May 28, 2012
 UK’s Cookie Day

A new law requiring consumers to be notified about websites saving their cookie information:

Friday marks the last working day for UK businesses to prepare their websites for a new law governing the use of cookies.

From Sunday, sites must obtain "informed consent" from visitors before saving cookies on a machine.

The good news?  Most consumers have no clue about what cookies do and just how much personal information they help websites harvest.  Websites and internet technology have become so complex that it is impossible for a typical consumer to understand the implications of a simple click.  This law will hopefully help consumers understand that cookies are the keys to personal information and present a threat if exploited, stolen, altered, harvested or hijacked.

The bad news?  The law is ambiguous.   The BBC article quotes: 

Mr Evans defended the ICO's approach, saying the ambiguity was to enable websites to interpret the rules to best suit their own audience and website design. He also told the BBC that he believed that in the long term issues over cookie use should be regulated by the industry rather than government. "What we want to do is look at where our resources can best be put," he said.

In the past, regulators have made regulations intentionally vague.  The legislative thinking is that ambiguity forces the private sector to experiment with different approaches until somewhere somehow someone finds the right way.  The rest of the market soon follows the lead.  But the lesson from PCI is that suggesting a precise approach—even one created by the private sector—removes a lot of guesswork and the time to compliance accelerates.  For some time, we can expect to see a lot of confused consumers and companies.


May 25, 2012
 Interesting Hack Back

This hack back of the HerpesNet bot is a must read for any geek.  Not only does it show how the bot works but, more importantly, you see how hackers fail to protect themselves from the very vulnerabilities they exploit.  In this case, the hackers were done in by a blind SQL injection found with sqlmap:

Place: POST

Parameter: id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: userandpc=foo&admin=1&os=WindowsXP&hwid=2&ownerid=12345&version=3.0&raminfo=256&cpuinfo=p1&hdiskinfo=12GO&uptime=3600&mining=0&pinfo=none&vidinfo=none&laninf=none&id=23724' AND SLEEP(5) AND 'PtaQ'='PtaQ
---

[08:22:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
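As an added example (not part of the original post or of the hack-back write-up), here is a defender-side triage of constructed request records for the time-based blind pattern visible in the sqlmap output above: a delay primitive in a parameter, correlated with whether the server actually stalled. The record layout, field names and the latency threshold are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed request records (not from the original post), as a WAF or
# application log might capture them: method, path, form body, response seconds.
REQUESTS = [
    ("POST", "/gate.php", "id=23724&hwid=2&os=WindowsXP", 0.12),
    ("POST", "/gate.php", "id=23724' AND SLEEP(5) AND 'PtaQ'='PtaQ&hwid=2", 5.21),
    ("POST", "/gate.php", "id=23725&hwid=3&os=Windows7", 0.09),
    ("POST", "/gate.php", "id=1 AND BENCHMARK(5000000,MD5(1))&hwid=2", 4.87),
    ("POST", "/gate.php", "id=1' AND SLEEP(5) AND 'a'='a&hwid=2", 0.11),
]

# Delay primitives across common DBMSs; benign words such as "sleep" can match,
# which is why the timing correlation below matters.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)
# Quote-balancing tail typical of an injected boolean condition, e.g. 'x'='x
QUOTE_TAIL = re.compile(r"'\s*\w+\s*'\s*=\s*'\s*\w+")

SLOW_THRESHOLD = 3.0  # seconds; assumed, tune to the application's normal latency


def score_request(body, elapsed):
    """Return the injection indicators found in one request's parameters."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            if TIME_FUNCS.search(v):
                hits.append(f"delay function in '{name}'")
            if QUOTE_TAIL.search(v):
                hits.append(f"quote-balanced condition in '{name}'")
    return {"indicators": hits, "slow": elapsed >= SLOW_THRESHOLD}


def triage(requests):
    """Label each suspicious request 'confirmed' when it carried a delay
    primitive and the server actually stalled, 'attempted' otherwise
    (e.g. the query was parameterized or the request was blocked)."""
    results = []
    for method, path, body, elapsed in requests:
        s = score_request(body, elapsed)
        if not s["indicators"]:
            continue
        label = "confirmed" if s["slow"] else "attempted"
        results.append((method, path, label, s["indicators"]))
    return results


if __name__ == "__main__":
    for r in triage(REQUESTS):
        print(r)
```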


May 24, 2012
 Guide to Getting Cyberinsurance

A few months ago, we wrote about cyber insurance in two blog entries.

Here's an excellent article explaining how to select a policy.  Though this piece addresses the issue from a healthcare perspective, its lessons apply to many verticals.

May 23, 2012
 Dissecting A Hacktivist Attack

At the end of March 2012, the Lulzsec hackers attacked http://www.militarysingles.com/ and disclosed sensitive information on more than 170,000 members.

How did the hack occur?  What lessons can we learn?  The answer to these questions comprises our latest Hacker Intelligence Initiative report (HII), Dissecting A Hacktivist Attack (no registration required).

This report analyzes the anatomy of the attack methods deployed by the “new” Lulzsec. Overall, the attack, using Remote File Inclusion, is nothing new. But it underscores how today’s hackers adhere to Sun-Tzu’s maxim: “Strike where your enemy is most vulnerable.” RFI vulnerabilities are prevalent in PHP applications, which comprise 77% of total applications on the web.

This attack also underscores the need for proper password encryption. In this case, archaic methods of password encryption meant hackers could decrypt the full list of passwords in just 9 hours.

Finally, military service professionals need to recognize that social networks are dangerous and that a different standard of involvement applies to men and women in uniform. As a special target for hacktivists and foreign hackers, the military should set policies in place for servicemen participating in social networks.

May 22, 2012
 Barcode Hacking

From the SF Chronicle:

An executive with SAP crafted fake bar codes and pasted them over the real thing on Lego packages in Target stores only to sell the goods on eBay...Prosecutors said the thefts were puzzling, because the scam was extremely labor-intensive and not particularly lucrative.

This example shows how hacking, even barcode hacking, isn't always for money.  In many cases, the thrill of the hunt is the motivation.


 UGNazi and Lessons for Dealing With Compromised Insiders

http://www.infoworld.com/t/hacking/hacker-group-ugnazi-leaks-and-deletes-billing-services-database-193867

Here’s how the attack went down:

According to WHMCS lead developer Matt Pugh, the perpetrators employed a social-engineering attack to dupe the company's Web hosting company -- reportedly HostGator -- to give up administrator credentials. With credentials in hand, the group accessed WHMCS' database on Monday to steal customer's credit card information and passwords, as well as user names and support tickets. UGNazi proceeded to leak links to the stolen records on Pastebin.

We’ve written on compromised insiders before—but in the context of spear phishing.  In the case above, hackers used social engineering.  Whatever the means, protecting the database is essential.  Since our blog on the topic explained the mitigation process nicely, we’ll simply CTRL-C, CTRL-V so you don’t have to persevere through any extra clicks:

One customer, a large financial institution, starts with the assumption that the organization is infected. To them, as hackers and phishers get more sophisticated and targeted with phishing, it’s not a question of ‘if’ but ‘when.’  Though you should deploy anti-virus, you can’t rely on a 100% block rate.   The idea?  Since the perimeter is porous, defend yourself by putting a camera with a security guard inside the vault itself.  This approach is what the customer calls “DAMing the database.” This method blocks unwarranted theft of data by blocking the malware that tries to steal goods out of the malware’s usual target:  the database.  How does DAMing the database work?

Essentially, DAM monitors access to the super-sensitive targets and identifies access attempts to sensitive data such as corporate transactions, customer details and employee records. Anyone—or any malware—that is not supposed to be accessing that data, or is accessing too much of that data, or is accessing the data in an anomalous fashion would trigger an alert or get blocked.   How does this work?

DAM checks the entry method. Legitimate individuals should, typically, access data through a main door. In addition, many databases provide an alternative side door for privileged users, such as higher-level managers. With DAM, anyone not entering through an approved door is suspicious at best and, at worst, malware creating a tunnel.   A proper DAM solution should identify and block inappropriate access.

Similarly, a database control would check and ensure that the client’s application is approved for usage. For example, an organization may permit access to the database only through a particular customized Web-based application, whereas malware tries to bypass legitimate access channels. Any connection to the database by any other application (say, Excel) would be blocked.  Sophisticated malware may try to pose as an administrator.  Typically only administrators access the database through a local client, so the controls should block access originating from a local connection when the user is not an administrator.

Monitor the activity of the individuals.  If employees have been granted miscellaneous access permissions, you should monitor what they are doing.  Malware from spear phishing typically causes unusual behavior including:

  1. Low-level employees attempting to access data only managers can.
  2. Downloading unusually high volumes of data.
  3. Accessing data that isn’t aligned with a job function, e.g., a marketing employee accessing financial data.

Such behavior can be an indication of infection.  DAM tracks the activity of the logged-in individuals, and weird behavior would trigger an alert and/or block the suspicious activity.

Monitor the activity of privileged users.  Managers, by definition, have greater privileges. If spear phishing infects higher-level employees, the malware’s work is much easier.  Nonetheless, malware will cause unusual activity, and DAM pays attention to weird behavior.  Database controls would track the activity of the privileged users and monitor what these privileged users are accessing:

  1. Is it something they are doing in order to perform their job?
  2. Is this something they would normally access?
  3. If they retrieve data – how much data did they retrieve?  Was it appropriate for their job?
  4. What about other activities that they are performing – is that their normal behavior or does it signify some suspicious, out of the ordinary, behavior? 

If any of the above scenarios occurs, DAM should record and block the activity while alerts go off.
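Added example (not from the original post or from any Imperva product): the three DAM checks described above, entry method, job-function alignment and volume, expressed as a policy run over constructed database audit records. The role names, table names, per-role baselines, and the assumption that an audit record carries the client application and connection source are all hypothetical.

```python
from collections import namedtuple

Event = namedtuple("Event", "user role app source table rows")

# Constructed DB audit records (not from the original post): who connected,
# through which client application and from where, what they read, how much.
EVENTS = [
    Event("alice", "marketing", "CRMPortal", "remote", "customers", 40),
    Event("bob", "finance", "CRMPortal", "remote", "transactions", 120),
    Event("alice", "marketing", "CRMPortal", "remote", "transactions", 15),   # job mismatch
    Event("bob", "finance", "EXCEL.EXE", "remote", "transactions", 30),       # unapproved app
    Event("carol", "marketing", "CRMPortal", "local", "customers", 10),       # local, not admin
    Event("dave", "dba", "mysql", "local", "employee_records", 5),            # admin, local client: allowed
    Event("bob", "finance", "CRMPortal", "remote", "transactions", 50000),    # bulk pull
]

APPROVED_APPS = {"CRMPortal"}   # the "main door": the customized web application
ADMIN_ROLES = {"dba"}           # the "side door": privileged users on a local client
SENSITIVE = {"transactions": {"finance", "dba"},      # table -> roles whose job needs it
             "employee_records": {"hr", "dba"},
             "customers": {"marketing", "finance", "dba"}}
MAX_ROWS = {"marketing": 500, "finance": 5000, "dba": 100000}  # assumed per-role baselines


def evaluate(ev):
    """Return the list of policy violations raised by one access event."""
    alerts = []
    # 1. Entry method: an approved application, or an administrator on a local client.
    if ev.source == "local":
        if ev.role not in ADMIN_ROLES:
            alerts.append("local connection by non-administrator")
    elif ev.app not in APPROVED_APPS:
        alerts.append(f"unapproved client application {ev.app}")
    # 2. Data aligned with the job function.
    allowed = SENSITIVE.get(ev.table)
    if allowed is not None and ev.role not in allowed:
        alerts.append(f"{ev.role} role reading {ev.table}")
    # 3. Volume: more rows than the role normally needs.
    if ev.rows > MAX_ROWS.get(ev.role, 0):
        alerts.append(f"{ev.rows} rows exceeds {ev.role} baseline")
    return alerts


def audit(events):
    """Map each offending user to the violations raised; clean events are dropped."""
    findings = {}
    for ev in events:
        for alert in evaluate(ev):
            findings.setdefault(ev.user, []).append(alert)
    return findings
```

In a real deployment the alerts feed the block-and-alert step the text describes; here `audit(EVENTS)` simply returns them per user.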


May 21, 2012
 Insider Threats and the Great Silent Majority

Big insider threat breach hits the UK over the weekend.  Here’s the gist:  “Over 1,000 breaches of personal information have occurred in the last year due to rogue civil servants accessing the data without permission…”

To borrow a phrase from the great insider himself, this is a clear case of the "great silent majority."

Without anyone realizing it, similar data compromises occur behind the scenes on a daily basis, and we hardly ever hear about them. And while these breaches usually go unnoticed, this is the real threat that companies face from within. We’re talking about the loyal employee: the individuals who over time accumulate work data on their computers, perhaps even storing this information on a personal tablet that is also used for work. When these individuals leave, the machine, together with the data, leaves with them. Yet the last thing organizations need is this data in the hands of their competitors.

The problem is that more and more people understand the value of data.  It’s worth revisiting some important surveys: 

  • In the UK, a survey performed in 2010 across 1000 people showed:
    • 70% of employees plan to take something with them when they leave the job
    • Intellectual property: 27%.
    • Customer data: 17%.
    • More than 50% feel they own the data.
  • An identical survey was performed in China and found:
    • 62% took data when they left a job.
    • 56% admit to internal hacking.
    • 70% of Chinese admit to accessing information they shouldn’t have.
    • 36% feel they own the data.
  • Other industry surveys supported the notion that the insider threat is the common employee, such as a 2011 Sailpoint study. A concerning key finding of theirs showed that some of these employees – who have legitimate access to the data in order to perform their job – would willingly turn against the company. From the UK respondents, 24% mentioned they would feel comfortable selling the data.


May 17, 2012
 Training the Next Generation of Hacktivists

It’s a well-known fact that hackers learn their trade in underground forums that feature tutorials, videos and other instructional material.  Traditionally, such material was designed to help hackers profit.

Recently, we came across a nice library that was assembled by a hacktivist group.  This group used to have quite a large site explaining how to hack, with forums for new hackers and exploits.  (The site is no longer active and the activity of its members is unknown.)

First, to get an idea of what this group did, here’s a screenshot from their Twitter feed:

[Screenshot: Training4]

In essence, their purpose was clear:  release easy-to-use hacks for semi-technical people.

Here’s an interesting chat room example.  In the screenshot below, a newbie asks how to become an effective hacker:  

[Screenshot: Training1]

And the main thing to read from ALL the answers and replies he got is “don’t get skills, get tools and read stuff”:

[Screenshot: Training2]

What should a newbie do?  Use automation, such as password dictionaries and cracking tools.

[Screenshot: Training3]

With this example, we see:

  • How education played a key role in the evolution of hacktivism that created the movement that we see today.
  • How easy it has become for the non-technical to learn hacking, which lays the groundwork for future hacktivists.
  • How efficiently good hackers created an infrastructure to proliferate their skills.


May 15, 2012
 Parasitic Drag: The Hidden Cost of Bots

Incapsula (full disclosure:  Incapsula is a subsidiary of Imperva) today released a great bit of research. They asked:  "What is the overhead of all the automated bot traffic?"  Today, most people think that a cost is incurred from bad bots only when a breach occurs.  Not true when as much as 80% of your total web traffic comes from machines.  The automated traffic has a drag-like effect, as seen in aerodynamics. They write:

Most of this traffic is automated and is entirely unrelated to the website’s real human traffic. Basically, each website spun up by a hosting provider will suffer a set level of Bot traffic regardless of how many real visitors it attracts. We like to compare this to an analogous phenomenon in aerodynamics known as parasitic drag, which occurs when moving a solid object through a gaseous medium – a common example is an airplane wing’s drag during flight.

What is the impact of parasitic drag?

Bots seriously degrade the user experience and performance of your website. Would-be customers abandon shopping carts or flee to a competitor when your website doesn’t perform.

Incapsula does provide recommendations that any website should carefully review.

May 14, 2012
 Hackers Hacking Hacker Money

Or is law enforcement behind it?  Can’t say who compromised the Bitcoin site, but it has been compromised.  It looks like the database was stolen:

Reminder again: Please do not reuse your Bitcoinica passwords as the database server was compromised.

For reference, here’s the leaked memo from the FBI expressing concern over the Bitcoin site.

Ironically, this news comes as hacktivists lament tougher times:

  • First, there’s this interview from Canada where fugitive hacker Christopher Doyon, a.k.a. Commander X, states, “I think it’s a stalemate at the moment.”  Though he does go on to predict that Anonymous will be “the most powerful organization on Earth.”
  • Second, Barrett Brown states, "Anonymous is, for now ... in a crippled state.”