A First Look at the Target Intrusion, Malware

Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

The seller of the point-of-sale “memory dump” malware allegedly used in the Target attack.

In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.

This type of malicious software parses data that sits briefly in the memory of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, US-CERT issued a detailed analysis of several common memory-scraping malware variants.

Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.

‘BLACK POS’

On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec. The report generated by that scan was very recently removed, but it remains available via Google cache (Update, Jan. 16, 9:29 a.m.: Sometime after this story ran, Google removed the cached ThreatExpert report; I’ve uploaded a PDF version of it here).

According to sources, “ttcopscli3acs” is the Windows computer name/domain used by the POS malware planted at Target stores; the username that the malware used to upload stolen data was “Best1_user”; the password was “BackupU$r”.

According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed in this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls “Reedum” (note that the Windows service name of the malicious process, “POSWDS”, is the same as in the ThreatExpert analysis). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.
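The article names three host-level indicators for this malware: the service name “POSWDS”, the machine name “ttcopscli3acs” and the upload account “Best1_user”. As an added defensive example (this is not code from the article, from Symantec or from ThreatExpert), the following Python sweep matches those indicators against Windows-style event-log text so an analyst can scope which registers reported them. The log lines, host names and timestamps are constructed for illustration; the event IDs used in the samples (7045, 4624, 5140) are the standard Windows Security/System log numbers for service installation, logon and share access.

```python
"""Indicator sweep over constructed Windows-style log lines.

Added example, not from the KrebsOnSecurity article: matches the indicators the
article attributes to the Target POS malware (service name "POSWDS", machine
name "ttcopscli3acs", upload account "Best1_user") against event-log text.
"""
import re
from collections import defaultdict

# Indicators reported in the article. Word-bounded, case-insensitive matching so
# "POSWDS" does not fire on an unrelated token that merely contains it.
INDICATORS = {
    "service_name": r"\bPOSWDS\b",
    "machine_name": r"\bttcopscli3acs\b",
    "upload_account": r"\bBest1_user\b",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}

# Constructed sample lines (not real Target telemetry). Format per line:
# <timestamp> <reporting host> EventID=<id> <event text>
SAMPLE_LOG = """\
2013-11-27T02:14:09Z REG01 EventID=7045 A service was installed in the system. Service Name: POSWDS Service File Name: C:\\Windows\\System32\\svchost.exe -k netsvcs
2013-11-27T02:14:10Z REG01 EventID=4624 An account was successfully logged on. Account Name: cashier07 Logon Type: 2
2013-11-28T03:00:01Z REG01 EventID=5140 A network share object was accessed. Account Name: Best1_user Share Name: \\\\ttcopscli3acs\\c$
2013-11-28T03:00:02Z REG02 EventID=4624 An account was successfully logged on. Account Name: Best1_user Workstation Name: ttcopscli3acs Logon Type: 3
2013-11-28T09:12:44Z REG03 EventID=7036 The Print Spooler service entered the running state.
"""


def scan(log_text):
    """Return {indicator_name: [line_numbers]} for every indicator that fires.

    Line numbers are 1-based so they can be quoted directly in a ticket.
    """
    hits = defaultdict(list)
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return dict(hits)


def hosts_with_hits(log_text):
    """Return the set of reporting hosts (second field) with at least one hit.

    Scoping matters: one register reporting the service name is a different
    incident from the whole fleet reporting it.
    """
    hosts = set()
    for line in log_text.splitlines():
        fields = line.split(" ", 2)
        if len(fields) < 3:
            continue
        if any(pattern.search(line) for pattern in PATTERNS.values()):
            hosts.add(fields[1])
    return hosts


if __name__ == "__main__":
    for name, lines in sorted(scan(SAMPLE_LOG).items()):
        print(f"{name}: lines {lines}")
    print("hosts with hits:", sorted(hosts_with_hits(SAMPLE_LOG)))
```

The account and machine indicators fire together on the share-access and network-logon lines, which is the pattern the article describes: the infected registers pushing dumps to an internal drop host under a dedicated account. The service-name indicator fires only on the service-installation event, so a sweep of System-log 7045 events is the cheapest place to start.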

The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.

That source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.

According to the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.

THE ATTACK

Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke into Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered up by all of the infected point-of-sale devices.

“The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps.”

It’s not clear what type of software powers the point-of-sale devices running at registers in Target’s U.S. stores, but multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS). Target’s Canadian stores run POS devices from Retalix, a company recently purchased by payment hardware giant NCR. According to sources, the Retalix POS systems will be rolled out to U.S. Target locations gradually at some point in the future.

WHO IS ANTIKILLER?

Image: Securityaffairs.co

A fuller, Breadcrumbs-level analysis of this malware author will have to wait for another day, but for now there are some clues already dug up and assembled by Russian security firm Group-IB.

Not long after Antikiller began offering his BlackPOS crimeware for sale, Group-IB published an analysis of it, stating that “customers of major US banks, such as Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware.”

In his sales thread on at least one crime forum, Antikiller has posted a video of his product in action. As noted by Group-IB, there is a split second in the video where one can see a URL underneath the window being recorded by the author’s screen capture software, which reveals a profile at the Russian social networking site Vkontakte.ru. Group-IB goes on to link that account to a set of young Russian and Ukrainian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hacktivist collective known as Anonymous.

One final note: Dozens of readers have asked whether I have more information on other retailers that were allegedly victimized along with Target in this scheme. According to Reuters, “smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target.” Rest assured that when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.

[Source: KrebsonSecurity]

Top 10 InfoSec Careers Influencers

CareersInfoSecurity presents its first ranking of 10 individuals shaping the way that organizations and leaders approach information security careers in 2014.

Each of these Influencers has a substantial impact on InfoSec careers. Their influence ranges from education and training to recruitment, research and management.

Our selections include some of the nation’s most recognized leaders in promoting information security careers. But they also include a few individuals who focus on growing the profession behind the scenes.

How did we choose the Influencers? We queried our board of advisers and other information security thought-leaders to identify candidates, with the editors making the final decision. Influencers are listed alphabetically.


Follow Tom Field on Twitter: @SecurityEditor

[Source: CareersInfoSecurity]

FREE Ways to Earn Continuing Professional Education (CPE) Credits for Your InfoSec Certification

You have earned your certification!  Congratulations!

Qualifying for, and studying for an InfoSec exam is not an easy task, and you should be proud of your accomplishment. But once the glow of accomplishment has worn off and you have framed your certificate, there is the nagging problem of earning the Continuing Professional Education (CPE) credits to remain in good standing in your organization.

For some folks this is an easy task.  Credits may be earned through the simple act of attending conferences and meetings of sponsored chapter organizations.  However, many of these meetings and conferences are not free. This presents a problem for a newly certified professional who may not have the money to attend these events.

Fortunately, there are plenty of free ways to earn your CPEs.

To avoid having the CPE rejected, one should fully understand the intent of the requirement. The reason for the CPE is to stay abreast of new developments and to remain active in the InfoSec community.  While some of the certifying authorities are very strict about the subject matter, others are more permissive.  For example, if you have a Certification from the EC-Council as a Certified Ethical Hacker, they insist that all your CPE credits are related to InfoSec, so if you submit a CPE for a general book about Ethics, it will be rejected unless it has a chapter that specifically addresses “Computer Ethics”.  On the other hand, if you have a certification from ISC2, they will freely accept a CPE for study of general ethics.  This is not a criticism of either organization; it is presented to illustrate the differences in certifying authorities.

Some CPE credits are classified into different categories.  ISC2 has different credits for the “core” disciplines (such as the ten domains of the CISSP) which they call “Type A” credits, and alternate “Type B” credits.  Type B credits could be just about any field of knowledge that shows that you are committed to learning.  For example, if you study a foreign language, you may submit that for a type B credit.  Have you brushed up on your math skills lately?  Claim a type B credit.

If you carry a certification that requires 120 CPE Credits over 3 years, the math breaks down very easily to just 3.33 hours a month over 36 months.  This means that you can clock 1 hour each week and still end up with a surplus!  This sounds like a lot, but it is easily manageable.

Here are some recognized methods for CPE credit.

One of the simplest methods is to install a podcast app on your mobile device and subscribe to some podcasts related to your certification and the podcasts will be ready when you are. No need to visit each podcast URL site hunting for what’s new; you can browse from your app. If you listen to as little as 15 minutes over 4 days, that is an hour for that week.  Webcasts are also available (and most are provided for replay if you cannot attend the live webcast).

Some excellent podcasts include (in no specific order):
PaulDotCom.com “Drunken Security” and “Security Weekly”. http://www.PaulDotCom.com (also available on video at http://securityweekly.com/watch )

BrightTalk: Offering webcasts from notable organizations such as SANS and other reputable InfoSec vendors. https://www.brighttalk.com/

Steve Gibson’s “Security Now!” broadcast on “The Week In Tech” (TWIT). Gibson also makes his entire webcast available in multiple formats, including text transcripts.
https://www.grc.com/securitynow.htm

Down the Security Rabbit Hole: http://podcast.wh1t3rabbit.net/

Bank Info Security http://www.bankinfosecurity.com/ – You can achieve InfoSec benefits from this site even if you do not work at a bank.

This is by no means a comprehensive list, so please seek whatever educational avenues that work best for you. Most important is to try to go beyond your own area of expertise.  Take your weakest topics and focus on strengthening them.

The worst that can happen is that the CPE is rejected, in which case you may appeal the rejection, or that it is “audited”.  People shudder when they hear the word “audit”.  Will the auditors come to your house with subpoenas and start searching through your closets?  No, the audit process is nothing like that at all.  It is generally an E-Mail notice to which you may respond with further information about the CPE that you submitted.  The easiest way to avoid the audit process is to take some notes while you are listening to a presentation.  If the podcast offers transcripts or slides, those may be submitted for verification as well.

As you can see, the CPE credits are easy to maintain, and like the doctors, attorneys, and accountants, it helps us to keep current in our field and advances the maturity of the InfoSec profession.

Bob Covello, CISSP, C|EH
Sandy Tyson, CISSP

[Source: (ISC)²]

The New Face of Data Security Professionals: Women

A new report states that women possess the communication skills and diverse academic backgrounds needed to bolster security performance in the enterprise.

A new report states that though women make up just 11 percent of the global information security workforce, they possess the communication skills and diverse academic backgrounds needed to bolster security performance in the enterprise.

Market research firm Frost & Sullivan interviewed 5,814 information security professionals for “Agents of Change: Women in the Information Security Profession,” which is sponsored by (ISC)2 and Symantec. Respondents came from businesses that had workforces of more than 500 employees.

The research reveals that women’s tendency to have strong communication skills and a broad understanding of the security field are essential to enhancing information security. It also notes that the industry is poised for transition and that women could be natural leaders.

“One of the major conclusions in the research is that this industry is changing significantly, and women are in a good position to lead that change as well as thrive in the changed environment,” wrote Julie Peeler, (ISC)2 foundation director, in an email to Baseline. “For example, the information security industry was initially defined as a subfield in information technology; now the industry is evolving to include legal issues, risk assessment and compliance issues, and with that redefinition of the industry, new sets of skills are desired.”

Women’s emphasis on the importance of training, as indicated in the study, shows that they believe education is critical across a workforce, not just for select security professionals. In fact, in seven out of eight categories—including those for cloud computing, mobile device management and information risk management—women were stronger advocates than men for workforce training. Only in one category, forensics, did women and men emphasize workforce education equally.

In addition, female information security professionals reported that they were more likely to spend time handling governance, risk and compliance (GRC) issues. This responsibility typically requires planning across different departments and that may aptly fit women’s communication skill sets.

“When we look at where the field is heading in the future and how the lines are being blurred to include things like risk management and GRC, the number-one sought-after skill set is that of a security analyst,” Peeler said. “By and large, women are more likely to possess this skill set than men.”

The research also reports that women are more likely than men to be employed in occupations such as technical or security advisors or consultants, executives, and project or operations managers, while men are more likely to be employed as security engineers, security systems administrators, network administrators, and network, security or software architects. The study also showed that more male respondents had undergraduate degrees in computer and information sciences, engineering and engineering technologies. In contrast, female respondents had more degrees in business, math, the social sciences and communications.

Peeler wrote that she once spoke with a senior executive at a large firm who told her, “I’d rather recruit someone with a liberal arts [degree] because I can teach them the IT skills, but I can’t always teach an IT person the human skills.” In response, she pointed out that “companies need to be flexible in their recruiting practices and policies.”

Peeler believes that women security professionals can have a positive impact on end-user compliance. Women’s understanding of human behavior could enable them to “apply those skills when trying to get compliance from end users,” she explained.

Women information security professionals may also thrive as leaders in an organization because they often have the diverse background and skills necessary to bridge the communication gap with departments and employees outside the IT and security organizations.

“Communication skills are paramount in your ability to sell security policy and risk management within an organization,” she concluded.

[Source: Baseline]

5 Surprising Security Gains Achieved From Security Analytics

Getting the most out of big data sets and seemingly unrelated security information

Ericka Chickowski

As more CISOs begin to lean on data scientists to discover new threats in security feeds and more IT security departments institute security analytics programs, infosec pros have started to reap the obvious benefits of security analytics. Most evident among them is broader and deeper visibility into IT security data sources, which in turn offers a better understanding of security risks and faster response times.

But as security programs mature their analytics practices, they often find themselves surprised at the discrete benefits they start seeing from programmatic exploration of security-related data feeds. Here are just a few of the top positive surprises.

1. Uncover Data Leaks You’d Never Guess You Had
One of the first jolts that security analytics programs may give your organization is concrete evidence of data leaks it never before suspected were happening.

“The one that comes up regularly is that they discover leaks that have been ongoing for some time,” says Matthew Gardiner, senior product marketing manager for RSA.

As he explains, this may not even be a leak at the hands of some kind of complicated nation-state spying, or even data that’s being stolen by a crime syndicate.

“They’re just leaks caused by data moving out of the enterprises to places the organization didn’t know about, didn’t expect and maybe doesn’t like,” he explains. “The question then is figuring out what to do about that flow of data at that point.” [Are you getting the most out of your security data? See 8 Effective Data Visualization Methods For Security Teams.]

2. Sniff Out Questions You Didn’t Know Needed Asking Before
The huge amount of unstructured data pumped out by IT infrastructure and security tools makes it difficult for security analysts to even begin querying data for answers to common questions about the organization’s risk posture. The simple act of organizing analytics programs to answer those obvious questions may turn up unexpected returns, as other patterns emerge to answer questions that the team may never have thought to ask.

“Often companies may not know exactly what they are looking for or what exact problem they want to solve before the data is stored and made accessible,” says Dan Hubbard, CTO of OpenDNS. “Analytics can uncover security intelligence and capabilities that we would otherwise have no way of knowing is possible.”

What’s more, the visualization of those trends can also help better communicate risks to the business and start collaboration with business leaders who may start to come up with their own important questions to be answered based on data that was never as accessible without analytics.

“They start to ask good questions, so it gives a different perspective on not only what you should be looking at but how you should be looking at it,” says Ron Schlecht, managing partner for security service provider BTB Security. “It’s a good way to collaborate with different business leaders and it starts to pull together why security is important to the overall organization.”

3. Make Connections Between Data Sources You Might Not Have Made Before
Oftentimes security analytics programs will start making associations between data sources that a security team may never have uncovered on its own.

“Most security analytics programs require feeding data from multiple sources into a single engine for processing to look at patterns and anomalies,” says Corey Lanum, general manager for North America at Cambridge Intelligence. “When I’m working with customers who are loading in data from disparate sources, they will often immediately see connections between individual data elements that were previously stored in different databases and had no connection.”

For example, one police agency his firm worked with extended its security analytics engine out toward information sources about offenders and crime, including 911 call information, jail records and the like.

“After loading in their crime reports and pawn shop records, we immediately started to see connections,” Lanum says. “It was immediately obvious that stolen property was being sold at pawn shops in the same general neighborhood of the theft. We generated leads on several burglaries on the first day we were using the software.”

This kind of modeling can easily translate to finding connections between disparate parts of the network, different departmental information and so on.

4. Discover operational IT issues you never knew were there
The benefits of security analytics programs may well extend beyond IT security and bleed into IT operations as well. In many cases, the modeling and dot-connecting performed on security data can uncover IT operational problems that could impact availability, workflow and efficiency department-wide.

“One benefit that has surprised many companies is that the security analytics have also helped find operational IT issues, likely due to the sheer volume of information and depth of insight that can be gained with a proper analytics program,” Schlecht says.

For example, when he worked in-house years ago he found that a new analytics program not only helped identify security issues but was also able to pinpoint development issues in the company’s applications that were draining many hours of troubleshooting from its dev team. A look at application and security event logs for something completely unrelated ended up helping to spot the root cause of the development frustration.

5. Find policy violations you didn’t know were happening
Another beneficial surprise offered up by analytics, one that can often be a bit of a double-edged sword, is the discovery of policy violations across the organization. They won’t always be malicious, but they’re there, and the difficult thing about it is that once the team has seen these violations, it can’t unsee them, no matter how inconvenient the response may be.

“You hear about rogue cloud services and with analytics you’ll see they’re very real,” Gardiner says. “It’s beneficial because you have better visibility, but you can’t be an ostrich once you see it. You have to do something about it and make the determination of whether it’s important and whether you have to investigate it and respond.”

[Source: DarkReading]
