NetFlow and Username Correlation Using WMI

Posted in General, NetFlow, NetFlow Analyzer, Network Problem Resolution, Scrutinizer, Security on April 20th, 2010 by Paul

In today’s information technology world, security is an increasingly important topic and having the right tools for the job is utterly necessary. So, you ask yourself, how can a NetFlow and sFlow analysis tool help you? Scrutinizer gives you the ability to monitor all the traffic on your network to identify IP addresses, bandwidth and port usage, possible threats, and any IPFIX or Flexible NetFlow custom fields, but what if you could go even deeper?


Paul Dube
Technical Support

Three free and fabulous resources for Cisco NetFlow admins, Part 1

Posted in NetFlow, NetFlow Analyzer, Scrutinizer, Security, WebNM, sFlow on August 26th, 2009 by NewsTrax

To celebrate the release of Version 7.0 of Scrutinizer NetFlow and sFlow Analyzer, which is absolutely free, I thought I’d share with you three fabulous free resources for Cisco network administrators.


Heartland Security Breach Could Have Been Prevented

Posted in General, Scrutinizer on January 26th, 2009 by Raul J Duran

“I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks,” stated Robert O. Carr, founder, chairman and chief executive officer of Heartland Payment Systems. Heartland Payment Systems is a large provider of credit and debit payment and check management services based in NJ.

In a Networkworld.com article, “Debit-card processor claims data breach part of global fraud operation”, Ellen Messmer, senior editor for Networkworld.com, explains how Heartland was hit by a massive security breach that compromised customer card data crossing Heartland’s network.

Robert H.B. Baldwin Jr., Heartland’s president and CFO, said “About 100 million card transactions per month occur on the affected systems which provide processing to merchants and businesses.”

I’m sure several initial questions were asked, like “How did this happen?”, “Why didn’t the firewall and IDS prevent this?”, “Why didn’t antivirus pick this up?” and “What security do we have?!!!” I wonder what the answers were. Crickets with the occasional whimper? “Yes, it is a problem and we are working on it…”, “I don’t know.”

Baldwin says the computer forensics conducted by the company has uncovered evidence of multiple instances of malicious software on the Heartland network, although he didn’t disclose the exact number of identified instances.

In the Heartland official statement there was a clue as to how the breach was carried out: “Cyber criminals to use the same or slightly modified techniques over and over again.”

So the picture is starting to look like this: a modified worm and/or trojan, created to circumvent antivirus, was introduced to the network internally or through an open port. Once the right nodes or servers were infected, open season on credit card information collection began.

In the last paragraph of the Networkworld article, Baldwin states that the company is taking steps to improve its network security by adding what it referred to as “a next-generation program designed to flag network anomalies in ‘real-time’ to better identify possible criminal activity,” but didn’t go into details.

In today’s world anybody can learn how to hack and create worms and viruses with a simple Google search, increasing both the sophistication of attacks and the number of people looking to steal information. At their core, though, the symptoms and network behavior of these attacks are very similar. This is why real-time network traffic anomaly detection is a critical step in securing a network, and judging by Heartland’s published statements, they seem to agree.

A tool that would likely have caught this breach is the NetFlow Behavior Analysis (NBA) module for the Scrutinizer NetFlow Analyzer. It’s a system designed to look for malicious traffic trends that are flying under the radar of existing conventional countermeasures.

Scrutinizer NBA continually tallies and sizes up the conversations from all flow sending devices and helps identify:

• Zero-day worms, SYN Floods and DoS attacks
• ICMP Destination Unreachable
• Bleeding Edge Attacks
• Policy violations and internal misuse
• Poorly configured and unauthorized devices
• Unauthorized Application Deployments
• Suspicious NetBIOS-based services
• Excessive Multicast Traffic
• Unauthorized or incorrectly configured server activity
• P2P traffic, such as Bit Torrent (even if encrypted)
• Root causes of network slow downs
• Serious vs. trivial network incidents

What happened to Heartland is an example of why having a real-time network behavior analysis tool in place like Plixer’s Netflow Behavior Analysis module can be the key to avoiding catastrophic security breaches.

Plixer offers free evaluations of Scrutinizer and the Flow Analytics/NBA module, so there’s no reason why you shouldn’t check it out if you don’t already have it.

Check out the Netflow Behavior Analysis Brochure on the Plixer website.

Good luck to Heartland and I hope they’re able to recover from this.

Raul Duran


Managing IP Based Access of Scrutinizer

Posted in General, Scrutinizer on December 18th, 2008 by miltong

I had an interesting call today.  A customer who works for a government agency needs to protect very sensitive data within Scrutinizer. He asked if they could control which IP addresses were allowed to connect to his Scrutinizer Web Interface.  Specifically, he wanted to deny all connections except for when Scrutinizer was accessed from the local server.

We can do this with a simple edit of the Apache httpd.conf file. The file is located in the Scrutinizer/Apache2/conf/ directory. Before making any modifications, make a copy of the current httpd.conf file so that you can revert to it in case of any problems.

Within the httpd.conf file, look for the following lines:

[screenshot: httpd.conf access directives before the change]

Modify the lines above to look like the lines below and save the file.

[screenshot: httpd.conf access directives after the change]

Restart the Scrutinizer_apache2 service so that the changes are applied.

The server will now deny every host attempting to connect to the Scrutinizer web interface, with the exception of the IP address 127.0.0.1.

This configuration forces users to log in from the local server just to be able to reach the web interface, subjecting them to whatever security measures apply to users logging on to that server.

Although this configuration limits access to only one specific IP, it is also possible to specify which domains and networks have access and which don’t.
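The directives the screenshots showed are not reproduced on this page, so here is an added example (not the original post’s configuration) of the before and after blocks in the Apache 2.2-style Order/Allow/Deny syntax, assuming Scrutinizer’s bundled Apache uses those directives; the document root path and the 192.0.2.0/24 and .example.com values are constructed placeholders.

```apache
# BEFORE (typical default): every client may reach the web interface.
# Path is a placeholder; use the DocumentRoot from your own httpd.conf.
<Directory "/path/to/Scrutinizer/Apache2/htdocs">
    Order allow,deny
    Allow from all
</Directory>

# AFTER: "Order deny,allow" evaluates Deny first, then Allow, and a host
# matching both is allowed; so "Deny from all" plus a narrow Allow list
# leaves only the local server able to connect.
<Directory "/path/to/Scrutinizer/Apache2/htdocs">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

# VARIANT (the "domains and networks" case): the Allow list may hold
# several entries; a CIDR network and a domain suffix are shown here.
# Domain-suffix entries require a successful double-reverse DNS lookup
# of the client address, so prefer IP or network entries where possible.
<Directory "/path/to/Scrutinizer/Apache2/htdocs">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.0/24 .example.com
</Directory>
```

On Apache 2.4 the same intent is written with `Require ip 127.0.0.1` (and `Require host .example.com`) inside the Directory block instead of the Order/Allow/Deny trio.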

Milton
