A nation state modified its users' web traffic to overload the servers of a Silicon Valley start-up. The business, GitHub, lets businesses and developers store source code and other files online.
Why this matters…
This was done to take offline content that violated the state's censorship policies. Such an attack is possible against any business, service, or organization. It could be used for something as comparatively harmless as knocking any website on the planet offline, but it could equally be applied to critical infrastructure sensors and systems: think Internet of Things devices, nuclear power plants, 911 phone systems, etc.
The business and nation state security implications here are severe. The reason for the attack was two types of content hosted on GitHub: the New York Times (banned in China) and information on bypassing the Chinese censorship firewall. Clearly neither is aligned with the interests of China's leadership.
This attack was executed in the manner described in GitHub suffers ‘largest DDoS’ attack in site’s history | ZDNet.
Despite a good deal of coverage in the mainstream media (WSJ, Bloomberg, etc.), the political response has been lacking compared to the response and support provided to Sony.
My true concern here is that this minor attack (only a few citizens of China are unknowingly having their traffic used to attack a small technology company) is an excellent BETA TEST for a full-scale modification of all 1.4B Chinese citizens’ traffic against critical infrastructure (46% of the population was used for GitHub).
MasterCard published a very brief document outlining the very popular use case where a merchant leverages a third-party e-commerce system to process transactions by redirecting the customer to a separately hosted payment page. The attraction is the obvious shift of the payment card environment to that of the hosted-page provider. This does help reduce PCI DSS scope, but as the paper highlights, it “…does not remove the need for a robust information security program.”
The brief highlights a risk to merchants (“Based on the current compromise and attack trends”): attackers may compromise the merchant’s web environment to redirect traffic away from the approved hosted-page vendor to a site the attacker controls. This can be executed with a fake page that does nothing but show an error, or the attackers can proxy (pass through) the traffic to the real hosted-page vendor. The second approach lets the transaction complete normally, so the customer sees nothing unusual while the attacker sits in the middle of the card data.
The attack mitigations presented (follow best practices) are what you would expect. The brief does not say to solely or specifically follow the PCI DSS requirements, but instead to follow best practices appropriate for the web environment itself.
An additional mitigation stated is to establish SSL tunnels to fixed addresses and certificates. This is definitely effective for securing the point-to-point connection, but it would generally be ineffective against the attack described, since an attacker who has compromised the merchant host itself can simply change where the redirect points from there.
An alternative mitigation approach to consider would be expanding the monitoring and response capabilities. As an example, if traffic is being redirected because the merchant’s host server is compromised, then the next best technique (among many) is to have automatic triggers at the IPS, firewall, and ACL points that fire when these hosts transmit to unapproved targets. This highlights how important it is, when procuring services that handle valuable data, to have a deep process for onboarding the service provider that brings these technical details to light and establishes operational response capabilities jointly with the vendor.
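The egress-monitoring idea above, as an added example that is not part of the MasterCard brief or this post: the checkout host should only ever talk to the approved hosted-page vendor, so any other outbound destination, or the vendor’s name resolving to an address that is not pinned, is a signal that the redirect (or the host) has been tampered with. It also includes an integrity check on the merchant’s own checkout page, which catches the fake-page variant. The vendor name, addresses, log format and sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical approved hosted-payment-page vendor: the only destination the
# checkout host may hand card entry off to, plus the addresses its name must
# resolve to (the "fixed addresses" idea from the brief, applied as a pin).
APPROVED_VENDORS = {
    "pay.hosted-vendor.example": {"203.0.113.10", "203.0.113.11"},
}

@dataclass(frozen=True)
class Finding:
    timestamp: str
    rule: str
    detail: str

# Constructed key=value egress record from a proxy/firewall export; the format
# is invented for this example, not a real product's.
EGRESS_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dst_ip=(?P<ip>\S+) dport=(?P<port>\d+)"
)

def parse_egress_line(line):
    """Return the fields of one record, or None for lines that do not match."""
    m = EGRESS_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    return entry

def evaluate_egress(entry):
    """Findings for one outbound connection from the checkout host."""
    findings = []
    pinned_ips = APPROVED_VENDORS.get(entry["dst"])
    if pinned_ips is None:
        # The redirect (or the host itself) now points somewhere other than the vendor.
        findings.append(Finding(entry["ts"], "unapproved-destination",
            f"{entry['src']} -> {entry['dst']} is not an approved hosted-page vendor"))
        return findings
    if entry["ip"] not in pinned_ips:
        # Right name, wrong address: DNS hijack or a pass-through proxy in the middle.
        findings.append(Finding(entry["ts"], "unpinned-address",
            f"{entry['dst']} resolved to {entry['ip']}, not a pinned vendor address"))
    if entry["port"] != 443:
        findings.append(Finding(entry["ts"], "non-tls-port",
            f"{entry['dst']} contacted on port {entry['port']} instead of 443"))
    return findings

def analyze_egress_log(text):
    findings = []
    for line in text.splitlines():
        entry = parse_egress_line(line)
        if entry is not None:
            findings.extend(evaluate_egress(entry))
    return findings

FORM_ACTION = re.compile(r'<form[^>]*\baction="([^"]+)"', re.IGNORECASE)

def check_checkout_page(html):
    """Integrity check on the merchant's own checkout page: every form must post
    to the approved vendor over HTTPS. Returns the offending action URLs."""
    bad = []
    for action in FORM_ACTION.findall(html):
        url = urlsplit(action)
        if url.scheme != "https" or url.hostname not in APPROVED_VENDORS:
            bad.append(action)
    return bad

# Constructed sample data: the third line is the vendor name resolving to a
# foreign address, the fourth a look-alike domain, the fifth a cleartext port.
SAMPLE_EGRESS_LOG = """\
2012-05-01T10:00:01Z src=10.0.1.5 dst=pay.hosted-vendor.example dst_ip=203.0.113.10 dport=443 action=allow
2012-05-01T10:00:02Z src=10.0.1.5 dst=pay.hosted-vendor.example dst_ip=203.0.113.11 dport=443 action=allow
2012-05-01T10:02:15Z src=10.0.1.5 dst=pay.hosted-vendor.example dst_ip=198.51.100.77 dport=443 action=allow
2012-05-01T10:03:40Z src=10.0.1.5 dst=pay-hosted-vendor.example dst_ip=198.51.100.80 dport=443 action=allow
2012-05-01T10:04:00Z src=10.0.1.5 dst=pay.hosted-vendor.example dst_ip=203.0.113.10 dport=80 action=allow
"""

GOOD_PAGE = '<form method="post" action="https://pay.hosted-vendor.example/checkout">'
TAMPERED_PAGE = '<form method="post" action="https://pay-hosted-vendor.example/checkout">'

if __name__ == "__main__":
    for f in analyze_egress_log(SAMPLE_EGRESS_LOG):
        print(f.timestamp, f.rule, f.detail)
    print("tampered form actions:", check_checkout_page(TAMPERED_PAGE))
```

The findings are the input to the automatic triggers the paragraph describes: an unapproved destination or unpinned address from the checkout host is something a firewall or ACL can block on its own, while the page check is what you run against the deployed checkout page on a schedule, because a compromised host can serve a perfect-looking page that posts card numbers somewhere else.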
The article is short and worth a read. A key question that rang throughout the article: does the issuance of this guidance make it clear that if the use-case attack happens, then merchant Y is deemed out of PCI DSS compliance? The closing paragraph provides some light. Would love others’ thoughts here too!
“While a merchant may be able to reduce or remove the scope of its environment’s applicability to comply with PCI DSS requirements by using hosted payment pages, it does not remove the merchant’s risk of being involved in, or even the source of, an account data compromise event.
Merchants still have a duty to employ security controls based on industry best practices to their web based environment to protect payment card data.”
Link directly to the guidance.
Posted in Compliance
Tagged 2012, attack, best practices, cloud computing, cloud practices, Compliance, deluccia, guidance, it compliance and controls, IT Controls, jdeluccia, man in the middle, mastercard, pci, PCI DSS, regulation, Security
A malware-executed attack was highlighted that targets ActivClient, which provides technology for secure authentication (smart cards compliant with GSC-IS 2.1). The attack is described in detail on a number of sites, such as Security Week here, and I would encourage reading the explanation of the attack by AlienVault here.
What is interesting here, and relevant to all security practitioners and sectors, is that cryptography can at some levels be made irrelevant. The immense sophistication of the cryptography and hardware manufacturing within these key cards and their infrastructure is, in this case, countered simply by capturing the PIN associated with the key. That allows an attacker to access the protected resources the card was designed to restrict. Specifically, the attack works because the attacker captures the PIN with a keylogger, pairs it with the certificate presented from the local computer, and then, whenever the card is connected, authenticates from that compromised machine to the remote resources the key card protects.
In all, a pretty elegant way of defeating what would otherwise be a complex, low-return attack vector (breaking the cryptography).
The takeaway is that, as always it seems, the old assumption that hardware, cryptography, and standard processes are enough is wrong. What is needed is a practice of continually evaluating the impact of new attack types (variants) and new attacker capabilities. Moreover, the ongoing attacks on the underlying security safeguards themselves, as a means of attacking an organization, have reached a critical level. In the past 12 months anti-virus source code has been stolen; two-factor authentication tokens have been perceived as insecure due to the RSA breach; certificate authorities have been breached and poisoned; and now this demonstration of bypassing smart card security.
Yes, the malware could be detected through anti-malware and behavioral IPS-type technology on the network and host. Yes, the increased activity and parallel queries from a single user could be detected. The vulnerabilities allowing the installation in this particular case could also be patched. The result, though, is still an ongoing need to evolve security practices: monitor and respond rapidly to suspect activity, and reduce and limit access as much as possible.
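The “parallel queries” detection mentioned above, as an added example that is not from this post or from the AlienVault or Security Week write-ups: the captured PIN lets the malware authenticate with the card as often as it likes while the card is inserted, and a burst of authentications to many distinct resources inside a few seconds is something a person answering a PIN prompt does not produce. The log format, certificate names, resources and sample events below are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Alert:
    cert: str
    window_start: datetime
    window_end: datetime
    resources: list

# Constructed access log of a resource front end that does smart-card (client
# certificate) authentication; invented format and invented names.
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) cert=(?P<cert>\S+) src=(?P<src>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

def parse_auth_log(text):
    """Parse matching lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def detect_bursts(text, window=timedelta(seconds=10), threshold=4):
    """Flag a certificate that successfully authenticates to `threshold` distinct
    resources inside `window`. A human entering a PIN at a prompt cannot do that;
    malware holding the captured PIN and driving the inserted card can."""
    recent = defaultdict(deque)   # per certificate, events inside the sliding window
    alerts = []
    for ev in parse_auth_log(text):
        if ev["result"] != "ok":
            continue
        q = recent[ev["cert"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # evict events older than the window
            q.popleft()
        distinct = {e["resource"] for e in q}
        if len(distinct) >= threshold:
            alerts.append(Alert(ev["cert"], q[0]["ts"], ev["ts"], sorted(distinct)))
            q.clear()   # one alert per burst, then start counting again
    return alerts

# Constructed sample: jdoe's card is used interactively in the morning, then at
# 09:20 the same certificate hits five different resources in two seconds.
SAMPLE_AUTH_LOG = """\
2012-01-10T09:00:00Z cert=CN=jdoe,OU=staff src=10.0.5.21 resource=/hr/portal result=ok
2012-01-10T09:00:45Z cert=CN=jdoe,OU=staff src=10.0.5.21 resource=/hr/portal result=ok
2012-01-10T09:20:00Z cert=CN=jdoe,OU=staff src=10.0.5.21 resource=/finance/reports result=ok
2012-01-10T09:20:01Z cert=CN=jdoe,OU=staff src=10.0.5.21 resource=/engineering/vault result=ok
2012-01-10T09:20:01Z cert=CN=jdoe,OU=staff src=10.0.5.21 resource=/legal/contracts result=ok
2012-01-10T09:20:02Z cert=CN=jdoe,OU=staff src=10.0.5.21 resource=/hr/portal result=ok
2012-01-10T09:20:02Z cert=CN=jdoe,OU=staff src=10.0.5.21 resource=/finance/payroll result=ok
2012-01-10T09:30:00Z cert=CN=asmith,OU=staff src=10.0.5.40 resource=/hr/portal result=ok
"""

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_AUTH_LOG):
        print(a.cert, a.window_start.isoformat(), a.window_end.isoformat(), a.resources)
```

The window and threshold are tuning knobs, not magic numbers: set them from what real users of the protected resources do, and treat an alert as a reason to pull the host for forensics and revoke or re-issue the card, since the PIN on that machine has to be assumed captured.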
Other thoughts and avenues?
James DeLuccia IV
Posted in Security
Tagged 2012, attack, best practices, china, cybersecurity, data breaches, fisma, GSC-IS, it compliance and controls, IT Controls, james deluccia, PCI DSS, regulation, rsa, smartcards, sykipot