Security Blog

Weekly Intelligence Summary Lead Paragraph: 2014-04-11

Steve Simpson — Posted: Saturday, April 12, 2014

What was supposed to be remembered as the week that XPocalypse officially began will now be known as the week that the OpenSSL Heartbleed vulnerability (CVE-2014-0160) brought headaches to just about everyone in ICT. For the uninitiated, OpenSSL contains a vulnerability which allows an attacker to read up to 64KB of a vulnerable application's process memory in plaintext per malformed heartbeat request, and to repeat the request as often as they like. The Verizon Cyber Intelligence Center (VCIC) notified customers of this vulnerability on Wednesday and provided them with recommendations for handling the issue. In other vulnerability news that might have faded into the background this week, Microsoft released four security bulletins and officially ended support for Windows XP, Adobe released a security bulletin for Flash Player and a new version of WordPress is available. Websense, Mandiant and Symantec all released their yearly threat reports, and Anonymous and its affinity groups tried to erase Israel from the Internet again. They did not succeed.


Weekly Intelligence Summary Lead Paragraph: 2014-04-04

David Kennedy — Posted: Tuesday, April 8, 2014

The Korean National Police Agency arrested four persons involved in the data breach of the Naver portal and the compromise of 25 million user accounts. A US regulator for financial institutions issued an advisory warning that hackers were trying to access smaller banks' systems to raise the withdrawal limits on ATM cards. Targeted attacks reported this week include: Stop Malvertizing's report of the targeting of abuse teams; F-Secure's report of malicious PDF files using the crisis in Ukraine as lures; and IntelCrawler's report of malicious ZIP files whose spoofed contents appear to be harmless resumes or fax images but which contain malware aimed at strategic geopolitical targets. Microsoft announced four bulletins for April's Patch Tuesday, including a fix for the MS Word vulnerability it reported two weeks ago. A team of researchers has found that RSA's BSAFE was weakened by an extension co-written at the request of the NSA. On a related note, ESET's Stephen Cobb assessed a recent Harris poll on the impact the NSA's surveillance activities have on user trust.


Weekly Intelligence Summary Lead Paragraph: 2014-03-28

David Kennedy — Posted: Saturday, March 29, 2014

On Monday Microsoft released Security Advisory 2953095 announcing attacks on a previously unknown vulnerability in Word 2010 that also affects Outlook. Microsoft reported "limited, targeted attacks." The Security Research and Defense blog has the details. Both EMET and a Fix-it mitigate the risk. Symantec's report on Ploutus ATM malware stirred up some excitement: "Hackers text ATMs for cash via Windows XP flaws." But Larry Seltzer let the air out of that balloon in eight paragraphs: "Robbing ATMs by SMS: Not in the real world." Cisco released its semi-annual IOS update with five advisories. Our e-readers took on six high-quality reports: the RAND Corporation released "Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar." The US Senate released the staff report: "A 'Kill Chain' Analysis of the 2013 Target Data Breach." IntelCrawler published: "Syrian Electronic Army - Hacktivism to Cyber Espionage?" Incapsula and NSFocus each released reports on the DDoS environment: "2013-2014 DDoS Threat Landscape Report," and, "DDoS Threat Report 2013," respectively. And NTT Communications released: "2014 Global Threat Intelligence Report." This week's good news: the FBI arrested thirteen in the Chicago area and two in Bulgaria who are alleged to be behind a money laundering and ATM skimming operation.


Test driven development with json schema

Kevin Thompson — Posted: Tuesday, March 25, 2014

Our team is going through the process of examining potential changes to the VERIS schema that we use to encode security incidents. As changes are accepted we have to make changes to the enumerations and in some cases the schema itself. It is really important that the schema documentation accurately reflects what we actually want from our VERIS incidents. And so we need to test the documentation.

Imagine that you're weighing an object on a scale. The scale says that the object weighs 92 kilograms. How do you know that it really weighs 92 kilograms? How do you know that the scale isn't lying to you? The answer is calibration. We calibrate the scale regularly by weighing known objects and making sure that the output from the scale gives us the right value. That is essentially what we're doing with the schema tests we're writing. We create an incident which should fail or pass validation and then make sure that it really does.

Test driven development

TDD is a software development methodology that goes a bit further than just throwing tests at your classes, functions, or in this case, schema. In a TDD environment, the software is developed in response to the test rather than the other way around.

The VERIS schema is being updated to use the features available in Draft 4 of the IETF JSON Schema specification. We're also trying to make use of features that were already available in Draft 3 but that we weren't taking advantage of. For example, where an array is present in the schema, we can specify (with minItems) that it must have at least one item in it. That way an empty array ([]) will not be valid.

Walk through a test cycle

One thing we want to avoid is having an automated process or script accidentally put fields in the wrong place. We have a list of properties that are valid in the root of a VERIS json object, such as actor, action, discovery_method, etc. If a VERIS object is created that has an additional field (property) in the root, we want that to fail validation.

Ordinarily, we might go right to the schema and add some logic to reject json objects that have additional properties. Draft 4 has a keyword for exactly that, "additionalProperties", which you can set to false. But in TDD, we are going to start by writing a failing test.

Here we have a VERIS json object that has a new property called "test" with the value "test string". This VERIS object is the "incident" field of a larger json object which also has a field called "should" and a field called "message".

The Python test (written using nose) will try to validate the "incident" field and record whether it passes or fails. Then it checks whether the object should have failed validation. If the validation script came to the wrong conclusion, then the test has failed.

At this point we haven't put any logic into the JSON schema to deal with this type of failure, so when we run the test the JSON object is found to be valid even though our test dictates that it should have been invalid. The test has failed.

Now that we have a failing test, we can write some code to make that test pass. In this case, we will add "additionalProperties": false to the root of the schema so that having additional properties is no longer allowed.

Now when we run our tests, they pass. We have successfully implemented this feature. And by having a detailed set of tests we can be more confident that the changes we make to the schema are not breaking other functionality.
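The full cycle described above (a test case that should fail, the schema that wrongly lets it pass, the tightened schema, and the minItems check from earlier in the post), as an added example that is not the VERIS project's own code. The real VERIS tests use the jsonschema package under nose; to keep this stand-alone, the validator below implements only the Draft 4 keywords discussed in the post (type, properties, required, additionalProperties, enum, items, minItems). The schema fragment, incidents and test cases are constructed and hypothetical, shaped like the VERIS root but not the published schema.

```python
"""Added example, not the VERIS project's code: a TDD cycle against a small
hypothetical schema fragment using a minimal Draft 4-subset validator."""
import copy


def validate(instance, schema, path="$"):
    """Return a list of error strings for the Draft 4 subset (type, properties,
    required, additionalProperties, enum, items, minItems); an empty list
    means the instance is valid against the schema."""
    errors = []
    type_map = {"object": dict, "array": list, "string": str, "integer": int}
    expected = schema.get("type")
    if expected and not isinstance(instance, type_map[expected]):
        return [f"{path}: expected {expected}"]
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not in the enumeration")
    if expected == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}.{name}: required property missing")
        for name, value in instance.items():
            if name in props:
                errors.extend(validate(value, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                # Draft 4 default is True (anything goes); False rejects unknown keys.
                errors.append(f"{path}.{name}: additional property not allowed")
    elif expected == "array":
        if len(instance) < schema.get("minItems", 0):
            errors.append(f"{path}: needs at least {schema['minItems']} items")
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema.get("items", {}), f"{path}[{i}]"))
    return errors


# Hypothetical fragment shaped like the VERIS root (not the published schema).
SCHEMA_BEFORE = {
    "type": "object",
    "required": ["actor", "action", "discovery_method"],
    "properties": {
        "actor": {"type": "object", "properties": {
            "external": {"type": "object", "properties": {
                "variety": {"type": "array",
                            "items": {"type": "string",
                                      "enum": ["Organized crime", "Activist", "Unknown"]}}}}}},
        "action": {"type": "object"},
        "discovery_method": {"type": "string",
                             "enum": ["Ext - customer", "Int - log review", "Unknown"]},
    },
}

GOOD_INCIDENT = {"actor": {"external": {"variety": ["Organized crime"]}},
                 "action": {"hacking": {}},
                 "discovery_method": "Ext - customer"}

# Each case mirrors the post's test file: an incident, whether it should pass
# or fail, and a message naming the behaviour under test. Constructed data.
TEST_CASES = [
    {"should": "pass", "message": "well-formed incident is accepted",
     "incident": GOOD_INCIDENT},
    {"should": "fail", "message": "unknown root property is rejected",
     "incident": dict(GOOD_INCIDENT, test="test string")},
    {"should": "fail", "message": "empty variety array is rejected",
     "incident": {"actor": {"external": {"variety": []}},
                  "action": {}, "discovery_method": "Unknown"}},
]


def run_test_cases(schema, cases=TEST_CASES):
    """Map each case's message to True if the validator's verdict matches the
    case's 'should' field, else False (the test has failed)."""
    results = {}
    for case in cases:
        verdict = "fail" if validate(case["incident"], schema) else "pass"
        results[case["message"]] = verdict == case["should"]
    return results


def harden(schema):
    """The 'make the failing test pass' step: forbid extra root properties
    and require at least one actor variety. Returns a new schema."""
    new = copy.deepcopy(schema)
    new["additionalProperties"] = False
    variety = new["properties"]["actor"]["properties"]["external"]["properties"]["variety"]
    variety["minItems"] = 1
    return new


SCHEMA_AFTER = harden(SCHEMA_BEFORE)

if __name__ == "__main__":
    for label, schema in (("before", SCHEMA_BEFORE), ("after", SCHEMA_AFTER)):
        print(label, run_test_cases(schema))
```

Run as a script it prints the results for both schemas: against SCHEMA_BEFORE the two "should fail" cases come back False (the object was wrongly accepted, so the test fails, exactly the state the post describes), and against SCHEMA_AFTER all three come back True. Keeping the test cases as data with a "should" field means a schema regression shows up as a flipped boolean rather than a silently accepted record.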


Weekly Intelligence Summary Lead Paragraph: 2014-03-21

Steve Simpson — Posted: Monday, March 24, 2014

ESET’s report on Operation Windigo is the best open source intelligence we’ve collected this week. The group behind Windigo is responsible for compromising around 25,000 Linux servers over the past two years. The whitepaper is a must-read, but the indicators of compromise released alongside the report are what make it this week’s best intel. Brian Krebs had another busy week. Krebs continued his series of reports on ColdFusion compromises as the Guardian reported that one of Citroen’s websites fell victim to the same group behind those attacks. As for the group itself, Symantec calls it the Cyclosa gang and published a report identifying the individuals responsible for the ColdFusion attacks and for running the SSNDOB site where the stolen data is sold. Apparently Hollywood is interested in pursuing a movie about Krebs’ work. The Russian mafia, outing cybercriminals and exposing massive data breaches: what’s not to like? Order us a soda and some popcorn please.


Weekly Intelligence Summary Lead Paragraph: 2014-03-14

David Kennedy — Posted: Friday, March 14, 2014

We nearly made it. Crashing after the adrenalin rush of RSA week, intel seemed to be drying up. Justin Bieber’s Twitter getting hacked was almost the most significant event in InfoSec risk this week. Almost. But careful examination of this week’s bulletins from Microsoft popped that bubble. There have been surprise attacks using another previously unreported vulnerability in Internet Explorer. This is separate from the one (CVE-2014-0322) announced in the February Security Advisory about targeted attacks on IE 9 and 10. CVE-2014-0324 is the new attack. Symantec has a little more information, including that they believe it was used in a watering hole attack and that the exploit works on IE 8. Arbor, AlienVault and McAfee all updated our intelligence on point of sale malware and attacks. In the body of last week’s intelligence summary we included Trend Micro’s report of the “Siesta Campaign,” and this week Mandiant/FireEye expanded our collections and probably connected it to the infamous APT1 actor.


Weekly Intelligence Summary Lead Paragraph: 2014-03-07

Steve Simpson — Posted: Monday, March 10, 2014

Good news, defenders! Microsoft announced it will patch the Internet Explorer zero-day currently being targeted in a limited number of attacks as part of March’s Patch Tuesday. The update will be released alongside four other bulletins that will plug holes in Silverlight and Windows. Bad news if you’re a customer of Flexcoin and/or Poloniex. Both companies admitted to suffering breaches that saw hackers walk off with $600,000 and $50,000 respectively. BitStamp also copped to a breach but claimed the only thing compromised was its customer mailing list. Brian Krebs continued his coverage of retailer breaches by reporting on separate incidents involving the Smucker’s online store, Sally Beauty Supply and Chicago taxicabs. Researchers from Team Cymru published a report on a massive campaign being waged by hackers to compromise home routers and alter their DNS settings. Team Cymru suspects this attack impacts at least 300,000 systems throughout Europe and Asia. Your chuckle of the week comes via AnonGhost, which defaced a site belonging to UK-based Yorkshire Bank. It turns out the defaced site isn’t operated by Yorkshire Bank at all and is likely a phishing page to lure unsuspecting bank customers. Looks like AnonGhost can add brand monitoring to its resume.


Weekly Intelligence Summary Lead Paragraph: 2014-02-28

David Kennedy — Posted: Saturday, March 1, 2014

This week, we collected intelligence from IntelCrawler of mobile malware targeting Middle Eastern bank clients. Also targeting the Middle East, Symantec reported a new Java RAT and Fidelis reported the SSTEAM targeted attacks on the energy and government sectors. Symantec also reported that malware exploiting the most recent vulnerability in IE 10 has evolved from targeted to widespread attacks. For situational awareness, the cream of the reports released this week include: FireEye’s 2014 Annual, Dell SecureWorks’ Cryptocurrency-stealing Malware Landscape, both Kaspersky’s and Symantec’s reports on Mobile Malware and BAE/Detica’s “Business and the Cyber Threat: The rise of Digital Criminality.” Apple has been excoriated in tech media and the security blogosphere over a bug in the SSL implementation in both iPhones and Macs. Our colleague Bruce Schneier is perhaps the most high-profile security expert to ponder whether the NSA is responsible. For a bug. Also tickling the hype-meter: the “Chameleon” Wi-Fi access point virus. The one made public in a university research paper published last October; the one that is not, and never has been, in the wild; the one that only affects access points with security settings essentially turned off, not the way they almost always come out of the box.


Weekly Intelligence Summary Lead Paragraph: 2014-02-21

David Kennedy — Posted: Saturday, February 22, 2014

Last week it was zero-day attacks using a vulnerability in Internet Explorer (CVE-2014-0322) that were making headlines. This week it’s a new vulnerability in Flash Player that’s getting all the attention. Researchers from FireEye discovered a strategic web compromise of two non-profit organizations’ websites being used to exploit this new vulnerability in Flash Player (CVE-2014-0502). Luckily Adobe is already pushing a patch to plug this hole. As for the Internet Explorer vulnerability from last week, Microsoft finally issued a security advisory confirming IE 9 and 10 are affected and providing a temporary Fix-it. No word yet on when a permanent patch will be made available. Noteworthy vulnerabilities and targeted attacks weren’t the only things grabbing headlines this week. The University of Maryland announced it got popped for data on 300,000 people, Kickstarter reported hackers stole e-mail addresses and encrypted passwords belonging to its users and Bank of the West notified former career prospects that attackers may have stolen their personal information. After getting pwned by the Syrian Electronic Army last week, Forbes decided to publish an after-action report on what went wrong. Kudos to Forbes for its transparency; the RISK Team hopes this trend continues in the future.


Error Detecting Data Visualizations

Kevin Thompson — Posted: Thursday, February 20, 2014

Winter is in full swing and the RISK Team is hard at work gathering, validating, and analyzing data for a variety of projects that we’re working on. One of those is the upcoming quarterly release for the VERIS Community Database.

For those not familiar with the VCDB, every quarter the RISK Team releases raw data regarding information security breaches that have been reported in public channels, like the news or reports to an Attorney General’s office. The basic process is to identify news articles, create issues in GitHub, and then code them up using a web-based application. When it comes time for a release, we export the data and use some Python to turn the entries into VERIS schema-compatible JSON objects.

Of course, humans are prone to error, and so we have a variety of sanity checks that we run on the data before it gets committed to GitHub. For example, we check each incident to make sure that all the values are actual enumerations from the standard (no incidents that have ‘hakcing’ instead of hacking) and that an integer is present in the data total.

Even with these checks in place, bad data can slip through the cracks, and one great way to detect that is by having some dynamic data visualizations made up that work against your live data. For example, earlier this week I pulled the latest data from our tool, converted it to JSON, validated it, and then put it into a test database. Now what data scientist wouldn’t want to play around with a shiny new data set? So I pulled up a graph of the incidents in each year in the dataset.

Before I updated the data, the graph looked like this:

And after adding the new data I got this:

Well, that’s not good. What the heck happened? It turns out that one of the incidents that passed validation had a mistake in the timeline. In that one file, timeline.incident.year was set to 20134. When I generate this particular view of the data I like to fill in any missing years. That way I don’t have 1971 showing up next to 1983 (yes, we have some of those in the data set; I just clipped off the graphic so it wouldn’t be huge). So when this view came up, it filled in every year from 2014 up to 20134. All of the years that actually had something were basically printed on top of each other and were very thin.

So even though my data validation script had given the thumbs up to all the data, taking a glance at some simple visualizations alerted me to a problem. It was an easy fix, and after I re-populated my database I got a picture that was much more in line with what I had expected. 

Another example is seeing enumerations in a graphic that simply don’t belong there. Take a look at this graph of actor varieties in the VCDB.

One of the actor varieties shown is motive, which is not a valid enumeration in VERIS for actor variety (motive is a different variable that describes an actor). Looking in the data set I was able to find an incident that had been coded wrong and fix it, even though it had slipped past our other checks.
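Both mistakes from this post (a year of 20134 and an actor variety of "motive") reproduced on constructed data, as an added example that is not the RISK Team’s own code. It shows why the gap-filled year view explodes (one bad year adds thousands of empty buckets), and adds the two cheap checks a type/enumeration validator does not do: a plausible-year range and a closed allow-list for actor variety. The incidents and the allowed variety set are constructed; the variety set is a small hypothetical subset of the VERIS enumeration, not the full list.

```python
"""Added example, not the RISK Team's code: how a year typo and a mis-coded
actor variety pass basic validation but show up in a frequency view, plus the
range and allow-list checks that catch them earlier. Constructed data."""
from collections import Counter

# Hypothetical subset of VERIS actor.external.variety values (not the full list).
ACTOR_VARIETIES = {"Organized crime", "Activist", "State-affiliated", "Unknown"}

# Constructed incidents; entries 3 and 4 carry the two errors from the post.
INCIDENTS = [
    {"timeline": {"incident": {"year": 2012}},
     "actor": {"external": {"variety": ["Organized crime"]}}},
    {"timeline": {"incident": {"year": 2013}},
     "actor": {"external": {"variety": ["Activist"]}}},
    {"timeline": {"incident": {"year": 2013}},
     "actor": {"external": {"variety": ["Unknown"]}}},
    {"timeline": {"incident": {"year": 20134}},            # one digit too many
     "actor": {"external": {"variety": ["State-affiliated"]}}},
    {"timeline": {"incident": {"year": 2014}},
     "actor": {"external": {"variety": ["motive"]}}},      # motive is not a variety
]


def year_counts(incidents, fill_gaps=True):
    """Incidents per year. With fill_gaps (as in the post's view) every year
    between the minimum and maximum appears, so one bad year stretches the
    axis by thousands of empty buckets and squashes the real bars."""
    counts = Counter(inc["timeline"]["incident"]["year"] for inc in incidents)
    if fill_gaps:
        low, high = min(counts), max(counts)
        return {year: counts.get(year, 0) for year in range(low, high + 1)}
    return dict(sorted(counts.items()))


def text_histogram(counts):
    """A console stand-in for the post's graph, one line per year."""
    return "\n".join(f"{year}: {'#' * n}" for year, n in counts.items())


def implausible_years(incidents, earliest=1970, latest=2014):
    """Range check an enumeration validator does not do. Returns (index, year)
    for every incident outside the window; 2014 is the year of the post."""
    flagged = []
    for idx, inc in enumerate(incidents):
        year = inc["timeline"]["incident"]["year"]
        if not earliest <= year <= latest:
            flagged.append((idx, year))
    return flagged


def unknown_varieties(incidents, allowed=ACTOR_VARIETIES):
    """Returns (index, value) for actor varieties outside the allow-list,
    the check that would have caught "motive" before the graph did."""
    return [(idx, value)
            for idx, inc in enumerate(incidents)
            for value in inc["actor"]["external"]["variety"]
            if value not in allowed]


def clean(incidents):
    """Drop incidents flagged by either check. In practice you fix the source
    record, as the post does; this just shows the view with the errors gone."""
    bad = {i for i, _ in implausible_years(incidents)}
    bad |= {i for i, _ in unknown_varieties(incidents)}
    return [inc for i, inc in enumerate(incidents) if i not in bad]


if __name__ == "__main__":
    print(len(year_counts(INCIDENTS)), "year buckets with the typo present")
    print(text_histogram(year_counts(clean(INCIDENTS))))
```

With the typo present the gap-filled view has over eighteen thousand buckets for five incidents, which is the squashed graph the post describes; without fill_gaps the 20134 bar would simply sit next to 2014 and be easy to miss, so the view that looks worse is the one that catches the error. The range check is the kind of constraint worth folding back into the schema once a visualization has exposed it.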

