February 2009


Malicious Websites Target Internet Explorer

I have always been a fan of Mozilla’s Firefox browser. To tell the truth, I have been using it since its original incarnation when it was known as Netscape Navigator (and Mosaic before that). I always thought it was more intuitive, faster, and had more and better features than Microsoft’s Internet Explorer. Of course, given that IE is included with the Windows operating system, and that Windows commands more than 90% of the desktop computer market, it is no surprise that IE remains the most popular browser in use today with 67% penetration.

However, there is another, even more important reason why Firefox is my preferred browser. Security. IBM’s ISS X-Force recently released its report on Internet security which analyzed trends in threats and vulnerabilities for 2008. This is an excellent report that all information security practitioners should read carefully in order to understand the types of threats that we all face. But it was the information on page 56 of this report that really caught my attention.

For many years I have argued that Firefox provides a more secure browsing experience than IE. And now, I have proof to support this opinion. According to the ISS report, nearly 68% of all exploits hosted on malicious websites target ActiveX and IE. Conversely, less than half of one percent of exploits target Firefox. Admittedly, this is likely as much a result of IE’s popularity as a browser as it is Firefox’s superior security. However, Firefox is the second most widely used browser with 21.5% penetration. All things being equal, one would expect more than 0.3% of the exploits to be targeted at a browser with this much penetration. Clearly there are other forces at work.


So why are criminals giving Firefox a pass?  In order for a vulnerability to be exploited, it must be worth the time and effort that will be required to create the exploit.  That means there must be a high probability that the exploit will be successful and generate revenue for the criminal organization.  The fact that Firefox does such a great job of automating software updates makes it much more difficult to exploit vulnerabilities in the browser.  A study found that over 83% of Firefox users were running the most up-to-date and secure version of the browser.  Conversely, only 47% of IE users were using the most up-to-date and secure version of the browser.  This translates into hundreds of millions of people who are using vulnerable versions of IE, ripe for exploitation by criminal elements.  When viewed from this perspective, it is easy to understand why Firefox is a more secure browser than Internet Explorer.

Security Vendors Lacking Good Security


In two separate incidents earlier this month, well known security companies had their web sites breached as a result of SQL injection vulnerabilities.  The first was Kaspersky Labs, an anti-virus vendor which was hacked on February 9.  Two days later, it was reported that BitDefender, another anti-virus vendor, also had their web site hacked by the same Polish hacker who had successfully breached the Kaspersky site.  Again, a SQL injection vulnerability was the cause.

If you do not pay attention to reported incidents and vulnerabilities, you might assume that security vendors would not frequently be the victims of web hacks or have vulnerabilities found in their software.  However, nothing could be further from the truth.  I have been in the security industry for over 13 years and sadly, the companies that are selling security software and services seem to be just as likely as everyone else to be on the wrong end of a security problem.  McAfee, Trend Micro, Barracuda, Cisco and Check Point (to name just a few) all reported serious vulnerabilities in their products in 2008.  And now we are seeing security companies falling victim to web application attacks as well.

We should demand more from our security vendors.  These are the companies that are securing our infrastructures and protecting our data.  They need to ensure that the products they are selling are secure, because as a consumer of these products, I cannot afford to take the chance that my environment will be compromised due to a weakness in their systems.  And I certainly don’t want to be in a situation where I am frequently applying security patches to my security systems.  I for one will avoid purchasing products from any security vendor that has a poor track record of providing quality, secure products.  This is the only way that they will get the message that we expect more from the vendors that we entrust with the security of our data.

Heartland Payment Processor Breach

Another day, another major breach of credit card data. And this one is a doozy. The payment processor Heartland Payment Systems announced on January 20th that they had suffered a breach and an unknown number of credit card accounts had been compromised. Heartland is the 5th largest payment processor in the world, with over 250,000 customers and handling over 100 million transactions per month. It is likely this breach will result in the compromise of more accounts than the infamous TJX breach of 2006 in which approximately 95 million card accounts were exposed.

It appears this hack was a result of poor endpoint security and a lack of encryption of data in motion. I will start by stating that Heartland was in compliance with the PCI DSS and had been audited in April of 2008. That being said, PCI DSS compliance does not guarantee that data is secure. It is a good starting point, but more can and should be done, to ensure the protection of cardholder data.

Back to the Heartland hack; according to the information I have read so far, it appears that some number of systems in their cardholder data environment became infected with spyware that was able to sniff credit card account information while it was being transmitted over the network. If this is true, it validates my belief that endpoint security is oftentimes the weakest link in the enterprise security environment. I have no doubt that these systems had anti-virus software installed. However, anti-virus software is only as good as its signature database and most are woefully inadequate at detecting malware, especially custom malware. In environments with high security concerns, it is appropriate to utilize application whitelisting utilities that allow only those applications that are specifically defined to execute. These utilities don’t rely on signatures and significantly reduce the threat of malware.

The other problem in the Heartland environment was the fact that credit card data was being transmitted between them and the card companies in clear text. The reason this was not highlighted as a violation of the PCI DSS is because many payment processors use dedicated leased lines to the payment brands, which is often cited as a compensating control for the use of encryption. Clearly, this is a weak compensating control that allows for unfettered access to information on the network in the event that a workstation or server is compromised. Best practice would dictate that account numbers should be encrypted over the network, which is easily achievable with a variety of methods. Defense in depth is the lesson to be learned here.
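To make the "clear text on the wire" risk concrete from the defender's side, here is an added example (not from the original post, and not Heartland's or any vendor's code) of the kind of check a network monitor can run over captured payloads: it looks for digit runs that pass the Luhn check, which is what a cleartext PAN looks like, and reports them masked. The sample payloads are constructed; an encrypted session shows up as opaque bytes and yields nothing, which is exactly why encryption in transit removes this exposure.

```python
import re
from typing import List

# Constructed sample payloads standing in for packets captured on a processor's
# internal network. The first is a clear-text authorization record carrying a
# PAN (a well-known test card number); the second is made-up opaque bytes of the
# kind a TLS session produces; the third has a 16-digit field that is not a PAN.
CLEARTEXT_PAYLOAD = b"0100|PAN=4111111111111111|AMT=000001999|MERCH=12345"
ENCRYPTED_PAYLOAD = bytes.fromhex("1703030045a3f09c2b7d4e8812ab")  # constructed
NOT_A_PAN_PAYLOAD = b"TXN=1234567890123456|NOTE=test"

# Candidate PAN: 13 to 19 ASCII digits not adjacent to other digits.
# In a bytes pattern, \d matches only ASCII 0-9.
CANDIDATE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters random digit runs from plausible PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most first six and last four digits, as PCI DSS allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: bytes) -> List[str]:
    """Return masked PANs that appear in clear text in one captured payload."""
    found = []
    for m in CANDIDATE.finditer(payload):
        digits = m.group(1).decode("ascii")
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


if __name__ == "__main__":
    for name, data in [("cleartext", CLEARTEXT_PAYLOAD),
                       ("encrypted", ENCRYPTED_PAYLOAD),
                       ("no-pan", NOT_A_PAN_PAYLOAD)]:
        print(name, find_cleartext_pans(data))
```

A hit from this check on a segment that is supposed to be "protected" by a leased line is the signal that the compensating control is not actually protecting the data.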

Finally, it appears that Heartland did not have very strong logging and monitoring controls in place, as they did not detect the malware themselves. They were notified by Visa and MasterCard of suspicious activity coming from their network. Once notified, Heartland took nearly two months to disclose the breach. It appears their handling of this incident may be in violation of several state laws. If the scope of the breach is as large as is being reported, Heartland may end up spending $100 million or more to deal with this incident. They are already facing a lawsuit as a result of the incident. This is far more money than it would have cost to secure their endpoints and encrypt data in motion. Look for the PCI DSS to be amended as a result of this incident to address these issues.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved