Friday, March 31, 2017

Data Breach plus an Exciting Microsoft Exploit


This week’s blog will address two items: one is a data breach and the second is an exploit. The data breach happened at Daytona State College in Daytona Beach, Florida. There is a twist to this story, though: while investigating the first data breach, investigators found that a second data breach had occurred. It is not yet known how many people were affected. The information taken included employee W-2 forms and students’ Social Security numbers, names, dates of birth, driver’s license numbers and how much the student makes (Abel, 2017). It is too early to know how the breach occurred, but the college believes it was because of a third-party vendor. The college did send out letters offering the affected students one year of identity protection if they want it.

Again, a data breach has occurred because of a third-party vendor. It is important that companies do their due diligence and audit their third-party vendors. JPMorgan Chase has a great information / cyber security group, and they were breached because of a third-party vendor. Just because a vendor says it’s secure does not mean it is true. Trust, but verify. It would be good for a company to put in the contract it signs that if it gets breached because of the third-party vendor, the vendor can be held liable.

The second item is about Microsoft’s zero-day exploit called DoubleAgent. DoubleAgent is a code injection vulnerability that allows an attacker to take over anti-virus programs and other software via the Microsoft Windows Application Verifier debugging tool (Barth, 2017). The exploit was discovered by Cybellum, a company that specializes in zero-day attacks. This exploit can only be used if the system has already been compromised. If the system is affected by the DoubleAgent exploit, it will remain on the system even after a reboot. This vulnerability affects Microsoft Windows versions XP through 10. Anti-virus vendors have started issuing patches to fix issues with their software related to the Application Verifier exploit. Per Sophos, their anti-virus is protected from the DoubleAgent exploit because it uses Intercept X, and Intercept X will protect any application on the system against DoubleAgent (Brenner, 2017). Intercept X is an endpoint protection technology that uses behavior-based screening to detect malicious behavior (Greene, 2015). Here is a video showing DoubleAgent attacking Avira Anti-virus.

This exploit affects all versions of Windows because Microsoft maintains backwards compatibility. The exploit also affects other applications installed on the operating system. Anti-virus was chosen because it can be used against the operating system, such as turning the anti-virus into ransomware. The Microsoft Application Verifier is old and at this point cannot be patched. Vendors are urged to switch to Protected Processes, which is the new “Application Verifier”. On its next operating system after Windows 10, Microsoft needs to stop backwards compatibility and write fresh code for Windows 11. The Xbox One can’t play first-generation Xbox games unless they are purchased from the Live store. Microsoft did this because it would be too much work to add backwards compatibility to the Xbox. If Microsoft stopped backwards compatibility, this would stop these old exploits and vulnerabilities from working on new systems. Until that happens, most Windows operating systems will be affected by the same vulnerability because they can run old software.
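The reboot persistence described above comes from how Application Verifier is registered: a provider DLL named in the VerifierDlls value under the Image File Execution Options (IFEO) registry key is loaded into the matching process when GlobalFlag has the application-verifier bit set. The script below is an added example, not code from the original post or from Cybellum or Sophos; it scans a constructed `reg export` of the IFEO key for such registrations so a defender can spot them offline, and the image and DLL names in the sample are placeholders.

```python
import re

# Constructed excerpt of a "reg export" of the IFEO key; names are placeholders, not real indicators.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="injected_provider.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

IFEO_MARKER = "\\image file execution options\\"
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that makes the loader honour VerifierDlls

def parse_ifeo(reg_text):
    """Return {image_name: {value_name: value}} for every IFEO subkey in a .reg export."""
    entries, image = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().rfind(IFEO_MARKER)
            image = key[idx + len(IFEO_MARKER):].lower() if idx >= 0 else None
            if image:
                entries.setdefault(image, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if image and m:
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                entries[image][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                entries[image][name] = raw[1:-1].replace("\\\\", "\\")
            else:
                entries[image][name] = raw  # hex(...) blobs are kept undecoded
    return entries

def find_verifier_providers(reg_text):
    """List images with a verifier provider DLL registered; 'active' means GlobalFlag will load it."""
    hits = []
    for image, values in parse_ifeo(reg_text).items():
        dlls = values.get("VerifierDlls")
        if dlls:
            flag = values.get("GlobalFlag", 0)
            active = isinstance(flag, int) and bool(flag & FLG_APPLICATION_VERIFIER)
            hits.append({"image": image, "verifier_dlls": dlls, "active": active})
    return hits
```

Any hit for a security product's executable deserves a look, since legitimate Application Verifier use is a developer debugging activity, not something expected on an end user's machine.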
References
Abel, R. (2017, March 28). Two Daytona State College breaches affect students and staff. Retrieved March 31, 2017, from https://www.scmagazine.com/daytona-state-college-hit-with-double-breach-affecting-staff-and-students/article/646957/
Barth, B. (2017, March 24). Microsoft tool exploit DoubleAgent can turn antivirus software into your worst enemy. Retrieved March 31, 2017, from https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/
Brenner, B. (2017, March 27). DoubleAgent 'vulnerability' – just how bad is it? Retrieved March 31, 2017, from https://nakedsecurity.sophos.com/2017/03/27/doubleagent-vulnerability-just-how-bad-is-it/
Greene, T. (2016, September 15). Sophos rolls out Intercept X for endpoint protection. Retrieved March 31, 2017, from http://www.networkworld.com/article/3120322/security/sophos-rolls-out-intercept-x-for-endpoint-protection.html

Saturday, March 25, 2017

CYBR 650 Week 1-2 Part 2

After going through many of the master’s classes in the cybersecurity program, I have come across several good resources for security news and threats. The first credible source is the Internet Storm Center from SANS, https://isc.sans.edu/. SANS provides cybersecurity training and offers a master’s degree in cybersecurity. The Internet Storm Center has the latest security news, podcasts and diaries. Since SANS is a school and provides training, there is no reason for them to provide false information. The writers for the Internet Storm Center are teachers and other security experts talking about current events. I consider this website to be a credible source because they have been around for 25-plus years and they provide great educational material.
The second credible source is Krebs on Security, https://krebsonsecurity.com/. Brian Krebs wrote for the Washington Post for 14 years and now runs his blog, Krebs on Security. Krebs focuses on cybersecurity and he likes to report on skimmers. Krebs has been a trusted source in the security community and has reported on several breaches, such as Target and the Ashley Madison hack. I think Krebs is a credible source because other websites use information from his blog to write their stories. Krebs has been writing about cybersecurity for many years, and his articles are accurate and backed up with credible sources. Since Krebs wrote articles for the Washington Post before starting his blog, he has the experience and contacts to provide great information. Krebs is known in security circles as a great reporter, and if he calls an organization up, then there is a problem.
The third credible source is the CVE, or Common Vulnerabilities and Exposures, a site that stores security vulnerabilities. https://cve.mitre.org/ is not really a news site; it is more of a database that stores information. If a person needs to know about a CVE from the year 2006 on Windows XP, it can be looked up in the database. The CVE site provides the description and references for the CVE. The reason I think this is a credible source is that it is a central repository for cybersecurity vulnerabilities. The site is also nonprofit and provides information on several operating systems. The CVE identifiers are used by OWASP and are mentioned in the NIST standard. Since it is recognized by NIST and OWASP, that is a good sign of reliable and accurate information.
The fourth credible source, Dark Reading, is a news site that contains information on several information technology topics. Some of the interesting topics are Internet of Things, cloud, risk, attacks / breaches and threats / vulnerabilities. Our professor, Coach, got me hooked on the website http://www.darkreading.com/ and I haven’t looked back. Some of the article writers have spoken at Black Hat, and they even have a Black Hat news section. Dark Reading has been recommended to me by several security professionals, and I find their articles well written.
The last credible source is www.csoonline.com, a website that provides security and risk news. Our professor, Coach, has written articles for CSO Online, and so has other top cybersecurity talent. Having talented authors and well-known people in the cybersecurity community write articles is a good sign for a credible source. CSO Online focuses on cybersecurity news and other topics such as management. I think they are a credible source because many of their articles have great information. They only allow a person to see part of an article, and a person must sign up to read the rest, but I figure this is so they can track people.
After doing research for papers, discussion boards and other assignments in my master’s classes, I have found that some news sites have conflicting information. What I have found is that websites that are not on my list sometimes have different information than the sites on my list. I would trust the five websites on my list over other sources because the websites on my list usually have more details about the event. The five sites on my list sometimes cover the same story, depending on how big it is, but they usually provide the same information and there are no conflicts. If there were conflicts between the sites I listed, it would depend on the conflicts and which sites they were on. I have never seen a conflict between the sites listed below. Overall, I trust the five sites listed for my cybersecurity news and other security information.
Here is a list of the sites from above.

Sunday, March 19, 2017

Reboot of Blog and Verifone Breach Week 1

My name is Scott Athey and I will be restarting my blog, Scott Athey’s Cyber Security Blog, for the CYBR 650 class. When I first started my blog, I focused on data breaches that occurred every week. The data breaches ranged from large to small organizations and anything in between. The reason I chose data breaches is that they are a hot topic and data breaches are happening every day. I also want to find out how attackers are getting into company networks and what can be done to protect those networks. I will be keeping the topic the same and focusing on recent data breaches.

A recent data breach that happened on March 7, 2017 was at Verifone. Many people may not know what Verifone does, but I can guarantee people have used their products before. Verifone is one of the largest point-of-sale manufacturers and payment processors. Verifone provides self-service payment devices and point-of-sale systems, including countertop and mobile (About Verifone). Verifone’s products are used at gas stations, hotels and other businesses that accept credit and debit payments. Verifone is also a payment processor like First Data, which allows them to see people’s credit and debit card information.

The attack seems to be related to the MICROS data breach that occurred in January 2017. MICROS was hit when the attackers used phishing emails to install malware on a computer, targeting a ticketing portal. Without knowing the details of the Verifone breach, Krebs on Security was able to possibly link the attack to a Russian crime group, and the attackers may have been inside the network since the middle of 2016 (Krebs, 2017). The attack appears to be limited to 24 United States gas station convenience stores (Schwartz, 2017). Verifone would not confirm other details related to the breach, as it seems they are still investigating. Verifone did hire a forensic company to come in and do an investigation.

Here is a sample of a phishing email that a person received from “Apple” regarding iTunes.


This data breach is scary and people should not forget about it. If the attackers were inside the company for more than six months, think of the damage they could do. Verifone’s systems run their own operating system, which means the attackers could have gotten the source code. Of course, this is all hypothetical right now, but if the attackers got their hands on the source code they could do more damage than the Target hack. One consequence of having the source code is that it allows attackers to write exploits or malware for that specific operating system. The operating system is on POS machines, which could lead to attackers stealing credit and debit card information. Then the company would have to fix the vulnerabilities, but that would require them to reverse engineer the malware or do a forensic investigation to find the vulnerability or vulnerabilities in their operating system.

Could this data breach have been prevented? At this time it’s too early to say whether this breach could have been prevented. If it was because of the phishing email, then yes, it could have been prevented. According to Krebs, users are no longer allowed to install software on their computers unless it is through the help desk (Krebs, 2017). Could a malicious program an employee installed be the cause of the breach? Users should not be allowed to install software because most users don’t check the MD5 or SHA1 hash of the file that was downloaded. Having the help desk or a different team within the company install software that has been approved will reduce the risk of malware on a network. Malicious Word documents have macros enabled that allow malicious code to run and install malware. Having macros disabled by default can help protect users from installing malware. It is also a good idea to train users not to open Word documents from emails they do not recognize. Hopefully within a few weeks there will be more information on the data breach. At that time I will update my blog with the new information.

References
Krebs, B. (2017, March 07). Krebs on Security. Retrieved March 19, 2017, from https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach
About Verifone | Company | Verifone. (n.d.). Retrieved March 19, 2017, from http://global.verifone.com/company/about-verifone/
Schwartz, M. (2017, March 8). Verifone Investigates Gas Station Hack Attacks. Retrieved March 19, 2017, from http://www.bankinfosecurity.com/verifone-investigates-gas-station-hack-attacks-a-9759