By Mike S
iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post (do not click if you’re wary of security breaches) on Wednesday, site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. iPhoneDevSDK is, however, now working with Facebook’s security team to share information about what happened.
Also, this is a great reminder to log and monitor, or to run a SIEM. An admin’s account was compromised, and then the website itself was hacked.
Tripwire would have caught the file changes, and login auditing would have caught the attacker’s activity on the compromised admin account.
By Mike S
Every company can afford – and must afford – some security monitoring.
Even three years ago, small businesses shied away from security monitoring as too complex and too difficult to deploy, with a 2009 article calling such systems “not for the faint of heart.”
Now, log-management services in the cloud, easier-to-use managed security services, and simpler security information and event management (SIEM) solutions have made security monitoring possible for all but the smallest firms. For such businesses, gathering intelligence on security events can be an offshoot of network monitoring or the other way around, but each can give companies better visibility into what is going on with their information systems, says Nicole Pauls, director of product management for SolarWinds, an information-technology provider.
By Mike S
Hackers logged onto a site reserved for credit card customers then inserted various account numbers into a string of text located in the browser’s address bar, according to a report in the New York Times, which cited anonymous sources close to the investigation. The cybercriminals repeated their actions, capturing the names, account numbers, email addresses and transaction histories of more than 200,000 Citigroup customers.
A client of mine had nearly that exact same vulnerability, except in this case, it allowed the user to log in through a URL with the last four digits of their social security number. So by merely crafting a URL with a random 4-digit number, a hacker could gain authenticated access to untold numbers of accounts.
Happily, we discovered it before anyone else did, as far as we know.
Citigroup likely detected the flaw in its own analytics engine. A person monitoring analytics tools would see different spikes of anomalous user activity. An individual sending in 200,000 server requests should generate an alert, Grossman said. Further inspection of the logs would show that a person is conducting an attack by tweaking the URL.
Saved by the logs and SIEM!
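The detection Grossman describes, one source enumerating account numbers in the URL, is easy to express as a rule over ordinary web-server logs. This is an added example, not code from the original post or from Citigroup; the Combined Log Format lines and the `acct` query parameter are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (Combined Log Format). The hypothetical "acct"
# parameter stands in for the account number carried in the address bar.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2011:10:00:01 +0000] "GET /account/view?acct=4000123 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2011:10:00:02 +0000] "GET /account/view?acct=4000124 HTTP/1.1" 200 509
10.0.0.5 - - [10/Jun/2011:10:00:03 +0000] "GET /account/view?acct=4000125 HTTP/1.1" 200 515
10.0.0.5 - - [10/Jun/2011:10:00:04 +0000] "GET /account/view?acct=4000126 HTTP/1.1" 200 511
10.0.0.5 - - [10/Jun/2011:10:00:05 +0000] "GET /account/view?acct=4000127 HTTP/1.1" 200 508
192.168.1.20 - - [10/Jun/2011:10:00:06 +0000] "GET /account/view?acct=4000123 HTTP/1.1" 200 512
192.168.1.20 - - [10/Jun/2011:10:00:09 +0000] "GET /account/view?acct=4000123 HTTP/1.1" 200 512
192.168.1.21 - - [10/Jun/2011:10:00:11 +0000] "GET /account/view?acct=4000200 HTTP/1.1" 200 510
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_lines(text):
    """Yield one dict per well-formed log line; skip anything that does not parse."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def enumeration_alerts(text, param="acct", max_distinct=3):
    """Flag client IPs that successfully fetched more distinct values of `param`
    than a legitimate customer plausibly owns. Returns {ip: sorted values}."""
    seen = defaultdict(set)
    for rec in parse_lines(text):
        if rec["status"] != "200":
            continue  # only successful responses count as a disclosure
        qs = parse_qs(urlparse(rec["path"]).query)
        for value in qs.get(param, []):
            seen[rec["ip"]].add(value)
    return {ip: sorted(v) for ip, v in seen.items() if len(v) > max_distinct}

def is_sequential(values):
    """True when the numeric values form an unbroken run, a strong sign of
    someone stepping through identifiers rather than using their own."""
    nums = sorted(int(v) for v in values)
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))
```

In production the same rule runs over a sliding time window per source address, and the threshold is tuned against what real customers do.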
By Mike S
Sounds like a handy SIEM tool for solving a key problem:
IT managers are collecting all network and application data for security and compliance reasons, but the sheer volume of the data makes it difficult to detect problems in a timely manner or correlate events, Jerry Skurla, executive vice-president of marketing at NitroSecurity, told eWEEK. Many log-management tools are not effective or efficient, and can’t analyze all collected data, he said. He cited a 2010 data breach survey conducted by the Verizon RISK team in conjunction with the United States Secret Service that found 86 percent of data-breach victims had evidence of the breach in their logs but they hadn’t been able to find the information in time.
But the key, as always:
“You tell us what is important to you, and we will show you the relevant information,” Skurla said.
If you don’t know what to watch for, you’ll still miss it.
By Mike S
While it isn’t exactly groundbreaking news that malware attackers are using social media to control their botnets, certain aspects are notable:
In each of these cases, the attackers’ remote activity looked like normal SSL-encrypted traffic to popular Internet sites, making it nearly impossible for packet inspection and netflow anomaly analysis tools to differentiate the malicious from benign activity.
If you can’t read the packet because it’s encrypted, it is very difficult to detect what it is doing.
Prevention efforts will typically not work against APT, Mandiant said. Instead of trying to stop APT intruders from using legitimate sites to compromise their networks, organizations should make it difficult for the APT intruders to stay in the breached network, ultimately making them “too expensive” to attack, according to Mandiant.
This is achieved when the security team can determine what the attacker is doing and anticipate what the attacker will do next, Mandiant said. Organizations need to increase visibility across the enterprise by incorporating specialized monitoring systems that provide host- and network-based visibility, increased logging, and log aggregation, Mandiant said.
Host-based detection tools look for indicators that the host has been compromised as well as signs of the tools, tactics and procedures used by the attacker. These tools can find unknown malware because they aren’t looking for actual signatures like a traditional anti-virus, the researchers said. Network-based tools do the same search on network traffic. Mandiant researchers listed nine different logs security managers should be looking at regularly, including internal DNS server logs, DHCP logs, internal Web proxy logs, firewall logs with ingress/egress TCP header information, and external Webmail access logs. Log aggregation tools help managers correlate information from numerous sources, highlight critical information and index all information for easy searching. The security team can use all the information to effectively detect and remove the compromised host, repeatedly forcing the attacker to start over to regain control, Mandiant said.
Anton Chuvakin was right about logs all along!
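When the command channel is SSL to a popular site, payload inspection is off the table, but the internal Web proxy log that Mandiant lists still records who talked to what and when, and a bot checking in on a timer looks nothing like a person browsing. The following is an added example, not Mandiant’s tooling; the proxy log format (timestamp, source host, destination, bytes out) and the hosts and domain are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log in a hypothetical format: "timestamp src_host dest_domain bytes_out".
# ws17 checks in every ~5 minutes (beacon-like); ws22 is a person browsing the same site.
SAMPLE_PROXY_LOG = """\
2011-03-01T09:00:00 ws17 social.example.net 812
2011-03-01T09:05:00 ws17 social.example.net 820
2011-03-01T09:10:01 ws17 social.example.net 815
2011-03-01T09:15:00 ws17 social.example.net 818
2011-03-01T09:19:59 ws17 social.example.net 811
2011-03-01T09:25:00 ws17 social.example.net 819
2011-03-01T09:00:12 ws22 social.example.net 2304
2011-03-01T09:01:47 ws22 social.example.net 55210
2011-03-01T09:14:03 ws22 social.example.net 1200
2011-03-01T09:38:30 ws22 social.example.net 9981
2011-03-01T09:39:02 ws22 social.example.net 700
2011-03-01T10:12:45 ws22 social.example.net 3310
"""

def parse_proxy(text):
    """Group connection timestamps by (source host, destination domain)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _size = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions

def beacon_candidates(text, min_hits=5, max_cv=0.05):
    """Flag (host, destination) pairs whose inter-connection gaps are nearly
    constant. CV = stdev / mean of the gaps; human browsing is far noisier.
    Returns {(src, dst): {"interval_s", "cv", "hits"}} for pairs under max_cv."""
    found = {}
    for key, times in parse_proxy(text).items():
        if len(times) < min_hits:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            found[key] = {"interval_s": round(avg), "cv": round(cv, 3), "hits": len(times)}
    return found
```

A real deployment adds jitter tolerance and whitelists known software update checks, which are also periodic; the point is that timing and volume survive encryption even when content does not.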