A good article ran in the NYT today describing a prolonged campaign against up to 100 banks in which the attackers first learned the banks' internal processes and then exploited them. What is interesting here is that the attackers studied each bank's own procedures and customized their behavior accordingly.
It is difficult to imagine these campaigns succeeding for as long as they did if the malware had been detected (which is possible with periodic reviews of the security process), or if the banks' risk officers had re-examined activity that stayed just inside the dollar-range thresholds. It is typical for data to be slowly "dripped" out of a network to stay below the alerting range (which is why signatures are essentially worthless as a preventive or detective tool here), and the same low-and-slow fraud behavior has to be looked for at the human and software process level: aggregate over time and per account, not per transaction.
I look forward to the full report so that the campaign can be analyzed and any lessons shared beyond this surface-level article. Two highlights of the NYT article jump out at me:
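To make the "dripping" point concrete, the following is an added example (not code from the original post, from Kaspersky, or from any bank): a per-transaction threshold check beside a sliding-window aggregate over the same records. The transaction format, the account ids, the dollar thresholds and the window length are all assumptions constructed for illustration; the sample log is constructed, not real data.

```python
"""Low-and-slow ("dripped") transfer detection: per-transaction threshold
versus sliding-window aggregate.

Added example, not from the original post. The record format
(timestamp, account, amount), the thresholds and the sample data are all
constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PER_TXN_LIMIT = 10_000_000   # assumed per-transaction alert threshold (USD)
WINDOW = timedelta(days=7)   # assumed aggregation window
WINDOW_LIMIT = 10_000_000    # assumed cumulative threshold per window (USD)

# Constructed sample log: ISO timestamp, account id, amount in dollars.
# ACC-1 never exceeds the per-transaction limit but sums past it in 4 days;
# ACC-2 is benign; ACC-3 trips the per-transaction limit in one transfer.
SAMPLE_LOG = """\
2015-01-05T09:12:00 ACC-1 2500000
2015-01-06T10:01:00 ACC-1 2400000
2015-01-07T11:40:00 ACC-1 2700000
2015-01-08T08:05:00 ACC-1 2900000
2015-01-05T09:12:00 ACC-2 500000
2015-02-01T09:12:00 ACC-2 600000
2015-01-09T12:00:00 ACC-3 12000000
"""


def parse_log(text):
    """Parse whitespace-separated records into (datetime, account, int)."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, amt = line.split()
        txns.append((datetime.fromisoformat(ts), acct, int(amt)))
    return txns


def per_transaction_alerts(txns, limit=PER_TXN_LIMIT):
    """Signature-style check: fires only on a single transfer over the limit."""
    return sorted({acct for _, acct, amt in txns if amt > limit})


def sliding_window_alerts(txns, window=WINDOW, limit=WINDOW_LIMIT):
    """Behavioural check: per-account sum over a sliding time window.

    Returns {account: peak_window_total} for accounts whose cumulative
    transfers inside any window of length `window` exceed `limit`.
    """
    by_acct = defaultdict(list)
    for ts, acct, amt in txns:
        by_acct[acct].append((ts, amt))

    flagged = {}
    for acct, rows in by_acct.items():
        rows.sort()
        start, total = 0, 0
        for ts, amt in rows:
            total += amt
            # Drop transactions that fell out of the window ending at `ts`.
            while rows[start][0] < ts - window:
                total -= rows[start][1]
                start += 1
            if total > limit:
                flagged[acct] = max(flagged.get(acct, 0), total)
    return flagged


if __name__ == "__main__":
    txns = parse_log(SAMPLE_LOG)
    print("per-transaction alerts:", per_transaction_alerts(txns))
    print("sliding-window alerts: ", sliding_window_alerts(txns))
```

On the constructed data the per-transaction check flags only ACC-3, while the windowed check also flags ACC-1, whose four transfers of under $3 million each add up to $10.5 million in four days. The window length and limit are the tunable parts; a real deployment would key the aggregate on whatever the attacker is most likely to keep constant (destination account, originating terminal, operator id), not just the source account.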
Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.
The hackers’ success rate was impressive. One Kaspersky client lost $7.3 million through A.T.M. withdrawals alone, the firm says in its report. Another lost $10 million from the exploitation of its accounting system. In some cases, transfers were run through the system operated by the Society for Worldwide Interbank Financial Telecommunication, or Swift, which banks use to transfer funds across borders. It has long been a target for hackers — and long been monitored by intelligence agencies.
via Bank Hackers Steal Millions via Malware – NYTimes.com.
The report is planned for release on Feb 16, and I hope it contains substantial facts on the campaign.
Thanks to Kaspersky for continuing to lead this research and for providing solutions.
Posted in information security
Tagged 100, 2015, banks, deluccia, email, heist, kaspersky labs, malware, millions, phishing, russia, swift network
A nice summation of the Gemalto report regarding the data breaches in 2014.
Identity theft was by far the largest type of attack, with 54% of the breaches involving the theft of personal data, up from 23% in 2013.
Data records are defined as personally identifiable information such as email addresses, names, passwords, banking details, health information, and social security numbers.
via 1 Billion Data Records Stolen in 2014, Says Gemalto – Digits – WSJ.
- Only 4% of the breached data was encrypted, which both demonstrates encryption's effectiveness and shows how poorly it is still adopted
- 78% of breaches were from U.S. companies, followed by the U.K.
Lessons abound, and I am working on publishing a new piece on the evolution of these breaches and how "we" have misinterpreted the utility of this data.
On a similar topic, please join me in building good everyday habits for users that minimize the impact of these breaches at http://www.hownottobehacked.com, my new research project.
Kaspersky Labs (a pretty wicked good set of researchers) published an analysis of source code from the Snowden documents (the "Qwerty" keylogger) and found it identical in part to a module of the malware known as Regin. Regin has been active for nearly 10 years and has been found on a number of infected systems globally.
I would encourage everyone to read and understand the analysis, as it is quite thorough and interesting .. go ahead, I'll wait .. Comparing the Regin module 50251 and the "Qwerty" keylogger – Securelist.
While I cannot speak to the source of and reason behind this tool beyond the obvious conjectures, I would stress one critical point: attribution and intent.
Attribution is hard and of little value
As with other digital attacks, attribution is very difficult, and I often tell clients not to make it the basis of their response. The problem is not only the difficulty of attributing such attacks but also the cost of asserting attribution incorrectly. For example, JP Morgan's breach, initially reported as a Russian attack on the bank related to the Ukraine incident, was in fact due to a simple human error in configuring a server.
We as observers do not know the intent of the operators behind the malware. In the NSA case, the malware has been identified in various locations, but as we all know, malware spreads freely without much direction. The likelihood that a given system was infected unintentionally, or without any purpose on the operators' part, is high.
This comes to the forefront in our own internal analysis of attacks and breaches in our corporate environments. We must seek out all of the possible vectors and not allow our bias, or the evidence on hand, to sway us incorrectly.
Spiegel.de article on Kaspersky report and other thoughts
Is “it is your decision not ours” statement and philosophy a cop-out within the Information Security sphere?
This is a common refrain and frustration I hear across the world of information security and information technology. Is it true? Is it the result of the personality types attracted to these roles? Is it a matter of operational and reporting structure?
In audit, independence is required and visibility is granted. Do the business (the CIO) and the subject-matter expert (the CISO), who may lack that visibility, not have a duty of due care to MAKE it work?
The perfect analogy is the legal department: they NEVER give in and walk away with a mumble. They present their case until all the facts are known and a mutual understanding is reached. Balance happens, but it happens through understanding.
This point is so important to me that it warranted sharing the thought on its own. I hope we can reframe our approach and, following a TED presentation, focus on the WHY (I need to find the link ... sorry). The individuals in these roles provide the backbone and the customer-facing layer of EVERY business.
These are thoughts and realizations from stumbling around our community, and today at RSA, prompted by presentations with these underlying tones.
Posted in information security, IT Controls, Security
Tagged 2013, best practices, Compliance, infosec, it compliance and controls, IT Controls, james deluccia, jdeluccia, Security
Today, for me, kicked off the RSA conference. The best part of these events is the onslaught of ideas shared between peers, generally through networking and random encounters in hallways (such as bumping into Bill Brenner). Thanks first off to RSA for creating the forum in which these discussions occur.
I have the privilege of speaking tomorrow, and look forward to the debate and flow of ideas that will ensue.
While reviewing some of the research provided to attendees, I had the following observations, and wanted to share them in entirety for debate and expansion:
Vendor management by procurement SHOULD include data plus asset chain of custody, and #infosec assurance to YOUR standards #RSAC
So basically – costs per breach are up; # attacks higher; 6 more days to resolve, & the same forms of attack
Isn't the rise in cost per breach in 2012, to $8.9 million, the result of our greater leverage of information technology and the value that leverage creates?
Most botnet, malware, & C&C operators manage MORE devices; across WIDER geographies, & generate a positive ROI. How is your information security?
#rsac Art's presentation was good. Agree with the Taleb perspective, but it must be applied at the org level to build robustness #infosec
Art Coviello gave an impassioned presentation that I thought was very good for a keynote at that level. There is typically a risk of sales material (which did occur at the end, of course), but he offered a couple of good analogies and some useful mental positioning. I thought his analogy to Nassim Taleb's Antifragile was on point (and funny, since I am a third of the way through it, so it was very fresh in my mind) for security operations against cyber threats. I would expand it, though, to include the business process and the information security compliance program. I have found that the blocking and tackling of information security itself needs to be robust and antifragile; lacking these elements forfeits the benefits of the threat intelligence he describes.
This is especially poignant to me given the relative lack of volatility in the types of attacks that succeed against organizations and their ongoing effectiveness in breaching our company defenses.
If you want to enjoy the keynotes (I would recommend at least Art and Scott Charney), they are available live or on demand here.
RSA thoughts and sessions .. to be continued ..
Posted in Compliance, information security, ROI
Tagged 2013, apt, Art Coviello, bill brenner, cyberwar, hack america, information security, infosec, it compliance and controls, IT Controls, james deluccia, jdeluccia, rsac, Security