We’ve hacked several more financial institutions using old exploits…

December 19, 2008

Microsoft released an “out of band” Security Bulletin again this week (MS08-078).  See Microsoft.com for more details.

The bulletin addresses security weaknesses in Internet Explorer, Microsoft Search tool, Word, Excel and numerous other products.  And Microsoft is not alone: Apple also released 21 security patches this week, bundled as the OS X 10.5.6 update.  This is not the type of news you will typically find on the TrustCC blog.  So why post this information?

Well, over the last several weeks we have hacked (under contract) into several more financial institutions’ (FIs’) servers using exploits remediated by the Microsoft update named MS08-067.  We were successful because the FIs aren’t keeping servers and workstations patched.  An alarming point of interest is that MS08-067 was released as a critical patch on October 23, 2008, nearly two months ago.

Why aren’t FIs keeping their systems patched?

There are actually many “compelling” answers to the question: 1) There are so many patches and so many servers, we can’t keep up!  2) We have a hard time keeping track of all the updates.  3) We don’t want to be early adopters of patches as we don’t want to “break” our systems, etc., etc., etc.

If you are reading this post and sympathising at least in part with the answers above, good!  You understand the complexities of managing operating systems and application patches.  But don’t get sucked in by these answers.  Yes, it is tough but YOU HAVE TO PATCH IN A TIMELY MANNER or you will eventually be front page news “Bank/CU hacked, millions transferred.”

Here are some recommendations:

  1. Set up an automated infrastructure for patch management.  For most community banks and credit unions this will at minimum include WSUS for managing Windows OS patches.  It should also include sufficient staffing for patch management.
  2. Use your automated patch management systems to automatically deploy workstation patches within a day or two of release from Microsoft.
  3. Have a process, even if manual, to methodically apply patches to servers, networking devices, and applications (Adobe, Veritas, etc).  This process should include:  a) subscribing to email lists for patch/updates to all OS and applications in your environment, b) reviewing all received emails for applicability and severity, c) scheduling of manual patches/updates so they are applied in a timely manner, and d) logging of any patches applied and not applied, including a reason for not applying a security patch.
  4. Have regular security testing performed (2 or more times a year) to identify lingering threats and to validate whether or not compensating controls may be sufficient to prevent exploitation.  (Please consider using TrustCC for this service… ;))
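To make recommendations 2 and 3d concrete, here is an added example (ours, not TrustCC’s tooling) of the kind of patch-compliance report a small IT shop can generate from a host inventory. Everything in it is assumed: the host names, the “installed” sets (what a WSUS export or login script might report), the workstation/server deadlines, and the one documented deferral. MS08-067’s release date is the one the post gives; MS08-078’s date is assumed to be 2008-12-17, the week of the post. It goes slightly beyond the post by treating workstations and servers with different deadlines and by keeping the deferral reason in the same log as the missing patches, so the “not applied, and why” record the post asks for is produced automatically.

```python
from datetime import date

# Constructed sample data (assumption for this example, not TrustCC data).
# MS08-067 date is as stated in the post; MS08-078 date assumed (week of post).
BULLETINS = {
    "MS08-067": {"released": date(2008, 10, 23), "severity": "critical"},
    "MS08-078": {"released": date(2008, 12, 17), "severity": "critical"},
}

# Days a patch may stay uninstalled after release before the host is flagged:
# workstations get "a day or two", servers a scheduled manual window (assumed).
SLA_DAYS = {"workstation": 2, "server": 14}

# Constructed inventory: hostnames and roles are made up for illustration.
INVENTORY = [
    {"host": "wks-teller-01", "role": "workstation", "installed": {"MS08-067", "MS08-078"}},
    {"host": "wks-loans-07", "role": "workstation", "installed": {"MS08-067"}},
    {"host": "srv-core-db", "role": "server", "installed": set()},
    {"host": "srv-file-01", "role": "server", "installed": {"MS08-067"}},
]

# Documented deferrals (recommendation 3d): (host, bulletin) -> written reason.
DEFERRALS = {
    ("srv-core-db", "MS08-078"): "vendor certification pending; no browser use on host",
}


def evaluate_host(host, bulletins, deferrals, as_of, sla_days=SLA_DAYS):
    """Return one log record per bulletin for a host.

    Status is one of: applied, deferred (with its recorded reason),
    due (missing but still inside the role's deadline), or overdue.
    """
    records = []
    for bulletin_id, info in sorted(bulletins.items()):
        age = (as_of - info["released"]).days
        limit = sla_days[host["role"]]
        key = (host["host"], bulletin_id)
        if bulletin_id in host["installed"]:
            status, reason = "applied", ""
        elif key in deferrals:
            status, reason = "deferred", deferrals[key]
        elif age > limit:
            status, reason = "overdue", f"{age} days since release, limit {limit}"
        else:
            status, reason = "due", f"{age} days since release, limit {limit}"
        records.append({
            "host": host["host"],
            "bulletin": bulletin_id,
            "severity": info["severity"],
            "status": status,
            "reason": reason,
        })
    return records


def compliance_report(inventory, bulletins, deferrals, as_of):
    """Flatten per-host evaluations into one log for the whole environment."""
    report = []
    for host in inventory:
        report.extend(evaluate_host(host, bulletins, deferrals, as_of))
    return report


def overdue_hosts(report):
    """Hosts with at least one overdue critical bulletin and no recorded reason."""
    return sorted({r["host"] for r in report
                   if r["status"] == "overdue" and r["severity"] == "critical"})


if __name__ == "__main__":
    report = compliance_report(INVENTORY, BULLETINS, DEFERRALS, date(2008, 12, 19))
    for r in report:
        print(f"{r['host']:14} {r['bulletin']}  {r['status']:8} {r['reason']}")
    print("overdue hosts:", overdue_hosts(report))
```

Run as of the post date, the report shows the database server still missing a critical patch that is 57 days old with no documented reason, which is exactly the situation the post describes finding on engagements; the two hosts missing MS08-078 are within their deadline and the one deferral carries its written justification. The point of keeping “due”, “overdue” and “deferred” in one log is that an auditor or tester can tell an intentional decision from a forgotten server.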

I am sure in the coming weeks that we’ll gain access to more customer/member data exploiting MS08-067 and the new MS08-078.  But we hope not.  Like you, we believe protecting customer/member data is of critical importance.

– TrustCC

