News reports coming out this morning indicate that EBay will be asking all of its 112 million users to reset their passwords on the site as soon as possible. We highly recommend you do that, and use a good, hard-to-guess password that you don’t use anywhere else.
EBay is obviously an incredibly popular site, and emails claiming you need to reset your EBay password have long been a favorite ruse of email scammers. Today’s email (which may or may not get caught in your spam filter) is actually legitimate (but you’re going to follow the rules for not getting phished anyway, right? Thought so.)
We’re still waiting on more details from EBay, but at this point it appears that attackers used stolen employee credentials to access the database containing the encrypted passwords for all EBay users sometime in late February or early March. It appears that no financial information was kept in that database, but it does include usernames, email addresses, phone numbers, and physical addresses, which is plenty for a convincing follow-up phishing email.
PayPal, a sister company of EBay, was not involved in this breach, and as of right now there is no indication that the breach has affected PayPal at all.
Although the passwords were not stored in the clear, EBay (and others) believe the attackers have the tools to recover many of them: with a copy of the database in hand, an attacker can try billions of guesses offline with no lockout, rate limit or alert to slow them down, and short or common passwords fall quickly. So, better safe than sorry. Oh, and while you’re at it, you don’t use the same email and password to log in to Facebook, do you? Or Twitter? And certainly not any of the financial institutions you do business with, right? Good, just checking. Because you shouldn’t use the same password for everything, right? Right. Good. Glad we got that cleared up.
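To make the “they can reverse it” point concrete, here is an added example (not from the original post, and not EBay’s real storage scheme, which is not public here) of an offline dictionary attack against a small salted, hashed password table, followed by the password-reuse problem: every username, password and the single-round SHA-256 scheme below are constructed for illustration.

```python
"""Added example (not from the original post): why a leaked table of
'encrypted' passwords still endangers reused passwords. The salted,
single-round SHA-256 scheme and every username/password below are
constructed for illustration; eBay's real scheme is not described here."""
import hashlib
import os


def hash_password(password: str, salt: bytes, rounds: int = 1) -> str:
    """Salted SHA-256 applied `rounds` times. One round is cheap, which is
    exactly what makes offline guessing fast for the attacker."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def make_store(users: dict, rounds: int = 1) -> dict:
    """Build {user: {salt, hash, rounds}}, the kind of table a breach exposes."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = {"salt": salt.hex(),
                       "hash": hash_password(password, salt, rounds),
                       "rounds": rounds}
    return store


def check_login(store: dict, user: str, guess: str) -> bool:
    """What the website does on login: rehash the guess with the stored salt."""
    rec = store.get(user)
    if rec is None:
        return False
    return hash_password(guess, bytes.fromhex(rec["salt"]), rec["rounds"]) == rec["hash"]


def crack(store: dict, wordlist: list) -> dict:
    """Offline dictionary attack. With the table in hand the attacker pays one
    hash per guess and faces no lockout, rate limit or alert. Salts only stop
    one guess from being reused across users; each user is attacked in turn."""
    recovered = {}
    for user, rec in store.items():
        salt = bytes.fromhex(rec["salt"])
        for guess in wordlist:
            if hash_password(guess, salt, rec["rounds"]) == rec["hash"]:
                recovered[user] = guess
                break
    return recovered


def credential_stuffing(recovered: dict, other_site: dict) -> dict:
    """Replay recovered passwords against another site: the reuse problem."""
    return {user: check_login(other_site, user, pw)
            for user, pw in recovered.items() if user in other_site}


# Constructed data: a tiny breached auction-site table and a second site
# where alice reused her password and bob did not.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2014", "dragon"]
AUCTION_SITE = make_store({"alice": "summer2014",
                           "bob": "correct horse battery staple",
                           "carol": "letmein"})
BANK_SITE = make_store({"alice": "summer2014",
                        "bob": "an unrelated long passphrase"})

if __name__ == "__main__":
    found = crack(AUCTION_SITE, WORDLIST)
    print("recovered from breach:", found)          # alice and carol fall; bob does not
    print("works at the bank too:", credential_stuffing(found, BANK_SITE))
```

Two things the run shows: the salt does not protect alice or carol, because each hash is simply attacked on its own, and the only password that survives is bob’s long, uncommon one. Raising `rounds` (or using a deliberately slow hash) makes every guess cost more, but a reused password that is recovered anywhere is recovered everywhere, which is why the reset advice above comes with “don’t use it anywhere else”.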
Now if you’ll excuse me, I have an EBay password to change. And while I’m there, I may as well check on my bid on that Atari 7800. It’s vintage!
Thanks for reading! More updates as they become available!
As information security professionals, we crave reliable information about our adversaries and their tactics. As you can imagine, this kind of data can be difficult to get (for a variety of reasons), so we take full advantage of any good information we can obtain. One of the great sources of information over the past few years is the annual Verizon Data Breach Investigations Report (DBIR).
The DBIR started out as Verizon Enterprise (the part of the division previously known as Cybertrust) publishing anonymized statistics on the cases they had worked over the previous year. Since they were only called in once it was already known that a security incident resulting in information loss had occurred, they were in a good position to describe the chain of events leading to a data breach and look for patterns there.
Over the years, a number of other groups have added their caseload to the study. The DBIR team has continued to refine their approach, and are consistently looking to use a new perspective to see if patterns emerge from the data. This year the report includes all security incidents, not just cases where data loss was confirmed. This helps to grow the sample size of cases. The annual DBIR is one of the best insights we have into how the bad guys work, and something we always look forward to reading.
There are lots of great pieces in this year’s report, and a lot of it aligns with trends we have seen over the past year as well. In this year’s DBIR, a fresh perspective revealed that 92% of all security incidents in the dataset can be described by nine basic patterns. This suggests that a) these attack patterns are successful across industry verticals and b) the vast majority of attacks don’t require an extraordinary level of sophistication. Which is both good and bad news.
One of the more eye-opening data points in the report every year is the gap between how long the initial (successful) attack takes (usually measured in minutes) and how long discovery and containment take (usually measured in months!). This year’s report doesn’t disappoint in this area. To the charts!
The DBIR chart shows that attackers compromise their targets in less than a week far more often than defenders find evidence of the attack within that same week. And the attackers are getting better. Let’s look at one of the nine attack patterns highlighted in this year’s DBIR to see the gap between compromise and containment:
There were several publicized breaches involving retailers in 2013. As you can see (from the mildly terrifying graph above) the attacker successfully compromises their target and exfiltrates data from the network in minutes. The information security team responsible for defending these systems may not find out that they have a problem for weeks. But how did they find out they had a problem?
Turns out that (for the POS attack pattern) it is almost always an external party that makes the discovery, usually because the data the attackers exfiltrated is for sale on the various marketplaces that traffic in such things. While the overall trend isn’t quite that bad, it’s not great either:
As you can see, internal detection accounts for only about 20% of discoveries over the last 10 years.
We’ve got to do better. We can do better. We’ve got two major places to improve: detection and response time.
It’s a (sad) fact of life in the information security field these days, but we know that prevention isn’t enough. We’ve got to be able to detect and correct when our preventative defenses are breached. We’ve got to build better segmentation into our networks, manage the configurations and patch levels of our systems, and ensure we provide our defenders time to look around and find potential problems.
Even with improved detection, how do we close the response-time gap? The DBIR notes in a few places that the attackers’ speed is most likely a sign that the attack sequence has been heavily automated. It’s time for the blue team to automate too. And we’re not talking about one-off scripts for specific tasks. We’re talking about automation that executes the same standard operating procedures your security analysts would use, only faster and at scale.
Over the next few weeks we’ll be following up with some of our strategies on both detection and automation. Let’s make a dent in these numbers for next year!
A few months ago I was at the airport, ready for my 6:50 am flight. Yeah, that’s right. 6:50 AM. In the morning. I am going to be totally honest, I wasn’t even sure oxygen is out that early in the day, but evidently it is. Anyway, arriving in the terminal mere moments before my flight, it occurs to me I have but a brief chance to obtain caffeine before wheels up. Luckily, a Starbucks presented itself across the hallway. Ducking inside, I order an iced coffee, to which the barista replies “We’re all out.”
Me: “Oh, are you having a problem with the ice machine?”
Me: <Long Pause> “So…. are you out of coffee?”
Barista: “Nope, we have coffee. We usually make a batch of coffee and cool it down, but we don’t have any right now.”
Full disclosure: I am not a physicist. I have limited training in fluid thermodynamics. I am not a barista.
Me: “Umm. OK. Can I have a regular coffee and a cup of ice then?”
Barista: “OK, here you go.” <Hands me a cup of hot coffee and a cup half full of ice. I drain the hot coffee into the cup with ice and hand back the hot coffee cup>.
I walked away celebrating my victory over inside-the-box thinking. And then I promptly spilled the coffee on my shirt. Oh yeah, and my flight ended up delayed for two hours.
Why did I just bore everyone with that story? To illustrate how annoying and aggravating today’s topic is. I’d rather repeat the iced coffee saga every morning than deal with this other thing.
Hopefully you never have to deal with Cryptolocker. It really is one of those don’t-even-wish-it-on-your-enemies kind of thing. But at some point you or someone you know will. So here we go:
Cryptolocker: A brief primer:
It goes by lots of names, but the most famous is Cryptolocker. A member of the ransomware family of malware, Cryptolocker is installed on your computer like any other piece of malware and then proceeds to encrypt your files: everything in your Documents folder, everything in your Pictures folder, and even files on any network shares your computer is connected to. Then you get the pop-up message: you can have the key to decrypt your files… for a fee.
The malware itself isn’t actually that hard to remove. The problem is that you are still left with all of your files encrypted. Should you pony up the cash if this hits your computer? While there are certainly stories of people taking that route and regaining access to their files, there are also plenty of stories of payment leading to no action on the bad guys’ part. My suggestion is that you take some basic precautions that will allow you to survive an attack of this sort without ever having to face that decision.
An ounce of prevention…
When it comes to defending yourself, the very best thing you can do is follow some good practices before you ever have to deal with something like this.
A good backup routine is the single most important thing you can do to ensure you survive any attack of this type. The simplest way to do backups is to get an inexpensive USB hard drive and back up your important files once a week or so. Don’t leave it connected all the time though: a drive that is plugged in is just another folder the malware can reach, and it will be encrypted right along with your documents. In fact, if you have a fire safe, that would be a good place to keep it when you’re not actively backing up your PC.
There are also an abundance of “cloud” backup solutions available, and the costs are dropping rapidly. They have the added advantages of being offsite and available anywhere, and they usually come with an automatic backup application that handles everything for you. Even if Cryptolocker strikes, you can usually get back the previous, unencrypted version of your files, provided the service keeps older versions: a plain file-sync client will faithfully upload the encrypted copies over the good ones, so check that versioning is part of the plan.
The basic rule of thumb for deciding whether your backups are sufficient is to answer the following question: if I had to replace my current computer with a new one and all I had was this backup, could I do it? Would I have everything I needed, like documents, pictures, music, and email?
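The rule of thumb above is something you can actually rehearse. The following is an added example, not part of the original post and not Cryptolocker’s code: it backs up a constructed folder of sample files with a hash manifest, then stands in for the malware by overwriting every file it can reach, and finally checks whether the backup still passes the “rebuild a new PC from this alone” test. The `backup_connected` switch shows what happens when the USB drive is left plugged in.

```python
"""Added example (not from the original post): an offline, hash-verified backup
surviving a simulated file-encrypting attack. The sample files are constructed,
and the 'ransomware' below only overwrites bytes; it is not Cryptolocker."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """relative path -> sha256 for every regular file under root (manifest excluded)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def backup(source: Path, dest: Path) -> dict:
    """Copy source into dest and write a manifest so the copy can be verified later."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = snapshot(source)
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify(folder: Path, manifest: dict) -> list:
    """Files whose current hash differs from the manifest, or that are missing."""
    current = snapshot(folder)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def restore(backup_dir: Path, target: Path) -> list:
    """Rebuild target from the backup; returns [] when every file came back intact."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    for rel in manifest:
        (target / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, target / rel)
    return verify(target, manifest)


def simulate_ransomware(*folders: Path) -> int:
    """Stand-in for the malware: clobber every file it can reach, including on
    any 'drive' passed in. Real ransomware encrypts; junk bytes suffice here."""
    count = 0
    for folder in folders:
        for p in folder.rglob("*"):
            if p.is_file():
                p.write_bytes(b"ENCRYPTED:" + os.urandom(32))
                count += 1
    return count


def run_scenario(backup_connected: bool) -> dict:
    """Back up Documents to a 'USB drive', get hit, then try to rebuild a new PC."""
    with tempfile.TemporaryDirectory() as tmp:
        docs, usb, new_pc = Path(tmp, "Documents"), Path(tmp, "usb_drive"), Path(tmp, "new_pc")
        (docs / "letters").mkdir(parents=True)                 # constructed sample files
        (docs / "thesis.txt").write_text("chapter one")
        (docs / "letters" / "mom.txt").write_text("hi mom")
        manifest = backup(docs, usb)
        reachable = [docs, usb] if backup_connected else [docs]  # plugged-in drive is reachable
        damaged = simulate_ransomware(*reachable)
        backup_ok = verify(usb, manifest) == []
        restored_ok = backup_ok and restore(usb, new_pc) == []
        return {"files_damaged": damaged, "backup_intact": backup_ok, "restore_complete": restored_ok}


if __name__ == "__main__":
    print("drive unplugged:", run_scenario(backup_connected=False))
    print("drive plugged in:", run_scenario(backup_connected=True))
```

With the drive disconnected the two damaged documents come back byte-for-byte from the backup; with it connected the manifest check fails before a restore is even attempted, which is the whole argument for unplugging it (and for cloud backups that keep older versions). Running `verify` against the manifest on a schedule is the cheapest way to learn that a backup has gone bad before you need it.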
After backups, the best prevention is following the basic safe computing practices: Don’t open attachments in your email from people you don’t know, keep your computer up to date on patches, and run an up-to-date host protection suite (won’t catch everything, but will certainly catch the obvious stuff).
If you’re already infected with Cryptolocker…
I hope you have good backups. So far none of the white hat researchers who have tried have been successful in reverse engineering the malware to find a method to obtain the decryption key. The only way to fix a computer infected with Cryptolocker is to do a complete reinstall of the operating system, and then bring back in your documents from a backup. Much like my shirt with the giant coffee stain, an infected machine needs a fresh start before it will be useful again.
That’s it for this post. Thanks for reading, and stay safe out there!
Let me start by saying that I realize a lot of important messages with links arrive in your inbox every day. I get it. It’s painful not to use the links. And so many legitimate emails come through this way! The problem is that lots of phony ones do too.
For the most part, computers are reasonably well protected against direct, unassisted attack; most successful attacks need you to do something to help them along. One of the most useful ways of attacking your computer is to take advantage of vulnerabilities in your web browser (see our previous post on a recent IE vulnerability).
In order to obtain anything of value from you (money, passwords, control of your computer, etc.) the attacker needs to get you to visit a webpage that runs code specifically designed for their purpose. So the attacker needs to make a choice: hijack an existing webpage that you are likely to go to, or use some tactic to prompt you to visit a new website. Phishing is one of those tactics.
One of those words that nobody would recognize 15 years ago, phishing is the act of using Internet communications like email, instant messaging, and social media messaging to entice a user to click on a link to an attacker site. Email is a very popular vector because it is cheap, it is (nearly) universal, and it is effective. Now the attacker only needs to craft a message that looks important enough for at least some of their audience to click on.
There are several methods the attacker can use here. They may copy notification messages from a universal type of Internet service that nearly everyone uses (PayPal, Ebay, Facebook, etc.). They could try to fake a message from a common financial institution. Or they could pose as UPS or Fedex, letting you know that action is needed on your part or your shipment will be cancelled. They might pretend to be a large retail chain or consumer electronics company. Last, but certainly not least, is the lottery method (“You’ve won a Starbucks giftcard, click here to give us your mailing information!”).
The point is, if you think about it, it wouldn’t be hard to craft a fake email that you could get your friends to click on. And the click is all it takes. The action is over and done before you’ve had time to rethink your decision and close the browser tab.
So what can you do to protect yourself?
Rule #1 – Go direct.
Got an email from Paypal that your account needs attention? Open a new browser tab and go directly to Paypal. Message from your bank? Same thing. If you need to call these companies, go directly to their website and find the Contact Us info. And if it was actually legitimate, let them know you think their communications need some work.
Rule #2 – Hover over the link
Did you ever notice that if you rest your mouse cursor over a link, a small tooltip (or the address shown in the browser’s status bar) pops up? It shows the actual address you will be sent to if you click, which is often nothing like the text of the link itself.
Try hovering over the link:
This trick is not fool-proof, especially when the link was created by a marketing firm that wants to help its customer measure exactly who clicked, so the real destination is hidden behind a tracking redirect. I find, though, that going to Google and searching for whatever the email refers to gets me there just the same.
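What the hover check really does is compare the text you are shown with the host the link actually points at. The following added example (mine, not from the original post) does that comparison over a constructed HTML email: it flags links whose visible text is a URL for one site while the href goes somewhere else, links that land outside the brand’s domain entirely, and it unwraps one level of tracking redirect on the assumption (common but not universal) that the real destination is carried in a query parameter.

```python
"""Added example (not from the original post): what 'hover over the link'
reveals, done programmatically over a constructed HTML e-mail. Every address,
tracker and message below is made up for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Visible link text that looks like a URL or bare host name, e.g. "https://www.paypal.com/".
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; 'paypal.com.evil.example' fails."""
    return host == domain or host.endswith("." + domain)


def unwrap_redirect(url: str) -> str:
    """Assumption: a tracking link carries its destination as a full URL in a
    query parameter. Return that destination, else the link unchanged."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                return value
    return url


def hover_check(text: str, href: str, claimed_domain: str) -> tuple:
    """(verdict, real host, redirect host or None), the way a careful reader
    compares what is shown with where the click would really go."""
    dest = unwrap_redirect(href)
    real = host_of(dest)
    via = host_of(href) if dest != href else None
    shown = ""
    stripped = text.strip()
    if URL_LIKE.fullmatch(stripped):
        shown = host_of(stripped if "://" in stripped else "http://" + stripped)
    if shown and not (belongs_to(real, shown) or belongs_to(shown, real)):
        return ("mismatch", real, via)       # text says one site, link goes to another
    if not belongs_to(real, claimed_domain):
        return ("off-brand", real, via)      # not the company the mail claims to be from
    return ("ok", real, via)


def audit(html: str, claimed_domain: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    return [(text,) + hover_check(text, href, claimed_domain) for text, href in parser.links]


# Constructed sample message "from PayPal"; all hosts are fictional or documentation ranges.
EMAIL = """
<p>Dear customer, your account is limited. Log in at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
within 24 hours.</p>
<p><a href="https://www.paypal.com/help">Visit the Help Center</a></p>
<p><a href="https://click.tracker.example/r?u=https://www.paypal.com/us/security">Learn about security</a></p>
<p><a href="http://198.51.100.7/login">Verify now</a></p>
"""

if __name__ == "__main__":
    for row in audit(EMAIL, "paypal.com"):
        print(row)
```

The first link is the classic trick: the text reads paypal.com, the real host merely starts with it. The third is the marketing case from above, where the hover shows a tracker and only unwrapping reveals a legitimate destination; the fourth goes to a bare IP address, which no real notification from a large company will do. None of this replaces Rule #1: when in doubt, type the address yourself.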
Rule #3 – There’s no need to rush.
A common theme among these phishing schemes is that they are crafted to create a sense of urgency in the recipient. After all, if it doesn’t look like you need to deal with it right away, you will probably push it off until later. If the message is screaming for immediate attention, alarms should be sounding in your head. Follow Rules #1 and #2 very closely on these.
Preventing phishing is a way bigger topic than what I can fit here in a blog post, but there are a number of additional resources to help you protect yourself from these kinds of scams. And if you think you may have accidentally clicked on a link that may be suspicious, please don’t hesitate to report it to our Service Desk.
Some additional resources on protecting yourself from phishing attacks: