naturally, the only way to fight off the “infection” is to break out your credit card and purchase MacDefender to remove the malware it has found.  


Once again targeting Mac OS X, a new form of malware was recently identified by CSIS, a Danish security company. This first of its kind “Crimeware Kit” has been released under the name “Weyland-Yutani BOT” and produces malware based upon the Zeus and SpyEye form-grabbing banking Trojans. The Crimeware kit uses a web-inject template to generate URLs for SEO poisoning that lead to the above MacDefender FakeAV installation. This partially-redacted video on YouTube shows the form-grabber in action, demonstrating how the malware grabs user credentials from browser sessions. CSIS states that the malware currently runs under Firefox only, but the authors will certainly have versions for Safari and Chrome soon as well.

An update on Sony:

Much like HB Gary Federal, Sony didn’t bother to update their web server… ever. According to congressional testimony, Sony used an unpatched Apache web server with no firewall. What’s worse is this issue was brought to Sony’s attention by an employee several months ago and apparently nothing was done to remedy the situation, which is truly inexcusable.

The Sony PSN data breach timeline

May 3, 2011

Filed under: Leigh's Security Tips



April 22nd
Sony’s PlayStation Network (PSN) goes offline without warning. Days go by and 77 million Sony PSN customers are completely in the dark. The internet explodes with wild speculation as to what is going on.

April 26th
Sony posts in their blog that the service outage is an intentional response to a severe data breach affecting all 77 million PSN users. Sony posts contact information for Experian, Equifax and TransUnion and urges PSN users to monitor their credit reports and to be wary of email, telephone and postal scams.

April 27th
Sony updates their blog with further details regarding the breach. They specifically note that all names, birthdates, passwords, addresses and challenge questions used to reset passwords were stored in an UNENCRYPTED database. This database was protected by a “very sophisticated security system,” yet apparently not sophisticated enough in that it was UNENCRYPTED and accessed by a third party. 

They also assert that credit card information was stored in a separate encrypted database, yet no details as to the encryption method are given. Sony warns that despite the fact the payment information was encrypted, a possibility exists it may have been compromised, as well. This leads users to believe that Sony’s encryption was a similarly “very sophisticated security system,” and they are assuming the worst.

May 1st
Sony publicly apologizes and admits that 10 million customers may have had their credit card details exposed.

Sony does pass on a bit of good news. Passwords within the compromised files were hashed. 

May 2nd
Sony takes down their other service offerings and admits the intrusion was deeper than they first thought and appears to have also affected the Sony Online Entertainment portal.

May 3rd
Sony announces in a press release that in addition to the 77 million records lost on PSN, another 24.6 million records were stolen from their Sony Online Entertainment division, bringing the grand total to 101.6 million customer records. Sony outlined the details of what the stolen records contained: name, address, email address, birthdate, gender, phone number, login name and hashed password. They also stated that 10,700 direct debit records for Sony customers from Austria, Germany, the Netherlands and Spain had their bank account numbers, customer name, account name and customer address stolen.


So if you are a Sony customer, what should you do?

1)  Contact your credit card company and tell them you suspect your card has been stolen. They will shut off your credit card and issue you a new one with a different number on it.

2)  Watch your email closely for scam messages asking you to verify account and payment information. Sony has posted in their blog that they will never ask for credit card details. An email doing so is most likely a phishing scheme.

3)  Change your password and password reset challenge questions for other online services you use that employ the same password and questions as your PSN account.

4)  Keep a close eye on your credit report. The encrypted data that was stolen from PSN has enough information to open a credit card in your name.

Final Thoughts
The loss of 45.6 million records cost TJ Maxx a record $1.7 billion in legal costs, not including revenue from customers who vowed to never shop there again. Sony has just broken the world record for the largest data breach in history with 101.6 million records. I wonder what this will cost Sony when the smoke clears?
