Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


May 30, 2007
Phishing Targets High Level Executives

In a new wave of phishing attacks, companies have been receiving spam disguised to look like it’s coming from the Better Business Bureau. According to eWeek, for the scam to work, the user must click on the link embedded in the email (which we all know better not to do, right?).

Once activated, the Trojan steals all data the victim's browser submits to other sites, including data sent to SSL (Secure Sockets Layer) Web sites. This is possible because the BHO, or browser helper object, runs inside the browser process and reads form data before it is encrypted, so SSL never gets a chance to protect it. Only Internet Explorer loads BHOs, so this particular Trojan does not affect other browsers; the underlying technique, hooking the browser from inside the same user session, is not IE-specific.

Experts have speculated that the attack succeeded because it was used selectively. Had it been spammed to the masses, spam filters would have picked it up more readily, and it would have attracted press coverage that made more people aware of it.

SecureWorks, a managed security services provider based in Atlanta, uncovered a cache of stolen data from the scam that included bank and credit card numbers from 1,400 high-level executives. "Getting data from SSL streams is not all that new, actually—I hope people aren't under the impression that SSL encryption has been protecting them from malware stealing their data—SSL only provides privacy for the traffic out on the network," Joe Stewart, a senior analyst at SecureWorks, said. "Once someone manages to get their malware onto your system, they can pretty much see any data you are working with if they want to badly enough."

Tag: Phishing, BBB, Better Business Bureau, SSL

Posted by pschooff in Phishing | Permalink | Comments (0) | TrackBacks (0)

May 24, 2007
Cost of Data Protection vs. Cost of Data Breach

According to Infoweek, the Payment Card Industry (PCI) standard, and the severe fines levied against companies that fail to comply with it, has become one of the primary motivations for companies to protect their data. And if that's not convincing enough, the seemingly unending bad publicity and ever-mounting costs of the TJX data breach should be more than enough.

"TJX is the new poster child for why PCI compliance is essential," says George Peabody, director of the emerging technologies advisory service at Mercator Advisory Group, which specializes in research and consulting for the payments industry.

Large payment processing firms, such as Intuition Systems, are trying to get the jump on the PCI requirement taking effect in 2008 (requirement 6.6 of the PCI Data Security Standard), which calls for public-facing Web applications either to undergo code review or to sit behind an application-layer firewall. Where a network firewall decides on addresses and ports and never sees the request itself, an application firewall inspects the HTTP requests coming into a Web application and can block the malicious ones.
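As an added illustration (not from the Infoweek story, and not Imperva's or Intuition's code), the following Python shows the difference in what the two kinds of firewall can decide on: a network filter sees only ports and addresses, while an application-layer filter decodes the request and can match on its contents. The signature set, sample requests and the assumption that everything arrives on tcp/443 are constructed for the example and deliberately small.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit


def network_firewall(dst_port: int) -> str:
    """A network firewall decides on addresses and ports. Permit inbound
    HTTP/HTTPS to the Web tier, deny everything else; it never sees the
    request line, query string or body, so an attack riding on an allowed
    port looks exactly like a customer."""
    return "allow" if dst_port in (80, 443) else "deny"


# Deliberately tiny signature set (assumption: illustrative only). Production
# rule sets are far larger and normalise input (decoding, case folding,
# comment stripping) before matching, because attackers encode around them.
SIGNATURES = {
    "sqli": re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon(error|load|mouseover)\s*=)"),
    "traversal": re.compile(r"\.\./"),
}


def application_firewall(url: str, body: str = "") -> dict:
    """An application-layer firewall decodes the path, query and form body
    and matches every field against the signatures. Returns the verdict plus
    the rule and field that fired, which is what an analyst wants logged."""
    parts = urlsplit(url)
    fields = [("path", unquote(parts.path))]
    fields += [("query:" + k, v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += [("body:" + k, v)
               for k, v in parse_qsl(body, keep_blank_values=True)]
    for where, value in fields:
        for rule, rx in SIGNATURES.items():
            if rx.search(value):
                return {"verdict": "block", "rule": rule, "field": where}
    return {"verdict": "allow", "rule": None, "field": None}


# Constructed sample requests; assume all arrive on tcp/443.
SAMPLE_REQUESTS = [
    ("/login", "user=alice&pw=hunter2"),                       # legitimate
    ("/login", "user=admin'+OR+'1'%3D'1&pw=x"),                # SQL injection
    ("/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),     # reflected XSS
    ("/static/..%2F..%2Fetc%2Fpasswd", ""),                    # path traversal
]


def compare() -> list:
    """Run both filters over the samples and pair up the verdicts."""
    return [(network_firewall(443), application_firewall(url, body)["verdict"])
            for url, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (url, body), (net, app) in zip(SAMPLE_REQUESTS, compare()):
        print(f"network={net:5} application={app:5} {url} {body}")
```

The point of the comparison is the second column: all four requests ride on the same allowed port, so only the layer that decodes the request can tell them apart. The flip side, and the reason PCI 6.6 offers code review as the alternative, is that pattern matching is only as good as its normalisation; an attacker who encodes or fragments the payload differently can slip past a rule set like this one, so an application firewall is a compensating control, not a substitute for fixing the application.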

Intuition, which uses Imperva's SecureSphere Web application firewall, has reportedly spent $250,000 on the hardware and software needed to achieve PCI compliance, not counting the labor costs of implementing the technology. TJX's data breach was primarily the result of not being PCI compliant, and as I blogged recently, its first-quarter earnings included a $12 million charge for the breach, a number that is expected to escalate (some have said into the billions).

But even as it stands, $250,000 give or take versus $12 million and climbing, plus all the negative publicity, it just doesn't add up to stay PCI noncompliant.

Have a great Memorial Day weekend, all.

Tag: TJX, PCI Compliance, Data Breach

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

May 18, 2007
Podcast: Security as a Service, An Idea Whose Time Has Come: A Discussion With Alert Logic

The full podcast runs 7:07.

Below is a summary of my discussion with Chris Smith, Vice President of Marketing with Alert Logic. Chris and I discuss the current state of security, Alert Logic’s Security as a Service -- how it works, who it works best for, and how it would work against the Storm Worm -- and we also delve into compliance, and how Alert Logic is equipped to deal with the newest attack vectors expected with Web 2.0.

How do you see the current state of security?

Well, we focus on security for mid-market companies. So we think the state of security of mid-market companies is not what it needs to be. And we think the problem that mid-market companies face is that they have been able to deploy fairly simple, straight-forward security technologies like firewalls and antivirus but they have not been able to deploy more sophisticated and complex network security technologies that they require to be safer to keep their networks appropriately safe. And what we do as a company is we put that type of sophisticated security technology within the reach of a mid-market buyer, whereas before, it's been out of their reach.

That leads directly to my next question: I find it very interesting that Alert Logic is the first company to offer Software as a Service in terms of security. Can you give me an overview of your solution?

Well, the solution that we offer is a network security solution. And we do leverage the Software as a Service model. And the reason we leverage the Software as a Service model is because it makes it simpler to deploy, configure and maintain the solution. So, as a result of that, it makes it easier for mid-market companies to deploy a model like this, which is a very sophisticated, complex, network security technology. So we actually host in our data center most of the components of the application. Our philosophical approach to building security applications is that we take as many of the moving parts of the application as we possibly can and we host them in our data center. So they don't have to reside at the customer's premise, so it's one more piece that the customer doesn't have to configure and deploy and maintain. So that's the Software as a Service approach. It's a hosted approach and it minimizes the footprint of our solution at our customer sites. So it just makes it easier to deploy and care and feed for.

What type of company is your ideal customer?

So, like I said before, we do cater to mid-market companies and midsize companies and we have a pretty broad definition of what a mid-market company is. Our definition is anywhere between 500 and 10,000 employees. So it's a pretty broad section of the middle market. And these are companies that in the past haven't had significant resources for security. Haven't had big security staffs. Haven't had big security -- IT security -- budgets. And so they haven't been able to deploy the right types of technology.

I think it was the FBI/CSI study that's done every year. And it's a survey on the state of information security. And I think it said that half of all companies in that size range experienced some type of serious security breach last year in 2006. So these companies are not sufficiently protected. And we're helping solve that problem.

At the beginning of the year, the Storm Worm, which was an email warning about deaths from a bad storm, infected many users who opened the email's attachment. How would Alert Logic protect against something like the Storm Worm?

Well, the Storm Worm was interesting. The initial infection vector for the Storm Worm, like you said, was email. So we're not an email security solution per se, so we would not block the initial entry or the initial vector of the Storm Worm getting into somebody's in-box. We would not block that. Now what we would block is after infection, the Storm Worm was one of these worms, and we are seeing a lot more of these days, that would actually infect the host computer and it would phone home, and it would open up a communication channel back to a central spot, where the bad guys are, so to speak. And it would act as a botnet. A botnet is simply a piece of code that sits on the host system that's infected and responds to remote commands -- and a lot of people call those spam zombies, because a lot of what they're used for is sending spam.

So that's a remotely controlled system, remotely controlled by a bad guy. We actually can detect that remote control activity. So we don't block the initial infection of the email coming in that has the attachment, but once that zombie phones home and waits for instructions, and starts receiving instructions, we pick up that communication and we can shut it down. So not the initial infection. But we can shut down as soon as the botnet wakes up and starts doing bad things.

I read on your web site that you provide companies with immediate compliance. What compliance laws do companies have to be concerned with?

Well, there's a myriad of compliance, both government regulations and also industry regulations that companies of all shapes and sizes have to comply with. But the list is too long to cover. But the two that we see the most are Sarbanes-Oxley and PCI DSS, which is the payment card industry standard. It's an industry regulation that governs information security practices at companies that do credit card transaction processing. We see PCI a lot. We see Sarbanes-Oxley a lot. Now the one we see the most is PCI. And PCI is one of the few regulations that specifically mandates information technology and security specifically. So PCI actually calls for technology that can detect malicious intruders on your network, which we offer. And also requires technology that scans networks continuously for vulnerabilities that can be exploited by malicious intruders. So looking for vulnerabilities and also detecting intruders. Those two types of technologies are specifically called for by PCI and that's one that we see the most because we offer that type of technology. So that's perfect for us!

Many believe most of the threats in the future are going to be with Web 2.0. How is Alert Logic equipped to deal with these types of threats?

Well, our approach to Web 2.0 type threats is the same approach that we've been using for five years now. And that is, we sit on the network. We scan for vulnerabilities and help you fix those vulnerabilities to make sure that the bad guys can't get in. And then we also scan for malicious intruders on your network in real time, so we can spot the bad guys in real time. Now, Web 2.0 -- it's another potential threat, these are new applications, new web technologies, that represent new vulnerabilities for bad guys to exploit. So it's just more of the same for us. We will continue to scan for vulnerabilities including Web 2.0 based vulnerabilities, continue detecting the bad guys, intruders on your network, like we always have. So this for us is just more of the same. This doesn't really change the complexion of detecting threats and vulnerabilities for us. It's just a continuation of a theme that we've been on for five years.
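The "phone home" detection Chris describes in the Storm Worm answer above lends itself to a simple heuristic. Below is an added Python example, not Alert Logic's code and not part of the podcast, that looks for the regular, low-volume outbound connections a remote-controlled host makes to a fixed rendezvous point. The connection log, the internal address ranges and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log: "<iso timestamp> <src ip> <dst ip>:<dst port> <bytes>".
# 10.0.4.17 contacts 203.0.113.9 about once a minute (constructed C2 traffic);
# 10.0.4.22 browses 198.51.100.40 at irregular human intervals.
SAMPLE_LOG = """\
2007-05-18T09:00:03 10.0.4.17 203.0.113.9:6667 412
2007-05-18T09:00:10 10.0.4.22 198.51.100.40:80 18922
2007-05-18T09:00:11 10.0.4.22 198.51.100.40:80 7310
2007-05-18T09:00:30 10.0.4.17 10.0.0.5:445 9000
2007-05-18T09:01:02 10.0.4.17 203.0.113.9:6667 398
2007-05-18T09:01:30 10.0.4.17 10.0.0.5:445 9000
2007-05-18T09:02:04 10.0.4.17 203.0.113.9:6667 405
2007-05-18T09:02:30 10.0.4.17 10.0.0.5:445 9000
2007-05-18T09:02:45 10.0.4.22 198.51.100.40:80 22140
2007-05-18T09:03:03 10.0.4.17 203.0.113.9:6667 401
2007-05-18T09:03:30 10.0.4.17 10.0.0.5:445 9000
2007-05-18T09:04:02 10.0.4.17 203.0.113.9:6667 417
2007-05-18T09:04:30 10.0.4.17 10.0.0.5:445 9000
2007-05-18T09:05:03 10.0.4.17 203.0.113.9:6667 390
2007-05-18T09:05:30 10.0.4.17 10.0.0.5:445 9000
2007-05-18T09:07:30 10.0.4.22 198.51.100.40:80 15002
2007-05-18T09:07:31 10.0.4.22 198.51.100.40:80 6600
2007-05-18T09:08:00 10.0.4.22 203.0.113.77:443 2200
2007-05-18T09:08:05 10.0.4.22 203.0.113.77:443 2300
"""

# Assumption: these are the organisation's own address ranges. Listed
# explicitly rather than via ip_address().is_private so the check reflects
# this network, not the library's notion of reserved space.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Yield (timestamp, src, dst, port, bytes) per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        host, port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, host, int(port), int(nbytes)


def find_beacons(text: str, min_conns: int = 5, max_cv: float = 0.25) -> list:
    """Group outbound connections by (src, dst, port) and flag flows whose
    inter-connection gaps are regular: coefficient of variation (stdev/mean)
    at or below max_cv across at least min_conns connections."""
    by_flow = defaultdict(list)
    for ts, src, dst, port, nbytes in parse_log(text):
        if is_internal(dst):
            continue  # only traffic leaving the network is of interest here
        by_flow[(src, dst, port)].append((ts, nbytes))

    findings = []
    for (src, dst, port), events in by_flow.items():
        if len(events) < min_conns:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(events),
                             "mean_interval_s": round(avg, 1),
                             "cv": round(cv, 3),
                             "mean_bytes": round(mean(n for _, n in events))})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Only 10.0.4.17's once-a-minute contact with 203.0.113.9 is reported; the browsing session to 198.51.100.40 has far too irregular a rhythm, the two hits on 203.0.113.77 are below the minimum count, and the SMB traffic to 10.0.0.5 is internal and skipped. Two caveats a practitioner would add: bots that randomise their beacon interval defeat a plain coefficient-of-variation test, and bots that rendezvous over a peer-to-peer overlay rather than a single server (as the Storm Worm itself did) show up as many short-lived connections to many external peers, which calls for a fan-out heuristic rather than this one.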

Tag: Security as a Service, Storm Worm, Sarbanes Oxley, PCI DSS, Compliance, botnet, Mid-Market Security

Posted by pschooff in Podcast | Permalink | Comments (0) | TrackBacks (0)

May 16, 2007
Cost of TJX Data Breach to Date

This past Tuesday, TJX, the Framingham, Mass.-based retail behemoth, reported its earnings and, according to the filing, took a $12 million charge tied to the breach, which exposed 45.7 million credit and debit card holders to identity theft. To date the massive breach has cost TJX $25 million.

TJX's net income for the quarter was $162.1 million, compared with $163.8 million for the same quarter last year, which represents a 1% drop in earnings. The company missed Wall Street estimates by a penny.

The breach was the result of bad guys exploiting gaps in the Wi-Fi system outside a Minnesota Marshalls store (widely reported to have been protected only by WEP encryption). TJX said the $12 million cost for the quarter was to "investigate and contain the intrusion, enhance computer security and systems, and communicate with customers, as well as technical, legal, and other fees."

The cost of the breach to TJX is not expected to stop there (read my recent blog that predicts expenses to reach into the billions). Three New England banking associations and several individual banks are currently suing TJX for the cost of replacing compromised cards and covering fraudulent charges. They argue that TJX failed to adequately protect consumer data, and therefore should be held liable.

The company came clean about the breach in an SEC filing in March, and besides the 45.7 million card holders who were compromised, they also acknowledged that another 455,000 customers who returned merchandise without receipts also forfeited their driver's license numbers and other information to the thieves.

Tag: TJX, data+breach, Marshalls, Wi-Fi

Posted by pschooff in | Permalink | Comments (1) | TrackBacks (0)

May 14, 2007
Disturbing New Microsoft Patch Attack

Brian Krebs's recent post at Security Fix details how cyber-thieves have found a way to ride on Microsoft's own patch-delivery plumbing so that their malware's downloads slip right past personal firewalls and onto your computer.

Last week security researcher Frank Boldewin published a paper on an attack he had observed in March, delivered by an e-mail from Germany. The attached file was a Trojan horse program designed to download other malicious programs. Rather than fetching them itself, it handed the downloads to BITS, the Background Intelligent Transfer Service, the same Windows component that the automatic updating feature uses to pull down patches.

BITS is also designed to resume an incomplete download if the transfer is interrupted for any reason. As Krebs says, the real danger is that the firewall will not flag the outgoing connection when the malware fetches its second stage: the connection is opened by the trusted BITS service, not by the Trojan, so a personal firewall that prompts per application sees nothing unusual.

And while Krebs found in testing that the exploit easily bypassed ZoneAlarm Free, it was unsuccessful against a Windows XP system running under a limited user account. To read more, go here.
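A defender's counterpart to the attack Krebs describes is to enumerate BITS jobs and look for ones that do not belong to an updater. The Python below is an added example, not from Krebs's post or Boldewin's paper; it triages job records of the kind you would collect with bitsadmin /list /allusers /verbose (or Get-BitsTransfer -AllUsers on later Windows versions). The job records, the allow-list of update hosts and the user-writable path markers are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts an update job on this network may pull from
# (Microsoft's update CDN plus the organisation's own WSUS server).
ALLOWED_HOST_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "download.microsoft.com",
    "wsus.corp.example",
)

# Path fragments that mark locations a limited user can write to (assumption,
# Windows XP and later naming; extend for your environment).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\")

PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl")


def host_allowed(host: str) -> bool:
    """Exact or dot-suffix match only, so that 'evil-windowsupdate.com' and
    'windowsupdate.com.example.net' do not pass as Microsoft hosts."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def triage_bits_job(job: dict) -> list:
    """Return the reasons a BITS job looks suspicious; an empty list is clean."""
    reasons = []
    host = urlsplit(job["RemoteName"]).hostname or ""
    local = job["LocalName"].lower()
    if not host_allowed(host):
        reasons.append(f"remote host not on update allow-list: {host}")
    if any(marker in local for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"destination is user-writable: {job['LocalName']}")
    if local.endswith(PAYLOAD_EXTENSIONS) and not host_allowed(host):
        reasons.append("executable fetched from a non-update host")
    if (job["DisplayName"].lower().startswith("windows update")
            and job["OwnerAccount"].upper() != "NT AUTHORITY\\SYSTEM"):
        reasons.append(f"update-named job owned by {job['OwnerAccount']}")
    return reasons


def triage_all(jobs: list) -> dict:
    """Map JobId to its reasons for every job that raised at least one."""
    flagged = {}
    for job in jobs:
        reasons = triage_bits_job(job)
        if reasons:
            flagged[job["JobId"]] = reasons
    return flagged


# Constructed job records (one file per job) using the field names that
# bitsadmin and Get-BitsTransfer report; real jobs can carry several files.
SAMPLE_JOBS = [
    {"JobId": "job-1", "DisplayName": "Windows Update",
     "OwnerAccount": "NT AUTHORITY\\SYSTEM",
     "RemoteName": "http://download.windowsupdate.com/msdownload/update/kb123456.cab",
     "LocalName": "C:\\WINDOWS\\SoftwareDistribution\\Download\\kb123456.cab"},
    {"JobId": "job-2", "DisplayName": "WSUS",
     "OwnerAccount": "NT AUTHORITY\\SYSTEM",
     "RemoteName": "http://wsus.corp.example/Content/1A/kb654321.cab",
     "LocalName": "C:\\WINDOWS\\SoftwareDistribution\\Download\\kb654321.cab"},
    {"JobId": "job-3", "DisplayName": "update",
     "OwnerAccount": "WORKSTATION\\jdoe",
     "RemoteName": "http://203.0.113.9/dl/loader.exe",
     "LocalName": "C:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\svchost.exe"},
    {"JobId": "job-4", "DisplayName": "Windows Update",
     "OwnerAccount": "WORKSTATION\\jdoe",
     "RemoteName": "http://windowsupdate.com.example.net/x/update.exe",
     "LocalName": "C:\\WINDOWS\\Temp\\update.exe"},
]


if __name__ == "__main__":
    for job_id, reasons in triage_all(SAMPLE_JOBS).items():
        print(job_id)
        for reason in reasons:
            print("   ", reason)
```

Two details matter for the allow-list check. Matching on a dot-separated suffix rather than a plain substring is what keeps windowsupdate.com.example.net from passing as a Microsoft host, and a destination under a user's profile or a Temp directory is a stronger signal than the job's display name, which the malware gets to choose.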

Tag: Microsoft Patch, BITS, Malware, Trojan Horse

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

May 09, 2007
Podcast: Most Computer Users Have a False Sense of Security - A Discussion with Panda Software

The full podcast runs 8:56.

What follows is a summary of my discussion with Ruben Dias, the President of Panda Software Canada, where we discuss the current state of security, why malware has flourished in the face of so many security solutions, steps people can take to use the internet more safely, Panda's security solution, the launch of Panda’s new website, Infectedornot.com, and finally, what threats to expect in the future.

Can you give me a quick overview about the current state of Internet security?

The current era is very strange because currently the users feel secure. And actually, the truth is that we are living in a period in which security is under major threat. Because some years ago, people felt that they were threatened by viruses, and they were correct. And those viruses were widespread. But now the vulnerabilities and the threats are very different. So the sensation is that people are secure, although they are not secure anymore, because the types of threats and vulnerabilities are completely different. So I would say that it's a very peculiar era that we are living in, in terms of security right now. The truth is that people are not secure anymore.

How have hackers changed their strategies to become so successful?

Well, it has everything to do with motivation, you know. Because what motivated those people that were hacking some years ago, we all know that they wanted to be famous. They wanted to, you know, just gain attention. And the type of virus that they were producing was exactly to have that effect. They wanted people to look at them as being great programmers or great hackers. But now, the motivation is completely different. We have seen the motivation being purely money. So it's a financial issue right now. There's crime, there's financial crime involved in computer security nowadays. So the motivation is what has changed, and actually the behavior of the hacker.

On your web site it says that Panda Labs detected more malware in 2006 than in the previous 15 years combined. At the same time, security solutions have also proliferated. Could you tell me why most security products fail, then, to protect their users?

The answer is related to the motivation behind the hacker right now. You know, the amount of new threats that appear daily is tremendous. I'll tell you one thing. There is no security company nowadays that can cope with the quantity of viruses or threats that are being put out every day. It has everything to do with the variations that the hackers come out with. Because what they actually want to do is to take control of your PC somehow and to steal information. So that's the motivation: what they want is to hide themselves, and to hide themselves they don't find any better way to do it than to come up with a lot of variations.

So a lot of different type of codes, similar codes but a lot of different ones. Let's say 100, 200. So there's no security company that can cope with the quantity that is brought up everyday. So this old approach of handling these new threats no longer works. We need a new approach to confront this new threat.

What are some of the key steps people need to take to use the Internet safely?

They are quite simple. The steps that people can take, most of them are related to avoiding social engineering. Because social engineering has to do with someone taking advantage of you in some way. So you should be very aware of these tactics. If you get something very attractive, you should be suspicious. So in your behavior towards very attractive invitations, you should be suspicious of them. That's the first part.

And also, you shouldn't be using your PC every day as an Admin. You shouldn't give Admin rights to your PC when you use it every day. That's a common-sense way of protecting yourself. And obviously having a good security solution, updated. But not only updated! Make sure that you have proactive technology that can do behavior analysis. Because as we have seen, signature-based protection no longer works. So you need something else. You need behavior analysis, as a type of social intelligence, to avoid these overwhelming threats that appear every day.

So how does Panda help with Internet security?

We were the first company to come out with a proactive technology back in 2004. Nowadays, there are several other solutions. They have some type of integration of proactive technologies. We have come up with something called collective intelligence. What collective intelligence is, is mainly three parts. First, we have an automatic system to collect what is good behavior and bad behavior through the usage of our solutions. Then we have an automatic process through a server, a server infrastructure that we have built up artificial intelligence to automatically categorize and classify. And the third part is to make it available to our users. So all this, we call it collective intelligence and it's an automatic process. We can no longer depend on people looking at the code and coming up with the solution. So that's why we have already three years of actually doing this and we are becoming more and more efficient.

I heard you mention collective intelligence. Is that related to your, I think, relatively new web site, www.infectedornot.com, which Panda has started?

Exactly. You know, Infectedornot is a way that we also give to the community to participate in this process. It has everything to do with the Web 2.0 that everyone is talking about. We want to be collective and collaborate on this security issue also. So the way we are seeing things, if we have this tool that people will use and people will verify, am I protected or not? Am I infected or not? Then in that case, they are probably going to have a surprise. The truth is that our figures right now, we are still in a pre-launch stage, and our figures right now are that the consumer base is over 50% infected, even with security solutions installed. And in the corporate area we have Malware Radar, which is a similar tool but for a corporate environment, and what it does is actually scan the whole infrastructure to verify whether the infrastructure is protected or not. So these tools are a way of us making it freely available to the community to participate in this collective intelligence.

What threats do you see coming in the future, and how should we prepare for them.

You know, we don't have that magic ball, that crystal ball, but we can see some trends. And the trends are clearly what we started with in this conversation: the trends are motivated by money. So money will continue to be the motivation of the hacker. We will see more and more of the social engineering techniques, so that's why we should clearly identify and avoid them. So these two areas: being motivated by money and being very oriented towards hiding themselves, you know. Some years ago, again, people were trying to make themselves popular through viruses. Now they want to hide themselves. So we will see more and more spread-out and specific epidemics originate, let's say, but not generalized ones. We have a lot of them, and this makes the situation very threatening.

Tag: malware, Computer Security, hackers, botnet, collective intelligence, Web 2.0, Social Engineering, spambots, computer virus,

Posted by pschooff in Podcast | Permalink | Comments (0) | TrackBacks (0)


One Way to Fight Identity Theft

Found an interesting post on one way to fight identity theft at Brian Krebs's Security Fix. Apparently, a resident of Delaware won passage of a law that allows consumers in that state to "freeze" their credit reports in order to stop identity thieves from establishing new lines of credit.

And while a freeze can be effective in stopping criminals from opening new accounts, it does nothing to stop thieves from using accounts they have already plundered. What I found most disturbing, though, is that the credit bureaus put up a tough fight to block these laws, which now exist in 33 states and the District of Columbia.

For more info, Consumers Union provides a complete list of each state's law and explains how to block access to your credit, just in case.

Tag: Identity Theft, Credit Report

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

May 07, 2007
Voicemail Don'ts

Found an interesting blog over at Security Monkey which, while it might seem a little off topic for computer security, still carries a valuable lesson. Going through his to-do list, the Chief, as the Security Monkey likes to be called, telephoned a CSO and got the following message:

"Hi, you've reached Joe Blow, Chief Security Officer of Company, Inc. I'm going to be out of the office on vacation from (date) to (date) and unable to check my voice mail or e-mail. Please leave a message, or you can dial '0' and talk to my administrative assistant. Thanks!"

What is wrong with this message? The CSO gave his name, title and company name, and said exactly how long he would be away, which is ideal information for a scammer. What follow are a couple of scenarios in which someone might use that information for no good.

First, someone impersonating the CSO could call the help desk number, say he's on vacation and cannot remember his access, or say his access isn't working, and ask to reset it. As far fetched as this may sound, this trick is often very effective.

Second, a crude but effective brute-force attack can start hammering the Web portal, e-mail account and other remote-access systems with password guesses. If the CSO's account gets locked out, what does it matter? He won't be back for a while, and nobody will notice.

Third, an inside attack, where an employee wants to know whether the CSO is investigating them. Say they start trying to guess the CSO's e-mail password, or convince facility security to create a duplicate employee badge by saying the CSO is busy at another facility.

And who knows what someone really determined might think of. Here is what the voicemail message should have said:

"Hi, this is Joe. I'm unavailable to take your call. Please leave a message, or dial 0 and we'll redirect your call to someone that can help you. Thanks for calling."

Tag: voicemail, CSO, Social Engineering

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

May 04, 2007
Job Security After a Security Breach

Found a survey at Network World quite interesting, as they questioned IT pros about how they feel about their job security after a security breach.

Three-quarters of the 250 IT folks questioned believe they would likely lose their jobs after a major security breach at their place of business. Two-thirds said having such responsibility affected them personally. While 87% of organizations felt able to defend against spam, spyware and malware attacks, only 35% felt they could defend against an attack on corporate data.

"IT departments … are working endlessly to combat and minimize security issues. But even with the wide range of tools these organizations have invested in, there are still security gaps," said Diane Hagglund, of King Research, which conducted the survey on commission by systems management vendor Kace. "Few IT professionals, those from the mid-market sector in particular, feel equipped to deal with lost corporate or personal data."

Also, nearly half of the IT pros named learning different security applications as the greatest challenge in trying to secure all their devices. While about 100% had antivirus and 80% had antispyware, only 70% had those products set to update automatically. Fewer IT professionals reported having automated desktop configuration (50%) and end-node vulnerability scanning (35%) products in place.

I think what that tells us is IT security is a stressful job. And while some people might say, "Well, at least nobody's life is at stake," the truth of the matter is, a company's life can be very much at stake. And that's people's livelihood.

Tag: Security Breach, Spyware, System Administrator, Security gaps

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

May 02, 2007
TJ Maxx Data Breach Will Cost Billions

IPLocks, a compliance and database security company, has estimated that the cost to TJX Companies Inc., which owns TJ Maxx, will be around $4.5 billion. This is based on a cost of $100 per record, with the costs totaling fines, legal fees, notification, and permanent damage done to the brand.

While $100 per record is pretty much average, others have said this amount is low. According to Information Week, the Ponemon Institute, a data protection think tank, believes the breach could cost somewhere in the range of $182 per record, a figure based on the costs of 31 different incidents. For TJX, that would bring their ever-escalating fiasco to $8.6 billion.

"The effectiveness of the people who stole the information is critical here," said Lane. "They did it for a long time. They sold [the stolen information] out to multiple sources. Those credit card numbers are showing up in foreign countries. This is not just a U.S. security breach anymore."

What I hope from reporting this kind of story is that people realize how important protecting their data is. If the data is valuable enough for the company to hold onto it, then it's probably valuable to someone else as well, someone who will do whatever they can to get their hands on it. And if data protection seems expensive, just imagine how cheap it looks to TJX right now.

Tag: TJX, Data Breach, Data Protection

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)
