4 posts from August 2013
August 27, 2013
Trade Secrets Leaked for Two Years without Audit

Today, an article on TheRegister caught my eye. It was also reported on Bloomberg. Two ex-employees of a Wall Street trading company – Flow Traders – are facing criminal charges for leaking trading evaluation algorithms from their previous employer.

Now this is your typical information leakage story, where an employee steals company assets for personal gain. But here’s what’s truly astonishing.

Consider this quote:

“Vuu was charged with 20 counts of each offense, having emailed himself various materials related to Flow Traders' trading strategies and valuation algorithms over the period from August 2011 to August 2012” (emphasis is mine).

Not only did the trading company have an insider active for a year, the charges and the investigation come out only now – one year later. From the beginning of the data leakage to the point of prosecution, two full years have elapsed. Only recently has one of the offenders left the trading firm, reportedly in March 2013.

Here is another quote from one of the ex-employee’s lawyers:

“I’m confident that when the DA’s office has completed their investigation they will find Flow Traders did not suffer any economic loss.”

Let’s step back for a second.

It’s difficult to assess the damage that results from data theft. But the potential fallout is truly mind boggling. A trading firm’s evaluation algorithms are their most precious IP. They are the unique factor that measures and automates buy/sell decisions. A firm loses that – and it’s out of business, period. Two years is ample time to sell stolen information to the highest bidder and destroy a business.

Companies with employees at different levels who access IP must take precautions to ensure that data is monitored and audited. In today’s data-driven world, a company simply cannot afford a breach that goes unnoticed for two years.

Flow Traders may have dodged a bullet. But future companies may not be so lucky.


August 19, 2013
Our take on the NSA’s decision to cut back on sys admins

A couple of weeks ago, the NSA Director, General Alexander, was quoted in a Reuters article saying that in order to limit data access and potential leakage, they will cut back on 90% of NSA system admin staff.

This statement drew a lot of criticism, since cutting critical staff so disproportionately makes no sense, which leads us to believe that there is something else going on…

"At the end of the day it's about people and trust," Alexander said.

Maybe he should have phrased things a little differently: "At the end of the day it's about people and trust, plus monitoring the people you trust."

It seems like the real issue is not the number of people, but rather the number of people who hold administrative privileges. What you really need to cut is administrative privileges from 90% of the people.

Administrators should not be immune to scrutiny. To prevent the next Snowden-like incident, segregation of control should be implemented, so that leaking the data requires the collusion of at least two individuals from different teams.

To do so, the security team should be supplied with a compensating monitoring system over file and database access which:

  • The administrator has no control over
  • Can only monitor access to the data rather than actually accessing the data (eliminating another potential backdoor)
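One way to express the segregation-of-control rule above in code, as an added illustration that is not from the original post or any product: a privileged bulk export is allowed only when two distinct approvers from two different teams, neither of them the requester, sign off, and every decision lands in an audit record owned by the monitoring role rather than the administrator. The directory of users and teams is constructed.

```python
"""Two-person control for a privileged data export (hypothetical example)."""
from dataclasses import dataclass, field

# Constructed directory: which team each account belongs to.
TEAMS = {"alice": "dba", "bob": "dba", "carol": "security", "dave": "audit"}


@dataclass
class AuditLog:
    """Append-only record kept by the monitoring role, outside admin control."""
    entries: list = field(default_factory=list)

    def record(self, event: str) -> None:
        self.entries.append(event)


def authorize_export(requester: str, approvers: list, log: AuditLog) -> bool:
    """Allow the export only if two distinct approvers from two different
    teams, neither of them the requester, have signed off.  Every outcome,
    allowed or denied, is written to the audit log with its reason."""
    reasons = []
    distinct = set(approvers)
    if len(distinct) < 2:
        reasons.append("fewer than two distinct approvers")
    if requester in distinct:
        reasons.append("requester cannot approve own request")
    if any(a not in TEAMS for a in distinct):
        reasons.append("unknown approver")
    # Teams represented by valid approvers other than the requester.
    teams = {TEAMS[a] for a in distinct if a in TEAMS and a != requester}
    if len(teams) < 2:
        reasons.append("approvers must come from two different teams")
    if reasons:
        log.record(f"DENY export by {requester}: " + "; ".join(reasons))
        return False
    log.record(f"ALLOW export by {requester}, approved by {sorted(distinct)}")
    return True
```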

”In God We Trust, All Others We Monitor”


August 13, 2013
TIME and again: an SSL breach before BREACH

Last week at Black Hat 2013, one of the briefings that garnered a lot of attention was ‘SSL, GONE IN 30 SECONDS – A BREACH BEYOND CRIME.’ The briefing detailed an extension of 2012’s CRIME attack. While the original CRIME attack targeted a compression information leakage vulnerability in order to expose secrets contained in compressed and encrypted HTTP requests, the new BREACH attack exposes secrets in HTTP responses. The briefing and accompanying paper explain a complex subject that spans several domains (compression, encryption, web protocols, etc.) in a very clear way.

At Black Hat Europe earlier this year, I presented on a similar topic. The briefing, called “A PERFECT CRIME? ONLY TIME WILL TELL,” discusses this extension of the CRIME attack as well as some timing-based attacks on SSL. The abstract specifically mentions “the relevancy of compression ratio information leakage for HTTP responses,” which is discussed in detail in the publicly available white paper.

Our work did not stop at applying the CRIME attack to responses. Digging deeper, we were able to determine that the compression vulnerability can be exploited even if the attacker does not have any eavesdropping capability, by using timing inference.
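To make the compression-ratio leakage concrete, here is an added illustration (not code from either paper) of why the length of a compressed response is an oracle when a secret and reflected input share one DEFLATE stream, and of the per-response masking defense that removes the stable repeated substring. The response template, the secret value and the hex encoding of the masked secret are constructed for the example.

```python
"""Compression-length leakage in an HTTP response, and per-response masking."""
import os
import zlib

SECRET = "token=9f3a7c1e"  # constructed secret embedded in the response body


def render(reflected: str, secret: str = SECRET) -> bytes:
    # Response that echoes client-controlled input next to a secret: the
    # pattern that makes the compressed length depend on the guess.
    return f"<p>Results for '{reflected}'</p><input name='{secret}'>".encode()


def compressed_len(reflected: str, secret: str = SECRET) -> int:
    # A guess that extends a correct prefix of the secret is coded as one
    # longer back-reference, so the DEFLATE output is a little shorter.
    return len(zlib.compress(render(reflected, secret), 9))


def oracle_lengths(prefix: str, alphabet: str = "0123456789abcdef") -> dict:
    # Length of the compressed response for each candidate next character.
    return {c: compressed_len(prefix + c) for c in alphabet}


def mask(secret: str, rnd: bytes) -> bytes:
    # Defense: transmit mask || (secret XOR mask) with a fresh mask each
    # response, so the literal secret never appears and nothing stable repeats.
    s = secret.encode()
    assert len(rnd) == len(s), "mask must be as long as the secret"
    return rnd + bytes(a ^ b for a, b in zip(s, rnd))


def unmask(blob: bytes) -> str:
    half = len(blob) // 2
    return bytes(a ^ b for a, b in zip(blob[half:], blob[:half])).decode()


def render_masked(reflected: str, secret: str = SECRET) -> bytes:
    # Same page, but the secret is masked with os.urandom before encoding.
    masked = mask(secret, os.urandom(len(secret))).hex()
    return f"<p>Results for '{reflected}'</p><input name='{masked}'>".encode()
```

With masking, the correct guess no longer compresses consistently shorter, because the bytes that would have matched change on every response.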

This is one of the reasons why conferences like Black Hat are so important. We have been in touch with the authors of the BREACH paper, who have added a note about it on their website and will mention our work in their paper. We hope that the renewed interest in the attack will motivate browser and server vendors to find a solution for it, including the grave additional timing issues that our TIME attack exposed.

For more information, follow these links:


August 08, 2013
Thoughts on the FBI’s Preso at Black Hat

Attending BlackHat is something that most security professionals look forward to. It’s an opportunity to meet similar folks on both sides of the security aisle, have a drink, share stories and compare notes.

FBI at Black Hat

One presentation really stood out for me at this year’s conference:  the Insider Threat presentation by FBI’s former CISO, Patrick Reidy. In the presentation, Reidy talks about the FBI’s approach to combating insider threats. What I really enjoyed was the striking similarity between the FBI’s analysis and what Imperva has been talking about for the past year. Even the FBI’s own resourceful research conclusions are in line with ours.

I used to look at all insider threat cases in more or less the same way. I always assumed that at one point, there would be an attempt to capture credentials or hack/use a system admin/privileged account in order to gain access to data. While CERT (CMU) would definitely agree with me on this point (see next paragraph), the FBI’s conclusions tell a different story. This makes me believe that there is a fundamental difference in cybercrime that occurs in government and non-government targets.

Interesting Findings

While CMU marked 90% of all IT sabotage coming from system admins, in the FBI’s case – only 0.8% were system admins, and only 1.5% of all incidents included privileged system administrator account usage.


The numbers indicate a very significant difference between the expected targeted users who hold system privileges in government versus non-government organizations. The number of insider incidents originating with system admins is very high everywhere except within government. Common sense says that since government employees in agencies such as the FBI must have access to privileged and sensitive information, the insider in government organizations could be anyone.

Are you malicious?

One other interesting fact from Reidy’s presentation was the difficulty in uncovering malicious insiders. During the presentation, he talked about a major problem in detecting users in an organization that start out with no malicious intent, but turn in time to the dark side for money or other ulterior purposes.

I agree. It is close to impossible to monitor each employee’s connections and private affairs outside of an organization, and to keep a finger on the pulse of things like finances and friendships to gauge whether there is a potential problem that should be flagged. This means that someone has ample opportunity to become an insider threat or engage in espionage.


(Source: Patrick Reidy, Combating the Insider Threat at the FBI: Real World Lessons Learned – BlackHat USA 2013)

5 Lessons Learned

Reidy summarizes key lessons learned in his research with some calls to action for organizations:

1. Insider threats are not hackers
  • Frame and define the threat correctly and focus on the insider threat kill chain
2. Insider threat is not a technical or “cyber security” issue alone
  • Adopt a multidisciplinary “whole threat” approach
3. A good insider threat program should focus on deterrence, not detection
  • Create an environment that discourages insiders by crowd sourcing security and interacting with users
4. Avoid the data overload problem
  • Gather HR data and data egress/ingress logs
5. Detection of insider threats has to use behavioral based techniques
  • Base detection on user’s personal cyber baselines
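Lesson 5 (detection against a user’s own baseline) and lesson 4 (use egress logs) can be shown in a few lines; this is an added illustration, not something from Reidy’s talk or an Imperva product. It also fits the Flow Traders case above, where the telling signal was the volume of material one employee sent out over time. The log lines, user names and thresholds are constructed.

```python
"""Per-user behavioral baseline over constructed document-egress logs."""
import statistics
from collections import defaultdict

# Constructed log: date, user, number of documents sent to an external address.
LOG = """\
2013-08-01 alice 2
2013-08-02 alice 3
2013-08-03 alice 2
2013-08-04 alice 3
2013-08-05 alice 41
2013-08-01 bob 12
2013-08-02 bob 14
2013-08-03 bob 11
2013-08-04 bob 13
2013-08-05 bob 15
2013-08-01 carol 1
2013-08-02 carol 1
2013-08-03 carol 2
2013-08-04 carol 1
2013-08-05 carol 15
"""


def parse(log: str) -> dict:
    """Group (day, count) rows per user, keeping log order."""
    per_user = defaultdict(list)
    for line in log.splitlines():
        day, user, n = line.split()
        per_user[user].append((day, int(n)))
    return per_user


def baseline(history: list) -> tuple:
    """Mean and population standard deviation of a user's own past days."""
    sd = statistics.pstdev(history) if len(history) > 1 else 0.0
    return statistics.fmean(history), sd


def find_anomalies(log: str, warmup: int = 3, sigma: float = 3.0, floor: int = 2) -> list:
    """Flag a day when a user exceeds their own baseline by `sigma` deviations
    and by at least `floor` documents (so near-zero baselines ignore noise).
    Each user is compared only with themselves: 15 documents is routine for a
    heavy user like bob and alarming for a light user like carol."""
    flagged = []
    for user, rows in parse(log).items():
        history = []
        for day, n in rows:
            if len(history) >= warmup:
                mean, sd = baseline(history)
                if n > mean + sigma * sd and n - mean >= floor:
                    flagged.append((day, user, n))
            history.append(n)
    return flagged
```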

Want to learn more?

Last month, we presented a webinar on Insider Threats and concluded with an 8 step plan on how to remedy them.

Imperva has also released an eBook to help educate and simplify the understanding of insider threats and the remediation process.
