Security managers at the InfoSec World 2005 conference, held in April in Orlando, Fla., said they are combating the risks posed by outsider attacks and insider exploits by thinking, and sometimes acting, like hackers.
The Hartford Financial Services Group, which has 35,000 employees, is using stealth tactics in nabbing the bad apples in its midst. “(Y)our employees are your biggest threat,” said Matthew Fiddler, assistant director for information security at The Hartford in Connecticut, who spoke on security issues. “We had one guy tunnelling porn, a lot of porn — 53 megs.”
Acting on those suspicions, The Hartford's IT staff remotely acquired the evidence from the employee's desktop computer with the forensics tool EnCase Enterprise Edition, which can monitor and capture data over the network without the employee's knowledge.
“He doesn’t work for Hartford anymore,” Fiddler said. The advantage of using the remote data-capture tool is that it saves IT staff from traveling. “I was having to send guys out to California to do a black-bag job, but now we can do it with a WAN.”
In another case, The Hartford suspected an employee had posted intellectual property on an online message board. The Hartford could not initially pinpoint the source of the posts beyond a single e-mail address. So staff decided to use a tactic based on phishing, in which an e-mail lures someone to a fake Web site, to draw out the perpetrator.
Fiddler said he heard about the tactic from Chicago, Ill.-based CNA Financial Corp., which had done something similar. Hartford staff embedded a hidden 1×1 pixel image, a "web bug," in an HTML e-mail, then spoofed an outside sender address and sent the bugged message to the e-mail address associated with the leaked company information.
Because The Hartford had configured its intrusion-detection system to alert on requests for that web bug, the system flagged the recipient's IP address inside the corporate network as soon as the recipient's mail client rendered the message and fetched the image. "We hooked our phish," Fiddler said.
Know what you’re up against
Variants of corporate phishing are catching on, say some security experts. David Rhoades of Maven Security Consulting described a project he calls "ethical phishing" that he did for an insurance company whose name he couldn't divulge. Like ethical hacking, where a business hires "White Hat" hackers to show how it is possible to break into corporate resources, ethical phishing shows how a company can be compromised via phishing scams, Rhoades said.
Ethical phishing works in several ways. In one, the team identifies corporate employees to target, perhaps by combing the corporate Web site for e-mail addresses, and sends them HTML e-mail carrying a tiny 1×1 pixel web bug and specialized script. When the mail is opened, the victim's client is pulled to a Web site set up to record the IP address of the connecting machine. At that point the ethical phisher runs a quick port scan of that IP address and looks for weaknesses such as trivial passwords.
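The web-bug technique described in the Hartford case and in Rhoades's ethical phishing both come down to two pieces: an HTML mail that references a tiny image on a server the investigator watches, and a sensor (IDS, proxy or web-server log) that records who fetched it. The following is an added example, not code from the article, The Hartford or Maven Security; it assumes a constructed beacon host and constructed combined-format log lines. It goes one step beyond the text by issuing a unique token per recipient, so a hit in the log identifies which copy of the mail was rendered rather than only that someone fetched the image.

```python
import html
import re
import secrets
from email.message import EmailMessage
from email.utils import formatdate

# Constructed beacon host for the demonstration; it stands in for the
# investigator-controlled server that serves the 1x1 image.
BEACON_HOST = "beacon.example.net"
BEACON_PATH_RE = re.compile(r"/b/(?P<token>[0-9a-f]{16})\.gif")

# Combined log format as written by a proxy or web server; an IDS rule
# would match on the same request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def build_web_bug_email(sender, recipient, subject, body_text):
    """Return (message, token): a multipart/alternative mail whose HTML part
    references a 1x1 image keyed to this recipient.

    The token is unique per recipient, so a hit in the logs says which copy
    of the mail was rendered, not merely that someone fetched the image.
    """
    token = secrets.token_hex(8)  # 16 hex characters, matches BEACON_PATH_RE
    msg = EmailMessage()
    msg["From"] = sender          # the article's case used a spoofed outside address
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg.set_content(body_text)    # plain-text part for clients that refuse HTML
    html_body = (
        "<html><body>\n"
        f"<p>{html.escape(body_text)}</p>\n"
        f'<img src="http://{BEACON_HOST}/b/{token}.gif" width="1" height="1"'
        ' alt="" style="display:none">\n'
        "</body></html>\n"
    )
    msg.add_alternative(html_body, subtype="html")
    return msg, token


def find_beacon_hits(log_lines, tokens):
    """Scan combined-format log lines for fetches of known web bugs.

    tokens maps token -> recipient the token was issued to. Returns a list
    of dicts, one per hit, attributing the client IP back to that recipient.
    Unknown tokens (someone probing the beacon path) are ignored.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pm = BEACON_PATH_RE.search(m["url"])
        if not pm or pm["token"] not in tokens:
            continue
        hits.append({
            "recipient": tokens[pm["token"]],
            "client_ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "user_agent": m["ua"] or "",
        })
    return hits


# Constructed sensor log lines: one fetch of a known web bug from an internal
# workstation, one unrelated request, and one probe of an unknown token.
SAMPLE_TOKENS = {"3f9a1c7e5b2d4a60": "anon_poster@example.org"}
SAMPLE_LOG = [
    '10.20.30.40 - - [12/Apr/2005:09:14:02 -0400] '
    '"GET http://beacon.example.net/b/3f9a1c7e5b2d4a60.gif HTTP/1.1" 200 43 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.20.30.41 - - [12/Apr/2005:09:15:10 -0400] '
    '"GET http://www.example.com/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.20.30.42 - - [12/Apr/2005:09:16:33 -0400] '
    '"GET http://beacon.example.net/b/ffffffffffffffff.gif HTTP/1.1" 404 0 "-" "curl/7.10"',
]

if __name__ == "__main__":
    msg, token = build_web_bug_email(
        "helpdesk@example.org", "anon_poster@example.org",
        "Re: your post", "Can you confirm the details you posted?")
    print(f"sent token {token} to {msg['To']}")
    for hit in find_beacon_hits(SAMPLE_LOG, SAMPLE_TOKENS):
        print(f"{hit['recipient']} opened the mail from {hit['client_ip']} at {hit['time']}")
```

The per-recipient token is also what makes Rhoades's "just say no" advice bite: a client that refuses to render HTML, or that blocks remote images by default, never issues the request, and the log stays empty for that recipient.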
In another twist, a corporation gives the ethical phishing team the names of employees who have access to important data. “This is catch-and-release phishing where we throw the phish back,” Rhoades said.
In a classic phishing attack, the employee is directed to a fake corporate Web site and told to log on, handing over credentials an attacker wants. Some companies have changed their procedures after seeing how easily phishing can be used against them, Rhoades said. His own advice: "when it comes to HTML e-mail, just say no. E-mail was intended to be text only." He adds that the tiny 1×1 pixel image in HTML-based e-mail is "hacker GPS because they now have your IP address, and they know exactly where you are."
Train staff to be flawless
JP Morgan Chase, in New York, advocates learning hacker tricks so as not to fall victim to them. "Common mistakes made by your developers are easy to exploit," said Michael Li, information security lead in the application security group of JP Morgan Chase's IT risk-management department. "The development community just doesn't realize this issue." As part of its developer training, JP Morgan Chase created a demo Web site called XYZBank with the kind of fund transfers, account displays and customer log-on found in an online banking site.
XYZBank, built on BEA Systems' WebLogic and Microsoft SQL Server, was well designed except for what Li called minor mistakes in input validation and error handling.
Li and Anthony Meholic, vice-president of application security and manager of the ethical hacking team at JP Morgan Chase, gave a live demonstration of breaking into XYZBank by exploiting just those few minor flaws. "We use it to show our developers the security problems," Li said.
Li said corporate policy unfortunately doesn't allow JP Morgan Chase to share XYZBank with other companies.
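Since XYZBank itself is not available, and the article does not say which input-validation and error-handling mistakes it contained, the following is an added illustration of that class of mistake in an account-display page, not XYZBank's code. It assumes Python's sqlite3 as a stand-in for the SQL Server back end and a constructed accounts table. The vulnerable handler splices the account id from the request into the query and echoes the raw database error to the user; the hardened handler beside it validates the id, parameterises the query, and logs the error server-side while the user sees a generic message.

```python
import logging
import sqlite3

log = logging.getLogger("xyzbank_demo")
GENERIC_ERROR = "The request could not be processed."


def make_db():
    """Constructed in-memory stand-in for an online-banking accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 1200), (2, "bob", 300), (3, "carol", 9000)])
    conn.commit()
    return conn


def show_account_vulnerable(conn, owner, acct_id):
    """Account display as a careless developer might write it.

    Two small mistakes: the request parameter is spliced into the SQL
    without validation, and the raw database error (here with the query)
    goes back to the user, which confirms the injection point and leaks
    table and column names. owner is the logged-in customer; acct_id comes
    straight from the request.
    """
    sql = (f"SELECT id, owner, balance FROM accounts "
           f"WHERE owner = '{owner}' AND id = {acct_id}")
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": f"Database error: {exc} (query: {sql})"}


def show_account_hardened(conn, owner, acct_id):
    """The same page with the id validated, the query parameterised, and
    errors logged server-side while the user sees only a generic message."""
    try:
        acct = int(acct_id)          # anything that is not a number is rejected
    except (TypeError, ValueError):
        return {"error": "invalid account id"}
    if acct <= 0:
        return {"error": "invalid account id"}
    try:
        rows = conn.execute(
            "SELECT id, owner, balance FROM accounts WHERE owner = ? AND id = ?",
            (owner, acct),
        ).fetchall()
    except sqlite3.Error:
        log.exception("account lookup failed for owner=%r acct=%r", owner, acct)
        return {"error": GENERIC_ERROR}
    return {"rows": rows}


if __name__ == "__main__":
    db = make_db()
    # "bob" is the logged-in customer; the account id is attacker-controlled.
    print(show_account_vulnerable(db, "bob", "2 OR 1=1"))  # every customer's account
    print(show_account_vulnerable(db, "bob", "2)"))        # raw parser error reaches the browser
    print(show_account_hardened(db, "bob", "2 OR 1=1"))    # rejected before the database sees it
    print(show_account_hardened(db, "bob", "2"))           # only bob's own account
```

The `2 OR 1=1` payload works because `AND` binds tighter than `OR`, so the owner check is silently disabled; the `2)` payload shows why verbose errors matter, since the parser message tells the attacker exactly where the input lands in the statement. Neither mistake looks serious in a code review, which is the point Li's demonstration makes.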