Brad Garnett

Welcome to my Digital Forensics and Incident Response oasis!

Digital Forensics, Incident Response, and Information Security

Filtering by Tag: Data Breach

Home Depot Breach: Senior Execs blame Windows

The Home Depot and Target Data Breach have a lot of similarities. Stolen vendor credentials, POS malware, etc. This article caught my attention today. It appears Home Depot Senior Executives are migrating from Windows to Macs. Historically, Macs have been not as targeted as Windows. With more Macs in the workplace, we are seeing more and more malware targeting Mac users. With Wirelurker and Masque Attack, iOS and Mac OS X are clearly targets. As more and more Macs are becoming common in the workplace, they will be targeted even more. 158 new pieces of malware are created every minute, or 158 new ways you are now vulnerable! Regardless, replacing hardware alone does not equate to security. 

Continue reading...

Senate Judiciary Committee hearing on Cyber Crime and Privacy

On Tuesday, February 4th Target and Neiman Marcus officials testified before the Senate Judiciary Committee. Symantec, Consumer Union, Justice Dept, U.S. Secret Service, and others testified before the committee. You can watch the entire 2 hours and 47 minutes of C-SPAN video here. The hearing focuses on protecting Americans' privacy and combating cyber crime. The Target and Neiman Marcus data breaches are highlighted, with much discussion on moving away from magnetic credit cards and direct impacts on "brick 'n mortar" stores.

In this hearing, the malware that targeted Target and Neiman Marcus is often referred to as "advanced" and how it was so sophisticated that it avoided multiple layers of detection systems (i.e. IDS, A/V, DLP, etc.), which is another topic for discussion when it comes to signature-based solutions. But just as my friend and colleague Brian Moran points out, the Target malware from the viewpoint of a seasoned incident responder and forensic examiner, is only as sophisticated as it needs to be to steal data. Brian states, "Cyber criminals will continue to use malware that is only as advanced as it needs to be to allow the compromise, collection, and exfiltration of data."  In my previous post, I also discussed of how we all can turn this information into actionable intelligence.

With data breaches, NSA data collection debate, and consumer privacy being at the forefront of news and debate...future legislation will have a direct effect on the entire country going forward. What are your thoughts? Leave me a comment. 

Target: Actionable Intelligence

There is a lot to be learned from the Target Data Breach.  Brian Krebs initially broke the story on this data breach. This story just posted late this evening caught my attention and I thought a quick blog post would be in order to share some thoughts. Those of us in the information security and digital forensics field understand that the user is the weakest link in the security chain. But, what immediate actions can be done to strengthen this area of opportunity? 

Licensed under the Creative Commons  license

Licensed under the Creative Commons license

Target announced this evening, "The ongoing forensic investigation has indicated that the intruder stole a vendor's credentials, which were used to access our system," Target spokeswoman Molly Snyder said in a statement referenced in the MSN story.

There are so many takeaways from the Target data breach. Not only for the information security industry, but the retail sector and general public as a whole. As our lives are connected to the Internet and we conveniently use our plastic cards as forms of payment, we tend to brush security off to the side, for the "freedoms" in the technological age for whatever is more convenient. I'm optimistic that this very large scale data breach will begin dialogue on the necessity of cyber-security collaboration amongst the government and private sector. Not through a coalition or task force, but through sharing actionable, intelligible information. No matter what industry you derive from, information sharing is always a challenge (or has many obstacles). However, when you look at what occurred with this data breach and can begin to decipher media reports and other data sources, there are many lessons to be learned and actionable intelligence. Brian Krebs does an excellent job in dissecting the intrusion. In the last month, we have Target, Neiman Marcus, and now Michael's Stores announcing data breaches. The question remains, "Who else?"


More on this at a later date...

Now, some DFIR actionable intelligence for us to explore from this data breach... Brian Moran of BriMorLabs has some great information up on his blog. Today, Mr. Moran shared his research on the Target POS Malware. Very easy to set up a test environment and see how this malware is exfiltrating payment data from POS (Point of Sale) systems.  In case you missed it, Jake Williams shared his joint anti-forensics ADD talk with Alissa Torres from Shmoocon here. Basically, ADD is a conceptual tool to create fake memory artifacts, but just as @jackcr methodically points out, forensic analysis is focused on collaborating multiple artifacts, not just a single artifact. The forensic analyst must be aware of anti-forensic techniques, how artifacts are legitimately created, and how they can be falsified. Understanding normal will help you detect the anomalies during your forensic analysis.