Attack on Fed Exposes Weak Patch Maintenance
It's one thing for an individual computer user to neglect software patches that fix security flaws. When a major organization or government agency is lax in patch maintenance, however, the risks multiply. The recent hacking of the Federal Reserve website is not only highlighting that problem, but also putting a focus on the possibility that software may soon be smart enough to defend itself from attacks.
Feb 11, 2013 7:15 AM PT
While many Americans watched the wrap-up of the Super Bowl Feb. 3, the band of hackers called Anonymous broke into a Web-facing server at the Federal Reserve and pilfered a list of some 4000 people who work in the banking industry -- many of them ranking executives at banks and credit unions.
Later in the week, the Fed acknowledged the break-in. "The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," a spokesperson told the media.
"Exposure was fixed shortly after discovery and is no longer an issue," she added.
Since the hackers never reached the Fed's back-end systems, the integrity of the banking system isn't at risk. The incident, however, does expose a glaring security problem with all software, according to Glenn Chisholm, vice president of products and CSO of Cylance.
"There is a constant problem that people have with what to patch, what to secure and how to secure it," Chisholm told TechNewsWorld.
"This attack wasn't rocket science," he added. "It was exploitation of a known vulnerability."
Attacks like those on the Fed will continue to create mischief as long as the software industry clings to the notion that it can create "perfect programs" -- programs that do not contain any flaws that can be exploited by hackers, argues Dan Stickel, CEO of Metaforic.
However, that attitude is changing. "There's a growing movement to build software that can defend itself from attack, not relying on busy system admins or uninformed consumers to provide that perfectly protected operating environment," Stickel told TechNewsWorld.
"Within a few years," he added, "it will likely be considered unprofessional and irresponsible to deploy software that cannot operate under imperfect conditions."
DMARC's 1st Birthday
DMARC may not be a household acronym. For the last year, however, the technology that proponents claim can put a dent in phishing attacks has been steadily growing in popularity.
Some 3.3 billion consumer mailboxes worldwide -- almost two-thirds of all mailboxes -- are protected by DMARC: Domain-based Message Authentication, Reporting & Conformance. That is according to DMARC.org, the collaborative backing the technology. That group includes Google, Microsoft, Facebook, Bank of America and JP Morgan Chase.
DMARC works in conjunction with two other email authentication systems -- SPF and DKIM -- to ensure that the sender of an email message is who they say they are. That's bad news for phishers because their effectiveness depends on pretending to be someone they're not.
While DMARC may create problems for phishers, it may make things easier for malcontents launching DDoS attacks, according to Razvan Stoica, a security analyst with Bitdefender.
"It's another thing that's tacked on to the DNS system, which is already overloaded," Stoica told TechNewsWorld.
"The more data a DNS server has to serve, the easier it is to choke the pipe with requests," Stoica continued. "Every little bit of data you tack on makes a denial of service attack that much easier."
Big Data Fights Cyberthreats
The exploding amount of data circulating and stored in a modern company can provide an impenetrable cover for cybercriminals. IBM wants to make that cover less dense.
Last week the company introduced a new security product that uses big data to combat cyberthreats. IBM Security Intelligence With Big Data combines security intelligence with data analytics to fight both external and internal threats to an organization.
Large organizations want to bring more and more data into their security hoppers; not just security data, but enterprise data as well, explained Marc van Zadelhoff, vice president of strategy for IBM Security Systems.
When enterprise data such as transaction data is combined with security data -- logins and logouts -- threats that would have evaded detection can be exposed, he noted.
"You can go from a pattern that's anomalous in the business data, and combine it with security data, and find a needle in a haystack," van Zadelhoff told TechNewsWorld.
Data Breach Diary
- Feb. 4. Guardian reports Twitter considering deploying two-factor authentication following data breach in which 250,000 Twitter accounts were compromised.
- Feb. 4. Reuters reports that the U.S. Department of Energy began on Feb. 1 sending letters to an unspecified number of employees and contractors informing them that a data breach at the agency resulted in the unauthorized disclosure of personal identifying information. The DoE said it is working with federal law enforcement agencies to assess the nature and scope of the attacks. No classified data was compromised, DoE said.
- Feb. 6. Federal Reserve acknowledges that information was obtained from the agency by exploiting a temporary vulnerability in a website vendor product. On Feb. 3, the hacktivist collective Anonymous posted to a government website a list containing personal information of some 4000 people in the banking industry, and claimed it got the list from the Fed.
- Feb. 7. European Commission recommends that each EU member set up an authority to which companies with functions critical to a country's economy would be required to report data breaches.
- Feb. 8. A hacker with the handle Guccifer breached accounts of George H.W. Bush's daughter, sister-in-law and brother-in-law, as well as family friends Wilard Heminway and Jim Nantz. The hacker made public on the Internet photos and emails from the accounts.
Upcoming Security Events
- Feb. 7. Closed to Risk, Open for Business: Keeping Retail Networks PCI Compliant. 1 p.m.-2 p.m. ET. Webinar sponsored by Watchguard. Free.
- Feb. 7. Three Ways to Insure Data Loss Does Not "Deep Six" Your Business. 2 p.m. ET. Webinar sponsored by WatchGuard. Free.
- Feb. 8-9. Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: US$595.
- Feb. 12. Transforming Intelligence Operations Through IT. Sponsored by INSA and Nextgov. Ronald Reagan Building, 1300 Pennsylvania Ave., NW, Washington, D.C. Free.
- Feb. 14. Optimizing and Safeguarding Your Data Network. 1:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
- Feb. 24-25. BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
- Feb. 25-Mar. 1. RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: To Jan. 25, $1,895. After Jan. 25, $2,295.
- Feb. 26. Optimizing and Safeguarding Your Data Network. 11:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
- Mar. 12-15. Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, 1095 euros ($1,447); through Feb. 28, 1,295 euros ($1,711); Mar. 1-15, 1,495 euros ($1,975).
- Apr. 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: Before Feb. 9, $999; Feb. 9-Apr. 18, $1,099; Apr. 19-25, $1,199.
- Apr. 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: By Apr. 19, free; After Apr. 19, Pounds 20.
- Jun. 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m.ET. Newseum, Washington, D.C. Registration for Non-government attendees: Before March 3, $395; Mar. 3-Jun. 10, $495; On-site, $595.