Banking Security

How poor data-stripping can expose organisations to Spear Phishing attacks

A survey for the BBC has discovered that poor data-stripping on websites leaves information in place which provides valuable intelligence for Spear Phishing attackers. By not removing key metadata, organisations are providing potential hackers with a doorway into systems which are otherwise well-defended.

This survey comes at a time when the number and extent of breaches continues to rise, with hacking reportedly accounting for 41% of disclosed breaches. At the same time, organisations are racing to comply with the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018. With significantly larger fines in prospect, many organisations will do well to include data-stripping in their information security defence strategy or risk being unknowing victims of a sophisticated breach.

In the BBC’s research, target websites were ‘scraped’ for several days, with samples taken from files, pictures, PDFs, spreadsheets and other publicly available documents. During this process, metadata was retrieved which betrayed key information about the people who created the files, when they did it, and the version of the software and machine which they used.

This type of data cache provides a perfect starting point for a sophisticated Spear Phishing attacker to relate the names buried in the documents to real people. Using social media, useful information on individuals can be obtained. The more information hackers can obtain, the better they will be able to customise their attack.

Emails are then sent out which appear to the majority of recipients to be authentic. But they contain booby-trapped attachments. In some cases, the virus code that attackers bury in the malicious attachments can lurk until it hits the device used by a particular target.

This is because Chief Executives and senior directors are rarely targeted directly. It is much more usual for their assistants or teams to be the first point of contact. These people are often in positions where they will have access to company sensitive information or records as well as direct online access to the real targets. Sometimes even passwords are secured this way and all this happens long before any breach is discovered. Emails requesting information will not in these instances be seen as suspicious and once armed with details a range of criminal activities can be undertaken from re-directing payments to the criminals’ bank accounts to demanding ransomware payment from the organisation itself.

It is, of course, wise to include meta-searching for information from website files and stripping out data as part of routine security. While it is policy in many firms to do so, however, there is not always the due diligence and process to do it. A public information search can, however, be included as a phase within a penetration test. Penetration tests conducted by qualified experts will provide intelligence on specific areas of weakness within a system. If included in the scope, meta-searching and data-stripping can ensure that the company’s digital footprint leaves no traces for potential hackers to exploit.

Bespoke Penetration Testing

Time running out for GDPR compliance

Time is running out for UK businesses. By 25th May 2018 every business, charity and organisation needs to be ready for the General Data Protection Regulation (GDPR). Because from that date, EU regulators will start enforcing compliance. Yet a recent survey found that only 11 per cent of companies said their preparations are ‘well underway’ while 61 per cent admitted they had not even started the task of GDPR implementation. There are just 300 days to go.

GDPR compliance requires commitment and action and with only ten months to go the pressure is on to take it very seriously indeed. An estimate by Gartner states that only 50 per cent of companies will be ready by the end of 2018, let alone May. With the power to impose much larger fines, GDPR needs to be taken very seriously indeed. To put it in context, the fines imposed on UK organisations by the Information Commissioner’s Office (ICO) last year totalled £880,500. Under GDPR those fines would be closer to £69 million.

So, why are British companies lagging behind? Perhaps some feel that the challenge and expense of embedding GDPR in their organisation is mitigated by the fact that only a few will be caught by regulators during the early bedding-in period. This may be true to an extent. We are unlikely to see thousands of cases being brought. But it is possible that EU regulators will go for shock and awe tactics in the first few months, imposing bold enforcement actions and large fines on a few transgressors to serve as a lesson to all. No one wants to be made an example of.

In the end, however, it is not fear of punishment but pressure from within that will push GDPR compliance forward. With processors, vendors, data controllers and suppliers all tied in to each other’s compliance, those that do not comply will be dropped in favour of those that do.

To support GDPR readiness, the ICO has produced a range of guidelines to help businesses with the implementation of GDPR. This includes  website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations. The practical realities of assessing your existing level of readiness together with a targeted schedule of actions is best produced in partnership with a specialist information security consultant. In this way, you can prioritise and plan according to your organisation’s unique requirements.

SRM has a wide range of knowledge and practical experience. Our teams are GCHQ approved and GDPR practitioners, working with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly changing their tactics, breaches can and do occur. However, with appropriate defences in place a business would be much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance to manage that risk effectively.

GDPR – The General Data Protection Regulation

GDPR: the impatient tiger

 

Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that Administrators should be aware of.  This is a JavaScript-based eCommerce malware that enables the malware to re-infect websites automatically upon incomplete removal.  It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying databases to force the injection of a malicious JavaScript file into an eCommerce webpage. By targeting databases, the malware therefore becomes resilient to normal removal attempts. Cyber criminals have recently used this technique to target eCommerce merchants by successfully injecting the JavaScript code into a database field of a merchants website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made.

Scanning for malicious code in HTML files is not sufficient enough to detect this malware alone. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is conducted.
Regular scanning of webservers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and subsequently remove these.

If you are in doubt, contact the SRM  team who can arrange to run a check for you!

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Ransomware – Could it be you?….

Complacency has always been the enemy of safety; in today’s world, we are all vulnerable!

The digital (cyber) environment may sometimes be opaque and difficult to understand, but it is a contested environment. If we seek to operate within it, and exploit its advantages, we must actively engage or expect to become a victim.

As I write a number of organisations worldwide, are reeling under the hammer of what appears to be a thoroughly industrialised Cyber Attack. Many of these affected organisations have (or claim) a reputation for strong governance. There is no-one, reading this, who doesn’t have actions that they should have taken or should be taking now.

Whilst it is tempting to view this sort of event as spectators, anyone reading this is unlikely to be invulnerable, whether we are part of an organisation or an individual. There are steps we should all be taking to reduce risk to ourselves or our organisations. We ignore these responsibilities at our peril.

Those who are responsible for the safety of organisations will have already taken actions to ensure that they are as safe as possible. This is part of baseline governance needed in today’s world and no organisation can claim to be competently run if it doesn’t have an effective Information or Cyber Security Management System. If you have one – you will probably know about it!

If you haven’t – then now is a good time to start – and if necessary get in touch with someone who can help you. (if you can’t think of anyone specific or are worried, www.srm-solutions.com is a good place to start!) There are a number of excellent schemes and established practices that you can use to raise the bar for attackers. If you have done nothing else yet – at least look at the Cyber Essentials Scheme as a first step.

If you don’t know who is responsible in your company – check – it could be you!

As individuals, however, we are still potential victims of attacks like this, but if we practice basic Cyber Hygiene we dramatically reduce the risks to ourselves and those around us.

Make sure our defences are strong:

Ensure our Anti Virus (even on a mac!), firewalls and software are all up to date and switched on.
Scan our systems with Anti Virus, and do this regularly when attacks are going on.
Stay alert to any suspicious emails, messages and don’t open anything suspicious. If someone sends you something suspicious. Contact them separately to check it is legitimate.
Check that we are using difficult to guess passwords, and that we are not exposing the password protecting our “crown jewels” on untrusted internet sites or unprotected devices.
Check our bank and card statements – Regularly!
Think it through from an attacker’s perspective.

Make sure we are resilient:

Ensure our information is backed and kept somewhere where it isn’t connected to the internet or our main system (e.g. a CD or a Backpack Drive).
Ensure we keep all backup data safe – and if possible encrypted. Ideally under lock and key.
Ensure that any critical information is held safely so that it will be available in the event that our main system is unavailable.

Make sure we know what to do if we are compromised:

Write down a simple plan – stick it on the fridge or the filing cabinet – somewhere we can find it!
Don’t pay ransoms – we shouldn’t need to!
Know who we are going to contact for further advice in emergency.

Don’t Assume – Check that you are as safe as you think you are. Do this periodically and when the risk rises:

Check our Backups are being taken (and that your drive is not full). Check that we can restore them and that they are not corrupted.
Check that you can access your critical data and files if your main system is down.
If you don’t know how to do any of this – learn now – these are basic survival skills! If you have friends or family members who may not be able to do this – it may be worth contacting them to check they are not exposing themselves inadvertently.

Whether we are acting as individuals or are responsible for the safety of an organisation, this is no longer something for someone else to do – we all have a part to play, and must play it to the best of our ability.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Changes to the Issuer Identification Number (IIN) standard

The numbers on payment cards are going to become longer. This is because of changes which are being made to the international standard (ISO/IEC 7812) under which Issuer Identification Numbers (IINs) are issued. The changes have come about because of the increasingly dwindling number of IINs that remain open for registration.

IINs currently appear as the first six digits on payment cards. The leading digit is the major industry identifier (MII), followed by five digits, which together make up the IIN. But due to an increasing demand for these unique identifying numbers, the International Organization for Standardization (ISO) is expected to publish revised standards which will change IINs from six to eight digits. The overall Primary Account Number (PAN), which is generally understood to reflect the IIN plus the unique number assigned to an individual or company, may consequently increase in length to reflect this change.

Visa announced in July 2015 that it expected that they would continue to support a PAN length of 16 digits. This was after stakeholder consultation within the industry. A change that is seemingly as minor as this turns out to have some significant ramifications to any entity that accepts payment cards in that the application are generally designed to expect card numbers of certain lengths, depending on the card issuer. Changing these values would require updated software in all devices or systems that accept a payment card – no small task.

So what about the security implications of this change? If the IIN is increased to 8 digits and the PAN remains 16 digits, the unique value assigned to the card has in effect been reduced from 10 to 8 digits. Does this pose a potential security weakness to card numbers? This point has not been missed by the industry and discussions are afoot to try and counteract this change.

The draft of the revised standard has been approved by ISO members and is due to be published in early 2017. Businesses and organisations which require IINs should be aware of these imminent changes and should begin a process of planning and analysis to identify any potential system and process impacts. At the moment it is all conjecture, but it seems likely that something will have to change at a standard level before vendors start to make updates to their software and merchants start rolling these changes out.

 

The main points of the revised version of the ISO/IEC 7812 standard are:

  • The Registration Authority (RA) will start assigning eight-digit IINs to any institution applying for a single IIN or block of IINs.
  • Issuers with eight-digit IINs will be required to issue a minimum PAN length of ten digits. The maximum will continue to be 19 digits in length, (with Visa supporting the current standard of 16).
  • Existing six-digit IINs will be converted into a block of a hundred eight-digit IINs. As the majority of issuers are unlikely to need all one hundred of these, they are encouraged to return any unused eight-digit IINs to the RA.
  • Any ISO/IEC standards referencing ISO/IEC 7812-1 should be reviewed for potential impacts.

All users of ISO/IEC 7812-1 are strongly advised to begin planning and analysis to identify any potential system and process impacts associated with their plans to adopt the new standard.

The security implications of the extended IIN lie in the detail. Visa are currently undertaking systems analysis and development, which they expect to be complete by 2019, three years ahead of the proposed change. Currently the PCI standard is only built to accommodate the masking of the first six and last four of the sixteen digit card number. It may be that the PCI council will have to have a look at changing the standard to accommodate this new field length without altering the security posture of the masking.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.