We are pleased to be a part of the DoD CyberCrime Conference in chilly St. Louis Missouri.  Conference goers should feel free to stop by, say hello, and check out the demonstrations of our NextGen software.

For the second time in 18 months, Monster.Com has suffered a massive security breach.  In both cases, user account information was stolen, along with the email addresses and names of job seekers.  When this happened in August of 2007, 1.3 Million accounts were taken when an employee of the company divulged his credentials via a Trojan Horse program.  Within days of that attack, users of Monster.com who had their account information stolen found they were victims of targeted malware phishing attacks and, since hackers assume Monster.Com users are out of a job, many were invited to become money laundering mules for criminal hacker organizations.

In the latest breach, Monster put a notice here on their website that says:

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes. Monster does not generally collect – and the accessed information does not include – sensitive data such as social security numbers or personal financial data.

Immediately upon learning about this, Monster initiated an investigation and took corrective steps. It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.

Now let’s flash back to 2007 and their statement to the press regarding that breach:

Sal Iannuzzi, the company’s chairman and chief executive, said the company was improving its surveillance of how the site is used as well as limiting the way data can be accessed. Iannuzzi declined to provide specific details about how the new security measures will work, saying he didn’t want to make them vulnerable to potential hackers.

Whatever improvements were made in Monster’s network surveillance and security measures were not adequate to deal with the severity of the threats the organization is facing from sophisticated adversaries.  In light of this second breach, Monster should review what went wrong with their previous remediation plan and develop something better to help them identify data breaches quickly and lock down their customer records.  Monster, as many enterprises today, simply needs better and deeper visibility into their network traffic.

NetWitness NextGen provides a new paradigm for network security monitoring.  Full packet capture and session analysis provides the ultimate truth about data crossing the wire because you are dealing with ALL the data — not just signatures or statistics or scans.  Your security managers actually will know what types of information is crossing network interfaces, will better understand the risks of that data in motion, and can therefore make better decisions about reducing those risks.  And regardless of how the hacker tries to exfiltrate the data -  via the web, trojanized control port to the internal network, or a disgruntled insider- NetWitness helps you close the gaps.

For Monster users, please change your password on the site.  Other bloggers are reporting that usernames and passwords were stored in clear text.  If so, and you use the same username and passwords on other accounts, you may wish to change those credentials as well.

If you have dined out at a local family restaurant in the past few months, or perhaps paid for books for your college-bound kids, or even paid for gasoline at the pumps with a credit card, you may have inadvertently allowed hackers to steal your credit card number during the transaction phase that takes place on Heartland Payment Systems’ backend network.

The Washington Post’s Brian Krebs broke the story yesterday. He writes on his SecurityFix blog here:

Heartland, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments

40 percent of transactions the company processes are from small to mid-sized restaurants across the country.

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. It wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Heartland said.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

In many cases where a processor experiences a breach, the affected banks may simply re-issue new cards to some customers. In other cases, consumers may spot the first signs of fraudulent activity by reviewing their bank statements.

Heartland Payment systems also went on to declare to the Wall Street Journal that the breach was due to a magnificent piece of malware that was “lightyears” ahead of what other hackers could do.

Heartland was targeted with malicious software that was “light-years more sophisticated” than malevolent programs commonly downloaded from the Internet.

NetWitness understands that cyber breaches happen.  Maybe this piece of malware was more sophisticated than than usual, but it was still malware that evaded standard security software detection capabilities.  Firewalls and intrusion detection systems alone cannot alert security personnel to activity that was designed by criminals to evade detection. 

Exfiltrated data can be recorded as it happens, along with how the malware came to be downloaded to the network.  And those packet collections can be preserved so when reports come in that data is being used fraudulently, you don’t have to pour over audit trails, IDS alerts and firewall logs looking for the problem.  You have the network traffic itself for audit.  And with NetWitness Investigator, analysts can easily spot the problem communications.  No need to wait for the Secret Service to show up with a forensics team.

In the meantime, keep an eye on your credit card bills for any suspicious charges.  Any fraudulent activity should be reported to your financial institution immediately.

I am not sure anyone really can understand how hard it is, to make a computer tutorial video that looks even remotely watchable on youtube.  It took quite a few trys to figure out how far I needed to zoom in, to make it readable at a resolution that was cutting edge in 1992.

In my searches for options, I stumbled on ViddYou.  Consider it a youtube clone, that will allow HD content for about 3 dollars a month.  The tutorial is now there as well – in a much clearer format.

On monday of this week, we released Investigator 8.6, and we released it free.  I thought I would take to this poor, neglected blog and write some thoughts about it.  So far the reaction has been very positive.  It seems people like what they see, and we are very happy with the many blog posts, and positive feedback we are getting.  I thought I would answer some questions here directly.

The number one question from the press, blogs, and friends – was “Why?”

It would be easy to say that this is simply a good thing for the security community - and we wanted to contribute.  To be sure – there was a lot of that in our discussions.  But the truth is – we really don’t sell Investigator.  What we sell – are enterprise class, distributed network appliances that perform very high speed network capture, and all the analysis you see in Investigator — in real time — providing weeks and months of historic visibility.

Investigator – is simply the front end for that solution.  If you want to know what we do as a company, and what we sell — it is simple.  If you like what Investigator does on a gigabyte of packet captures – just imagine it working over 100 Terabytes or more.  Imagine having that power over every every bit and byte that has entered or left your network over the last month.  To be sure – there are reporting engines and alerting engines we sell that automate common analysis – but with Investigator you should get the idea of what we offer enterprise customers.

The number two question that we get – always seems to involve Wireshark, in some sort of competition skew.

Again – the simple truth is that the products are not competitive at all.  In fact, they work together to make both products better.  In the demonstration videos – I even show how easy it is to open sessions in wireshark.  We use wireshark every day.  And those of you who used to – will still use it.  What we hopefully let you do – is find those sessions that need to be looked at – 100 times faster than before.  Perhaps a thousand…  In the end - I bet wireshark developers will use Investigator as well.  The products compliment – not compete.

The next question is about registration.  It seems everyone thinks it is a bit cumbersome.

There are several reasons for this.  First – we are a small – private – commercial company.  We are not a charity, a think tank, or a group of cyber crime fighters.  So if we require people to register – it can help us see which industries we should be focusing on, and other marketing needs.  We are not going to be overzealous in this regard, but the information will help us be a better company.

Next – there are quite a few ways we have built in extensibility in the product.  From custom alert rules – to custom threat and intelligence feeds – to full on custom session protocol parsing – users of investigator can contribute by creating extensions.  I wanted – personally above all else as CTO - to get a community of users that are pushing the product forward.  That is why your registration also registers you for the community.  The video tutorial did not focus on this aspect yet – but I will extend it soon.  For now – if you are interested in those aspects – you will have to make do with the manuals and the community forums.

The last question - seems to be “Windows – Really?”

Well – remember – this is our front end client software to enterprise solutions.  We actually are working in the background to make the client more cross platform.  All of our enterprise solutions work on dedicated – very high speed, open Linux architectures.  As a small company – we can move faster by picking our battles with technology.  All of the database technology that we have written, all of the core components for processing and extracting data, essentially all of our core components – are all already cross platform.  When we have time – we will work on getting the UI components there as well.

In the end – we really hope you enjoy Investigator.  We hope it makes your jobs easier.  Please provide us feedback.  We will listen – and we will update often with new capabilities.

The recent public disclosures at Hannaford Bros of millions of credit card numbers lost to professional carder gangs again raises questions regarding the state of preparedness of retail security and other industries to protect customer data in the current cyber threat environment.  In the case of Hannaford, these gangs may have followed a pattern familiar to network forensics researchers with whom we work – a weak link in the security program is exploited as a foothold to open a command and control channel on the victim network.  After that, it is just a matter of time before critical POS servers or store terminals are Trojanized, and are automatically transmitting perfectly valid customer credit card numbers directly to carder gang members. 

The amount of ensuing punditry is astounding.  First, the horror and shock from some corners that PCI Standards did not prevent this debacle.  For good or bad, PCI was the credit card companies’ much needed attempt to enforce some level of basic information security on organizations with merchant accounts.  The security controls in PCI were designed years ago, and are focused on well-understood and documented threats and essential security practices.  But, PCI compliance, due to its very nature, is not going to provide adequate protection against a well-funded and committed professional adversary who can design specific malware to circumvent these basic security controls. 

There also have been calls to jettison PCI.  The premise in these statements is that if the card companies would simply take responsibility for the storage and security of credit card numbers from the moment of card-swiping forward, there would be no need for retailers to comply with some key aspects of PCI.  This position, while seemingly attractive at the surface from a security perspective, is untenable in a multi-trillion dollar consumer facing industry.  The reality is that the same architectural, procedural, technological, and financial constraints preventing retailers from adequately protecting their data in many cases will prevent the card companies from implementing the suggested changes. 

Having spent time with top retailers over the past several years, I can tell you that there are many very good security people working at these organizations, but with limited ability to get things done.  These I/T professionals would benefit greatly from two things:  1) A self-directed industry effort to develop voluntary, model security standards that would deal effectively with today’s actual threat environment, versus force them to follow check lists.  This process requires leadership, organization and resources; and 2) A greater focus on operational security efficacy.  PCI was only good in the sense that it jolted retailers to focus on “Security 101” but it is not the end – simply a catalyst.  Retailers and other industries that handle PII now must take matters in their own hands and move beyond PCI and other regulations to recognize that today’s threat environment requires a deeper degree of security monitoring and network visibility, especially at the application layer.   

You can’t get this visibility from once-a-quarter scanning, annual audits, or even from most of the perimeter sensors deployed today.  If you are not doing full packet capture and session analysis with NetWitness you will miss indications and warnings of these TJX and Hannafords-like problems, and also will lack the evidence to figure out the scope and damage of the incident.   – Eddie Schwartz