Security Breaches Reminder For IBM i Shops To Up Their Games
October 6, 2014 Alex Woodie
The recent revelation that cybercriminals compromised more than 80 million JPMorgan Chase accounts and 56 million Home Depot accounts is a stark reminder that cyber criminals have upped their game and that even the biggest corporations must adapt to survive. It should also serve as a warning to smaller companies, including IBM i shops, security experts say.
Russian hackers are believed to be behind a massive data breach at JPMorgan Chase that began over the summer and was first revealed to the public last month. The company last week admitted that hackers accessed contact information, such as name, address, and phone numbers, for 76 million households and 4 million small businesses. More sensitive data, such as account numbers and PINs, were not compromised, the company says. Nor did the attackers obtain any “proprietary software,” the firm said.
The fact that hackers left this valuable information seemed to puzzle law enforcement officials. The attack, which is being investigated by the FBI and the Secret Service, breached more than 90 internal servers, according to a story in The New York Times, and was likely the result of Russian hackers “as a possible retaliation for government-sponsored sanctions,” according to a story on Bloomberg.
Russian hackers are also believed to be behind the recent Home Depot hack, which came to light last month after several banks traced a pattern of credit card fraud back to the home improvement store. According to the security website Krebs on Security, which broke the story September 2, Home Depot’s Windows-based point of sale (POS) systems had been infected with a new variant of “BlackPOS” (also known as “Kaptoxa”), the same piece of malware that had infected Target’s POS. About 56 million credit and debit cards were compromised in the Home Depot breach, making it one of the largest retail breaches ever; the Target breach affected 40 million cardholders, while an additional 70 million had less sensitive data compromised.
The BlackPOS malware works by siphoning data from cards when they are swiped at the POS terminal, storing it on a compromised server, and then FTPing it home to the hackers. The stolen Home Depot card data showed up on the same underground hacker website that distributed Target data, according to Brian Krebs of Krebs on Security. He traced the BlackPOS attack to a group of Russian hackers who, Krebs says, have an axe to grind against Americans following U.S. intervention in Ukraine, Libya, Syria, and Egypt.
The fact that Russians appear to be behind many of the recent attacks should be no surprise. As we reported in August, a gang of Russian hackers dubbed the CyberVors successfully used advanced hyperscale computing techniques to perpetrate a massive heist of more than 1.2 billion unique user name and password combinations associated with 542 million email addresses from 400,000 (poorly protected) websites.
Your user ID and password are probably among them. “The battle for identity theft has already been lost,” Monty Faidley, director of market planning for LexisNexis, told IT Jungle recently. “Effectively, if you look at data breaches that have already occurred, pretty much every American’s ID is already floating around out there somewhere and is available for sale.”
So what does all this mean for IBM i shops? You could put your head in the sand and pretend this isn’t happening, that your passwords and user IDs are still secure, that nobody knows what an IBM i server is anyway. Or you can stand up and do what every security professional does–assess the situation and plan a course of action to combat the problem.
“IBM i customers can work to meet these challenges, but must not be complacent,” says Patrick Townsend, the founder and CEO of Townsend Security. “The IBM i [operating system] has good security, but that security is only as strong as all of the PCs, servers, and other devices on the network. The attackers will probably not go after the IBM i. They will capture the IBM i credentials from a user, from memory and keyboard scraping routines, or after compromising a Web server.”
Monitoring all of these connected systems is no easy task. Security information and event management (SIEM) products are now commonplace at most of the Fortune 500 companies, which have complex, heterogeneous environments to manage. Increasingly, small and midsize firms will need SIEM or SIEM-like products to keep hackers from exploiting the large attack surface that heterogeneous, geographically distributed IT environments expose.
New data analytic technologies are helping companies keep their systems safe. Last week a company called Fortscale launched a new product that runs within Hadoop and uses machine learning algorithms to monitor the behavior of every user within a company. If the user starts doing things that are out of character for him or his peer group–accessing different files or directories, logging on in the middle of the night, or mistyping his password–then it triggers alarms. This sort of fine-grained capability is not possible with SIEM products.
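The behavioral checks described above (off-hours logins, access to objects a user has never touched, runs of mistyped passwords) can be sketched without any Hadoop or machine-learning stack. The following is an added example, not code from the article or from Fortscale: it builds a per-user baseline from constructed sample audit records, then scores a second batch of records against it. The log format, user names and library paths are invented for the example, and peer-group comparison is left out; only the individual user's own history is used.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records in a simple pipe-delimited form (not from the article):
# timestamp | user | action | target | result
# The baseline covers normal working days; the second batch is the window being checked.
BASELINE_LOG = """\
2014-09-01T09:12:00|alice|LOGIN|-|OK
2014-09-01T09:15:00|alice|READ|/qsys.lib/payroll.lib|OK
2014-09-02T08:58:00|alice|LOGIN|-|OK
2014-09-02T10:30:00|alice|READ|/qsys.lib/payroll.lib|OK
2014-09-03T09:05:00|alice|LOGIN|-|OK
2014-09-03T14:20:00|alice|READ|/qsys.lib/hr.lib|OK
2014-09-01T13:00:00|bob|LOGIN|-|OK
2014-09-01T13:05:00|bob|READ|/qsys.lib/orders.lib|OK
2014-09-02T12:45:00|bob|LOGIN|-|OK
"""

NEW_LOG = """\
2014-10-05T02:14:00|alice|LOGIN|-|FAIL
2014-10-05T02:14:30|alice|LOGIN|-|FAIL
2014-10-05T02:15:00|alice|LOGIN|-|FAIL
2014-10-05T02:15:20|alice|LOGIN|-|OK
2014-10-05T02:20:00|alice|READ|/qsys.lib/cardvault.lib|OK
2014-10-06T13:10:00|bob|LOGIN|-|OK
2014-10-06T13:12:00|bob|READ|/qsys.lib/orders.lib|OK
"""


def parse_log(text):
    """Parse the pipe-delimited records into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, target, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target, "result": result})
    return events


def build_profiles(events):
    """Per-user baseline: hours of successful logins and objects successfully read."""
    profiles = defaultdict(lambda: {"hours": set(), "targets": set()})
    for e in events:
        if e["result"] != "OK":
            continue
        p = profiles[e["user"]]
        if e["action"] == "LOGIN":
            p["hours"].add(e["ts"].hour)
        elif e["action"] == "READ":
            p["targets"].add(e["target"])
    return profiles


def _hour_distance(a, b):
    """Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect_anomalies(profiles, events, fail_threshold=3, hour_slack=2):
    """Score each event against the user's baseline; return (user, reason) alerts in time order."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per user
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        p = profiles.get(user)  # .get() does not create a default entry
        if p is None:
            alerts.append((user, "no baseline for this user"))
            continue
        if e["action"] == "LOGIN":
            if e["result"] == "FAIL":
                failures[user] += 1
                if failures[user] == fail_threshold:
                    alerts.append((user, f"{fail_threshold} consecutive failed logins"))
                continue
            failures[user] = 0
            hour = e["ts"].hour
            if all(_hour_distance(hour, h) > hour_slack for h in p["hours"]):
                alerts.append((user, f"login at {hour:02d}:00 outside usual hours {sorted(p['hours'])}"))
        elif e["action"] == "READ" and e["result"] == "OK" and e["target"] not in p["targets"]:
            alerts.append((user, f"first access to {e['target']}"))
    return alerts


def run_demo():
    """Build the baseline from BASELINE_LOG and check NEW_LOG against it."""
    profiles = build_profiles(parse_log(BASELINE_LOG))
    return detect_anomalies(profiles, parse_log(NEW_LOG))


if __name__ == "__main__":
    for user, reason in run_demo():
        print(f"ALERT {user}: {reason}")
```

Run as a script it prints three alerts for `alice` (the failed-login run, the 02:00 login, and the first read of a library she has never touched) and none for `bob`, whose activity matches his baseline. A real deployment would persist the profiles, let them age, and weight the signals rather than treating each one as a standalone alarm.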
The folks at LexisNexis have their own massively distributed version of Hadoop called HPCC that they use to power big data security solutions. It’s not monitoring individual users closely, but instead providing an extra layer of authentication in front of valuable services. “The focus now and where we’re channeling our big data solution is around how to find identity fraud, when identity thieves are using the identities to break the laws and request cash refunds, to apply for insurance benefit or Medicaid benefits,” Faidley says.
In an IBM i environment, one of the best courses of action may be to add another layer of security atop the authentication mechanism for certain classes of users, such as powerful administrators, and in front of business processes involving very sensitive data and large sums of money. Earlier this year Townsend Security rolled out a two-factor authentication system that requires users to properly enter a PIN code, sent via a mobile text or an automated voice call, before being allowed on the system.
The addition of this extra layer of security can compensate for poor security elsewhere, such as succumbing to a sophisticated phishing email that tricks you into logging in to a maliciously crafted website. “All it takes is one slip-up, and a user’s PC can be compromised with malware that performs keyboard scraping or memory scraping,” Townsend says. “In a blink your IBM i account and password can be stolen. That’s all that is needed to mount an attack on your IBM i server.”
Two factor authentication (2FA) is the primary defense against this type of loss, Townsend says. “We are rapidly approaching the time when the use of passwords alone will be considered an embarrassing security failure, and a failure of governance,” he says. “There are well-known and mature solutions for 2FA, and IBM i customers should implement them as fast as possible. We have to do a lot of things to make our IBM i systems secure, and this is one of the core technologies that must be added to the arsenal.”
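The PIN-over-text-or-voice scheme described in the two preceding paragraphs has a handful of server-side properties that decide whether it actually stops a stolen password from being enough: the PIN must come from a cryptographic random source, only a hash of it should be stored, it must expire quickly, it must work exactly once, and a few wrong guesses must void it. The following is an added example written for this article, not Townsend Security’s product or any IBM i API; the `send_pin` delivery hook is a hypothetical stand-in for an SMS or voice gateway, and the clock is injectable so expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6          # length of the one-time PIN delivered to the user
PIN_TTL_SECONDS = 120   # PIN expires two minutes after issue
MAX_ATTEMPTS = 3        # wrong guesses allowed before the challenge is voided


@dataclass
class PendingChallenge:
    salt: bytes
    pin_hash: bytes
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Issue and verify one-time PINs as the second step after a successful password check.

    `send_pin(user, pin)` is a hypothetical delivery hook standing in for an SMS or
    voice-call gateway; `clock` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, send_pin, clock=time.time):
        self._send = send_pin
        self._clock = clock
        self._pending = {}  # user -> PendingChallenge; only a salted hash of the PIN is kept

    @staticmethod
    def _digest(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

    def start(self, user):
        """Generate a fresh PIN from a CSPRNG, store its hash, and deliver the PIN out of band."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[user] = PendingChallenge(salt, self._digest(pin, salt),
                                               self._clock() + PIN_TTL_SECONDS)
        self._send(user, pin)

    def verify(self, user, entered):
        """Return True only for the current, unexpired PIN; a correct entry consumes the challenge."""
        ch = self._pending.get(user)
        if ch is None:
            return False
        if self._clock() > ch.expires_at:
            del self._pending[user]
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(self._digest(entered, ch.salt), ch.pin_hash)
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # one-time use, and lockout after too many guesses
        return ok


def run_demo():
    """Exercise the cases that matter; returns a dict of case name -> expected behaviour held."""
    delivered = {}          # constructed stand-in for the phone: records the last PIN sent
    clock = [1_000.0]       # fake clock so expiry is deterministic
    sf = SecondFactor(lambda user, pin: delivered.__setitem__(user, pin),
                      clock=lambda: clock[0])

    sf.start("alice")
    pin = delivered["alice"]
    wrong = "000000" if pin != "000000" else "111111"
    out = {"wrong_rejected": not sf.verify("alice", wrong),
           "right_accepted": sf.verify("alice", pin),
           "replay_rejected": not sf.verify("alice", pin)}

    sf.start("alice")
    clock[0] += PIN_TTL_SECONDS + 1
    out["expired_rejected"] = not sf.verify("alice", delivered["alice"])

    sf.start("alice")
    pin = delivered["alice"]
    wrong = "000000" if pin != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        sf.verify("alice", wrong)
    out["locked_after_guesses"] = not sf.verify("alice", pin)
    return out


if __name__ == "__main__":
    for case, held in run_demo().items():
        print(f"{case}: {'ok' if held else 'FAILED'}")
```

The hash-and-salt storage means a dump of the pending table does not hand an attacker the live PINs, `hmac.compare_digest` avoids leaking the comparison result through timing, and the attempt cap keeps a six-digit PIN from being brute-forced during its two-minute window. What the example does not cover is the delivery channel itself; the strength of SMS or voice as a second factor depends on the carrier and the phone, which is outside the server’s control.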
As consumers adopt so-called chip and PIN technologies, products like Townsend’s two-factor authentication will likely see greater adoption. It’s not a silver bullet, but it keeps the good guys one step ahead of the CyberVors of the world.