Recently, LendingTree announced that several former employees may have provided passwords to a handful of lenders which, in turn, allowed the lenders to access sensitive customer information between October 2006 and early 2008. The passwords allowed the lenders to access files that contained sensitive loan request data for LendingTree customers. The loan request data contained such sensitive information as names, addresses, email addresses, telephone numbers, Social Security numbers, and income and employment information.
How was this breach discovered? LendingTree stated that:
Our internal security uncovered this situation. We began an internal investigation and reported it to the authorities. We continue to assist the authorities and are telling our customers as soon as it was possible to do so.
This insider data breach begs the question: “Why couldn’t the employees trading this information have been caught in the act?”
In all honesty, I can’t think of a good reason why they couldn’t have been caught in the act. If proper security safeguards had been implemented this could have all been avoided. What safeguards you might ask?
A proactive data leakage awareness initiative, combined with a well researched acceptable use policy, could have been implemented. Both should detail the acceptable use of company, and customer, information in an easy to follow format. Although it’s been proven, time and time again, that company policies and awareness training will not stop the most dedicated employees from exploiting sensitive data, shouldn’t you explain to your employees how to spot someone not following the policy? It’s in the best interest of most employees to protect their company and customers. Some people might hate their jobs, but the odds are that most employees want/need their jobs and will do what’s right to protect them.
Training, training, and more training. If your security operations staff isn’t properly trained to handle incidents, in a timely and process-driven manner, then you are simply asking for trouble. There are numerous training options available that teach proper incident handling techniques. Everyone involved with handling incidents in your company, from the manager to the lowly security operations grunt, should take advantage of these training opportunities. Here are some words of wisdom:
Based on a 2006 InfoWatch survey on Global Data Leakage, 23% of data leaks are performed with malicious intent. The other 77% results from the actions of undisciplined employees. The bottom line is that you don’t want to focus only on leaks that occurred due to malicious intent. The responsible thing to do would be to ensure that you are watching all sensitive information attempting to leave your network. (Extrusion Detection is not a new idea here people…it’s been around for quite some time now). You might say, “Well that’s a lot of information to watch”, and you’d be correct. Fortunately there are powerful solutions available to help you with your problem.
A properly implemented Security Incident and Event Management (SIEM) solution helps you keep a trained eye on your network. This trained eye can alert the security operations staff of any suspicious, or potential malicious, activity on your network 24/7/365. Being able to correlate and normalize the device (e.g. IDS, firewall, etc.), application (e.g. Microsoft Exchange, Squid Web Proxy, etc.), and operating system (e.g. Windows XP, Red Hat Linux, etc.) logs with collected network level flows (e.g. NetFlow, sFlow, raw packet capture, etc.) provides the security operations staff with a complete view of the network they were hired to secure and protect.
I can only assume that someone had tipped off the folks at LendingTree that in turn, pulled the trigger on the investigation. Unfortunately, by the time they discovered the who and the how the damage had already been done. I hope for the sake of LendingTree, and their customers, a full review of their process and procedures will occur. Additionally, I truly hope that they are able to implement the necessary safeguards to change from a reactive monitoring posture to one that is proactive. If another breach should occur (and the odds are it will), I hope that it doesn’t take another 1.5 years to resolve.
Here is the list:
SVASE Guerrilla PR – Not security related but for those trying to heighten their PR presence it is certainly a good read.
A few days ago I was at a SVASE meeting and the topic was on guerrilla PR. This was my first SVASE meeting, so I didn’t really know what to expect. I felt like I was the only bootstrap startup, as everyone I talked to were funded by angels or VCs.
Free AV Scanners – Harlan was kind enough to point out a collection of free AV tools. Check it out.
Many times during an examination, you may want to do a little data reduction, by scanning your image for the presence of malware. While this should not be considered a 100% guarantee that there is no malware if there are no hits, this may lead you to something and narrow your search a bit. Again, this is just a tool, something that as a forensic analyst you can use.
Social Engineering Schemes Increase: Great Case Study From An Actual Event – I do love a good case study.
Just today I have already read in my daily news items 5 articles about social engineering! One in particular, “CUNA Mutual Warns on Costly HELOC Scam,” provides not only a great example of a current social engineering scam, but it would also make a great case study for social engineering training and within your awareness communications and activities. Here’s a quick overview…
The Worst IT Security Breaches of 2007 – They’re probably still fresh in your head but here is a link in case you need to reference them for a future presentation.
Every year sees a fresh crop of security breaches. Most go unreported, unless they involve consumers’ personal data, at which point companies are required to give timely public notice of security breaches. The following list of 2007’s worst security breaches consists mainly of such reportable incidents. The incidents are sorted in descending order of severity based on how many individuals were potentially affected.
Tips from an RHCE: Visualizing audit logs with mkbar – Log visualization on-the-cheep.
The 2.6 Linux kernel comes with a very flexible and powerful auditing subsystem called auditd. auditd is composed of two parts. The main work is done in kernel-space (kernel/audit.c, kernel/auditsc.c). In user-land, auditd is listening for generated audit events. auditd is able to log file-watches as well as syscalls. All LSM-based subsystems–for example, SELinux–are logging via auditd as well. All events are written to /var/log/audit/audit.log.
Steve Grubb wrote a small script called mkbar. It converts these lines into gnuplot-compatible data. Gnuplot is a 2D/3D plotting program which is able to produce nice-looking graphics. If you would like to get a graphic showing which SELinux file types are generating an AVC message (and in what proportions), just call aureport and pipe its output through mkbar…
Great Malware Visualizations – Wow…that IS really cool 🙂
Wow, these are tre’ cool. They are from Alex Dragulescu done for messagelabs‘ latest marketing. found via the always excellent infosthetics blog. Hit infosthetics for more information on the visualization technique.
Top IT Security Threats of 2008 – Hmmm…do you agree or disagree?
The SANS (SysAdmin, Audit, Networking and Security) Institute has released its list of the top 10 cybersecurity threats for 2008. The list includes new developments of evergreen security risks: new exploitations of browser vulnerabilities; worms with advanced P2P (peer-to-peer) technologies; and insider attacks by rogue employees, consultants or contractors.
malware unpacking tutorial videos – Good catch Michael. I agree with you…reverse engineering is cool but it’s not something that I think I could wrap my head around.
I’m not a big software de-engineering guy or reverser and I don’t see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin over at Offensive Security.
The growth of malware – This is somewhat alarming…
It’s worth noting that these numbers are also increasing because of variants — i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it’s not like there’s over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.
NERC CIP Rules Out – Logs In! – You should check this out too.
NERC security rules [PDF], that were updated and became mandatory last week, might well become “a new PCI DSS” and trigger “a golden age” of security in the energy industry: the rules are mandatory, they are specific (more specific than a lot of other regulatory security guidance) and there is an enforcement body (NERC) that can make life miserable for those not complying.
Visa reports high compliance numbers – Good to see that compliance levels are high…repeat….compliance levels are high.
Visa Inc. announced today that as of the end of 2007, more than three-fourths of the largest U.S. merchants [Level 1] and nearly two-thirds of medium-sized merchants [Level 2] have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa’s U.S. transaction volume.
Bridging Security and Visualization – Cool post, and associated video, from Raffy.
OnSecrity just released another video of the conversation we recorded last year during RSA. I am talking about security visualization in light of the book I am working on. This video cast is the sequel to the first one that I posted a few days ago.
Top Ten Web Hacks of 2007 (Official) – Incredible. I’m having a hard time wrapping my head around the number of web hacks in 2007. Kind of makes you sick, doesn’t it?
The polls are closed, votes are in, and we have ten winners making up the Top Ten Web Hacks of 2007! The competition was fierce. The information security community put 80 of the newest and most innovative Web hacking techniques to the test. The voting process saw even some attempts at ballot stuffing, but to no avail, and very few techniques received zero votes. The winners though stood head and shoulders above the rest. Thanks to everyone who helped building the list of links, took the time to vote, and especially the researchers whose work we all rely upon. Congratulations!
Metasploit Framework GUI – Hot new MSF3 GUI.
I’m behind on my posting, but I’m going to do a quick post on the shiny new MSF3.1 GUI.
I’m not usually a GUI kinda guy but I do like the GUI specifically the browser option where you can just drag and drop files…way cool.
here is the post from the framework list talking about getting it up and running on linux and windows
I think its technically still in beta and not officially released but its working well and I would expect a release soon.
From the SANS Information Security Reading Room: