Canaudit Inc, IT Security Audit publications and tools.

Canaudit Newsletter February, 2013

IT Security Audit Year in Review: 2012
As we look back, 2012 was a big year in IT Security. Hacking activity consistently made the front page across the globe and viruses and other malware still continue to evolve and adapt to changing environments. I'd like to examine some of the major hacking events that shaped this last year in IT Security:
Largest Breaches of 2012
Zappos data breach exposed roughly 24 million account details
  • These 24 million account details include "Customers' names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of their credit card numbers, and their scrambled passwords may have been illegally accessed," according to Zappos CEO Tony Hsieh. [1]

LinkedIn breach resulted in the compromise of 6.4 million unsalted SHA1 hashed passwords
  • The LinkedIn breach seemed to be a more sophisticated attack which was not noticed for some time. "Marcus Carey, security researcher at Boston-based Rapid7, said he believed the attackers had been inside LinkedIn's network for at least several days, ... computer security experts discovered files with some 6.4 million scrambled passwords on Tuesday, which they originally suspected belong to LinkedIn members because some of the passwords included the phrase 'LinkedIn,' .. it is possible that all or just some of those 6.4 million passwords belong to LinkedIn members, Cluley added."[2]

eHarmony suffered 1.5 million hashed passwords
  • Passwords were the bounty of a hacking attack at eHarmony, "that resulted in 1.5 million stolen passwords"[3]

Yahoo password breach exposed 450,000 unencrypted user logins
  • Yahoo suffered the loss of logins, usernames matched with passwords, which are often reused across different sites. "Yahoo Inc. said it is investigating a data breach that allowed a hacker group to download about 453,000 unencrypted user names and passwords..." [4]

Wyndham Hotels was hacked 3 times in 2 years between 2008-2010, 600,000 credit card numbers were compromised and more than $10.6 million was estimated in fraud
  • Though the hacking took place between 2008 and 2010, in 2012 the Federal Trade Commission began an investigation which found evidence of breaches "beginning in 2008 that first compromised 500,000 credit card numbers stored by the firm, followed by attacks that breached another 50,000 and 69,000 accounts at other locations." [5]
  • "The breaches led to more than $10.6 million in 'fraud losses,' the FTC said." [6]

University of Nebraska 650,000 student records, backdated as far as 30 years with SSN, address and financial information
  • Data retention and poorly secured access increased the level of devastation after the breach at the University. "The University of Nebraska is investigating a data breach that compromised the personal records of as many as 650,000 current and former students dating back to 1985." [7]

South Carolina Tax suffered huge Social Security records theft, approximately 6.4 million affected
  • Nearly 75 GB of data held in 23 stolen database files containing a mix of encrypted and unencrypted data were taken from the South Carolina state tax agency. "The data included SSNs for 3.8 million tax filers and information on 1.9 million dependants" as well as "Information belonging to 699,900 businesses..." [8]
  • "The state made two mistakes... It didn't require two different ways to verify when someone was trying to get into the system to look at tax returns and it did not encrypt Social Security numbers." [9]

Utah Department of Health exposed 780,000 patient files due to a weak password on a server
  • The Utah Department of Health had exposure of "close to 280,000 social security numbers [as well as] less sensitive personal data, such as names, birth dates and addresses of another 500,000 people, may have also been exposed" [10]

Nationwide Mutual hacked, 1.1 million Americans affected
  • Nationwide Mutual Insurance was hit in October which "affected over a million Americans... The company reported to the North Carolina Attorney General that 1.1 million American customers may have been affected by the data breach, conducted by an unknown party and potentially from overseas." [11]
As you can see, hacking and other cyber attacks are not strictly limited to the business sector; any sensitive information can be very valuable. Cyber attacks come from many different methods and inflict various amounts of damage. As demonstrated above, it doesn't matter what type of organization you represent, the ease with which the customers and employees can connect to your data will be tested by hackers in some way at some point.
In recent years, breaches like these have come to surface more frequently and Canaudit has been following the trending activities of malicious attacks, which has led us to continually expand our line of products to ensure a more complete coverage of vulnerabilities that are being used in the wild.

These attacks were just cross-section examples of the massive amounts of cyber attacks that occurred at many levels of business, education, government and other organizations. They were initiated through many different attack vectors with varied levels of difficulty. In most cases, a successful attack depends on exploiting many types of vulnerabilities, both low and high tech, chained together in a cohesive manner. The major attack vectors in most of these breaches varied and showed a wide range of available methods for intrusion. Though details in some of the attacks were not disclosed or remain unknown, the vulnerabilities leading to exploitation and data breach are generally available in many places. A phishing attack was used in at least one case, coercing an employee to click on a malicious link in an email leading to a malicious website that automatically downloaded an exploit which gave attackers access to the internal network. Misconfiguration of a firewall exposed a system meant to remain internal onto the internet. A trusted employee used legitimate access to obtain sensitive data for personal, malicious purposes. SQL injection was used to exploit a web application to access internal systems. In at least one case a weak password allowed high level access to a machine available on the internet, making short work of any other security precautions.
Beyond these threats, light has been shed this last year on the depth and effectiveness of several other major vulnerabilities in the wild which will be discussed below. Government funded malware, social engineering, web plug-in exploits, and the implicit costs of cloud based security are all major concerns for 2013.
Government Funded Malware
This year revealed multiple malware and viral threats sponsored by various governments, sometimes in collusion with other governments. These viruses were seemingly directed toward other governments for geopolitical purposes, but at least one form of the Stuxnet virus found its way onto the open internet. The New York Times broke the story in June of the United States' active involvement in Stuxnet to thwart Iran's nuclear program. The virus was targeted at SCADA networks and industrial machines. "Operation Olympic Games was devised as a means to throw sand in the works of Iran's controversial nuclear program." [12] Quoting Richard Stiennon, principal analyst at the security consultancy IT-Harvest, "Nation states are now undeniably in the game of cyber attacks. Olympic Games ushered in the era of weaponized software. There is no looking back." [13]
Flame, discovered by Kaspersky Lab, was found mainly in apparently targeted systems in the Middle East. The code is much larger than Stuxnet, containing many modules for specific espionage purposes. In that way it is more of an advanced toolkit than strictly malware for a smaller scope. [14]
The key point to note in these new threats is that both foreign and domestic government funded malware incorporated multiple 0-day attacks in 2012. Such attacks may target government information or operations, but public and private entities can easily get caught in the cross fire. The normal precautions and best practices, such as consistent patching and complex passwords, won’t defend against well funded malware that incorporates multiple 0-day exploits. Organizations that strive to survive this storm must reassess their fundamental network controls including firewalls, access control lists, network segmentation and intrusion detection and prevention systems (IDS/IPS). The first rule of security is if you don't need it, get rid of it, and if you do need it, restrict it and monitor it as much as possible.
Social Engineering
By far ,the most vulnerable part of any system is the human element. People are susceptible to being persuaded to give up sensitive information if they are not specifically trained to identify and deny such attempts. In one instance, a fraudster found an image of the signature of a high ranking officer at a healthcare organization on the internet. They used this signature to initiate wire transfers of increasing amounts to a bank account. Because of the rank of the signature, it was not questioned by the escrow agent until after several million dollars had already been transferred. [15]
At DEFCON 20 last year, Shane MacDougall used social engineering techniques to gain sensitive information from a Wal-mart employee about pay cycles, manager shifts, PC model. and email and antivirus versioning from an unsuspecting and overly helpful manager seeking an alleged government contract. MacDougall, who runs a security firm which regularly conducts these types of social engineering audits, said he enjoys targeting individuals in a sales position; "As soon as they think there's money, common sense goes out the window." [16]
In 2012 ,as organizations improved their technical controls in response to evolving threats, hackers continued to more heavily target users through social engineering attacks. Though security education has always been critical, it will become even more critical going forward. Attacks will target all levels of the organization and therefore security education must span all levels of the organization from Management down.
Web Plug-in Exploits
This last year saw a few tremendous hits against Java, first version 7, and additionally a different exploit affecting 5 and 6 as well. The latter exploit resulting in a complete bypass of one of the central security features of Java, the sandbox. [17]
Red October, a sophisticated "swiss army knife" of cyber espionage "was characterized by relying on highly targeted spearfishing email attacks with infected files." This spearphishing attack directed a victim's machine to a website that used the Java exploit to automatically download and install malware. [18]
Though patching in the Windows environment has greatly improved over the recent years through the adoption of Windows Server Update Services (WSUS), third party patch management remains poor in many cases. In 2012 we saw hackers target neglected web browser plug-in vulnerabilities with devastating cross platform exploits for Flash and Java. Organizations must address these vulnerabilities going forward through investment in a holistic patch management solution rather than relying on WSUS which only addresses Microsoft products.
Costs of the cloud
In 2012 we continued to see more organizations employing cloud based security in the form of virtual security operations centers (SOC) and we saw many of our clients realize far too late the limitations of these services. In our penetration tests, virtual SOCs were found to provide clients poor or delayed notification of malicious activity, and in some cases were unable to be configured to pick up subtle malicious activity like network scans for a single service. Even more frightening was the fact that these organizations had been sold on these services as security panaceas with no understandings of these services limitations or need for additional configuration and testing. The proverbial chickens have not come home to roost on virtualized security, the costs have not yet been tallied nor the risks understood.
An interesting example of this is Trustwave’s involvement in the 2012 breach of South Carolina Department of Revenue and the resultant lawsuit filed against them and other state entities for violating state breach notifications laws and acting negligent in regards to the breach. Though the outcome of this case is still pending, we would hope such cases would cause organizations to be more hesitant and thorough before contracting with cloud security providers.

Although various organizations are sometimes specific targets of cyber attacks, more often it is a matter of unnecessary exposure, poorly configured or insecure services being publicly exposed, or weak controls between external and internal systems. In general, a cyber attacker will go after the systems that appear to be the easiest targets. For more information about how we can help you protect your organization by finding weaknesses before malicious attackers do or to request a proposal, contact Tamra Savage at or (805) 583-3723 or visit our IT Security Audit Services page for further information.

Jonathan Carr
Security and Audit Specialist
Canaudit, Inc.
Office: 805.583.3723

Request Info

Contact Us