Tuesday, June 2, 2009

Mysterious New Virus / Spyware / Grayware

Strange but true,

Yesterday I happened to identify a new virus / spyware / grayware that is, interestingly, a mysterious piece of work.  I suddenly suspected something fishy on my machine, and the initial diagnosis using Trend Micro revealed nothing.  I restarted my machine and there, while the processes were being started, saw a new process, "Beast.Exe", being initiated.

Tried looking for beast.exe in the location the process was being launched from; result: nil.

Trend Micro, Symantec and McAfee, seemingly the leading AV vendors, don't have any signatures for it.  Interesting, isn't it?

Well, the steps followed then were:

1. Used Sysinternals Process Explorer to identify the running processes; Beast.exe was indeed running.
2. The location of Beast.exe was confirmed to be C:\DATA\FILES, the entire tree being a hidden directory with misleading folder icons.
3. Beast.Exe was not visible at that location, though it is present; to unveil it I used Simple File Shredder, which I use to wipe data (that was not a smart move; it was, interestingly, an accidental discovery).
4. Killed the process using Sysinternals Process Explorer.
5. Wiped the traces of Beast.exe from the reported folder using Simple File Shredder.

Symptoms and impacts are something that I didn't actually make note of, but a little research on Google reveals that it impacts Microsoft Office files and corrupts them.  Though I was working on some Excel sheets when the incident happened, luckily they were opened from Outlook and were residing in the "temp" folder.

As stated above, it was interesting not to find any definition from the three leading AV product companies.
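The pattern in the steps above (a running process whose executable sits in a hidden directory tree that Explorer and a plain directory listing suppress) can be checked for without a file shredder. The script below is an added example, not part of the original post: it lists every running process whose image file, or any directory above it, carries the Hidden or System attribute. Get-Item -Force is what makes hidden entries visible; Test-Path confirms the file really is on disk. Run it from an elevated prompt, otherwise the paths of processes owned by other users come back empty and are skipped.

```powershell
# Added example (not from the original post): flag running processes whose
# executable, or any directory above it, is marked Hidden or System.
# Requires an elevated PowerShell prompt to read the path of every process.

function Get-HiddenAncestors {
    param([string]$Path)
    # Walk from the file up to the drive root and return every component that
    # carries the Hidden or System attribute. -Force lets Get-Item see entries
    # that Explorer and a plain 'dir' hide.
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    $hits = @()
    $current = $Path
    while ($current) {
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if ($item -and (([int]($item.Attributes -band $mask)) -ne 0)) {
            $hits += $current
        }
        # Split-Path returns an empty string at the drive root, ending the loop.
        $current = Split-Path -Path $current -Parent
    }
    return $hits
}

Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $hidden = @(Get-HiddenAncestors -Path $_.Path)
    if ($hidden.Count -gt 0) {
        [pscustomobject]@{
            Name   = $_.ProcessName
            PID    = $_.Id
            Path   = $_.Path
            Hidden = ($hidden -join '; ')
            OnDisk = Test-Path -LiteralPath $_.Path   # present even if not visible
        }
    }
} | Format-Table -AutoSize
```

Legitimate software occasionally runs from hidden folders (some updaters and profile-local installers do), so treat a hit as something to investigate, not as proof of malware; the value of the listing is that it surfaces exactly the case described above, where the folder itself is what keeps the file out of sight.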


Saturday, March 7, 2009

Information Security Breach - Minimize Points of Entry to the Network

An information security breach is a compromise of the confidentiality of data / information through unauthorized and unwarranted access (several of the methods listed below instead target integrity or availability, but they are frequently the opening step). A breach does not always result in data theft, but as the information guardian, the information security team of an organization must vigilantly secure access to the information assets hosting or processing critical information, including Personally Identifiable Information (PII) of customers, vendors, employees and other associated entities, and Cardholder Data (CHD, which includes the PAN, expiry date, name as on card and other such information as identified under PCI DSS v1.2).

The information security team and the IT operations team must be aware of the security scams and the methods that may be used to attempt and effect a breach.  General methods deployed for the purpose are:
  • Theft of physical equipment
  • Social engineering
  • Phishing
  • Hacking (exploitation of vulnerable services and applications)
  • DoS / DDoS, Ping of Death, SYN flood attacks
  • Defacement of websites
  • URL / IP redirects (also referred to as pharming; normally achieved by DNS or hosts-file tampering, which places the attacker in the middle of the session)
  • Malware implants (trojans, worms, viruses that capture keyboard input, sniff network activity, etc.)
To reduce the likelihood and the impact of any breach, it is always good practice to identify the entry points to the corporate network and reduce them to the minimum.  With the entry points minimized, the steps that must be taken to reduce the impact of any attempt or breach are:
  • Firewall, IDS / IPS and system logs must be reviewed on a regular basis to identify any sign of a security breach or an attempt at one.
  • Consider deploying an effective event-correlation mechanism to help in root cause analysis and in establishing the entry point and the probable target system.
  • Ensure that mobile equipment is configured with data security and protection measures such as file or full-disk encryption.
  • Employee awareness must be maintained with regard to the procedures for reporting suspicious activities, system issues, mails, etc.
  • Engage with external parties (law enforcement, security consultants, industry associations, etc.) to be informed about probable or possible security breaches.
The steps discussed above are just the preliminary steps; organizations need to do more than just guard the gates / entry points.
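What the log-review and event-correlation points above amount to in practice is illustrated by the following added example; it is not part of the original post. The firewall log format and the six sample lines are constructed for illustration (the regex will need adapting to a real firewall export). The correlation rule is deliberately simple: a source that was refused on several distinct internal hosts and then allowed through to one of them is reported as a probable entry point, with the allowed destination as the probable target system.

```powershell
# Added example (not from the original post): a minimal event-correlation pass
# over firewall log lines. Log format and sample lines are constructed.
$sampleLog = @'
2009-03-06 22:14:01 DENY  src=203.0.113.9 dst=10.0.0.11 dport=445
2009-03-06 22:14:02 DENY  src=203.0.113.9 dst=10.0.0.12 dport=445
2009-03-06 22:14:02 DENY  src=203.0.113.9 dst=10.0.0.13 dport=445
2009-03-06 22:14:05 ALLOW src=203.0.113.9 dst=10.0.0.20 dport=3389
2009-03-06 22:15:10 ALLOW src=198.51.100.4 dst=10.0.0.20 dport=443
2009-03-06 22:16:44 DENY  src=198.51.100.7 dst=10.0.0.20 dport=22
'@

function Find-ProbableEntryPoints {
    param(
        [string[]]$Lines,
        # Distinct hosts a source must be refused on before it counts as probing.
        [int]$MinDeniedTargets = 3
    )
    $pattern = '^(?<ts>\S+ \S+) (?<action>ALLOW|DENY)\s+src=(?<src>\S+) dst=(?<dst>\S+) dport=(?<port>\d+)$'
    # Parse each line into a structured event; lines that do not match are skipped.
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time   = [datetime]$Matches.ts
                Action = $Matches.action
                Source = $Matches.src
                Target = $Matches.dst
                Port   = [int]$Matches.port
            }
        }
    }
    # Correlate per source address: many distinct denied targets followed by an
    # allowed connection points at the entry and at the probable target system.
    $events | Group-Object Source | ForEach-Object {
        $denied  = @($_.Group | Where-Object Action -eq 'DENY' | Select-Object -ExpandProperty Target -Unique)
        $allowed = @($_.Group | Where-Object Action -eq 'ALLOW' | Sort-Object Time)
        if ($denied.Count -ge $MinDeniedTargets -and $allowed.Count -gt 0) {
            [pscustomobject]@{
                Source         = $_.Name
                DeniedTargets  = $denied.Count
                FirstAllowedAt = $allowed[0].Time
                ProbableTarget = $allowed[0].Target
                EntryPort      = $allowed[0].Port
            }
        }
    }
}

Find-ProbableEntryPoints -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample data only 203.0.113.9 is reported (three denied hosts on port 445, then an allowed connection to 10.0.0.20 on 3389); the two other sources fall below the threshold. The same two fields, entry point and probable target, are what the incident responder needs first, and a correlation engine does essentially this across firewall, IDS and system logs at once, with time windows and asset lists instead of a fixed count.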

I will discuss the road ahead in the next post.

Regards
Mayank Trivedi
E-mail - mayank.a.trivedi@gmail.com
Being Proactive Saves Time and Money

Thursday, February 19, 2009

Email Hacking - How to avoid

We often hear that email accounts are hacked: someone else has logged into the account and sent out mails to the address list.

This certainly is a case where one gets worried about the misuse of an email account.  But then who is responsible?  Certainly we ourselves, as we either do not change our passwords or keep them so simple that anyone with knowledge of what we call Personally Identifiable Information (our or a family member's birthday, our location's ZIP / PIN code or similar details) can recover or reset our password.

Yes, it is indeed alarming, as email account hacking, specifically of a web-based email service, does not require any special tool or skill.  All one has to know is the answers to the few questions these web mail services pose when a password is being retrieved or changed.

It is pretty easy to do this when you know the subject (the person whose account is being hacked).

Hence it is quite important that, along with the password, you change your secret question and answer at regular intervals and keep them to yourself.  Better still, treat the secret answer as a second password: it does not have to be the true answer, only something that cannot be looked up or guessed.  Also, a small tweak may be made to the ZIP / PIN code (where applicable), as that also plays an important role in password recovery or changing.