[SecurityRatty] tag: destroy

Logging Poll #9 Analysis: Log Security

Fri, 05 Sep 2008 09:48:00 +0000

This is the analysis of my last poll; the responses are here and also below.

First, the most obvious conclusion: people still don't care much about log security; I am saying that since this was BY FAR the least popular of my polls. Only 24 people responded, so everything below is pretty unscientific :-) A good way to explain it: look at the recent media? Do these people care about their key business data and their customer data security? Nope. So, how on Earth do you make them care about securing their log data?

Second, it is entirely unsurprising that 83% of respondents want "Authenticated access to log server." In fact, I'd opine that 100% of people want authenticated access to any of their servers :-) But, this was my "red herring" to set the baselines for the rest of the questions...

However, this is where the buck stops: other security measures are notably less popular.

Third, "Logging all access to logs" is my favorite and I am happy to see it reported as popular. But do you really do it? Do you log access to log server OR access to actual logs? Think about it... I think a lot of people who do the latter still answered "yes" to this one.

Fourth, "Reliable / acknowledged network transfer of log data" and "Encryption of log data in transit " are two true "no-brainer" security features; they took the next spot at 45% and 50% of those who answered. They are simple, they are easy, they make sense - and, obviously, they don't make logs entirely secure so you need to do more. Why only 50%? Where is THE OTHER 50%?!

Fifth, "all things crypto" are below 40%. "Cryptographic hashing of stored logs", "Cryptographic signing of stored log data" and "Encryption of stored log data" all hover at around 30%. I attribute them to general disregard of log security AND reliance on "system security" (separate server, etc) over "data security" measures for log protection.

Finally, I am embarrassed to say that I missed the obvious security measure "Separate server for logging, not accessible from the Internet;" one of my readers added this using "Other security measures" choice. Indeed, this is a good point - and a good idea to do it. Another option mention there was "Destroy old logs." Amen to that too!

Possibly related posts:

The Russia vs Georgia Cyber Attack

Mon, 11 Aug 2008 15:35:55 +0000

Last month's lone gunman DDoS attack against Georgia President's web site seemed like a signal shot for the cyber siege to come a week later. Here's the complete coverage of the coordination phrase, the execution and the actual impact of the cyber attack so far - "Coordinated Russia vs Georgia cyber attack in progress" :

"Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations), and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth. With the attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak of DDoS attack and the actual defacements started taking place as of Friday."

Some of the tactics used :
distributing a static list of targets, eliminate centralized coordination of the attack, engaging the average internet users, empower them with DoS tools; distributing lists of remotely SQL injectable Georgian sites; abusing public lists of email addresses of Georgian politicians for spamming and targeted attacks; destroy the adversary’s ability to communicate using the usual channels -- Georgia's most popular hacking portal is under DDoS attack from Russian hackers.

Some of the parked domains acting as command and control servers for one of the botnets at 79.135.167.22 :
emultrix .org
yandexshit .com
ad.yandexshit .com
a-nahui-vse-zaebalo-v-pizdu .com
killgay .com
ns1.guagaga .net
ns2.guagaga .net
ohueli .net
pizdos .net
googlecomaolcomyahoocomaboutcom.net

Actual command and control locations :
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/
prosto.pizdos .net/_lol/

Consider going through the complete coverage of what's been happening during the weeked. Considering the combination of tactics used, unless the conflict gets solved, more attacks will definitely take place during the week.

Summarizing July's Threatscape

Fri, 01 Aug 2008 12:08:24 +0000

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

World War II Deception Story

Tue, 29 Jul 2008 09:50:05 +0000

Great security story from an obituary of former OSS agent Roger Hall:

One of his favorite OSS stories involved a colleague sent to occupied France to destroy a seemingly impenetrable German tank at a key crossroads. The French resistance found that grenades were no use.
The OSS man, fluent in German and dressed like a French peasant, walked up to the tank and yelled, "Mail!"

The lid opened, and in went two grenades.

Hall's book about his OSS days, You're Stepping on My Cloak and Dagger, is a must read.

Mailing error at the University of Maryland exposes student information

Fri, 18 Jul 2008 05:18:07 +0000

Technorati Tag: Security Breach

Date Reported:
7/17/08

Organization:
University of Maryland

Contractor/Consultant/Branch:
Department of Transportation Services

Victims:
All students registered for Fall 2008 classes

Number Affected:
23,727

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

Reference URL:
University of Maryland
ABC Channel 7 News
WTOP FM 103.5 News

Report Credit:
University of Maryland

Response:
From the online sources cited above:

On July 1st, 2008, the University of Maryland’s Department of Transportation Services sent all students registered at the time, by U.S. mail, a brochure with on-campus parking information.

On July 8, 2008, the University discovered that the labels on that mailing included the addressees’ Social Security numbers.
[Evan] Sheesh, a fraudster doesn't even have to tamper with the mail if the Social Security number is on the label.

The error was discovered on the morning of July 8 when calls were made to the University.

This parking mailer was sent to all individuals registered for Fall 2008 classes at the University of Maryland as of June 15, 2008.

The mailing list numbered 23,727 individuals.

In our annual effort to provide parking and transportation information to the University community, the names and addresses of all registered students was requested internally at the Department of Transportation Services for the purpose of creating mailing labels for a brochure.

This information was generated by a computer query and included names, addresses and what was believed to be University identification numbers (UIDs).
[Evan] When writing and executing database queries, isn't it a good idea to check the results and see if the information displayed is the information you were looking for? I wonder if UIDs are also nine digits long like Social Security numbers are.

Our normal process is to remove the University ID numbers prior to mailing.
[Evan] Is it safe to assume that "normal process" was not followed in this instance? If so, then why not? There is no mention in the school's response.

It was not apparent to departmental staff that these numbers not only still existed within the file, but were Social Security numbers, and not University ID numbers.
[Evan] Not apparent? They were on the labels!

The numbers were not identified as Social Security numbers and did not show the normal spacing between digits.
[Evan] So it would be xxxxxxxxx instead of xxx-xx-xxxx. What percentage of people would recognize the first set of nine digits as a SSN?

This mailer was sent using third class, bulk mail delivery and may not have been delivered to you yet.

Currently, there is no evidence that anyone's Social Security number has been misused.

The University apologizes and deeply regrets this unfortunate mistake.

We are initiating immediate action to ensure that this error does not recur.
[Evan] Like what? Maybe train people to review their query results and follow "normal process"?

The University of Maryland values the critical importance of your personal information.

We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.

In unfortunate situations like this, it is possible that dishonest people may contact you asking for personal information in the guise of offering assistance from the University.
[Evan] Equally unfortunate is the fact that there are a lot of dishonest people.

Please note that the University WILL NOT contact you by phone, e-mail or in any other way requesting personal information regarding this incident.

Please do not release any personal information in response to contacts claiming to be from the University.

In response to this incident, the University, and specifically the Department of Transportation Services, has moved to severely restrict access to sensitive student and faculty/staff information; we believe the fewer individuals who have access to this data will only increase our ability to protect sensitive information.

If individuals feel that they would like to take extra steps beyond the fraud alert, the University has arranged with Equifax to make available, at no cost to them, a 12-month service that includes credit monitoring, customer care, fraud expense reimbursement insurance and access to their credit report.

If you have not received this mailer and are unsure if you are included in the affected group, please call toll-free 1(877) 935-2428, Monday - Friday, 8:30 a.m. - 5 p.m. EST.

You may contact us in one of the following ways:
By telephone: Toll-free 1(877) 935-2428, Monday-Friday, 8:30 a.m. - 5 p.m. EST
Via e-mail: parkingmailer@umd.edu
Mailing address: Regents Drive Garage, Building #202, College Park, MD 20742

Commentary:
The lack of attention to detail coupled with lack of control leads to an increase of risk of confidential information disclosure. Not all that uncommon.

Past Breaches:
Unknown

Houston law firm threw confidential client information in the trash

Thu, 17 Jul 2008 10:59:25 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Weber Law Firm

Contractor/Consultant/Branch:
"his wife"

Victims:
Clients

Number Affected:
"hundreds"

Types of Data:
"personal financial records, documents with Social Security numbers, people's medical files and more"

Breach Description:
"HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

Reference URL:
KHOU-TV News (original)
KHOU-TV News (follow-up)

Report Credit:
Jeremy Desel, KHOU-TV

Response:
From the online sources cited above:

Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.
[Evan] There is little doubt about the sensitivity of the information found in a person's bankruptcy files. Don't you think that an attorney should know better?

The discovery came in a trash bin in the 9100 block of Jones Road, with box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more.

When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.
[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"
[Evan] Obviously, this answer probably doesn't go over very well. In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."
[Evan] Ugh. Blaming the wife would not be a good idea in my house, even if it were my her fault.

He added it was a one-time problem.

But he also said his firm does not have a policy for disposing of sensitive documents.
"No, I do not. I don't think there is a formal disposal policy. Legally," he answered.

Don't tell that to Radio Shack or Select Medical Corporation. Both settled lawsuits with the Texas Attorney General's Office this week for violating the Texas ID Theft Law that was passed in 2005.

It requires businesses to destroy any documents that contain sensitive information. Select Medical dumped 4,000 documents in its own dumpster, but did not destroy them first.

Both companies settled this week with the state for hundreds of thousands of dollars in fines.
[Evan] Don't forget about EZMONEY, L.P. and EZPAWN L.P. They agreed to pay $660,000 to the Texas Attorney General. Don't mess with Texas!

However, it's not just a civil law question. It is also an ethics question.

"If a customer of Radio Shack had an interest in privacy and an interest to have their identity protected (and) not just tossed to the wind, I can assure you that a medical provider or a lawyer has a higher duty," said 11 News legal expert Gerald Treece.

The sheriff's office is looking into the possibility laws were broken by throwing away the records in that dumpster, but were unsure if anything illegal happened.

As a matter of fact, there's a good possibility no laws were broken.
[Evan] Not criminal. This case may be ripe for a civil proceeding, however.

Weber spent several minutes loading the boxes into his car, but he also spent a lot of time avoiding the 11 News cameras as he picked up the discarded records.

Eventually, he left the scene, leaving a few boxes behind when he was confronted by 11 News cameras.

In his rush to get away, a box was left on the trunk lid of his vehicle and some of the papers inside flew out as he sped off.
[Evan] Embarrassed?

Weber told 11 News that all the documents were shredded on Wednesday morning.
[Evan] Any thought given to notifying the affected individuals? If not, it is probably too late now.

Weber also said he has talked with an attorney at the attorney general's office and told them he would cooperate fully.

11 News also spoke with one of the clients whose file was found in the dumpster on Monday. She said she's angry and feels betrayed.

Commentary:
We have read about organizations dumping sensitive confidential information in dumpsters before, but this is the first time I have read about a lawyer being responsible (or his wife). Mistakes do happen, but I question how much of a mistake this actually was due to Mr. Weber's initial "no big deal" reaction.

Past Breaches:
Unknown

Using a File Erasure Tool Considered Suspicious

Tue, 15 Jul 2008 09:36:03 +0000

By a California court:

The designer, Carter Bryant, has been accused by Mattel of using Evidence Eliminator on his laptop computer just two days before investigators were due to copy its hard drive. Carter hasn't denied that the program was run on his computer, but he said it wasn't to destroy evidence. He said he had legitimate reasons to use the software. [...] But the wiper programs don't ensure a clean getaway. They leave behind a kind of digital calling card. "Not only do these programs leave a trace that they were used, they each have a distinctive fingerprint," Kessler said. "Evidence Eliminator leaves one that's different from Window Washer, and so on." It's the kind of information that can be brought up in court. And if the digital calling card was left by Evidence Eliminator, it could raise some eyebrows, even if the wiper was used for the most innocent of reasons.

I have often recommended that people use file erasure tools regularly, especially when crossing international borders with their computers. Now we have one more reason to use them regularly: plausible deniability if you're accused of erasing data to keep it from the police.

How Can I Find Them? They Haven't Gone Missing!

Wed, 09 Jul 2008 08:45:35 +0000

I've often highlighted the utterly worthless spam messages that seem to endlessly circulate on Facebook, usually warning not to add (insert random name here) because they're an evil hacker and will destroy your PC, kill your family and so on.

Well, today I came across another such message:

.....insert gag about them being related to Chuck here....but underneath that message was something far more interesting:

Sounds serious, right? It seems personal, because it's their friend missing which adds a little more urgency - they provide a contact email address to notify them on, and it mentions a real world example of someone who went missing and was found via the Internet.

However.

Dig into this a little bit, and it all becomes clear quite quickly that something isn't quite right here. For starters, search for the missing persons name and there is no mention of him ever "going missing". Nothing on websites, news pages....it's like the whole thing is a work of fiction. In fact, buried in unrelated entries is the following snippet from a page on myyearbook.com:

Click to Enlarge

Check out the name of the "hacker" you shouldn't add. It seems someone has simply swiped the name and started pasting it into spam messages. A quick search of Facebook confirms the name and face go together.

A quick search for the email address listed as a contact brings up more interesting posts, this time posted to a personal blog:

Click to Enlarge

Same text....same reference to "real world" example....same email address. This person sure does get through a lot of missing friends! Note that this "missing person" chain letter has now stepped outside of Facebook and into other websites and networks.

At this point, you're probably wondering about the validity of the "real world" example, aren't you? Well, that would be a good idea! Notice they don't give any detail - it simply says "That is how the girl from Stevens Point was found by circulation of her picture on TV", and expect you to accept it as is. If you go searching for that phrase, it doesn't take long to find a page on Snopes.com regarding a missing girl hoax that stretches back some years:

"Please look at the picture, read what her father says, then forward his message on. Maybe if everyone passes this on, someone will see this child. That is how the girl from Stevens Point was found by circulation of her picture on tv..."

An email hoax, wrapped up and repackaged for the Facebook generation.

Have you googled, HR security breaches lately?

Tue, 08 Jul 2008 05:38:15 +0000

Blogger: Randall Gamby

As briefly mentioned in a Burton Group IdPS blog and a ZDNet Australia published article on July 3, 2008, HR data from Google was stolen from one of their previous HR outsource partners. It seems that the partner, Colt Express Outsource Partners, had equipment stolen that contained HR data from some of its clients, including Google. The data was unencrypted and stored on systems that were apparently portable.

So what does this mean for all of us?

First, it shows that even large SaaS companies like Google can be bitten by a lack of security at their partners, just like many of us can. Burton Group has been warning clients for a long time about the dangers of sending confidential information to outsource partners without proper security and audit processes in place. Of course this should also be backed by strong contractual language.

Second, be prepared to pay. Even if Google had breach mitigation terms in their contract, Colt Express announced that it was in financial difficulty. So Google has had to pay for financial reporting and other compensation to its own employees, even though Google did nothing wrong.

Third, a Google representative stated "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.” Does this mean that Google doesn’t require encryption of its confidential information since encryption of the data was not deployed at Colt Express? When working with third parties, whether it’s financial data or confidential personal data, this information needs to be protected from unauthorized access. One of the simplest ways is encrypting the data while at rest, regardless of where it’s located.

Final, the Colt Express breach brings to mind a question Burton Group is always asking: “What is your exit strategy if the contract is terminated with your outsourcing partner?” A lot of effort is expended in creating an outsourcing agreement around use and protection of data, but what happens when the contract is ended? Do you obtain and retain the information the outsource partner maintained? Do you have the outsource partner destroy the information and any archives of it (and verify this was done)? Do you create a custodial contract with the outsourcing partner for them to maintain the information and archives on your behalf (ensuring the data is properly protected)? As was found in this incident, after their contract with Google was terminated the outsourcing partner apparently retained the employee data unencrypted on their servers. This was the fatal mistake that allowed the breach to occur.

So as you work with your outsourcing and SaaS vendors, you should not only consider how day-to-day operations should be secured to maintain the confidentiality of your data. You should also think about how that data is being maintained over time, and what are your procedures should the unthinkable happen if your partner allows your data to be compromised.

Press takes on the hard drive

Wed, 18 Jun 2008 20:00:00 +0000

Tales abound of how best to destroy a hard drive. Some organizations remove the disk platters' magnetic coating with a power-sander, others use high-powered metal shredders, and PCs used on military operations may have explosive charges built in to prevent their analysis after capture.