Monday, October 26, 2015

TalkTalk Hack: Leaves 400K Customers as Latest Victims in Identity Theft

“Names, records, bank details, and dates of birth: the full extent of the breach,” say Paul Sandle and Erich Auchard of Reuters, “has yet to be discovered, but the potential is huge, affecting up to 4M customers.”

The breach happened on Wednesday, October 21st, and resulted from a cyber attack characterized by the BBC as a Distributed Denial of Service (DDoS) attack.

TalkTalk immediately pulled down all its websites and began a full investigation that included London’s Metropolitan Police Cyber Crime Unit.

Email servers returned to operation that afternoon, once the provider was confident their email had not been compromised.

In an October 23rd BBC News interview, TalkTalk chief executive, Dido Harding, announced the breach.

Customers learned of the breach through BBC News, a blast email, and regular mail. To compensate victims, TalkTalk is providing one year of free credit monitoring.

Harding, who is also a TalkTalk customer, is encouraging customers to do the following:

-- change passwords
-- take advantage of the credit-monitoring service
-- report any suspicious activity
-- not disclose passwords or personal details

“Customers have expressed their frustration,” reports Rory Cellan-Jones, of the BBC, “with what is the third cyber-attack to affect TalkTalk over the past 12 months.”

Sadly, “the database in question appears related to customers who have recently undergone credit checks for new service with the company.”

It sounds painfully similar to the T-Mobile Experian breach that took place earlier this month. On Saturday, Reuters reported that the criminals had been unable to steal money.

Cybercrime Syndicates

Krebs on Security learned from an anonymous source that “the hacker group responsible for the breach is demanding £80,000 ransom—payable in Bitcoin. The group provided customer database tables as evidence.”

[Image courtesy KrebsonSecurity]

A number of collectives are claiming responsibility for the breach, but neither law enforcement nor TalkTalk have released names of potential suspects.

You can get a good look at how developed these syndicates have become by checking out the link Krebs posted to the AlphaBay dark market thread on Reddit. The group outlines incentive levels for vendors.

They propose exit strategies for selling hacked data, including how to follow chain of custody for encryption keys.

Our Current Advanced Threat Landscape

Firewalls and password encryption can only take you so far.

Paolo Passeri of Hackmageddon provides a timeline of the evolution of malware. The slide appears in a recent presentation, Multi-Layered Approach Against Advanced Threats.

[Image: Evolution of Malware, courtesy CISCO and Hackmageddon]

Notice the emergence of spyware and rootkits in 2005. This is how criminals do recon.

Spyware: software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive.

Rootkit: a set of software tools that enable an unauthorized user to gain control of a computer without being detected.

Notice also API Crime-as-a-Service (CaaS). CaaS is syndication: the attack capability is sold as a service rather than built by each criminal group.

Shifts in the Security Paradigm

The attack surface paradigm has shifted from defense penetration to user manipulation models. We still do penetration testing, but it’s a bigger perimeter.

An access point for cloud-based email may be an Internet café. An access point for CRM may be the Wi-Fi in a hotel.

These days the threat starts from the inside—hence, social engineering and insider threats. Hackers identify so many different vulnerabilities that the strategies to infiltrate are almost endless.

Attack Strategy

[Image: Kill Chain, courtesy CISCO and Hackmageddon]

Recon: Spyware and rootkits [over months]
Launch: DDoS used as a smoke screen
Exploit: Compromises a weak area
Install: Can be as simple as spear phishing
Breach: Take what they want
Persistence: Months or years*

[Image: Verizon Data Breach Report, courtesy Verizon, CISCO and Hackmageddon]

The average time to discovery in Passeri’s model is 256 days; the figure comes from a 2015 Ponemon Institute / Verizon Data Breach report.

Most breaches are never discovered.

The reality today is that the threat is already inside your network. You’ve got to take steps to make sure you know exactly when, where and how as soon as possible.

TalkTalk Breach – Day 5

The exact vulnerability the hackers exploited has not yet been publicly announced. Our hearts go out to the victims and to TalkTalk.

But one TalkTalk customer believes the criminals hacked the broadband provider months ago.

Prior to the hack announcement, the customer received a fraudulent call from someone claiming to be with TalkTalk. The scammer had all of the customer’s details, including account and phone number.

The customer convinced the fraudster to call him back and made a quick call to TalkTalk. The broadband provider did not act to investigate the lead.

Breaches are never fun. Cleanup is tedious and painful. This being the third breach in 12 months, TalkTalk is definitely due for some security strategy updates.

Judging from the customer outrage and the scathing interviews that Dido Harding is getting, BAE’s findings can’t come too soon.

To learn more about breach detection and penetration testing, reach out to one of our staff.

Tuesday, October 20, 2015

The T-Mobile Experian Hack: Lessons in Socially Engineered Breach Prevention

Experian, the world's biggest consumer credit monitoring firm, has suffered two major data breaches.

The first breach came shortly after Experian purchased Court Ventures in March 2012. They learned of the breach when the U.S. Secret Service informed them of a problem with their newly acquired company: it was reselling data from a U.S. Info Search database.

A third-party client was engaging in illegal activity. Hieu Minh Ngo posed as a detective to gain physical access to Experian’s network. He took this opportunity to inject his Trojan-horse malware and access sensitive data. He then sold that data to identity thieves through his online service.

Ngo is now serving a reduced 13-year sentence for cooperating with law enforcement. This breach compromised 200 million personal records.

To give you some context: the U.S. currently has a population of 325 million people.

T-Mobile Breach Discovery

The second breach, the subject of this article, exposed the personal data of 15 million people. Those records came off a server for T-Mobile US Inc. Experian discovered the problem on Sept. 15, 2015.

There are things you never read about in these news reports. There’s a human cost.

Try to imagine the agony the T-Mobile systems admin felt as he or she realized the magnitude of the problem. Someone had found a backdoor and used it to inject malware into a server. Worse, that server contained people’s private information.

See the shock registered on the face of the Experian CISO, as he recognized another breach had taken place.

Think of the Experian Board of Directors and the horrible moment they realized their mistake. They never should have rushed the vetting process for the Decisioning Solutions acquisition.

Feel the disgust the T-Mobile Chief Executive felt. He had to explain to customers that Experian’s remedy for this problem was two years of free credit monitoring.

Think about the customer. Maybe it was you, and you now have to work with the three credit-reporting agencies any time you want to make a major life move.

Our hearts go out to the victims of these attacks.

It’s easy to point fingers and blame in hindsight, but the fact is that most breaches are never detected.

This one was just painfully high profile.

More Details about the T-Mobile Server Breach

Krebs on Security reports that on December 3, 2013, T-Mobile notified a small group of customers that someone had gained unauthorized access to a file stored on servers owned by Experian.

The T-Mobile exposure began September 1, 2013, and lasted until September 16, 2015. Breached information includes:

· Names
· Dates of birth
· Addresses
· Social Security numbers (SSNs)
· Other forms of identification

The mobile provider identified Decisioning Solutions as the breached vendor. It’s an identity-proofing company acquired by Experian in April 2013.

T-Mobile’s Chief Executive posted this response on the company website:

Obviously, I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected.

Connecticut's attorney general plans to launch an investigation.

Jeff Stone (International Business Times) reported that the hacked T-Mobile records were available for sale for $1 apiece on the Dark Net, payable in Bitcoin.

Decisioning Solutions Onboarded

Decisioning Solutions provides Software-as-a-Service (SaaS) based workflow management. The system automates decisions for the customer lifecycle.

So far so good…

Experian is a huge company. Taking care of customers well requires workflow processes.

The problem came when Experian failed to fully vet the security of the different verticals at Decisioning.

Automation and the Need for Customer Care

Automation was one of the big topics at NANOG 64. It speeds things up, standardizes processes, and takes care of the customer.

The problem with automated systems is the risk they introduce: a flaw in the automated path is exposed to everyone who can reach it.

During a podcast for SEI, Tim Maher, President and Chief Strategist for the RSA Security Conference, had this to say:

Software, Infrastructure, and Platform as a service can be very enticing given the potential cost savings.

But business leaders need to make sure of three things.

They must (1) evaluate the benefits and savings against the risks that can arise when co-mingling their data with other, unknown organizations.

They must (2) demonstrate they meet their compliance requirements.

And they must (3) attempt to hold providers accountable.

In his 2014 article “SaaS Security Risks: It’s the Users, Stupid,” Sean Michael Kerner said the security approach is different.

With SaaS, the attack surface shifts from the traditional application deployment landscape.

Instead of infrastructure itself being the primary target, attacks are moving toward users who hold access rights to data. Individual users of SaaS apps also typically do not have appropriate security controls in place to fully minimize risk.

Universal Access to Filing Support Tickets

Krebs also says the problem with the T-Mobile Experian hack was a backdoor in the form of a support site portal. It allowed anyone to file support tickets and attach any type of file, including malicious files.

By the time Experian became aware of this problem, the exposure had gone on for two years. The agency immediately contacted law enforcement.

Data sharing
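The support portal described above accepted any file from anyone. As an added example (not code from Experian, T-Mobile, or Decisioning Solutions, whose portal details are not public), the block below puts the accept-everything policy beside a hardened attachment validator: an allowlist of extensions, a check that the file content matches the claimed type via its leading signature bytes, a size cap, and storage under a content-hash name so the uploader’s filename never reaches disk. The size limit, the allowed types and the sample files are all assumptions constructed for the demonstration.

```python
"""Attachment validation for a support-ticket upload endpoint.

Added example, not any vendor's real code. Shows the weak policy the
article describes (accept any file) next to a hardened policy.
"""
import hashlib
import os

MAX_SIZE = 5 * 1024 * 1024  # assumed 5 MiB cap per attachment

# Allowed extensions and the signature bytes the content must start with.
# Plain text has no signature, so it gets a separate check below.
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
    "txt": [],
}


class RejectedUpload(Exception):
    """Raised when an attachment fails the hardened policy."""


def weak_accept(filename, data):
    """The pattern the article describes: every file is stored as named."""
    return {"stored_as": filename, "size": len(data)}


def _is_plain_text(data):
    # Reject NUL bytes and anything that is not valid UTF-8.
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def validate_attachment(filename, data):
    """Hardened policy: returns storage metadata or raises RejectedUpload."""
    if len(data) == 0 or len(data) > MAX_SIZE:
        raise RejectedUpload("size out of range")

    # Strip any directory components (either separator style).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.rsplit(".", 1)
    if len(parts) != 2:
        raise RejectedUpload("missing extension")

    # Only the final extension counts: 'invoice.pdf.exe' is an 'exe'.
    ext = parts[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_SIGNATURES:
        raise RejectedUpload(f"extension '{ext}' not allowed")

    # Content must match the claimed type, not just the name.
    signatures = ALLOWED_SIGNATURES[ext]
    if signatures:
        if not any(data.startswith(sig) for sig in signatures):
            raise RejectedUpload("content does not match extension")
    elif not _is_plain_text(data):
        raise RejectedUpload("not plain text")

    # Store under a content hash so the uploader's name is never used.
    digest = hashlib.sha256(data).hexdigest()
    return {"stored_as": f"{digest}.{ext}", "type": ext, "size": len(data)}


# Constructed sample uploads (not real files).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 32   # Windows executable header
SAMPLE_TXT = b"My router keeps dropping the connection.\n"


def triage(uploads):
    """Run each (filename, data) pair through both policies."""
    results = []
    for name, data in uploads:
        weak_ok = True  # weak_accept never rejects anything
        try:
            validate_attachment(name, data)
            hardened_ok = True
        except RejectedUpload:
            hardened_ok = False
        results.append((name, weak_ok, hardened_ok))
    return results


if __name__ == "__main__":
    for row in triage([("diagram.png", SAMPLE_PNG),
                       ("invoice.pdf.exe", SAMPLE_EXE),
                       ("photo.png", SAMPLE_EXE),
                       ("notes.txt", SAMPLE_TXT)]):
        print(row)
```

The point of the content check is that renaming an executable to `photo.png` no longer gets it past the portal, and the point of the hash-based storage name is that a name like `../../etc/passwd.txt` cannot steer where the file lands. Neither check replaces scanning the attachment or isolating the ticket-handling host; they close the specific gap the article names, that any file type from anyone was accepted.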

Dark Reading: the T-Mobile and Experian relationship illustrates the importance of tracking and auditing. Sensitive and regulated data changes form throughout its lifecycle and processing supply chain, and each hand-off is a point where controls can lapse.

The Critical Nature of Security Assessments

The usual timeline for picking up a breach can range from real time to a few days or even to a number of years. But most breaches are never even picked up at all.

Anytime you involve people, there’s potential for risk.

That’s why regular security assessments are critical to keeping your network safe.

The hacking field is dynamic.

As new systems are developed, hackers find ways of breaking into them.

That’s why you need to have security assessments done regularly.

To find out more about how security assessments and training can minimize risk for your enterprise, reach out to one of our staff members.