We were asked to check the integrity of a larger financial firm located in Canada. We had a couple of meetings about where the important information was most vulnerable. After great debate, we decided that the HR department would be our target. They held a lot of SSN and PMI information. As a team we looked into when the best time would be to test this target and figured out that most, if not all, of the department would be recruiting at an MIT function. Because I set up a fake LinkedIn account as one of the upper management employees, I noticed that many of the employees, including the VP of HR, made reservations to MIT using TripIt via LinkedIn. It was quite amazing how many requests I got out of the HR department to be linked in without verifying my account.
While planning our attack, we started following many of the employees on FB, Myspace and Twitter. Nothing really special came out of our monitoring, until the weekend before our attack. The VP started twittering about a trip to Chicago. She was tweeting about the flight, the airline losing her luggage and how nice the weather was when she landed. Next she twittered for recommendations on where to get a new cell card for her laptop because the other one was in her lost luggage. She also started tweeting about a great sub shop called Jimmy Johns. The tweet was basically in these words: “I have fallen in love with a sandwich across the street from Best Buy. While waiting for them to install my cell card I ordered the gargantuan.” Well, because Twitter is in real time, I knew this would be a great opportunity for a social engineering attack. I Google-mapped all the Best Buy stores and used street view to see which had a Jimmy Johns across the street. It was actually down a couple of blocks... but I found it.
Calling the store, I asked for the technician working on her machine. I thanked him for helping us out with her laptop and asked if he needed anything, like an administrator password. The technician said, “No, she already gave us the 2 passwords, xxxxx and xxxxxx.” I said, “Great! What card and firmware are you installing?” The technician answered the questions after 15 minutes of trying to find it on the CD: “Version 2.1.1”. Finally, I asked if he could do a huge favor: because we knew of a bug that would cause problems for her connecting to our VPN with that particular firmware, could he install an update? I would email him a 2.1.2_firmware.exe file; if he installed it, she would be all set and not call me later. The technician sympathized and agreed to help me out. We now had a back door to the HR department, and I freed up a weekend from testing.
Moral of the story? Information security is just that... keeping your information secure. If your policy is to allow employees to use social media sites, then treat them as yet another system and find a way to monitor the information. Just like you should be testing phishing attacks, you should be testing social networking attacks. If you have a policy against employees using social media, then find ways to enforce the policy.
What a great attack! Well done.
During our regular update and verification of all Craigslist accounts we have not been able to verify your account information. Either your information has changed or it is incomplete.
Please login to your account and update your Craigslist account information:
Failure to verify your account may result in the loss of your ability to post adds on Craigslist.
Thank you for using Craigslist!
Weekly product update – Cenzic detects a PHP Restriction Bypass Vulnerability and enhances 3 SmartAttacks
As of August 21, 2009 Cenzic now detects a PHP ‘mail.log’ Configuration Option ‘open_basedir’ Restriction Bypass Vulnerability (Bugtraq ID 36007). PHP is prone to an ‘open_basedir’ restriction-bypass vulnerability due to a design error. Successful exploits could allow an attacker to write files in unauthorized locations. This vulnerability is an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code. In such cases, the ‘safe_mode’ and ‘open_basedir’ restrictions are expected to isolate users from each other.
Enhancements Made to Cenzic Fault Injection SmartAttacks
The following Fault Injector SmartAttacks were enhanced to improve scanning accuracy and reduce scan time. By receiving new parameters called ‘URLs To Inject’ and ‘Fields To Inject’, a scan can be narrowed down to one specific request and/or field. This feature is useful for quick micro-scans of newly added fields or for preventing these fault injector SmartAttacks from injecting irrelevant fields.
- HTTP Response Splitting (Version 1.4.10)
- Integer Overflow (Version 1.0.10)
- Buffer Overflow (Version 1.4.12)
Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect “holes” in Web applications. These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.
by Erin Swanson, Eswanson@cenzic.com
Hackers will soon gain a powerful new tool for breaking into Oracle Corp’s database, the top-selling business software used by companies to store electronic information.
Security experts have developed an easy-to-use, automated software tool that can remotely break into Oracle databases over the Internet to simulate attacks on computer systems, but cybercrooks can use it for hacking.
The tool’s authors created it through a controversial open-source software project known as Metasploit, which releases its free software over the Web.
Chris Gates, a security tester who co-developed the Metasploit tool, will unveil it next week at the annual Black Hat conference in Las Vegas, where thousands of security experts and hackers will gather to exchange trade secrets.
“Anyone with no skill and knowledge can download and run it,” said Pete Finnigan, an independent consultant who specializes in Oracle security and who advises large corporations and government agencies.
He has not yet studied the Oracle tool but is familiar with other Metasploit software and said it works by automating many of the complicated procedures required to hack into Oracle databases, allowing amateurs to hack into them.
Oracle, which declined to comment, has already issued patches to protect against vulnerabilities that the Metasploit tool targets. But some companies are not diligent in upgrading their software to add the patches, so they are vulnerable to attackers using the new tool. They hire consultants like Gates to help them make sure they are protected.
Metasploit hacks are available for other software programs, including Microsoft Corp’s Windows as well as the Firefox and Internet Explorer browsers.
Gates said this is the first Metasploit program to target Oracle’s database.
“There is no way to keep these tools out of the hands of people who want to use them for nefarious purposes,” said Alan Paller, director of research for the SANS Institute. SANS trains security professionals in areas including use of Metasploit.
Security testers and hackers have previously used other programs to break into Oracle databases, but the new software from Metasploit is easier to operate and runs more quickly than existing options, said Gates.
Metasploit is the most widely used free hacking tool and has a loyal following in the security community.
In addition to letting hackers break into databases over the Internet, the Metasploit tool allows rogue employees to access them from their work PCs.
Workers could break into an Oracle system and secretly steal confidential data such as credit card numbers, give themselves pay raises or make other changes to corporate databases, said Finnigan, who has specialized in Oracle security for eight years.
(Reporting by Jim Finkle; Editing by Richard Chang)
Hackers are now using Twitter to send coded update messages to computers they’ve previously infected with rogue code, according to a report from net monitoring firm Arbor Networks.
This looks to be the first reported case of hackers using the popular micro-messaging company to control botnets, which are assemblages of infected PCs that can be directed to spy on their users, send spam or attack web sites with fake traffic.
Arbor Networks’ Jose Nazario, an expert on botnets, discovered the so-called command-and-control structure. Infected computers were following the Twitter feed “Upd4t3” (now suspended) through its RSS feed.
“Basically, what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run,” Nazario wrote. “It’s an infostealer operation.”
The tweets turned out to be obfuscated links to sites where further malicious code and instructions could be downloaded.
Hackers have long used IRC chat rooms to control botnets, and have continually used clever technologies, such as peer-to-peer strategies, to counter efforts to track, disrupt and sometimes decapitate the bots.
Perhaps what’s surprising then is that it’s taken so long for hackers to take Twitter to the dark side.
There’s something ironic about this finding, given that Russian hackers allegedly used a botnet to take Twitter down for two days last week. But we won’t go down that rabbit hole.
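The article describes bots polling one Twitter account's RSS feed for commands. A simple way for a defender to surface that pattern in proxy logs is to look for clients that fetch the same feed at near-constant intervals, and for feeds shared by several such clients. The following is an added example, not code from Arbor Networks or the original article; the log format, the feed URL pattern and the sample records are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (assumed format: "timestamp client method url status").
# 10.0.0.11 and 10.0.0.12 poll one feed roughly every 5 minutes; 10.0.0.20 is a person
# browsing Twitter at irregular times. The account name is the one named in the article.
LOG = """\
2009-08-13T09:00:01 10.0.0.11 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:00:30 10.0.0.12 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:02:10 10.0.0.20 GET http://twitter.com/home 200
2009-08-13T09:02:14 10.0.0.20 GET http://twitter.com/statuses/user_timeline/jazzfan.rss 200
2009-08-13T09:05:00 10.0.0.11 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:05:31 10.0.0.12 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:10:03 10.0.0.11 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:10:29 10.0.0.12 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:14:59 10.0.0.11 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:15:32 10.0.0.12 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:20:02 10.0.0.11 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:20:30 10.0.0.12 GET http://twitter.com/statuses/user_timeline/upd4t3.rss 200
2009-08-13T09:31:50 10.0.0.20 GET http://twitter.com/statuses/user_timeline/jazzfan.rss 200
2009-08-13T09:33:05 10.0.0.20 GET http://twitter.com/statuses/user_timeline/jazzfan.rss 200
2009-08-13T10:12:40 10.0.0.20 GET http://twitter.com/statuses/user_timeline/jazzfan.rss 200
"""

# Assumed shape of a per-user timeline RSS URL; adjust to whatever your proxy actually sees.
FEED_RE = re.compile(r"^https?://(?:www\.)?twitter\.com/statuses/user_timeline/[^/?]+\.rss$")


def parse_log(text):
    """Return (timestamp, client, url) for each well-formed proxy record."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crashing the whole run
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        records.append((ts, parts[1], parts[3]))
    return records


def find_beacons(records, min_hits=4, max_cv=0.15):
    """Flag (client, feed) pairs whose fetch intervals are almost constant.

    A coefficient of variation (stdev / mean) at or below max_cv over at least
    min_hits requests is treated as machine-driven polling rather than browsing.
    Returns tuples of (client, feed, mean_interval_seconds, cv).
    """
    by_pair = defaultdict(list)
    for ts, client, url in records:
        if FEED_RE.match(url):
            by_pair[(client, url)].append(ts)

    beacons = []
    for (client, url), stamps in sorted(by_pair.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((client, url, round(mean, 2), round(cv, 4)))
    return beacons


def shared_feeds(beacons):
    """Feeds polled on a regular schedule by more than one client: a C2 signature."""
    clients_per_feed = defaultdict(set)
    for client, url, _mean, _cv in beacons:
        clients_per_feed[url].add(client)
    return {url for url, clients in clients_per_feed.items() if len(clients) > 1}


if __name__ == "__main__":
    found = find_beacons(parse_log(LOG))
    for client, url, mean, cv in found:
        print(f"{client} polls {url} every {mean}s (cv={cv})")
    print("feeds shared by several beaconing hosts:", shared_feeds(found))
```

On real traffic, pair this with an allow-list of feeds legitimately consumed by internal tools, since an RSS reader on a fixed schedule looks the same until you check how many distinct hosts share the feed.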
Here’s some complicated advice on securing passwords that — I’ll bet — no one follows.
- DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008, Insider Tips column. Although Scott focused on free programs, I really like CallPod’s Keeper, a $15 utility that comes in Windows, Mac, and iPhone versions and allows you to keep all your passwords in sync. Find more information about the program and a download link for the 15-day free-trial version on the vendor’s site.
- DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven’t visited in a long time. Don’t reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.
- DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward. No matter how much you may trust your friends or colleagues, you can’t trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.
- DON’T use passwords composed of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don’t use repeated characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
- DON’T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.
- DON’T allow your computer to automatically sign in on boot-up, and don’t use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.
- DON’T use the “remember me” or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.
- DON’T enter passwords on a computer you don’t control — such as a friend’s computer — because you don’t know what spyware or keyloggers might be on that machine.
- DON’T access password-protected accounts over open Wi-Fi networks — or any other network you don’t trust — unless the site is secured via https. Use a VPN if you travel a lot. (See Ian “Gizmo” Richards’ Dec. 11, 2008, Best Software column, “Connect safely over open Wi-Fi networks,” for Wi-Fi security tips.)
- DON’T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.
I regularly break seven of those rules. How about you? (Here’s my advice on choosing secure passwords.)
Ten to 25 percent of broadband networks are likely infected by bots, and bots cause 90 percent of spam, according to the Messaging Anti-Abuse Working Group (MAAWG), a coalition of security companies, bandwidth providers, and other interested parties.
MAAWG has issued a report on the problem as well as advice for IT managers, titled “Messaging Anti-Abuse Working Group Common Best Practices for Mitigating Large Scale Bot Infections in Residential Networks” (available here in .PDF format). It details best practices for ISPs for dealing with the issue and provides a list of software for handling bot infections.
“ISPs have expressed concern about the problem,” Michael O’Reirdan, MAAWG chairman, told InternetNews.com. “After all, the bot economy is about ripping people off. Enterprise IT should be as worried about the problem as anyone else. Enterprises have PCs that wander around the planet, aren’t always patched, and travel between home and work.”
There is a lot of evidence that there are bots on corporate networks, he added. “Corporate networks are especially valuable to criminals because they host valuable treasury or bank transactions.”
Bot police best practices
The recommendations in the MAAWG report will be familiar to IT managers and include the Microsoft Windows Malicious Software Removal Tool, several online anti-virus scanners, and various applications that specialize in finding rootkits, spyware, adware, and bots.
Large enterprises are likely to know what to do about the issue, but smaller IT operations might benefit from the report, which is written for ISPs of all sizes, O’Reirdan said.
“This is not a guarantee,” said O’Reirdan. “There is no magic incantation that will work against all bots.”
He said that every IT manager should focus on the basics, such as patching, and should reinstall the operating system and patches from behind the firewall in the event of an infection. “IT managers should know this already,” he added.
“But please don’t think you’re immune because you have a firewall,” O’Reirdan said. He pointed to an attack in February in Fargo, N. D., in which a bad URL was distributed through flyers masquerading as parking tickets. A SANS advisory warned that the URL on the flyers led to an attack on the user’s browser through an infectious image and then to the download of scareware.
“Attacks can be low-tech and subtle,” O’Reirdan warned.
Network administrators are besieged today with a growing list of security risks, and analysts warn that too often they get caught up in battling one or two vulnerabilities and remain blind to a league of others.
“There are so many risks to deal with, it’s an overwhelming job,” says Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a wholly owned subsidiary of Raytheon. “In the day-to-day, they’re responding to wildfires, and they just don’t get a chance to stand back and figure out where they need to go next…Security administrators are really struggling to keep up.”
Security officers have been battling worms, viruses, denial of service attacks and hackers for years now. When you add the threat of cyber-terrorism, employees using Instant Messengers and downloading full-length feature movies onto their work PCs, the list of risks is multiplying far faster than security budgets or staffs can keep pace.
SilentRunner has created a Top 10 list of risk factors that security administrators should guard against. Here’s what has made their short list of vulnerabilities:
- Email Attachments — Workers opening an attachment could unleash a worm or virus onto the corporate network, and a new evolution of viruses means that they can propagate themselves even without a user double-clicking on them;
- VPN Tunnel Vulnerabilities — A hacker who worms his way into the VPN has free and easy access to the network;
- Blended Attacks — Worms and viruses are becoming more complicated, and now a single one may be able to execute itself or even attack more than one platform;
- Diversionary Tactics — Hackers may strike a set of servers in a target company and then, when security administrators are busy putting out that fire, slip in and attack another part of the network;
- Downloads from Web Sites — Workers frequently misuse their Internet access in the workplace, downloading games, movies and music and even porn. It opens the network up to attack and sucks up valuable bandwidth;
- Supply Chain and Partners Added to the Network — An administrator may grant access to the network for a partner company and then forget to close that access point when the job is over. The same applies to employees who are leaving the company;
- Microsoft’s SOAP — The Simple Object Access Protocol (SOAP) doesn’t have security specifications built into it, warns SilentRunner’s Woolley;
- Renaming Documents — An employee could save business-critical information in a different file, give it a random, unrelated name and email the information to her home computer, a friend or even a corporate competitor. Monitoring software that checks emails leaving the company might fail to pick up on the outgoing message if the subject name has been changed;
- Peer-to-Peer Applications — In a peer-to-peer environment there is an implied trust between servers. That means if a user has access to one server, he automatically has access to another if the servers share trust. Woolley points out that hackers or rogue employees can gain access to one server and move freely throughout the network;
- Music and Video Browsers — These are browsers that automatically will connect the user with related web sites — all without the user’s permission. A music browser, for instance, may note that the user likes jazz so will connect the user to other jazz sites and executable applications, putting the network at risk and potentially using up huge amounts of bandwidth.
“It is a big job, that’s for sure,” says Van Nguyen, director of global security for American Presidential Lines, an oceanic shipping company with 11,000 employees and more than 76 container ships worldwide. “One thing interesting to me is that due to the state of the economy right now, our senior executives want us to cut costs and be secure at the same time. It’s doable but it’s difficult. It has to be blended into the business process.”
And to do that, Nguyen says security and network administrators would be smart to form official policies around most, if not all, of SilentRunner’s 10 risk factors.
For instance, Nguyen says they drastically cut down the bandwidth that was being used by simply telling users that they are not allowed to download movies, and then tied the policy in with employees’ performance reviews. Instant Messaging is in the same category, he notes.
“We have users who claim they have legitimate reasons to use it,” says Nguyen. “They say they can save the company money because they won’t make long-distance calls. But stay with policy. There are too many risks inherent in Instant Messaging. You have to educate users to the risks so they understand what they’re doing.”
Charles Kolodgy, an analyst with Framingham, Mass.-based IDC, says Instant Messaging is such a risk that he’s surprised it didn’t make SilentRunner’s Top 10 list.
“It’s a solid list but the only thing I’d add is Instant Messaging,” says Kolodgy. “That should be No. 11 if it’s not Top 10.”
But it is on Woolley’s own list of vulnerabilities that companies should be worried about — and writing policy for.
“When they finally get encrypted Instant Messaging, it will be great,” says Woolley. “When a user types that message, it goes out of the network, to an ISP and around there two or three times and then to the intended recipient…You may be chatting with the guy down the hall and not realizing that the message doesn’t just go down the hall. It’s actually leaving your network. You’re broadcasting that information.”
IDC’s Kolodgy says tackling all these risk factors is becoming a bigger job than just one department can handle.
“The network and the security guys need to start communicating more because so many vulnerabilities are dealing with the network and bandwidth,” he says. “There’s so much going on and you’ve got to lay down policy on top of it all.”
Formal security policies are less commonplace in enterprise environments than many people might think. Why are some organizations still dragging their feet, and what might help give security administrators a boost?
In a worldwide study of more than 1,000 IT executives last year, Computer Sciences Corp. (CSC) discovered that 46 percent do not have a formal security policy in place; 59 percent do not have a formal compliance program; and 68 percent do not regularly conduct risk analyses or security status tracking.
Security specialists, of course, find statistics like these alarming. “If organizations don’t develop and enforce security policies, they’re opening themselves up to vulnerabilities,” maintains Richard Pethia, director of the FBI’s National Infrastructure Protection Center (NIPC).
Other studies underscore these vulnerabilities. In its recently released “2002 Computer Crime and Security Survey,” the Computer Security Institute (CSI) conducted research among 853 security practitioners, mainly in large corporations and government agencies.
A full 90 percent admitted to security breaches over the past 12 months, and 80 percent acknowledged financial losses due to these breaches. Frequently detected attacks and abuses included viruses (85 percent); system penetration from the outside (40 percent); denial of service attacks (40 percent); and employee abuses of Internet access privileges, such as downloading pornography or pirated software, or “inappropriate use of email systems” (78 percent).
Why, then, are some organizations putting security on the back burner? Observers point to reasons ranging from insufficient staff resources, to the growing complexities of cyberattacks and security solutions, to difficulties in getting buy-in from business decision-makers.
“Most network administrators know what they should do about security. It’s just that they don’t always have time to do it. No matter how hard they run, they’re still just ‘running in place,’” says Guy Copeland, VP, Federal Sector, for CSC.
Clearly, policy tools abound these days, running the gamut from books and online templates to software programs. Still, though, some administrators do struggle over the basics.
“I have been left with the responsibility of writing up our Internet Security Policy. I suck at writing policies, and I have no clue as to what to do. Can anyone e-mail me or post an all compiled security policy that they may have? I need something to go by that I can modify to fit our purpose,” writes one stymied administrator, in an Internet newsgroup posting.
Incident reports to the FBI’s NIPC prove that cyberattacks are rising in sophistication, as well as in sheer numbers, according to Pethia.
Meanwhile, security solutions are getting so complicated that analyst firms are issuing entire reports dedicated to policies around specific technologies. Take, for example, application-specific access rights. IDC offers a report called “Managing Access Rights Efficiently: Policy-Based Provisioning.”
“Web-based applications are proliferating. End users, ‘outside’ suppliers, customers, and partners all expect to access back-office data and applications, such as order status and supplies availability. The old rule of ‘employees’ versus ‘outsiders’ breaks down as different users expect different levels of access to different types of data,” according to the report.
Getting business buy-in can be a big headache, too. “Recognition of security problems tends to ‘stay low’ in an organization. Often, information only trickles up to CIOs in bits and pieces,” Pethia notes.
“Gaining executive management buy-in for an information security policy requires understanding corporate procedures, creating a review board, ensuring that the policy implications are understood, and providing updates,” according to a Gartner Group report.
Yet many business decision-makers have traditionally looked at security as “nice to have,” rather than essential, says Ron Knode, CSC’s global director for managed security services. Business managers’ perceptions don’t change till “something goes wrong,” according to Knode.
At this point, many observers are hoping for a quick uptick in policy activities. Federal government officials are among them. In “Security in the Information Age,” a 130-page federal report issued last month, security specialists contend that government needs to induce industry to be more open about security problems.
A big thrust of their argument is that private industry owns much of the nation’s infrastructure, a major target of terrorists. “If both the private sector and the federal government are targets, it makes sense for two targets to share information with each other. The private sector is on the front lines, yet has no access to government information about possible threats. On the other hand, the federal government, which has unique information and analytical capabilities, lacks specific information about attacks – particularly computer attacks, occurring outside the government but still within the United States,” writes U.S. Sen. Robert F. Bennett (R – Utah) in the report.
In another section of that report, Mark Montgomery contends that business and government security should rest on the same three “prongs”: policy, technology, and people. “Silicon Valley and the Beltway, where the sandal meets the wingtip, must stand side by side and on equal footing in addressing these issues and formulating responses,” according to Montgomery.
Meanwhile, on a day-to-day basis, administrators will keep trying to stretch their resources, catch the ear of top management, and fight their way through the snares of security.
By columnist Jacqueline Emigh
Big corporate layoffs are creating a nightmare of security risks as IT workers scramble to close down network connections and plug up dangerous holes as employees are walked out the door.
For companies like bankrupt energy trader Enron Corp. and now financially embarrassed WorldCom Inc., laying off thousands of employees means there simply may be too many security holes to patch up before employees are given their pink slips. And that means there are many ways back into the company’s network for any disgruntled employee who would like some revenge to help make up for a lost job and possibly squandered retirement funds and stock options.
“In my view, it’s got to be nearly impossible to fill that many gaps in network access,” says Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a wholly owned subsidiary of Raytheon. “Even when you lay off one or two people, there’s so much work to do. You need to close down user names, passwords, remote access, shut down VPNs and collect security ID cards. And if the person was IT, you need to change route accesses and network accesses. It’s a huge job. Try multiplying that by thousands of workers.”
Woolley and other security analysts say companies fraught with financial troubles may be digging themselves a deeper hole if they don’t fill up security gaps that strings of layoffs leave behind. A worker — who would have more knowledge of the system and critical business information than a hacker ever would — could destroy information or crash systems. They also could copy financial files, marketing or research plans and customer information that they could take to their next job or that they could sell to a competitor.
“If IT gets a couple hours or even a couple of days notice, can they get things shut down before their people get to them?” asks Woolley. “But if there are rumors…if people know it’s coming, you just don’t have time to protect yourself.”
And if the company is perceived to have misled employees about the state of its financial health, that’s only going to increase employees’ frustrations and anger — and make them more likely to take advantage of any security vulnerabilities and strike out against the company.
Devastated And Disgruntled
“If I had joined WorldCom when the stock was $62 and now it’s down to 40 cents, and I’ve lost my retirement, maybe my kids’ college education fund…and I believed the company was being straight when they said it was turning around, and now I’m laid off, I would have to believe we’d all be disgruntled,” says Woolley. “The risks there are significant.”
That scene at WorldCom, which has announced plans to lay off about 17,000 workers after divulging that executives had cooked the books to the tune of about $4 billion, has been played out a lot in recent months. About 4,000 workers at Enron were shown the door just after Thanksgiving last year. Arthur Andersen, which has been dragged down in the mire surrounding Enron, is supposedly laying off 7,000 employees. And over at the new Hewlett-Packard Co., about 15,000 employees are expected to be let go in the wake of HP’s merger with Compaq Computer.
But the layoffs don’t have to be high-profile or come amid bad publicity and financial investigations to cause network vulnerabilities, warn analysts.
“There’s always going to be the person who thinks, ‘If they let me go, I’m going to make them pay,’” warns Charles Kolodgy, research manager of Internet Security Software at Framingham, Mass.-based IDC. “If he knows the company is in trouble, he could plant a Trojan or leave some malicious time bomb that could go off when his name appears on a layoff list. There have been a number of cases of people doing just that.”
Mike Rasmussen, director of research and information security at Giga Information Group, says if thousands of workers are being laid off, it could take weeks to secure the network. That figure will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, biometrics specifications and security cards.
Rasmussen says any company preparing for a layoff should start working on that documentation immediately. Woolley of SilentRunner, however, says that documentation needs to begin the day a worker is hired. Keep it up-to-date and complete as the worker progresses through the company.
“It’s scary to be laid off,” says Kolodgy. “It’s a very disconcerting concept and it could compel people to do things they normally wouldn’t do. That evil little guy in the back of your head says, ‘Do this. Do that.’ And if you feel like you’ve got nothing to lose, you might listen to him.”
A big part of the effort to protect a network then, is balanced on how the workers are treated during and after their termination. A worker who is brought in to meet with her manager face-to-face to receive the news, and is offered a severance package and is given outplacement references and counseling options is, obviously, less likely to feel the need to harm the company.
Layoffs Are Traumatic
“Being laid off is among the top five stresses — right up there with the death of a loved one and divorce,” says Bill Sala, vice president and managing director of Innis Co., a human resources consultant based in Houston, Texas. “It’s a separation, or a break in a bond, that is as strong in many cases as that with a family member. When that bond is broken, there is trauma.”
There have been reports that workers at both Enron and Arthur Andersen received notice of their termination from an email message or on their voicemail. Sala says he has heard the same but couldn’t verify it personally. If it did happen, that would be a clear recipe for building an employee with a motive for revenge.
Analysts recommend a list of things to do if a company is about to have layoffs:
- Be honest with employees about the stability of the company and the potential for layoffs;
- Clearly and completely document each worker’s access to the network, applications, servers and the physical building;
- Shut down remote connections, including PCAnywhere and VPNs;
- Close down user names and passwords;
- If the person worked in IT, change route access and network access;
- Shut down telephone access from the outside;
- Make sure handheld devices, smart phones and cell phones are turned in along with PCs and laptops;
- Collect security ID cards;
- Have monitoring software in place to keep an eye on network traffic;
- Make sure the worker’s own manager is able to tell the employee that he is being laid off — not someone unfamiliar from HR;
- Offer a financial cushion or severance package;
- Offer outplacement services;
- Offer counseling services.