SpearTip, LLC

Broad New Hacking Attack Detected

tcaraffa — Thu, 18 Feb 2010 17:34:03 +0000

Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft. While the damage is still being assessed, it is clear that the cyberattack took a wide array of data from the companies including credit-card transactions and intellectual property. This latest hacking operation is still running and its level of containment to this point is unknown. The full amount of data stolen and how it was or is being used is also unclear at this time.

Starting in 2008, hackers were able to breach corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses. In more than 100 cases since then, hackers have gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

This is just another example of the dangers workers in any organization are exposed to daily. Without the proper awareness and training on these issues it is very easy for anyone to unwillingly make the mistake of visiting Web sites that are harmful to their corporation’s servers.

You can read the full article here: Broad New Hacking Attack Detected

New “Bugat” Trojan Harvesting Banking Credentials

tcaraffa — Wed, 17 Feb 2010 17:24:42 +0000

In January, SecureWorks researchers discovered a new banking trojan, “Bugat”, was being used to steal the financial credentials of customers of more than a dozen large and mid-sized US banks. The trojan operates similar to other data-stealing malware like “Zeus” and “Clampi” in that it monitors its infected users web browsing activity and searches for the URLs of targeted financial institutions, stealing credential information and relaying it back to the criminals’ hands. The “Bugat” trojan also has phishing capabilities that attempt to cipher additional information by modifying banking login pages to ask users for information like their PIN number and mother’s maiden name. While this trojan does not appear to be widespread, the introduction of “Bugat” shows that there is a criminal market for malware designed for financial data theft.

While the article downplays the immediate seriousness of this issue form the big-picture point of view, the facts I find most alarming are in the new capabilities not commonly found in banking trojans. The fact that this trojan uses HTTPS to secure its command-and-control communications to keep stolen data safe from other hackers and also has the functionality to steal FTP credentials, brings to light a whole new level of features that could be potentially damaging and harder to catch. Trojans have and always will be constantly improving on older models to make them less detectable and harder to prevent against. This is why it is so important to stay updated on your defense against them and other attacks.

You can read the full article of this summary and analysis here: New “Bugat” Trojan Harvesting Banking Credentials

Old Security Flaws Still a Major Cause of Data Breaches, Says Report

tcaraffa — Thu, 11 Feb 2010 17:31:56 +0000

In today’s cybersecurity environment, new security threats develop on a frequent basis. This fact is causing many companies to over-emphasize the latest security issues and overlook older, yet far more frequently exploited vulnerabilities.

In a report conducted by TrustWave, analysis showed that major companies are employing “vulnerability chasers” to search out the latest vulnerabilities and zero-day threats while overlooking the most common ones. The result of these “vulnerability chasers” is the continued impact of old and supposedly well-understood vulnerabilities.

The report discovered that the top three ways hackers gained initial access to networks in 2009 were via remote access applications, trusted internal network connections, and SQL injection attacks – all three of which have been well researched and established for up to 10 years. In most cases the report found that the vulnerabilities unearthed were common, well-understood, and should have been addressed long ago.

There are several measures you can take to mitigate the risks posed by older and often overlooked vulnerabilities. One step is to maintain a complete asset inventory due to the risk unknown assets pose to data. Maintaining an up to date list is vital to protecting them. It is also necessary to decommission older legacy systems and keep a close monitoring process on third-party relationships to make sure they are not introducing unwanted vulnerabilities.

You can read the full article here: Old Security Flaws Still a Major Cause of Data Breaches

PlainsCapital Suing Customer Hillary Machinery Over Cybersecurity

tcaraffa — Mon, 08 Feb 2010 18:21:10 +0000

Beginning on November 9th, cyberthieves transferred $801,495 from Hillary Machinery Inc.’s PlainsCapital bank account. Once alerted to the issue, PlainsCapital recovered nearly $600,000 of the missing funds. Following a letter from Hillary representatives demanding the rest of the money be replaced, PlainsCapital decided to sue its customer in federal court saying that Hillary’s security posture was at fault and the breach made PlainsCapital look unfavorable to the public. PlainsCapital claimed that it did not breach any of its obligations under its commercial agreement with Hillary and that the wire transfers were not by fault of the bank, as they were made by someone who accessed Hillary’s account information through Hillary’s own computer systems. While Hillary acknowledges that the cyberattack occurred after someone acquired the company’s Internet banking user name and password and logged into its account, they have not yet determined how exactly this happened.

Recent updates to this story include that Hillary Machinery is filing a counter-lawsuit against PlainsCapital. A situation like this has been a long time coming and will have very broad and powerful implications for the banking industry and its customers. Every sized organization should be thinking about what has happened here. What does your contract with your bank look like? Does it mention you having the responsibility to take reasonable caution? Does it imply that your bank is responsible for any breach? Is it mentioned that it’s the bank’s responsibility to identify every transfer of funds as being done by the appropriate sources? The implications of this case are far-reaching and the outcome could permanently change the way corporations and banks interact.

Read the full article of this summary and analysis here: PlainsCapital Suing Hillary Machinery

Google to Enlist NSA to Help It Ward Off Cyberattacks

tcaraffa — Thu, 04 Feb 2010 18:18:55 +0000

In response to a series of intrusions targeting Google source code in December 2009, The National Security Agency (NSA) and Google are in negotiations that sources say would build a better defense of Google networks while aiding the US effort to defend cyberspace. The partnership would allow the NSA to help Google understand whether it has the necessary defenses in place by evaluating vulnerabilities in hardware and software, calibrating the sophistication of adversaries, and determining what methods are being used to penetrate Google’s systems. An alliance between these two organizations would strike at the core of one of the most fundamental issues in cybersecurity – how to balance privacy rights and national security interests. Though sources say this partnership is being designed to allow the organizations to share important information without violating Google’s policies or laws that protect the privacy of Americans’ online communication, many are concerned about the heavy government involvement in private sector operations.

The potential of Google partnering with the NSA is a very scary situation. Private firms working with the government to solve security problems is not the answer to keeping organizations safe. To suggest that Google needs to form a partnership with the NSA will cause massive damage to Google’s brand. The type of firm that should be handling the security of private companies is fellow private companies like SpearTip. Bringing the NSA into this type of situation causes companies to fear the NSA more than they fear the actual ”bad guy”. SpearTip, along with other firms, can provide a proactive framework towards security posture for these corporations and are a much safer and more viable option than the NSA.

The full article of this summary and analysis can be found here: Google to Enlist NSA

RockYou Hack Reveals Most Common Password: ‘123456′

tcaraffa — Wed, 03 Feb 2010 18:16:50 +0000

RockYou, an application and service provider for social networking sites, was hacked through an SQL injection vulnerability resulting in the hacker obtaining more than 32.6 million user credentials. Analysis of the 32 million passwords obtained in the December 2009 RockYou hack has revealed the most common passwords used by individuals were ‘123456′, ‘12345, and ‘123456789′. RockYou password analysis also showed that nearly half of all users selected names, slang words, dictionary word, or consecutive digits for their password. Though this hack caused great damage for those impacted, it highlights the dire need for enterprises to enforce strong password policies.

Read the full article here: http://www.scmagazineus.com/rockyou-hack-reveals-most-common-password-123456/article/162071/

Corporate Account Takeovers Can Lead to Fraudulent Transactions

tcaraffa — Wed, 27 Jan 2010 18:09:53 +0000

NACHA’s ACH Operations Bulletin provides information on “corporate account takeover” – a type of cyber-crime targeting small and medium-sized business customers of financial institutions. Corporate account takeover allows cyber-criminals to gain control of a business’ bank account by stealing the business’ online banking credentials, most often by infecting business computer workstations and laptops with malware. Such malware infiltrates businesses via infected documents attached to an email, infected web sites embedded in an email as a link, or by users clicking on infected documents, videos, or photos on legitimate social networking websites. Once installed, malware provides the information that enables the cyber-thieves to impersonate the business in online banking transactions.

This bulletin also outlines the reasons smaller businesses and organizations are targeted, what a financial institution can do to protect itself and its customers, what to do if your financial institution’s customer is victimized, and how to spot a money mule. This document is intelligence vital to your business and your customers’ best interests. I highly recommend that you read the full document and take steps to ensure your business is protected from these threats. As always, feel free to contact me with questions and concerns.

Read the full Bulletin here: Corporate Account Takeovers Can Lead to Fraudulent Transactions

Application-Level Attacks Biggest Concern for ISP’s

tcaraffa — Wed, 20 Jan 2010 18:07:24 +0000

Arbor Networks’ 5th annual report reveals that IP network operators believe service and application-level attacks will cause the most problems in 2010. Released yesterday, the report surveyed 132 respondents from North America, South America, Europe, Africa, and Asia and found that following application-level attacks, Botnets are the second largest operational threat for organizations in the next twelve months. Arbor Networks also stated that the nature of attacks is shifting from volume-based to a more focused and targeted method of attack against cloud infrastructure.

Read the full article here:

http://www.scmagazineus.com/application-level-attacks-biggest-concern-for-isps/article/161758/

Spearphishing Attacks Out of China Targeted Source Code, Intellectual Property

tcaraffa — Fri, 15 Jan 2010 18:04:19 +0000

The mid-December wave of targeted attacks from China hit Google, Adobe, and at least 20 other large companies from the Internet, finance, technology, media, and chemical industries with custom-developed malware that was based on zero-day flaws. The attackers acted on behalf of the Chinese government and used a blend of intelligence and spearphishing email messages to lure users within victim companies to open infected documents that appeared to be from people they knew. These attacks show a new level of sophistication in malware as well as a shift from foreign nations attacking US military and defense towards attacking American industry and economy.

This Chinese malware quite often targets intellectual property, financial data, along with the obvious dual-purpose technology (commercial/military). There has been a recent moniker attached to this “collection network,” cited as (GhostNet) on several sites.

This recent discovery of attacks only references the Chinese and does not even address Eastern Europe/Russia. This is one of the greatest reasons SpearTip has staffed our growing team to include Russian, Italian, Farsi, Korean, and Chinese linguists to assist our corporate clients against these emerging threats.

You can find the full text of the source of this analysis at: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=222300840

- J. Kolthoff

SpearTip Featured in STL Commerce Magazine

tcaraffa — Wed, 11 Nov 2009 18:30:49 +0000

SpearTip’s Advisory Group was featured in the November-December issue of St. Louis Commerce Magazine. The article highlights the expansion of the group with four experienced business professionals.

The group includes Norm Tice, former Chairman of the Board at MasterCard International; Jerry McElhatton, former CTO and president of global technology operations at MasterCard; Bill Linnenbringer, retired partner at PricewaterhouseCoopers; and Carter Williams, former director with Boeing Ventures and founder of Boeing Chairman’s Innovation Initiative.