Alert – Financial Processes Targeted
- At August 28, 2009
- By Josh More
- In Business Security
I normally avoid spreading word about specific attacks, as it is better for overall security to continuously strengthen your defenses and keep an eye out for strangeness. Focusing on attack types and general security practice tends to have a better overall result than trying to play whack-a-mole with individual people or pieces of malware.
That said, there is a current threat that people should know about, so I want to do my part to boost the signal.
At issue is a specific piece of malware that is targeting people with access rights to financial systems. It generally arrives as a targeted email (spear phishing) which, when opened, installs the malware. Once installed, the malware monitors the computer for financial transactions and then initiates additional ones of its own.
What’s different here is that small businesses are being singled out. This is largely because they tend to have weaker security and audit controls than the larger firms. So, though the larger firms have more money to steal, stealing a smaller amount from a great many businesses can net just as much. And after all, a dollar is worth a dollar, no matter whom it’s stolen from.
To protect against this attack, you have to keep one thing in mind: there is no guaranteed way to prevent it. All you can do is do your best to protect yourself and check transfers regularly to make sure that you’ve not been hit. In short, if your accounting people are not doing all of the below, your business is facing serious risk:
- Using a two-factor authentication system (RSA tokens are the most popular) to login to the banking system.
- Using a dedicated workstation for financial transfers. This system should not have any email client installed and be firewalled to only access the necessary web systems.
- Entering into an agreement with your bank so that all transfers must be confirmed. A verbal confirmation originating from the bank is best, since then the attackers cannot initiate a transfer and call the bank themselves to confirm it. If your bank cannot do that and you have to stay with them, look into email- or SMS-based confirmation systems, and make sure the confirmation goes to a phone or mailbox that is not read on the machine used for transfers, since malware on that machine can read (or answer) the confirmation too.
- Using a bank-enforced 24-48 hour hold on transfers, so that an unexpected transfer can still be stopped after it is spotted.
- Checking your accounts regularly and reconciling all transactions.
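The last item is the one that actually catches this malware, because the other controls only raise the bar. As an added example (not the author's code, and not from any product), here is the reconciliation check in its simplest form: match the bank statement against the transfers accounting approved, and flag every debit the bank shows that nobody approved. The ledger and statement lines are constructed sample data, and the 48-hour match window, the business-hours range and the "just under 5,000" threshold are assumptions.

```python
"""Reconcile approved outbound transfers against a bank statement and flag
every debit the bank shows that accounting did not approve.

Added example for this post; not the author's code. The ledger and
statement are constructed sample data. The match window, business hours
and review threshold are assumptions a real shop would replace with its own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ref: str            # bank reference or internal approval number
    when: datetime
    payee: str
    amount: float       # positive = money leaving the account


# Constructed sample: what accounting approved.
APPROVED = [
    Transfer("A-1001", datetime(2009, 8, 24, 10, 5), "Acme Supply", 1250.00),
    Transfer("A-1002", datetime(2009, 8, 25, 14, 30), "Payroll Svc", 8200.00),
    Transfer("A-1003", datetime(2009, 8, 26, 9, 0), "Acme Supply", 310.50),
]

# Constructed sample: what the bank says happened. The last two lines are
# the pattern the post describes: odd-hour transfers to payees nobody knows.
STATEMENT = [
    Transfer("B-77101", datetime(2009, 8, 24, 10, 7), "Acme Supply", 1250.00),
    Transfer("B-77102", datetime(2009, 8, 25, 14, 31), "Payroll Svc", 8200.00),
    Transfer("B-77103", datetime(2009, 8, 26, 9, 2), "Acme Supply", 310.50),
    Transfer("B-77104", datetime(2009, 8, 26, 2, 14), "J. Smith", 4980.00),
    Transfer("B-77105", datetime(2009, 8, 27, 3, 2), "R. Jones", 4975.00),
]

MATCH_WINDOW = timedelta(hours=48)   # assumption: the bank-enforced hold length


def reconcile(approved, statement, window=MATCH_WINDOW):
    """Return (matched, unexplained). Each statement debit is matched at most
    once, to an approval with the same payee and amount posted within the
    window; whatever is left over is unexplained and needs a phone call."""
    unused = list(approved)
    matched, unexplained = [], []
    for debit in statement:
        hit = next((a for a in unused
                    if a.payee == debit.payee
                    and abs(a.amount - debit.amount) < 0.005
                    and abs(a.when - debit.when) <= window), None)
        if hit is None:
            unexplained.append(debit)
        else:
            unused.remove(hit)            # an approval explains one debit only
            matched.append((hit, debit))
    return matched, unexplained


def risk_notes(debit, known_payees, business_hours=(8, 18)):
    """Explain why an unexplained debit looks like theft rather than a
    paperwork gap. The thresholds are assumptions for the example."""
    notes = []
    if debit.payee not in known_payees:
        notes.append("payee never paid before")
    if not business_hours[0] <= debit.when.hour < business_hours[1]:
        notes.append("outside business hours")
    if 4000 <= debit.amount < 5000:
        notes.append("just under a common 5,000 review threshold")
    return notes


if __name__ == "__main__":
    matched, unexplained = reconcile(APPROVED, STATEMENT)
    known = {a.payee for a in APPROVED}
    print(f"{len(matched)} transfers reconciled")
    for d in unexplained:
        print(f"UNEXPLAINED {d.ref} {d.when:%Y-%m-%d %H:%M} {d.payee!r} "
              f"{d.amount:,.2f}: {', '.join(risk_notes(d, known))}")
```

Run daily against the bank's statement export; the point of the 24-48 hour hold above is that an unexplained debit found here can still be stopped.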
Check out the following links for more information:
I would like to thank Rob Lee for alerting many of us to this situation.
Small Business Defense – Web Filtering
- At August 27, 2009
- By Josh More
- In Business Security
The term Web Filtering has many connotations. On one side, employees (often younger ones) view it as a form of censorship. On the other, business owners do have the right to require that employees spend their time doing what they are paid to do. As is often the case, the best answer doesn’t really match either extreme.
Filtering technologies come in many flavors. They range from highly simplistic technologies that block specific domains to complex deployments that set rules for each user, matching them against a set of categories to block or allow. They can also give fine-grained control over operations like file downloading and updates.
The costs vary too. Generally, the more control you want, the more it will cost. While there are some open source solutions that you could deploy for free, they tend not to be robust enough to work well in enterprise environments. Dedicated appliances work well, but often require rearchitecting the network to implement. Lastly, there are modules that plug into your existing network equipment, but they may be more expensive than you would like.
Of course, the challenge of using such a technology is often not technical. The problem is primarily a social one. Do you have the political environment where it is acceptable to monitor Internet traffic? Will users allow you to block access to sites that they’re used to visiting? Will management have a problem with you knowing the browsing habits of your fellow employees?
As usual, it’s best to start with a policy that specifies what you will be doing and how the technology should work. Then you can implement the technology using the policy as a guide. At a minimum, you will want to define:
- which types of sites are to be permitted and which are not.
- which types of downloads are to be permitted (if any).
- what to do when employees are regularly found to be attempting to visit blocked sites.
- what “regularly found” may mean.
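To make the policy concrete, here is an added example (not the author's code, and not any product's configuration) that encodes those four decisions as data and applies them to a few constructed proxy log lines. The domain-to-category table, the group memberships, the log format and the "three blocked attempts" threshold are all assumptions; a real deployment gets categories from the filtering product's database and users from the directory.

```python
"""A policy-driven web filter in miniature: per-group category rules, a
download-type rule, and a repeat-offender count over proxy log lines.

Added example for this post, not code from the original. CATEGORIES,
GROUPS, the log format and the repeat threshold are assumptions.
"""
from collections import Counter
from urllib.parse import urlsplit

# Assumed domain -> category database (real products ship millions of entries).
CATEGORIES = {
    "news.example.com": "news",
    "social.example.net": "social",
    "games.example.org": "gaming",
    "cdn.example.com": "software",
    "bank.example.com": "finance",
}

# The policy, written down first and enforced second, as the post advises.
POLICY = {
    "allow_categories": {"news", "finance", "software"},
    "deny_categories": {"social", "gaming"},
    "group_overrides": {"marketing": {"social"}},   # marketing may use social
    "allowed_downloads": {".pdf", ".txt"},
    "blocked_downloads": {".exe", ".msi", ".zip"},
    "repeat_threshold": 3,   # "regularly found" = 3+ blocked attempts per log window
}

GROUPS = {"alice": "marketing", "bob": "accounting"}   # assumed directory lookup


def classify(url):
    host = urlsplit(url).hostname or ""
    return CATEGORIES.get(host, "uncategorised")


def decide(user, url, policy=POLICY):
    """Return (verdict, reason). Downloads are checked before categories, and
    uncategorised sites are denied (fail closed) rather than silently allowed."""
    cat = classify(url)
    path = urlsplit(url).path.lower()
    last = path.rsplit("/", 1)[-1]
    ext = path[path.rfind("."):] if "." in last else ""
    if ext in policy["blocked_downloads"]:
        return "deny", f"download type {ext} blocked"
    if ext and ext not in policy["allowed_downloads"]:
        return "deny", f"download type {ext} not on allow list"
    allowed = set(policy["allow_categories"])
    allowed |= policy["group_overrides"].get(GROUPS.get(user), set())
    if cat in allowed:
        return "allow", cat
    if cat in policy["deny_categories"]:
        return "deny", f"category {cat} denied"
    return "deny", "uncategorised site"


# Constructed sample proxy log, one "user url" pair per line.
SAMPLE_LOG = """\
alice http://social.example.net/feed
bob http://social.example.net/feed
bob http://social.example.net/photos
bob http://social.example.net/messages
bob http://cdn.example.com/update.exe
alice http://news.example.com/today
bob http://bank.example.com/login
"""


def review(log_text, policy=POLICY):
    """Apply the policy to each log line and return the users who have hit
    the 'regularly found' threshold, with their blocked-attempt counts."""
    blocked = Counter()
    for line in log_text.splitlines():
        user, url = line.split(None, 1)
        verdict, _ = decide(user, url, policy)
        if verdict == "deny":
            blocked[user] += 1
    return {u: n for u, n in blocked.items() if n >= policy["repeat_threshold"]}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        user, url = line.split(None, 1)
        print(user, url, *decide(user, url))
    print("for HR follow-up:", review(SAMPLE_LOG))
```

The deny-by-default branch for uncategorised sites is the decision most shops get wrong: allowing them means the first visit to a brand-new malicious domain always goes through, and the log is the only thing that tells you afterwards.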
Lastly, before you implement the technology, it is worth identifying which types of applications you are using. Some of these filters support a “transparent” mode, while others must be run as a proxy. Both methods work fine, but some applications may not be proxy-aware, and a transparent filter sees only the destination of encrypted (HTTPS) traffic, not the URLs inside it. This can determine both the solution selected and the mode of deployment.
Small Business Attack – Web Browsing
- At August 26, 2009
- By Josh More
- In Business Security
As much as we dislike it, part of most people’s jobs these days involves waiting. Though computers keep getting faster, there is still some downtime involved. While in the past this time might have been spent talking with coworkers, these days it is more likely to be spent online.
There are many ways to spend your time online, from shopping to reading news to social media. While there is nothing inherently wrong with being online, there are some concerns. From a business perspective, managers may be concerned about productivity. From a legal perspective, H.R. may be concerned about “inappropriate” sites. And, of course, from a security perspective, we would be concerned that sites could be the source of a compromise of user data.
At issue is the fact that, while most malware runs directly on the computer, web malware can run inside the browser. If it doesn’t run as a local program, and is served from a web site each time, it cannot be blocked with traditional file-scanning anti-malware (though newer anti-malware products are aware of this attack vector). And if all the malware does is access data through the browser the user is already logged into, there isn’t a good way to tell valid data access from an unintentional leak.
So, how do you protect against this particular threat vector without completely banning employees from accessing the Internet? How do you manage to classify which websites are OK and which ones are not?
Security Lessons from Nature – Cacti
- At August 25, 2009
- By Josh More
- In Natural History
Recent research has shown that some species of cactus manage to grow on bare rock with the help of bacteria. Basically, the bacteria break down the rock to give the roots crevices to grow into, and also provide nutrients to the cactus. In turn, the cactus likely shelters the bacteria and allows them to grow and spread.
There are two items of interest in the article. First, there is the basic observation that, though neither plants nor bacteria are capable of living exposed on bare rock (well, mostly), through combining forces, they manage to live in an inhospitable environment. Since the environment is also inhospitable to many competitors, they can expend more energy towards growth and less towards defense. Second is the realization that the cacti have managed to shelter the bacteria within their seeds. This way, not only do the cacti themselves manage to thrive but their children get the same benefit.
From a security perspective, it’s important to remember that the ultimate goal of security is to maximize protection while minimizing resource expenditure. Commonly, this is done by erecting barriers and monitoring them to make sure that only the right people can get through. However, alternate methods do exist. Taking a lesson from the cacti, one would look for business niches that are difficult for other businesses to thrive within. Then, one would seek out business partnerships to make living there easier.
Such a path would not be for everyone, and after all, life as a cactus may be a tad… prickly. However, if you are starting a new business, this sort of partnership may allow you to protect your business simply by making it more difficult for competitors to gain a foothold, and allow you to focus more directly on growth.
Mythic Monday – Brünnhilde Sleeps
- At August 24, 2009
- By Josh More
- In Mythology
In Wagner’s Ring Cycle, Brünnhilde is cursed by Odin for fighting on the wrong side of a battle. She is put into a coma and hidden behind a wall of impenetrable fire until rescued by a brave hero. (For those that want more detail, but don’t want to spend 15 hours listening to an opera, look here.) As is always the case in myths and legends, the hero shortly arrives, gets through the fire all right and rescues the “damsel” (who was truly a Valkyrie).
Now, the Ring Cycle is amazingly complex and even this tiny little bit lends itself to a great many security-focused interpretations (firewalls, penetration testing, identity theft), but today I want to look into encryption and steganography.
Essentially, when Brünnhilde upset Odin, he hid her inside a mortal woman (steganography) and isolated her from all but one person (the encryption key). Just as in business, there are risks inherent to Odin’s plan. If the encryption is too weak, Brünnhilde might be rescued by someone other than Siegfried, her intended. On the other hand, if it is too strong, or Siegfried happens to fall upon some trouble prior to the rescue, she might never be freed.
Luckily for aficionados of myth and fifteen hour long operas, literary convention protects us from a story involving Brünnhilde roasting behind a wall of flame for millennia or one in which she is rescued by Fred the Handyman. Alas for us though, literary convention does not protect businesses.
When a business protects its data with encryption, it takes the risk that the keys may be lost. If they are, it all comes down to the strength of the encryption used. If the encryption is too strong, the data is effectively lost (Brünnhilde sleeps forever). If, however, it’s too weak, the data may be recoverable by you (or your competitor, Handy Fred).
Similarly, Odin’s plan of hiding his Valkyrie within the form of a mortal woman is quite clever. However, it’s only useful so long as it is rare. If every mortal woman (or even a reasonably large percentage of them) were truly an otherworldly warrior woman, someone who wished to engage in the practice of uncovering the Valkyrie within (never wise) would simply need to get a decent sample of mortals and start decryption activities. In business, this would be like an attacker checking every file on a website for evidence of steganography. Once found, they would know which ones to check out for hidden data.
There are two main lessons to learn from this myth. First of all, if you encrypt something, be sure to have a key. If you think that there is a reasonable risk that your key may be lost (Siegfried did have a troubling habit of battling dragons and otters), it makes sense to keep backup copies. Though having a stash of emergency backup heroes would make for a pretty poor myth, it is essential in the business world. The catch is that every full copy of the key is one more place it can be stolen from, so the copies need protecting as carefully as the original.
Quite the opposite: while steganography works well in myth, it’s less effective in the business world. If you hide your vital data (or Valkyries) in other files (or mortals), it’s only useful so long as you remember where it’s hidden. If you want to share the vital data, you have to let others know where it’s hidden… and a shared secret is only good so long as both parties keep it and no third parties listen in. After all, if you have a secure channel through which to share the existence of the steganographic file, you might as well just share the data. Heck, even in the myth, the fact that we know that Odin hid Brünnhilde within a mortal means that the secret wasn’t kept.
That’s not to say that steganography is useless, but it is quite limited within a traditional business environment. Better, perhaps to focus on the encryption side and make sure that the data cannot be read even if found. Then you don’t have to worry about supporting back channels and can devote all your resources to protecting known data rather than trying to hide it. (On the defense side, being aware of steganography as a back channel is very useful, but protecting against it and using it operationally are very different things.)
So, in the end, it would be wise to use encryption where you can, not be distracted by steganography, and avoid Norse sagas as they never really work out well for anyone involved.