Sunday, 1 June 2014

Hackers put security tool that finds payment card data into their arsenal

Card Recon
Like a crowbar, security software tools can be used for good and evil.
Bootleg versions of a powerful tool called "Card Recon" from Ground Labs, which searches for payment card data stored in the nooks and crannies of networks, have been appropriated by cybercriminals.
This month, the security companies Trend Micro and Arbor Networks published research into point-of-sale malware, which has been blamed for data breaches at retailers such as Target and Neiman Marcus, sparking concerns over the security of consumer data.
Both companies found that unauthorized copies of Card Recon had been incorporated into a malware program and a toolkit designed for finding and attacking POS terminals.
"Card Recon looks to be a useful tool when wielded by an auditor or security staff, but it is clearly dangerous in the wrong hands," Arbor Networks wrote in its report.
Card Recon is intended for organizations seeking to comply with the Payment Card Industry's Data Security Standard (PCI-DSS), a set of recommendations to safeguard payment card data.
The software tool scans all parts of a network to see where payment card data is stored. Often, companies find card details stashed in unlikely and unknown places. Card Recon compiles a thorough report, and companies can then move to secure the data.
The software requires license authorization before it will run, which prevents direct illegitimate use, said Stephen Cavey, Ground Labs' co-founder and director of corporate development, via email. But it's impossible to restrict access to Card Recon's software executable after a genuine customer has obtained it.
More than 300 security auditors worldwide and thousands of merchant companies use Card Recon, he said.
"This is the unfortunate reality for all software vendors: It is common for criminals to acquire a copy of commercial software via unauthorized means and then reverse engineer that software to circumvent the licensing mechanisms that are designed to prevent its unauthorized use," Cavey said.
Numaan Huq, a senior threat researcher for Trend Micro, wrote on Wednesday that a version of Card Recon dating from three years ago was being used to validate payment card details in a type of POS malware.
When Card Recon is scanning, it has to be able to separate 16-digit numbers and other random data it finds from valid 16-digit credit card numbers. Credit card numbers can be validated by using a checksum formula called the Luhn algorithm.
The malware Huq studied used Card Recon to validate and identify cards by brands such as Discover, Visa and MasterCard. Using Card Recon was faster than other validation methods, especially for large volumes of card data, he wrote.
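The validation step described above, as an added example rather than Ground Labs' own code: a discovery scanner pulls 16-digit candidates out of text, keeps only those that pass the Luhn checksum, tags the brand from a simplified prefix table (an assumption here; real tools use far larger BIN tables), and reports the numbers masked, which is how a PCI-DSS auditor would want findings recorded.

```python
import re
from typing import Dict, List

# Constructed sample input: a log excerpt with five 16-digit candidates.
# The first three are the industry-standard test PANs (Luhn-valid); the
# fourth has a corrupted check digit and the fifth is a random order reference.
SAMPLE_TEXT = """
order=10001 pan=4111111111111111 status=ok
order=10002 pan=5555 5555 5555 4444 status=ok
order=10003 pan=6011-1111-1111-1117 status=ok
order=10004 pan=4111111111111112 status=declined
order=10005 ref=1234567890123456 status=ok
"""

# Simplified issuer prefixes (assumption for this example only).
BRAND_PREFIXES = {
    "Visa": ("4",),
    "MasterCard": ("51", "52", "53", "54", "55"),
    "Discover": ("6011", "65"),
}

# Sixteen digits, optionally separated by single spaces or dashes, not
# embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9      # equivalent to summing the two digits of the product
        total += d
    return total % 10 == 0


def brand_of(number: str) -> str:
    """Map a PAN to a brand by its leading digits, or 'Unknown'."""
    for brand, prefixes in BRAND_PREFIXES.items():
        if number.startswith(prefixes):
            return brand
    return "Unknown"


def mask(number: str) -> str:
    """PCI-DSS style masking: keep at most the first six and last four digits."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def find_pans(text: str) -> List[Dict[str, str]]:
    """Extract 16-digit candidates, keep the Luhn-valid ones, report them masked."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append({"masked": mask(digits), "brand": brand_of(digits)})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(hit["brand"], hit["masked"])
```

Of the five candidates only the three test PANs survive the Luhn filter; the random order reference and the number with a bad check digit are discarded.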
Arbor Networks wrote in its report that the attack toolkit it observed contained two cracked copies of Card Recon. In that instance, it appears Card Recon was being used for its intended purpose -- to find card numbers -- but for cybercriminals.
If anything, the abuse of Card Recon strengthens a case for its legitimate use. Ground Labs' Cavey said the best defense is to remove sensitive data.
"They can't steal what is no longer there," he said.

TrueCrypt Shut Down; What to Use Now to Encrypt Your Data

TrueCrypt Dead
If you use TrueCrypt to encrypt your data, you need to switch to different encryption software to protect your files, and even whole hard drives.
The open source and freely available TrueCrypt software has been popular for the past ten years because it was perceived to be independent from major vendors. The creators of the software have not been publicly identified. Edward Snowden allegedly used TrueCrypt, and security expert Bruce Schneier was another well-known supporter of the software. The tool made it easy to turn a flash drive or a hard drive into an encrypted volume, securing all the data stored on it from prying eyes.
The mysterious creators abruptly shut down TrueCrypt on Wednesday, claiming it was unsafe to use. "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," read the text on TrueCrypt's SourceForge page. "You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform," the message said.
"It's time to start looking for an alternative way to encrypt your files and hard drive," wrote independent security consultant Graham Cluley.
Consensus: Not a Hoax
At first, there were concerns that some malicious attackers had defaced the site, but it's becoming increasingly clear this is not a hoax. The SourceForge site now offers an updated version of TrueCrypt (digitally signed by the developers, so this isn't a hack) which pops up an alert during the installation process to inform users they should use BitLocker or some other tool.
"I think it's unlikely that an unknown hacker identified the TrueCrypt developers, stole their signing key, and hacked their site," said Matthew Green, a professor specializing in cryptography at Johns Hopkins University.
What to Do Next
The site, as well as the popup alert in the software, has instructions on transferring TrueCrypt-encrypted files to Microsoft's BitLocker service, which is built into Microsoft Vista Ultimate and Enterprise, Windows 7 Ultimate and Enterprise, and Windows 8 Pro and Enterprise. TrueCrypt version 7.2 lets users decrypt their files but won't let them create new encrypted volumes.
While BitLocker is the obvious alternative, there are other options to look at. Schneier told The Register he is switching back to Symantec's PGPDisk to encrypt his data. Symantec Drive Encryption ($110 for a single user license) uses PGP, which is a well-known encryption method. There are other free tools for Windows, such as DiskCryptor. Security expert The Grugq put together a list of TrueCrypt alternatives last year, which is still useful.
SANS Institute's Johannes Ullrich recommended that Mac OS X users stick with FileVault 2, which is built into OS X 10.7 (Lion) and later. FileVault uses the XTS-AES 128-bit cipher, which is the same one used by the NSA. Linux users should stick with the built-in Linux Unified Key Setup (LUKS), Ullrich said. If you use Ubuntu, the operating system installer has the option to turn on full disk encryption right from the start.
However, users will need a different tool for portable drives that move between different operating systems. "PGP/GnuPG comes to mind," Ullrich said on the InfoSec Handlers Diary.
German company Steganos is offering an older version of their encryption tool (version 15 is their latest, but the offer is for version 14) for free to users, which isn't really that ideal.
Unknown Vulnerabilities
The fact that TrueCrypt may have security vulnerabilities is jarring considering that an independent audit of the software is currently under way and there had been no such reports. Supporters raised $70,000 for the audit because of concerns that the National Security Agency has the capability to decode significant amounts of encrypted data. The first phase of the investigation, which looked at the TrueCrypt bootloader, was released just last month. It "found no evidence of backdoors or intentional flaws." The next phase, which would examine the cryptography used by the software, was scheduled to complete this summer.
Green, who was one of the people involved with the audit, said he did not have advance warning of what the TrueCrypt developers planned. "Last I heard from Truecrypt: 'We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!'" he posted on Twitter. The audit is expected to continue despite the shutdown.
It's possible that the creators of the software decided to stop development because the tool is so old. Development "ended in 5/2014 after Microsoft terminated support of Windows XP," said the message on SourceForge. "Windows 8/7/Vista and later offered integrated support for encrypted disks and virtual disk images." With encryption built into many of the operating systems by default, the developers may have felt the software was no longer necessary.
To make things even murkier, it appears a ticket was added May 19 to remove TrueCrypt from the secure operating system Tails (another Snowden favorite). Whatever the case, it's clear nobody should be using the software at this point, Cluley warned.
"Whether hoax, hack, or genuine end-of-life for TrueCrypt, it's clear that no security-conscious users are going to feel comfortable trusting the software after this debacle," wrote Cluley.

US cybercrime laws being used to target security researchers

Industry experts are concerned that America's anti-hacking laws are being applied without proper discretion, leaving security researchers vulnerable to prosecution. Photograph: Epoxydude/fstop/Corbis
Some of the world’s best-known security researchers claim to have been threatened with indictment over their efforts to find vulnerabilities in internet infrastructure, amid fears American computer hacking laws are perversely making the web less safe to surf.
Many in the security industry have expressed grave concerns around the application of the US Computer Fraud and Abuse Act (CFAA), complaining law enforcement and lawyers have wielded it aggressively at anyone looking for vulnerabilities in the internet, criminalising work that’s largely benign.
They have also argued the law carries overly severe punishments, is too vague and does not consider context, only the action.
HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by US law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet.

'Law enforcement are killing careers'

Jeremiah Grossman, CEO of cyber research firm Whitehat Security, believes that the aggressive application of the law will lead to researchers quitting before they’ve found serious problems on the internet, leading to a degradation of its overall security.
“Right now they are probably killing careers, because they're not accounting for intent,” said Grossman.
“The chilling effect is on the problems we don't know about yet. The canaries in the coalmine? They just killed them all. So now we're going to suffer the consequences.”
The project that landed Moore in trouble, Critical.IO, uncovered some serious, widespread vulnerabilities, including one case where between 40 and 50 million network machines could have been compromised due to weaknesses in a network protocol, known as Universal Plug and Play (UPnP).
Yet US law enforcement continued to pursue Moore, even though he was transparent with his role and the reasons for his scanning, he claimed, without naming the government body that was responsible.

'The law doesn't encourage experts with the skill to investigate threats'

Moore said the actions by law enforcement were partly responsible for him taking a break from the industry, from which he has just returned. But his biggest fears surround the overall effect on internet security.
“You need people who can get into the detail with these systems, people who know how to manipulate the technology to their advantage as a criminal would,” he added.
“You need these people to help users understand the threats, and to work with vendors to help them fix them. At the moment, the law doesn’t encourage this. It doesn’t make any distinction between bona fide research and criminal activity. It doesn’t help consumers understand their risk.”
Many other researchers are believed to have had similar issues. Zach Lanier, senior security researcher at Duo Security, said many of his team had “run into possible CFAA issues before in the course of research over the last decade”.

'We warned of a vulnerability - but they claimed we were hacking their systems'

Lanier said that after finding severe vulnerabilities in an unnamed “embedded device marketed towards children” and reporting them to the manufacturer, he received calls from lawyers threatening him with action.
"We had tried to work with them and sent them all the details," said Lanier. "When it finally got to the point that we were going to talk [publicly] about this... a lawyer called us. As is often the case with CFAA things when they go to court, the lawyers and even sometimes the technical people or business people don't understand what it is you actually did. There were claims that we were 'hacking into their systems'."
The threat of a CFAA prosecution forced Lanier and his team to walk away from the research.
"The looming threat of CFAA as ammunition for anyone to use willy-nilly was enough … and had a chilling effect on our research," Lanier added.
The people running organisations who wield CFAA aggressively when vulnerabilities are reported to them "probably don't really think about anything other than dollar signs", he said.
Current attempts at CFAA reform appear to be foundering. Researchers had hoped the case of Andrew “weev” Auernheimer would be useful in fighting for reform. Auernheimer was convicted under CFAA for his part in releasing information on an AT&T website flaw that was hacked to reveal data belonging to iPad consumers. But when Auernheimer succeeded in having his conviction overturned, it was because the judge agreed the case should not have been heard in New Jersey, rather than because of any underlying problem with the nature of the CFAA.
Many are still hopeful Aaron's Law, named after the late internet activist Aaron Swartz, who killed himself in 2013, will pass. Swartz's family said the attempts to prosecute Swartz under the CFAA, after he downloaded documents from the online resource Jstor from a server at the Massachusetts Institute of Technology without proper authorisation, were partly to blame for his death. He was potentially facing 50 years in prison for what many considered a minor act.

Lawmakers want more severe penalties for hacking

The US Congresswoman Zoe Lofgren had not offered any comment at the time of publication on claims that Aaron’s Law would not be passing through the House or the Senate.
The digital rights lawyer Marcia Hoffman says Congress remains divided on the issue. After high-profile breaches, such as the hack of US retailing giant Target and alleged Chinese state-sponsored espionage of various American organisations, many want to see CFAA punishments made more severe.
“On one side of things there are members of Congress who say hacking is a big problem and what we ought to be doing is making penalties tougher. Then on the other side there are people saying the CFAA is not written in a way that is very clear, it's not entirely apparent what behaviour is legal under it and the last thing we should be doing is making penalties tougher.”
According to Hoffman, the wording of the CFAA makes it difficult to understand what is illegal. In particular, an internet user who “intentionally accesses a computer without authorisation or exceeds authorised access” is breaking the law, even though it doesn't actually explain what authorisation actually is, Hoffman added. “Judges have been forced to figure out how one expresses authorisation.”
There are also worries that if CFAA were to be weakened in favour of the security industry, criminal hackers would simply claim in their defence they were carrying out research. Moore said there should be better ways to “define or prove what bona fide research is”.
“For example, is it the way you disclose the findings? Is it the type of information you access? This isn’t easy to solve, but it’s important and worth doing if we want to protect ourselves.”

U.S. companies seek cyber experts for top jobs, board seats

An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013. REUTERS/Kacper Pempel
Some of the largest U.S. companies are looking to hire cybersecurity experts in newly elevated positions and bring technologists on to their boards, a sign that corporate America is increasingly worried about hacking threats.
JPMorgan Chase & Co, PepsiCo Inc, Cardinal Health Inc, Deere & Co and The United Services Automobile Association (USAA) are among the Fortune 500 companies seeking chief information security officers (CISOs) and other security personnel to shore up their cyber defenses, according to people with knowledge of the matter.
While a CISO typically reports to a company's chief information officer (CIO), some of the hiring discussions now involve giving them a direct line to the chief executive and the board, consultants and executives said.
After high-profile data breaches such as last year's attack on U.S. retailer Target Corp, there is now an expectation that CISOs understand not just technology but also a company's business and risk management.
"The trend that we are seeing is that organizations are elevating the position of the CISO to be a peer of the CIO and having equal voice associated with resource priorities and risk decisions," said Barry Hensley, executive director at Dell SecureWorks' Counter Threat Unit.
With many companies looking for security executives with military or defense backgrounds, people with the right expertise can command increasingly higher salaries.
Large corporations have recently hired CISOs for between $500,000 and $700,000 a year, according to Matt Comyns, global co-head of the cybersecurity practice at search firm Russell Reynolds Associates. Compensation for CISOs at some technology companies with generous equity grants has reached as high as $2 million, he said.
In comparison, CISOs who have been with a company for five or more years are on $200,000 to $300,000 per year, Comyns said.
NEW URGENCY
Security experts have often criticized corporate America for being too complacent about cyber risks and for not doing enough to protect their computer networks from hackers.
A recent PwC survey found the vast majority of cybersecurity programs fell far short of guidelines drafted by the Commerce Department's National Institute of Standards and Technology (NIST). Only 28 percent of more than 500 executives surveyed said their company had a CISO or Chief Security Officer.
But high-profile data breaches, such as the one at Target, have injected a new sense of urgency, executives said. Target ousted its CEO, Gregg Steinhafel, earlier this month, and its chief information officer, Beth Jacobs, resigned in February. The retailer is now searching for a CISO, a newly created role.
"This is ringing bells at the C-suite," Charlie Croom, vice president of cybersecurity solutions at U.S. defense contractor Lockheed Martin Corp, told the Reuters Cybersecurity Summit.
Recruiters and executives said companies are increasing both the size and budget of their security teams. By the end of 2014, JPMorgan's annual cybersecurity budget will rise to $250 million from $200 million in 2012, CEO Jamie Dimon said in April. And the largest U.S. bank will have about 1,000 people focused on cybersecurity, compared with 600 people two years ago, he said.
A JPMorgan spokesman said the bank will continue to invest and expand its security team, but declined to confirm if the firm was looking for a CISO.
Cardinal Health CIO Patty Morrison said the healthcare services company was looking to hire a vice president of security to bring in "new talent and new ideas." USAA Chief Security Officer Gary McAlum confirmed the diversified financial services group was looking for a CISO.
Deere representatives were not available for comment, while a spokesman for PepsiCo declined to comment. The soft drink and snack maker lost its CISO, Zulfi Ahmed, to MetLife Inc earlier this year.
CHANGING FACE OF BOARDS
As companies look for CISOs, many boards are seeking directors with technology know-how so that they can better understand cyber risks. Matt Aiello, co-head of the cyber practice at Heidrick & Struggles, said he is seeing "unprecedented" demand for CIOs to serve on boards.
"Boards don't feel they have the right expertise to draw upon. It is not that they don't understand it is a risk; they don't want to blunder uninformed into it," said David DiBari, managing partner at the law firm Clifford Chance in Washington. 
Retired Accenture CIO Frank Modruson, former Department of Defense CIO Teresa Takai, Dell SecureWorks chief Mike Cote and AT&T Inc CISO Ed Amoroso have all been approached to serve as potential directors, according to people with knowledge of the situation.
Takai said she is "looking at a couple of things," including with a security technology company. Cote, through a Dell spokeswoman, confirmed he has been approached by several companies about serving on their boards. An AT&T spokesman declined to comment on behalf of Amoroso. Modruson was not available for comment.
Pamela Craig, who serves on the boards of Akamai Technologies Inc, Wal-Mart Stores Inc and software maker VMWare Inc, expects demand for CIOs to serve on public boards to increase. "You need people who have direct first-hand experience in the boardroom," she said. 
Some boards are also considering moving responsibility for network security to risk committees from audit committees, as cybersecurity is increasingly viewed as a business risk more than a compliance issue, according to Mary Galligan, director of Cyber Risk Services at Deloitte & Touche LLP.
RSA Security Senior Vice President Amit Yoran said boards are looking for experts who can help them build security into products in development, rather than bolting it on at the last minute.
"CISOs are being brought to the business table more often," Yoran said. "This is a realization that in many cases a business's survival relies on the security of the technology."