F-Secure is reporting that 9 million PCs are now infected with the Conficker/Downup/Downadup/Kido worm (here), which would make it one of the largest and most infectious worms we have seen in a long time. In an era of sophisticated, stealthy, financially motivated cybercrime it is interesting, to say the least, that this worm is garnering so much attention. What is far more disturbing is how many computers were infected and how easily this could have been avoided through more effective and efficient patch management, antivirus updating, and basic security controls. It is astonishing that this worm has been able to infect as many computers as it has when every one of its infection vectors takes advantage of a basic security lapse, and it shows why it is more critical now than ever that we revamp our ability to maintain the health and improve the security of our computing infrastructure.
No one knows exactly how many computers have actually been infected. Another thing that is hard to explain is why the Conficker worm should be so successful: after all, the patch that plugs the hole through which it penetrates Windows was issued some three months ago.
It doesn’t just spread via an old Windows vulnerability, however, but also via network shares: it tries a list of common passwords against administrator accounts and copies itself to any share whose administrator is “protected” by a weak one. It also infects USB sticks. When an infected stick is plugged into the computer, the AutoPlay dialog does ask what action is desired rather than immediately running the worm. However, as the Internet Storm Center notes, the worm’s autorun.inf is crafted so that its entry mimics the normal “Open folder to view files” option, borrowing the folder icon from Windows, so a user who thinks they are simply browsing the stick launches the worm instead.
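The AutoPlay trick described above is easy to spot once you know what to look for, because the decoy lives in a plain-text autorun.inf on the stick. The following is an added example, not code from the original post or from the ISC diary it cites: a small Python checker that parses an autorun.inf tolerantly (Windows ignores junk lines and comments, and the worm padded its file with them) and flags the combination of a folder-style action label, a shell32.dll folder icon and a handler that actually runs code. Both sample files are constructed for the example; the handler path and DLL name in the suspicious one are placeholders, not the worm's real filenames.

```python
import re
from typing import Dict, List

# Constructed sample: a benign autorun.inf of the kind a vendor ships on install media.
BENIGN_AUTORUN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

# Constructed sample in the style of the USB decoy: the action text copies the
# Windows default "Open folder to view files" entry and borrows the folder icon
# from shell32.dll, while the real handler loads a DLL via rundll32.
# The RECYCLER path and payload.dll name are placeholders chosen for this example.
SUSPICIOUS_AUTORUN = r"""[autorun]
;padding comment that the Windows parser ignores
action=Open folder to view files
icon=%systemroot%\system32\shell32.dll,4
shellexecute=rundll32.exe .\RECYCLER\payload.dll,entrypoint
useautoplay=1
"""

DEFAULT_FOLDER_ACTION = "open folder to view files"
HANDLER_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant autorun.inf parser: keeps key=value pairs, skips section headers,
    ';' comments and junk lines, lower-cases keys (Windows matches case-insensitively)
    and keeps the first occurrence of a duplicated key, as Windows does."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key not in entries:
            entries[key] = value.strip()
    return entries


def analyse_autorun(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entries = parse_autorun(text)
    findings: List[str] = []
    handler = next((entries[k] for k in HANDLER_KEYS if k in entries), None)
    action = entries.get("action", "").lower()
    icon = entries.get("icon", "").lower()

    if handler and DEFAULT_FOLDER_ACTION in action:
        findings.append("action label mimics the Windows 'Open folder to view files' entry but runs a handler")
    if handler and "shell32.dll" in icon:
        findings.append("icon borrowed from shell32.dll while a handler is set (folder-icon spoof)")
    if handler:
        h = handler.lower()
        if re.search(r"\brundll32(\.exe)?\b", h):
            findings.append("handler launches rundll32, i.e. executes a DLL export rather than an installer")
        if re.search(r"\\recycler\\|\\\$recycle\.bin\\", h):
            findings.append("handler target lives under a RECYCLER / recycle-bin directory")
        if re.search(r"\.(dll|scr|vbs|cmd|bat)\b", h):
            findings.append("handler target is a DLL or script rather than an .exe")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, analyse_autorun(sample) or "no findings")
```

Run it against the autorun.inf at the root of removable media before clicking anything in the AutoPlay dialog; any finding is reason enough to disable AutoPlay on the machine and scan the stick from a clean host.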
In other news, according to a recent article by Brian Krebs in the Washington Post (here), a data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have led to the theft of more than 100 million credit and debit card accounts, which would make it the largest breach ever (that we know of).
“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”
The data stolen includes the information encoded on the magnetic stripe on the back of credit and debit cards. Armed with this data, thieves can fashion counterfeit cards by writing the same stolen track data onto fabricated cards.
“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,” Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants “is not impossible, but much less likely.”
Hacking a magnetic stripe isn’t terribly difficult, as I posted (here), so I don’t agree with Baldwin’s analysis. The unfortunate aspect is that according to online records Heartland Payment Systems was PCI compliant (here)…
So it raises the question of how the breach occurred, what can be done to avoid such a breach in the future, and, if it cannot be avoided, how to limit the impact.
But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.
Malicious software slurping up credit card numbers from transactions being processed through HPS. Unfortunately, without forensic evidence it would be very difficult to determine the nature of the intrusion, assuming this is an external intrusion and not a case of an internal employee compromising internal systems. What I would say is that we already know, based on the infection velocity of the Conficker worm, the simple steps an organization could have taken to protect itself, and the inability of most organizations to implement even a basic level of operational security, that it is conceivable this incident could have been avoided if HPS had full visibility and control over its networking infrastructure.