Verizon Says Passwords are Not Enough

April 25, 2016

Lately, I’ve been spending a lot of time performing static code security assessments of web applications. That leads to working with developers and those who work around them. One thing many of them share with me is their faith in authentication infrastructure — infrastructure that generally sits “in front” of their applications and protects them from unauthorized users. Sometimes I still hear Architects talk about “security” as if it were really just authentication… In that context, the latest Verizon Data Breach Investigations Report (DBIR) reviews their 2016 dataset of over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries.

The full paper is worth a read, but in the context of my comments above I wanted to highlight Verizon’s recommendations concerning passwords:

“…passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”

“63% of confirmed data breaches involved weak, default or stolen passwords.”

The top 6 breaches included the following steps: “phish customer > C2 > Drop Keylogger > Export captured data > Use stolen credentials”

“If you are securing a web application, don’t base the integrity of authentication on the assumption that your customers won’t get owned with keylogging malware. They do and will.”

Verizon Data Breach Investigations Report (DBIR)
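Verizon's "salt" point is that a password should be one factor verified alongside another. The usual way to do that for a web login is a time-based one-time code (TOTP, RFC 6238, built on HOTP from RFC 4226) checked together with the password. The block below is an added example, not code from this post or from Verizon's report; the user-record layout, the PBKDF2 parameters, and the use of the RFC 4226 test secret are assumptions. It also records the last accepted time-step counter so that a code captured by a keylogger cannot be replayed, even inside its 30-second validity window; a relay that forwards the code in real time would still succeed, so this raises the attacker's cost rather than removing the risk.

```python
import hashlib
import hmac
import os
import struct

TOTP_STEP_SECONDS = 30
PBKDF2_ROUNDS = 200_000  # assumed work factor for the demo


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // TOTP_STEP_SECONDS, digits)


def match_totp(secret: bytes, code: str, unix_time: int, window: int = 1):
    """Return the time-step counter whose code matched (current step +/- window), or None."""
    if not code.isdigit():
        return None
    current = unix_time // TOTP_STEP_SECONDS
    for counter in range(max(current - window, 0), current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted password hash, TOTP secret, last counter consumed."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,
    }


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a phished or keylogged password alone is not enough."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    counter = match_totp(user["totp_secret"], code, unix_time)
    # Evaluate both factors before deciding, and refuse any counter already consumed,
    # so a captured one-time code is rejected on replay even within its window.
    if not pw_ok or counter is None or counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); constructed password.
    demo_secret = b"12345678901234567890"
    user = make_user("correct horse battery", demo_secret)
    now = 59
    code = totp(demo_secret, now)
    print("first use:", login(user, "correct horse battery", code, now))        # True
    print("replayed code:", login(user, "correct horse battery", code, now + 5))  # False
    print("password only:", login(user, "correct horse battery", "000000", now))  # False
```

The `hotp` output for counter 0 and 1 with that test secret matches the RFC 4226 vectors (755224 and 287082), which is a cheap self-check before wiring the routine into a real login path.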



Targeted Phishing Still Works – Resistance is Critical

February 29, 2016
As many have been reporting today, one of Snapchat’s employees was recently targeted by online criminals who convinced them that they were the company’s CEO.

Then what?

In response to the targeted phish, the employee emailed a copy of some company payroll details to what they hoped was their CEO. As a result, a number of Snapchat’s workers have had their identities compromised [not Snapchat’s millions of users].

Still, and too often, social engineering works…

Members of any Financial Services workforce need to resist this force all day, every day.

In this 4 minute video, Graham Cluley outlines how this can happen and how employees might reconsider breaking the rules. His final guidance can be summarized as: “It’s okay to say no.” He is an entertaining presenter and his message is completely applicable to any Financial Services work environment.

Take a break for this 4 minute security reminder:

Snapchat Apology:

VIDEO: “Snapchat data breach shows that sometimes it’s good to say no to your CEO. — Do you mind just sending over the payroll database?”
By Graham Cluley, February 29, 2016

Six Months of Cyber-Attacks Against the Financial Services Sector

June 24, 2015

For years, the finance industry has been under attack by groups of hostile parties.

The frequency and sophistication of targeted cyber-attacks is a top-tier risk for our industry.

A threat intelligence vendor, WebSense, recently released a short report outlining their analysis of the actions and attack patterns directed against organizations in the financial services sector. This type of information can be used to help enterprises more effectively protect customers’ data and assets (as well as — for some types — to market their products and services).
This report identifies some key cyber threats and tactics targeting the financial sector and briefly discusses their effectiveness, along with the respective volumes of those attack techniques, from January through May of this year.

This type of information may be viewed under the category of “forewarned is forearmed.” It can help organizations to construct more proactive resistance to attack, quicker incident detection, and faster responses.

We are enablers & users of global operations that flow trillions of dollars daily.
That, along with the fact that we also host large amounts of personal and identity information, results in our being a continuous focus for hostile agents world-wide — agents who are motivated to constantly optimize their activities.

With the financial information and the sensitive personal information of millions of consumers under our care, we must continually strengthen our security practices — our technology, tools and talent — in order to maintain effective (good-enough) defensive and reactive capabilities.

A key message of the WebSense report is that there appears to be no single path to effectively combat threats and risks presented by cyber-security attacks.
Comprehensive, edge-to-edge due diligence is still required.

“2015 Industry Drill-Down Report Financial Services” is worth a read, and contains a range of reusable facts & assertions.


“2015 Industry Drill-Down Report Financial Services.”
By Raytheon & WebSense, 06-23-2015.

Predictable Techniques Succeed in Big Bank Theft

February 14, 2015

In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says it has seen evidence of $300 million (or much more) stolen from more than 100 banks and other financial institutions in Russia, Japan, the United States, and at least 27 other nations.

The attack appears to have been initiated via a phishing campaign, followed by long-running surveillance malware, remote access trojans (low and slow), and finally exfiltration of large amounts of money — in part via manipulation of bank accounting systems. Nothing new there; the story highlights the scale of cyber-crime successes.

The rest of the story will be outlined by Kaspersky on Monday.

Or you can watch a condensed version via YouTube.

This should also be a reminder that there are no security ‘ruby slippers.’  We need to keep rejecting vacuous vendor and pundit preaching about replacing our security perimeters with (pick your hot solution-of-the-moment) ‘the cloud,’ ‘an appliance,’ or some other replacement for common sense, intelligence, and hard work.  Optimizing a layered defense on top of active resistance to phishing (along with all other types of social engineering) and malware remains our primary path to risk-reasonable due diligence.  Announcements of cyber-thefts like the one mentioned above are reminders that there are still tough challenges for all of us in financial services security and risk management.


“Bank Hackers Steal Millions via Malware.”
By David E. Sanger and Nicole Perlroth, 02-14-2015

Updated 02-16-2015:

Report from Kaspersky:
and the full report at (downloaded 02-16-2015 @ 1 PM CST)

Video: “The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide.”

For some context, see:

The Great Bank Heist, or Death by 1,000 Cuts?, By Brian Krebs, 02-15-2015

Keylogger Revealed in the Apple iOS Ecosystem

February 25, 2014

In the course of their daily grind, Financial Security professionals dealing with the current BYOD fever often refer to risks associated with the use of unmanaged endpoints in business operations — especially when this involves using consumer-oriented unmanaged tablets and/or phones running Android or iOS.  A special subset of that risk involves the theft of company credentials — generally still a username/password pair.  Once those credentials are ‘owned’ by hostile actors, a targeted organization is at elevated risk along any dimension associated with the ‘real’ worker’s role.  For example, a hostile who possesses the credentials of the chief financial officer, treasury personnel, a database administrator, a server administrator, or any other individual with elevated rights can (in theory) perform all the activities authorized for those individuals — which would result in material risk to your organization.  All risk management professionals and decision-makers at all levels need to keep these risks in mind as they evaluate the appropriateness of BYOD for their organization(s).

In the last month, two separate research teams (from Trustwave and FireEye) have produced proof-of-concept apps to exploit an iOS flaw that allows a hostile party to record every tap and keystroke made on an Apple iOS device — jailbroken or not.  This type of software has been around in the Android marketplace for some time.  But Apple and its ‘marketers’ have been adamant that various features of the iOS operating system architecture provide overlapping layers of protection to prevent this type of activity, and as a final backstop their (opaque) App Store app review practices effectively eliminate the risk of overtly hostile software successfully behaving in a hostile manner in the iOS ecosystem.  In other words, “just trust us…”  A recent example of ‘analysis’ of this type — stating that “there is essentially no iOS malware” — might include “Defending Data on iOS 7.”

Security researchers have identified a vulnerability which allows malicious actors to log your taps & keystrokes (X-Y coordinates) before sending that data to a remote server of their choice.

Mobile specialists on the staff of security company FireEye have been collaborating with Apple after creating a proof-of-concept app, deploying it through the production Apple App Store review process without detection, and then having it successfully exploit a non-jailbroken iOS 7 device after downloading and installing it from Apple’s App Store.

In practice, the ‘keylogging’ would be an ‘added feature’ in an otherwise ‘reasonable’ app, and a hostile party would use phishing or other social engineering to mislead victims into installing their software.  Another route would be to exploit another remote vulnerability in iOS itself or in another app to begin the malicious app download process.

According to the authors, the exploit works on non-jailbroken modern iOS devices, including iOS 7.0.5, 7.0.6 and 6.1.x.

In the context of the recent iOS SSL vulnerability — something that any reputable static code security analysis product or service would have caught — it is difficult to support Apple’s opaque ‘trust us…’ approach to security details.  I believe that Apple is going to have to be much more transparent to win over the Financial Services markets.

The exploit takes advantage of Apple’s exceptions to the iOS setting for “Background App Refresh.” Security-conscious users can use Settings to ‘disable’ background refreshing for specific apps. App authors, though, are allowed to bypass the user’s wishes. One example is permitting an app to play music in the background without its ‘Background App Refresh’ switch being turned on. It appears that in this case, the proof-of-concept app may have disguised itself as a music app to conduct background monitoring. MDM vendors also deploy apps that exhibit behaviors analogous to this ‘backgrounding exception.’ Even when an iOS device is set to deny all ‘Background App Refresh,’ the MDM app will continue to run, examining the local device and ‘calling home’ with the results of that assessment.

As we have mentioned before on this blog, the Android app marketplace is still an ‘elevated security risk muddle,’* and there is no ‘Apple security magic.’ Apple has an excellent record of managing their image, but an uneven record at implementing real, or Financial Services-grade resistance to hostile actors.

Until Apple figures this one out, iOS users should avoid at least some of this risk by using the iOS task manager to stop unnecessary apps from running in the background. This will prevent a range of potential elevated-risk monitoring that might be occurring.** iOS 7 users can press the Home button twice to enter the task manager and see preview screens of the apps opened, then swipe an app up and out of preview to stop unnecessary or suspicious applications running in the background.

*Technical term.
**Remember, an MDM agent is a ‘trusted’ app and is used to qualify endpoints for some types of access to private infrastructure. If your company requires a given MDM agent, I recommend that you let it continue to run.

“Researcher Creates Malware to Capture Every Tap on Your Smartphone or Tablet.” By David Gilbert, January 31, 2014

“New iOS flaw makes devices susceptible to covert keylogging, researchers say — Proof-of-concept app in Apple’s App Store sent keystrokes to remote server.” By Dan Goodin – Feb 24 2014

“Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation.” By Min Zheng, Hui Xue and Tao Wei, February 24, 2014

“Defending Data on iOS 7. Version 2.0” by Rich Mogull, Securosis.

Symantec Report Highlights Hidden Lynx Threat to Financial Services Enterprises

September 25, 2013

Last week researchers at security vendor Symantec released a whitepaper attempting to describe the nature and activities of a group of advanced, professional attackers working out of China, dubbed the Hidden Lynx team.

They report that Hidden Lynx offers a ‘hackers for hire’ operation that has stayed busy the last four years stealing specific information from a wide range of corporate targets.  Symantec says that Hidden Lynx activities display skill-sets far above some other attack groups also operating out of China — for example the Comment Crew (aka APT1) — and adds that they are “breaking into some of the best-protected organizations in the world.”

Hidden Lynx has targeted hundreds of organizations worldwide since November 2011.  Financial services organizations (not commercial banks) have been the vertical targeted most often by this group, amounting to almost 25% of the top 10 targeted industries.  In that same period, they also hit targets in the United States almost 53% of the time.

Symantec’s analysis suggests that Hidden Lynx is “tasked with obtaining very specific information that could be used to gain competitive advantages… It is unlikely that this organization engages in processing or using the stolen information for direct financial gain.”

When Symantec looked at Hidden Lynx’s large scale attacks, the focus on Financial Services increased, amounting to 30% of their attacks.

The key conclusion offered by Symantec is that “cyber-espionage campaigns are becoming increasingly common,” and that “these attacks are becoming increasingly sophisticated.”

We can take steps to help resist attacks like those by Hidden Lynx, keeping valuable information from falling into their hands. The key is to take those steps! Work with your information security consultants.  Protect all endpoints, yours included, from malware.  Use ‘safe’ web filtering services. Train your workforce to resist social engineering through all communications channels, including your browser.  Incorporate secure software practices into all of your business application investments.  Insist on secure infrastructure configurations and practices.


“Hidden Lynx – Professional Hackers for Hire.”
By Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, and Jonell Baltazar.
Version 1.0 – Sept 17, 2013

“Hidden Lynx – Professional Hackers for Hire.”
17 Sept 2013

“Hidden Lynx and MSS protection.”
18 Sept 2013

APWG Reports Criminals Focusing on Financial Services and Succeeding

February 1, 2010

“These criminals are rapidly figuring out how the financial industry works, where there is big money and large transfers, so they can basically do large wires out of these accounts without setting off fraud alerts.” Linda McGlasson, Managing Editor, Bank Info Security, quoting Dave Jevans, Chairman of the APWG.

The Anti-Phishing Working Group (APWG) has published phishing activity trend reports for years.  They recently released their report for Q3 2009.  It is the result of their scanning more than 22 million unique PCs during the three month period — which seems like a useful sample size.  More than 11 million of those PCs were infected with malicious software, and almost 16% (1.87 million) of those were infected with banking trojans or password stealers.  Financial services security and risk management professionals need to keep this information front-of-mind as we deal with problem-solving across a broad spectrum of issues and situations.

I strongly recommend that you invest, or continue to invest, creativity and sustained energy in ensuring that your security staff, as well as your entire workforce, understand that “phishing” is (what APWG described as) a complicated “criminal mechanism employing both social engineering and technical subterfuge to steal” sensitive and valuable information.  It is a “big deal” because it continues to be successful on a scale that delivers attractive profits to criminals at what continues to be minimal risk.

In its “3rd Quarter ‘09 Phishing Activity Trends Summary” the report included:

  • Financial Services rose back to the top of the most targeted industry sectors in Q3 after a brief displacement by Payment Services in Q1 & Q2 of 2009.  54% of all phishing targeted financial services during Q3, 2009 [Page 7]
  • Over the quarter, the proportion of crimeware‐specific malware (malicious code designed specifically against financial institutions’ customers) remained consistent, while data‐stealing malware rose. [See page 8]
  • The number of rogueware variants fell as gangs turned to ransomware to extort money from users. [See page 9]
  • The total number of infected computers in Q3 represented more than 48.35 percent of the total sample of scanned computers. [See page 10]

Overall, the criminal activity they describe in this report is composed of two high level components:

Social Engineering Component: Personal identity data and account credentials are prominent examples of their targets.  Criminals are increasingly sophisticated in their social-engineering efforts using spoofed email that appears to come from legitimate businesses and agencies to direct financial services employees, as well as customers to counterfeit websites designed to trick the recipient into divulging identity (starting with user name-password pairs) and financial information.
Technical Component: Criminals plant malicious software (malware) onto PCs to steal credentials directly.  This is often carried out using a combination of software and remote command-and-control systems to intercept users’ identity information — usually their login account name(s) and password(s).  They use a variety of technical means to corrupt “local navigational infrastructures” — hosts files, DNS, or look-alike or obfuscated target server names — to misdirect users to carefully-crafted counterfeit websites.  Another approach to credential and other identity information is to employ phisher‐controlled or phisher-rented proxies used to monitor and intercept users’ keystrokes [See page 2 for more detail].  Because of the diversity of potent methods of employing malicious software, the APWG used to include monthly counts of ‘password‐stealing malicious code URLs’ and ‘password stealing malicious code unique applications’ in their reports.  Their researchers have determined that this has “proven systematically unreliable.”  In its place, they now report on “Detected Crimeware,” which they believe provides a “more precisely descriptive measure of malevolent code trends” [See page 8].

They define “crimeware attacks” as:

“…designed with the intent of collecting information on the end‐user in order to steal those users’ credentials. Unlike most generic keyloggers, phishing‐based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions, online retailers, and e‐commerce merchants) in order to target specific information. The most common types of information are: access to financial‐based websites, ecommerce sites, and web‐based mail sites.”

They define “Malevolent Software” as:

  • “Crimeware (data-stealing malicious code designed specifically to be used to victimize financial institutions’ customers and to co-opt those institutions’ identities);
  • Data Stealing/Generic Trojans (code designed to send information from the infected machine, control it, and open backdoors on it);
  • Other Malware (the remainder of malicious code commonly encountered in the field such as auto-replicating worms, dialers for telephone charge-back scams, etc.)” [Page 8]

Only if users understand that serious phishing is composed of many facets can we expect them to resist criminals’ efforts on this front.  User-awareness and training is a sub-optimal solution to resisting criminal phishing attacks.  It seems, though, to be an essential component of our risk-management plans on this front.  The phish-resisting vendor technology and services are maturing, but they are still only a fraction — maybe even a small fraction — of what I believe would be a risk-appropriate level of due diligence in the financial services industry today.

The report also reports that:

  • More than 300 brands per month were hijacked by phishing campaigns. [Page 3]
  • More than 60% of malicious phishing web sites include some form of the user’s intended target web site’s name in their URL. [Page 3]
  • 98.7% of malicious phishing web sites use a hostname instead of just an IP address. [Page 3]
  • 99.94% of malicious phishing web sites are accessed using HTTP via TCP port 80 (which needs to be “open” to support your Internet-enabled business activities). [Page 3]
  • Criminals employ around 150 unique URLs to attack each targeted brand. [Page 5]
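The APWG figures above (target brand names embedded in the URL, hostnames rather than bare IP addresses, plain HTTP on port 80) and the look-alike or obfuscated server names described in the Technical Component section translate directly into cheap triage heuristics that a defender can run over proxy or mail-gateway logs. What follows is an added example for this page, not the APWG's code or anything from the report; the protected-brand list, the reserved `.example` and `.test` domains, and the sample URLs are all constructed, and the scoring threshold is an assumption that a real deployment would tune against its own traffic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allow-list (assumption): brand token -> domains that legitimately serve it.
PROTECTED_BRANDS = {
    "examplebank": ("examplebank.example",),
}
SUSPICION_THRESHOLD = 2  # assumed; tune against real traffic


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _mentions(text: str, brand: str) -> bool:
    # Collapse separators so "example-bank" or "example.bank" still match the brand token.
    return brand in re.sub(r"[-_.]", "", text.lower())


def assess_url(url: str):
    """Return (score, reasons) for one URL; each reason is one APWG-style indicator."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme == "http":
        reasons.append("plain http")
    if _is_ip_literal(host):
        reasons.append("ip-literal host")
    if parts.username is not None:
        reasons.append("userinfo before hostname")  # classic way to make the host look different
    for brand, domains in PROTECTED_BRANDS.items():
        if any(_under_domain(host, d) for d in domains):
            continue  # genuinely the brand's own site; nothing to flag for this brand
        if _mentions(host, brand):
            reasons.append(f"brand '{brand}' inside unrelated hostname")
        elif _mentions((parts.username or "") + parts.path + parts.query, brand):
            reasons.append(f"brand '{brand}' outside the hostname")
    return len(reasons), reasons


def triage(urls):
    """Return [(url, reasons)] for every URL whose score reaches the threshold."""
    flagged = []
    for url in urls:
        score, reasons = assess_url(url)
        if score >= SUSPICION_THRESHOLD:
            flagged.append((url, reasons))
    return flagged


# Constructed sample URLs; .example and .test are reserved names that resolve nowhere.
SAMPLE_URLS = [
    "https://online.examplebank.example/login",               # the real site: score 0
    "http://examplebank.example.login-verify.test/account",   # brand as a subdomain label
    "http://192.0.2.10/examplebank/secure",                   # bare IP, brand in the path
    "https://examplebank.example@secure-update.test/",        # brand in the userinfo part
    "https://news.test/articles/examplebank-rates",           # brand in path only: below threshold
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS):
        print(url, "->", "; ".join(reasons))
```

A single indicator is weak on its own (news sites legitimately mention bank names in article paths, which is why the last sample URL stays below the threshold), so the score counts indicators and only the combination is flagged; the reasons list is kept so an analyst can see why a line was surfaced rather than just that it was.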

So, what should we make of all this?  One way to view this is that it helps to explain what the FDIC was reporting about increasing thefts via electronic funds transfers (EFT) last year.  In 2009, the Federal Deposit Insurance Corporation (FDIC) reported that it had detected an increase in the number of unauthorized electronic funds transfers (EFT) as well as an increase in the resulting direct financial losses.  These EFTs were placed through automated clearing houses (ACH) and wire transfers.  The FDIC also reported that in most of these cases, the fraudulent transfers were made using stolen credentials.

Credential theft is a big criminal business.  It plays out in many ways.  One way is a direct assault on financial services enterprises — because that is where so much money is concentrated.  I believe that we need to continue increasing and fine-tuning our efforts to ensure that our leadership and our workforce understand what they are up against.  In order to meet our threshold due diligence obligations, we are going to be making additional financial and human investments to resist these types of attacks.  What do you think?


“Phishing Trends: Numbers up, Corporate Accounts Targeted Analyst: ‘I Think We’re in for a Challenging Year.’” January 27, 2010. By Linda McGlasson, Managing Editor, Bank Info Security.

“3rd Quarter ‘09 Phishing Activity Trends Summary.” By the Anti-Phishing Working Group.

“FDIC: Alert About Fraudulent Electronic Funds Transfers (EFTs).” August 26, 2009.
