SPOTLIGHT ON SECURITY

Target Fiasco Shines Light on Supply Chain Attacks

The holiday data breach at Target was opened up with stolen credentials from a vendor in the company’s supply chain, according to reports that surfaced last week. That kind of attack is getting more and more common these days.

“About 80 percent of data breaches originate in the supply chain,” Torsten George, vice president of marketing for Agiliance, told TechNewsWorld.

With security concerns mounting, corporations have devoted more resources to hardening their own defenses against attack. That has forced attackers to rethink how they get in.

“Hackers began looking for the weakest point in the chain, and that’s the supplier,” George said.

Companies today do business in a hyper-networked world. They’re working with more and more business partners — partners in payment collection and processing, manufacturing, IT and even human resources.

“It is simple. Hackers find the weakest point of entry to gain access to sensitive information, and often that point is within the victim’s ecosystem,” Stephen Boyer, CTO and cofounder of BitSight, told TechNewsWorld.

Inside Job

Large organizations can have hundreds or even thousands of suppliers. Typically, only two dozen or so have their security posture scrutinized by the parent company.

“The rest of the vendors fall off the radar screen, and that’s what hackers take advantage of,” observed Agiliance’s George.

Rather than burn intellectual and computing resources trying to break through the layered defenses of a corporate giant, attackers are taking the path of least resistance: stealing credentials from suppliers.

“To detect that someone is using someone else’s credentials is very tough,” George said, “and often takes a long time to find out. Most companies simply don’t have the capacity to really encompass all of their suppliers into a detailed risk assessment.”

In a way, the Target attack was a variation on the classic inside job.

“The bad guys are now using advanced threats to steal credentials and pose as employees, and once on the network, they look the same as good guys,” Eric Chiu, president and founder of HyTrust, told TechNewsWorld.

“Access controls, role-based monitoring and data security are critical to securing against these new insider threats, especially in cloud environments that concentrate systems and data,” Chiu added.
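The quotes above make the practical point: a stolen supplier credential is a valid credential, so the only thing that distinguishes the attacker from the vendor is behavior. An added example, not code from the article or from any of the companies quoted in it, of the role-based monitoring Chiu describes: each login by a third-party service account is scored against a per-vendor baseline (expected source networks, systems in scope, maintenance window). The account names, networks, hosts, log format and log lines are all constructed for the example.

```python
"""Added example: flag misuse of third-party (vendor) credentials.

All names, networks, hosts and log lines below are constructed for the
example; the log format (timestamp|account|source_ip|target_host|result)
is hypothetical and not that of any real product.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class VendorProfile:
    account: str
    allowed_sources: list   # networks the vendor is contracted to connect from
    allowed_hosts: set      # systems inside the vendor's scope of work
    window: tuple           # (start, end) maintenance window, local time


# Hypothetical baseline, as an organization would derive it from the vendor
# contract and historical access. One HVAC-style vendor account is enough
# to show the checks.
PROFILES = {
    "svc-hvac-vendor": VendorProfile(
        account="svc-hvac-vendor",
        allowed_sources=[ip_network("203.0.113.0/24")],
        allowed_hosts={"bms-portal-01"},
        window=(time(6, 0), time(18, 0)),
    ),
}

# Constructed sample log: two normal logins, one from an unexpected network
# at night, one that then reaches a host outside the vendor's scope, and one
# from an account nobody has profiled.
SAMPLE_LOG = """\
2013-11-15T09:12:03|svc-hvac-vendor|203.0.113.42|bms-portal-01|success
2013-11-15T23:41:17|svc-hvac-vendor|198.51.100.7|bms-portal-01|success
2013-11-16T02:03:55|svc-hvac-vendor|198.51.100.7|pos-mgmt-srv|success
2013-11-16T10:20:00|svc-hvac-vendor|203.0.113.42|bms-portal-01|success
2013-11-16T11:00:00|svc-unknown-vendor|203.0.113.9|bms-portal-01|success
"""


def parse_line(line):
    """Split one constructed log line into a typed event."""
    ts, account, src, host, result = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": ip_address(src), "host": host, "result": result}


def check_event(ev, profile):
    """Return the list of baseline violations for one login event."""
    reasons = []
    if not any(ev["src"] in net for net in profile.allowed_sources):
        reasons.append("source_not_in_vendor_networks")
    if ev["host"] not in profile.allowed_hosts:
        reasons.append("host_outside_vendor_scope")
    start, end = profile.window
    if not (start <= ev["ts"].time() <= end):
        reasons.append("outside_maintenance_window")
    return reasons


def find_anomalies(log_text, profiles=PROFILES):
    """Score every login against its vendor profile; unknown accounts are
    themselves an alert, since an unprofiled vendor is an unmonitored one."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        profile = profiles.get(ev["account"])
        if profile is None:
            alerts.append((ev["ts"].isoformat(), ev["account"],
                           ["unknown_vendor_account"]))
            continue
        reasons = check_event(ev, profile)
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["account"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, account, reasons in find_anomalies(SAMPLE_LOG):
        print(ts, account, ", ".join(reasons))
```

The checks are deliberately per-account rather than per-user: a vendor service account has a narrow, contractually defined job, so "valid password, wrong network, wrong host, wrong hour" is a stronger signal for it than it would be for an employee. The hard part in practice is the baseline itself, which is exactly the capacity gap George describes.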

2FA Under Attack

Two-factor authentication has been hailed as an authentication technology whose time has finally come. Requiring something a user has — a mobile phone, for instance — and something the user knows — like a strong password — is believed to thwart many data theft attempts. However, it seems Net predators have begun to adjust to the brave, new world of 2FA.

“We’re seeing a lot more malware that is attempting to bypass dual factor authentication,” said Andrew Conway, a threat researcher at Cloudmark and co-author of its 2013 Messaging Threat Report released last week.

“Since a phone is very often an important device for dual-factor authentication,” he told TechNewsWorld, “the malware is intercepting incoming SMS messages or blocking incoming phone calls.”

Online banking services have for several years sent a mobile Transaction Authentication Number (mTAN) to a user’s phone by SMS, and hackers have been attacking the practice for just as long. Zeus-in-the-Mobile, or Zitmo, began intercepting mTANs back in 2010.

Much of the 2FA attack activity last year occurred in Asia, Conway said. “People there are more likely to install apps on their phone that come from non-trusted sources — not from Google Play.”

Breach Diary

  • Jan. 25. Arts and crafts retailer Michaels reveals it is investigating a possible breach of its computer systems and warns customers to check their financial statements for fraudulent activity.
  • Jan. 28. The Guardian, citing documents from Edward Snowden, reports NSA and UK counterpart GCHQ are developing capabilities to gather information from “leaky” smartphone apps, including the Angry Birds game.
  • Jan. 28. Researchers at Ben-Gurion University in Israel announce they’ve discovered flaws in Android 4.3 and 4.4 that allow malware traffic to bypass an active VPN and divert it to a hacker-controlled system.
  • Jan. 28. Aleksandr Andreevich Panin pleads guilty in the United States to conspiracy to commit wire and bank fraud for his role as primary developer and distributor of the SpyEye bank fraud Trojan. It’s estimated the malware has infected 1.4 million computers since 2009.
  • Jan. 29. FileZilla warns that tainted versions of its free, open source file-transfer (FTP) software are circulating on some third-party websites. Tainted versions contain code that steals login credentials and sends them to a server in Germany associated with malware and spam activities.
  • Jan. 29. Hackers deface Angry Birds website in response to reports that intelligence agencies have been collecting data from the game and other mobile apps.
  • Jan. 29. Bard Vegar Solhjell and Snorre Valen of Norway’s Socialist Left Party nominate whistleblower Edward Snowden for the Nobel Peace Prize.
  • Jan. 29. Jefferies analyst Daniel Binder estimates in a research note that the holiday data breach at Target could cost the company US$400 million to $1.1 billion.
  • Jan. 30. FIDO Alliance, a consortium developing authentication standards, announces RSA, an EMC company, has joined the group.
  • Jan. 30. Yahoo discovers coordinated attack on its email accounts and resets some users’ passwords. Company says attackers obtained account information from database of third-party provider.
  • Jan. 30. RSA discovers server infrastructure being used to steal payment card information from point-of-sale terminals at several dozen retailers in the United States and 10 other countries.

Upcoming Security Events

  • Feb. 6. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Feb. 9-13. Kaspersky Security Analyst Summit. Hard Rock Hotel and Casino Punta Cana, Dominican Republic.
  • Feb. 10-15. CyberCon 2014. Sponsored by SANS. Online courses range from $4,195-$5,095.
  • Feb. 17-20. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
  • Feb. 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Feb. 27. TrustyCon. 9:30 a.m.-5 p.m. PT. AMC Metreon, 135 4th St #3000, Theater 15, San Francisco. Sponsored by iSEC Partners, Electronic Frontier Foundation (EFF) and DEF CON. $50 plus $3.74 fee.
  • March 3-8. Cyber Guardian 2014. Sheraton Inner Harbor hotel, Baltimore, Md. Sponsored by SANS. Courses range from $4,895-$5,095.
  • March 5-10. DFIRCON 2014. Monterey Marriott, Monterey, Calif. Sponsored by SANS. Courses range from $4,845-$5,095.
  • March 12-23. ICS Security Summit. Contemporary Hotel, Lake Buena Vista, Fla. Sponsored by SANS. Courses range from $1,700-$4,595.
  • March 20-21. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
  • March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
  • April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
  • April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
  • April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
  • April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
  • April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine.