Archive for the 'Breaches' Category
August 24th, 2010 by Brian Honan
Monday the 23rd of August was a big day for many Irish students as their anxious wait to see if they had been accepted into their preferred third level college was finally over. Many logged onto their computers and nervously accessed the CAO website. However, many were unable to access the site as the CAO website was the victim of a malicious attack. According to a press release issued by the CAO yesterday “Access to the CAO website was affected because of a malicious attack from an unknown source this morning. The CAO website was available intermittently between 6.10 am and 1 pm today when the problem was resolved by CAO technical staff. The system is being monitored 24 hours a day to ensure continuity of online services.”
Without hard facts on exactly what type of DOS attack it was and other details of the attack it is difficult to make any judgement on the event. However, yesterday’s attack highlights that no matter what business your organisation is in you need to accept that once you are connected to the Internet you are a potential victim of an attack. At IRISSCERT, www.iriss.ie, we see attacks against Irish websites on a daily basis. Most of these attacks are by criminals targeting websites to use them to host their criminal activity, be that hosting a phishing site or spreading computer viruses.
Without the details of the attack it is hard to know what exactly happened. DOS attacks can take various forms: flooding the network link with so much traffic that legitimate users cannot reach the site; exhausting the server's CPU, memory or connection table so it cannot cope with the load; or exploiting bugs in the operating system, web server software or web application to crash the service or make it hang. The first two look like a sudden surge in traffic; the third may need only a handful of carefully crafted requests, which is why patching matters as much as bandwidth.
Defending against a DOS or DDOS attack can be difficult but some steps can be taken to reduce the risk of becoming a victim:
- Have appropriate perimeter defences in place such as firewalls and intrusion detection systems. Make sure they are configured properly, patched to the latest software release, and that the rule sets on these devices are reviewed regularly. Bear in mind that a firewall or IDS can itself be overwhelmed by a large volumetric flood, so it is not a complete answer on its own.
- Ensure you have adequate bandwidth with burst capacity (i.e. the ability to obtain more bandwidth at short notice) in the event an attack happens.
- Agree with your ISP or hosting provider that DOS defence capabilities, such as upstream filtering or traffic scrubbing, are built into the service you are getting from them; they can drop flood traffic before it reaches your link, which you cannot do from your own end.
- Keep all the software on the system patched and up to date with the latest releases so that you are protected from attacks that exploit software bugs.
- Make sure your incident response plans are documented and up to date, including who to contact at your ISP and how to tackle such an attack.
- Have logging and alerting enabled on the key systems so that an attack is detected as early as possible. A spike in requests per second, a single address making far more requests than any real user, or the server's connection table filling up are all signs that can be alerted on.
- For times that are crucial and demand is expected to be high you should have extra servers, or mirrored servers in multiple locations, configured to take the unexpected load.
There are other techniques that can be used to mitigate the impact of these attacks, but the bill soon starts getting higher and higher and it ends up as a contest of who has the most resources, the attacker or the defender.
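The logging and alerting point above is the one most organisations can act on immediately, so here is an added example (my own illustration, not code from the CAO or from IRISSCERT) of the simplest useful detection: counting requests per source address per ten-second window in a web server's access log. It applies two thresholds because a single-source limit on its own misses a distributed flood in which every address stays under the limit. The log lines, the addresses (from the RFC 5737 documentation ranges) and the thresholds are all constructed for the example; a real deployment would tune the limits from normal traffic rather than use the assumed values here.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Prefix of the Apache/nginx combined log format:
# source ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

WINDOW_SECONDS = 10       # bucket size for rate counting
PER_SOURCE_LIMIT = 100    # assumed: more than this from one address per window is a flood
TOTAL_LIMIT = 200         # assumed: more than this across all sources exceeds capacity


def parse_line(line):
    """Return (source_ip, timezone-aware datetime) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("src"), ts


def detect_floods(log_text, window=WINDOW_SECONDS,
                  per_source=PER_SOURCE_LIMIT, total=TOTAL_LIMIT):
    """Count requests per source per window and return alerts in time order.

    Two checks are needed: the per-source limit catches one host hammering the
    site, and the per-window total catches a distributed flood where every
    individual source stays under the per-source limit.
    """
    per_window = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip lines that do not parse
        src, ts = parsed
        bucket = int(ts.timestamp()) // window * window
        per_window[bucket][src] += 1

    alerts = []
    for bucket in sorted(per_window):
        counts = per_window[bucket]
        when = datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat()
        for src, n in counts.most_common():
            if n > per_source:
                alerts.append(("source_flood", when, src, n))
        volume = sum(counts.values())
        if volume > total:
            alerts.append(("volumetric", when, "*", volume))
    return alerts


def build_sample_log():
    """Constructed traffic (not real CAO logs): normal users, then one host
    flooding, then 50 hosts each sending a little, i.e. a distributed flood."""
    base = datetime(2010, 8, 23, 6, 10, 0, tzinfo=timezone(timedelta(hours=1)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(40):                      # one legitimate request per second
        ts = base + timedelta(seconds=i)
        lines.append(f'203.0.113.{i % 20 + 1} - - [{ts.strftime(fmt)}] '
                     f'"GET /results HTTP/1.1" 200 2048')
    for i in range(250):                     # 25 req/s from one address for 10 s
        ts = base + timedelta(seconds=10 + i // 25)
        lines.append(f'192.0.2.50 - - [{ts.strftime(fmt)}] "GET /login HTTP/1.1" 200 512')
    for i in range(250):                     # 50 addresses, 5 requests each, in 10 s
        ts = base + timedelta(seconds=20 + i // 25)
        lines.append(f'198.51.100.{i % 50 + 1} - - [{ts.strftime(fmt)}] '
                     f'"GET /login HTTP/1.1" 200 512')
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Run against the constructed log this reports one source flood from 192.0.2.50 (250 requests in a window) and two volumetric alerts, the second of which comes from the 50-address flood that no per-source rule would have caught. Counting in fixed windows is deliberately crude; it is the sort of thing that can run from a cron job on the log file and page someone, which is what "detect such an attack as early as possible" needs in practice.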
I was interviewed by the RTE 9 o’clock news and the Irish Times on this matter.
October 7th, 2009 by Brian Honan
Various news media are reporting that over 30,000 email accounts belonging to users of web based email providers such as Gmail, Yahoo! Mail, Hotmail and AOL (to name a few) have been compromised. It is unclear yet as to the exact nature of the compromise. Some reports state that the accounts were compromised by a phishing attack. Others, including some of the sources I have spoken to, state that the accounts were compromised as the result of a trojan or keylogger infecting the victims' machines.
Either way, if you use a webmail service you should change your password. Also make sure you do not use the same password across different systems, because if your email password has been compromised then those other systems could be accessed by the criminals. If you are responsible for managing the security of your organisation then consider that some of your users may use the same password for their personal email and their corporate account, so a compromised personal account can become a compromised corporate one. Monitor your access logs and, if you detect any suspicious activity, such as successful logins from countries your users are not based in or one account logging in from two countries within a short space of time, react accordingly. The CyberCrime & Doing Time blog has a good post on the topic which analyses how they believe the attack may have happened.
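As an added illustration of the log monitoring suggested above (my own example, not code from any of the providers or from the blog post mentioned), the following script reads authentication log lines and flags two things: a successful login from a country a user does not normally log in from, and two successful logins for the same account from different countries closer together than a person could travel. The log format, the IP-to-country table standing in for a real GeoIP database, the user baselines and the one-hour travel window are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP lookup (assumption): these prefixes are
# documentation ranges and the country codes are illustrative only.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "IE"),
    (ip_network("198.51.100.0/24"), "GB"),
    (ip_network("192.0.2.0/24"), "NG"),
]

# Assumed baseline: the countries each user normally logs in from.
USER_HOME = {
    "alice": {"IE"},
    "bob": {"IE", "GB"},
}

# Assumed log line shape: "<ISO time>Z LOGIN OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def country_of(ip):
    """Map an address to a country code via the constructed table."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"   # unknown: treated as not-home, so it gets flagged


def detect_suspicious_logins(log_text, travel_window_minutes=60):
    """Flag successful logins from outside a user's usual countries, and
    successful logins from two different countries closer together than the
    travel window allows. Failed attempts are ignored here. Returns alerts
    in log order."""
    alerts = []
    last_ok = {}   # user -> (time, country) of the previous successful login
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["result"] != "OK":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        user, src = m["user"], m["src"]
        cc = country_of(src)

        if cc not in USER_HOME.get(user, set()):
            alerts.append(("foreign_country", user, src, cc))

        prev = last_ok.get(user)
        if prev is not None and prev[1] != cc:
            minutes = int((ts - prev[0]).total_seconds() // 60)
            if minutes < travel_window_minutes:
                alerts.append(("country_change", user, f"{prev[1]}->{cc}", minutes))
        last_ok[user] = (ts, cc)
    return alerts


# Constructed sample log, not a real provider's data.
SAMPLE_LOG = """\
2009-10-06T08:12:01Z LOGIN OK user=alice src=203.0.113.10
2009-10-06T08:15:30Z LOGIN FAIL user=alice src=192.0.2.44
2009-10-06T08:16:02Z LOGIN OK user=alice src=192.0.2.44
2009-10-06T09:00:00Z LOGIN OK user=bob src=198.51.100.5
2009-10-06T12:30:00Z LOGIN OK user=bob src=203.0.113.9
"""

if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

On the sample, alice's login from the NG range four minutes after an Irish one produces both alerts, while bob's Irish login three and a half hours after a British one produces none because both countries are in his baseline and the gap is outside the travel window. The baseline is the part that needs care in a real deployment: it should be learned from a period of known-good logins per user, not set once for everyone.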
I was interviewed by both the SiliconRepublic and RTE today on this issue.
June 18th, 2009 by Brian Honan
Bord Gais recently announced that they lost the personal details of 75,000 customers on a laptop that was stolen, with three others, from one of their offices. What is very disappointing is that the laptop with the details of the 75,000 customers was not encrypted. Given the huge publicity last year over the loss of unencrypted laptops by Bank of Ireland and the HSE, it is astounding that something like this should happen.
Unfortunately I am not surprised. Many companies still take a cavalier approach to the data their customers entrust to them. That information is not seen as belonging to the customer but rather as now belonging to the company, which can therefore do with it what it wants. This is not so. Personal information entrusted to an organisation, whether by customers or staff, still belongs to those individuals and the organisation becomes a custodian of that information. This is one of the key tenets of our Data Protection Act.
Let's take a closer look at the word “custodian” to see what it actually means. According to Webster's a custodian is “one that guards and protects or maintains ; especially : one entrusted with guarding and keeping property or records or with custody or guardianship of prisoners or inmates” (emphasis mine).
So does putting personal sensitive information on something that is very portable, highly attractive to thieves and with little or no protection (and no, “advanced password protection” does not secure the data) qualify someone to be a custodian of that information? I think not.
We should also consider why that amount of sensitive information was available to download onto a laptop in the first place. Why was it not kept on a secure server in a secure server room, where there would be proper security controls, both logical and physical, and accessed from there only as needed?
I have no doubt that despite the publicity surrounding this story and the loss of the laptop earlier this week by the HSE we will have a similar incident in the not too distant future. Until tougher legislation is introduced that penalises companies for not protecting the data it is entrusted with this story will repeat itself again and again.
I was asked by RTE Radio 1′s Morning Ireland program to explain what encryption is and to give my thoughts on the issue. You can hear the podcast of the segment on their website.
January 29th, 2009 by Brian Honan
More details are available as to how the breach occurred at Heartland, resulting in potentially the biggest breach ever, covering nearly 100 million credit card transactions. Investigators discovered that a piece of malware was hidden in an unallocated portion of disk on one of the Heartland servers.
What puzzles me though is:
- How did a user have the rights to install the malware on the system? Was it an administrator that was duped into loading the malware?
- Why did the monitoring of the logs on the servers not detect any strange behaviour?
- Where was the pilfered data being sent to? If it was sent outside Heartland's network, surely egress filtering or monitoring of outgoing traffic would have flagged the suspicious behaviour? Card-processing servers have no business opening connections to arbitrary Internet hosts, so a deny-by-default outbound policy with alerting on anything outside the allowed list would either have blocked the exfiltration or at least made it visible.
The CEO of Heartland has also said that if other payment processors who had previously suffered breaches had shared their experiences then maybe Heartland would have been better prepared to prevent this type of attack. It will be interesting to see if he lives up to his own statement and publishes details of this attack so others can learn from it.
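To make the egress monitoring point concrete, here is an added example (my own illustration; nothing is known about Heartland's actual network or controls) that audits outbound flow records from a sensitive server segment against an allow list of permitted destinations, and separately totals the bytes sent to each unexpected destination so that a large transfer stands out even if each individual connection is small. The segment addresses, the allow list, the flow-log format and the 50 MB bulk threshold are all assumptions made for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed layout, not Heartland's: card-processing servers sit in
# 10.10.0.0/24 and may only initiate connections to the listed destinations.
CARD_SEGMENT = ip_network("10.10.0.0/24")
INTERNAL = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
ALLOWED_EGRESS = {
    ("10.20.0.5", 1433),   # database server
    ("10.20.0.9", 443),    # internal patch/update server
}
BULK_BYTES = 50_000_000   # assumed: more than this to one destination warrants a look

# Assumed flow-log shape: "<time> src=<ip> dst=<ip> dport=<port> bytes_out=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def is_internal(ip):
    """True if the address falls in one of the RFC 1918 private ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def audit_egress(log_text, bulk_threshold=BULK_BYTES):
    """Return one alert per connection from the card segment that is not on
    the allow list (tagged external or unexpected-internal), followed by a
    bulk-transfer alert for each destination whose total bytes exceed the
    threshold."""
    alerts = []
    per_dst = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        src, dst = m["src"], m["dst"]
        dport, nbytes = int(m["dport"]), int(m["bytes"])
        if ip_address(src) not in CARD_SEGMENT:
            continue                      # only the sensitive segment is policed here
        if (dst, dport) in ALLOWED_EGRESS:
            continue
        kind = "unexpected_internal" if is_internal(dst) else "external_egress"
        alerts.append((kind, src, dst, dport, nbytes))
        per_dst[dst] += nbytes
    for dst, total in per_dst.items():
        if total > bulk_threshold:
            alerts.append(("bulk_transfer", dst, total))
    return alerts


# Constructed flow records, not real traffic.
SAMPLE_FLOWS = """\
2009-01-20T02:00:01Z src=10.10.0.7 dst=10.20.0.5 dport=1433 bytes_out=8192
2009-01-20T02:00:05Z src=10.10.0.7 dst=10.20.0.9 dport=443 bytes_out=1024
2009-01-20T02:01:10Z src=10.10.0.7 dst=198.51.100.23 dport=443 bytes_out=40000000
2009-01-20T02:05:10Z src=10.10.0.7 dst=198.51.100.23 dport=443 bytes_out=30000000
2009-01-20T02:06:00Z src=10.10.0.8 dst=10.30.0.2 dport=22 bytes_out=512
2009-01-20T02:07:00Z src=10.50.0.3 dst=198.51.100.99 dport=80 bytes_out=2048
"""

if __name__ == "__main__":
    for alert in audit_egress(SAMPLE_FLOWS):
        print(alert)
```

On the sample records the two database and patch-server connections pass, the two HTTPS connections from a card server to an outside address are flagged individually and then again as a 70 MB bulk transfer, the SSH hop to an unlisted internal host is flagged as unexpected, and the connection from a host outside the card segment is ignored. The same allow list, expressed as firewall rules rather than a log audit, is what would have blocked the traffic in the first place; the audit is the detective control that tells you the rules are missing or being bypassed.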
Do take the time to read the article as it is a fascinating read into how the breach occurred.
January 21st, 2009 by Brian Honan
Courtesy of Brian Krebs of the Washington Post it appears that the largest ever breach of credit card data may have occurred. It appears that a payment processor company in the United States, Heartland Payment Systems, discovered malware on their network that may have captured the credit and debit card details of over 100 million cards. The data captured include names, credit and debit card numbers and expiration dates.
There are no details yet as to how the malware got onto their network, what type of malware it is, or the type of systems infected. Often when I do security assessments for clients I see strong malware controls on desktops and servers, but the network itself is one area that is overlooked. Routers, switches and other network components are often never looked at once they have been installed. These devices invariably are not included in any vulnerability or patch management strategies and will probably not have been upgraded, reviewed or tested since they were installed. This leaves a gaping hole in your security infrastructure, as once an attacker controls a router or switch they have access to all the unencrypted data that passes through it.
Another item to consider is what monitoring was in place to detect any suspicious behaviour. Again this is often something I find clients overlook as part of their information security infrastructure. The article does explain that Heartland found the malware as the result of an investigation so to be fair it is possible that their monitoring systems alerted them to some suspicious behaviour. However, until more details are available we can only rely on speculation at the moment.
No doubt questions will be asked as to whether or not Heartland was PCI compliant. To me this is a non-issue. If you have implemented a strong information security infrastructure then PCI compliance, or indeed any compliance, will practically be a side benefit. As always I will repeat the mantra, just because you are compliant does NOT mean you are secure.
I await more details on this breach with interest. As always we should use all of these breaches as an opportunity for ourselves to learn how better to protect our own networks and data.
January 11th, 2009 by Brian Honan
The raft of data breaches involving lost laptops and mobile devices that occurred last year, both in the government and private sector, led to a rash of organisations running out to encrypt these mobile devices. While an effective tool in helping to secure data on mobile devices, encryption by itself is not a silver bullet nor the answer to the problem. You still need to ensure that people minimise the amount of sensitive data they store on mobile devices and most importantly that they are properly trained and educated in how to use the technology employed to protect that data.
This story from the Lancashire Evening Post is a prime example of where security is the effective combination of People, Process and Technology. The story reports on how a USB key containing medical details of over 6,300 prisoners was lost. The good news is that the USB key was encrypted, however the bad news is that the pass-phrase to decrypt the information was attached to the USB key. This in reality makes the encryption worthless and provides no security to that data.
So when deploying technology to enhance the security of your organisation, remember to ensure that those who will be using that technology are properly trained in its use.
October 6th, 2008 by Brian Honan
It appears that a security breach at Deutsche Telekom in 2006 exposed personal details of over 17 million customers of its mobile phone division, T-Mobile. The company claims that no credit card or financial details were exposed, but that information such as email addresses as well as mobile numbers and postal addresses was exposed.
The company claims that they found no evidence of the data being used or traded on the Internet or any data exchanges. Well I am sure that will make those affected sleep better at night. However, German newspapers are claiming that the data is already in the hands of criminals. In particular the data belonging to some celebrities, politicians and well known business people.
This issue does beg the question who decides when individuals should be notified that their data has been exposed? The company who suffers the breach or an independent third party? I guess if you have read this Blog for any period of time you know where I stand on this.
October 5th, 2008 by Brian Honan
It has been an interesting week to say the least with regards to information security breaches in Ireland. First we heard of the responses to Ruairi Quinn’s question as to how many portable devices belonging to government departments have gone missing this year. So far over 45 devices have been lost. Damien Mulley has a breakdown as to what was lost. Then on Friday the HSE reports that it lost another laptop which reports claim leaves the personal details of thousands of HSE staff at risk of identity theft.
To cap it all the Irish Times reports that the Minister for Justice Dermot Ahern is now considering introducing mandatory breach disclosure laws. Having been an advocate for the introduction of such laws I welcome these moves. However, as Digital Rights Ireland points out the proposed laws appear to have a number of shortcomings such as being restricted to only portable devices. This means that breaches such as the exposure of people’s CVs on the Jobs.ie website earlier this year would not need to be reported. Also it appears the minister wants to concentrate on major breaches. It will be interesting to see what a major breach is defined as. Will that be dependent on the type of data exposed or the number of records?
I attended the Irish ISACA Chapter's conference on Friday and a number of people asked me for my reaction to the above. So let me take this post as an opportunity to share my thoughts on breach disclosure:
Continue reading ‘Once More Into The Breach’
August 12th, 2008 by Brian Honan
Following on from last week's announcement that the office of the Comptroller and Auditor General lost a laptop containing sensitive data at a bus stop, today the CAG announced that it lost a laptop in April 2007 that contained information from the Department of Social and Family Affairs on over 380,000 welfare recipients. The laptop was stolen from the office of the CAG and, to compound the problem further, while the data was sent to the CAG from the Department of Social and Family Affairs in encrypted form it was subsequently stored on the CAG laptop in plaintext. The compromised data included personal details such as bank account numbers, names and addresses, in fact the perfect data an identity thief would pay a lot of money for.
Questions have to be asked why did it take so long for those affected to be informed of the breach? It is nearly 17 months since the laptop was stolen but details are only being made public now. Why were those affected not made aware that they were at risk of identity theft? And by the way the argument that the data has not yet been abused is not a valid one.
Yet again this is another example of why we need mandatory breach disclosure laws in this country. While we have had a number of good examples of how to deal with breaches, too often we have had bad examples. The time of relying on organisations to do the right thing is over and we need to introduce regulations that mandate the steps an organisation must take in the event it suffers a breach.
Digital Rights Ireland have a post that covers some of the legal aspects regarding this breach. If you feel as strongly about breach disclosure as I do then they also have details on how you can add your voice to the debate.
August 9th, 2008 by Brian Honan
The Irish Examiner broke the news this morning that an Irish online retailer's computer security was breached by criminals who managed to compromise an undisclosed number of credit card details belonging to Irish customers. The breach was apparently discovered after the criminals tried to test whether the cards were active by making small online purchases against a New York based online food retailer, a common step before cards are sold on or used for larger purchases. Most major Irish banks are in the process of reissuing credit cards to those affected by the breach, while most people who hold credit cards are frantically checking with their provider to see if they have been victims.
At the time of writing there are no public details as to which retailer was compromised, how that compromise happened, or how many people were affected. This is one of the reasons I believe that we need data breach disclosure laws here in Ireland.
Knowing who the retailer is could save a lot of unnecessary worry for people who may think their cards have been compromised. Knowing how the attack happened will also be useful for other companies so that they can ensure they have appropriate mechanisms in place to prevent and detect a similar attack, be that an attack via the Internet or an insider using the information.
It will also be interesting to know if the retailer was PCI DSS compliant, and if not, what steps the credit card companies and the acquiring bank will take. My experience in dealing with a lot of companies is that many are not yet compliant with PCI DSS. With all its various faults, at least PCI DSS provides organisations with the minimum practices and standards that they should have in place. Despite much of the vendor hype, PCI DSS should not be that hard for most companies to achieve. Indeed, if a company is serious about protecting its customers' data, PCI DSS compliance should be a by-product of its own efforts.
Let's keep a close eye on this case and see what lessons can be learnt from it.
UPDATE: John Collins has a piece in 9th August edition of The Irish Times covering this story with some commentary from myself.