A Closer Look at the Target Malware, Part II

Yesterday’s story about the point-of-sale malware used in the Target attack has prompted a flood of analysis and reporting from antivirus and security vendors about related malware. Buried within those reports are some interesting details that speak to possible actors involved and to the timing and discovery of this breach.

As is the case with many data breaches, the attackers in this attack used a virtual toolbox of crimeware to get the job done. As I noted in a Tweet shortly after filing my story Wednesday, at least one of those malware samples includes the text string “Rescator.” Loyal readers of this blog will probably find this name familiar. That’s because Rescator was the subject of a blog post that I published on Dec. 24, 2013, titled “Who is Selling Cards from Target?”.

In that post, I examined a network of underground cybercrime shops that were selling almost exclusively credit and debit card accounts stolen from Target stores. I showed how those underground stores all traced back to a miscreant who uses the nickname Rescator, and how clues about Rescator’s real-life identity suggested he might be a particular young man in Odessa, Ukraine.

This afternoon, McAfee published a blog post confirming many of the findings in my story yesterday, including that two malware uploaders used in connection with the Target attack contained the Rescator string:

“z:\Projects\Rescator\uploader\Debug\scheck.pdb”.

A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator’s email flood service at the bottom.

Earlier this morning, Seculert posted an analysis that confirmed my reporting that the thieves used a central server within Target to aggregate the data hoovered up by the point-of-sale malware installed at Target. According to Seculert, the attack consisted of two stages.

“First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details. Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.”

Seculert continues: “Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2 week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBs of stolen sensitive customer information. While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack.”

Target has taken quite a few lumps from critics who say the company waited too long to disclose the breach, and new details about when it may have known something was wrong are likely to fan those flames. As I wrote yesterday, the point-of-sale malware used in Target referenced a domain within Target’s infrastructure called “ttcopscli3acs”. Several sources, including Seculert’s Aviv Raff and Dmitri Alperovitch at CrowdStrike, searched for other files with that unique string within the corpus of malware uploaded to Virustotal.com, a service that employs more than 40 commercial antivirus tools to produce reports about suspicious files submitted by users.

That search turned up numerous related files — including the aforementioned malware uploaders with Rescator’s nickname inside — all dated Dec. 11, 2013. Since this malware is widely thought to have been custom-made specifically for the Target intrusion, it stands to reason that someone within Target (or a security contractor working at the company’s behest) first detected the malware used in the breach on that date, and then submitted it to Virustotal.

Yesterday’s story cited sources saying the malware used in the Target breach was carefully crafted to avoid detection by all antivirus tools on the market. These two virustotal scan results from Jan. 16 (today) show that even to this day not a single antivirus product on the market detects these two malicious files used in the Target attack. Granted, the antivirus tools used at virustotal.com do not include behavioral detection (testing mostly for known threat signatures). I point it out mainly because nobody else has so far.

Incidentally, in malware-writer parlance, the practice of obfuscating malware so that it is no longer detected by commercial antivirus tools is known as making the malware “Fully Un-Detectable,” or “FUD” as most denizens of cybercrime forums call it. This is a somewhat amusing acronym to describe the state of a thing that is often used by security industry marketing people to generate a great deal of real-world FUD, a.k.a. Fear Uncertainty and Doubt.

[Source: KrebsonSecurity]

A First Look at the Target Intrusion, Malware

Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

The seller of the point-of-sale “memory dump” malware allegedly used in the Target attack.

In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.

This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants.

Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.

‘BLACK POS’

On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec. The report generated by that scan was very recently removed, but it remains available via Google cache (Update, Jan. 16, 9:29 a.m.: Sometime after this story ran, Google removed the cached ThreatExpert report; I’ve uploaded a PDF version of it here).

According to sources, “ttcopscli3acs” is the Windows computer name/domain used by the POS malware planted at Target stores; the username that the malware used to upload stolen data was “Best1_user”; the password was “BackupU$r”.

According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed in this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls “Reedum” (note that the Windows service name of the malicious process, “POSWDS”, is the same as in the ThreatExpert analysis). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.

The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.
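The string hunt both articles above describe (searching a file corpus for the unique strings this malware carries, such as the “ttcopscli3acs” computer name, the Rescator PDB path and the “POSWDS” service name) is a useful complement to signature antivirus when, as here, no engine flags the sample. The following is an added example, not code from KrebsOnSecurity or any vendor report: the indicator strings are the ones quoted above, while the labels, the sample files and the function names are constructed; it also checks the UTF-16LE form of each string, which is how Windows binaries often store such names.

```python
"""Hunt for the Target PoS indicator strings across local files.
Added example, not code from KrebsOnSecurity or any vendor report; the
labels, sample files and function names here are constructed."""
import os
import tempfile

# Strings the articles attribute to the PoS malware and its uploaders.
INDICATORS = {
    "pdb_path": rb"z:\Projects\Rescator\uploader\Debug\scheck.pdb",
    "computer_name": b"ttcopscli3acs",
    "upload_user": b"Best1_user",
    "service_name": b"POSWDS",
}

def encodings(needle: bytes):
    """Yield (name, pattern) for the ASCII form and the UTF-16LE form;
    Windows binaries often hold service/computer names as wide strings."""
    yield "ascii", needle
    yield "utf16le", needle.decode("ascii").encode("utf-16-le")

def find_all(haystack: bytes, needle: bytes):
    """Yield every offset at which needle occurs in haystack."""
    start = 0
    while (idx := haystack.find(needle, start)) >= 0:
        yield idx
        start = idx + 1

def scan_bytes(data: bytes):
    """Return (label, encoding, offset) hits, case-insensitive, by offset.
    bytes.lower() folds only ASCII letters, so the NULs in the UTF-16LE
    patterns are untouched and the comparison stays exact."""
    lowered = data.lower()
    hits = []
    for label, needle in INDICATORS.items():
        for enc, pattern in encodings(needle):
            for off in find_all(lowered, pattern.lower()):
                hits.append((label, enc, off))
    return sorted(hits, key=lambda h: (h[2], h[0]))

def scan_paths(paths):
    """Map each path to its hit list; unreadable files map to None."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = scan_bytes(fh.read())
        except OSError:
            results[path] = None
    return results

def constructed_samples():
    """Constructed inputs, not real malware: a clean blob and one that
    embeds an ASCII computer name plus a wide-string service name."""
    pad = bytes(range(256)) * 4  # 1024 bytes of filler
    suspicious = (pad + b"ttcopscli3acs" + pad
                  + "POSWDS".encode("utf-16-le") + pad)
    return {"clean.bin": pad * 3, "suspicious.bin": suspicious}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, blob in constructed_samples().items():
            paths.append(os.path.join(tmp, name))
            with open(paths[-1], "wb") as fh:
                fh.write(blob)
        for path, hits in scan_paths(paths).items():
            print(os.path.basename(path), hits or "no indicators")
```

Point `scan_paths` at a directory listing of quarantined samples or memory dumps to run the same hunt on real files.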

That source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.

According to the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.

THE ATTACK

Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke into Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered up by all of the infected point-of-sale devices.

“The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps.”

It’s not clear what type of software powers the point-of-sale devices running at registers in Target’s U.S. stores, but multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS). Target’s Canadian stores run POS devices from Retalix, a company recently purchased by payment hardware giant NCR. According to sources, the Retalix POS systems will be rolled out to U.S. Target locations gradually at some point in the future.

WHO IS ANTIKILLER?

Image: Securityaffairs.co

A more full-featured Breadcrumbs-level analysis of this malware author will have to wait for another day, but for now there are some clues already dug up and assembled by Russian security firm Group-IB.

Not long after Antikiller began offering his BlackPOS crimeware for sale, Group-IB published an analysis of it, stating that “customers of major US banks, such as Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware.”

In his sales thread on at least one crime forum, Antikiller has posted a video of his product in action. As noted by Group-IB, there is a split second in the video where one can see a URL underneath the window being recorded by the author’s screen capture software which reveals a profile at the Russian social networking site Vkontakte.ru. Group-IB goes on to link that account to a set of young Russian and Ukrainian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hacktivist collective known as Anonymous.

One final note: Dozens of readers have asked whether I have more information on other retailers that were allegedly victimized along with Target in this scheme. According to Reuters, “smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target.” Rest assured that when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.

[Source: KrebsonSecurity]

Top 10 InfoSec Careers Influencers

CareersInfoSecurity presents its first ranking of 10 individuals shaping the way that organizations and leaders approach information security careers in 2014.

Each of these Influencers has a substantial impact on InfoSec careers. Their influence ranges from education and training to recruitment, research and management.

Our selections include some of the nation’s most recognized leaders in promoting information security careers. But they also include a few individuals who focus on growing the profession behind the scenes.

How did we choose the Influencers? We queried our board of advisers and other information security thought-leaders to identify candidates, with the editors making the final decision. Influencers are listed alphabetically.


Follow Tom Field on Twitter: @SecurityEditor

[Source: CareersInfoSecurity]

FREE Ways to Earn Continuing Professional Education (CPE) Credits for Your InfoSec Certification

You have earned your certification!  Congratulations!

Qualifying for and studying for an InfoSec exam is not an easy task, and you should be proud of your accomplishment. But once the glow of accomplishment has worn off and you have framed your certificate, there is the nagging problem of earning the Continuing Professional Education (CPE) credits to remain in good standing in your organization.

For some folks this is an easy task.  Credits may be earned through the simple act of attending conferences and meetings of sponsored chapter organizations.  However, many of these meetings and conferences are not free. This presents a problem for a newly certified professional who may not have the money to attend these events.

Fortunately, there are plenty of free ways to earn your CPEs.

To avoid having the CPE rejected, one should fully understand the intent of the requirement. The reason for the CPE is to stay abreast of new developments and to remain active in the InfoSec community.  While some of the certifying authorities are very strict about the subject matter, others are more permissive.  For example, if you have a Certification from the EC-Council as a Certified Ethical Hacker, they insist that all your CPE credits are related to InfoSec, so if you submit a CPE for a general book about Ethics, it will be rejected unless it has a chapter that specifically addresses “Computer Ethics”.  On the other hand, if you have a certification from ISC2, they will freely accept a CPE for study of general ethics.  This is not a criticism of either organization; it is presented to illustrate the differences in certifying authorities.

Some CPE credits are classified into different categories.  ISC2 has different credits for the “core” disciplines (such as the ten domains of the CISSP) which they call “Type A” credits, and alternate “Type B” credits.  Type B credits could be just about any field of knowledge that shows that you are committed to learning.  For example, if you study a foreign language, you may submit that for a type B credit.  Have you brushed up on your math skills lately?  Claim a type B credit.

If you carry a certification that requires 120 CPE Credits over 3 years, the math breaks down very easily to just 3.33 hours a month over 36 months.  This means that you can clock 1 hour each week and still end up with a surplus!  This sounds like a lot, but it is easily manageable.

Here are some recognized methods for CPE credit.

One of the simplest methods is to install a podcast app on your mobile device and subscribe to some podcasts related to your certification and the podcasts will be ready when you are. No need to visit each podcast URL site hunting for what’s new; you can browse from your app. If you listen to as little as 15 minutes over 4 days, that is an hour for that week.  Webcasts are also available (and most are provided for replay if you cannot attend the live webcast).

Some excellent podcasts include (in no specific order):
PaulDotCom.com “Drunken Security” and “Security Weekly”. http://www.PaulDotCom.com (also available on video at http://securityweekly.com/watch )

BrightTalk: Offering webcasts from notable organizations such as SANS and other reputable InfoSec vendors. https://www.brighttalk.com/

Steve Gibson’s “Security Now!” broadcast on “The Week In Tech” (TWIT). Gibson also makes his entire webcast available in multiple formats, including text transcripts.
https://www.grc.com/securitynow.htm

Down the Security Rabbit Hole: http://podcast.wh1t3rabbit.net/

Bank Info Security http://www.bankinfosecurity.com/ – You can achieve InfoSec benefits from this site even if you do not work at a bank.

This is by no means a comprehensive list, so please seek whatever educational avenues that work best for you. Most important is to try to go beyond your own area of expertise.  Take your weakest topics and focus on strengthening them.

The worst that can happen is that the CPE is rejected, in which case you may appeal the rejection, or it is “audited”.  People shudder when they hear the word “audit”.  Will the auditors come to your house with subpoenas and start searching through your closets?  No, the audit process is nothing like that at all.  It is generally an E-Mail notice to which you may respond with further information about the CPE that you submit.  The easiest way to avoid the audit process is to take some notes while you are listening to a presentation.  If the podcast offers transcripts or slides, those may be submitted for verification as well.

As you can see, the CPE credits are easy to maintain, and, as for doctors, attorneys, and accountants, continuing education helps us keep current in our field and advances the maturity of the InfoSec profession.

Bob Covello, CISSP, C|EH
Sandy Tyson, CISSP

[Source: (ISC)²]

The New Face of Data Security Professionals: Women

A new report states that women possess the communication skills and diverse academic backgrounds needed to bolster security performance in the enterprise.

A new report states that though women make up just 11 percent of the global information security workforce, they possess the communication skills and diverse academic backgrounds needed to bolster security performance in the enterprise.

Market research firm Frost & Sullivan interviewed 5,814 information security professionals for “Agents of Change: Women in the Information Security Profession,” which is sponsored by (ISC)2 and Symantec. Respondents came from businesses that had workforces of more than 500 employees.

The research reveals that women’s tendency to have strong communication skills and a broad understanding of the security field are essential to enhancing information security. It also notes that the industry is poised for transition and that women could be natural leaders.

“One of the major conclusions in the research is that this industry is changing significantly, and women are in a good position to lead that change as well as thrive in the changed environment,” wrote Julie Peeler, (ISC)2 foundation director, in an email to Baseline. “For example, the information security industry was initially defined as a subfield in information technology; now the industry is evolving to include legal issues, risk assessment and compliance issues, and with that redefinition of the industry, new sets of skills are desired.”

Women’s emphasis on the importance of training, as indicated in the study, shows that they believe education is critical across a workforce, not just for select security professionals. In fact, in seven out of eight categories—including those for cloud computing, mobile device management and information risk management—women were stronger advocates than men for workforce training. Only in one category, forensics, did women and men emphasize workforce education equally.

In addition, female information security professionals reported that they were more likely to spend time handling governance, risk and compliance (GRC) issues. This responsibility typically requires planning across different departments and that may aptly fit women’s communication skill sets.

“When we look at where the field is heading in the future and how the lines are being blurred to include things like risk management and GRC, the number-one sought-after skill set is that of a security analyst,” Peeler said. “By and large, women are more likely to possess this skill set than men.”

The research also reports that women are more likely than men to be employed in occupations such as technical or security advisors or consultants, executives, and project or operations managers, while men are more likely to be employed as security engineers, security systems administrators, network administrators, and network, security or software architects. The study also showed that more male respondents had undergraduate degrees in computer and information sciences, engineering and engineering technologies. In contrast, female respondents had more degrees in business, math, the social sciences and communications.

Peeler wrote that she once spoke with a senior executive at a large firm who told her, “I’d rather recruit someone with a liberal arts [degree] because I can teach them the IT skills, but I can’t always teach an IT person the human skills.” In response, she pointed out that “companies need to be flexible in their recruiting practices and policies.”

Peeler believes that women security professionals can have a positive impact on end-user compliance. Women’s understanding of human behavior could enable them to “apply those skills when trying to get compliance from end users,” she explained.

Women information security professionals may also thrive as leaders in an organization because they often have the diverse background and skills necessary to bridge the communication gap with departments and employees outside the IT and security organizations.

“Communication skills are paramount in your ability to sell security policy and risk management within an organization,” she concluded.

[Source: Baseline]
