This is a common question from our partners, clients, and others.  Penetration testing is often misunderstood, so we will provide you with our take.

FRSecure’s definition:

A penetration test is an active evaluation or assessment of information security controls.

Notice the key focus words in our definition:

Active – A penetration test requires an “active” component, meaning that the testing requires interaction with the tested control (firewall, server, application, employee, doors, etc.).  Contrast “active” with “passive” where the information security professional does not interact with the tested controls directly.  An example of “passive” evaluation would be an information security assessment based on interviews and questionnaires, often termed “audits”.

Information security controls – A penetration test is often limited to technical controls such as those protecting networks, computers, and/or applications.  A penetration test does not necessarily need to be limited in scope to technical controls, or need to include technical controls at all.  For instance, a penetration test may also include the active assessment of building entrances (physical control), or social engineering (administrative control).

FRSecure’s most common penetration tests are technical, but we also do administrative and physical penetration tests for some of our clients.

The term “penetration test” is confusing to some people, even people within the information security profession.  It shouldn’t be.   If you were to ask ten different information security professionals to define the term “penetration test”, you would probably get ten different answers.  For instance, read the Wikipedia definition of a penetration test:

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.

This definition inserts scope into the definition; whereas scope should only be defined in an effort to determine the extent and method of the testing.

Now read how penetration testing is defined on TechTarget, a commonly referenced IT and information security resource:

Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Again, scope is inserted into the definition by limiting a penetration test to the identification of technical vulnerabilities.  This definition does not account for vulnerabilities in physical and/or administrative controls.  Furthermore, this definition does not account for the validation of vulnerabilities or exploits, which could also be part of the testing (assessment).

In our professional opinion, much of the confusion comes from lack of experience, misunderstanding, and/or simple differences in terminology.  We hope that this quick post helps you in understanding the term "penetration test". The next step in understanding a penetration test, is determining a need and defining the scope (what should be tested or assessed).

Happy Monday!  Do you dread Mondays?  Don’t!  Change your attitude and embrace Monday like any other day.  Attitude leads to more health problems than most people realize.  Did you know that you are 70% more likely to have a heart attack on Monday morning than any other time of the week?  Think about it?  Make changes if you should!

Today, like every other day, we read about the things going on in our world.  In our case it’s the information security world.  We share some of the more interesting things we have read with our partners, clients, and readers.  Here is some of the news that we found interesting this week.

Quote of the day:

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails." John Maxwell

Breaches:
UK university websites hijacked; selling Viagra etc.
[FRSecure] This attack is difficult for most non-technical people to understand, but Zack Whittaker makes some pretty good recommendations in this article that are easy to understand.  We run into poorly or non-segmented networks all of the time.

Monoprice.com Shuttered After Fraud Complaints
[FRSecure] The site was reportedly taken offline on Friday, March 5th, and it is still down as we are writing this post (10+ days now).  A timeline of announcements can be found on Monoprice’s Twitter feed, and Monoprice is also using their Facebook fan page to update customers.  If you like reading people’s comments, there are some good ones on the Facebook page.  Anyway, we have no idea (yet) how this alleged attack took place or who may be responsible.  One thing you can be sure of though; this takes a big chunk out of Monoprice’s bottom line.  Monoprice was #197 on last year’s Inc. 500 list.

Thrivent Financial for Lutherans Notifies Members and Clients of Breach of Unsecured Personal Information
[FRSecure] This announcement from Thrivent didn’t garner much press or widespread attention.  Maybe it’s because the stolen laptop was protected with "strong password protection and encryption."  Maybe it’s because there is not much information available.  According to the Thrivent press release, issued March 9th:

Thrivent Financial for Lutherans recently experienced a break-in at one of its offices in Pennsylvania and a laptop computer was among the items stolen. The laptop had a variety of safeguards to protect sensitive information, including strong password protection and encryption. However, Thrivent Financial believes that the information stored on the laptop may be at risk. This includes personal information, including name, address, social security number and health information.

If we can safely assume that the "strong password" was indeed strong and was not disclosed (i.e. written down on a Post-it note stuck to the laptop), then the risk is probably acceptable.  We will also assume that "encryption" means full-disk encryption with preboot authentication too.  If all of this were true, why would Thrivent issue a press release?  Many states have safe harbor for encryption in their disclosure laws, including Pennsylvania and Minnesota.

St. Louis police say computer was attacked
[FRSecure] Not just attacked, but also compromised.  How much confidence do you have in the technical, administrative, and physical security capabilities of your police department?  At the end of the day, nobody is immune to risk.

Outrage as hospital loses 2,000 records
[FRSecure] NHS has more than their share of information security incidents reported in the past few years (at least 17 since May, 2007).  In this case the patient information has gone missing.  About NHS from Wikipedia:

The National Health Service (NHS) is the name commonly used to refer to the four single-payer publicly funded healthcare systems in Great Britain, collectively or individually, although only the health service in England uses the name ‘National Health Service’ without further qualification.

Security breach at Atlanta VA hospital under investigation
[FRSecure] A physician’s assistant working for the Atlanta Veterans Administration Medical Center allegedly stored an unknown (publicly) number of patient records, some of which date back as much as 18 years, on her personal laptop for non-VA "research purposes."  The lady had the nerve to ask a nurse if she could use the data, and the nurse informed her that such use was not permitted and that she (the physician’s assistant) should destroy the data immediately.  According to the article:

After multiple follow-up conversations and receiving no confirmation from the (physician’s assistant) that she had destroyed the data, the nurse scientist notified the … compliance officer of the issue on 2/8/10,

The physician assistant, hired in October of 2009, resigned effective Feb. 28.

It’s no wonder that the actions of the physician’s assistant resulted in a criminal investigation!

Other Security Stuff:
Cyber attacks worry firms more than terrorism
[FRSecure] According to the article:

When it comes to threats, natural or man-made, Indian companies have rated cyber security as a major concern. In the light of increased cyber attacks, over 42 per cent of enterprises perceive cyber crime as a bigger threat than terrorism, crime and natural disasters.

Some American companies have outsourced much of their IT work to Indian companies over the past five years, or so.  How many of these companies have identified and addressed the information security risks in doing so?  We (FRSecure) don’t like to use fear as a motivation for securing information, but the risks are real.

PDF Based Targeted Attacks are Increasing
[FRSecure] Companies are generally doing a pretty good job (as of late) in patching their Microsoft software, but fall way short of patching critical vulnerabilities in software from other vendors.  We purposely stay product agnostic in our work, but we can’t help but urge people to check out products like those offered by Secunia for patch/vulnerability management.

7 Reasons Why Your Company Needs a Privacy Policy
[FRSecure] Excellent guidance by Aaron Titus.  Please read for your own protection.

FDIC: Hackers took more than $120M in three months
[FRSecure] There was a day when small business could claim that they were largely safe from "hackers" because they were too small to be a target.  THOSE DAYS ARE OVER, and have been for some time.  Unfortunately, if you are a business who hasn’t made an honest committment to information security, your days could be numbered.  We have read and experienced more stories about small businesses being put out of business by fraudsters than ever.  This is a trend that will not likely reverse.  From the article:

"Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses," Nelson said. "In the third quarter of 2009, small businesses suffered $25 million in losses due to online ACH and wire transfer fraud."

Email FRSecure for a free consultation.  We are driven to help companies protect the information they have come to rely on!

HSBC admits to understating data theft
[FRSecure] It’s embarrassing enough to admit that your company’s information security was breached.  It is even more embarrassing to admit it with false information that you have to correct later on.  Such is the case with HSBC.  HSBC originally announced that a breach concerning the theft of personal information by a former employee affected only 10 clients.  Now, HSBC if forced to admit that the breach affects approximately 15,000 clients.  That’s a big difference!

LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False
[FRSecure] This is bad for LifeLock.  We actually like some of the work the LifeLock did from a PR perspective in raising awareness of identity theft.  We also like the fact that they offer some form (effectiveness can be debated) of identity theft protection outside of the services offerred by the credit bureaus.  The credit bureaus, and the system they defend, are the biggest cause of identity theft.  This is not the time or place for us to write about that, but anyway;

In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

The part of this quote that caught our attention was "required to take more stringent measures to safeguard" personal information.  What?!  LifeLock isn’t protecting people’s information?  Not sufficiently.  Information security is lacking at the company.

While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it," said FTC Chairman Jon Leibowitz.

Really, but how can this be?

According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed:

• "Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis."

• "All stored personal data is electronically encrypted."

• "LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us."

The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a "need to know" basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

An interesting press release.  It seems like the cards have been stacked against LifeLock from the beginning, but there are few excuses for the lack of adequate information security controls.

Change in Focus
[FRSecure] This is the announcement that parts of SecurityFocus will transition to Symantec Connect.  Infocus articles, whitepapers, and other SecurityFocus content will all be available through the Symantec website starting today (3/15/2010).  We have mixed feelings, but mostly sad.

FBI: Online Fraud Costs Skyrocketed in 2009
[FRSecure] Another excellent Brian Krebs article.  This one starts out:

Reported losses from online fraud more than doubled last year, from $265 million in 2008 to nearly $560 million in 2009, according to figures released Friday by the FBI.

The largest source of claims where from people reporting email scams that fraudulently used the FBI’s name.

SSD tools crack passwords 100 times faster
[FRSecure] You need to know a little bit about brute force password attacks, rainbow tables, and SSDs (solid state drives) in order to fully appreciate this article.  One thing you don’t need to be a geek to appreciate is this gem:

After optimising its rainbow tables of password hashes to make use of SSDs Swiss security firm Objectif Sécurité was able to crack 14-digit WinXP passwords with special characters in just 5.3 seconds.

5.3 seconds.  Just in case you though that your password was safe.

NetFlix Cancels Recommendation Contest After Privacy Lawsuit
[FRSecure] Hmmm.  That’s all for now.

Humor:
Don’t Judge Too Quickly (PG-13)

Non-embedded link

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is help our clients to that end by protecting a very important asset; their information. So what are we reading today?

It’s been a while since we’ve written on our blog.  We’ve still been reading, but we haven’t had time to write about it.  Business has been very good!

Last week we found ourselves in Louisville, Kentucky and Baltimore, Maryland.  We met with some outstanding people and experienced some interesting information security stuff.  Maybe we’ll share some of this "stuff" later on.  For those of you who may have missed it, we have a new law to comply with.  March 1st was the deadline for organizations to comply with Massachusetts 201 CMR 17.00.  If you do any business in the state of Massachusetts, we strongly urge you to learn about this new law.

Well, let’s get to it.  Our Monday morning reading list…

Quote of the day:

Fall seven times, stand up eight. – Japanese proverb

[FRSecure]  The number is arbitrary.  Fall seven thousand times, stand up seven thousand one.

Breaches:
Fraudulent PIN pads used at two Hancock stores
[FRSecure]  We have more questions than answers on this one.  How do you protect yourself from this if you are a consumer?  Chances are good that the fraudlent PIN pads looked authentic. How did these PIN pads get switched without Hancock’s knowledge?  Somebody at Hancock needs to answer some questions.

At least two stores in Wisconsin are affected by this incident; one in Stevens Point and the other in Marshfield.  If you shopped at either on of these stores with a credit or debit card, work with the issuing bank to get new accounts and cards, even if you haven’t suffered any fraud.  Once a number is compromised, it’s compromised, no matter if it has been used for fraud or not.

Argos exposes customers’ credit-card numbers in emails
[FRSecure]  Most people in the U.S. have never heard of Argos, which is a UK company.  Argos is a part of the Home Retail Group, and according to the Argos website; "Home Retail Group is the market leader in the home and general merchandise market."  Anyway, what the heck happened here?

"The company has been including the customer’s full name, address, credit-card number and three-digit CCV security code in order confirmation emails, which are sent once a customer has placed an order on the Argos website."

Seriously?  Did anyone think about information security, or the risks of sending this kind of information in plain-text emails?  Why would a customer care to receive their credit card number and CCV (card not present) code in a confirmation email?  This is a good example of a bad mistake.

Stolen Shands laptop had info of 12,500 patients
[FRSecure] An unencrypted laptop containing sensitive personal information belonging to Shands patients was stolen from an employee’s home.  The personal information included "names, addresses, medical record numbers and medical procedure codes of the patients, as well as the Social Security numbers of about 650 people."  The employee downloaded the information because he/she thought that their laptop was encrypted.

Among the concerns:

1. Why wasn’t this laptop encrypted?  Laptop encryption is nothing new and we have known about the risks of using laptops without encryption for quite some time.  If your organization uses laptops, you should seriously consider full disk encryption.  Seems like common sense, but common sense isn’t common sense if it isn’t so common.
   
2. Why did the employee assume that the laptop was encrypted?  Poor employee information security training and awareness.  People’s behavior presents the most significant risks to information security.  The time and investment into good training and awareness programs pays off.  ‘Shands’ human resources department has since worked to "discipline and re-educate" the employee’

UWMC patient financial information compromised

"In early February, an employee of the National Collection Office (NCO) Financial Systems Inc., a debt-collection agency that UW Medicine contracts with, violated security and compromised at least 50 confirmed contacts, and as many as 80 more are being investigated."

[FRSecure] The risks involved with using debt collection agencies (and other third-parties in general) can be very significant and must be properly managed.  We are curious to understand how UW Medicine manages third-party risk.

Westin hotel in LA reports possible data breach
[FRSecure] "Hotel officials disclosed Friday that the hotel’s four restaurants, along with its valet parking operation, may have been hacked at some time between April and December, disclosing names, credit card numbers and expiration dates printed on customers’ debit and credit cards."  The hotel has posted a letter to it’s customers on it’s website.

In the letter to customers, the hotel claims that it’s point-of-sale (POS) system may have been illegally accessed by an outside "hacker".

UT Southwestern employee accused of selling patient information

DALLAS – Authorities arrested an employee at UT Southwestern Medical Center after she allegedly stole patient information and possibly their identities."

Hundreds of patients’ personal information – including birth dates, addresses, phone numbers and financial data – was stolen before Tracy Renay Thomas’  arrest and termination, police said.

[FRSecure] This employee (former) is accused of stealing and selling personal information belonging to as many as 10,000 UT Southwestern Medical Center patients.  Here’s the doozy:

Representatives have admitted that when Thomas was hired to work in the financial services department, she did have a prior misdemeanor for theft on her record. She worked at the medical center for six months.

What’s the use in performing background checks if you aren’t going to use the information in your employment decisions?

Other Security Stuff:
Monster botnet held 800,000 people’s details

Months of investigations by the Guardia Civil in Spain, the FBI and security firm Panda Security and Defence Intelligence led to the takedown of the 12.7 million strong zombie network in December and the arrest of three suspects in Spain two months later.

[FRSecure] This is an example of excellent work and cooperation between the private sector and public authorities.  We follow Panda Security’s tweets and blog.  If you are interested, you are encouraged to do the same.

At a press conference announcing the operation in Madrid on Wednesday, Spanish police said they recovered the personal details of 800,000 people from systems recovered from three alleged cybercriminals. This cache of stolen information includes bank login credentials from businesses and consumers as well as email passwords.

People often mistakenly think that bot networks are only used for disruptive attacks (DDoS).  The fact that over 800,000 personal records were found as part of this investigation drives home the fact that bots are more often used for financial gain.  Do these 800,000 people know that their personal information has been compromised?  Nope.  Will they ever know?  Only when something bad happens.

RSA Conference: Gonzalez may receive largest ever U.S. hacking sentence
[FRSecure]  The RSA Conference was held last week.  This is arguably one of the most popular and productive get togethers for information security professionals.  We had to miss this year’s event due to work engagements, but we are looking forward to attending next year.

If you have never heard of Albert Gonzalez; he is accused of (and pled guilty to) being the mastermind behind the attacks on TJX (40 million+ credit card numbers), Dave & Busters, and Heartland Payment Systems (130 million+ credit card numbers), among others.  It is widely agreed upon that Mr. Gonzalez will not see freedom for many, many years, if ever.

Smartphone Weather App Builds A Mobile Botnet
[FRSecure] Here is another story that came out of the RSA Conference.  Good research out of Derek Brown and Daniel Tijerina, with TippingPoint’s Digital Vaccine Group.  We are a little leary of conducting this type of research on live systems that aren’t owned and controlled by the researcher, but we are probably more averse to legal actions.

Fraudsters Bank on Business Accounts: How to Protect Your Funds Online
[FRSecure]  WARNING – This is a must read for small to medium-sized business.  We have seen good companies go out of business through unauthorized money transfers and this is an increasingly common attack.  The risks are real, and banks are not required to reimburse you for loses (and most don’t).  The protections for businesses are not the same as they are for individuals.  DO NOT ignore this type of attack and hope it doesn’t happen to you.

Yep, There’s a Patch for That
[FRSecure] Patching Windows software is not enough.  There are significant vulnerabilities in software made by other vendors in your systems.  Your patch management program should account for software from all vendors and developers.

Two insecure programs found among the 109 programs installed.

Secunia is a very good solution that we have used for the better part of three years.  It’s probably worth a look for you too.

The two insecure programs, with drop downs to additional information and links to patches.

‘Severe’ OpenSSL vuln busts public key crypto
[FRSecure] This vulnerability may be patched before you even get a chance to read this.  The article and paper are interesting to read, and stress the importance of protecting secret keys.

White House Cyber Czar: ‘There Is No Cyberwar’
[FRSecure] We like Howard Schmidt’s calm demeanor and approach, but we don’t see how we are not in the midst of a "Cyberwar" or whatever else you would like to call it.  We have read about a significant number of seemingly state-sponsored attacks on US companies and government systems.  What do we call state-sponsored cyber attacks?

USB battery charger installs Trojan
[FRSecure] According to the article:

Malware bundled in a charger-monitoring software download package opens up a back door on compromised Windows PCs. The contaminated file is automatically downloaded from the manfacturer’s website during the installation process, not bundled with an installation CD.

In a statement, Energizer acknowledged the problem and discontinued sale of the affected device, the Duo Charger (Model CHUSB). The battery maker has also launched an investigation into how backdoor functionality found its way into its software.

This didn’t happen on accident. There is no legitimate reason for Arucer.dll to be placed on computers as part of the install. This looks like a potential compromise of the company’s software development process.

Humor:
We are in the mood for spring, and we’ll be mowing our lawns before we know it.

Non-embedded link

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is help our clients to that end by protecting an important asset; their information. So what are we reading today?

Well, it’s Tuesday.  You have successfully made it through another Monday; now what?  If you’re in Minnesota (as we are), then you probably have some shoveling and/or snowblowing to do.  We built a small luge course yesterday (after we got our work done!).  Information security people have a lighter side too!

Today is Safer Internet Day!  Even though this is primarily a EU initiative, take a minute to visit SaferInternet.org.  Maintaining information security awareness goes a long way in protecting yourself, your family and your community or business.

Quote of the day:

It is one of the severest tests of friendship to tell your friend his faults. – Henry Ward Beecher

[FRSecure] At FRSecure we consider our clients to be close friends.  Even in a business friendship, Mr. Beecher’s quote can ring true.

Breaches:
SSNs Printed On Nearly 50K Envelopes
[FRSecure] Another mailing error?!  Sheesh.  It seems like we have found more breaches resulting from mailing errors this year than in years past.  We understand that this is the time of year for sending tax and other sensitive information, but why do we continue to read about these breaches over and over?

Do you suppose that too many organizations consider information security to be an IT issue and miss significant risks in other areas of the business?  We have stated this before, and we will state it again; Information security is a business issue, not an IT issue.  If your organization intends to mail sensitive information, then the processes supporting the mailings must be taken into account in your risk assessments.  These mailings should have been QAed better.

Comerica Phish Foiled 2-Factor Protection
[FRSecure] There is still this general sense (among business and too many information security professionals) that two-factor authentication will protect against phishing attacks.  This is obviously a false assumption, and your post does a good job of driving this fact home.  If a user is going to give away their credentials, there are few (if any) technological solutions to prevent unauthorized access to sensitive information.

The question of Comerica’s liability will be left to the courts, but it seems as though EMI has a point (case). 

We have received the same types of emails from other banks (not to be named because some of them are now our customers) and have in turn alerted them to the risks.  We have never received a response to our warnings.

ACC says sorry for botched mailout
[FRSecure] This is a case of another mailing error, but this time it occurs in New Zealand.  Accident Compensation Corporation (ACC), allegedly sent 2,000 mailings to the wrong companies.  The mailings contained sensitive private information about workplace injuries.

This was done by an external agency whose procedures would be reviewed – ACC general manager Dr Keith McLea

Oh how true, but ACC’s third-party information security management procedures should be reviewed as well!  We mentioned in our Daily Reading post yesterday how important third-party information security management is to an effective information security program.  How do you manage information security with respect to third-parties?

Other Security News:
Adobe apologizes for festering Flash crash bug
[FRSecure] Emmy Huang, product manager for Flash at Adobe writes some interesting news on her blog that might be at odds with Adobe CTO Kevin Lynch’s insistance that "we don’t ship Flash with any known crash bugs."  The bug in question was reported in September, 2008 and still has not been fixed.  All of this comes one week after:

Apple CEO Steve Jobs lambasted Adobe engineers as "lazy" and said when Macs crash, "more often than not it’s because of Flash."

Adobe is (and should be) on the hot seat for not properly securing their software.  Have you had any problems with Flash or Reader?  If not, then you probably haven’t used them.

McAfee Threats Report: Fourth Quarter 2009 (.pdf)
[FRSecure] We always find the stats in these reports to be pretty interesting.  For instance, there were an average of 135,500,000,000 spam messages per day in 2009.  Not surprising, but interesting when you put a number on it.  Also interesting is the fact that China has now taken over the number one spot from the U.S. in terms of zombie production.  We can’t say we’re upset about losing the this top spot, but it reminds us of the ever-increasing threats coming from overseas.

Search through Palin’s email
[FRSecure] We’re not sure how much value you can get from this, but it’s interesting.  We can search through some of (then) Alaska Governor Sarah Palin’s emails.  Read the background on the landing page for information about how these emails were obtained.

Mario Pirate Fined $1.3 Million
[FRSecure] Ouch. We recommend that you wait for the official release of software titles, and then if your interested in owning a copy for yourself, buy it!

Cops using YouTube to find criminals
[FRSecure] There sure are a lot of stupid criminals out there!  It’s not the stupid ones that we worry about.

China’s largest hacker training site shuttered
[FRSecure] It’s fine with us if the Black Hawk Safety Net was shut down by Chinese authorities, but we don’t think that this is going to have any real impact on information security.  We are more curious about China’s motivation for shutting the site down, and what could happen to the three individuals who were charged by Chinese officials.

Facebook ‘Cash Scam’ Continues to Grow Even Bigger
[FRSecure] We can warn people again and again, until we are blue in the face, but we can only do so much.  This is a good read about how scammers will collect and aggregate information from various sources to come up with pretty accurate profiles of unsuspecting people.

Screenshot of a PDF file used in a targeted espionage attack
[FRSecure] Want to know what one of the .pdf files used in a targeted espionage attack looks like?  Check it out.

Humor
Today, we thought we would add some Obama humor.  Maybe we’ll add some George Buch humor tomorrow (there’s plenty to choose from).

Non-embedded link

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is help our clients to that end by protecting an important asset; their information. So what are we reading today?

Happy Monday!  We hope you enjoyed the Superbowl, if you watched it.  Lighter reading today.

Quote of the day:

You become a champion by fighting one more round. When things are tough, you fight one more round. James Corbett

[FRSecure] James Corbett was a former heavyweight boxing champion and the "Father of Modern Boxing".  Want to be a champion?  According to "Gentleman Jim" and most others, you need to keep fighting.

Breaches:
Indian IT Mammoth "TCS" Website Hacked. Most Probable To Be ‘French Hackers’ Behind This
[FRSecure] This doesn’t look good for Tata Consultancy Services.  Like the article says, the tcs.com website is back to normal now.  There is no mention of the hijack/hack/whatever you want to call it, on Tata’s site.  A DNS hijack is suspected.  This attack appears to have been the work of a single person.  How well do you secure and manage your DNS?

UTEP: Students Social Security Numbers May Have Been Visible In Mail
[FRSecure] If you follow breaches, you know that these mailing/folding/sorting errors are fairly common.

UTEP said they notified 15,000 students but they don’t know exactly how many students were affected.

"Some of the forms were folded in such a way that the document shifted on the envelope and allowed for the Social Security number to be visible through the mailing window on the envelope," said Jose Hernandez with UTEP Business Affairs.

Hernandez said this is the first time UTEP has encountered a problem like this and said students should monitor their credit report.

This may be the first time UTEP has encountered a problem like this, but this is hardly the first time something like this has happened at other organizations.  If you expect to mail sensitive information, then you certainly should take steps to QA your mailings.

AvMed: Data of 208,000 at risk after Gainesville theft
[FRSecure] OK this may seem obvious, but it is not good to store sensitive information (including names, addresses, phone numbers, Social Security numbers and protected health information) on laptops.  Especially if the laptops are not encrypted, and we will assume these were not. These laptops were stolen from the AvMed Health Plans corporate offices and affect as many as 208,000 customers.  Tsk tsk.

Security in General
FICO security lapse scary, but not part of larger problem
[FRSecure] This is an interesting Q&A.  Apparently FICO sold a customer’s personal information on to an imposter.  The company is not offering any credit monitoring or other assistance.  Basically, they tell you that your information was accessed by an imposter and that’s that.  An interesting quote from FICO spokesman Craig Watts:

"We tend to over-alert our members about possible threats rather than under-alert, since we believe it’s much better to be safe – if possibly a little rattled – than sorry in the face of possible identity theft"

While this may seem like a noble policy on the part of FICO, we don’t suggest this approach.  If there is no real reason to concern someone, then don’t.  Remember the boy who cried wolf?  Pretty soon, nobody listens anymore.  Or, you risk the possibility of customers jumping to conclusions and misunderstandings.  If you are and organization that believes in taking the FICO approach, be sure to include enough information for people to understand their risk.

We are assuming that the information in this Q&A is legit.  We would be interested in knowing how this breach took place in the first place (what is/was the vulnerability), and what FICO plans to change in order to prevent a breach like this from happening in the future.

ShmooCon: P2P Snoopers Know What’s In Your Wallet
[FRSecure] P2P can be your friend or your worst enemy.  We suggest that if you don’t need it (which you probably don’t), then don’t use it!  According to the information in this article, an insecure P2P implementation could even get you killed!  There are numerous reports of breaches occurring through P2P networking, although not many of them seem to make it into the public domain.

Pesce described the findings as a lesson in stupidity and compared the act of stealing identities through P2P to "clubbing baby seals."

Blunt, and to the point.  Read on and consider what you should be doing to prevent P2P breaches.  If you aren’t sure, contact FRSecure.

Oracle Breaks Regular Patch Cycle Because of Zero-Day Bug
[FRSecure] Full disclosure forces Oracle to break with tradition.

The company was forced to take this step after exploit code has been publicly released by a security research company without any notification in advance.

The debate for and against full disclosure rages on.  Brian Krebs wrote a nice article that addresses the frustration some security researchers have when dealing with software vendors.  See "Firm to Release Database & Web Server 0days".  Are you for or against full disclosure?

Mass injection web hacks yield to targeted attacks
[FRSecure] Quality vs. Quantity.  It appears as though the bad guys are seeking quality.

Copiers Present Risk for Identity Theft
[FRSecure] Anything that has the ability to store data must be properly sanitized before retirement or repurpose.  Copiers with hard drives or flash drives are no exception.  Think twice before you go to a commercial copy retailer to run off a couple of copies of your tax return.  How many people know how to properly sanitize a hard drive or other data storage device?

Cellular networks breach not easily executed ‘live’
[FRSecure] No comment.

Third parties introduce many deficiencies exploited by attackers
[FRSecure] FRSecure has seen a significant amount of work around the security of third party relationships.  Either a company that engages us has recently been audited by one of thier B2B customers, or a company is seeking help on how to formalize their approach to third-party information security management.  Poor third-party information security management can be devastating.

In a striking trend, the SpiderLabs team also found that third-party vendors or their software was responsible for more than 81 percent of investigations of a security incident or compromise. It was these third parties that introduced many deficiencies exploited by the attacker, such as default vendor-supplied passwords and insecure remote access applications.

We don’t think that this is a "striking trend".  This information should not be a surprise to information security pros.

Vodafone Suspends Employee Following Homophobic Remarks
[FRSecure] At the end of the day, Vodafone’s Twitter following grew dramatically.  Hmmm, makes us think…  Naw.

Humor
Some more tasteless humor.  In order to be included in this section of our daily reading, the joke, picture, or video has to make us giggle (a manly giggle, not a girlish one).  We giggled at this one.  This video clip just ain’t cool, but it was funny enough to get us giggling.

Brutal Buttered Shower Floor Faceplant – Click here for the most popular videos

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is help our clients to that end by protecting an important asset; their information. So what are we reading today?

Happy Friday!  Got any big plans this weekend?  We are hosting a small group of FRSecure friends for dinner this evening and hosting a UFC 109 party tomorrow night.  Ooh, can’t forget the Superbowl on Sunday.  Wow, it’s a busy weekend.

Quote of the day:

A fanatic is one who can’t change his mind and won’t change the subject." W. Churchill

[FRSecure] We like this definition.  That Churchill guy was pretty smart.

Breaches:
Cyber threat hits county appraisal district
[FRSecure] Another case of malware-induced, unauthorized wire transfers.  These attacks are a hot commodity for scammers!  These cases often use "money mules" as U.S. intermediaries to send the money overseas.  These money mules are often caught up in these scams without their prior knowledge and suffer a number of consequences as a result.  We have pointed out various other articles that highlight these types of attacks.  See the excellent work that Brian Krebs does on his blog, namely "Hackers Try to Steal $150,000 from United Way" and "Money Mules Helped to Rob W. Va. Bank".  Brian has a passion for exposing and publicizing these attacks.

In response to the security breach, the Kendall County Appraisal District is installing several new security measures.

Hopefully these measures prove to be effective!  Kudos to Kendall County Appraisal District personnel for detecting this breach before hard financial damage occurred.  Awareness is key!

Strangers Lose Personal Information in Non-Profit Mix-Up
[FRSecure] More than 500 landlords affiliated with the Ozarks Area Community Action Corporation are affected by this breach when errors occurred in the printing and mailing of 1099 tax forms.

OACAC’s director, Carl Rosenkranz, says the organization printed two 1099 forms on one piece of paper. They were supposed to separate them and send each to the rightful owner. Instead one person got both.

Printing and mailing errors can occur and this is why quality control is so important.  Arguably, the errors should have been caught internally before the exposure occurred.

Malware continues to be a challenge to computer security
[FRSecure] There is a breach announced in this article that we haven’t seen before.  The title of the article wouldn’t lead you to find it.

The most recent breach occurred in the Student Aid Office in January, when malware exposed 5,600 records containing Social Security Numbers. These records represent a combination of current and former students. Letters are going out today (Feb. 5) to those affected by the breach,

The latest scam as reported by the ITRC involves an IRS Form W-2 spoof, coming from the e-mail address update@irs.com. According to the ITRC site, "A couple of days after the United States Internal Revenue Service (IRS) kicked off the 2010 tax filing season on Jan. 4, Trend Micro researchers received samples of spammed email messages informing recipients that there have been some important changes in the IRS Employers W-2 forms. … The message also comes with an attachment, which is supposed to be a copy of the updated version of the W-2 form. The attached file (Update.doc) contains an embedded file named W-2update.pdf, which is actually a malicious EXE file."

So here we have a breach that affects the personal information belonging to as many as 5,600 current or former Penn State students.  The breach appears to be the result of a successful phishing attack that installed malware on one or more Student Aid Office computers.

Security in General
Report Details Hacks Targeting Google, Others
[FRSecure] This is scary!  The buzzword (phrase) is "Advanced Persistent Threats (APT)".  First it was Google, then it was Google and 34 undisclosed companies, and now we are reading about "thousands" of other US companies being "quietly plagued" by APT.

The non-APT hackers target only financial data or sensitive customer data for identity theft, while the APT attackers never target such data. Instead, their focus is espionage. They attempt to take every Microsoft Word, PowerPoint and Adobe PDF document from every machine they compromise, as well as all e-mail, says Mandia.

APT attackers also appear to be well-funded and well-organized. In some cases, Mandiant has found multiple groups inside a network, each pursuing their own data in a seemingly uncoordinated fashion.

Many entities don’t discover a breach until someone from law enforcement tells them. By then, it’s too late.

One mark of APT attacks is that they have especially hit companies with dealings in China, including more than 50 law firms.

Great article with some very good insight.  The attacks, like many others rely on the human factor to be successful.

Cybersecurity Enhancement Act passed by U.S. House
[FRSecure] The Act provides for:

Up to $396 million over the next four years to fund cybersecurity research and $94 million over that period to provide scholarships to students pursuing cybersecurity studies, as long as they commit to public service after graduating.

The bill was passed overwhelmingly in the House by a 422 – 5 margin.  We don’t feel comfortable with the commitment to public service requirements.  Do we really need more public employees?  Most of the innovative information security work comes from the private sector.  How much of an impact will this Act really make?  TBD.

Information about H.R. 4061: Cybersecurity Enhancement Act of 2009 can be found at GovTrack.us. There have been many cybersecurity enhancement acts (or similar) over the years.  To put $396 million into some perspective, this amount is .01% of the recently proposed $3.8 trillion federal budget.

Dear Adobe: It’s time for security rehab
[FRSecure] We agree with Mr. Goodin.  Adobe really does need an intervention!  Vulnerability after vulnerability after vulnerability with no real commitment to the security of their products.  Crazy.

Test: Most Web Application Scanners Missed Nearly Half Of Vulnerabilities
[FRSecure] Web application security scanners are important, but understand them for what they are.  They are indicators of potential issues that should be followed-up on, but they are never to be taken as the definitive, single source of vulnerabilities that exist in your web applications.  Organizations that rely on web applications for critical/sensitive processing should employ oustide vendors for periodic, objective code reviews.  If you are going to spend good money for a web application scanner, make sure that it fits your budget and your needs.  Evaluate your options carefully.

Liberty Mutual accuses Aspen of trying to steal a piece of its business
[FRSecure] We thought we would include this article to demonstrate a real-world scenario where former employees have the potential to take critical information with them.  Often times we focus on external sources of attacks like hackers and we forget the real threats among our troops.

Mercer County officials still not sure on missing money
[FRSecure] More than $100,000 goes missing, nine months pass, and still nobody knows what happened.  It’s not that it won’t be known, it just hasn’t been disclosed yet.  The FBI is still investigating.  This is another case of an unauthorized money transfer.  Is this like so many of the others we have seen involving off shore fraudsters and money mules?  Maybe, but we’ll just have to wait longer before we know for sure.

Portable Technology Causing Trouble In Courtrooms
[FRSecure] This may not be directly related to information security (or maybe it is).  It’s interesting.  Some notable quotes:

"Is there anyone here who is on Facebook? God, how many are there? Would you keep your hands up," Milwaukee County Circuit Court Judge David Hansher asked prospective jurors.

In Florida, a judge halted a week’s-long drug trial after nine jurors admitted they’d researched the case online.

In Maryland, a judge ordered five jurors back to court after the corruption trial of Baltimore’s former mayor. They were accused of chatting on Facebook during the trial.

And in England, a judge dismissed a juror in a rape case after she polled her Facebook friends about her verdict.

The solution followed in Wisconsin doesn’t sit to well with us; friending the judge on Facebook so that he/she can monitor what your saying about the trial.

We want to know if we’ve been talking about the trial already, so we ask for permission to friend them on Facebook or to know what blog they post on, or to see if they’ve posted any tweets on the subject" – Milwaukee County Circuit Court Judge Rick Sankovitz

Uh thanks, but no thanks.  We have nothing against judges, but we like to reserve facebook friends for uh, friends.

MS Patch Tuesday heads-up: 13 bulletins, 26 vulnerabilities
[FRSecure] Patch Tuesday is the 9th; next Tuesday.  Microsoft is issuing patches for 13 bulletins and 26 vulnerabilities.  Microsoft has categorized five of thirteen bulletins as "critical".  Get your testing on next week.  You DO test your patches before deployment, right?  If you need help developing and implementing an effective patch management program for your organization, contact FRSecure.

U goof adds $65 late fee to thousands of tuition bills
[FRSecure] We often focus on information security problems that affect information confidentiality.  Here is a good example of how the lack of good information security controls can affect information integrity which can be equally as important.

Versign fails to take action against malicious sites, researcher says
[FRSecure] It sure is easy to contact Verisign for sales, but we couldn’t find where we could send an abuse complaint to them on their website.  Is Verisign taking responsible action to protect the integrity of the .com TLD?  It doesn’t appear so from this article.  Maybe the are limited legally.  Verisign has a lot of lawyers; 39 found on LinkedIn search for "counsel".

Follow Up
Macquarie Bank says trader will not lose job over near-nude photos
[FRSecure] You may have heard about the guy (David Kiely) looking at scantily clad pictures of supermodel Miranda Kerr while a colleague was giving an interview on national (Australian) news.  We posted this video in our Humor section of our "What we’re reading today, February 2nd" post, and we incorrectly assumed that he would lose his job.  Soon after the report aired, a "Save Dave" web campaign got underway, and Macquarie Bank announced that he would keep his job despite the fact that he violated company policy.  We are not saying that he should or should not lose his job, but what good is a policy if a company is unwilling to enforce it?

Humor
Some more tasteless humor.  In order to be included in this section of our daily reading, the joke, picture, or video has to make us giggle (a manly giggle, not a girlish one).  We giggled at this one.  This QVC clip aired in 2006, and we assume the QVC has since built a delay into their broadcasts.

Non-embedded link

About FRSecure

FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure works with businesses of all sizes, in all industries; enabling our clients to achieve optimal results per information security dollar spent. Every one of our clients is in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve the bottom line.

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is help our clients to that end by protecting an important asset; their information. So what are we reading today?

Oh yeah!  It’s almost Friday, and you know what Friday means… uh, it’s Friday.

Quote of the day:

Men do not quit playing because they grow old; they grow old because they quit playing. – Oliver W. Holmes

[FRSecure] See honey!  This is why we play so many games; we need to stay young and vibrant.

Breaches:
Highmark tells customers personal information lost
[FRSecure] Highmark sent a large billing statement to Boscov’s and the envelope arrived damaged and torn.  There were 171 pages missing and the pages contained sensitive personal information belonging to "some 3,700" current and former Boscov’s employees.  How large is "large"?

Lisa Martinelli, Highmark’s chief privacy officer, said the lost data included the Social Security numbers, but not in an obvious way, because the Social Security number is mixed in with other account identification data.

"This is a series of numbers," she said. "It’s not a neon light that says, hey, this is [a Social Security number]."

Oh yes, the old security through obscurity argument.  Not a good argument, but an argument nonetheless.

Ms. Martinelli said Highmark was reviewing its mailing and data transfer procedures, but acknowledged that little could have been done on Highmark’s end to prevent the loss.

"Maybe stronger envelopes," she said.

Really, that’s it?!

Hacker attacks Ceridian; data from 27,000 at risk
[FRSecure] From Steve Alexander’s article at the StarTribune:

A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide.

This is the second breach affecting Ceridian in the past three years, and there are no details regarding how this "hack" took place or what the company plans to change.  It’s sad to note that some victims are confused about the Ceridian notification letters.

Watchdog slams police failure to safeguard files
[FRSecure] This quote from the article almost made into our Quote of the Day:

The fact other law enforcement data was not accidentally or deliberately released appears to have been a matter of good luck rather than good management – The Office of Police Integrity

Hopefully the results of this report will be embraced by management as an opportunity to improve the information security practices of State Surveillance Unit.

Credit union’s Visa debit cards breached
[FRSecure] At this point it is not publicly known how this breach occurred or who may be at fault.  Visa notified HHFCU, but did not provide any real details.  HHFCU  and their customers are left guessing because Visa is notoriously tight-lipped about breaches.

Unfortunately Visa’s very tight-lipped with stuff like that, so we’re trying to break it down – HHFCU President and CEO Michael Ciriello

Should people be told enough to judge the risks to themselves, for themselves without compromising an ongoing investigation?

Kudos to HHFCU for posting a bold notice on their homepage to alert customers.

Private student info posted to Brock website
[FRSecure] This breach occurred because a librarian inadvertently posted a file containing personal information belonging to "thousands" of Brock University students to a publicly accessible web server.  Breaches like this one are much more common than people realize.  Should a librarian be authorized to post information to a public website?  Maybe, but certainly not without proper training, procedure, and checks/balances.

Hackers Steal Millions in Carbon Credits
[FRSecure] Wow!  This is the first time we have read about the bad guys targeting carbon credits.  It makes sense tough.  Crooks will target ANYTHING of value, whether it be personal information, health information, credit card numbers, debit card numbers, login information, intellectual property, etc. 

In this case, "hackers" launched a phishing attack targeted at companies across Europe, New Zealand, and Japan.  The phishing emails appear to be sent from the German Emissions Trading Authority.

According to the BBC, it’s estimated the hackers stole 250,000 carbon credit permits from six companies worth more than $4 million. At least seven out of 2,000 German firms that were targeted in the phishing scam fell for it. One of these unidentified firms reportedly lost $2.1 million in credits in the fraud.

Phishing is a very effective method of obtaining sensitive information, and will be for a long time to come.  Be careful!

Security in General
Facebook tool could be exploited by cyber-bullies
[FRSecure] Interesting, but we’re still not sure how significant the risk is.  This attack vector relies on a bad guy (or gal) gaining unauthorized access to one of your friends email accounts.  If an attacker has gained unauthorized access to a friend’s email account, it is trivial for the attacker to pose as your friend anyway, right?  Also, many people log into Facebook with their email address and the same password they use for email.
 
Does a Mac need anti-virus protection? (updated)
[FRSecure] Oh boy!  This is one of those ongoing arguments.  Our answer is simple; Yes!  Yes you should run malware protection on your Mac.

I don’t know of any live malware attacking Mac OS X, so you probably don’t need either anti-virus or anti-malware software at the moment. However, this does not mean you shouldn’t run it.

Well what is it?  We don’t need anti-virus, but this doesn’t mean we shouldn’t run it?  This certainly doesn’t answer the question in the title of the article.

If you are a home user, you don’t have to care what happens to your data, but business users do.

You should care about your data at home!  Do you bank at home?  Do you have priceless family pictures?  Do you shop online at home? [Add your own question here] 

How about the possibility of your Mac becoming part of a botnet?  Would you care if your Mac was involved in a coordinated attack against someone else?  The author is true in stating that malware is not widely running rampant through Macs today, but the opportunity exists. (keyword is "widely" because Mac malware does exist).  OS X, just like any other commercially available operating system, has bugs.  Bugs are vulnerabilities and vulnerabilities can be exploited.

Google to enlist NSA to help it ward off cyberattacks
[FRSecure] We get a VERY uneasy feeling about this.

Hackers Try to Steal $150,000 from United Way
[FRSecure] There are many true stories that are just like this.  It is heartbreaking in some cases.  Here we have an unemployed man being offered a job as a "financial manager" and unbeknownst to him he is actually a money mule involved in bank fraud. 

Should he have known better?  Would you have acted differently if you were in his shoes?  It’s easy to say that there is no way we would ever fall for this, but if given the same circumstances it wouldn’t be very hard to understand.  It’s not that "money mules" are uneducated dunces; they are duped by very convincing fraudsters who prey on basic human emotions like desperation, greed, hope, etc.

MS probes bug that turns PCs into ‘public file servers’
[FRSecure] Another potentially devastating "feature" in Microsoft’s Internet Explorer.  To see what is affected and potential workarounds, we suggest you visit Core’s advisory.  Microsoft may not patch this vulnerability until March’s Patch Tuesday (second Tuesday of the month).  For now, we will use Firefox.

Fugitive VoIP hacker admits 10 million minute spree
[FRSecure] Another "hacker" bites the dust.  Edwin Andrew Pena pled guilty to two felony counts and faces up to 25 years in prison.  He hacked and lived lavishly from 2004 through 2006, went on the lam from August 2006 to February 2009.  Now, he will be served with some justice.  It’s sad to admit, but to him it was probably all worth it.

Humor
Some more tasteless humor.  In order to be included in this section of our daily reading, the joke, picture, or video has to make us giggle (a manly giggle, not a girly one).  We giggled at this.

For those of you who are aware of Remi Gaillard, you can get some background about him on Wikipedia.

SAVING PRIVATE REMI
WARNING: There is one swear word in french (but with english subtitle).

Non-embedded link

About FRSecure

FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure works with businesses of all sizes, in all industries; enabling our clients to achieve optimal results per information security dollar spent. Every one of our clients is in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve the bottom line.

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is help our clients to that end by protecting an important asset; their information. So what are we reading today?

It’s Wednesday and we’re almost halfway to another weekend!  We don’t have much time to read this morning.  Work calls!

Quote of the day:

"There is nothing wrong when men possess riches but the wrong comes when riches possess men." – Billy Graham

[FRSecure] Wise advice from a wise man.

Breaches:
Medical files in Port St. Lucie trash bin could have led to ID fraud, police say
[FRSecure] This news article was posted last week, but we must have missed it earlier.  We like to read about breaches because we believe that there are lessons learned in each one.  A woman, acting on an anonymous tip found medical files discarded in a trash bin outside near the University Medical Clinics office.  Police were called.

A garbage bag full of medical records is not an oversight – Officer Tom Nichols, police spokesman

Dr. Samuel Sadow, CEO of University Medical Clinics, said Wednesday he didn’t think any patient information had been compromised.

There may have not been a compromise of patient confidentiality in this particular case, but we doubt that this is the first time patient information has been thrown in the garbage.  This is just the first time that University Medical Clinics was caught and exposed publicly for doing it.

Teachers union hit by data loss of almost 7,000 personal details, as ICO finds it to be in breach of the Data Protection Act
[FRSecure] A breach resulting from a lost laptop AND USB flash drive.  The laptop and flash drive were stolen while an ATL member was packing is car.  Sensitive personal information belonging to 6,282 union members on the password-protected (but unencrypted) laptop, and 3,366 of the same records on the unprotected flash drive.  In this day and age, we have to wonder why things like this still happen so frequently.

About ATL:

ATL, the education union, supports 160,000 members across the UK.

Security in General
A hacked Twitter account may cost as much as $1,000
[FRSecure] A peek into the underground economy that helps to drive attackers.  $82 for a gmail account, $5/mo. for a RapidShare account, and up to $1,000 for a Twitter account with 320 followers.  It’s all about the money.

It’s Apple Mac-Guyver: pocket sized detective tool hacks into computers
[FRSecure] The device is only available to law enforcement personnel, but we are not naive enough to think that others (bad and good people alike) don’t already have it.  Let’s suppose for a second that others didn’t have the device, the technology is readily available.  About the device:

SubRosaSoft’s MacLockPick is a USB sized gizmo that can extract passwords, e-mail addresses, recently accessed files, search strings, bookmarks and internet history from running or sleeping computers.  But the US$499 device can only penetrate the defences of Macs running OSX…

Twitter Explains Recent Phishing Attack
[FRSecure] Twitter confirms what we already suspected.  See yesterday’s "What we’re reading today".  We get some additional details today however.  It appears as though the a person (or persons) created a number of torrent (Warez) sites with registration pages in order to capture login information under the assumption that people use the same passwords for multiple sites.  The attackers were correct.  Good advice from Mikko Hypponen:

Think what sites and services are important to YOU and pick a good, strong & unique password for those. For the rest, do whatever you want.

Don’t use the same password that you use on important sites on warez sites!

Apple patches iPhone, iPod Touch vulnerabilities
[FRSecure] There are three vulnerabilities patched that could allow remote code execution if not patched.  The latest version is 3.1.3, and we patched all of our phones this morning.  We suggest you do the same.

Use of Twitter, Facebook rising among gang members
[FRSecure] Gangstas go 2.0!  Do they not even think?  Investigators use the information posted on Twitter and Facebook to gather incriminating information and find out about people they never previously knew about.  This is good!

Law enforcement officials say gangs are making greater use of Twitter and Facebook, where they sometimes post information that helps agents identify gang associates and learn more about their organizations.

"You find out about people you never would have known about before," said Dean Johnston with the California Bureau of Narcotics Enforcement, which helps police investigate gangs. "You build this little tree of people."

"We are seeing a lot more of it," Johnston said. "They will even go out and brag about doing shootings."

"Once you get into a Facebook group, it’s relatively easy," Johnston said. "You have a rolling commentary."

We’re glad to see that law enforcement is using Twitter and Facebook to help make our kids and streets safer, just as long as they stay within the law themselves.

Trustwave report reveals companies making same old mistakes
[FRSecure] The only effective way to manage information security is through a formalized, holistic approach.  Over half of the organizations that we engage, initially lack a formalized, holistic approach to information security.  We aim to change this!

NotW reporter accused of hacking over 100 mobiles
[FRSecure] Surprised?

Humor
Man Hurt As Homemade Rocket Explodes
[FRSecure] Drunk people do funny things.  We can’t see someone doing this sober.

Strip Tease (PG13)
[FRSecure] No nudity, and funny for adults.  Watch the girls reaction.

Non-embedded link

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is help our clients to that end by protecting an important asset; their information. So what are we reading today?

You made it through Monday, so celebrate!  Punxsutawney Phil saw his shadow today, so we are in for six more weeks of winter.  We’re in Minnesota, and we would be thrilled if it were only six more weeks!

Quote of the day:

Good information security is common sense.  Unfortunately too many people lack good information security common sense." – Evan Francen, Managing Partner at FRSecure

[FRSecure] If the sense ain’t so common, then it ain’t common sense.

Breaches:
Innotek reports data breach to the New Hampshire Attorney General (pdf)
[FRSecure] This is one of the most vague breach notifications we have ever read.  We sincerely hope that the potential victims receive more information than this!  Innotek states that they “filed a criminal complaint on January 7, 2010”, so this leads us to believe that they may have caught a perpetrator.  We can only speculate.

Stolen P.F. Chang’s China Bistro "electronic equipment" affects employees (pdf)
[FRSecure] We don’t know what “electronic equipment” is exactly, but it’s probably something mobile like a laptop, flash drive, or external hard drive.  If we assume this, then we question why sensitive information was stored on a mobile device without proper control?  The breach notification states that the electronic equipment was password protected, but password protection does not sufficiently protect mobile data.  This breach affects current and former P.F. Chang’s employees.

Student info leaked through routine update
[FRSecure] We hope that this wasn’t a “routine” update!  If routine updates lead to breaches, then we have bigger problems.  53 West Virginia University students are affected by this breach.

EveryChild acts over loss of donors’ data
[FRSecure] Is street fundraising popular where you live?  EveryChild street fundraisers carry around folders containing sensitive information collected from donors, and in this case one of these folders went missing.  Is it wise to give sensitive information to someone on the street posing as a fundraiser?  How would you know that the person posing as a fundraiser is really a legitimate fundraiser?  In the past this may have worked, but today given all the opportunity for fraud, we wouldn’t suggest this as a way to raise or give money to charitable organizations.

Town hall in new data blunder
[FRSecure] A flash drive containing sensitive information belonging to more than 200 disabled UK residents goes missing.  The council has policies that address mobile devices and personal information.  Personal information is not permitted on mobile devices.  The next steps after policy adoption are education and enforcement.  Policy is good, but only if it is supported by action!

Security in General
‘Foreign spies behind email leak’
[FRSecure] We all heard about the leaked emails from the Climatic Research Unit at the University of East Anglia (UEA) that happened just before the Copenhagen climate conference.  Now Sir David King, a very prominent figure in pro-global warming circles, makes some extraordinary claims:

A very clever nerd can cause a great deal of disruption and obviously make intelligence services nervous, but a sophisticated intelligence operation is capable of yielding the sort of results we’ve seen here.

It was an extraordinarily sophisticated operation. There are several bodies of people who could do this sort of work. These are national intelligence agencies and it seems to me that it was the work of such a group of people.

Really?  We have no evidence to support of refute these claims, but we do know how easy people make things for the bad guys.  We are skeptical of the claim that this was “an extraordinarily sophisticated operation”.  You might be amazed by what a teenager can do with little more than a netbook or an iPhone.

Britain warns businesses of Chinese ‘honey trap’
[FRSecure] China IS attacking the United States public and private sector, AND they are attacking other countries.  China has been engaging in this for years.  After the highly publicized attacks on Google and other US companies, these things are coming to light.  In this article we read about some of the other purported tactics being used by the Chinese, and we are reading another article (below) where there are claims that the Iowa gaming commission server hack was the work of the Chinese.   Is doing business in China and with China worth the risk?  In fairness, we also know (or assume) that the United States and United Kingdom do their share of intelligence gathering too.  This is the new battleground.

Twitter Under Phishing Attack?
[FRSecure] Oh, how things make sense after a day passes by.  Yesterday, Mikko Hypponen tweeted:

Interesting Twitter hack. Within hours, with no action from their part, 50,000 people started following @THCx. THCx signed up a week ago.

We looked at the @THCx account on Twitter and it did look funny.  We left it at that.  Today we read Mashable’s news that:

this incident has something to do with the user account @THCx, which may have gained access to a large number of Twitter accounts, possibly by abusing NutshellMail ( ), but all of this is unconfirmed at this point

Makes sense.  The @THCx account has been suspended by Twitter.

Conficker worm disrupts Manchester police systems
[FRSecure] Oh yes, Conficker is still a real threat, and this serves as another good reminder.  Conficker will still be a threat for some time to come.  Our advice is to be sure that you have formal, comprehensive patch and malware management programs (among many other things) built into your information security program.

Report says U.S. needs new approach for security
[FRSecure] Is the United States ready for what it takes to secure our nation from real security threats?  If not now, when?

Crooks try to romance users with Valentine’s Day spam
[FRSecure] Every holiday presents additional opportunities for crooks.  We should always remain vigilant, but even more so during holidays.

Trail of Iowa computer hack points to China
[FRSecure] We read about this breach yesterday, but now we have additional details.

A forensic investigation indicates China was the source of the hacking incident, although state officials are not absolutely certain because some computer hackers try to disguise their digital footprints, said Robert Bailey, a spokesman for the Iowa Department of Administrative Services.

Tracking down online sources of attacks is very difficult when dealing with countries that may not cooperate with the United States.  It’s not like we can subpoena the logs of an anonymous proxy server in China or Iran or North Korea or Russia or [insert country name here].  The best that the Iowa authorities can do is speculate unless China is willing to cooperate in the investigation (highly unlikely).

Facebook viewed as riskiest social network by companies
[FRSecure] How does your organization address the risks involved with social media?  Hopefully, your organization has addressed these risks through policy, education, technical controls, etc.  If not, contact us for help!

Russia’s Novaya Gazeta Web site hacked, paralyzed
[FRSecure] The DDoS attack has been ongoing for a week or more.

The paper, which comes out three times a week, relentlessly criticizes the Kremlin, often detailing top-level corruption in embarrassing exposes and investigations. Its reporters have been harassed, attacked and even killed in crimes that police rarely solve.

Wow!  Scary.

Humor
This is humorous and sad at the same time.  This guy definitely has a real problem if he can’t resist looking at these pictures at work.  Now he is probably jobless which will only add to his problems. 

Before you do something stupid, make sure you’re not on national television.  Check out the guy off to Martin Lakos’ right.

Non-embedded link.

About FRSecure

FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure works with businesses of all sizes, in all industries; enabling our clients to achieve optimal results per information security dollar spent. Every one of our clients is in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve the bottom line.

Each and every day, we get up early and tune into the information security news of the day.  We check a variety of sources from all over the world.  We do this to help get us in the right frame of mind as information security consultants and to be the best information security consultants that we can in order to assist our clients.  We recognize that our clients have businesses to run and money to make.  Our role is help our clients to that end by protecting an important asset; their information. So what are we reading today?

Happy Monday!  If you have the right frame of mind, you will get through it just fine.

Quote of the day:

It’s ok if you become senile, because you won’t even know it. – Jeremy Jones

[FRSecure] Yeah, but your wife will remind you.  Constantly.

Breaches:
HSU employee info possibly compromised after computer virus
[FRSecure] Humboldt State University reports the presence of a "sophisticated virus that is used to steal login information".  The personal information belonging to 3,500 current and former employees may be affected.

State investigates hacking of computer server
[FRSecure]  The names, birth dates, and Social Security numbers belonging to "more than 80,000" casino employees was exposed by a "person who hacked into" the server storing the information.  According to the article, the "hacker" used an external account.  Are you wondering why a server that stores sensitive information is externally accessible?  Yep, we are too.

Stolen mortgage info led to spree
[FRSecure] A former Ameriquest Mortgage Company employee pled guilty to stealing the personal information belonging to Ameriquest clients, and using the stolen information to commit fraud.  More than 300 people may have been affected.

Tauer faces a maximum penalty of 30 years in prison for each count of bank fraud, 10 years for the access device fraud count and a mandatory minimum penalty of two years for each count of identity theft.

Paper trail: Personal data found blowing in wind
[FRSecure] It’s not yet clear who is responsible for this breach.  We know some very good document and media shredding companies in the Twin Cities.

Building society could face fine after data blunder
[FRSecure] This breach is from our friends in the UK.  The Skipton Building Society mailed 3,155 account statements were sent to customers with another customer’s account details. 

Security – Other
Internal Data Breaches a Rarity, Study Finds
[FRSecure] We can certainly appreciate the insight and valuable work put into the UK Security Breach Investigations Report (pdf).  The title of the news posting "Internal data breaches a rarity, study finds" is very misleading.  If you were a drive-by newsreader, what would you be led to believe?  We would be led to believe that internal breaches don’t happen very often.  NOT TRUE!  Internal breaches happen more often than we think.  Breaches with internal sources are very hard to track and quantify by outsiders.  Organizations are inclined to keep internal breaches internal.  Keep in mind that the information used in this report was obtained through the forensics work conducted by 7Safe; an analysis of 62 breaches.  The sample data set is not sufficient to extrapolate out to organizations in general.  We applaud the work done by the authors of this report, but we find great fault in the misleading title given to this news article.  At the end of the article it is acknowledged.

Standing back from the figures it is hard to know how accurately the breach proportions in this report reflect wider business experience. As Phillips himself acknowledges, internal hacks are almost certainly under-reported for a variety of reasons and the UK lacks any legal requirement to report breaches of any sort.

and from within the report itself:

It is not claimed and should not be assumed that the actual proportion of breaches that are due to internal sources is consistently this small; we can only report on the cases undertaken by the 7Safe forensic investigation team.

A Tale of Two Victims
[FRSecure] Wow!  We wonder how the decisions were made by Umpqua Bank representatives.  What led them to reimburse one customer, but not the other?  Both incidents appear to be very similar.  It will be very interesting to read how this story turns out.  Once again, an excellent article by Brian Krebs!

Godfather Colin Gunn used Facebook to run empire from jail
[FRSecure] You could hardly pick a better name for a gangster!  We looked and his Facebook page is gone.  Can you just email or call Facebook to have them remove a person’s page?  There is probably a policy on this issue, but it makes us think.

Interesting quote:

Critics believe the authorities may have turned a blind eye out of fear of receiving a legal challenge on human rights grounds.

Uh, really?  Now we have people who claim that we have a human right to Facebook?!  Oh boy.

Swiss Bank Data Offered to Germany

and when one article about a story isn’t enough to satisfy our hunger

Germany’s Merkel backs bid to buy tax evasion data (Roundup)
[FRSecure]  This is very interesting.  The idea of using stolen data to enforce tax laws seems contradictory.  The French and Swiss recently resolved their disagreements over the same (or similar) issue.  The person or persons in possesion of the stolen data get rewarded for stealing from their employer.  Do you suppose they will pay taxes on the bounty?  We’re torn.

Lawmakers want review into House site defacements
[FRSecure] We read about these defacements last week and how it may not bode well for thier contractor, GovTrends.  A couple of interesting quotes:

The defacements prevented thousands of constituents from being able to communicate with their elected officials, Brady said.

Do our elected officials (in general) listen to us anyway?

The lawmakers also requested a security review of the third-party vendors used by the House.

Comprehensive and ongoing third-party information security management is an absolute requirement for a well-run information security program.

CIA, PayPal under bizarre SSL assault
[FRSecure]  According to Shadowserver, this unusual amount of SSL (TCP 443) traffic started about a week ago (at the time of the article post).  Very few people know for certain why this is happening.  One comment from a reader named "Anonymous Coward" seems plausible.

I’d say they’re probing for something on the remote boxes, but it doesn’t sound like an attack to me, it’s probably a prelude to one though.

They could be sitting on some crypto exploit code and want to know who’s vulnerable before they make their pay run.

Maybe DDOS the strong encryption servers so that fraudulent requests are handled by systems with the weak encryption that they have an exploit for?

Got you wondering?

Top 5 social networking business threats
[FRSecure] You can probably come up with your own top 5 threats, but this is a good read.  We strongly suggest that you account for social networking in your information security program, if you haven’t already.

Google mystery server runs 13% of active websites
[FRSecure] Impressive, but at the same time scary!  According to the article:

Google’s private internet – which spans nearly 40 data centers across the globe – is built atop countless custom-built and proprietary tools, including a top-secret distributed file system dubbed GFS; the distributed number-crunching platform known as MapReduce; and a new platform known as Spanner that’s designed to automatically move and replicate loads between the company’s mega data centers when traffic and hardware issues arise.

Google also builds its own data centers and its own servers, with design help from Intel and, according to one source speaking with The Reg, a breed of Intel chip guaranteed to withstand higher temperatures. Reports even indicate that Mountain View builds its own routers.

All of this under the control of one authority.  Not just one authority, but a closed authority without outside information security scrutiny.  That is a lot of blind trust.

Facebook, LinkedIn Resist New Privacy Regs
[FRSecure]  What do you do?  On the one hand, we are not fans of additional regulation for a variety of reasons.  Regulations rarely make things more secure in an effective or efficient manner.  On the other, do we trust organizations to do the right thing?

Humor
We gotta hand it to the Brits.  They have a sense of humour (U.S. translation; humor).

Thanks for reading!  We hope you enjoy.

About FRSecure

FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure works with businesses of all sizes, in all industries; enabling our clients to achieve optimal results per information security dollar spent. Every one of our clients is in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve the bottom line.