Daily Archives: February 11, 2016

Applauding the President’s Cybersecurity National Action Plan


“The Cybersecurity industry is fundamentally broken… and the problem is not technology, but mindset.” These recent remarks by RSA President Amit Yoran have been echoed around the country and in the halls of government in the wake of serious breaches to the Federal government. From last year’s OPM breach, to last week’s breaches impacting DHS and FBI employees – there has been concern that the mindset protecting our government’s IT systems needed a refresh.

That’s why RSA applauds the President’s Cybersecurity National Action Plan (CNAP) issued this morning and will participate in many regards, but will also watch a couple of things to see if clarity really is brought to the federal government’s efforts. First, it will be interesting to see how the role of the federal CISO pans out. What real authority, accountability and responsibility will this new position entail that couldn’t have been executed by the President’s Special Assistant and Cybersecurity Coordinator? Second, how does the role of DHS change explicitly or implicitly?

This renewed approach to securing our government from our adversaries seeks to tackle the mindset that has limited cybersecurity effectiveness to date. RSA has publicly endorsed one of the signature components of the President’s plan: driving widespread adoption of multi-factor authentication for email and other critical applications and systems. I’m proud of RSA’s efforts to raise awareness on this important issue. Multifactor authentication – even going beyond the government’s CAC/PIV infrastructure – is a vital step to delivering increased security. The National Cyber Security Alliance and many other organizations have worked hard to keep this issue at the forefront of our IT security consciousness.

Other components of today’s announcement are also very important to tackle, including:

  • Increased funding for cybersecurity.
  • A broad plan to modernize the government’s IT defenses.
  • Creation of a Federal CISO (empowered to cut through silos across civilian government, DOD, and the Intelligence community).
  • Activity promoting adoption of the NIST Cybersecurity framework, especially to the critical infrastructure community.
  • Efforts to enhance the quantity and capability of the Federal cyber workforce.

One additional aspect of today’s announcement is the launch of a Bipartisan Commission – with input from the private sector – that will focus on developing solutions to our most significant cyber challenges. RSA looks forward to supporting the work of this Commission. As the President noted in his OpEd in The Wall Street Journal, “we still don’t have in place all the tools we need, including ones many businesses rely on every day.” It’s imperative that funding and momentum focus on the capabilities that matter most in today’s advanced threat world. In broad terms, our vision to secure the Federal government consists of three pillars:

  1. Complete, real-time, visibility into threats across our critical infrastructure at the Federal CISO level and at the agency and program level.
  2. Deployment of new identity assurance and access governance technologies that are built natively for the cloud and mobile era.
  3. A mature enterprise risk management approach to identifying and prioritizing efforts to mitigate risk.

Today’s announcement by the President and previous efforts by our legislative branch show that our government and elected officials in Congress are taking a renewed focus on “operationalizing cybersecurity.” Each one of us in the IT security industry has a role in this mission. I know it will be a key topic at this year’s RSA Conference – and it is certainly a ‘contest’ we can’t afford to lose.

IRS Confirms It Was a Victim of an Automated Attack


The attack, which occurred in January, targeted the electronic filing PIN application form on the IRS.gov Website. Experts said there are lessons to be learned.

The U.S. Internal Revenue Service (IRS) is gearing up for another busy tax season, and it appears that hackers are getting ready, too. On Feb. 9, the IRS confirmed that it was the victim of an automated attack in January that targeted the electronic filing PIN application form on the IRS.gov Website.

According to the IRS, attackers made use of personal information, including Social Security numbers, that was stolen from other non-IRS Websites. The attackers then used that information in an attempt to generate fraudulent E-File PINs on IRS.gov. With a valid PIN, an attacker could potentially have filed a tax return or gained access to other taxpayer information.

The IRS investigation has found that 464,000 unique Social Security numbers (SSNs) were used in the attack, and that 101,000 of them were used to successfully obtain an E-File PIN. The IRS is emphasizing that it has halted the attack and is contacting those who are affected.

“No personal taxpayer data was compromised or disclosed by IRS systems,” the agency stated. “The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application.”

In May 2015, the IRS reported that its Get Transcript service was attacked. Get Transcript enables users to get information about their tax account transactions. As is the case with the new attack against the E-File PIN, the Get Transcript service attack involved user information that was stolen from third-party sites. The success rate for the Get Transcript attackers, however, was higher than it was for the E-File PIN attackers: in the Get Transcript attack, 100,000 out of 200,000 attempts were successful.

Security experts contacted by eWEEK are not surprised that the IRS is once again reporting an attack against its systems. The fact that the IRS.gov site was attacked with SSNs stolen from other third-party sites is, however, somewhat ironic.

“One of the most successful ways hackers steal citizens’ Social Security numbers is through fraudulent phishing emails or phone calls that appear to be from the IRS,” Darren Guccione, CEO and co-founder of Keeper Security, told eWEEK.

Hackers know the public is terrified of being identity-theft victims and exploit this fear well, often by telling someone they’ve been a victim already and asking for their Social Security number, Guccione noted.

Lance James, chief scientist at Flashpoint, commented that one of the big concerns he sees with the latest IRS attack is the continued reliance on Social Security numbers. “We need to rethink what a Social Security number means these days when it comes to accessing data,” James told eWEEK. “It should not be the administrator password for a person’s life.”

Andy Hayter, security evangelist at G DATA Software, also commented on the risks associated with SSN disclosure. Every bit of an individual’s personally identifiable information that is collected via a breach is one more piece of information that can, and someday will, be used against a person, he said.

“As long as information such as Social Security numbers is used as identification, we will have bad actors trying to collect as much information about individuals to do harm, either through theft or worse,” Hayter told eWEEK.

Inga Goddijn, executive vice president at Risk Based Security, noted that taxpayers should be concerned that questionable security practices at organizations completely unrelated to the IRS have the potential of affecting their tax returns.

Though the IRS has stated that no personal taxpayer data was compromised or disclosed in the new attack, JP Bourget, CEO of Syncurity, noted that there is still a real risk.

“While maybe the IRS can in the end prevent any bad outcomes for taxpayers, I can imagine a few scenarios where a bad guy attempts to file a tax return for a refund that then holds up a valid refund to someone who is owed a refund, and even depending on that refund,” Bourget told eWEEK. “There’s also the angle of now your account is flagged and the uncertainty of how that affects a taxpayer over time and what hidden costs may arise from that.”

One potentially positive outcome that could result from the IRS attack is that lessons learned could help prevent the next attack. Goddijn said that it would be helpful if the IRS can share more detail as to how the agency detected the attack and ideas for preventing these types of enumeration attacks in the future. She added that the U.S. government has been pushing for more threat intelligence sharing and improved security practices for all organizations.

“Why not take this opportunity to lead the charge and share more about the attack with the security community,” Goddijn said. “That may help stop the next, similar assault on a high-value target.”
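The pattern described in this article, a scripted client cycling through a large set of stolen identifiers against a PIN-issuing form, with most attempts failing, is something a web application's own access logs can reveal. The following is an added detection example, not code from the IRS or from eWEEK: it assumes a constructed log format (timestamp, client address, a pseudonymous identifier token rather than the raw SSN, and an outcome) and illustrative thresholds; the log lines are constructed for the example.

```python
"""Flag automated enumeration against a PIN-application endpoint.

Added example. The log layout, field names and thresholds below are
assumptions for this illustration, not the IRS's real logging.
Each line: ISO timestamp, client IP, a pseudonymous token for the
submitted identifier (never the raw SSN), and outcome ("ok" or "fail").
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per source address
MIN_DISTINCT_IDS = 10           # distinct identifiers from one source in WINDOW
MIN_FAIL_RATIO = 0.5            # bulk guessing with stolen data mostly fails


def _constructed_log():
    """Constructed sample: one scripted client plus one ordinary user."""
    lines = []
    base = datetime(2016, 1, 15, 10, 0, 0)
    # Scripted client cycling through 30 distinct identifiers, 2 s apart;
    # 6 of the 30 "succeed", roughly the ratio the article reports.
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        outcome = "ok" if i % 5 == 0 else "fail"
        lines.append(f"{ts} 203.0.113.7 id{i:04x} {outcome}")
    # Legitimate user: one mistyped attempt, then success, same identifier.
    lines.append("2016-01-15T10:01:00Z 198.51.100.4 idbeef fail")
    lines.append("2016-01-15T10:01:40Z 198.51.100.4 idbeef ok")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    ts, ip, token, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, token, outcome


def find_enumeration(lines, window=WINDOW, min_ids=MIN_DISTINCT_IDS,
                     min_fail=MIN_FAIL_RATIO):
    """Return {ip: stats} for sources whose traffic looks like enumeration."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            ids = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "fail")
            ratio = fails / len(win)
            if len(ids) >= min_ids and ratio >= min_fail:
                prev = alerts.get(ip)
                if prev is None or len(ids) > prev["distinct_ids"]:
                    alerts[ip] = {"distinct_ids": len(ids),
                                  "attempts": len(win),
                                  "fail_ratio": round(ratio, 2)}
    return alerts


def distinct_identifiers(lines):
    """Campaign-level view: attackers spread over many addresses still
    drive the count of distinct identifiers far above the norm."""
    return len({parse_line(l)[2] for l in lines if l.strip()})


if __name__ == "__main__":
    for ip, stats in find_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {stats}")
    print("distinct identifiers seen:", distinct_identifiers(SAMPLE_LOG))
```

The per-source check catches a single scripted client; the campaign-level count of distinct identifiers is the figure to watch when the traffic is spread across many addresses, which is why the total of 464,000 SSNs is the more telling number in the IRS disclosure than any one source.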

Hiding in Plain Sight – Obfuscation Techniques in Phishing Attacks

Unfortunately for the organizations and individuals they target, it’s no longer necessary for cybercriminals to code up their own sophisticated attacks. Phishing and spam kits, for example, are complete, off-the-shelf tools that even inexperienced cybercriminals can use to deploy fake websites and spam massive user lists to lure them to these sites. And these sites and lures are effective, especially when they resemble legitimate websites like Dropbox or Google.

These sites aren’t just effective, though. They are also increasingly difficult to detect, making use of advanced obfuscation techniques to hide their real purpose. Phishing kits use a variety of encoding and JavaScript to prevent both users and security vendors from determining that the landing pages are anything other than harmless text or benign functions for rendering HTML.

Proofpoint researchers analyzed seven different obfuscation techniques on phishing landing pages, ranging from a base64 refresh to multibyte xor encoding. The complete analysis can be found here with deep dives into the code behind these techniques that are appearing in modern phishing kits.
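Two of the techniques named above, a base64-encoded data-URI meta refresh and a multibyte XOR-encoded blob, can be peeled back in an analysis pipeline so the page's real content is available to scanners and reviewers. The following is an added example, not Proofpoint's code and not modelled on any particular kit: the page layout, the script variable names (`p`, `key`) and the hex-blob format are assumptions for this illustration, and the sample page is constructed in code from a benign string.

```python
"""Recover the content hidden behind a base64 meta refresh and a
multibyte XOR layer on a landing page (added analysis helper).

Assumptions: the refresh points at a data:text/html;base64 URI, and the
XOR stage stores its payload as a hex string next to a `key` variable.
Real kits vary; the regexes are the part an analyst adapts per sample.
"""
import base64
import re

META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv=["\']refresh["\'][^>]*content=["\'][^"\']*?'
    r'url=data:text/html;base64,([A-Za-z0-9+/=]+)', re.I)
XOR_BLOB_RE = re.compile(
    r'var\s+(\w+)\s*=\s*"([0-9a-fA-F]+)"\s*;\s*var\s+key\s*=\s*"([^"]+)"', re.I)
MAX_LAYERS = 10


def xor_decode(blob_hex, key):
    """Undo a repeating-key (multibyte) XOR over a hex-encoded payload."""
    data = bytes.fromhex(blob_hex)
    k = key.encode()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data)).decode(
        "utf-8", "replace")


def decode_meta_refresh(html):
    """Decoded target of a base64 data-URI meta refresh, or None."""
    m = META_REFRESH_RE.search(html)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", "replace")


def decode_xor_blob(html):
    """Payload of an inline XOR stage whose key sits beside it, or None."""
    m = XOR_BLOB_RE.search(html)
    if not m:
        return None
    return xor_decode(m.group(2), m.group(3))


def reveal(html):
    """Peel known layers until none match. Returns (layer names, content)."""
    layers, current = [], html
    for _ in range(MAX_LAYERS):
        nxt = decode_meta_refresh(current)
        if nxt is not None:
            layers.append("base64-refresh")
            current = nxt
            continue
        nxt = decode_xor_blob(current)
        if nxt is not None:
            layers.append("multibyte-xor")
            current = nxt
            continue
        break
    return layers, current


def _constructed_sample():
    """Constructed fixture: a benign form wrapped in both layers."""
    inner = '<form action="/constructed-example">Sign in</form>'
    key = "k3y!"
    blob = bytes(b ^ key.encode()[i % 4]
                 for i, b in enumerate(inner.encode())).hex()
    stage2 = ('<html><script>var p="%s";var key="%s";'
              '/* decode p with key, then document.write */</script></html>'
              % (blob, key))
    stage1 = ('<html><head><meta http-equiv="refresh" '
              'content="0;url=data:text/html;base64,%s"></head>'
              '<body>Loading...</body></html>'
              % base64.b64encode(stage2.encode()).decode())
    return stage1


SAMPLE_PAGE = _constructed_sample()

if __name__ == "__main__":
    layers, content = reveal(SAMPLE_PAGE)
    print("layers removed:", layers)
    print("recovered content:", content)
```

Run as a script it reports the two layers removed and the recovered form; in practice the recovered content is what you hand to the usual checks (credential-harvesting forms, brand look-alikes, off-domain submit targets) that the encoding was meant to keep them from seeing.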

For individuals and organizations, dealing with this level of sophistication requires a multifaceted approach. Not only should both endpoints and networks be protected against phishing email lures and potentially malicious web pages, but users need to be savvy about the warning signs of a phishing attack. Strange URLs and sites asking for personal information unexpectedly are both red flags, but comprehensive user education remains critical to protecting networks and users alike.