Security

Avoiding the Heartland Breach

Leave a comment

You will not get an argument against end-to-end encryption, especially since I’ve been working on exactly such a solution since 2004. I think it is great that everyone seems to be headed this direction finally. A CFO once told me he would not approve the dollars for encryption until he saw it become mainstream news…well, we have arrived. With that in the pocket there is another element in the Heartland story that needs more discussion.

Would a well-configured monitoring/SIEM solution have helped prevent the heartland breach?

The clue to finding the malware was a set of orphaned .tmp files. In other words, an unknown/hidden application in slack space dumped a few files to the OS that were not recognized. StorefrontBacktalk has details:

While the first team was working, Heartland had a second forensic team brought in to check the entire system. “That first firm had a very specific scoping of their assignment. The second firm was working in parallel on the rest of that processing.”

That second team “was nearing conclusion” and was about to make the same assessment the first team did: clean bill of health. But one of the last things that external, qualified risk assessor did was to try and match various temp files with their associated application. When some orphans—.tmp files that couldn’t be matched to any application or the OS—were turned over to Heartland’s internal IT group, they also couldn’t explain them, saying that it was “not in a format we use,” Baldwin said. More investigation ultimately concluded that those temp files were the byproduct of malware, and more searching eventually located the files in the unallocated portions of server disk drives.

Had the system been alerting on tmp files, the malware would have been identified earlier. That’s a great way to catch malware, since you can guarantee that the attackers will have a hard time eliminating tmp files being written to spaces they do not anticipate. In other words, they will have to program far more cleanly to avoid a dirty software detector such as SIEM.

Fun, no?

History, Security

Turkish and Israeli leaders clash

Leave a comment

Without getting into the murky waters of the detailed issues at hand, I find it interesting that the Turkish PM storms off in Gaza row:

Turkish Prime Minister Recep Tayyip Erdogan has stormed off the stage at the World Economic Forum in Davos after an argument with Israel’s president.

Mr Erdogan clashed with Shimon Peres in a discussion on the recent fighting in the Gaza Strip, telling him: “You are killing people.”

How can Erdogan assert such a passionate role given the recent history of Turkish relations with the PKK?

Iraq’s foreign minister has warned of serious consequences if Turkey launches a ground assault against Kurdish rebels based in northern Iraq.

Hoshyar Zebari told the BBC that the current crisis was “dead serious” and accused Turkey of not seeking a peaceful solution.

He said Turkey had shown no interest in Iraqi proposals to calm the situation.

Turkey has 100,000 troops near the border and is threatening to attack the Kurdistan Workers’ Party (PKK) in Iraq.

More recently, after the US negotiated the withdrawal of Turkish forces from northern Iraq, Turkey bombed the Kurds:

Turkish air strikes in northern Iraq this week left more than 150 Kurdish rebels dead, the Turkish army says. […] Turkey has staged several cross-border raids into northern Iraq over the past few months in pursuit of the rebels.

Will Turkey use the Gaza conflict to come to terms with its own issues? Will they back down on the PKK and seek EU membership under conditions of human rights for Kurds that were formerly rejected?

Security

Winter Risk Management

Leave a comment

Some recent fun in the fluffy stuff. Ride safely:

Just like information security on a large corporate network. Want me to explain how to achieve NERC CIP 002-009 compliance, or perhaps avoid HIPAA fines…let’s go skiing. Speaking of tips, when in Vail on a big powder day head for Red Square:

Way to go Heath!