Archive for May, 2015

I’m speaking at Penn State University in June

The title of this blog post is the same as my session for Web Conference. Following the recent security headlines at Penn State, the title of my session is either ironic or prophetic. I think I’ll go for ironic, since the security issue Penn State encountered was not really like my title, but the FBI really did call!

If you have not already gathered, I work for FireEye, the company that owns Mandiant, the company that the FBI introduced to Penn State to perform incident response. This blog post is not going to be about Penn State’s security breach. I just wanted to establish some context.

I have been working at FireEye for close to three years. I joined as an instructional designer, and now I am a manager running a team of 7 instructional designers. In the time that I have been at FireEye I have learned the most incredible things about network security, and the lengths that threat actors (the generic name we use for all the bad guys, be they nation state, criminal gangs, lone hackers, or groups like Anonymous) will go to in order to steal your data or interfere with your network.

I expect that if you are interested in security you are still reading. Rather than talk specifically about my session, I thought I could share with you some tidbits that could come up in any presentation of mine, or dinner conversation after I’ve had half a glass of wine. I’ll include links for further reading for the motivated learners among you.


Did you know that Target was breached through their HVAC contractor? Brian Krebs, a well-known security researcher and blogger, published this report that goes into significant detail of how the breach occurred and unfolded. In short – the HVAC contractor was pwned when one of their employees fell for a phishing email that enabled the threat actors to steal credentials to Target’s network. Once the bad guys had that access, they were able to scan the network, learn the topology of the full network, and set about exploring servers, workstations and, most importantly, the POS (Point of Sale) terminals where millions of credit/debit card swipes occur daily. The most remarkable thing about this breach was that it was the first time that our researchers had seen malware read card data direct from memory, thus bypassing any need to decrypt the data!

APT1 – The Comment Crew

In 2012, Mandiant published APT1: Exposing One of China’s Cyber Espionage Units. This explosive report describes, in great detail, the activities of a threat actor group that they codenamed APT1. The report tells the history of four main characters in the group, outlining their background and talking about their specific roles. It also pictures the building where 3,000 of China’s army are housed and perform worldwide hacking activities full time, and goes on to describe how China employs a total of around 300,000 soldiers in hacking activities. When I first read this report, the first thing I thought was “If this is what they are willing to disclose publicly, what else does Mandiant know that they cannot share?”

Why are they called the Comment Crew, Steve?

Oh yeah – because they posted comments in online forums that were used by their malware to self-configure. So they installed malware on a victim machine, and the malware would at some point connect to the internet to discover its instructions for what to do next – download additional files, for instance.

Interestingly, this tactic has been used more recently: Chinese Snoops Hid Malware Commands on Microsoft Technet Site. Clearly the notion of ‘hidden in plain sight’ is not lost on the bad guys.

Clandestine Fox

Operation Clandestine Fox, as it was named by FireEye when it was discovered, is a fascinating case study, and one that shows the importance of keeping your security patches up to date. In brief, users could be attacked through a crafted web page that contained a specific set of files, including a Flash file that exploited a vulnerability in Internet Explorer. The vulnerability actually existed in all versions of IE from 6 to 11, and was considered so serious that Microsoft issued a patch within 24 hours of FireEye discovering Operation Clandestine Fox, and patched IE6 in Windows XP, even though official support for XP had long since ended.

Back to the Presentation

What is the likelihood that something that you develop or admin becomes the vector for an attack on your future employer? We can’t say for sure.

What’s the likelihood that something you develop or admin has a vulnerability that could be exploited? Probably 100%!

Is there anything you can do to mitigate such a possibility? Well, there’s lots, and that’s what I’ll talk about. Since this is a Web conference, not a network security/admin conference, I’ll keep it fairly light and talk about some of your considerations for web and app development, with some general dos and don’ts, best practices and a few little stories thrown in. If you want to learn more about the kinds of things the bad guys do, and what you, as a web developer, can do to defend against them, then come and see my session.
