Archive for October, 2014

US CERT warning – Backoff POS agent impacts over 1000 businesses

A US-CERT warning describes the dangers of point-of-sale malware that attempts to steal credit card numbers and sensitive customer information.

QUOTE: Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.

These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:

* Scraping memory for track data
* Logging keystrokes
* Command & control (C2) communication
* Injecting malicious stub into explorer.exe


Insurance and Financial organizations – Changing the Security Mindset

This excellent article from “Insurance and Technology” magazine highlights the need for organizations to take security protection seriously by performing a risk assessment, developing an incident response plan in advance, and exercising the principle of continuous improvement in both technology and human behavioral controls. Just as one does not wait until it starts raining to patch the roof, each organization must prepare in advance and in a comprehensive manner.

QUOTE: As cyber attacks evolve in number and complexity, financial services organizations must embrace proactive security strategies. Cyber security is rapidly evolving as an area of concern for insurers, with data breaches occurring more often than ever. Recent data from the Ponemon Institute reveals that 43 percent of businesses have experienced an attack in the past 12 months, and the changing motivation behind them is posing an even greater threat to the industry.

“Today, the main driver in hacking is financial,” says Jerry Irvine, CIO of Prescient Solutions and member of the National Cyber Security Task Force. “Criminal, governmental, and third-party organizations are all financially driven.”

Modern-day criminals want to be more than nuisances or political rebels, says Irvine, and today’s technology isn’t complex enough to block their attacks. Modern solutions are designed to protect environments with physical perimeters, but the growth of cloud technologies and evolution of hackers’ abilities are rendering these ineffective. Hackers don’t have new tools, but more of them are discovering and exploiting the flaws within existing systems.

He recommends that insurers begin by conducting a risk assessment, a process significantly more complex for organizations than for consumers. In addition to defining regulatory and compliance requirements, insurers must detail and inventory everything that relates to their data. This involves determining which apps access each set of data, as well as categorizing information as critically confidential.

To minimize damage in the event of a data breach, carriers should have an incident response plan, says Kirstin Simonson, underwriting director for Travelers Global Technologies. Many businesses lack a responsive strategy, she says, or a team in place to mitigate the effects of a cyber attack.

Leadership – Importance of research and probing questions

John Maxwell’s leadership blog shares excellent advice regarding the need to ask meaningful questions and seek the best solutions during project research phases.

QUOTE: “I have no special talents. I am only passionately curious.” – Albert Einstein

Curiosity = Asking … You only get answers to the questions you ask. There is a yawning chasm separating the person who neither formulates interesting questions nor asks for help and the person who poses profound questions to others and solicits their advice. People who fail to ask questions live in a mental fog. Trapped in the limitations of their own perspective, they have difficulty seeing their present situation clearly or discerning the best path forward. Conversely, people who seek ideas and input from others strengthen their decision-making, work smarter, see their surroundings with sharper clarity.

Immature leaders try to accomplish everything alone. They lean on their own understanding, and when it runs out, they fall flat on their faces. As leaders mature, they learn the value of putting together a team of people to help them think more intelligently.

FBI Warning – Fake Fraudulent Corporate Purchase Orders

The FBI warns of an increase in highly realistic purchase orders used to defraud corporate suppliers.

QUOTE: What began as a scheme to defraud office supply stores has evolved into more ambitious crimes that have cost retailers around the country millions of dollars—and the Nigerian cyber criminals behind the fraud have also turned at-home Internet users into unsuspecting accomplices.

FBI investigators are calling it purchase order fraud, and the perpetrators are extremely skillful. Through online and telephone social engineering techniques, the fraudsters trick retailers into believing they are from legitimate businesses and academic institutions and want to order merchandise. The retailers believe they are filling requests for established customers, but the goods end up being shipped elsewhere—often to the unsuspecting at-home Internet users, who are then duped into re-shipping the merchandise to Nigeria.

“They order large quantities of items such as laptops and hard drives,” said Special Agent Joanne Altenburg, who has been investigating the cyber criminals since 2012 out of our Washington Field Office. “They have also ordered expensive and very specialized equipment, such as centrifuges and other medical and pharmaceutical items.”


Indicators of Fraud – Businesses can avoid becoming victims of purchase order fraud by being aware of several fraud indicators:

* Incorrect domain names on websites, e-mails, and purchase orders. The scammers use nearly identical domain names of legitimate organizations, but in the case of a university, for example, if the URL does not end in .edu, it is likely fraudulent.
* The shipping address on a purchase order is not the same as the business location. Likewise, if the delivery address is a residence or self-storage facility, it should raise red flags.
* Poorly written e-mail correspondence that contains grammatical errors, suggesting that the message was not written by a fluent English speaker.
* Phone numbers not associated with the company or university, and numbers that are not answered by a live person.
* Orders for unusually large quantities of merchandise, with a request to ship priority or overnight.
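The indicators above can be turned into a screening step that runs before a supplier fills an unfamiliar order. The following is an added example, not part of the FBI notice or this blog: it scores a purchase order record against the listed indicators and, going one step beyond the text, flags sender domains that merely resemble a known customer's domain (a different top-level domain or a one-character change) using a string-similarity check. The customer domain list, the order field names, the quantity threshold and the sample orders are all constructed assumptions.

```python
import difflib
import re

# Constructed: domains of customers this supplier has previously done business with.
KNOWN_CUSTOMER_DOMAINS = {"example-university.edu", "acme-corp.example"}

# Assumption: quantities at or above this are "unusually large" for this product line.
LARGE_QUANTITY = 50


def domain_of(email):
    """Lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].lower()


def lookalike_of(domain, known=KNOWN_CUSTOMER_DOMAINS, cutoff=0.8):
    """Return the known customer domain this domain imitates, or None.

    An exact match is a real customer, not a lookalike. A near match (similarity
    ratio >= cutoff, e.g. '.org' in place of '.edu') is the pattern the FBI describes.
    """
    if domain in known:
        return None
    best = difflib.get_close_matches(domain, known, n=1, cutoff=cutoff)
    return best[0] if best else None


def fraud_indicators(order):
    """Apply the published indicators to an order dict; return the ones that fire."""
    hits = []
    sender = domain_of(order["from_email"])
    imitated = lookalike_of(sender)
    if imitated:
        hits.append(f"sender domain {sender} resembles known customer {imitated}")
    if order.get("claims_university") and not sender.endswith(".edu"):
        hits.append("claims to be a university but sender domain does not end in .edu")
    if order["ship_to"].strip().lower() != order["business_address"].strip().lower():
        hits.append("ship-to address differs from the customer's business location")
    if re.search(r"\b(apt|unit|self[- ]?storage|storage)\b", order["ship_to"], re.I):
        hits.append("ship-to looks like a residence or self-storage facility")
    if order["quantity"] >= LARGE_QUANTITY:
        hits.append("unusually large quantity ordered")
    if order.get("shipping", "").lower() in {"overnight", "priority"}:
        hits.append("priority/overnight shipping requested")
    return hits


# Constructed sample orders: one that matches the fraud pattern, one routine reorder.
SUSPICIOUS_ORDER = {
    "from_email": "purchasing@example-university.org",   # imitates the .edu customer
    "claims_university": True,
    "business_address": "1 Campus Dr, Springfield",
    "ship_to": "12 Oak St Apt 4B, Springfield",
    "quantity": 120,
    "shipping": "overnight",
}
LEGIT_ORDER = {
    "from_email": "buyer@acme-corp.example",
    "claims_university": False,
    "business_address": "500 Industrial Way, Springfield",
    "ship_to": "500 Industrial Way, Springfield",
    "quantity": 5,
    "shipping": "ground",
}

if __name__ == "__main__":
    for name, order in (("suspicious", SUSPICIOUS_ORDER), ("legit", LEGIT_ORDER)):
        print(name, fraud_indicators(order))
```

The similarity cutoff trades false positives against missed lookalikes; a supplier with many customers should pair it with an exact allow-list and route anything that fires to a human who confirms the order by calling a phone number already on file, not one printed on the purchase order.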

Microsoft Security Development Lifecycle – a historical account

This historical account shared by Microsoft is excellent, as the events it describes led to the strategic Trustworthy Computing directive and to improved security protection and update processes.


Across thousands of developers and millions of lines of code, one company learns to build secure software in an increasingly insecure world.

It was 2 a.m. on Saturday, July 13, 2001, when Microsoft’s then head of security response, Steve Lipner, awoke to a call from cybersecurity specialist Russ Cooper. Lipner was told a nasty piece of malware called “Code Red” was spreading at an astonishing rate. Code Red was a worm — a malicious computer program that spreads quickly by copying itself to other computers across the Internet. And it was vicious.

At the time, ABC News reported that, in just two weeks, more than 300,000 computers around the world were infected with Code Red — including some at the U.S. Department of Defense and Department of Justice.

Windows 10 – Preview version guided tour by Network World

These 20 slides share highlights of the new features that are part of the Windows 10 Preview version.

QUOTE: Microsoft released a technical preview of the next version of Windows for the public to download and try for free. Although a final release with additional features isn’t expected until the middle of 2015, there are already a number of changes compared to Windows 8.1. Here are some of the most prominent features summarized in a slide show presentation.

Leadership – Principles apply regardless of the position you are in

Leadership is a special attribute that makes someone stand out from the rest, rather than a title or position.

QUOTE: I often hear this question from younger aspiring leaders. They want to apply my teaching to their current situation, but they don’t know how. The good news is that you can be a leader no matter where you are. You don’t need a title. You don’t need a position. You don’t need a formal education. All you need to begin is the desire to lead and the willingness to learn. The key is influence.

1. Leadership Is Influence
2. Influencing Others Is a Choice
3. Our Influence Is Not Equal in All Areas
4. With Influence Comes Responsibility
5. People of Positive Influence Add Value to Others

SSL version 3.0 – Testing and Disabling services for POODLE vulnerability

To test your browser in determining if your PC client is vulnerable:

For corporate users to test server vulnerabilities

Excellent documentation on how to disable SSL3 on servers and clients:

To turn off SSLv3 support in Internet Explorer 11:

Settings -> Internet Options -> Advanced tab -> uncheck “SSL version 3.0” under “Security”.
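On the server side, disabling SSLv3 usually comes down to one protocol directive in the web server configuration, and it is easy to leave an old “all -SSLv2” style setting in place that still allows SSLv3. The script below is an added example (not from the Internet Storm Center, Microsoft or this blog) that audits Apache `SSLProtocol` and nginx `ssl_protocols` lines in a configuration file and reports every line that still leaves SSLv3 (or SSLv2) enabled. It assumes the 2014-era Apache 2.4 meaning of the `all` keyword (SSLv3 plus TLS 1.0 to 1.2); the four configuration snippets at the bottom are constructed, showing the weak setting beside the corrected one for each server.

```python
import re

# Assumption: what Apache mod_ssl 2.4 (with OpenSSL 1.0.1) expanded "all" to in 2014.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Map lower-cased protocol tokens back to a canonical spelling.
CANONICAL = {p.lower(): p for p in APACHE_ALL | {"SSLv2"}}


def apache_protocols(value):
    """Evaluate an Apache 'SSLProtocol' value such as 'all -SSLv2 -SSLv3'.

    Tokens are applied left to right: a bare name or '+name' enables it,
    '-name' disables it, and 'all' expands to APACHE_ALL.
    """
    enabled = set()
    for token in value.split():
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        else:
            sign, name = "+", token
        names = APACHE_ALL if name.lower() == "all" else {CANONICAL.get(name.lower(), name)}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def nginx_protocols(value):
    """nginx 'ssl_protocols' lists exactly the protocols that are enabled."""
    return {CANONICAL.get(t.lower(), t) for t in value.split()}


DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+(.+?)\s*;?\s*$", re.I)


def sslv3_enabled_lines(config_text):
    """Return (line number, line, enabled protocols) for every protocol directive
    that still leaves SSLv2 or SSLv3 enabled. A file with no directive at all is
    running on server defaults, which in 2014 builds of both servers included SSLv3,
    so an empty result is only reassuring when a directive is actually present.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        name, value = match.group(1).lower(), match.group(2)
        enabled = apache_protocols(value) if name == "sslprotocol" else nginx_protocols(value)
        if enabled & {"SSLv2", "SSLv3"}:
            findings.append((lineno, line.strip(), sorted(enabled)))
    return findings


# Constructed configuration snippets: weak setting and corrected setting per server.
WEAK_APACHE = "# constructed vhost snippet\nSSLEngine on\nSSLProtocol all -SSLv2\n"
FIXED_APACHE = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
FIXED_NGINX = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"

if __name__ == "__main__":
    for label, text in (("weak apache", WEAK_APACHE), ("fixed apache", FIXED_APACHE),
                        ("weak nginx", WEAK_NGINX), ("fixed nginx", FIXED_NGINX)):
        print(label, sslv3_enabled_lines(text))
```

Run it over the real files from the server's include directory; the Apache case matters most, since “all -SSLv2” was a very common setting that looks hardened but still negotiates SSLv3.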

SSL version 3.0 – POODLE vulnerability compromises security

The Internet Storm Center has excellent resources on the new POODLE vulnerability, which under the right circumstances can greatly compromise encrypted sessions that use the legacy SSLv3 protocol.

QUOTE: Finally we got an official announcement. SSLv3 had issues in the past. Remember the BEAST attack? It was never resolved (other than moving to TLS 1.1/2). The only alternative was to use a stream cipher like RC4, which had its own problems.

But this POODLE issue is different. With block ciphers, we have a second problem: What if the block to be encrypted is too short? In this case, padding is used to make up for the missing data. Since the padding isn’t really considered part of the message, it is not covered by the MAC (message authorization code) that verified message integrity.

So what does this mean in real life? The impact is similar to the BEAST attack. An attacker may either play MitM, or may be able to decrypt parts of a message if the attacker is able to inject data into the connection just like in the BEAST attack. The attack allows one to decrypt one byte at a time, if the attacker is able to inject messages right after that byte that include only padding.

What should you do: Disable SSLv3. There is no patch for this. SSLv3 has reached the end of its useful life and should be retired. This isn’t a “patch now”. Give it some time, test it carefully, but get going with it. The other problem is that this is a client and a server issue. You need to disable SSLv3 on either. Start with the servers for highest impact, but then see what you can do about clients.
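The quoted explanation turns on one detail: under SSLv3 the receiver checks only the final pad-length byte, while the padding bytes themselves are neither checked nor covered by the MAC, so a receiver cannot tell genuine padding from padding that has been altered in transit. TLS 1.0 closed this by requiring every padding byte to equal the pad length. The following added example (not code from the Internet Storm Center or this blog) models both receiver rules on the plaintext record layout, `data || MAC || padding || pad_len`, without any encryption, and uses HMAC-SHA1 with a constructed key as a stand-in for the record MAC (real SSLv3 uses an older, non-HMAC construction). It shows that an SSLv3-style receiver accepts a record whose padding has been replaced by arbitrary bytes, and that a TLS-style receiver rejects it; the key, the sample data and the garbage padding are constructed.

```python
import hashlib
import hmac

BLOCK = 8          # block size of a 64-bit block cipher (e.g. 3DES) in CBC mode
MAC_LEN = 20       # SHA-1 MAC length
MAC_KEY = b"constructed-demo-mac-key"   # constructed; a real MAC key comes from the handshake


def record_mac(data):
    """Stand-in for the record MAC; it covers the data only, never the padding."""
    return hmac.new(MAC_KEY, data, hashlib.sha1).digest()


def build_record(data, padding=None):
    """Plaintext record before CBC encryption: data || MAC || padding || pad_len.

    With padding=None the padding is TLS-style (every byte equals pad_len);
    passing explicit bytes lets the caller model padding altered in transit.
    """
    body = data + record_mac(data)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    if padding is None:
        padding = bytes([pad_len]) * pad_len
    if len(padding) != pad_len:
        raise ValueError(f"padding must be exactly {pad_len} bytes")
    return body + padding + bytes([pad_len])


def _strip_and_verify(record, pad_len):
    body = record[:len(record) - pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if hmac.compare_digest(tag, record_mac(data)) else None


def sslv3_receiver(record):
    """SSLv3 rule: pad_len must be below the block size; padding content is unchecked."""
    pad_len = record[-1]
    if pad_len >= BLOCK or pad_len + 1 + MAC_LEN > len(record):
        return None
    return _strip_and_verify(record, pad_len)


def tls_receiver(record):
    """TLS 1.0+ rule: every padding byte must equal pad_len before the MAC is checked."""
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return None
    if any(b != pad_len for b in record[-(pad_len + 1):]):
        return None
    return _strip_and_verify(record, pad_len)


# Constructed sample: 14 data bytes + 20 MAC bytes + 1 length byte => 5 padding bytes.
DATA = b"GET / HTTP/1.1"
GARBAGE_PADDING = bytes([0x9A, 0x00, 0xFF, 0x42, 0x13])


def demo():
    """Return which receiver accepts canonical padding and which accepts altered padding."""
    canonical = build_record(DATA)
    altered = build_record(DATA, GARBAGE_PADDING)
    return {
        "sslv3_accepts_canonical": sslv3_receiver(canonical) == DATA,
        "tls_accepts_canonical": tls_receiver(canonical) == DATA,
        "sslv3_accepts_altered": sslv3_receiver(altered) == DATA,
        "tls_accepts_altered": tls_receiver(altered) == DATA,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Because the SSLv3 check passes for any padding content as long as the length byte survives, an SSLv3 endpoint leaks whether a modified final block decrypted to a valid length byte; that acceptance behaviour is what the quoted advice to retire SSLv3 on both servers and clients removes, and there is no MAC or cipher change that fixes it within SSLv3 itself.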

Microsoft Security Updates – OCTOBER 2014

Critical security updates for Microsoft Windows, Internet Explorer, Framework, Office and other products became available on Patch Tuesday. Users should update promptly to receive the best protection. So far, no issues have been encountered in early use after installation.