
Five Significant Insider Attacks Of 2012

From the recent theft of counterterrorism data from Switzerland's intelligence agency to remotely wiretapping boardroom videoconferencing systems, a number of attacks had an inside component

Insider attacks continued to haunt government agencies and companies alike in 2012. From rogue PIN pads at Barnes & Noble to disgruntled employees walking out with a nation's secrets, organizations suffered a wide variety of attacks.

While studies have found that insiders typically account for a minority of incidents, they tend to cause more damage, especially when privileged users, who have access to a company's crown jewels, go rogue. In addition, negligent insiders cause nearly 40 percent of all data breaches, and malicious attacks account for a third of incidents, according to a March study.

"The difference with insiders is they can inflict measurable financial, measurable IP, measurable brand and reputation damage -- more so than an outsider can," says Jim Butterworth, chief security officer for HBGary, a subsidiary of ManTech International. "Make sure that your employees, especially those with access to the crown jewels, are held accountable."

While insiders are usually only marginally involved in the theft of many types of data, incidents involving intellectual property are the exception, according to a Verizon report. In two-thirds of cases, regular employees played some role in the loss of intellectual property, the report stated.

The definition of "insider threat" continues to broaden. Once used to describe any attack by a rogue employee, the term now encompasses attacks that use insider-like access to compromise systems and data, such as employees who bring infected devices inside the firewall or companies that allow Internet-facing resources -- such as remote-desktop applications and videoconferencing -- unfettered access to the inside of their networks.

"In those cases, the breach would have never occurred if not for the insider making a mistake," says Rob Sobers, technical marketing manager for data-protection firm Varonis.

[Protecting intellectual property against insiders is tough enough when the insiders are a company's own employees, but the problem becomes even more difficult when a third party has access to confidential information. See When Someone Else's Insider Is Your Threat.]

Here are five significant attacks involving insiders in 2012.

5. Infrastructure As An Insider: Barnes & Noble
In October, retail book chain Barnes & Noble announced that rogue PIN pad devices had been found at 63 of its 700 stores, allowing criminals to siphon off credit- and debit-card numbers as well as the PINs to victims' bank accounts. Because the affected stores were located in different geographic areas, the attack is thought to be the work of an organized group of criminals.

Less than 1 percent of the devices were compromised with hardware "bugs," making the attack unlikely to be a supply-chain issue, Barnes & Noble stated. The incident showed that compromised infrastructure -- whether corrupted somewhere in the supply chain or later on-site -- is a major insider issue, said Gunter Ollmann, who was vice president of research at Damballa at the time.

"There is very little that can be done to protect these devices than what is already being done today," he said. "In essence, an insider threat is the most insidious."

4. Bug In The Boardroom: Rapid7 Videoconferencing Research
In January, researchers at vulnerability management firm Rapid7 published research showing that many videoconferencing systems were directly accessible from the Internet, essentially giving attackers a direct line into conference and meeting rooms.

The company's researchers scanned about 3 percent of the Internet's address space, finding that some 5,000 systems were set to automatically answer calls from the Internet. Statistically, that indicates a total of 150,000 systems are likely accessible from outside corporate networks. In lab tests with similar equipment, the researchers found that they could listen in on nearby conversations and even read information on whiteboards and sticky notes.

"People definitely want to be familiar with the products they are deploying," said Joshua Talbot, security intelligence manager at Symantec, at the time. "Companies that adopt a new technology should become aware of the security risks that they are bringing into the environment."

Later research found that remote-access software, used to administer a client's systems, could be a major security issue for companies that did not configure the software correctly, giving attackers a backdoor into the enterprise.

3. Data Walk Out: From Cityville To Kixeye
In August, Alan Patmore left Zynga and moved over to a small San Francisco startup, Kixeye. Just before leaving, he created a Dropbox folder and used it to transfer 760 files to the cloud, Zynga claimed in an October lawsuit. The data included a description of Zynga's methods for measuring the success of game features, an initial assessment of Cityville, and design documents for nearly a dozen unreleased games, Zynga stated in its complaint. "Patmore transferred this data from Zynga in violation of his obligation and without Zynga's knowledge or consent," the company stated.

Kixeye countersued under California's business codes, claiming that the information is not proprietary and Zynga was attempting to stem an exodus of employees using legal tactics. The saga continues in the Superior Court of California.

Insiders walking out with proprietary data to which the workers believe they have some ownership rights is a common problem for companies. Educating employees about a company's intellectual-property concerns is a must. In addition to legal protections, companies should focus on limiting employees' access to data they do not need to do their work.

"Always make sure that people have access to only what they need," Varonis' Sobers says. "Just because they are an executive, they don't need to have access to everything in the company."

2. The Inadvertent Insider: South Carolina's Dept. Of Revenue Breach
In mid-August, attackers obtained the login credentials for an employee of the South Carolina Department of Revenue, essentially gaining insider access to the agency's systems. The attack, detected in October, resulted in the theft of some 3.6 million Social Security numbers belonging to state residents, as well as 387,000 credit- and debit-card numbers. Total cost: $14 million and growing.

Mandiant, the security firm that conducted the forensics investigation into the breach, theorized that the attackers used spearphishing e-mails to compromise a worker's system and collect the credentials. Such a scenario is quite common, Varonis' Sobers says.

"Most of the time, the insider component of these attacks is not malicious," Sobers says.

Organizations should limit their workers' access to the information those employees need to know. The S.C. Department of Revenue did not do that, and it allowed the Social Security numbers to be stored unencrypted.

1. The Disgruntled Insider: Swiss Intel Leak
In a case rivaling the leak of U.S. State Department memos by a U.S. military serviceman, the Swiss intelligence agency, NDB, told its American and British counterparts that a disgruntled system administrator had reportedly taken terabytes of classified information from its systems. The employee reportedly had unrestricted rights to the intelligence service's systems and had carried out hard drives containing the stolen data, according to a Reuters report published earlier this month.

"Here is an administrator with root privileges, and there were no measures in place to restrict what that administrator could do," says Todd Thiemann, senior director of product marketing for data-protection provider Vormetric.

While authorities do not believe that the rogue employee sold or transferred the data, they have no way to be sure, sources told Reuters.

12/19/2012 | 7:57:53 PM
re: Five Significant Insider Attacks Of 2012
Great examples of how an "insider threat" isn't just a disgruntled employee.

Kelly Jackson Higgins, Senior Editor, Dark Reading