How Attackers Target You – Witchcoven Malware

Researchers at FireEye have discovered a form of malware that is primarily designed to figure out who the high value targets are.  My guess is that this FORM of malware is far from unique and they say that this particular malware is state sponsored, likely by Russia.  The Witchcoven malware has infected more than a hundred sites and it redirects the user to another, malicious site.  In order for this to happen, those sites had to be compromised to insert the bit of code to do the redirection.  Since that bit of code is so small, it might possibly go undetected.  Think of those 100 sites as (uninfected) typhoid carriers.

The site that the user is redirected to contains the bulk of the malware and is controlled by the attacker.  Since this is not a site owned by or known by the infected carrier, they have no idea that this is happening.  This code could be changed every day if the attacker desires, since the attacker owns the site.  Likely, this site would be registered in a non-friendly country and may be hosted at a “bullet-proof hoster”.  Those are ISPs that charge a lot of money to the hackers, but which completely ignore law enforcement.  Often they are located in eastern European countries and have (bribed) law enforcement personnel on their staff.

That site likely loads a page silently with no visible signs, runs its script and then closes that invisible window.

Using data that your browser coughs up, the malware can decide if you are a target of interest and if you are, insert a persistent cookie on your computer (one which is hard or nearly impossible to delete).  It might find out what software is installed on your computer, what browser plugins you have installed, what other sites you have visited, your location as revealed by your IP address (which is not always accurate) and a lot more information.

FireEye has found 14 sites hosting the malicious code and thinks that this bit of malware is targeting diplomats, government officials, military personnel and executives in the US and Europe.  At this point, they have not linked any attacks directly to this data collection effort.  In concept, this is not much different from what advertisers do to web surfers every day.

Unfortunately, there is not an easy way to block this form of attack.  Some anti-malware tools may block these sites once they are known, but since these sites are not actually doing anything malicious, they may not block them.  Think of these sites as the targeting analysts that every military organization has.  They don’t do anything bad, but the drones or bombers that they send – well, that is a different matter.
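For the operators of the compromised "carrier" sites, the small injected redirect described above is something a page-integrity check can catch.  The following is an added example, not code from the original post or from FireEye: it parses served HTML and flags any script, frame or object whose host is not on the operator's own allowlist.  The allowlist hosts and the sample page are constructed for the example.

```python
"""Flag remote script/frame loads on a page that point outside an
operator-maintained allowlist of hosts.  Added example; inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site operator knows which hosts legitimately serve
# scripts and frames on their pages (constructed names).
ALLOWED_HOSTS = {"www.example-news.test", "cdn.example-news.test"}

# Constructed page: two legitimate loads, one relative load, and a hidden
# frame pointing at an unknown host (the pattern the post describes).
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script src="/local/analytics.js"></script>
</head><body>
<p>Today's headlines</p>
<iframe src="//profiling-host.test/c.php" width="0" height="0" style="display:none"></iframe>
<script src="https://CDN.example-news.test:443/x.js"></script>
</body></html>"""


class _LoadCollector(HTMLParser):
    """Collect the source attribute of tags that can pull in remote code."""
    WATCHED = {"script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.loads.append((tag, value))


def _host_of(url):
    """Normalised host of an absolute or protocol-relative URL ('' if relative)."""
    netloc = urlparse(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def find_foreign_loads(html, allowed_hosts):
    """Return (tag, url) pairs whose host is not on the allowlist.
    Relative URLs resolve to the site itself and are not reported."""
    parser = _LoadCollector()
    parser.feed(html)
    return [(tag, url) for tag, url in parser.loads
            if _host_of(url) and _host_of(url) not in allowed_hosts]


if __name__ == "__main__":
    for tag, url in find_foreign_loads(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"unexpected {tag} load: {url}")
```

Run against a fresh fetch of each page on a schedule and diff the result against the previous run; a new foreign host appearing on a page nobody edited is the signal to investigate.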


Information for this post came from SCMagazine.

Don’t Let Your Website Be Held Hostage

For most businesses, their web site is the public face of the company.  If your web site is an e-commerce site, then not only is it your public face, but also the way you earn money.  If your site is down, it says something to your customers.  If your site is defaced, it says even more.

Hackers, or more accurately, extortionists, have used this fact to separate business owners from their money.  If your site is hacked – compromised – defaced – pick one, do you have a plan to respond?  What if the attack is a ransomware attack where the hackers encrypt all the code and data – even backups if those are accessible?  Remember, even if you pay the ransom, you may or may not get your site and data back.

What if they take over your site and you lose control of it so that you can’t even log on to it to fix it?  If they put an offensive message on the site (for example, what happened to Sony) and you have lost control of the site, what do you do?

Having a plan is a good idea.  Pros call this disaster recovery and business continuity – keep the business running while you get things back to normal.

Here are a few basic suggestions.

  • Keep your web site software up to date.  As soon as patches are available, test and install them.  This includes the operating system, the content management system, shopping cart and any other pieces.  Once patches are released, the attackers have a roadmap for attacking you.
  • Make sure that the source code is stored some place that is not directly accessible from the web site so that if an attacker does get in, he can’t wipe out your source code too.  I replicate my backups in three places – on the web site, in the cloud and offline.  Nothing is perfect, but when it comes to backups, more is better.
  • Replicate files and databases frequently so that even if you get compromised, you can recover.  How often you replicate is dependent on how quickly things change.  If it is an e-commerce site, you may want to replicate changes every few minutes or hourly at the most.  And, you need to do this in a way that hackers won’t be able to destroy the backups.  Sometimes, that is easier said than done.
  • Minimize the software that lives on your web server.  You should NEVER use it for anything other than running the web server.  Other than the people managing the web server, no one else should be able to log on to the server.  This is for both security of the data and to reduce the chance of human error.  The more software on the server, the more attack points for the hacker.  And, NO web surfing from that server.  If you need to update a program, download the updates elsewhere and bring them over.  No browsing reduces the attack surface.
  • If possible, have the web server run inside a virtual machine – either in your data center or in the cloud.  Snapshot the VM often and do not store any data inside the VM. Keep enough generations of the backups so that even if you don’t discover the problem for a while, you still have an uncorrupted backup.
  • Finally, TEST, TEST and then TEST again.  Whether your site is taken offline, compromised or defaced, you want to be able to get back to “normal” as quickly as possible.  You don’t want to be trying to restore it for the first time.
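Two of the points above, keeping enough generations that an uncorrupted copy survives a late-discovered compromise and testing the backups before you need them, can be made concrete.  The following is an added example, not the post's own procedure: it applies a daily/weekly/monthly retention scheme (an assumed policy) to a constructed run of 40 daily snapshots, then uses a digest manifest that was recorded off-box at backup time to find the newest generation whose archive still matches, after an intruder has overwritten the newest three on the backup store.

```python
"""Generational backup retention plus an integrity check against an
off-box digest manifest.  Added example; all dates and archives are constructed."""
import hashlib
from datetime import date, timedelta

TODAY = date(2015, 11, 20)
SNAPSHOTS = [TODAY - timedelta(days=n) for n in range(40)]  # 2015-10-12 .. 2015-11-20


def generations_to_keep(snapshot_dates, daily=7, weekly=4, monthly=6):
    """Retain the newest `daily` snapshots, the newest snapshot of each of the
    last `weekly` ISO weeks, and the newest of each of the last `monthly`
    months (assumed policy, not the post's).  Returns a set of dates."""
    dates = sorted(set(snapshot_dates), reverse=True)
    keep = set(dates[:daily])
    by_week, by_month = {}, {}
    for d in dates:  # newest first, so setdefault keeps the newest per bucket
        by_week.setdefault(d.isocalendar()[:2], d)
        by_month.setdefault((d.year, d.month), d)
    keep.update(by_week[w] for w in sorted(by_week, reverse=True)[:weekly])
    keep.update(by_month[m] for m in sorted(by_month, reverse=True)[:monthly])
    return keep


def newest_intact(manifest, store_digests, retained):
    """Newest retained generation whose archive digest on the store still
    equals the digest recorded in the (separately kept) manifest, else None."""
    for d in sorted(retained, reverse=True):
        if d in manifest and store_digests.get(d) == manifest[d]:
            return d
    return None


def _archive(d):  # constructed stand-in for the real archive bytes
    return f"site-backup-{d.isoformat()}".encode()


# Manifest written at backup time and stored where the web server cannot reach it.
MANIFEST = {d: hashlib.sha256(_archive(d)).hexdigest() for d in SNAPSHOTS}
# Constructed scenario: an intruder reached the backup store and overwrote
# the three newest archives, but could not touch the off-box manifest.
STORE = {d: _archive(d) for d in SNAPSHOTS}
for d in SNAPSHOTS[:3]:
    STORE[d] = b"overwritten by intruder"
STORE_DIGESTS = {d: hashlib.sha256(b).hexdigest() for d, b in STORE.items()}


def run_scenario():
    """Apply retention to the constructed snapshots and locate the newest
    generation that still verifies.  Returns (kept ISO dates, intact ISO date)."""
    keep = generations_to_keep(SNAPSHOTS)
    intact = newest_intact(MANIFEST, STORE_DIGESTS, keep)
    return sorted(d.isoformat() for d in keep), (intact.isoformat() if intact else None)


if __name__ == "__main__":
    kept, intact = run_scenario()
    print(f"{len(kept)} generations retained; newest verified generation: {intact}")
```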


Information for this post came from TMCNet.

What The Boardroom Thinks About Data Breach Liability

The New York Stock Exchange and Veracode surveyed 276 board directors or senior execs of publicly traded companies on the subject of data breach liability and I find the results interesting.

It is important to understand that these are very large companies and when it comes to cyber risk, they are likely at the top of the learning curve.  Still, what they think today is likely what the rest of the companies will think in a few years.

That said, here are some of the results:

  1. 90% believe that regulators should hold companies liable for breaches if they didn’t properly secure their data.  This answer really hinges on the definition of “properly”.  Still, these board members are not trying to get out of their responsibility, which I think is great.
  2. 90% also think that third party software providers should be held liable for vulnerabilities in their code.  While this sort of tracks with #1 above, if you are a software vendor and sell to big companies, I would worry about this.  If what this means is that they want you to fix the bug, that is not a big deal.  If what it means is that they want you to pay for the breach if the attackers got in due to a bug in your software, that is a BIG problem.
  3. 65% say that they either have already or are planning to include liability clauses in their contracts with software suppliers.  If you are a software vendor, this could dramatically affect your business and would likely change what cyber liability coverages you buy and at what amount and indirectly, your cost of doing business.
  4. When it comes to cyber insurance, 91% have some form of insurance including business interruption and data restoration.  54% have coverage for fines, breach notification and extortion.  35% say they want coverage for software coding and human error when it leads to a breach.  This last coverage is not well defined yet and could be expensive.
  5. 52% say they are buying employee or insider threat coverage.  This is smart because a goodly percentage of breaches are due to acts of omission or commission by insiders.

What is unclear at this point is what the regulators and insurance companies are going to demand.  Companies can wait for the regulators (like the very detailed proposed rules from the NYDFS) or companies can get ahead of the power curve.

What seems clear is that with insurance companies beginning to raise premiums and deductibles significantly (premiums in retail went up 32% in the first half of 2015;  Anthem had to accept a $25 million deductible when they renewed their insurance this year), what is next is insurance companies examining business practices much more closely before granting or renewing coverage – some carriers have already started doing this.

Businesses have two choices – wait and hope they can scramble fast enough when the regulators or insurance carriers call on them, or get ahead of the power curve – the choice is a business decision that may impact the future of the company.  Big NYSE companies can afford to hire experts when this happens and pay them $50 million to get their tushes out of a crack.  For smaller companies, even if that bill scales down to $5 million, it might be a problem.  And, even if you spend the money, the inside resources that are needed to execute these plans will likely be significant.

Interesting food for thought.

Information for this post came from Dark Reading.

Lifelock As A Stalking Tool

Those of you who know me are aware that I am not very fond of Lifelock – and USAToday is giving me even more reason to not like them.

Lifelock, when it works as planned, can be a useful tool for monitoring your credit.  However, since it is an unregulated private company, all you can do is hope that things work as they would like them to.  That does not always happen.

In this case, Suzanna Quintana says that her ex-husband opened a Lifelock account in her name and, for several years, was able to see every financial transaction she did – opening a bank account, getting a credit card, leasing a car, etc.

This particular problem stems from the fact that, as I have written about before, using non-public personal information as a way to prove someone’s identity in the age of the Internet is a joke.  Her ex-husband (at the time he opened the account they were separated and living in different states, however the activity continued after they were divorced) knew her name, birthday and social security number.  It appears that this is sufficient to open an account.

She discovered the account in March when her kids, visiting their father, found a spreadsheet detailing her financial transactions on her ex-husband’s computer and shared it with her.

She says that Lifelock did not respond to emails, delayed responses and denied her access to her account.

Early this month, after the Arizona Republic contacted them, Lifelock acknowledged they were slow to respond to Quintana and offered to pay her legal fees.

Kelley Bonsall, Lifelock’s chief spin doctor said that they were distressed that someone used their service this way.  I am sure they are.

The Sheridan County Sheriff’s Department validated Lifelock’s slow response – when they asked for information in June, it took the Sheriff months to get the information they asked for.

Lifelock is not new to being on the wrong side of the law.  Last month they announced they were setting aside $120 million to deal with a class action and handle claims filed by the FTC and 35 state attorneys general that they were in violation of an earlier settlement regarding making false claims.  They settled that first lawsuit by paying the FTC an $11 million fine.

At the time of the first lawsuit, when they were promising to protect your identity, they did not even have a formal information security program.

The company issued a letter of apology which Quintana says distorts the situation and is worded to minimize the company’s role in the illegal activities.  Given that they are in the middle of a fight with the FTC regarding violating their earlier settlement, the last thing they want is new allegations that their security is not up to par and that they are not responding to complaints promptly.

Lifelock represents the problem as a squabble between a husband and a wife (thereby trying to dismiss any liability), even though they were separated, living in different states, she had a restraining order against him and they were later divorced, all while this activity was going on.

More importantly, apparently, I can open a Lifelock account using your information and you likely would never know.  I would have access to your credit information and be able to follow your financial transactions.  While this is likely illegal, companies like Lifelock are new and do not fall into any of the neat buckets that lawmakers have created.  They are not a credit grantor nor a credit reporting agency, so they are not covered by the fair credit reporting act (FCRA).  In fact, the only part of the government that seems to have any control over them is the FTC and that has been a long and convoluted fight.

As far as I can tell, there is no easy way for you to find out if someone has done this to you.  I spoke to several people at Lifelock trying to get an answer to this question, but was not successful.

So, unfortunately, I don’t have a good answer to how you can protect yourself.  Perhaps the FTC will ask that question now that USAToday blew the whistle.

While this is likely not common, Lifelock did acknowledge another case like this one occurred earlier this year.  How many fraudulent accounts exist is an unknown.  I doubt Lifelock would know if I opened a fraudulent account, so they can legitimately claim ignorance.  And, as we all know, ignorance is bliss.

Information for this post came from USAToday.

NY Regulator Unveils Proposed New Cyber Security Regulations

When Ben Lawsky was running the New York Department Of Financial Services, he proposed new cyber security examination rules.  Now that he has gone on to start his own legal consulting firm, the legacy that he started continues.

This week the post-Lawsky NYDFS has released a set of proposed cyber security regulations.  And, just to up the ante, they shared their proposed regulations with every other significant regulator: the Federal Reserve, the OCC, the SEC and every other state regulator.  Their goal is to get everyone to adopt the same basic rules.

So what is in this gem?  If you are a state or federally chartered bank, an insurance company or a broker-dealer, you might want to check this out.  Here they are:

  • 12 very specific policies and procedures including data governance, access controls, systems and application development and QA, vendor and third party risk management and incident response.  That is just one of the items.
  • Third party service provider management
  • Multi-factor authentication
  • Hiring a CISO, who must submit an annual report to the regulator, signed off on by the Board
  • Application security procedures, guidelines and standards
  • Cyber security staff and intelligence
  • Cyber security audit
  • Notification of the department in the event of any cyber security incident.

While this is only a proposal and may change, it likely will not “go away”.

If you are a regulated entity, now might be a good time to start planning and getting ready for whatever comes.

Information for this post came from the WSJ and Reuters.

Starwood Hotels Is Latest Business To Be Breached

Credit card breaches are old news.  Well, sort of.  It seems like every day there is a new one, but we have gotten used to them.  If you are a slight geek, you have your bank send you a text or email every single time your card is used.  The first time that it is used and it is not you, you call the bank, they cancel the card and send you a new one.

Debit cards are more of a pain in the rear, especially if they have your PIN, so if you had a PIN based debit card compromised you MUST move quickly.  You do not have 60 days after you get your statement – you have like 2 days as I recall – which is why I STRONGLY recommend that people do not use their debit card as a PIN based debit card except at your bank.  Almost all banks will issue a Visa or Mastercard logoed debit card which you can use as a credit card.  While the money still comes out of your bank account instantly, it is processed as a credit card and the credit card protection rules apply.  Even though the credit card terminal in the store will try very hard to get you to use that card as a debit card (because it is cheaper for them), resist the temptation – DO NOT DO IT!

Anyway, back to the breach of the day.

Today it is Starwood Hotels – owner of Westin, Sheraton, W and many other brands.

The breach affected about 50 properties (list is in their announcement which is linked below). Some hotels were affected between March and April of this year.  Others between March and May and still others between November of last year and April of this year.

As seems to be usual, the breach only affects restaurants, gift shops and other (likely outsourced) systems.  It did not affect the front desk system.

I assume that Starwood outsources the restaurants and gift shops and those companies likely outsource their point of sale systems.  The different date ranges could mean that there is more than one outsourcer affected and that we may see other notices soon.  This is all speculation as Starwood has not said very much other than that protecting your information is a top priority.

Given that they apparently were not able to protect their top priority …………

As I have said before, if you watch your card and bank charges religiously, this is not a big issue for you.  It is, however, a big issue for Starwood and their likely outsourced restaurants and gift shops and they will spend millions and sue and be sued for the next several years.

Assuming these departments are outsourced, it is one more example of how supply chain security is a huge problem for businesses, and one that they are not paying enough attention to.

This comes just days after Marriott purchased Starwood.  I certainly hope they disclosed this!

My two cents.


Information for this post came from Starwood and Dark Reading.