Continuing our Ad Spoof series, the team thought it would be good to highlight what many of our clients consider to be the initial way we stood out to them. They tell us that before they met our team, they constantly struggled to obtain Security and Risk Assessments that were useful to BOTH IT and the business unit. The challenge was that most firms either provided a report that was too technical, or too focused on process and high level controls. Our reports are actionable for both IT and the business as we provide high level of technical detail in the section tailored to IT teams and we provide business risk and IT risk management decision support in the section tailored to e-staff. The result, a report that is eye opening, cost effective, actionable, and useful to both parties.

Related posts:

1. HITECH Privacy Provisions Extend HIPAA Security Rule

This alert is intended for small to mid-sized businesses and banks who may realize $100K plus losses associated with unauthorized external wire transfers originating within the bank from known workstations with valid user credentials. Call us at 888.712.9531 for immediate assistance.

In the past few months, we have noticed an increase in targeted attacks towards our small to mid sized banking clients using attack vectors identified in early 2009. As these attacks have increased and attackers are utilizing a new trojan that is more effective, we want to increase the awareness around this threat and provide identification and remediation options.

Synopsis
The tools of choice were often from the Zeus or Clampi malware varieties. The new variant is being called Bugat (or Bredolab) and other various names by different vendors. In mid-January, the installer had moderate coverage (20/40) according to VirusTotal. The runtime behavior of the installed mspdb30.dll file did not match the normal signature, resulting in next to no AV recognition (2/41). Additionally, the AppInit_DLLs registry key setting changes made by the installer instruct Windows to load the Bugat DLL into any program that also loads user32.dll, which is commonly used by malware to infiltrate browser and email clients.

Secureworks Description of Bugat Functionality:
• Internet Explorer (IE) and Firefox form grabbing
• Scrape or modify HTML for targeted sites
• Steal and delete IE, Firefox, and Flash cookies
• Steal FTP and POP credentials
• SOCKS proxy server (v4 and v5)
• Browse and upload files from the infected computer
• Download and execute programs
• Upload list of running processes
• Delete system files and render Windows unable to boot

Bugat communicates with a remote command and control web server to receive commands and to exfiltrate stolen information. As part of this process, the malware also receives a list of URL target strings used to monitor the victim’s web browser activity. These target strings indicate a strong interest in websites used for business banking and wire transfers. Bugat may also use HTTPS in an attempt to secure its command and control communications.

Are You At Risk?
Rook provides the Banking community with several free and paid options for support to prevent, detect, and remove this threat from your environment.

Free Email Based Support
Email team6@rookconsulting.com with a subject of “Bugat tips” to receive information on identification of the threat through known paths, and other attributes as well as high level information around determining how to collect forensic evidence to use with local law and federal law enforcement should you detect wire fraud.

Bugat Scan & Removal
Email team6@rookconsulting.com or call 888.712.9531 and talk to our team about our quick, cost-effective service to identify and remove the threat from your environment. For an environment with less than 100 IPs, this can be done for under $5,000 and can be charged to your corporate card.

Holistic Security Posture Assessment
Identify this and other threats to your environment and receive a report providing you with a holistic view into the IT Risks associated with Policies & Procedures, Network & Host Based Vulnerabilities, Security Architecture and Web Application Vulnerabilities. Pricing is dependent upon a variety of factors, so please call J.J. Thompson directly at 415.695.4700 to find out the most cost effective and actionable option for your environment.

Free Web Briefing
Email team6@rookconsulting.com with a subject of “bugat web briefing” and we will notify you when our web briefing schedule is finalized for sometime towards the end of this week or the beginning of next.

For years, the Rook team has provided clients with insight around the residual risks associated with accepting risks and audit carry forwards associated with non-standard attacks targeting banks. Unfortunately, many commodity technical security scanning providers offering ineffective “security assessments” or “penetration tests”. These vendors are well versed in technology, but are missing critical applied experience in helping clients identify, understand, and manage residual risks associated with areas of analysis that are non-technical in nature.

The Rook Security Posture Assessment identifies these non-standard risks and provides management with risk based decision support to maximize risk deduction through strategically precise solutions.

Take a moment, pick up the phone, and call us at 888.712.9531 to understand how we can help you with identifying and removing this and other IT Risks inside your organization.

Related posts:

1. Over $100K Saved for SAP Controls

Entering into 2010, our team decided to step up our marketing efforts yet again, and instead of the traditional letters, post cards, and direct emails, we wanted to so something that would inject a bit of fun into a somewhat less than fun subject matter. The result: the beginnings of our 2010 Ad Spoof campaign. We figured the best way to kick it off would be with a football themed ad just in time for the Super Bowl. Make no mistake, we know our ads aren’t ready for t.v., but we sure did enjoy closing our laptops to brainstorm new and creative ways to share who we are and what we do with you. This is the first in a series of many, so stay tuned!

We hope you enjoy! Please leave comments and ideas for future spoofs!

No related posts.

While our team does not usually release vulnerability alerts, this one caught our attention and as we have a large number of clients with devices running JUNOS, we felt this insight would be appropriate.

The JUNOS kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port. The packet cannot be filtered with JUNOS’s firewall filter. A router receiving this specific TCP packet will crash and reboot. [CVS base score of 7.8]

Affected Devices

It is basically all of them save the more recent version. If you’ve installed a device with a JUNOS release version released later then 1/28/09, this issue is already corrected. Apparently the original issue and its correction did not conceive of this problem as a security vulnerability, and thus the criticality of applying the patch was not initially understood until this week.
•    JUNOS 9.x
•    JUNOS 7.x
•    JUNOS 8.x

Please note the versions below were removed from the bulletin today, 01/07/09. This is likely because, as Juniper states, these are end of life versions of the OS (meaning likely still vulnerable if you happen to be running them, but out of scope for Juniper because from their standpoint these should already have been upgraded).
•    JUNOS 6.x
•    JUNOS 5.x
•    JUNOS 3.x
•    JUNOS 4.x

The Fix

All JUNOS software releases built on or after January 28, 2009 have fixed this specific issue. This specifically includes 8.1S2, 8.5-20090227-SR, 9.0-20090612-SR,  9.1R4, 9.2-20090130-SR, 9.2R4, , 9.3-20090227-SR, 9.3-20090212-SR, 9.3R3, 9.4R1, and all subsequent releases.

There are no totally effective workarounds for this specifically crafted TCP packet.  Risk can be minimized by using best common practices (BCPs) which limit TCP packets which are destined to the JUNOS device. The crafted TCP packet is spoofable, requiring IETF BCP 38 “anti-spoofing” techniques to prevent a spoofed packet from entering a network. Note: If IETF BCP 38 style anti-spoofing is not feasible for all traffic, focus on anti-spoofing for the IP addresses used for the control plane, management plane, and link addresses. Packets transiting the router have no impact. The packet must be destined for an interface on the router which is listening to TCP.

Conclusion

Until yesterday, and exploit had not been released. Thanks to the “security firm” praetorianperfect, there is now a proof of concept exploit as well as a detailed video demonstrating the attack. Now that every high school student in America knows how to exploit this vulnerability, you may want to move this higher on your priority list.

If you need assistance, please don’t hesitate to call us or reach out to the Rook partner who distributed this Rook Insight release to you.

Call us at 888.712.9531, email info[at]rookconsulting.net, or keep up-to-date on critical issues, alerts, and intelligence by following us on Twitter and subscribe to Rook Insight to receive real-time Insight Intelligence Alerts via email.

Related posts:

1. 2010 IT Risk Outlook Coming Soon
2. 3 AES-256 USB Thumb Drives Vulnerable

“Cracking the drives is therefore quite simple. The SySS experts wrote a small tool for the active password entry program’s RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.” – H-online

The good news is that IronKey is not vulnerable. IronKey will host a webinar on this topic on Wednesday, January 13, 2010 at 10:00am PST, and Rook team members have been accessible 24/7 to address current and future client concerns about this issue. Please don’t hesitate to call us at 888.712.9531.

IronKey’s responses:

Youtube:

IronKey responds to encrypted USB hack

Webinar: https://ironkeyevent.webex.com/ironkeyevent/onstage/g.php?d=665879884&

Call us at 888.712.9531, email info[at]rookconsulting.net, or keep up-to-date on critical issues, alerts, and intelligence by following us on Twitter and subscribe to Rook Insight to receive real-time Insight Intelligence Alerts via email.

Related posts:

1. 2010 IT Risk Outlook Coming Soon
2. JUNOS Kernel Crash Exploit Released
3. EMC & Archer Pave Way for 2010 Consolidation

Keep up-to-date on critical issues, alerts, and intelligence by following us on Twitter and subscribe to Rook Insight to receive real-time Insight Intelligence Alerts via email.

Related posts:

1. EMC & Archer Pave Way for 2010 Consolidation
2. 3 AES-256 USB Thumb Drives Vulnerable
3. JUNOS Kernel Crash Exploit Released

It is possible that their latest move could be a game changer in the ITRM space with the acquisition of Archer, assuming that they will be able to overcome potential human capital, and content & licensing challenges. We’ll update you with more on this potential hiccup and it’s potential impact to you once we can publicly do so.

Consumer confidence is up in December, home prices are up for the 5th month in a row, F100 CEO’s see a light at the end of the tunnel, and Indianapolis based ExactTarget has received $75 M in funding since October. Budgets are expected to oh-so-slightly increase to 2.5% gains, and 39% expect to add IT positions.

It sounds like its time for us to begin seeing cash hungry industry giants make a move. Sure enough, we now have.

Article on EMC and Archer here

Call us at 888.712.9531, email info[at]rookconsulting.net, or keep up-to-date on critical issues, alerts, and intelligence by following us on Twitter and subscribe to Rook Insight to receive real-time Insight Intelligence Alerts via email.

Related posts:

1. 2010 IT Risk Outlook Coming Soon
2. 3 AES-256 USB Thumb Drives Vulnerable
3. JUNOS Kernel Crash Exploit Released

+ an increase in demand for security professionals with marketing & finance skills
+ differences between West Coast and Midwest leading practices
+ the impact of cloud security on outsourcing and local jobs

Several handouts were offered to attendees and due to an increase in follow-up requests, we will make them available practitioners who email info@rookconsulting.net with a request.

No related posts.

No related posts.

The 59-page Federal Register regulation can be broken down as follows: 2 pages of title and signature pages, 35 pages of background and discussion of earlier proposals; 22 pages of rules, which is itself 6 virtually identical sets of rules, one for each of the agencies whose regulations are being modified or amended: CofC, NCUA, OTS, FRB, FRB and FTC. So the rules themselves are about 3.5 pages or so. Within each rule are 3 sets of rules and an appendix. The rules deal with (1) notices of address discrepancy, (2) id theft, and (3) changes of address. Within these three sections are found the “must do” language of the regulations. Analyzing the FTC section, within the address discrepancy section are 3 “musts;” within id theft are 11 “musts;” and within change of address, 2 “musts.” Everything else is “should do” or “may do” language. The appendix matters because at the end of the id theft section is stated: “each [covered entity]…must consider the guidelines in Appendix A of this part and include in its Program those guidelines that are appropriate.” The seven guidelines sections contain the categories of red flags but don’t even contain the “26 Red Flags” yet. Those are left for to a supplement of “may include examples” at the end of the appendix.

As with virtually all governmental regulations in our society, there are those who view these regulations as intrusive, illegal, too costly, bad policy or an ineffectual waste of time. This is evident from the extensive commentary discussed in the preamble. Besides good faith compliance with the rules, other coping mechanisms include malicious compliance, myopia (too narrow application of checklist), and cost minimization (just doing the barest minimum to create the illusion of compliance). While it is quite correct to observe that the 26 Red Flags are not a checklist nor are they prescriptive (meaning that once you’ve included them you’ve done enough), under the regulation, however, covered entities “must…identify the relevant Red Flags for the covered accounts.”

Assuming the covered entity has selected good faith compliance rather than the other coping mechanisms, each covered entity must “consider the guidelines in [the] appendix.” The word “consider” implies some sort of deliberation or analysis, which in order to demonstrate compliance should be documented to support definitive decisions. Within the supplement are offered the 26 Red Flags, which entities “may consider incorporating into its program.” I argue that given the list of Red Flags was once proposed by the regulators to be included as mandatory – based upon the identity theft experience as of 2007 – it would be far easier, faster and less costly to start with the 26, reject any that are clearly inappropriate for that organization, add any others that that institution considers necessary, and close the list until the next review.

An additional benefit of this approach is in dealings with third party providers. The regulation requires covered entities to “exercise appropriate and effective oversight of service provider arrangements.” The 26 Red Flags are the only reasonable place to start in enforcing relevant controls on service providers (in addition, of course, to the rules about address discrepancies and changes of address). Covered entities are responsible for the compliance of the service providers who process their covered accounts. This means service providers must know the Red Flags and have appropriate procedures to detect and respond to the red flags when they come up. Service providers might, in theory, have a separate custom list of Red Flags for each customer they service, which would be an untenable situation for any real confrontation of identity theft. Service providers have to have a common list (or nearly common), and covered entities should expect to pay extra if they levy additional custom Red Flags on their service providers.
While the 26 Red Flags are certainly not a checklist or prescriptive, they should be regarded as a highly effective “over the counter” inoculation against a red flags violation, torturing a metaphor. Covered entities should start with the 26 Red Flags but should also review their operations for other red flags, and include their own experience with identity theft to complete their Identity Theft Prevention Program.

—-

(This is a virtually identical post to a post made on the LinkedIn Red Flags Forum on Saturday the 12th. It is included here because many Rook clients are following Red Flags but not everyone has access to the other forum, which is for customers of LinkedIn.)

Related posts:

1. Identity Theft Red Flags for Medical Providers
2. ‘Red Flag’ Requirements for Financial Institutions and Creditors
3. FTC Red Flags Primer (Screen Cast)