Posts tagged breach

Some Facts and Conjecture About the VeriSign Data Breach

The web is abuzz with stories about the 2010 data breach that VeriSign reported in its Oct 28, 2011, 10-Q statement. The document devotes a couple of paragraphs to the breach and includes the following:

“In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (‘DNS’) network. Information stored on the compromised corporate systems was exfiltrated.”

VeriSign further explains that its information security team detected and responded to the incident. That in itself isn’t a big deal, as successful attacks occur on a regular basis among companies large and small. If this were the full extent of the situation, it wouldn’t be worth including as part of the 10-Q filing. SEC disclosure guidelines published in October 2011 state that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

VeriSign’s mention of the breach in the 10-Q implies that the incident was significant, probably because of the kind of data that was compromised. This theory is supported by VeriSign highlighting that although it “is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.”

VeriSign’s disclosure further states that “given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information.”

This description sounds like the company believes it was dealing with an APT-style attack. One of the characteristics of APT incidents is that it is very difficult to remove the adversary’s presence from the corporate network. Such efforts may take years and tend to be very expensive.

There is much conjecture regarding what occurred at VeriSign, given how few details the company released to the public. My hope is that VeriSign will do a better job than RSA did at providing a frank and comprehensive explanation of the affected products or services in a timely manner.


From a more general perspective, I suspect we’ll be hearing more about such breaches due to the relatively recent guidelines on breach reporting published by the SEC. How many large critical infrastructure organizations haven’t been compromised at this point? How many of them actually know that this has happened?

Lenny Zeltser

2012 may well become known as the year the criminal underground started getting a clue about how to better index and use all of its stolen data.
Brian Krebs, discussing the search engine that “aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.”
The timeframe and method of discovery are almost always dictated by the criminal.

5 Events in 2011 That Challenged Online Security and Trust Assumptions

2011 is only three-quarters through. Yet, so much has already happened in the world of infosec this year that I’d like to start thinking about the events that have challenged our online security and trust assumptions.

  • Data breach at RSA allowed attackers to compromise aspects of the SecurID product and led to compromises of defense contractors and possibly other firms. Until this incident, the effectiveness of SecurID specifically and token-based authentication in general as a security control was rarely, if ever, questioned.
  • A surge in MacDefender malware for OS X, and the ease with which this rogue antivirus program spread, demonstrated that OS X was also vulnerable to infections. While Apple issued software updates in attempts to curtail the spread of MacDefender, the company’s arguably slow response hinted at its relative inexperience at dealing with such incidents.
  • The appearance of ZeuS malware modules for mobile devices allowed attackers to intercept SMS authentication codes. By infecting both the victim’s PC and mobile phone, the attackers obtained victims’ banking logon credentials from the infected computer and could collect the one-time authentication codes transmitted to their phones. This development highlighted the limitation of relying on the phone as a foolproof authentication token.
  • The re-emergence of malicious hacking groups that compromised data for political and other causes or just for fun highlighted the diversity and vulnerability of potential targets. (Anonymous and LulzSec are the most prominent examples of such groups.) Their attack campaigns have caused many organizations that were complacent in their perspective on information security to reexamine their infosec posture.

These events are acting as catalysts for changing the threat models we use to secure data, networks and applications. If there were other critical events that I failed to list, please leave a comment. What will the remainder of 2011 bring? We’ll know soon enough.


Lenny Zeltser

Psychological Similarities Between Shoplifting and Malicious Hacking

I’d like to better understand what drives people to engage in malicious hacking activities on the Internet. It’s a complex topic, of course, which incorporates the dimensions of money, fame, politics and other facets of human life and psyche. One way to gain insight into the psychology of hacking might be to learn about another illegal fringe activity: shoplifting.

Commonality of Shoplifting

Shoplifting is more common than most people realize. According to When Consumer Behavior Goes Bad: An Investigation of Adolescent Shoplifting by Cox, Cox and Moschis, “as many as 60 percent of consumers have shoplifted at some time in their lives.” In fact,

“Although a few shoplifters are professional thieves, the vast majority appear to be amateurs in that their activity is sporadic, they typically have no known history of criminal activity, and they steal for their own consumption rather than for resale.”

The situation seems to resemble the malicious hacking scene. Though I don’t have the data to prove it, my sense is that a fair number of people have dabbled in some form of hacking activities that would be construed as unethical or malicious.

Shoplifting as a Cinematic Crime

Some people who engage in shoplifting view it as a “cinematic crime,” as discussed in The Steal: A Cultural History of Shoplifting by Shteir. There seems to be a certain amount of mystique and coolness about shoplifting for some people. Some might even view it as a victimless crime. Some use it as a way to judge others: “I don’t trust anybody who hasn’t shoplifted,” said one former shoplifter according to Shteir.

Some shoplifters report feeling excited by the adrenaline rush when they were preparing for or in the process of stealing merchandise, talking about the crime as a love affair. Shteir explains:

“Shoplifters enjoy stealing. The objects mean something to them, but taking them feels dirty. Shoplifting is a spasm or a seizure. The lesson they learn from the crime—yes, I can!—they might apply to other areas of life. Shoplifting gives them courage to take chances.”

The book also brings up examples of shoplifters who relish the feeling of superiority over the store clerk after a successful run. Even when they know they are doing something wrong—or perhaps because of it—they enjoy belonging to a seemingly exclusive club of shoplifters.

All these aspects, the feelings of excitement, superiority and belonging, seem relevant to the emotions associated with malicious hacking activities as well.

Shoplifting Inclinations and Psychological Disorders

Studies suggest that some people who engage in compulsive shoplifting behavior might be diagnosed with psychological disorders. I don’t know enough about such conditions to say much about them, beyond quoting from Shoplifting: A Review of the Literature by Krasnovsky and Lane:

“Whether seen as simply a crime or a multifaceted disorder, shoplifting is an increasingly frequent problem in our society. For many offenders, it seems that shoplifting is just one among a group of antisocial activities engaged in, due to anger, excitement, or profit.”

Similarly, different people engage in malicious hacking activities on the Internet for various reasons. What drives such individuals, what is their frame of mind and what, if anything, can be done to modify their behavior warrants a closer look. Perhaps understanding the psychology of shoplifting can shed some light on this complex topic. What do you think?

If you found this post interesting, you might also enjoy Similarities Between Riots and Modern Internet Hacktivism.

Lenny Zeltser

How a Data Security Breach Can Be Used for Good PR

Hershey Corporation sent an email to its customers, notifying them that Hershey’s website experienced a data security breach. This incident was picked up by many online publications after the report surfaced on the Consumerist blog. People were fascinated to learn that the attacker only modified a single baking recipe, leaving the rest of the site untouched. I am interested in this incident because it presents an opportunity to learn from Hershey’s smart PR response to the breach.

Potential Effects on Consumer Data

According to Hershey’s notice, the compromised web server stored “consumer website registration information, including email addresses, birthdates and street addresses as well as passwords used to enter some of our sites.” This is probably the reason why the company notified the public about the breach.

Hershey has “no indication that any of this consumer information was compromised.” It’s very hard for an organization to definitively say that no sensitive data was compromised, which is why this form of describing the scope of the breach is often seen in breach notification reports. The implication is that the company went through reasonable efforts to determine what data may have been affected.

Highlighting the Importance of Recipes

While acknowledging the concerns over the security of consumer information, Hershey’s notice does a great job highlighting the strange circumstances of the breach, where the intruder altered only a single recipe on the compromised website:

“As you know, Hershey’s recipes are built on our legacy of offering the highest-quality products for more than 100 years. Consumers rely on us for this information, and we take the quality of our baking and cooking recipes very seriously. We have corrected the issue and taken steps to enhance the security of this information. We have thoroughly investigated the situation and reviewed the recipes on this site to ensure their quality.”

From a marketing and PR perspective, Hershey is focusing the message on the integrity of its recipes. The implication is that if someone were to bother modifying them, then there’s something truly special about their contents—something that Hershey’s customers have been benefiting from for more than a century.


I see the contents of Hershey’s breach notification as an excellent example of how a company can use a potentially negative event, such as a data security breach, to strengthen its brand. The approach of focusing the messaging on the modified recipe seems to be paying off for Hershey, as the media’s coverage of the incident emphasizes that strange aspect of the breach.


Lenny Zeltser

Security is not about marketing until it fails.
We’ve always lived with some degree of infrastructure compromise on the Internet (and previously, X.25), but until an open black market emerged for the data gained by illicit access, it was mostly harmless.

Learn Better Security Breach PR from Herald Sun’s Halfhearted Apology

The website of Australia’s Herald Sun newspaper was compromised and used to attack its visitors on July 11, 2011. The newspaper reacted within a day or so, though its communications to its readers regarding the incident leave room for improvement. Let’s see what we can learn regarding security breach PR from this event.

Herald Sun’s Brief Apology

A few days after the incident, the newspaper posted a brief apology for the incident in the bottom right corner of its website for about a day, though it has since disappeared from the site.

Though Herald Sun’s apology offers few details regarding the incident, one can surmise that it involved a rogue antivirus scam, attempting to trick website visitors to install malicious software.

Follow-Up Statement from Herald Sun

The newspaper offered a few tidbits regarding the breach in a follow-up statement, confirming that the “attack attached malware on some files on the site.” This suggests that the problem wasn’t due to a malicious ad served by a third party; if it were, the company would have been quick to shift the blame onto the appropriate advertising network. Herald Sun further stated that:

“We have since addressed the issue, but we are not in a position to release any further details on the basis that it may provide information for further attacks.”

It’s not uncommon for organizations to refuse to provide data breach details in the name of security. If I were to nitpick the Herald Sun’s statement, I’d say that if the issue had truly been addressed, then there would be little risk in shedding some light on the nature of the attack.

Ways of Improving Post-Incident Communications

Herald Sun’s post-incident communications reflect the typical PR approach of positioning the breach as a non-significant event. After all, in the words of the newspaper, its readers would only be affected if they clicked “Allow” to let malware install itself on their computers. In reality, social engineering scams are highly effective at persuading computer users, especially non-technical ones, to install rogue antivirus tools.

The newspaper’s suggestion of merely running an antivirus tool is akin to recommending that victims of data theft sign up for identity-monitoring service—the damage has already been done.

At the very least, Herald Sun should have clarified which malware was targeting its readers and offered specific recommendations for the tools that might be able to clean it up. Also, I would want the organization to make a stronger statement regarding the measures it is implementing to mitigate the risk of similar incidents occurring in the future.

In the words of Paul Ducklin, promptness, clarity, and openness should be the key elements of a company’s response to an information security breach. It’s great to see Herald Sun exercise promptness, but it left much room for improvement regarding the other aspects of its communications to potentially affected readers.


Lenny Zeltser

The Use of Pastebin for Sharing Stolen Data

Pastebin is a popular website for storing and sharing text. Though it’s mostly used for distributing legitimate data, it seems to be frequently used as a public repository of stolen information, such as network configuration details and authentication records. Various hacker groups and individuals seem to be using Pastebin to distribute their loot; the highest-profile publisher in the recent weeks was LulzSec.

What’s Popular on Pastebin

To get a taste for the kind of information available on Pastebin, take a look at its Trending Pastes page. The most popular pages at this moment include gems such as:

  • A listing of subnet addresses that belong to various corporations
  • A dump of compromised Facebook accounts, complete with email addresses and passwords
  • An internal user database of a compromised website, including email addresses, privileges and password hashes
  • An export of a users table from a compromised database, including usernames and passwords

Why Do Hackers like Pastebin?

What is attracting the hacker community to Pastebin? And why do compromised records persist on the site? Trying to figure this out, I asked on Twitter, why Pastebin, rather than some other site, became a popular platform for sharing stolen records. The responses I received highlighted the following attributes of Pastebin:

  • It’s easy to use
  • It can handle large text files
  • It doesn’t proactively moderate postings
  • Publishing there doesn’t require registration
  • Its heritage is rooted in IRC networks

Also, Jipe pointed me to an article by Matt Brian titled Pastebin: How a popular code-sharing site became the ultimate hacker hangout. Among the many examples brought up in the article is the story of the data stolen from Sony Pictures being posted on Pastebin in early June and receiving 155,000 views before it was removed due to a takedown notice from Sony. I’d like to better understand the role that Pastebin plays in such incidents.

Pastebin’s Handling of Takedown Notices

To me, the most interesting aspect of Matt’s article was the perspective that Jeroen Vader, the owner of Pastebin, shared on the use of the site to share stolen data. He said:

“Pastebin is a website that is used by millions of people every month, and some of those people will create pastes with sensitive information in it. We have a good abuse report system in place that is monitored through out the day.”

Jeroen explained that the site responds to takedown notices and that “if a reported item contains private information it can be removed instantly.”

Is that a reasonable stance? I can understand why the site doesn’t want to take on the burden of moderating content. Yet, identifying and flagging the files that might contain sensitive data isn’t very hard. As a starting point, Pastebin could merely look at the items on the top of its Trending Pastes page.

Automatically Finding Stolen Data on Pastebin

Pastebin could also automatically look for the signatures that indicate possible sensitive data. In fact, that’s what Jaime Blasco seems to have done to create a free service called PastebinLeaks, which automatically identifies stolen data artifacts posted on Pastebin. The service is quite accurate and its findings, published on Twitter, are disturbing.

The idea is not unlike that of querying social networking sites, such as Twitter, for references to data breaches.
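To make the “signatures” idea concrete, here is a small Python scanner, added as an example for this post; it is not code from the original article and not PastebinLeaks’ actual rules, which the post does not describe. It looks for the artifact types listed earlier (email:password pairs, MD5/SHA-1 hash columns, CIDR subnets, SQL exports of user tables), weights them into a score, and separately answers the question an organization cares about most: do any of the leaked addresses belong to our domains? The regexes, weights, threshold and both sample pastes are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Regex "signatures" for artifacts that show up in dumps of stolen data.
# Patterns, weights and the threshold are illustrative assumptions; they
# are not PastebinLeaks' rules (the post does not describe those).
SIGNATURES = {
    # user@host:secret, the classic credential-dump line (':' ';' or '|')
    "email_password_pair": re.compile(
        r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+[:;|]\S{4,}"),
    # 32 / 40 hex digits, as left behind by MD5 / SHA-1 password columns
    "md5_hash": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "sha1_hash": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    # CIDR blocks, as in the "corporate subnets" paste mentioned above
    "cidr_subnet": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b"),
    # raw SQL exports of account tables
    "sql_insert_users": re.compile(
        r"INSERT\s+INTO\s+`?(?:users|members|accounts)`?", re.IGNORECASE),
}

# How strongly each artifact type suggests a leak (assumed weights).
WEIGHTS = {
    "email_password_pair": 3,
    "md5_hash": 1,
    "sha1_hash": 1,
    "cidr_subnet": 1,
    "sql_insert_users": 2,
}
# Assumed threshold: one stray hash in a code paste must not trip the alarm.
LEAK_THRESHOLD = 5

# Constructed sample pastes (not real dumps).
SAMPLE_PASTE = """\
# users dump from example-shop.test
alice@example.com:Summer2011!
bob@example.org:qwerty123
carol@corp.example.net:5f4dcc3b5aa765d61d8327deb882cf99
INSERT INTO `users` VALUES (1,'dave','5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');
10.10.0.0/16
192.168.100.0/24
"""

BENIGN_PASTE = """\
def add(a, b):
    return a + b
# see commit 0123456789abcdef0123456789abcdef01234567
"""


def scan_paste(text):
    """Count how many times each signature fires in a paste."""
    counts = Counter()
    for name, pattern in SIGNATURES.items():
        counts[name] = len(pattern.findall(text))
    return counts


def leak_score(counts):
    """Weighted sum of signature hits; higher means more dump-like."""
    return sum(WEIGHTS[name] * n for name, n in counts.items())


def is_suspected_leak(text):
    """True when the paste looks like stolen data rather than ordinary text."""
    return leak_score(scan_paste(text)) >= LEAK_THRESHOLD


def find_watched_emails(text, watched_domains):
    """Return addresses in the paste that belong to domains you monitor.

    This is the "is our data on Pastebin?" check an organization would run
    on every new paste, regardless of whether the paste as a whole scores
    as a leak.
    """
    domains = "|".join(re.escape(d) for d in sorted(watched_domains))
    pattern = re.compile(r"\b[\w.+-]+@(?:" + domains + r")\b", re.IGNORECASE)
    return sorted({m.lower() for m in pattern.findall(text)})


if __name__ == "__main__":
    for label, paste in (("sample dump", SAMPLE_PASTE),
                         ("code snippet", BENIGN_PASTE)):
        counts = scan_paste(paste)
        print(f"{label}: score={leak_score(counts)} "
              f"leak={is_suspected_leak(paste)} {dict(counts)}")
    print("watched:", find_watched_emails(SAMPLE_PASTE, {"corp.example.net"}))
```

The weighted score is what keeps this usable: a lone 40-hex string is just as likely a git commit id as a SHA-1 password hash, so the benign snippet scores 1 and is ignored, while the credential dump scores 15. A real monitor would feed every new paste through `scan_paste` and `find_watched_emails`, and tune the weights against whatever false positives its own feed produces.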

Wrapping it Up

To sum up, attackers seem to use Pastebin to share stolen data because the site is easy to use for sharing voluminous text and because their buddies use it as well. Moreover, they know that the data published there will be around for some time for the world to see, since Pastebin doesn’t proactively moderate content.

It’s interesting to explore the technological, historic and sociological reasons why Pastebin has become a popular repository of stolen data. Perhaps more importantly, we need to understand how companies can identify when their data was published on a site such as Pastebin. Also, my hope is that such sites will implement some form of proactive monitoring and will deal with suspected data leaks without waiting for a formal takedown notice.

Update: For my follow-up post related to this topic, see Using Pastebin Sites for Pen Testing Reconnaissance.

Lenny Zeltser