Update: Insider threats and the TJX hack’s sterling pedigree
Posted by Paul Roberts on November 6th, 2008 under Anti Data Leakage, Breaches, Data Protection, Database Transaction Monitoring, Malware, Penetration Testing, Policy & Regulations, SaaS.
One of the lingering questions behind the massive theft of data at retailers like Hannaford Supermarkets and TJX Corp. in recent years has been the source of the malicious software used to carry out those attacks. Much is now known about the scope of hacks like the theft of data on more than 45 million credit and debit card accounts used at TJX-owned stores between 2005 and 2007.
We know roughly how much data was taken, and we have a timeline of when the company became aware of it. We can guess at the sophistication of the attack from the fact that almost 18 months passed between the initial intrusion and the company learning that its network had been breached. Technical details in the press, however, are usually thin. We hear that “malicious software” was used, that it captured data in transit or pulled it from a database, and that it stored the take in files that were later transferred off the network.
What’s missing is the provenance of the malware itself: was it a variant of a common information-stealing program like Torpig, or a custom application developed specifically for the attack in question? The answer says a lot about the effort and investment that preceded an attack. Was the victim merely a target of opportunity, caught in the net cast by a massive spam run, or did the criminals have their sights set on it from the outset?
With arrests in some of these cases, those with knowledge of them are now beginning to flip in an effort to avoid harsh sentences. That, in turn, is leading to more arrests and more details about the eye-popping data breaches that have dominated headlines. Those details are reason for concern, particularly for high profile companies that might be worried about the threat posed by rogue insiders and targeted attacks.
Take the case of Stephen Watt, the New York man named in an indictment filed in U.S. District Court in Massachusetts on October 29. According to published reports, Watt was part of a criminal ring that engaged in wire fraud, identity theft, money laundering and unlawful access to computers, all in a scheme to steal more than 45 million credit and debit card account numbers from TJX. Watt’s alleged role was authoring the sniffer program used to capture the card data. That program, dubbed “blabla,” was apparently written and then repeatedly modified by Watt for Albert Gonzalez, a co-conspirator who is believed to be the mastermind of the TJX scheme. Gonzalez, otherwise known as “Segvec,” was acting as a federal informant at the same time he was pilfering data from TJX.
Watt hasn’t been convicted of anything yet, and not much is known about the government’s case against him. It’s entirely possible that he developed the blabla application in a vacuum, with penetration testing rather than data exfiltration in mind, and completely ignorant of Gonzalez’s larger plan. Time will tell.
What is clear is that Watt was a talented developer and security mind with the resume to match. His LinkedIn profile shows him working currently for Imagine Software Inc., a company that makes trading system software used by “hedge funds, pension funds, investment banks, brokerages, and sovereign wealth funds.” His LinkedIn profile claims stints at financial services giant Morgan Stanley, where he worked on “Application infrastructure development and inhouse security toolkit development.” It also claims he worked at SaaS-based vulnerability scanning firm Qualys, where he says he “conducted research and development for an industry-leading network vulnerability scanner ... and developed proof-of-concept exploits for discovered vulnerabilities,” among other things.
UPDATE: Qualys says the LinkedIn information is inaccurate. According to company HR records, Watt worked as a summer intern for two summers, in 2001 and 2002, where he helped test that company’s scan engine. He never conducted research and development for Qualys, according to the company.
His work for Morgan and Imagine overlaps with the period of the TJX hack and his alleged work on blabla. Troubling.
The questions for security-conscious organizations of all stripes are obvious:
1) Given that you can’t stop a determined hacker from gaining access to your network, what is the proper means of protection against a hacking outfit that employs a top-notch developer to write custom malware just for you? 18 months between compromise and detection doesn’t sound so outrageous if TJX (and the layered defenses it employed) were only looking for code that matched something already seen in the wild. Signature-based tools weren’t going to find Watt’s “blabla,” because nobody had ever seen blabla before. Worse, the indictment alleges that Watt was providing regular updates to the software while the hack was in progress, so even a signature written for one version would not have matched the next.
2) Given the hunger for IT development talent, and the unfathomable and largely anonymous world of malicious and recreational hackers, how can firms trust that their star new developer isn’t donning a black hat when he’s at the office, or even when he gets back home? This is ultimately an HR question, but it’s unlikely that most employers are doing the kind of “three letter agency” caliber due diligence on IT staff that would uproot questionable associations like Watt’s.
Surveys of end users that we’ve conducted show acute interest in anti-fraud technology that can provide intelligence about threats posed by insiders regardless of seniority, from the low-level call-center agent and receptionist up through senior managers. Firms like call center giant NICE have already invested in this space, marrying anti-fraud to their existing monitoring platforms.
Companies like Guardian Analytics have come out with software that they claim can analyze and model user behaviors to spot anomalies that might indicate an account takeover or compromise. But most of these products are focused on transaction-based security: fraud and money laundering. Watt poses an even hairier problem. What posture do you take towards your realtime trading system software, say, once you realize that one of your developers was donning a black hat at least some of the time? Better yet, what internal controls can you institute that will help connect the dots leading to a questionable developer? Is it merely a matter of hiring nosy managers and smart QA people, or is some extra layer of scrutiny needed? All of this assumes, of course, that there was some bleed-over between white hat and black hat. That may not be the case every time. But as word of this indictment spreads, I wouldn’t be surprised to hear that there are some heated conversations and hastily arranged audits to assess the collateral damage, if any.
Comments
Comment from ErikC
Time: 7 November 2008, 2:52 am
Given that you can’t stop a determined hacker from gaining access to your network, what is the proper means of protection from a hacking outfit that’s employing a top-notch developer to write custom malware just for you?
You can’t; you sometimes just get lucky and wait for the blackhats to make a mistake that you can notice, just as these blackhats did.
If they had kept their operations a little more low scale, they would never have been caught. Never.
Defense in depth just means that there are more places for blackhats to make mistakes; nobody is perfect. If their imperfection collides with a recognized anomaly, then you lucked out and caught them! It only took TJX 18 months to luck out.
Comment from ToddH
Time: 10 November 2008, 1:31 pm
Great post Paul. I gave a presentation on TJX last week but hadn’t seen the Watt indictment.
You are right that the details have remained pretty obscure. Personally I think there is a desire to keep the techniques under wraps, especially the secret to cracking the debit card PINs, which were thought to be unbreakable.
Comment from Philippe Langlois
Time: 13 November 2008, 2:51 am
Since I was CTO of Qualys when I recruited Stephen Watt, I can say for sure that he was indeed conducting research and development, not minor “scan engine testing.”
In the HR system, it may be well recorded as “Internship” as Stephen was in University at the beginning of his involvement.
Whatever the case may be, people should not try to downplay the relationship. Stephen Watt has been an important team worker of the company, as everybody involved at that stage of the company, and tremendously helped with a good, playful spirit and not at all a “criminal mind” as many would like to depict him. His character, ironic humor and truth-telling habit did not gain him only friends in the computer security research area.
He definitely liked to make “efficient proof of concepts,” and I can perfectly believe that he could have developed what someone may call an “effective sniffer,” and what others could call “evil data evasion malware targeted at theft and terrorism.” I doubt he would have done it with the purpose of defrauding people.
Now you know, in the security research field, you give your development to many people you know online, and especially private research is disseminated in a private relationship way. You know someone, he will test the software and give you feedback, patches, ideas. Obviously, even some federal intelligence professionals were fooled by Gonzalez, so why should a security researcher have better judgment?
This overall polemic of “OMG, this guy has Weapons of Mass Internet Destruction” is to me clearly the old obscurantist line against transparency and open security research. And if there’s a case and we can take a few more independent-minded researchers down the hole, why not do it? What now, are we going to have a “security researcher authorized certificate”? Well, indeed the witch-hunt seems to have started a long time ago and some may not have finished trying.
Pingback from StorefrontBacktalk - Techniques, Tools, and Tirades about Retail Technology and E-Commerce
Time: 14 November 2008, 6:32 am
[...] Web is overflowing with analysis of the TJX data breach disaster, but this one posting from Plausible Deniability does a better job than most. But what’s intriguing is the possibility that some of the indicted suspects may have worked [...]
Comment from Ray
Time: 19 November 2008, 9:54 pm
The one big question I have is how the data got out of the company. There are numerous ways for it to get in (email, infected web site, USB drives in the parking lot, demo CDs in the mail, etc.) but how did it get out? Were they allowing unrestricted outbound traffic, even from the servers?
If you read any of the World Bank articles, the first thing they did was block outbound traffic from their servers. Did TJX make the same mistake of allowing their servers to talk to the Internet?
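Ray’s question above, and question 1 in the post, both point at controls that do not depend on recognizing the malware: if the server segment is only permitted to reach a short list of external destinations, a custom sniffer still has to get its take out somehow, and that attempt is visible in flow records even when the code itself is unknown. What follows is an added example written for this page; it is not code from the post or the commenters and it reflects nothing known about TJX’s actual network. The server and internal subnets, the two approved egress destinations (a hypothetical payment gateway and a hypothetical mail relay on RFC 5737 test addresses), the 10 MiB bulk threshold and the flow records are all constructed for the example.

```python
"""Egress-policy check over constructed flow records (added example).

Two checks are applied to every flow that leaves the server segment for a
non-internal address: (1) is the destination/port on the approved egress
list at all, and (2) even on an approved channel, is the flow moving an
unusual amount of data. Neither check needs a signature for the malware.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy: only these subnets and destinations are assumptions of
# the example, not anything from the post.
SERVER_NET = ipaddress.ip_network("10.20.0.0/16")     # hypothetical server segment
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # hypothetical corporate space
ALLOWED_EGRESS = (
    (ipaddress.ip_network("203.0.113.10/32"), 443),   # hypothetical payment gateway
    (ipaddress.ip_network("198.51.100.0/24"), 25),    # hypothetical mail relay
)
BULK_BYTES = 10 * 1024 * 1024  # flag any single external flow above 10 MiB


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst dport bytes' record (constructed format)."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), int(nbytes))


def egress_allowed(flow: Flow) -> bool:
    """True if the destination and port match an approved egress entry."""
    return any(flow.dst in net and flow.dport == port
               for net, port in ALLOWED_EGRESS)


def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates egress policy, else None."""
    if flow.src not in SERVER_NET:
        return None  # this policy covers the server segment only
    if flow.dst in INTERNAL_NET:
        return None  # east-west traffic is out of scope for an egress check
    if not egress_allowed(flow):
        return "server egress to unapproved destination"
    if flow.nbytes > BULK_BYTES:
        return "bulk transfer on approved channel"
    return None


def find_violations(lines) -> List[Tuple[Flow, str]]:
    """Run check_flow over raw records, skipping blanks and '#' comments."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            hits.append((flow, reason))
    return hits


# Constructed sample records: ts src dst dport bytes. The second record is a
# server talking to an unapproved host; the last is an oversized transfer to
# the approved gateway. The fourth comes from a workstation, not a server.
SAMPLE_FLOWS = """\
# constructed records for the example
2008-11-01T02:14:11Z 10.20.5.17 203.0.113.10 443 1240
2008-11-01T02:15:03Z 10.20.5.17 192.0.2.44 443 52428800
2008-11-01T02:15:40Z 10.20.5.17 10.30.1.9 1433 2048
2008-11-01T02:16:02Z 10.50.3.8 192.0.2.44 80 900
2008-11-01T02:17:00Z 10.20.5.17 198.51.100.7 25 4096
2008-11-01T02:18:30Z 10.20.5.17 203.0.113.10 443 73400320
""".splitlines()


if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} "
              f"{flow.nbytes} bytes  [{reason}]")
```

Run as-is, it reports two of the six constructed flows: the connection from the server segment to 192.0.2.44, which is not on the approved list regardless of size, and the 70 MiB transfer to the approved gateway, which passes the destination check but trips the volume check. The detection side only tells you something left; the enforcement counterpart Ray is describing is a default-deny outbound rule on the servers (or on the segment's firewall) that permits exactly the entries in ALLOWED_EGRESS and logs everything else, so that a sniffer's upload fails rather than merely being noticed later.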
Pingback from Plausible Deniability » Kasperskonality and other notes from Moscow
Time: 5 December 2008, 7:25 pm
[...] to work in its labs. It’s a fair enough question for any security company (especially given recent revelations in the TJX case), but I didn’t hear it asked of anyone at Symantec Vision in Las [...]