Infrastructure and Integration, Culture Matters

December 17, 2013

A recent 60 Minutes episode highlighted an NSA staffer describing a Chinese plot to “take down” the U.S. financial system using social engineering & a firmware update to brick the computers that support all economic activity.  The story received a lot of unflattering attention (Google it).  The broader piece about recent NSA data-gathering and spying also seemed less like news than an advertisement.  This has resulted in a lot of attention on the nature of the story and the likelihood that there is material distance between the themes highlighted by the CBS report and the behaviors of NSA staff and leadership.  So, why should we care?

There are many reasons.  One assumes that many in our industry receive “news” via feeds & tweets — which must radically distill stories down to a very few words.  Many senior decision-makers “grew up” with news shows like 60 Minutes and have sensors tuned to content from its brand.  So, that channel can deliver messages to financial services leaders in ways many others can’t.

Later in the December 15th 60 Minutes broadcast was a report about the Chinese telecommunications equipment giant “Huawei.”  It could have been a useful reminder that infrastructure matters in global Financial Services risk management.  Global data communications networking makes decision-making about ‘inside’ & ‘outside’ and what or whom to trust much more complex and challenging.  Culture matters.  Nation-state behaviors matter.  The scale and scope of Financial Services operations make it an attractive target for intellectual property theft.  We all need to continue to enhance our understanding of threats associated with infrastructure purchasing and integration, as well as with extending our operations using partners and massive shared ‘cloud’ infrastructure.


“Update on Huawei.” Dec. 15, 2013

“Chinese telecom giant eyed as security threat.” Oct. 05, 2012



Keylogger Credential Theft Still A Business Threat

December 3, 2013

The combination of malware keystroke loggers and a business model based on credentials sales is a real threat to financial services organizations today. It is not a misty theory or something only security professionals need to care about. Credentials, typically a set of strings we call a username and password, are the only layer of protection for most of our business web applications.  Many, if not most, of our industry’s systems cannot detect when an unauthorized party uses a given user’s credentials.

Yesterday Trustwave researchers announced that they found another cache of roughly two million stolen credentials on an active botnet controller.

These included:

1,580,000 general web site login credentials
318,000 Facebook credentials
70,000 Gmail, Google+ and YouTube credentials
60,000 Yahoo credentials
22,000 Twitter credentials
9,000 Odnoklassniki credentials (a Russian social network)
8,000 ADP credentials (ADP says it counted 2,400)
8,000 LinkedIn credentials
and more…

The attackers appeared to start their operation around October 21 and drove it until November 17.

There are a few important issues associated with the data they found.

First, while press reports often highlight social networking credential thefts, ‘real’ businesses are also targeted. In this case, ADP. Also, it is a certainty that there are lots of ‘real’ businesses in that 1.5M ‘web site’ credentials in the first category above.

Second, 46% of the roughly 2M passwords included in this cache were 10 characters or longer. It seems rational to assume that as businesses ratchet up password length requirements, a material percentage of humans just use that same (or similar) ‘long’ password at all their sites. That is an elevated risk behavior that we need to have all members of our workforce resist.

Finally, weak passwords are still an important problem. Do not use them! What were the top 11 stolen passwords in this collection?

  1. 123456
  2. 123456789
  3. 1234
  4. password
  5. 12345
  6. 12345678
  7. admin
  8. 123
  9. 1
  10. 1234567
  11. 111111
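
As an added example (not from the original post or from Trustwave), here is a password-screening check built from the list above. It goes beyond the eleven literal strings to the patterns they represent, so a password that meets a 10-character length rule but is only a digit run or a decorated "password" is still rejected; the function name and the rejection reasons are assumptions.

```python
import re

# The eleven most common stolen passwords listed in the post above.
TOP_STOLEN = {
    "123456", "123456789", "1234", "password", "12345", "12345678",
    "admin", "123", "1", "1234567", "111111",
}

# Words from that list, used to catch decorated variants such as "Admin2013!".
BASE_WORDS = {p for p in TOP_STOLEN if p.isalpha()}

# Digit-row order, repeated so that long runs are matched as well.
DIGIT_ROW = "1234567890" * 4


def screen_password(candidate: str) -> list[str]:
    """Return the reasons a candidate is rejected (empty list means accepted)."""
    reasons = []
    lowered = candidate.lower()

    if lowered in TOP_STOLEN:
        reasons.append("on the top stolen-password list")

    # Generalization 1: any run like 1234... regardless of its length.
    if candidate and DIGIT_ROW.startswith(candidate):
        reasons.append("digit-row sequence")

    # Generalization 2: one character repeated (111111, aaaaaaaaaa).
    if len(set(candidate)) == 1:
        reasons.append("single repeated character")

    # Generalization 3: a listed word with digits or punctuation around it.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in BASE_WORDS and lowered not in TOP_STOLEN:
        reasons.append("decorated variant of a listed word")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not values from the stolen cache.
    for sample in ["123456", "12345678901", "Password2013!", "aaaaaaaaaa"]:
        print(f"{sample!r}: {screen_password(sample) or 'accepted'}")
```

A check like this belongs at password-set time, alongside a length rule rather than in place of it.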



“Look What I Found: Moar Pony!” 12-03-2013
