PenFed Breach Shows That Endpoint Compromise Can Affect Database Security

Published: 22/11/2024   Category: security




Infected laptop led to database breach, credit union says



While many database security pros worry about insider threats and privileged access, a recent breach at Pentagon Federal Credit Union suggests that a simple endpoint malware infection could be just as dangerous to sensitive data stores.
An intrusion found by PenFed investigators in December came to light last week, following the publication of a notification letter sent by the financial outfit to the Attorney General of New Hampshire, which informed the state government of a breach that affected 514 New Hampshire residents -- and potentially thousands more across the country.
"PenFed discovered on or about December 12, 2010 that a laptop had been infected with malware that permitted unauthorized access to a database containing names, addresses, Social Security numbers, PenFed account numbers, credit card numbers, and/or debit card numbers for PenFed members, joint owners, former members, employees and beneficiaries," wrote PenFed's attorney Mark Schreiber.
While credit union officials have not disclosed the total records exposed by this breach, the number of New Hampshire residents affected offers a good clue that it likely will hit tens of thousands of current and former Pentagon workers. By comparison, a recent breach of Twin America that exposed 100,000 records affected a little more than half the number of New Hampshire residents affected by the PenFed breach.
According to the Privacy Rights Clearinghouse database, malware-induced database breaches made up about 33 percent of all publicly disclosed breach incidents tracked by the organization in 2010. And the recent 2010 State of Endpoint Security report released by Ponemon Institute on behalf of Lumension found that 43 percent of respondents reported a dramatic uptick in malware in 2010.
Seemingly inconsequential endpoints could be convenient launching pads for hackers to pry their way into sensitive databases, experts say. According to Roger Kay, of analyst firm Endpoint Technologies Associates, hackers depend on simple social engineering attacks to gain footholds within endpoints that enable more complicated attacks further down the line.
"All it takes is an unwary individual to actuate the payload, and you're in business," Kay says. "Let's say that an executive goes to the wrong site or has an email that looks like it's from a friend and says, 'Click on a link.' And then the link takes them to a drive-by situation where they get a download they didn't want."
From there, malware packages have evolved to the point where they can be installed in several stages.
"Packages can be assembled from multiple places around the Web," Kay explains. "You start off where someone gets a component, and maybe that component doesn't do that much -- but it knows how to call back to the Web, asking for different components from other servers."
"And so the next time it's connected, it says, 'Give me that second piece of the payload,'" Kay continues. "And then it starts to assemble itself, and even has the ability to recompile itself in the computer -- until finally, you have a payload that's pretty dangerous."
The dangerous malware can start exploring within the network and probe for vulnerable databases and caches of information, Kay says. Behavioral analysis of database activity can go a long way toward detecting anomalous behavior from endpoints that might typically access database information only on a limited basis, he says.
But today's savvy hackers have automated ways to slowly leak information in a way that could look similar to normal user behavior. Kay believes better authentication and verification of endpoint protection prior to connection with important assets could help.
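One way to implement the per-endpoint behavioral baseline described above, including the low-and-slow case where no single query looks unusual but the daily total does. This is an added example, not code from the article, PenFed or Kay; the log format, endpoint names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample logs, one record per query: "<ISO time>,<endpoint>,<rows returned>".
# BASELINE_LOG is a clean learning period; NEW_LOG is the period being monitored.
BASELINE_LOG = """2010-12-01T09:00:00,LAPTOP-A,40
2010-12-01T11:00:00,LAPTOP-A,55
2010-12-01T14:00:00,LAPTOP-A,35
2010-12-02T09:30:00,LAPTOP-A,50
2010-12-02T15:00:00,LAPTOP-A,45
2010-12-01T02:00:00,BATCH-SRV,90000
2010-12-02T02:00:00,BATCH-SRV,95000"""

# LAPTOP-A on 12-10 pulls many small result sets (none above its burst line);
# on 12-11 it pulls one large one. BATCH-SRV behaves as it always does.
NEW_LOG = """2010-12-10T09:00:00,LAPTOP-A,60
2010-12-10T09:20:00,LAPTOP-A,58
2010-12-10T09:40:00,LAPTOP-A,62
2010-12-10T10:00:00,LAPTOP-A,60
2010-12-10T10:20:00,LAPTOP-A,59
2010-12-10T10:40:00,LAPTOP-A,61
2010-12-10T11:00:00,LAPTOP-A,60
2010-12-10T11:20:00,LAPTOP-A,60
2010-12-11T09:00:00,LAPTOP-A,5000
2010-12-11T02:00:00,BATCH-SRV,92000"""

def parse(log):
    """Yield (day, endpoint, rows) from the constructed log format."""
    for line in log.splitlines():
        ts, host, rows = line.split(",")
        yield ts[:10], host, int(rows)

def build_baseline(log):
    """Per endpoint: burst threshold (mean + 3 sigma rows/query) and mean rows/day."""
    per_query, per_day = defaultdict(list), defaultdict(lambda: defaultdict(int))
    for day, host, rows in parse(log):
        per_query[host].append(rows)
        per_day[host][day] += rows
    return {h: {"burst": mean(q) + 3 * pstdev(q),
                "daily": mean(list(per_day[h].values()))} for h, q in per_query.items()}

def detect(baseline, log, slow_factor=3.0):
    """Flag single oversized queries (burst) and days whose total exceeds
    slow_factor x the endpoint's normal daily volume without any burst (slow-leak)."""
    alerts, daily = [], defaultdict(lambda: defaultdict(int))
    for day, host, rows in parse(log):
        if host not in baseline:
            alerts.append(("unknown-endpoint", host, day, rows))
            continue
        daily[host][day] += rows
        if rows > baseline[host]["burst"]:
            alerts.append(("burst", host, day, rows))
    for host, days in daily.items():
        for day, total in days.items():
            burst_seen = any(a[:3] == ("burst", host, day) for a in alerts)
            if total > slow_factor * baseline[host]["daily"] and not burst_seen:
                alerts.append(("slow-leak", host, day, total))
    return alerts
```

Running `detect(build_baseline(BASELINE_LOG), NEW_LOG)` flags the 12-10 day as a slow leak (480 rows against a ~112-row daily norm) and the 5000-row query on 12-11 as a burst, while BATCH-SRV's routine 92,000-row pull stays silent.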
"So let's say you have a trusted platform module in there, and it has some unique identifier," Kay says. "And during your load sequence, you've basically told it, 'Here's John Doe, this is his user name, this is his password, here is a summary of his biometric information, here is a summary of his equipment.'"
"All that stuff has to blend and create a hash that matches on the inside before you let him do anything," Kay explains. "Let's say he doesn't quite meet it -- or his antivirus has fallen out of date -- then you can send that system to a remediation area that's walled off from the rest of the database."