2014 Trustwave Security Pressures Report.pdfData loss worries IT pros more than reputation damage, fines and legal action, but 3 out of 4 think their organization is safe. 58% of respondents said that, following a cyberattack or data breach, customer data theft worries them the most, followed by intellectual property theft at 22%. 12% are worried most about reputation damage, 3% by fines or legal action and 5% of respondents do not believe their organization will fall victim to cyberattacks data breaches. In a separate question, 73% of respondents said they believe their organization is safe from IT security threats, including cyberattacks and data breaches.
2014 Trustwave Security Pressures Report.pdfTargeted malware topped the list of security threats exerting the most pressure on organizations in 2013, while threats from viruses and worms caused the lowest pressure. During 2013, respondents felt increased pressure to keep their organizations secure from (#1) targeted malware, (#2) data breaches, (#3) phishing/ social engineering and (#4) zero-day vulnerabilities, while pressure to protect from (#5) viruses and worms decreased. 64% of respondents said that pressures related to targeted malware/advanced persistent threats (APTs) increased. In the United States and Canada, targeted malware was the top threat IT pros felt pressured to secure against, and in the U.K. and Germany, the top threat was phishing/social engineering. Respondents in each country surveyed said viruses and worms caused the lowest pressure.
In the United States and Canada, targeted malware was the top threat IT pros felt pressured to secure against, and in the U.K. and Germany, the top threat was phishing/social engineering. Respondents in each country surveyed said viruses and worms caused the lowest pressure.
http://wwThe global risk of cyberattacks is a real and growing threat, and could carry a whopping price tag, says McKinsey & Company in a report on enterprise IT security implications released in January 2014.What kind of risk? Organizations worldwide are not "sufficiently protected" against cyberattacks, says McKinsey in its "Risk and responsibility in a hyperconnected world" report.As a result, the price tag—the material effect of slowing the pace of technology and innovation due to a lack of cyberresiliency—could be as high as $3 trillion by 2020. That's the number three, by the way, followed by 12 zeros. And it's a scenario, asserts McKinsey, that senior leadership in the public and private spheres had best pay attention to.The report states that if "attackers continue to get better more quickly than defenders," as is presently the case, "this could result in a world where a 'cyberbacklash' decelerates digitization."The asymmetric effect of a small number of successful attackers, leading to tighter government restrictions, could mean that:the world would capture less of the $10 trillion to $20 trillion available from big data, mobility, and other innovations by 2020—the ultimate impact could be as much as $3 trillion in lost productivity and growth.That is the report's main finding—the global economy has yet to mount an adequate defense against the rise of cyberattacks. McKinsey and the World Economic Forum conducted a survey last year of 200 enterprises, tech vendors, and public sector agencies.The two other findings of the report are that executives in enterprise tech have a consensus on the seven best practices for cyberresiliency, and that cybersecurity is a CEO-level issue.The executive summary, written by McKinsey consultants David Chinn, James Kaplan, andAllen Weinberg, provides valuable information and insights about each of these findings, and I devote the remainder of this article to outlining their results.Main finding: Cyberrisk is a critical social and business issue.The biggest technology risk that organizations in the joint survey face is the "theft of information assets" and the "disruption of online processes." Close to two-thirds of respondents characterized the risk of cyberattack as a "significant issue" with "major strategic implications."Cyberdefenders are "losing ground" to attackers. Almost 80 percent of executives surveyed said their organizations cannot keep up with the "increasing sophistication" of attackers, which include nation-states, criminals, and political "hacktivists."Enterprises do not have the "facts and processes to make effective decisions about cybersecurity." The report surveys the approaches of 60 organizations in detail; of these, 34 percent had a "nascent" maturity level and 60 percent were "developing."Current controls required to protect enterprises from attack are having a "negative business impact." Areas noted are mobile functionality delays, public cloud deployments, and frontline employee productivity. Some CIOs in the survey believe that security requirements drive up activity "as much as 20 to 30 percent" in their organizations.Second finding: Making institutions cyberresilient"All too often," states the report, ominously, "security is the choke-point for any innovative business initiative." In a "hyperconnected world," organizations are more dependent on their information systems, and become more open to cyberattacks.New, as-yet-untested models of security are needed. Nevertheless, executives in the survey displayed "an emerging consensus" on what those models should be. Here are the seven cybersecurity best practices described in the report:Prioritize information assets based on business risks.Provide differentiated protection based on importance of assets.Deeply integrate security into the technology environment to drive scalability.Deploy active defenses to uncover attacks proactively.Test continuously to improve incident responses.Enlist frontline personnel to help them understand the value of information assets.Integrate cyberresistance into enterprise-wide risk-management and governance processes.Third finding: Cyberrisk is a CEO-level issue."The stakes are high," write the authors, since trillions of dollars are at risk. Given the "degree of coordination and cultural change" that robust cybersecurity demands from organizations, it must be addressed by the "most senior business and public leaders" around the globe.According to the report, leaders have to make clear that they expect:an honest, granular assessment of existing capabilities and risks, given their business modelalignment on the most important information assets and a clear approach for providing them with required protectiona road map for getting to a scalable, business-driven cybersecurity operating modela well-practiced set of skills for responding to breaches across business functionsAs a closing thought, it seems that trust is increasingly becoming a necessary operating principle in the digital age. In the wake of spying scandals and corporate data breaches over the past year, people are more concerned about greater risks both to themselves and to organizations.If $3 trillion in lost benefits does not grab your attention, then perhaps we shouldn't talk about robust IT security any further. With the risks we all face, McKinsey is spot-on in its call to mount more active and effective defenses to cyberattacks.w.techrepublic.com/article/cyberattacks-fallout-could-cost-the-global-economy-3-trillion-by-2020/#.
http://www.csoonline.com/article/748580/energy-sector-a-prime-target-for-cyber-attacksFebruary 21, 2014 — CSO — Any government that wants to set priorities for cybersecurity should probably put its energy infrastructure close to the top.[Changeable default passwords are not seen as vulnerabilities by ICS-CERT, but should they be?]If your electricity or fuel supplies are down, it's tough to provide just about anything else. Heat, refrigeration, water, factories, financial services, power equipment, groceries, retail, and entertainment — they all depend on the power grid.So it is no surprise that the energy sector ranks close to the top of targets for cyber attackers. If you really want to cripple anything, from an enterprise to a nation state, take down its power infrastructure.Another reason energy is an increasingly high-risk industry is the variety of attackers interested in it. Candid Wueest, a researcher for security firm Symantec, said in a recent report titled, "Targeted Attacks Against the Energy Sector," that miscreants ranging from so-called script kiddies to rival corporations, hacktivists with a political agenda, hostile insiders, cyber criminals out to make money through sabotage or blackmail and nation states or those acting under their sponsorship are all looking to steal proprietary information or damage the grid.Wueest reported that there were an average of 74 targeted cyberattacks per day between July 2012 and June 2013, with the energy sector accounting for 16.3% of them, which put it in second place behind government/public sector at 25.4%.The U.S. government's Department of Homeland Security (DHS) reported last year that its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to more than 200 incidents between Oct. 2012 and May 2013 — with 53% aimed at the energy sector.There have, so far, not been any successful catastrophic attacks on the grid, and there is ongoing debateabout how high the risk is for what both former Defense secretary Leon Panetta and former Homeland Security secretary Janet Napolitano called a "cyber Pearl Harbor" attack.
http://www.cuinsight.com/target-shoppers-shrug-off-massive-credit-card-data-breach.htmlIt’s understandable that many consumers were shocked and outraged to learn that the credit card info of tens of millions of Target customers was compromised in a data breach during the holiday shopping period. But that outrage hasn’t translated into much action. Consumers say they are worried about being the victims of identity theft and credit card fraud, and with good reason. In the aftermath of high-profile security breaches affecting customers at Target and Neiman Marcus, among other retailers, nearly half of American adults said they are “extremely concerned” about their personal data when paying for goods at stores with plastic, according to a recent Associated Press-GfK poll. The Wall Street Journal reported that financial institutions have spent big bucks—more than $200 million alone in the case of the Target episode—to ease our concerns. The vast majority of that total ($172 million) covers the costs of replacing cards that have been compromised. “Credit unions have replaced or will replace 85% of their cards affected by the Target breach at no cost to their members,” Credit Union National Association Chief Executive Bill Cheney said in a statement, per the WSJ. “The combined $200 million cost borne entirely by banks and credit unions shows the extent to which financial institutions will go to protect their customers and members.” At the same time that consumer sentiment, retailers, and financial institutions all appear to be on the same page that such data breaches are a huge problem, only a small portion of consumers have changed their spending habits to safeguard themselves. In the AP poll, 37% of consumers have paid for goods with cash rather than credit or debit to avoid data theft, and a smaller percentage has taken proactive steps such as changing their retailer website account password or requesting a new credit or debit card. - See more at: http://www.cuinsight.com/target-shoppers-shrug-off-massive-credit-card-data-breach.html#sthash.UG3bQZhg.dpuf
http://nypost.com/2014/02/22/identity-crisis-exploding-with-massive-data-breaches/A stranger takes over someone’s life about once every two seconds.And 1 in 3 of us now already has undesired personal experience with that upsetting fact, according to a new research report.Even worse, that number is certain to grow dramatically this year.Identity theft was a booming criminal enterprise even before the massive data breach over the holidays at Target and other retailers.“Last year, some 13.1 million consumers suffered identity fraud … contributing to the near- record number of … victims,” Javelin Strategy & Research’s 2014 Identity Fraud Report said.But wait, it gets worse. Those numbers don’t include the more than 110 million victims of the holiday breach, which, as it ripples through the population, will send the figures up like a rocket.As a Javelin spokeswoman explained, “Four years ago, the number of identity-fraud victims was 1 in 9, and last year it was 1 in 3. We think the way it is going, and given the … breach, that number will likely increase.”The numbers are mind-boggling. And in the immortal words of Ron Popeil: But wait, there’s more!Losses are also dramatically increasing in online accounts such as eBay and PayPal, the report said.Javelin CEO Jim Van Dyke and others say the greatest danger of identity theft is that consumers are unaware that they’re being swindled. Electronic accounts can be breached, Van Dyke added, and victims “don’t even know that it is occurring for months.” Most financial institutions will cover fraud losses, but only after the victim has notified the financial institution.Financial-services experts say there is nothing a consumer can do when a company’s security has been breached (as happened at Target, for example), but there is still much the individual can do to protect oneself.“Whenever you receive an e-mail out of the blue asking you for a PIN or other vital personal information, never provide it,” said Bill Hardekopf, CEO of LowCards.com.Hardekopf also said that consumers should change PINs from time to time.“Go through your bank and credit-card statements online frequently,” Hardekopf added. “Do you see a charge, maybe a small one, that doesn’t make sense? Check it. It could be a crook who is trying to see if he can get a charge through. The next time he’ll probably try to charge a home-entertainment system against your account.”Hardekopf points out that another place to detect fraud is in one’s credit report.“People could be opening up new accounts under your name,” Hardekopf warns. “And that could be driving down your credit rating. You’ll only know if you check your rating on a regular basis.”
http://www.burlingtoncountytimes.com/business/irs-warns-about-scams/article_8d01916b-1af0-5960-8790-7991ef0bc20a.htmlIdentity theft again is the top scam, the agency said.Identity theft occurs when someone uses personal information, such as the name, Social Security number or other identifying information without the consumer’s permission, to commit fraud or other crimes. In many cases, an identity thief uses a legitimate taxpayer’s identity to fraudulently file a tax return and claim a refund. The agency’s work on identity theft and refund fraud continues to grow. For the 2014 filing season, the IRS has expanded its efforts to better protect taxpayers and help victims.The IRS has a special section on IRS.gov dedicated to identity theft issues, including YouTube videos, tips for taxpayers and an assistance guide. For victims, the information includes how to contact the IRS Identity Protection Specialized Unit. For other taxpayers, there are tips on how they can protect themselves against identity theft.Taxpayers who believe they are at risk of identity theft because of lost or stolen personal information should contact the IRS immediately so it can take action to secure their tax account. Taxpayers can call the IRS’ Identity Protection Specialized Unit at 800-908-4490. More information can be found on the special identity protection page.Following are the other scams, according to the IRS:The IRS has seen a recent increase in local phone scams across the country, with callers pretending to be from the IRS in hopes of stealing money or identities from victims.Phishing is a scam conducted with the help of unsolicited email or a fake website that poses as a legitimate site to lure potential victims and prompt them to provide valuable personal and financial information. Armed with this information, a criminal can commit identity theft or financial theft.Return preparer fraud, the IRS says, is another trick. About 60 percent of taxpayers will use tax professionals this year to prepare their returns. Most preparers provide honest service. Some unscrupulous preparers prey on unsuspecting taxpayers, however, and the result can be refund fraud or identity theft.Impersonation of charitable organizations is another long-standing type of abuse or fraud that occurs in the wake of significant natural disasters.Other scams are hiding money offshore; false promises of “free money” from inflated refunds; false income, expenses or exemptions; frivolous arguments; falsely claiming zero wages or using false Form 1099; abusive tax structures; and misuse of trusts.The IRS reminds taxpayers that tax scams can take many forms beyond the “dirty dozen,” and to be vigilant. More information on tax scams is available at IRS.gov.
http://online.wsj.com/news/articles/SB10001424052702304419104579324902602426862The holiday data breach at Target appeared to be part of a broad and highly sophisticated hacking campaign against multiple retailers, according to a report prepared with the U.S. government. Danny Yadron reports. Photo: Getty Images. The holiday data breach at Target Corp. TGT -0.67% appeared to be part of a broad and highly sophisticated international hacking campaign against multiple retailers, according to a report prepared by federal and private investigators that was sent to financial-services companies and retailers.The report offers some of the first details to emerge about the source of the attack that compromised 40 million credit- and debit-card accounts and personal data for 70 million people. It also provided further evidence the attack on Target during peak holiday shopping was part of a concerted effort by skilled hackers.Enlarge Image Investigators wouldn't say how Target's network was breached. Associated Press Parts of the malicious computer code used against Target's credit-card readers had been on the Internet's black market since last spring and were partly written in Russian, people familiar with the report said. Both details suggest the attack may have ties to organized crime in the former Soviet Union, former U.S. officials said.Investigators wouldn't say how Target's network was breached, but the software virus injected into its payment-card devices couldn't be detected by any known antivirus software, according to the report. The virus's authors included additional features to hide that they were collecting copies of data from the magnetic stripes on Target customers' payment cards and concealing it within Target's systems.Working with Dallas cybersecurity company iSight Partners Inc., the U.S. Department of Homeland Security recently sent these findings to financial-services and retail companies in a secret memo on the attackers. On Thursday, iSight released its own version of the report that included some of the same data.Introducing WSJD, the Journal's new home for tech news, analysis and product reviews.The Rise of China's Innovation MachineManjoo: Will Net Neutrality Ruling Make Web More Like Cable?Fowler: Mac Pro Is a LamborghiniSecrets Your Phone Is Sharing About You"What's really unique about this one is it's the first time we've seen the attack method at this scale," said Tiffany Jones, a senior vice president at iSight. "It conceals all the data transfers. It makes it really hard to detect in the first place."Ms. Jones declined to elaborate on the specific attack method these hackers used, citing a continuing government investigation.A Department of Homeland Security official confirmed it is working with iSight. The agency often works with private-sector partners. Financial-services industry officials confirmed they received the report. A Target spokeswoman said she didn't have any details at this time.ISight and DHS declined to name other companies that fell victim to the attack. But former U.S. officials and people close to the investigation said it isn't limited to Target. "The intrusion operators displayed innovation and a high degree of skill," the iSight report says.For instance, the virus tries to steal credit-card data during prime business hours—between 10 a.m. and 5 p.m. local time—and stores these inside an internal Target server later raided by hackers.Meanwhile, on Thursday, Neiman Marcus Group's Chief Executive Karen Katz apologized to customers about the theft of shopper credit- and debit-card data over the holiday period. The luxury retailer said there is no indication its security breach, which also involved malware, was related to Target's.Ms. Katz didn't disclose how many shopper payment cards were affected, at which stores data was compromised or how long the breach occurred. Social-security numbers, birth dates or personal identification numbers aren't thought to have been compromised, the company said.The company offered a clearer timeline of the discovery of the data breach. It was notified in mid-December that some credit cards used at their stores were racking up fraudulent charges. Working with forensic investigators and the U.S. Secret Service, the company discovered evidence on Jan. 1 that the company had a cybersecurity intrusion.Neiman's attack only happened in its stores and doesn't at this time appear to have affected online shoppers.The luxury retailer is offering one year of free credit monitoring for anyone who shopped at its stores over the past year using a credit or debit card. Target made a similar offer to its customers.
For nearly the last month, iSIGHT Partners has partnered closely with the U.S. Secret Service (USSS) to characterize a Point-of-Sale (POS) Trojan. The scope of this partnership included providing relevant cyber threat intelligence related to possible attribution and, of course, an extensive malware analysis and extended code research. At this point, iSIGHT Partners has a deeply comprehensive understanding of the entire code family as well as that from several other victims not yet identified publicly. Additionally, iSIGHT Partners has visibility into the forums where these malware tools are discussed and advertised and the criminal marketplace where these stolen credit cards are being commoditized. At iSIGHT Partners, each contractual relationship comes with an expectation and promise of client privacy while also promoting community sharing. The USSS has permitted us to share limited details surrounding these types of attacks to aid you in defending your network and determine if you may also be a victim. In the interest of advancing the defensive posture of your network, iSIGHT Partners is extending the courtesy of its report, which is attached to this e-mail. Please do not distribute this report outside of your organization. Should others want a copy of iSIGHT's report, please ask that they contact iSIGHT directly. In addition, the Department of Homeland Security (DHS) and Financial Services Information Sharing Analysis Center (FS-ISAC) has released a combined-credit TLP-GREEN report citing the work of the U.S. Secret Service and iSIGHT Partners detailing additional components of the malware for the same purpose. The DHS/FS-ISAC report provides relevant characterizations into how the malware operates and additional tools that enabled the attacks. iSIGHT Partners has confirmed that the high-profile point-of-sale (POS) compromise involved the use of a new malware variant, dubbed "Trojan.POSRAM," which is designed to extract payment card details from POS systems. The report also briefly describes POS malware relative to the Cyber Crime landscape including several other POS malware packages observed in use in recent years. The appendices contain information on recommended mitigation strategies and a technical analysis of the malware itself including consumable technical indicators. If you have any additional questions pertaining to this report or wish to contact iSIGHT Partners about how an actionable and relevant cyber threat intelligence partnership can further enable your organization’s security posture, please contact email@example.com. From: Ulf Mattsson [mailto:firstname.lastname@example.org] Sent: Saturday, February 22, 2014 4:52 PM
http://www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/Millions of U.S. citizens had their financial information and personal data stolen due to a security breach at Target, and it may be that a phishing email campaign is to blame.Reported by cybersecurity expert Brian Krebs on Wednesday, a third-party heating and air-conditioning contractor may have provided the avenue for infiltration of Target systems -- thanks to a phishing email campaign that at least one employee succumbed to.The breach at U.S. retailer Target -- taking place in November 2013 -- resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information. In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers.The data theft was caused by the installation of malware on the firm's point of sale machines, thought to be accessed via third-party vendors with security flaws in their systems, which provided the bridge for hackers to break in to Target.The subsequent file dump containing customer data is reportedly flooding the black market, where it could be used to pilfer cash from accounts, be the starting point for the manufacture of fake bank cards, or provide data required for identity theft.According to Krebs, sources close to the investigation say that credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email. Believed to have begun two months before the subsequent data theft, the campaign has been linked to the Citadel malware -- a password stealing program related to the Zeus banking trojan.In a statement (.pdf), Fazio said it could not comment on the technical details of the breach, but admitted the firm was "a victim of a sophisticated cyber attack operation," and "is not the subject of the federal investigation." In addition, Fazio maintains its IT system and security measures are in "full compliance" with industry practices.However, as Krebs notes, the firm's primary security protection was through the free version of Malwarebytes Anti-Malware. While suitable for individual consumers and good as a clean-up program, the free version is not permitted for use on corporate systems and should not be used as a sole provider of protection -- especially on business networks -- as it does not provide a real-time scanner unless the Pro version is purchased.Target is currently working with the U.S. Secret Service and FBI to investigate the breach and attempt to track down the cyberattacks. However, the retailer is not alone as a high-profile victim of cyberattack -- in January, U.S. retailer Neiman Marcus Group admitted its own security breachwhich resulted in credit card scraping of 1.1 million customers.
It’s next to impossible to stop data leakage. You can’t beat it completely,”, but using Old security is like "boiling the ocean" since you are trying to “patch” all possible data paths and sensitive data stores, and you may not even find a trace of the attack.2014 Trustwave Security Pressures Report.pdf
http://searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breachFBI warns of memory-scraping malware in wake of Target breachBrandan Blevins, News Writer Published: 24 Jan 2014The U.S. Federal Bureau of Investigation last week provided select retailers with a confidential, three-page document warning them to expect more cyberattacks like those that recently hit Target Corp. and Neiman Marcus, according to a report by Reuters.In its warning titled, "Recent Cyber Intrusion Events Directed Toward Retail Firms", the FBI said in the past year it has uncovered around 20 cases of cyberattacks against retailers year that utilized similar methods to those uncovered in the Target incident. The agency pointed to "memory-parsing" malware, more commonly referred to as RAM scrapers or memory-scraping malware, as the source of the infections on point-of sale (POS) systems. RAM-scraper software scans memory in search of track data from payment cards that may be unencrypted."We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the FBI in the report, seen by Reuters. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors."The FBI pointed to Alina, a variant of POS malware, as an example of the increasingly sophisticated threats targeting retailers' aged and often inadequately secured point-of-sale systems. Alina enables attackers to perform remote upgrades, which reportedly makes identifying and removing it more difficult for IT security teams.The FBI's warning comes after Minneapolis, Minn.-based Target admitted in December that criminals had stolen information on approximately 40 million credit and debit card numbers, immediately making it one of the largest data breaches in retail history. Through its investigation of the breach, the company later divulged that up to 70 million customers' personal data, including email addresses and phone numbers, had also been compromised in the same attack, though Target never clarified the possible overlap between the two sets of data.Dallas-based luxury retailer Neiman Marcus admitted this month that about 1.1 million payment cards had been compromised at its stores from July 16 to October 30 of last year. In a letter to U.S. Senator Richard Blumenthal (D – CT), Neiman Marcus CIO Michael R. Kingston said that 2,400 cards stolen as part of the breach had been used so far and described the malware that infected the company's point-of-sale systems as "complex".On Feb. 4, the commerce, manufacturing and trade subcommittee of the U.S. House of Representatives committee on energy and commerce will hold hearings on data breaches and their effect on consumers. Target is expected to testify about its own breach."By examining these recent breaches and their consequences on consumers, we hope to gain a better understanding of the nature of these crimes and what steps can be taken to further protect information and limit cyber threats," said House subcommittee chairman Lee Terry (R – NE).
http://www.usatoday.com/story/cybertruth/2014/02/03/hacking-of-point-of-sales-systems-escalates/5060523/SEATTLE – Researchers at RSA's First Watch cybersecurity team have unearthed evidence of another ring of data thieves focusing on retailers, akin to the gang that tapped into the point-of-sales systems at Target, Neiman-Marcus and Michaels. That gang used a memory parsing program called POSRAM. This most recently discovered ring of thieves makes use of a similar piece of malware dubbed ChewBacca. CyberTruth asked senior security researcher YotamGottesman to break it down.CT: So to be clear, this is a different gang than the one responsible for the Target breach, correct?Gottesman: The cybercriminals using ChewBacca do not appear to be connected to the gang that attacked Target, Neiman-Marcus and Michael's. Large scale breaches almost always entail a combination of attacks that happen over a longer time . ChewBacca is but one of the tools being used by cybercriminals targeting retail POS systems.CT: It's been reported that the Target attackers used POSRAM. Is ChewBacca similar?Gottesman: There was no relation found between ChewBacca and POSRAM. ChewBacca is developed independently. The memory scraping method may very well be the same, and similar to other POS malware in the wild.CT: What have you learned about the server infrastructure supporting ChewBacca?Gottesman: The infrastructure consists of a single server collecting all of the data. This server is most likely a virtual private server hosted at some hosting company. The server now appears to be offline, this might be an act made by the hosting company after being informed of the fraudulent activity.CT: Can you tell specifically what functions the server was used for: command and control, malware delivery, data storage etc?Gottesman: The server found in this case was used solely for collecting and storing data, along with a web panel that provides search capabilities. ChewBacca seems to be a Trojan in development, which means that the server-side may very well be developed to support more advanced command and control over the bots.CT: What happens next? How will this intel help stop the bad guys?Gottesman: This threat intelligence indicates a major and accelerating trend in the malware market, due to its relative simplicity and high return on investment. It also reveals the way the theft is technically being executed.We hope this information will help raise awareness among retail organizations, payment processors and POS system developers so they can take steps to enhance their security.We're seeing this type of memory-scraping malware increase in popularity because of its effectiveness and the fact that POS systems represent a very large attack surface with a low risk and high volume payoff for cybercriminals.
http://www.pcworld.com/article/2088920/target-credit-card-data-was-sent-to-server-in-russia.htmlThe stolen credit card numbers of millions of Target shoppers took an international trip—to Russia.A peek inside the malicious software that infected Target’s POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history.Findings from two security companies show the attackers breached Target’s network and stayed undetected for more than two weeks.“The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity,” according to a Jan. 14 report from iSight Partners, a Dallas-based information security company.Security company Seculert found that data stolen in the Target breach was received by a compromised U.S. server, then sent to a Russian server.Over two weeks, the malware collected 11GB of data from Target’s POS terminals, said Aviv Raff, CTO of the security company Seculert, in an interview via instant message on Thursday. Seculert analyzed a sample of the malware, which is circulating among security researchers.The data was first quietly moved to another server on Target’s network, according to awriteup on Seculert’s blog. It was then transmitted in chunks to a U.S.-based server that the attackers had hijacked, Raff said.Logs from that compromised server show the data was moved again to a server based in Russia starting on Dec. 2. Raff said it’s difficult to say if the attackers are based in Russia.“No one knows who is really behind this,” he said.iSight is working with the Secret Service to look into the Target breach, which compromised payment card and personal details of up to 110 million people between Nov. 27 and Dec. 15, 2013, the busiest shopping time of the year.A U.S. Department of Homeland Security spokesman said Thursday that a separate, private report with input from iSight and government agencies on the Target compromise could not be publicly released.Target has not revealed how intruders breached its network but said that its POS terminals were infected with malware.In its Jan. 14 analysis, iSight wrote that the “Trojan.POSRAM” malware collected unencrypted payment card information just after it was swiped at Target and while it sat in a POS terminal’s memory. The type of malware it used is known as a RAM scraper.The code of “Trojan.POSRAM” bears a strong resemblance to “BlackPOS,” another type of POS malware, iSight wrote. BlackPOS was being used by cyberattackers as far back as March 2013.At the time of its discovery, Trojan.POSRAM “had a zero percent antivirus detection rate, which means that fully updated antivirus engines on fully patched computers could not identify the software as malicious,” iSight said.Small code changes are often made to malware to make it undetectable to security products, which appears to have been done in this case.Although Trojan.POSRAM and BlackPOS are similar, the Target malware contains a new attack method that evades forensic detection and conceals data transfers, making it hard to detect, iSight wrote on its website.Target’s problems point to the difficulties of defending large, Internet-connected networks, said Levi Gundert, a former Secret Service agent and now a technical lead for threat research, analysis and communications at Cisco.“It’s literally impossible to prevent unauthorized access to the network,” Gundert said in a phone interview.
http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdfMemory ScrapersAttacks using memory scrapers can target any application that processes credit card numbers; they’re often multistaged, including separate discovery and capture tools. In the past, memory scraping often required the attacker to have a small amount of target environment knowledge to configure the capture tool. The trend in 2012 was toward generic discovery tools that could identify the desired information in a list of preconfigured processes or all running processes on the affected system. This generic data targeting technique is simple but very effective. The quality and accuracy of a tool’s discovery and capture mechanisms can assist in linking cases. Simplistic searches for cardholder data can yield a lot of results, but can also result in false positives, forcing the attacker to waste time collecting useless data. Alternatively, the attacker can use a pattern that targets data more accurately at the expense of computational power and adherence to expected format. In addition to tools, automation scripts can reveal a wealth of information about the attacker and their sophistication.
It’s next to impossible to stop data leakage. You can’t beat it completely,”, but using Old security is like "boiling the ocean" since you are trying to “patch” all possible data paths and sensitive data stores, and you may not even find a trace of the attack.2014 Trustwave Security Pressures Report.pdf
It’s next to impossible to stop data leakage. You can’t beat it completely,”, but using Old security is like "boiling the ocean" since you are trying to “patch” all possible data paths and sensitive data stores, and you may not even find a trace of the attack.New proactive security approaches are assuming that you are under attack and focus on protecting the data itself, across the entire data flow, even in computer memory. The highly sensitive data must be protected. For example, we know that home address and email is already used by fraudsters in the Target case.Money2020 is saying that "Tokenization has been a hot topic lately" and "In a tokenization scheme, even if a hacker has access to several PAN-token pairs, the tokenization algorithms should be complex enough so that no perfect translation can be reverse engineered." at http://money2020.com/blog/tokenization-%E2%80%93-why-what-how-and-who .I also found some good news in a report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than credit card data. The name of the study is "Tokenization Gets Traction".
New proactive security approaches are assuming that you are under attack and focus on protecting the data itself, across the entire data flow, even in computer memory. The highly sensitive data must be protected. For example, we know that home address and email is already used by fraudsters in the Target case.Money2020 is saying that "Tokenization has been a hot topic lately" and "In a tokenization scheme, even if a hacker has access to several PAN-token pairs, the tokenization algorithms should be complex enough so that no perfect translation can be reverse engineered." at http://money2020.com/blog/tokenization-%E2%80%93-why-what-how-and-who .I also found some good news in a report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than credit card data. The name of the study is "Tokenization Gets Traction".
http://news.medill.northwestern.edu/chicago/news.aspx?id=228123Chip-and-PIN technology offers solution to data breaches but isn't foolproofBY SHELBY LIVINGSTONFEB 19, 2014Following the recent string of large-scale retail data breaches, the Obama administration, industry leaders and consumers are calling for alternative payment card technologies in the U.S.Experts say embedded chip technology, known as chip-and-PIN or EMV, is more secure than the current magnetic stripe technology characteristic of American credit and debit cards and will reduce the amount and impact of payment fraud in the U.S. exponentially.“People are starting to look to chip-and-PIN, or EMV, as a standard. Most people will tell you that it reduces chances of a data breach,” said Paula Rosenblum, a retail analyst at RSR Research. But some experts caution that the technology isn’t 100 percent foolproof.Widely used throughout Europe and Canada, EMV cards, named for developers Europay, MasterCard and Visa, are embedded with a micro-chip containing the cardholder’s data and require a personal identification number for each transaction. U.S. card issuers have stated their intent for a mass rollout of EMV technology. Currently, major card companies have issued an estimated 15 million EMV cards, representing only 2 percent of the 1.2 billion U.S.-issued cards, according to the Smart Card Alliance. The cards distributed are mostly intended for use abroad, as systems in the U.S. aren’t capable of reading the data.But the overhaul is fast coming. “This is the first time that a data breach has created a rabid response,” Rosenblum said. “Now it’s a different world. It’s a defining moment. This is the first time the customers said, ‘this is awful.’”Illinois Attorney General Lisa Madigan released her annual list of top consumer complaints Feb. 11, citing identify theft as the fastest growing category. The attorney general’s office reportedly received 3,009 complaints of identify theft in 2013, which Madigan attributed in part to the massive breach at Target Corp. At a hearing on Feb. 5 before the U.S. House of Representatives Subcommittee on Commerce, Manufacturing and Trade, Madigan testified, “We have become too accustomed to their occurrence, and it is time the government and the private sector take serious, meaningful actions to curb this growing problem.”The government is beginning to take those steps: During a Senate Judiciary Committee Hearing on Feb. 4, the Obama administration stated its support for a tighter security standard that requires businesses to report theft quickly. At the same hearing, Target Chief Financial Officer John Mulligan testified that the company would accelerate its $100 million program to replace current payment systems and proprietary debit cards with chip-enabled technology.The current standard for protection in the U.S. is the Payment Card Industry Data Security Standard, or PCI DSS, a set of requirements meant to protect credit card information by ensuring that all processes are carried out securely. The retailers recently attacked were PCI compliant, but experts say it’s not enough.Investigations into the data breaches have revealed the growing sophistication of cyber criminals. Cyber criminals can “easily create cloned cards” from magnetic stripe data, which is a “big business with big profits,” said Randy Vanderhoof, executive director of Smart Card Alliance“This is not Target being negligent and not having any security,” said Shirley Inscoe, a senior fraud analyst at Boston-based business and technology consulting firm Aite Group. But, she added, “It requires that retailers take a holistic look at their security and ensure that they have multiple methods of protecting against these types of attacks.”Over the 2013 holiday season, a cyber attack carried out by Russian hackers affected up to 110 million Target customers, making it the second largest retail data breach to date.In other cases, luxury retailer Neiman Marcus issued a statement that a data breach carried out in 2013 may have affected up to 1.1 million individuals. Sports equipment and clothing maker Easton-Bell Sports said hackers stole credit card information of 6,000 online shoppers during December. In addition, arts and craft store chain Michaels proposed the possibility of an attack, but has not confirmed it.Historically, retailers, banks and credit card services have struggled to come to a consensus regarding U.S. payment technologies. One reason is the cost: the price tag for a complete EMV rollout will cost billions of dollars. Every debit and credit card will have to be replaced, as well as point-of-sale systems in retail stores, Inscoe said.Credit card companies were slowly beginning the EMV implementation in 2013 when the U.S. District Court in Washington ruled against the Federal Reserve’s plan to provide incentives to companies that invest in fraud prevention. “Most of the issuers I’ve spoken with said they were ready to do the rollout,” Inscoe said. “Judge Leon’s ruling literally stopped EMV’s rollout in its tracks.”Major credit card companies have placed a deadline on U.S. merchants to adopt EMV technology by October of 2015, or face increased liability of fraud. Mastercard recently issued a statement reiterating this stance.Of course, retail data breaches are nothing new. In past cyber attacks, banks simply paid the fines and people moved on. For instance, the 2007 attack on TJX Companies Inc., owner of T.J. Maxx and Marshall’s stores, affected more than 90 million customers and ended up costing the company $50 million. But this time, it’s different—it’s personal.“Every household in America knows Target,” Inscoe explained “Not everybody shops at TJX stores. I think the fact that it happened during the holiday season had a little to do with it. And I think as a society, our consumers are much more aware of fraud and wary of fraud than they have been before. They are saying enough it enough.”Nevertheless, some experts doubt if lasting change will result from an EMV overhaul. Inscoe said no payment system in the world is 100 percent secure.“I agree that rolling out EMV in the U.S. will help combat fraud, but EMV cards are not a silver bullet nor would their rollout have avoided data breaches at Target, Neiman Marcus, Michael’s, etc.,” Inscoe said. Rosenblum disagreed, saying EMV would have solved the last breach, though it’s only “a start.” She said, “It’s starting to look as though it’s going to become impossible to prevent data breaches. I’m not sure we can build a wall high enough to prevent from breaching that wall.”
Who is the Next Target
How is Big Data Related?
ulf . mattsson [at] protegrity . com
Data loss worries IT pros most
Source: 2014 Trustwave Security Pressures Report
Targeted Malware Topped the Threats
62% said that the pressure to protect from data breaches also increased over the past year.
Source: 2014 Trustwave Security Pressures Report
US and Canada - Targeted Malware Top Threat
In the United States and Canada, targeted malware was the top threat IT pros felt pressured to
secure against, and in the U.K. and Germany, the top threat was phishing/social engineering.
Respondents in each country surveyed said viruses and worms caused the lowest pressure.
Source: 2014 Trustwave Security Pressures Report
The Cost of Cyber Crime
Source: Symantec 2013
Risk of Cyberattacks is a Real and Growing Threat
Organizations worldwide are not "sufficiently
protected" against cyberattac
Cyberattacks fallout could cost the global economy
$3 trillion by 2020
The report states that if "attackers continue to get
better more quickly than defenders," as is presently
the case, "this could result in a world where a
'cyberbacklash' decelerates digitization."
Source: McKinsey report on enterprise IT security implications released in January 2014.
Energy Sector a Prime Target for Cyber Attacks
74 targeted cyberattacks per day between July 2012 and June
2013, with the energy sector accounting for 16.3% of them, which
put it in second place behind government/public sector at 25.4%.
The U.S. government's Department of Homeland Security (DHS)
reported last year that its Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT) responded to more than
200 incidents between Oct. 2012 and May 2013 — with 53%
aimed at the energy sector.
There have, so far, not been any successful catastrophic attacks
on the grid, and there is ongoing debate about how high the risk is
for what both former Defense secretary Leon Panetta and former
Homeland Security secretary Janet Napolitano called a "cyber
Pearl Harbor" attack.
Half of Americans Worry about Identity Theft
The Wall Street Journal reported that financial
institutions have spent big bucks—more than $200
million alone in the case of the Target episode—to
ease our concerns
• The vast majority of that total ($172 million) covers the
costs of replacing cards that have been compromised
Half of American adults said they are ―extremely
concerned‖ about their personal data when paying
for goods at stores with plastic, according to a
recent Associated Press-GfK poll
Identity Theft Exploding with Massive Data Breaches
―Last year, some 13.1 million consumers suffered identity fraud,‖
Those numbers don’t include the more than 110 million victims of the
holiday breach, which, as it ripples through the population, will send
the figures up like a rocket
A stranger takes over someone’s life about once every two seconds
And 1 in 3 of us now already has undesired personal experience with
that upsetting fact, according to
Even worse, that number is certain to grow dramatically this year
―Four years ago, the number of identity-fraud victims was 1 in 9, and
last year it was 1 in 3. We think the way it is going, and given the …
breach, that number will likely increase.‖
Source: Javelin Strategy & Research’s 2014 Identity Fraud Report and
IRS Warns about Identity Theft
In many cases, an identity thief uses a legitimate
taxpayer’s identity to fraudulently file a tax return
and claim a refund
The agency’s work on identity theft and refund fraud
continues to grow. For the 2014 filing season, the
IRS has expanded its efforts to better protect
taxpayers and help victims
Taxpayers can call the IRS’ Identity Protection
Specialized Unit at 800-908-4490
iSIGHT partnered with the U.S. Secret Service
iSIGHT Partners has a
understanding of the
entire code family as
well as that from
several other victims
The USSS has
permitted us to share
types of attacks
How The Breach at Target Went Down
Credentials were stolen from Fazio Mechanical in a malwareinjecting phishing attack sent to employees of the firm by
Resulted in the theft of at least 40 million customer records containing
financial data such as debit and credit card information.
In addition, roughly 70 million accounts were compromised that
included addresses and mobile numbers.
The data theft was caused by the installation of malware on
the firm's point of sale machines
Free version of Malwarebytes Anti-Malware was used by Target
The subsequent file dump containing customer data is
reportedly flooding the black market
could be used to pilfer cash from accounts, be the starting point for
the manufacture of fake bank cards, or provide data required for
Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-creditcard-records-from-target-7000026299/
FBI warns of Memory-scraping Malware in wake of
In its warning titled, "Recent Cyber Intrusion Events
Directed Toward Retail Firms", the FBI said in the past
year it has uncovered around 20 cases of cyberattacks
against retailers year that utilized similar methods to
those uncovered in the Target incident
"We believe POS malware crime will continue to grow
over the near term, despite law enforcement and
security firms' actions to mitigate it," said the FBI in the
report, seen by Reuters
Researchers: Another ring of Attackers on Retailers
Researchers at RSA's First Watch cybersecurity
• Similar to the gang that tapped into the point-of-sales
systems at Target, Neiman-Marcus and Michaels
• That gang used a memory parsing program called
• This most recently discovered ring of thieves makes use
of a similar piece of malware dubbed ChewBacca
Malware Collected 11GB of Data from Target
The stolen credit card numbers of millions of Target
shoppers took an international trip—to Russia
―The intrusion operators displayed innovation and a
high degree of skill in orchestrating the various
components of the activity,‖ according to a Jan. 14
report from iSight Partners, a Dallas-based
information security company.
Security company Seculert found that data stolen in
the Target breach was received by a compromised
U.S. server, then sent to a Russian server.
Memory Scraping Malware – Target Breach
Point Of Sale Application
Memory Scraping Malware
Attacks using memory scrapers
Attacks using memory scrapers can target any
application that processes credit card numbers
In the past, memory scraping often required the
attacker to have a small amount of target
environment knowledge to configure the capture
• The trend is toward generic discovery tools that could
identify the desired information in a list of preconfigured
processes or all running processes
2014 Trustwave Security Pressures Report
• The rate and sophistication of malware and data breaches
continue to accelerate, a trend that is proving seemingly
impossible for businesses to counter.
• Used at Target: 110 million …
• It’s next to impossible to stop data leakage.
• You can’t beat it completely
• detecting or intercepting related malware-dropping attacks
aimed at those POS devices may be quite difficult to detect.
• That's because attackers can use antivirus evasion
techniques or packing tools to give the malware
executable a never-before-seen checksum.
Old Security Approaches
Old security is like "boiling the ocean―
• Since you are trying to ―patch‖ all possible data paths and
sensitive data stores, and
May not even find a trace of the attack.
• Data leaks
Is it Impossible to Prevent Data Breaches?
Chip-and-PIN or EMV, is more secure than the current
magnetic stripe technology
Cyber criminals can ―easily create cloned cards‖ from
magnetic stripe data
Major credit card companies have placed a deadline on
U.S. merchants to adopt EMV technology by October of
2015, or face increased liability of fraud
Use Big Data to Analyze Abnormal Traffic Pattern
Point Of Sale Application
Memory Scraping Malware
Reactionary vs Proactive Data Security
Don’t just fix yesterdays problems
Compliance vs Security
Think like a hacker
Malware & Memory Scraping
Protect the Data Flow with Tokenization
Use Big Data to Analyze Data Traffic
What is Big Data?
• Designed to handle the emerging ―4 V’s‖
• Massively Parallel Processing (MPP)
• Elastic scale
• Usually Read-Only
• Allows for data insights on massive, heterogeneous
• Includes an ecosystem of components:
Has Your Organization Already Invested in Big Data?
Sensitive Data Insight & Usability
Big Data and Cloud environments are designed for
access and deep insight into vast data pools
Data can monetized not only by marketing
analytics, but through sale or use by a third party
The more accessible and usable the data is, the
greater this ROI benefit can be
Security concerns and regulations are often viewed
as opponents to data insight
Big Data Vulnerabilities and Concerns
Big Data (Hadoop) was designed for data access,
Security in a read-only environment introduces new
Massive scalability and performance requirements
Sensitive data regulations create a barrier to
usability, as data cannot be stored or transferred in
Transparency and data insight are required for ROI
on Big Data
Attacks on Big Data – Honey Pot
The honey pot idea is a 10+ years old trick based
on fake data (in a pot) and redirection of requests:
• Great for monitor what attackers are doing.
• A modern approach should be based on tokenization
with fake data ―everywhere‖ instead of in ―a pot‖.
Attacks on Big Data – Perimeter & Encryption
The old perimeter security and encryption :
• The discussion should be how to ―balance between
security and insight‖.
Attacks on Big Data – Access Control
The challenge of maintaining a ―classic‖ access
• The ―new approach‖ should be based on building the
protection into the data (tokenization)
• Not be based only on preventing access to data
Attacks on Big Data – Data Inference
The ―data inference‖ (re-identification) problem:
• New problem
• Not a Big Data problem
A ―balance between security and insight‖ is the right
The de-tokenization-policy should evaluate
combination of data fields that are accessed over
Attacks on Big Data – Analytical Tools
The ―the lack of analytical tools‖
• Can it prevent an attacker from finding sensitive data?
Attackers are simply looking for sensitive records
• Not interested in advanced analytical results.
The attacker will find points in the data flow where
sensitive data is easier to find
Old and flawed:
levels so people
can only carry
out their jobs
Applying the protection profile to
the content of data fields allows
for a wider range of authority
How the New Approach is Different
levels – Least
Privilege to avoid
lower risk in data
Reduction of Pain with New Protection Techniques
Input Value: 3872 3789 1620 3675
Strong Encryption Output: !@#$%a^.,mhu7///&*B()_+!@
Format Preserving Encryption
8278 2789 2990 2789
8278 2789 2990 2789
Greatly reduced Key
8278 2789 2990 2789
Fine Grained Data Security Methods
Vault-based vs. Vaultless Tokenization
No replication required.
Practically impossible to
Easy to deploy at different
geographically distributed locations.
Prone to collisions.
Will adversely impact
performance & scalability.
Little or no latency. Fastest industry
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY
The Future of Tokenization
PCI DSS 3.0
• Split knowledge and dual control
PCI SSC Tokenization Task Force
• Tokenization and use of HSM
Card Brands – Visa, MC, AMEX …
• Tokens with control vectors
• Tokenization and use of HSM
Security of Different Protection Methods
Speed of Different Protection Methods
Transactions per second*
10 000 000 1 000 000 100 000 10 000 1 000 -
*: Speed will depend on the configuration
How Should I Secure Different Data?
Personally Identifiable Information
Proven enterprise data security
software and innovation leader
Sole focus on the protection of
Continuing to Drive Innovation
Financial Services, Insurance,
Telecommunications, Media and
Retail, Hospitality, Travel and
Manufacturing and Government