Target and FireEye

At the beginning of December 2013, the US retailer Target suffered a huge data breach: the details of 40 million valid credit cards were sent to Russian servers. The breach will have a serious financial impact for Target, as more than 90 lawsuits have already been filed against the company.

Target is undergoing a deep investigation to understand how this breach occurred. Recently, an interesting fact surfaced. On 30 November, FireEye, a sophisticated commercial anti-malware system, detected an unknown malware spreading within Target's IT system. It spotted the customized malware being installed on point-of-sale terminals to collect card numbers before sending them to three compromised Target servers. Target's security team based in Bangalore (India) reported it to the US Security Operations Center in Minneapolis; the FireEye alert carried the highest severity level. The center did not react to this notification. On 2 December, a new notification was sent, again without generating any reaction.

The exfiltration of the stolen data started after 2 December. Thus, had the Security Operations Center reacted to this alert, it might not have stopped the collection, but it would at least have stopped the exfiltration to the Russian servers.

As we do not have details on the daily volume of alerts reported from Bangalore to the Security Operations Center, it is difficult to blame anybody. Nevertheless, this is a good lesson, with two conclusions:

  • Law 10: Security is not a product but a process. You may have the best tools (and FireEye is an extremely sophisticated one: it runs the incoming data inside a virtual replica of the system and analyzes the reactions in order to detect malicious activity). If you do not manage the feedback and alerts of these tools and take the proper decisions, then these tools are useless. Unfortunately, the false-positive rate of current tools is too high to let them take such decisions on their own.
  • Law 6: You are the weakest link. The Security Operations Center decided not to react. As FireEye was not yet fully deployed, we may suppose that the operators did not fully trust it. The human decision was wrong this time.

European industry worried by APT

According to a recent report from Quocirca, "The trouble heading for your business", European businesses say they are concerned by APTs. Many of the interviewed companies assert that they have been under targeted attack. Even more worrying, most of them believe that undetected malware is running on their networks.

Advanced Persistent Threats (APTs), or targeted attacks, are high-profile attacks aimed at one precise target with a precise objective. The attackers are highly skilled; most of the time, they are either funded by criminal organizations or are state-operated teams. This is the most dangerous type of attack, and the usual tools such as firewalls and anti-virus are not sufficient. The Bit9 and RSA attacks are good examples of targeted attacks.

The report gives interesting insights into the perceived business impact of APTs. For instance, we discover that loss of regulated financial data is the top impact. Loss of IP is in fourth position. Reputational damage and negative media coverage are the least-cited impacts.

(Copyright Quocirca 2013 for the figure)

The ranking of concern about the impacts following an APT:

  1. Loss of regulated data
  2. Loss of IP
  3. Reputational damage
  4. Fines
  5. Remediation costs



Thus, this report is a good reference when you have to explain why you need this new deep packet inspection tool, or the latest behavioral analysis software.

It is good to see that companies are aware of this new APT risk.  Is your company aware?

Bit9: when a security company signs malware…

Bit9 offers security solutions that control which applications are authorized to execute on a platform. Rather than relying on detecting malicious applications, Bit9 uses an engine that only authorizes a whitelist of trusted applications. Every application that is not part of the whitelist is considered suspect by default and denied execution. Of course, the Bit9 engine considers every application issued by Bit9 as trusted; the control is done by verifying whether the application was properly signed with Bit9's signing key. Bit9 claims that their solution is the ultimate defense, and the only valid answer to Advanced Persistent Threats (APT).

On February 8, 2013, security journalist Brian Krebs reported that some companies had been affected by malware signed by Bit9. Later the same day, Bit9 Chief Executive Officer (CEO) Patrick Morley acknowledged the problem. Their own solution was not protecting some of Bit9's servers, among them servers used to sign applications. Attackers were able to penetrate the network and get their malicious code signed by Bit9. Thus, any Bit9 engine would accept these pieces of malware as trusted applications. Bit9 announced that they had started to remediate the issue: they applied their own solution to their complete infrastructure, revoked the compromised digital certificate and informed their customers.

According to Bit9, only three undisclosed customers were affected. Given the high profile of Bit9's customers (defense department, Fortune 100 companies), this may be part of a larger APT targeting some of them. Was it the same approach as in the RSA hack: using a security vendor's technology as the entry door to its customers?

Ironically, a few hours before, Bit9 had bragged that anti-virus software was old news. It would be interesting to learn how the attackers penetrated the network.

Two lessons:

  • Defense in depth is mandatory: multiply the number of defense mechanisms. Relying on one unique mechanism is brittle security.
  • Signing of production code should be supervised by a trusted human operator. You may use automatic signing for the development process, provided of course that you use an independent root key dedicated to development code. Normally, very few pieces of software go out into the field as production releases, so using a human operator will not significantly increase the cost.
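To make the whitelist logic and the cost of revocation concrete, here is a small model of such an engine in Go. It is an added example, not Bit9's code: the Ed25519 keys, the key identifiers and the "executables" are constructed stand-ins for a real code-signing certificate chain and real binaries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyID identifies a publisher key, much like a certificate thumbprint.
type KeyID string

func keyIDOf(pub ed25519.PublicKey) KeyID {
	sum := sha256.Sum256(pub)
	return KeyID(hex.EncodeToString(sum[:8]))
}

// WhitelistEngine allows an executable only if it carries a valid signature
// from a trusted publisher key that has not been revoked. Everything else is
// denied by default. (Constructed model, not Bit9's engine.)
type WhitelistEngine struct {
	trusted map[KeyID]ed25519.PublicKey
	revoked map[KeyID]bool
}

func NewWhitelistEngine() *WhitelistEngine {
	return &WhitelistEngine{trusted: map[KeyID]ed25519.PublicKey{}, revoked: map[KeyID]bool{}}
}

// Trust registers a publisher key and returns its identifier.
func (e *WhitelistEngine) Trust(pub ed25519.PublicKey) KeyID {
	id := keyIDOf(pub)
	e.trusted[id] = pub
	return id
}

// Revoke is the vendor's response once a key is known to have signed malware.
func (e *WhitelistEngine) Revoke(id KeyID) { e.revoked[id] = true }

// Allow checks signer trust, revocation status and the signature itself.
func (e *WhitelistEngine) Allow(exe, sig []byte, signer KeyID) bool {
	pub, ok := e.trusted[signer]
	if !ok || e.revoked[signer] {
		return false
	}
	return ed25519.Verify(pub, exe, sig)
}

// Signed bundles an executable with its signature and the signer's key ID.
type Signed struct {
	Exe, Sig []byte
	Signer   KeyID
}

func sign(priv ed25519.PrivateKey, exe []byte) Signed {
	pub := priv.Public().(ed25519.PublicKey)
	return Signed{Exe: exe, Sig: ed25519.Sign(priv, exe), Signer: keyIDOf(pub)}
}

// Scenario replays the incident: the production key signs a legitimate tool,
// attackers get malware signed with the same key, then the key is revoked.
// It returns the engine's decision at each step.
func Scenario() (legitBefore, malwareBefore, devBuild, malwareAfter, legitAfter bool) {
	prodPub, prodPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader) // development key: never trusted in the field

	engine := NewWhitelistEngine()
	prodID := engine.Trust(prodPub)

	legit := sign(prodPriv, []byte("agent-installer-v2")) // constructed artifact
	malware := sign(prodPriv, []byte("malicious-payload")) // signed from a compromised signing server
	nightly := sign(devPriv, []byte("nightly-build"))      // signed with the dev key only

	legitBefore = engine.Allow(legit.Exe, legit.Sig, legit.Signer)
	malwareBefore = engine.Allow(malware.Exe, malware.Sig, malware.Signer)
	devBuild = engine.Allow(nightly.Exe, nightly.Sig, nightly.Signer)

	engine.Revoke(prodID)
	malwareAfter = engine.Allow(malware.Exe, malware.Sig, malware.Signer)
	legitAfter = engine.Allow(legit.Exe, legit.Sig, legit.Signer) // collateral damage of revocation
	return
}

func main() {
	lb, mb, db, ma, la := Scenario()
	fmt.Println("legit before revocation:   ", lb)
	fmt.Println("malware before revocation: ", mb)
	fmt.Println("dev-key build in the field:", db)
	fmt.Println("malware after revocation:  ", ma)
	fmt.Println("legit after revocation:    ", la)
}
```

Two things the replay makes visible: while the production key is trusted, the engine has no way to tell the vendor's real installer from the attacker's payload, since both carry a valid signature; and revocation blocks everything legitimately signed under that key until it is re-signed, which is why a separate, never-trusted development key and a revocable production key matter. A real engine would also compare the signature timestamp with the revocation date rather than revoking outright; this model does not.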

Malware signed by Adobe

In September, Adobe detected two pieces of malware that were legitimately signed by Adobe! Having a valid signature from a trusted source like Adobe was a compelling advantage for this malware. As one of the two samples was not publicly available, the likelihood that it was meant to be used in an Advanced Persistent Threat (APT) is extremely high.

Did a signing private key leak, as was the case for Yahoo in May? Adobe performed an extensive forensic analysis. They discovered that one build server had been compromised. This build server could submit software for signature. According to Adobe, the configuration of the server was not at the proper Adobe standard of security. As it was the server that was compromised, the private key, stored in a Hardware Security Module (HSM), was not compromised. Adobe also had proof that this server requested the signature of the malware. They believe that the attackers first accessed another server and then moved laterally to take control of this build server. Once the server was controlled, the attackers requested the signature of their malware. This is a typical APT scheme. It also means that the signed malware was meant to be used in other steps of this APT, whose target was not Adobe.
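The Adobe scenario, as an added example in Go (not Adobe's infrastructure): a signing service whose private keys never leave it, an allow-list of build hosts permitted to submit requests, mandatory human approval for release signatures, and an audit trail that records every request so that an investigation can prove which host asked for what. Host names, approver names and artifacts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignRequest is what a build server submits to the signing service.
type SignRequest struct {
	Host     string // requesting build server
	Artifact []byte
	Release  bool   // production code, to be signed with the release key
	Approver string // human who approved a release signature; empty if none
}

// AuditEntry is kept for every request, accepted or refused.
type AuditEntry struct {
	Host, Approver, Outcome string
}

// SigningService models an HSM-backed signer: keys stay inside, but any
// authorized build host can ask it to sign. Constructed example.
type SigningService struct {
	releaseKey, devKey ed25519.PrivateKey
	allowedHosts       map[string]bool
	approvers          map[string]bool
	Audit              []AuditEntry
}

var (
	ErrUnknownHost = errors.New("host is not authorized to request signatures")
	ErrNoApproval  = errors.New("release signature requires a trusted human approver")
)

func NewSigningService(hosts, approvers []string) *SigningService {
	_, rel, _ := ed25519.GenerateKey(rand.Reader)
	_, dev, _ := ed25519.GenerateKey(rand.Reader)
	s := &SigningService{releaseKey: rel, devKey: dev,
		allowedHosts: map[string]bool{}, approvers: map[string]bool{}}
	for _, h := range hosts {
		s.allowedHosts[h] = true
	}
	for _, a := range approvers {
		s.approvers[a] = true
	}
	return s
}

// Sign returns a signature or an error. Development builds are signed
// automatically with the dev key; release builds need a named approver.
func (s *SigningService) Sign(r SignRequest) ([]byte, error) {
	if !s.allowedHosts[r.Host] {
		s.Audit = append(s.Audit, AuditEntry{r.Host, r.Approver, ErrUnknownHost.Error()})
		return nil, ErrUnknownHost
	}
	if !r.Release {
		s.Audit = append(s.Audit, AuditEntry{r.Host, r.Approver, "signed with dev key"})
		return ed25519.Sign(s.devKey, r.Artifact), nil
	}
	if !s.approvers[r.Approver] {
		s.Audit = append(s.Audit, AuditEntry{r.Host, r.Approver, ErrNoApproval.Error()})
		return nil, ErrNoApproval
	}
	s.Audit = append(s.Audit, AuditEntry{r.Host, r.Approver, "signed with release key"})
	return ed25519.Sign(s.releaseKey, r.Artifact), nil
}

// ReleasePublicKey is what verifiers in the field pin.
func (s *SigningService) ReleasePublicKey() ed25519.PublicKey {
	return s.releaseKey.Public().(ed25519.PublicKey)
}

// Replay: a compromised but authorized build server ("build-07") submits
// malware. Without approval gating the release key would sign it; with it,
// the request fails and the attempt is on record.
func Replay() (devSigned bool, releaseErr error, approvedOK bool, audit []AuditEntry) {
	svc := NewSigningService([]string{"build-07"}, []string{"release-manager"})
	malware := []byte("trojan.exe") // constructed artifact

	_, err := svc.Sign(SignRequest{Host: "build-07", Artifact: malware})
	devSigned = err == nil // dev key signs anything, but the field never trusts it

	_, releaseErr = svc.Sign(SignRequest{Host: "build-07", Artifact: malware, Release: true})

	_, _ = svc.Sign(SignRequest{Host: "attacker-box", Artifact: malware, Release: true})

	good := []byte("reader-11.0.1")
	sig, err := svc.Sign(SignRequest{Host: "build-07", Artifact: good, Release: true, Approver: "release-manager"})
	approvedOK = err == nil && ed25519.Verify(svc.ReleasePublicKey(), good, sig)
	return devSigned, releaseErr, approvedOK, svc.Audit
}

func main() {
	devSigned, releaseErr, approvedOK, audit := Replay()
	fmt.Println("malware signed with dev key:", devSigned)
	fmt.Println("malware release request:", releaseErr)
	fmt.Println("approved release verified:", approvedOK)
	for _, a := range audit {
		fmt.Printf("audit host=%s approver=%q outcome=%s\n", a.Host, a.Approver, a.Outcome)
	}
}
```

The point of the model is that an HSM only protects the key material: it does nothing against a legitimate client asking for a signature on the wrong file. What stops that is the approval step on the release path, and what lets you reconstruct the incident afterwards is the audit entry written before any refusal.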

Adobe has communicated in detail about the attack. The signing key was revoked on October 4, 2012. A very proper job.

Once more, we see that APTs are becoming more and more sophisticated. Large organizations are clearly under serious threat (I will come back to that topic in a future post).

Notes on PST 2012: (day 1: Innovation day)

Here are some notes on the first day of PST2012. These notes are personal and biased in the sense that they reflect the topics that caught my attention. As such, they do not exhaustively represent the content of the various presentations.

Today’s challenges of cybercrime (E. FREYSSINET)

Eric is the head of the cybercrime department of the French gendarmerie. As such, he has deep knowledge of today's cybercrime, as he is fighting it.

He first presented the big trends and issues:

  • The volume of data to analyze is exploding.
  • Organized crime: interestingly, organized crime entered the game only lately. The first target that attracted organized crime was car theft, which required electronics specialists due to increased electronic defenses; organized crime then jumped to electronic money.
  • Cryptography is becoming more widespread, and it has an impact: for instance, a house search has to occur at a time of day when the computer is already switched on.

Then he described some cases in more detail. A few excerpts:

  • Crime against children: this is one of the most important threats handled by his team (25% of the cases), several hundred cases per year in France. The best defense is the education of children.
  • Attacks on IT systems: botnets are becoming the core element of many IT attacks. Often individuals build the tools and are hired by organizations that install such infrastructure. Interestingly, many SMEs are attacking each other!
  • There is a real business approach behind such crime. Carders offer professional sites with customer support. Malware is sold with a licensing approach, CMS, ...

Then he presented a typical attack: police ransomware. The malware blocks the computer, sometimes encrypts data, and displays a message purportedly issued by the police claiming that you violated the law and have to pay a fine. 10% of the infected people pay the alleged fine.

Cyber Defense

Can we protect against the unknown?  (D. BIZEUL, Cassidian, Head of Security Assurance)

The focus of the presentation was on APT (Advanced Persistent Threat).

The six steps of APT:

  1. Information gathering
  2. Vulnerability identification
  3. Spear phishing/RAT installation
  4. Pass-the-hash / propagation (for privilege escalation)
  5. Malware and pack of tools
  6. Exfiltration

Detection of steps 3 to 6 should rely on reputation evaluation, statistics and, of course, logs. Thus, it is recommended to have a savvy IT team, cyber intelligence, IDS/IPS, and a SIEM and SOC. Cyber intelligence is key.

CERT, CSIRT  (O. CALEFF, Devoteam)

Presentation of what a CERT/CSIRT is and how it works.

Cyber defense tools: the sourcefire example (Y. LE BORGNE)

He explained how an Intrusion Prevention System (IPS) works:

  • Stage 1: packet decoder
  • Stage 2: pre-processor to normalize the data
  • Stage 3: rules engine
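The three stages above, as an added example in Go (not Sourcefire's or Snort's code): a decoder for an HTTP request, a pre-processor that undoes percent-encoding and path tricks, and a rules engine with two literal content rules. The request payload and the rule names are constructed; the structure is what matters.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Request holds what the decoder extracts from a raw HTTP request
// (IP/TCP decoding and stream reassembly are left out of this model).
type Request struct {
	Method, URI, Version string
	Headers              map[string]string
}

// Stage 1: decoder. Splits the request line and headers out of the payload.
func Decode(raw string) (Request, error) {
	rd := bufio.NewReader(strings.NewReader(raw))
	line, err := rd.ReadString('\n')
	if err != nil {
		return Request{}, err
	}
	parts := strings.Fields(line)
	if len(parts) != 3 {
		return Request{}, fmt.Errorf("malformed request line %q", line)
	}
	req := Request{Method: parts[0], URI: parts[1], Version: parts[2], Headers: map[string]string{}}
	for {
		h, err := rd.ReadString('\n')
		if err != nil || strings.TrimSpace(h) == "" {
			break
		}
		if kv := strings.SplitN(h, ":", 2); len(kv) == 2 {
			req.Headers[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return req, nil
}

var slashRun = regexp.MustCompile(`/+`)

// Stage 2: pre-processor. Undoes the encodings used to slip past a literal
// pattern: percent-decoding (two rounds, to catch double encoding),
// backslashes as path separators, and runs of slashes.
func Normalize(req Request) Request {
	u := req.URI
	for i := 0; i < 2; i++ {
		dec, err := url.PathUnescape(u)
		if err != nil || dec == u {
			break
		}
		u = dec
	}
	u = strings.ReplaceAll(u, `\`, "/")
	req.URI = slashRun.ReplaceAllString(u, "/")
	return req
}

// Stage 3: rules engine. A rule is a literal content match on the URI,
// in the spirit of a Snort "content:" option.
type Rule struct{ Name, Content string }

var rules = []Rule{
	{"WEB-MISC directory traversal", "../"},
	{"WEB-MISC /etc/passwd access", "/etc/passwd"},
}

func Match(req Request, rules []Rule) []string {
	var hits []string
	for _, r := range rules {
		if strings.Contains(req.URI, r.Content) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// Inspect runs the three stages and returns the alerts raised on the raw URI
// and on the normalized URI, to make the effect of the pre-processor visible.
func Inspect(raw string) (rawHits, normHits []string, err error) {
	req, err := Decode(raw)
	if err != nil {
		return nil, nil, err
	}
	return Match(req, rules), Match(Normalize(req), rules), nil
}

func main() {
	// Constructed sample: the traversal is percent-encoded, so the literal
	// rules only fire once the pre-processor has decoded the URI.
	raw := "GET /cgi-bin/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
	rawHits, normHits, _ := Inspect(raw)
	fmt.Println("alerts on raw URI:       ", rawHits)
	fmt.Println("alerts on normalized URI:", normHits)
}
```

Run against the raw URI, neither rule fires; after normalization both do. The pre-processor is also where the evasion arms race lives: this one decodes twice, so a triply encoded `%25252e` still slips through, which is exactly why Snort's HTTP inspector has tunable decoding options rather than one fixed pass.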

Why are there still intrusions?

  • The client side is more prevalent and it is the best place to attack.
  • File complexity is a good vector for malware.
  • Operating an IDS is too complex.
  • Operating an IPS requires skill.

Evolution of Snort

New pre-processors (GTP, Modbus, ...), HTTP compression.

Deeper detection (cookies, JavaScript obfuscation, ...).

The message is that the human is the key element. Thus, they claim to simplify the task by focusing the reporting.


APT is more of a buzzword. It is not new. The most important aspect is the "Persistent Threat" part.


Keynote: The authorization leap from rights to attributes: Maturation or Chaos? (R. Sandhu)

Ravi is the father of Role-Based Access Control (RBAC). Will RBAC be replaced by Attribute-Based Access Control (ABAC)? In any case, we are moving towards flexible policy. According to him, the main issue with access control is and will always be the analog hole. The main defect of RBAC is that it does not offer an extension framework; thus, it is difficult to cope with its shortcomings. ABAC has the advantage of offering inherent extensibility, for instance by adding attributes.

Security policy requires Policy Enforcement, Policy Specifications and Policy Administration.
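An added example of the extensibility argument, in Go (not Sandhu's code): a small attribute-based decision point with deny-overrides combining. The first policy is plain RBAC, where the only subject attribute consulted is the role; the next two add a device attribute and a clearance attribute without touching the existing rule. Attribute names and values are constructed.

```go
package main

import "fmt"

// Attrs is a flat attribute bag; subject, resource and environment each get one.
type Attrs map[string]string

type AccessRequest struct {
	Subject, Resource, Environment Attrs
	Action                         string
}

type Decision int

const (
	NotApplicable Decision = iota
	Permit
	Deny
)

func (d Decision) String() string { return [...]string{"NotApplicable", "Permit", "Deny"}[d] }

// Policy is a named rule over attributes (the "policy specification").
type Policy struct {
	Name string
	Eval func(AccessRequest) Decision
}

// PDP is the decision point: deny-overrides combining, deny by default.
type PDP struct{ Policies []Policy }

func (p PDP) Decide(r AccessRequest) (Decision, string) {
	result, why := NotApplicable, "no applicable policy"
	for _, pol := range p.Policies {
		switch pol.Eval(r) {
		case Deny:
			return Deny, pol.Name // any explicit deny wins immediately
		case Permit:
			if result == NotApplicable {
				result, why = Permit, pol.Name
			}
		}
	}
	if result == NotApplicable {
		return Deny, why // nothing matched: closed by default
	}
	return result, why
}

// NewPDP builds the policy set. The first rule is RBAC as a special case of
// ABAC (role is the only attribute read); the next two extend it with
// attributes RBAC has no place for, without changing the existing rule.
func NewPDP() PDP {
	return PDP{Policies: []Policy{
		{"finance-reads-invoices", func(r AccessRequest) Decision {
			if r.Subject["role"] == "finance" && r.Resource["type"] == "invoice" && r.Action == "read" {
				return Permit
			}
			return NotApplicable
		}},
		{"unmanaged-device-offsite", func(r AccessRequest) Decision {
			if r.Environment["network"] == "external" && r.Subject["device_managed"] != "true" {
				return Deny
			}
			return NotApplicable
		}},
		{"restricted-needs-clearance", func(r AccessRequest) Decision {
			if r.Resource["classification"] == "restricted" && r.Subject["clearance"] != "restricted" {
				return Deny
			}
			return NotApplicable
		}},
	}}
}

// Evaluate is the enforcement point's call into the decision point.
func Evaluate(subject, resource, env Attrs, action string) (Decision, string) {
	return NewPDP().Decide(AccessRequest{Subject: subject, Resource: resource, Environment: env, Action: action})
}

func main() {
	alice := Attrs{"role": "finance", "device_managed": "true", "clearance": "internal"}
	invoice := Attrs{"type": "invoice", "classification": "internal"}
	for _, env := range []Attrs{{"network": "corporate"}, {"network": "external"}} {
		d, why := Evaluate(alice, invoice, env, "read")
		fmt.Printf("alice reads invoice from %s network: %s (%s)\n", env["network"], d, why)
	}
	alice["device_managed"] = "false"
	d, why := Evaluate(alice, invoice, Attrs{"network": "external"}, "read")
	fmt.Printf("alice, unmanaged laptop, external: %s (%s)\n", d, why)
}
```

Adding a new constraint is a new closure over the attribute bags, and the RBAC rule never changes; that is the extensibility the keynote contrasts with RBAC. The price is that the policy set now needs administration: nothing in the model stops two rules from contradicting each other, which is where the "policy administration" leg comes in.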

He believes in Security as a Service, because there will be an incentive to properly secure things, or else customers change service provider.

SME session

Arxan (M. NOCTOR)

Nothing new. If you don't know Arxan and you need software tamper resistance, visit their site.


How to strip a TV set? He highlighted the risk of connected TVs that are not secure at all, although they may handle confidential data such as credit card numbers.

Secure IC (P. NGUYEN)

Silicon security: the usual presentation on side-channel attacks. The new attacks are Correlation Power Analysis and Mutual Information Analysis (new since 2010). The new trend is to use information-theoretic metrics. They have a dual-rail logic family with formally proven security (to be presented at CHES 2012).

Lessons from RSA hack

It is now six months since RSA suffered the hack that compromised SecurID. RSA had a positive attitude regarding the hack, providing some details and good visibility. Thus, we can learn many things from it.

We now know how RSA was penetrated: through a targeted email carrying an Excel file. The Excel file had an embedded Flash object. The object, exploiting a zero-day vulnerability, installed the Poison Ivy backdoor. For more details, see F-Secure's analysis. The attacker used the backdoor to get access to the sensitive data needed to break SecurID. The mail was addressed to four RSA employees, hence a targeted attack. Once SecurID was compromised, the attackers could access Lockheed Martin.

This is one of the first publicly known instances of an Advanced Persistent Threat (APT). This corresponds to an extremely targeted attack that works stealthily and slowly in order not to be detected, performed by extremely skilled attackers. Until now, it was reserved for warfare. As the final target was Lockheed Martin, we may believe that it was a high-profile attack. They used a zero-day exploit which passed under the radar of any anti-virus scanner.

RSA and Kaspersky Lab presented an interesting analysis of the attack.

What can we conclude?

  • Perimeter defense is no longer sufficient, at least in a professional environment. Skilled hackers will try to attack from inside. We need new tools to detect suspicious behaviour within the enterprise network. For instance, an alert should be triggered when a device communicates with "exotic" IP addresses. Unfortunately, such tools will be more complex to administer and will probably need more manual monitoring.
  • Targeted attacks will be used more and more against industrial targets. Security awareness will become key. People must also be aware of business intelligence; it is a reality that is too often downplayed.
  • I will rant against all this software that is used for purposes other than the original ones. How often have I seen Excel used for things other than calculating! For instance, to display tables of text. As a result, software editors add new features. Why should we need Flash objects in a spreadsheet? In security, KISS (Keep It Simple & Stupid) is a golden rule. The more features, the more potential vulnerabilities.
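The "exotic IP" alert from the first conclusion, as an added example in Go: flows whose destination falls outside the ranges the business is expected to talk to raise an alert, and large transfers are escalated because they look like exfiltration. The log lines are constructed in a made-up key=value format using documentation IP ranges; the allow-list of expected ranges is also constructed. None of this is RSA's telemetry.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Alert flags one outbound flow to an address outside the expected ranges.
type Alert struct {
	Time, Src, Dst, Severity string
	Bytes                    int64
}

// Flow is one parsed connection record.
type Flow struct {
	Time, Src, Dst string
	Bytes          int64
}

// ParseFlow reads the constructed "timestamp key=value ..." format used below.
func ParseFlow(line string) (Flow, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Flow{}, fmt.Errorf("short line %q", line)
	}
	f := Flow{Time: fields[0]}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Flow{}, fmt.Errorf("bad field %q", kv)
		}
		switch parts[0] {
		case "src":
			f.Src = parts[1]
		case "dst":
			f.Dst = parts[1]
		case "bytes":
			n, err := strconv.ParseInt(parts[1], 10, 64)
			if err != nil {
				return Flow{}, err
			}
			f.Bytes = n
		}
	}
	if net.ParseIP(f.Src) == nil || net.ParseIP(f.Dst) == nil {
		return Flow{}, fmt.Errorf("bad address in %q", line)
	}
	return f, nil
}

// Detector knows which destinations are expected: internal ranges plus the
// allow-list of partners and services the business actually talks to.
type Detector struct {
	expected  []*net.IPNet
	highBytes int64 // volume above which an unknown destination is escalated
}

func NewDetector(cidrs []string, highBytes int64) (*Detector, error) {
	d := &Detector{highBytes: highBytes}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		d.expected = append(d.expected, n)
	}
	return d, nil
}

func (d *Detector) isExpected(ip net.IP) bool {
	for _, n := range d.expected {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Analyze raises an alert for every flow to an unexpected destination.
func (d *Detector) Analyze(lines []string) ([]Alert, error) {
	var alerts []Alert
	for _, line := range lines {
		f, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		if d.isExpected(net.ParseIP(f.Dst)) {
			continue
		}
		sev := "low"
		if f.Bytes >= d.highBytes {
			sev = "high"
		}
		alerts = append(alerts, Alert{f.Time, f.Src, f.Dst, sev, f.Bytes})
	}
	return alerts, nil
}

// SampleLines are constructed flow records (documentation IP ranges), not real logs.
var SampleLines = []string{
	"2011-03-15T02:13:07Z src=10.1.4.22 dst=10.1.0.5 dport=445 bytes=120000",
	"2011-03-15T02:14:10Z src=10.1.4.22 dst=198.51.100.7 dport=443 bytes=900000",
	"2011-03-15T02:20:01Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=58234112",
	"2011-03-15T02:21:45Z src=10.1.7.9 dst=192.0.2.77 dport=80 bytes=4096",
}

// ExpectedRanges: RFC 1918 space plus one constructed partner/SaaS range.
var ExpectedRanges = []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24"}

func main() {
	d, err := NewDetector(ExpectedRanges, 10<<20) // escalate above 10 MiB
	if err != nil {
		panic(err)
	}
	alerts, err := d.Analyze(SampleLines)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s -> %s %d bytes severity=%s\n", a.Time, a.Src, a.Dst, a.Bytes, a.Severity)
	}
}
```

On the sample, the internal and partner flows are silent, the 58 MB transfer to 203.0.113.45 comes out as high and the small connection from 10.1.7.9 as low. The hard part in practice is not this loop but keeping the expected-ranges list honest: an allow-list that is too wide hides the exfiltration, one that is too narrow buries the analyst in low-severity noise, which is the manual-monitoring cost mentioned above.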