posted by: on January 21, 2009 3:46 AM

filed in: Threat Advisories - Advisories
tagged: , ,

Heartland Corporation: Malware Causes Largest Data Breach In History

Holy Crap! Heartland, a card processing service for more that 250,000 small businesses discloses a malware generated breach on inauguration day. The scope is unfathomable. If each of the customers had only 10 credit card customers…you do the math.

Like vultures feeding on roadkill, no doubt every security vendor will call on Heartland telling them how they can help but because many of them are based on ports and protocols, their promises and claims will go unfulfilled.

Could Palo Alto Networks have helped – hard to say without knowing what happened. But at the risk of calling ourselves vultures, here’s my assessment of how we might have been able to help:

  • Isolate the servers: Using security interfaces, VLANs and security zones, we could have isolated the servers and then applied policies to control both who and what had access to those servers. Because of our ability to see and control applications, users and content, the policies would have been far more granular than port-based solution policies.

  • Control applications accessing the servers: With the ability to ID more than 750 applications, we may have been able to apply access control rules for the servers that allowed only certain applications MS-SQL, Oracle, Sybase) to access it, thereby stopping the malware form getting to the server.

  • Control the users accessing the servers: Because we can leverage the user data in Active Directory as the basis of the security policy, we may have been able to stop the malware from accessing the server by controlling the specific users who had access.

  • Prevent threat from accessing the servers: Using the high speed threat prevention, policies can be applied to monitor inbound traffic (to the servers) for all manner of threats, blocking them when they are found.

  • Watch for CC#s: Leveraging the in-depth traffic analysis we perform, we can detect CC# and SSN patterns in the traffic and alert on the detection or block the traffic altogether. So in the case of Heartland, we could have set a policy that monitored the traffic outbound from the server, looking for card holder data and alerting or blocking the traffic.

  • Monitor and log the traffic: Like any security device, we collect a wealth of log data – but the key difference is that the data we have is based on actual applications, uses and content as opposed to IP addresses, ports and protocols. The result is a far richer and meaningful set of data that can be used for daily analysis or in the worst case, forensics. In the Heartland case, an admin might have been able to see unusual application activity from the server farm. From a forensics perspective, they would have at their fingertips the name of the applications, the users and the types of threats that were accessing (or attempting) the servers.

Without knowing their environment, the assessment is purely hypothetical, but worth taking a look at because is not the first breach of this type (malware intercepting card data) – the same thing happened at Hannaford supermarkets last year – and it certainly won’t be the last. It’s time to fix the firewall.

No Comments

posted by: on November 11, 2008 8:50 AM

filed in: Threat Advisories - Advisories
tagged: ,

Microsoft Security Bulletin – November 2008

Microsoft announced their scheduled November security bulletin today at 10am PST which covers 4 Microsoft vulnerabilities. Palo Alto Networks released coverage for the Microsoft vulnerabilities covered in the November security bulletin in content version 94 which was released today at 1pm PST.

Here are the vulnerabilities that were released by Microsoft today:

Microsoft Windows SMB Authenticate by Replay Host Remote Code Execution Vulnerability
Vendor ID: MS08-068
CVE: CVE-2008-4037

Microsoft Internet Explorer MSXML3 Race Condition Memory Corruption Vulnerability
Vendor ID: MS08-069
CVE: CVE-2007-0099

Microsoft MSXML DTD Cross-Domain Scripting Vulnerability
Vendor ID: MS08-069
CVE: CVE-2008-4029

Microsoft MSXML Header Request Vulnerability
Vendor ID: MS08-069
CVE: CVE-2008-4033

Click here to view the Microsoft Security Bulletin for November 2008.

No Comments

posted by: on October 22, 2008 5:00 PM

filed in: Threat Advisories - Advisories
tagged: ,

Out-of-Band Microsoft Security Bulletin

Microsoft announced an unscheduled security bulletin today at 10AM PST that they have a critical vulnerability (MS08-067) which affects Windows 2000, XP, 2K3 Server, Vista, and 2K8 operating systems. This vulnerability is a buffer overflow in the Windows Server service. The vulnerability exists in the way the Server service handles Remote Procedure Call (RPC) requests. The vulnerability allows a remote, unauthenticated attacker to send a specially crafted RPC request to take advantage of the vulnerability and gain remote code execution privileges on the victim machine. For systems running Vista and 2K8 Server, the result of the vulnerability exploit would be a system crash instead of remote code execution.

Palo Alto Networks released coverage for this Microsoft vulnerability shortly after Microsoft announced the vulnerability. Palo Alto Networks customers received a signature for this vulnerability in emergency content release version 90.

Click here to view the Microsoft Security Bulletin.

No Comments

← Newer posts Older posts →