Archive for the ‘Cyber Risk Management’ Category

How is Microsoft's SeaPort.exe Affecting Your Network?

Wednesday, August 25th, 2010

If you've installed the Microsoft Live service at any point in the last few weeks, months or even years, you may or may not have noticed a not-so-quiet program called SeaPort.exe running in the background. It eats up processing capacity and chews up a fair amount of network bandwidth, especially when you have multiple workstations.

Research indicates this process may be detrimental to your network security and to workstation operating capacity.

What is it?

SeaPort.exe typically comes bundled as part of the Microsoft Live Search Enhancement application pack. It is also included in a plethora of "helpful" web downloads from Microsoft, including the Bing and MSN toolbars.

You'll notice that in the description field of the Services Administrator Tool, Microsoft describes it as follows:

“Enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement Applications.  Also provides server communication for the customer experience improvement program.  If this service is disabled, search enhancement features such as search history may not work correctly”.

How does it affect the workstation?

From the description one might infer that this "enhancement" should only run while browsers are open and actively searching. But SeaPort.exe runs not only on boot-up (drawing out an already lengthy startup process for your workstation), but also continuously in the background on your OS, whether any searches have been performed or not and whether or not any browser is open.

The service is set to automatic and begins churning away upon install, eating up approximately 4-7 MB (reports vary) of RAM. All this activity for a little-used, and in some cases never-used, function seems like a waste of resources on what is already an overworked OS.

How could it be harmful?

The Microsoft description above is really quite open-ended for a service that, by its own admission, transmits some type of information about the workstation back to the mothership.

Researchers have published detailed evidence that full URLs are being sent back to Microsoft for analysis by the Customer Experience Improvement Program. If you're using poorly coded web applications that include the session ID, or even worse, a username and password, in the URL, it's frighteningly possible that this information is being passed to Microsoft through SeaPort.exe.

What steps should I take?

Removing SeaPort.exe from any workstation running the process is the first step. Once that is done, continue with good risk management practice: monitor your users and the applications and processes installed on their workstations. A policy should be implemented against installing toolbars and other unauthorized applications and processes.

Brian Nelson from brighthub.com has a step-by-step process for deleting the SeaPort.exe service. You can view his blog by clicking HERE.
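As an added example (not part of the original post or of Brian Nelson's guide), the following Windows PowerShell script audits a list of workstations for any service whose binary is SeaPort.exe and, when run with -Disable, stops it and sets its start mode to Disabled so it does not return at boot. It assumes WMI/DCOM access and administrative rights on the target hosts; the host names are placeholders.

```powershell
# Added example, not from the original post: inventory workstations for the
# SeaPort.exe service and optionally disable it. Hostnames are placeholders.
param(
    [string[]]$ComputerName = @('WKS-01', 'WKS-02'),   # placeholder hosts
    [switch]$Disable
)

function Find-SeaPortService {
    param([string]$Computer)
    # Match on the service binary path rather than the display name, so a
    # service entry registered under another name is still found.
    Get-WmiObject -Class Win32_Service -ComputerName $Computer -ErrorAction Stop |
        Where-Object { $_.PathName -like '*SeaPort.exe*' }
}

foreach ($c in $ComputerName) {
    try {
        $services = @(Find-SeaPortService -Computer $c)
    } catch {
        Write-Warning ("{0}: unreachable ({1})" -f $c, $_.Exception.Message)
        continue
    }

    if ($services.Count -eq 0) {
        New-Object PSObject -Property @{ Computer = $c; Service = $null; State = 'NotPresent'; StartMode = $null }
        continue
    }

    foreach ($s in $services) {
        if ($Disable) {
            # Stop the running instance, then prevent it starting at boot.
            # Uninstalling the bundled package is still the first step the post recommends.
            if ($s.State -eq 'Running') { [void]$s.StopService() }
            [void]$s.ChangeStartMode('Disabled')
            # Re-read so the report reflects the new state.
            $s = Get-WmiObject -Class Win32_Service -ComputerName $c -Filter "Name='$($s.Name)'"
        }
        New-Object PSObject -Property @{
            Computer  = $c
            Service   = $s.Name
            State     = $s.State
            StartMode = $s.StartMode
            Path      = $s.PathName
        }
    }
}
```

Run it without -Disable first to see which hosts report the service, then rerun with -Disable; pipe the output to Export-Csv to keep a record for the monitoring policy described above.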

What does this mean going forward?

To date, most security analysts operate under the presumption that spyware is anything that "reports private information or activity to a remote host that the user may not be aware of". In most cases, SeaPort.exe is installed without the end user knowingly doing so. When installing Microsoft Live there is no option to skip the SeaPort.exe portion of the application set; it is included no matter what selections are made.

SeaPort.exe should be considered armed and dangerous, and network administrators need to understand that this process is gaining access to information about workstations that is better kept private. In short, we're not ready to call SeaPort.exe "spyware", but it's teetering on the edge of the definition, which is uncharted territory for a major OS vendor.

Trojan Linked to 2008 Spanair Plane Crash

Monday, August 23rd, 2010

Authorities investigating the 2008 crash of Spanair flight 5022 have found that the central computer system used to monitor technical issues with the plane was probably infected with malware.

The plane, a McDonnell Douglas MD-82 carrying 172 passengers and crew, rolled to the right on takeoff, split in two and exploded almost immediately. 154 people died and only 18 survived, making it Spain's deadliest crash in 25 years.

According to a preliminary report by the U.S. National Transportation Safety Board, the aircraft took off with its flaps and slats retracted, and no alarm sounded because the central computer system that normally powers and feeds the take-off warning system had failed. Two smaller earlier events were also not reported by the system. In short, built-in safeguards that should have prevented the crash failed to do so.

Jamz Yaneeza, head researcher at Trend Micro, indicated that the malware on the infected computer system was a type of Trojan horse. While there are a number of ways the malware could have entered the computer system, the most likely scenario is that it was transferred via a USB stick. This type of transfer of malicious code is not new to the transportation or high-tech industry; the International Space Station was also infected in this manner in 2008. Another possibility is that the infection occurred through a remote VPN connection.

A complete report on the full investigation is due in December 2010. Researchers have indicated that the preliminary investigation suggests the malware was not specifically intended for the plane's computer systems.

However, what this does bring to light is the bridging of the gap between two distinct types of risk management that historically have sat on opposite sides of a ravine. Conventional risk management, such as employee health and safety, transportation safety, process safety and environmental protection, is typically handled by a "risk manager" at most larger organizations, while cyber security is managed by a "technical officer" (or similar designation).

As technology develops and cyber criminals expand their operations, directed attacks against this type of exposure can and should be expected, especially with regard to extortion and blackmail. This incident is a classic example where the health and safety of employees and the public, owned materials and vehicles, company image and network security were all adversely impacted.

In this case, it's likely that malware was not the direct cause of the flaps being at the dangerous 0 degree angle, but it was a contributing factor to the crash, since the computer systems did not respond and communicate as they should have when alarming on the problem. It is certainly possible that in the future we'll see more customized malicious attempts to hijack planes, vehicles and even automated equipment run by computers, in an attempt to create harm or havoc for financial or terrorist gain.

UPDATE:

New information is now surfacing 3 days after this initial story ran at MSNBC and TechNewsDaily. Apparently the internal Spanair report that described many of these issues and reached some of the determinations outlined in this blog may not have been entirely accurate, according to security experts around the web. So while the accuracy of this initial report is still up in the air, the overall message about the threat of malware and cyber security concerns with integrated systems is still valid. As technology develops, so too will the criminals and malicious entities that take advantage of it.

New and Dangerous Zeus Variant Hitting Users' Bank Accounts

Wednesday, August 11th, 2010

A new and dangerous variant of the Zeus trojan has been discovered that uses a complex, highly skilled methodology to empty victims' bank accounts.

Primarily hitting the UK in the month of July, the new variant is using web exploits, a money mule network and a highly skilled back-end command and control system to steal well over one million dollars from victims' bank accounts.

The new variant, dubbed Zeus version 3, now uses encryption via HTTPS to communicate with its command and control network. The initial exploits that infect users' systems come from online advertising banner ads and from legitimate websites that have been compromised.

Few anti-virus vendors are able to mitigate the attack, and most intrusion prevention systems will have a difficult time distinguishing Zeus command and control traffic from legitimate HTTPS traffic because of the encryption being used.

Once user systems are compromised and under the control of the cyber-criminals, a network of "money mules" is used to transfer the funds out of the victims' accounts. Money mules are recruited by cyber criminals posing as legitimate businesses that pay fees to the recruits for transferring funds.

This complex combination of web-based exploits, encryption and the theft of small dollar amounts that stay under the radar of banks' anti-fraud systems makes this attack extremely dangerous.

There are ways to protect systems and users against this attack.

RiskAnalytics Cyber-RiskTools can actively block Zeus command and control activity in real time and immediately escalate information on compromised systems to administrators.

http://www.riskanalytics.com/cyberrisk.htm

Rite Aid to Pay Out $1 Million to Settle HIPAA Privacy Case

Wednesday, July 28th, 2010

In yet another groundbreaking privacy case, Rite Aid has agreed to pay $1 million to settle a case involving policy controls and procedures, in which employees were disposing of prescription containers with Personally Identifiable Information (PII) written on them. This is a direct violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and there were also violations of the Federal Trade Commission (FTC) Act.

Rite Aid is one of the nation's largest drug store chains and will be required to implement best practices and corrective actions to prevent the violations from recurring. Policies, programs and procedures should be implemented in this case, along with a strict education and training program for the employees who handle, or are exposed to, containers with customers' PII on them. Amazingly, this is not the first time this type of violation has occurred in the drugstore industry. In February 2009, CVS Caremark Corp. agreed to pay $2.25 million to settle identical violations of the HIPAA rule. One might think a corporation would learn from its competitors' mistakes, but this is yet another instance where corporations appear not to take the HIPAA rules seriously or to understand the serious ramifications of non-compliance.

Rite Aid was cited for several infractions by the Office for Civil Rights (OCR) and the FTC, who handle HIPAA compliance:

  • Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
  • Rite Aid failed to adequately train employees on how to dispose of such information properly; and
  • Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid Corporation (RAC) agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

These are pretty straightforward controls that ALL companies falling under HIPAA regulations should follow. The RiskAnalytics CyberRiskTools (CRT) software platform provides the policies and programs, training materials and best-practice assessment tools needed to address compliance and risk assessment for all of the above infractions. Implementing the training, tracking the testing and monitoring the results are all benefits a company can achieve by using our platform for proper cyber risk management.

Click Here to read the official U.S. Department of Health & Human Services (HHS) news release.

Dodd-Frank Act Signed into Law

Thursday, July 22nd, 2010

President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act (aptly named the "Dodd-Frank Act" for short) into law on Wednesday, July 21, 2010. The complete act runs every bit of 2,300 pages and has bearing on almost every financial services company and industry in the country.

The goals of the Act include restoring "public confidence" in the United States financial system, preventing future crises, and predicting and foreshadowing future financial asset bubbles. Additional regulation of the financial services industry will also spur change in the way financial institutions do business.

To read the bill in its entirety, Click Here.

Below are some quick links to pertinent Business Process and Cyber Security related legislation within the Act:

Section 929I: Protecting Confidentiality of Materials Submitted to the Commission

Section 1071: Small Business Data Collection

Section 1082: Amendments to the Privacy Act of 1974

Section 1093: Amendments to the Gramm-Leach-Bliley Act

Section 1494: Study of Effect of Drywall Presence on Foreclosures

Section 1503: Reporting Requirements Regarding Coal or Other Mine Safety

Whether you manage Environmental Health & Safety or your business's cyber security risk, the Dodd-Frank Act will have an impact on your risk management efforts. Continue to check back and read our blog about current events, regulations, and risk identification, mitigation and controls to support your business operations.

Microsoft confirms zero-day outbreak that can affect SCADA systems

Monday, July 19th, 2010

Microsoft has confirmed the presence of a zero-day vulnerability in Windows, following reports of sophisticated malware-based hacking attacks on industrial control systems that take advantage of the security flaw.

Security shortcomings in Windows shortcut (.lnk) files are being exploited by the Stuxnet rootkit, an information-stealing threat that targets industrial and power plant control systems. The malware, which has been detected in the wild, executes automatically when an infected USB stick is browsed in Windows Explorer.

All versions of Windows – including Win XP SP2, widely used despite the discontinuation of further security updates earlier this month – are vulnerable. Disabling Windows AutoPlay and AutoRun – the normal defense against malware on USB sticks – has no effect.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives.

Additional information can be found on the Internet Storm Center site: Click Here.

States becoming more aggressive in HIPAA enforcement

Monday, July 19th, 2010

Connecticut Attorney General Richard Blumenthal has sued Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information for 446,000 Connecticut enrollees, and for failing to promptly notify consumers endangered by the security breach.

Blumenthal is also seeking a court order blocking Health Net from continued violations of HIPAA (Health Insurance Portability and Accountability Act) by requiring that any protected health information contained on a portable electronic device be encrypted.

This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

Obviously, the best policy is to ensure safeguards are in place to prevent these breaches from happening in the first place.

Administrative policy combined with technical controls and employee education are key to preventing these episodes from occurring. Breaches can affect an organization financially and can result in decreased productivity.

FBI Warns of New Social Networking Scam

Wednesday, July 7th, 2010

The FBI is warning of e-mail and social networking accounts being compromised and used in a social engineering scam to swindle consumers. Posing as the victim, the hacker uses the victim's account to send a notice to their contacts. The notice claims the victim is in immediate need of money after being robbed of their credit cards, passport, money and cell phone, leaving them stranded in London or some other location. Some claim they have only a few days to pay their hotel bill and promise to reimburse the sender upon their return home. The sense of urgency to help a friend may cause the recipient to skip validating the claim, increasing the likelihood of falling for the scam. If you receive a similar notice, always verify the information through another channel before sending any money.

Microsoft XP and Server 2003 Vulnerability

Wednesday, July 7th, 2010

Microsoft is warning of increased attacks against a security vulnerability in the Windows Help and Support Center function that ships with supported editions of Windows XP and Windows Server 2003. Microsoft says it is working on a patch to fix the flaw, but in the interim suggests users apply a short-term fix that disables the vulnerable component. The short-term fix is available from Microsoft at: http://support.microsoft.com/kb/2219475.

Microsoft will retire XP SP2 July 13th

Monday, June 7th, 2010

Half of the enterprise computers running the aged Windows XP operating system are still relying on the soon-to-be-retired Service Pack 2 (SP2), a researcher said today.

SP3 was released two years ago. A similar situation existed with Internet Explorer 6, which was being phased out and had become a security risk, yet users were reluctant to upgrade.

Microsoft will officially retire Windows XP SP2 on July 13. After that date, although it will continue to provide security updates for XP SP3, it will stop issuing patches for the older SP2.

This will make defending XP SP2 systems increasingly difficult.

Patching is one leg of a multi-layer, defense-in-depth security strategy. Many forms of malware are easily defeated by keeping systems patched and up to date. Other tiers of that strategy need to include network monitoring for malware and dynamic blacklisting, all features of the RiskAnalytics Cyber Risk Tools S2 sensor.