[SecurityRatty] tag: jackson

Hacker Rips Off $12K in Calls Using Homeland Security Phones

Sat, 23 Aug 2008 15:10:02 +0000

According to security consultant John Jackson, the hacking was very low-tech and old school, which probably would make Steve "Blue Box" Wozniak proud, but it was an embarrassment for the...

76Service - Cybercrime as a Service Going Mainstream

Wed, 13 Aug 2008 04:08:43 +0000

Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

CNN Daily Top 10 Videos Spam

Tue, 05 Aug 2008 14:50:01 +0000

Like me, you've probably had quite a few "CNN Top 10" emails through over the last day or so. Here's just two of the many, many mails I've had through to various mailboxes:

If you opened up any of the mails, you'd have seen this:

Click to Enlarge

The first clue that something might have been amiss is the strangeness of some of the titles ("Michael Jackson sued by his own dog" isn't something I'd expect to see on CNN, at least not yet). Of course, the giveaway is that regardless of what link you click on, each one takes you to a website that isn't CNN.com - in fact, they all point to the same "video".

Click to Enlarge

If you download and install the file offered up, horrible things will start happening to your PC. Let's put it this way - anyone expecting to see Michael Jacksons dog in a courtroom is going to be severely disappointed.

Before long, your desktop will look like this:

Click to Enlarge

You'll have warnings like these:

And a rogue antivirus product will magically appear on your desktop:

Click to Enlarge

Worst of all, look at the name of one of the fake infections they try to scare the user with.

There's subtlety, then there's this:

....if you want to avoid your computer contributing to the "terrorist threat", don't open up any emails claiming to contain CNN videos.

Even if its Michael Jackson and his dog.

William Jackson on FISMA: It Works, Maybe

Mon, 30 Jun 2008 17:03:54 +0000

Article from William Jackson in Government Computer News: Security policies remain a burden to federal IT managers, but they are producing results.

First off, GCN, come into the modern Web 2.0 era by letting people comment on your articles or at least allow trackbacks. Having said that, let’s look at some of Mr Jackson’s points:

NIST Special Publications: They’re good. They’re free. The only problem is that they’re burying us in them. And oh yeah, SP 800-53A is finally final.
Security and Vendors/Contractors: It’s much harder than you might think. If there’s interest, I’ll put out some presentations on it in my “copious amounts of free time”. In the meantime, check out what I’ve said so far about outsourcing.
Documentation and Paperwork: Sadly, this is a fact of life for the Government. The primary problem is the layers of oversight that the system owner and ISSO have. When you are as heavily audited as the executive branch is, you tend to avoid risks and overdocument. My personal theory is that the reason is insistence on compliance instead of risk management.
Revising FISMA: I’ve said it time and time again, the law is good and doesn’t need to be changed, the execution is the part that needs work.

Bookmark to:

Pocono Mountain School District "irregularities"

Mon, 02 Jun 2008 08:36:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
Pocono Mountain School District

Contractor/Consultant/Branch:
None

Victims:
Students and parents

Number Affected:
Unknown*

*"SCHOOL DISTRICT ENROLLMENT (2007-2008) 11,500 students K-12 (Current as of Oct. 17, 2007)"

Types of Data:
"Student ID, network password, SSN if provided, ethnicity, gender, birthdate, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code (if absent today), dietary allergies (for food services), bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers"

Breach Description:
"An apparent cyber break-in of Pocono Mountain School District's computer system has put at potential risk personal information about students and parents, the district announced Friday.

District Superintendent Dwight Pfennig sent home letters on Friday afternoon telling parents about the apparent breach, which the district found out about the previous evening, according to Wendy Frable, director of public information."

Reference URL:
Pocono Mountain School District "Letter to Parents"
Pocono Record
The Morning Call

Report Credit:
Pocono Mountain School District

Response:
From the online sources cited above:

A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential information concerning students and their parents, the district's superintendent said Friday.
[Evan] This statement is provided by Joe McDonald of The Morning Call. It is unclear if a "hacker" breached the system or if there was another cause for the "irregularities" reported at the school.

District Superintendent Dwight Pfennig sent home letters on Friday afternoon telling parents about the apparent breach, which the district found out about the previous evening, according to Wendy Frable, director of public information.
[Evan] This is a quick notification. I think it is possible to be too quick in notifying victims, almost like The Boy Who Cried Wolf. It seems as though the school has not gathered the facts required to make a proper notification. Judge for yourself.

Frable said the district's technical staff had noted some irregularities during a routine security check Thursday night. "They detected some activity that seemed a little unusual," she said.

The technical staff is checking to see to what extent any personal information — and to whom it may belong — had been compromised.

The district referred the matter to Pennsylvania State Police at Swiftwater for further investigation, Frable said.

The information that may have been compromised includes the following: Student ID, network password, SSN if provided, ethnicity, gender, birthdate, grade, grade year, building no., building name, homeroom no., homeroom teacher, attendance code (if absent today), dietary allergies (for food services), bus assignment, free/reduced lunch status, home phone, primary home mailing address, secondary mailing address, parent names, parent phone numbers, emergency contact names, and emergency contact phone numbers.

"We don't know if anything was accessed," she said, adding that the district will contact anyone whose data had been found to be compromised. Frable also said that very few records include children's Social Security numbers.
[Evan] A breach involving children's personal information is especially bothersome.

We have conducted an internal investigation and suggest you take the following preventative measures now to help prevent and detect any misuse of your or your child’s information.

"As a first step to protect yourself from the possibility of identity theft, we recommend you closely monitor any accounts that may contain any or some of this information," Pfennig wrote in his letter to parents.

If you see any unauthorized activity, promptly contact your service provider and or office of the Executive Director of Technology at (570) 873-7121 Ext. 10151.

"We're just trying to do what's right by everyone," Frable said. "There's no reason to panic anyone, but people should just be cautious."
[Evan] Understandable, but some people will panic anyway. This is why it’s a good idea to gather facts before notification.

Parents got the letters when their children returned at the end of the school day, and at least one parent felt the school was being rather nonchalant.

''It sounds to me like they're trying to downplay it,'' said Ralph Ortega, who lives in Jackson Township. ''It's incredibly vague.''
[Evan] I agree. I question whether this is because there aren't enough facts available yet, or whether the school is not being square with the victims.

Commentary:
This breach leaves us with more questions than answers. People will speculate where there is a lack of clarity. I hope students and parents get the answers to the questions that they should demand answers too.

Past Breaches:
Unknown

Notes from IEEE Web 2.0 Security and Privacy Workshop (W2SP2008)

Tue, 27 May 2008 18:45:00 +0000

Thursday 5/22 I was at the IEEE Web 2.0 Security and Privacy Workshop. I figured I'd learn a few things, and also make sure that no new exploits were announced against my employer, and/or make sure we weren't the only examples people gave of problems.

I was pretty successful on goal #1, not 100% successful on goal #2.

This post is mostly brain dump of notes about the talks followed by a few things of architectural interest that I think were discussed enough at the workshop. A quick preview - the first half of the conference was spent talking about general security holes in Web-1.0 that we still haven't solved technically/architecturally/culturally. With that in mind its hard to see how we're going to have much success with Web-2.0 security.

I'll start by saying though that I was ever so slightly disappointed with the makeup of the attendees. Conferences and workshops held by the IEEE and ACM do generally tend towards the seriously geeky and academic side of things. You're much more likely to find papers that are suitable for journals with plenty of academic references, peer review, CS technical terms, formulas, etc. At the same time though workshops do tend towards the less academic and more practical side. It was disappointing therefore that, though the workshop focused a lot of time on things like secure mashups, social networks, and Web-2.0 security models, to the best of my knowledge very few of the players in this space were present. I didn't meet anyone from any of the really interesting mashup companies and none of the social networks were there (minus google, who was well represented). Perhaps in the future people attending and organizing workshops like these can actually get the folks at the relevant companies interested, specifically invite them, etc.

Now, onto the papers/presentations themselves:

Session 1: Authentication and Authorization

Daniel Sandler and Dan S. Wallach. must die!
Daniel presented some good idea on how to move password authentication into the browser chrome to improve our defenses against javascript malware such as javascript keyloggers, etc.

While the work Daniel did was quite cool in that it doesn't require any protocol modifications, to be truly useful in implementing authentication inside browser chrome you probably need involvement from the site itself to hint, tweak, etc. Once you start doing that though, you start looking at doing stuff like cardspaces to actually get to a better architectural solution.

Ben Adida. Web Authentication by Email Address

Ben focused on usability concerns in OpenID and the idea that email addresses (or things that look like email addresses) are much better identifiers than URLs. He sketched out how to modify OpenID to use email addresses or lookalikes for authentication rather than URLs. Some of his proposals hinge on using DNS lookups for a domain to find the authentication server much like we use MX records for email. While potentially risky, DNSSEC could theoretically be used to mitigate some of the problems.

I must say I haven't kept up with OpenID as much as I'd like to, and so I'm 99% sure lots of the nuance of Ben's proposal was lost on me.

Session 2: Browser Security Models and Isolation

Collin Jackson and Adam Barth. Beware of Finer-Grained Origins

Collin Jackson presented some work he and Adam have done on how the browser security model, namely the same-origin policy, isn't nearly granular enough to handle most web applications and sites that host them.

For example:

http://cs.stanford.edu/~abarth
http://cs.stanford.edu/~cjackson

both have the same origin from the browsers point of view, but don't necessarily have the same security policy per use intent. Because the web browser can't really distinguish between them, we don't have a clean way of separating the security policies here.

Collin went on to show a multitude of problems in the same origin policy between sites, and problems in the upgrade/downgrade of security indicators in a browser. I won't rehash all of his results but suffice it to say we desperately need things like ForceHTTPS embeded in browsers in the near future to prevent some of these problems.

Kapil Singh and Wenke Lee. On the Design of a Web Browser: Lessons learned from Operating Systems

Kapil presented some research his team has been doing on modeling web browsers more like operating systems. You might have seen some related work recently as part of the OP Browser project. The idea is that the internal implementation of most browsers is pretty dicey from a security perspective. There is no clean separation between policy and mechanism. All code operates at the same privilege level. Plugins cannot be constrained in what they can do, etc.

I haven't seen any analysis yet comparing what MS did with IE7 on Vista in protected mode as compared to OP or Kapil's work. It is pretty clear that MS didn't fully segment IE7, but I wonder how close they got to ideal on the sandboxing side of things.

That said, I think our biggest problem in browser security isn't the implementation and internal segmentation. Our biggest problem is that we don't have any idea what security policies we really want to implement. Sure, having a flexible architecture under the hood makes it easier to implement flexible and finer-grained policies, but unless we have some idea what those are, perhaps we're putting the cart before the horse in terms of robust internal implementation.

Mike Ter Louw, Prithvi Bisht and V.N. Venkatakrishnan. Analysis of Hypertext Markup Isolation Techniques for XSS Prevention

My favorite presentation of the day was this one by Mike Ter Louw. Mike talked all about the multiple ideas circulating out there related to content restrictions. He showed the different failure modes for several of the proposals, showed how some of them can be rescued, and pointed towards areas that need more research.

The idea of content restrictions and server-indicated security policy that clients interpret and enforce is a really hot idea right now, and I'm hoping to catch up with Mike in the not too distant future.

Mike - if you see this, drop me a note :)

Session 3: Social Computing Privacy Issues

Adrienne Felt and David Evans. Privacy Protection for Social Networking Platform

Adrienne presented some work she's done on weaknesses in the security model of social networks and paltforms such as Facebook. She analyzed a bunch of Facebook applications to understand whether they really ought to be granted all of the rights over user data that they are. She proposed some mechanisms for limiting what types of applications get access to what data by enhancing the FBML tags to allow an application to get more data without API access. She also showed how you can solve some data sharing rules with just FBML and a few permissions extensions without resorting to full API access.

What Adrienne didn't come out and say is that in some contexts things like vetting are actually important. Most people in the social networking space and Web-2.0 space don't want to look at things like vetting, legal relationships, etc. as a model for achieving security. While a preventative model looks great on paper, solving some of the data safety/privacy concerns can really only be handled through contracts, vetting, etc. No amount of hoping developers will do the right thing and develop least-privilege applications will solve this problem.

Monica Chew, Dirk Balfanz, and Ben Laurie. (Under)mining Privacy in Social Networks

Monica presented some research on how we can inadvertently leak data from social networks by a multitude of means. While it was an interesting talk on how you can aggregate data from multiple locations to pin down more details than you ought to, since I'm not a heavy user of social networks I found myself less than interested in the general problem. If you're going to post large amounts of personal data online in multiple online sources, you're going to have people aggregating them together. There is only so much we can do to protect ourselves against that sort of aggregation.

Session 4: Mashups and Privacy

D. K. Smetters. Building Secure Mashups

D.K.'s talk was quite short on technical details and yet was one of the better talks of the day. Whereas I had a few complaints about Kapil's talk earlier in the day being a solution looking for a problem, D.K.'s talk was about the problem itself - namely - how do we actually define the security policy we're trying to achieve in the mashup space, what sorts of general rules ought to govern application behavior, security properties, etc.

This was the first talk of the day to really talk about user expectations for security, what we should generally understand to be user intent, and how to actually try and implement that in a mashup application.

Tyler Close. Web-key: Mashing with Permission

Tyler's talk may have been the most entertaining of the day, if only because of his obvious frustration with what the web has become. Tyler's main claim was that we ought to be using capability URLs to handle our authentication and authorization concerns. URLs that encode both authentication and authorization data bring us back to the original intent of the web, where the link is everything.

It was nice to see someone railing against a bit of what the web has become, but it almost felt like an original internet user lamenting the end of the end-to-end internet. A decent architectural argument, and yet one that isn't likely to yield a lot of converts. I don't think I understood a few of Tyler's points about how to prevent these URLs from leaking out and/or how to revoke access should they happen to. There are a multitude of user acceptance, behavior, and expectation questions to be answered. It was a nice twist though on how to perhaps make access-controlled content more in keeping with the spirit of the web.

Mihai Christodorescu. Private Use of Untrusted Web Servers via Opportunistic Encryption

Mihai's presentation was about how to take advantage of networked services/web-applications while proividing them with only opaque data references created with cryptography. His main example was about how to use Google's Calendar product without ever sending them your real data, and sending them only client-side encrypted data instead.

While it seems like a nice idea, and while parts of his solution were technically elegant, I think again it was a solution looking for a problem. If you're so concerned about a networked service having your data that you're willing to reverse engineer the service to make it store your individual data elements encrypted, then perhaps a networked service isn't the one for you. TYhe architectural challenges in achieving what he was able to with Google's calendar are nearly impossible with a more complicated service. And, in order to make it work you have to give up many of the feature's you'd really like from a service - full text searching, etc.

I'm guessing there are a few places where's Mihai's ideas are feasible, but its hard for me to see the value prop in building what he proposed.

Some Final Thoughts:

We haven't come close to solving the security problems in a Web-1.0 world
We don't know what the security policies really ought to look like for the web, consequently we don't know what the architecture and implementation look like either.
Browsers are lacking fundamental architecture and policy around security.
Web-2.0 only makes things worse

Apart from all of the unsolved security challenges, the biggest point that struck me from the workshop was the general belief (or I assume belief, I didn't challenge people on it) that mashups are here to stay, and that we're just going to have to back into a security model for them.

I remain unconvinced that a client-side application mashup between datasets is the only way to build new and innovative applications, and that if there were any liability concerns or even contracts that held some of these companies/services even semi-accountable, perhaps we'd have a very different architecture than we're seeing as part of the mashup space.

We're spending time and money working on specs like XDR, HTML5-access-control, and we still haven't solved some of the fundamental security problems of the web. I didn't see anything at this workshop to dissuade me from that perception either.

Its like the old saying goes - "If it ain't fixed - don't break it more". Well, ok, that isn't an old saying, but maybe a few of the people working on mashups and social networks could actually operate with that as their motto we'd make some progress on all of this.

Iron Man Cameo - Samuel L. Jackson is Nick Fury

Mon, 05 May 2008 19:30:40 +0000

Late Friday night, I was one of the millions of weekend viewers that help make Iron Man the second-best premiere ever. I am surprised by those results, but only because Iron Man isn't so well-known as other Comic Book heroes like Superman or Batman.

Yes, I liked it and was pretty sure I would even before I wnt. However, Robert Downey Jr. really did an excellent job as Tony Stark and the movie was faithful to the Origin Story, though it was updated to modern times. I love to see the casting of good actors to make these characters into movies.

I had heard that there was an extra clip after the credits (which were super long, btw), so I stayed around until they were over and then snapped the picture to the left of the final scene and thought I'd share it with you.

And the cameo dialog seems to mean there will be a follow-up movie of some sort from Marvel, though maybe not Iron Man 2:"... I'm here to talk to you about the Avengers Initiative."

700,000 records on stolen CCB server

Tue, 22 Apr 2008 10:57:38 +0000

Technorati Tag: Security Breach

Date Reported:
4/18/08

Organization:
Numerous*

*See Commentary section for list of businesses

Contractor/Consultant/Branch:
Central Collection Bureau ("CCB")

Victims:
Individuals who were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Number Affected:
~700,000

Types of Data:
"personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes"

Breach Description:
"Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana. This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes."

Reference URL:
Central Collection Bureau
Chicago Sun-Times (Associated Press)
NBC Channel 13 Eyewitness News

Report Credit:
Central Collection Bureau

Response:
From the online sources cited above:

SECURITY BREACH NOTIFICATION ALERT:
CENTRAL COLLECTION BUREAU
Dated April 18, 2008

Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana.

This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes.

These individuals were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Approximately 700,000 files may have been breached.

The businesses that engaged CCB for debt collection during that period of time are listed below.

Please note that only a very small percentage of the individuals who were patients or customers of the businesses below—i.e., those who ultimately were referred for debt collection—would have their personal information included in the CCB database.

Some of the information might be outdated. St. Vincent Health System said it had not given any billing business to Central Collection in more than three years, so all of the missing billing information is several years old.
[Evan] This was a question that my colleagues and I were debating about this breach. 700,000 records seems like an awful lot of "active" collection accounts. CCB would need quite a few collection agents to service this many accounts, if in fact they were all active. I think we can assume that only a fraction of the 700,000 records were actually "active" and CCB did not effectively destroy information that they no longer needed to keep.

Other patients and customers of those companies are not affected by this breach.

The theft occurred on Friday, March 21, 2008, at CCB's location in Indianapolis.

On that date, thieves broke into the company's offices and stole 8 computers, as well as one of its servers (databases).

The server was password protected and protected by three locked doors. The 8 computers did not contain personal information.

The information was protected by two passwords but was not encrypted, Klene said.

"Our server was password protected. We have obviously spoken to some IT people who feel that a good computer hacker could get through those passwords," he said.
[Evan] It doesn't even take a "good computer hacker" to get through the passwords.

CCB promptly contacted the police and is working with the Indiana Attorney General's office.

The company also promptly installed additional locks, a security system, and a motion detection system to help minimize the risk of any further unauthorized access to its information.
[Evan] These will help with physical security. Full-disk encryption and a effective data retention policy wouldn't hurt for logical security, eh? Us information security guys would refer to multiple defensive layers as "defense in depth". Brilliant!

CCB apologizes to its clients and all Indiana residents affected by this incident.

"We're obviously heartsick about this," said Chet Klene, Central Collection Bureau president. "We've been in business since 1972, and nothing like this has ever happened before."
[Evan] I don't doubt that CCB is "heartsick" by this incident. I feel bad for them and the fact that they probably did not know any better. Maybe this is partly a failure on the part of the information security profession as a whole.

While the company has no information suggesting that the breach occurred for purposes of identity theft, it nevertheless has contacted the three national credit bureaus to place a fraud alert.

Please go to the CCB website at www.ccbinc.net, call CCB at 317-887-5165 or 1-800-878-5165 or email CCB at theft@ccbinc.net for more information

Commentary:
Clients of CCB with information on the stolen server include:

Academy Animal Hospital, Advanced Interventional Pain, Advanced Physical Therapy, Alternative Care Experience, Anderson General Surgery, Andrew Dick MD, Anesthesia, Aqua Systems, Associated Billing, "Barbara Sturm, MD", Brad Sammons DDS, Brien Grow DO, Buchanan Counseling Services, Campion Barrow & Assoc., Cardiothoracis Surgeons, Cardiovascular Diagnostic Services, Carl Foster MD, Caryn Guba DDS, Center For Orthopaedic Surgery, Central Indiana Phys Medicine & Rehab, Charles Howe Professional Medical Corp, Charles Kelley III DPM, Charles Kerkhove Jr DDS, Charles Tomich DDS, Chiropractic Thereputics, Citizens Gas & Coke, City of Franklin Ambulance, Clarian Radiology, Clinical Laboratory Physicians, Comdent, Comprecare, Culligan Water Conditioning, Cummins Behavioral Health System, D.E. Kelley DDS, Daniel Feeny MD, David Pennington III MD, David Shaw MD, David Szentes MD, Denture By Design, Dermatopathology Lab, Diagnostic Medicine, Dunlap Urgent Care, Edward J Diekhoff MD, Emily Cline MD, Emergency Medical Group Physicians, Forest Creek Family Dental, Friendly Village of Indy, Gary Hunt DDS, Gary Taylor DDS, Generations In Dentistry, George Small Jr MD, Gial Anesthesiology Service, Grandmas House Child Care, Greg Hardin MD, Hamilton Anesthesia Group, Hearing Center, Henderson Drugs & Home Health, House of Kids, Howard Alig MD, Howard Regional Health System, Indiana Radiology Partners, Indiana Spine Group, Indiana General Surgery, Indiana Medical Network, Indpls Neurosurgical Group, Internal Medicine Plus, JCB Anesthesia & Pain Mgt, Jeffrey Stevens DPM, Jennifer Siegel DDS, JMH Health Affiliates, John Jackson DC, John Norris MD, Johnson Co Anesthesia, Johnson County REMC, Johnson Memorial Hospital, Joseph Meek DDS, Julie Chao MD, Kenny Stall MD, Kerry Mays MD, Kevin Macadaeg MD, Khalil Wakim MD, Kidd Pediatrics, Knowledge Learning Corp, Koehring & Sons, Kokomo Sports Center, Larry Buckel MD, Laura Steiner MD, Laura Stitle MD, Laurette Robey MD, Laverne Tubergen MD, Lawrence Falender DDS, Library Park Immediate Care, Lora Overton DO, Madison Anesthesia Group, Madison Avenue Flower Shop, Mark Ellis DDS, Mark Kahn DDS, Mark Ogle MD, Mark Yamanaka MD, Martinsville Dental Center, Memory Maker Studios, Mere Image Sportswear, Meridian Veterinary Clinic, Methodist Arthritis Physicians, Methodist Medical Group, Michael Arnold DDS, Michael Cozzi MD, Michael Harper, Midamerica Surgery Center, Milto Cleaners, Mitchell Foster MD, Muncie Cataract & Laser Center, Nancy Zinni MD, Northside Surgical Specialists, Northside Anesthesia Services, Northwest Medical Pain Control, Nufinity, Orthopaedic Supplies Inc., Panchapakesan Harlan MD, Paul Batties MD, Paul Johnson DDS, Paul Johnson DDS, Paul Strange MD, Philip Borders MD, Pioneer Anesthesia Consultanta, PT Buntin MD, R.D. McQuiston MD, Rebecca De La Rosa DDS, Richard Herd Jr DDS, Rick Stephens Builder, Riley Bennett & Egloff LLP, Robert Smith MD, Robert's Salon & Day Spa, Ronald Wines DDS, RW Armstrong, Sandhya Nanda MD, Sarah Akard DDS, Scot Hagadorn MD, South Emerson Anesthesia Assoc., South Emerson Pain Management, South Emerson Surgery Center, Southeast Family Physicians, Southside Animal Hospital, Southside Family Medical Group, Southside Pediatrics, St. Vincent Health and related entities, Stephen Stitle MD, Stephen Szynal DO, Stonehedge Apartments, Stop 11 Animal Hospital, Sun Medical, Surgical Associates of Madison Co, Susan Wagner DDS, Thomas Eads MD, Thomas Ferrara MD, Tim Schafer DDS, University Family Physicians, University Pediatric Associates, University Surgeons, USF Inc, Valle Vista Guidance Center, Valle Vista Hospital, Walker Family Dentistry, Wells & Marvel PC

Past Breaches:
Unknown

The Federal government is a leader in NAC adoption

Wed, 09 Apr 2008 06:53:43 +0000

I had to comment on an article in GCN by William Jackson on network access control. William I am sure with the best of intentions set out to do an article on different types of NAC that are available in the network and its continued adoption rates. However he made the mistake of positioning his article on the federal governments NAC adoption evolution based upon just speaking to Greg Stock over at Mirage Networks and some of the folks at Enterasys. Neither company has any real NAC presence in the federal government. So of course the perspective would be that the federal government has not been an early adopter of NAC. You know what they say, when you are a hammer, everything looks like a nail. The fact that Stock even brings up a NAC managed service as a potential option for the federal space screams that we are talking about someone who knows nothing about the Federal space.

So let me add a voice of experience and and some truth here. The federal government has not only been an early adopter of NAC, but it has been a leader in driving NAC standards and functionality. Go talk to the DoD and the armed forces about what they have been doing around NAC. Go talk to DISA about NAC deployments. Speak to Homeland Security, FCC, Transportation, USDA or any number of other federal agencies who have been looking at and using NAC for years already and than try to tell me that the Feds are lagging on NAC adoption. Go ask Cisco how much NAC they have sold into the federal space.

I wish Mr Jackson would do a little more digging besides talking to vendors with little or no presence in the federal market and in some cases even less experience in it. GCN readers deserve better!

Customers of 14 Advance Auto Parts stores are victims of intrusion

Mon, 31 Mar 2008 17:45:18 +0000

Technorati Tag: Security Breach

Date Reported:
3/31/08

Organization:
Advance Auto Parts, Inc.*

*Headquartered in Roanoke, Va., Advance Auto Parts is the second-largest retailer of automotive aftermarket parts, accessories, batteries, and maintenance items in the United States, based on store count and sales. As of December 29, 2007, the Company operated 3,261 stores in 40 states, Puerto Rico, and the Virgin Islands. The Company serves both the do-it-yourself and professional installer markets.

Contractor/Consultant/Branch:
None

Victims:
Customers that made purchases and one of 14 retail stores

Number Affected:
56,000

Types of Data:
"financial information" including "credit card, debit card and checking account information"

Breach Description:
"Advance Auto Parts Inc. (AAP) said data from 14 of its stores may have been affected by a network intrusion, potentially compromising financial information of up to 56,000 customers."

Reference URL:
Advance Auto Parts News Release
CNNMoney
Reuters via Forbes.com
eWeek.com

Report Credit:
Advance Auto Parts, Inc.

Response:
From the online sources cited above:

ROANOKE, Va.--(BUSINESS WIRE)--March 31, 2008--Advance Auto Parts, Inc. (NYSE:AAP), a leading automotive aftermarket retailer of parts, accessories and maintenance items, released information today regarding the Company becoming the victim of a network intrusion.
[Evan] I don't think of the company as a "victim". I think of the people and possibly the banks that may have to reissue cards and reimburse the people as victims.

The investigation by Advance Auto Parts revealed that data from 14 of its stores may have been impacted, potentially compromising customer financial information of up to 56,000 customers.

The following 14 Advance Auto Parts stores were affected by this network intrusion:

Affected Store Address             City              State
----------------------------------------------------------------------
2920 Martin Luther King Jr. Drive Atlanta           Georgia
----------------------------------------------------------------------
6100 Old National Highway          College Park      Georgia
----------------------------------------------------------------------
1354 Harrisburg Pike               Columbus          Ohio
----------------------------------------------------------------------
950 E Boston Street                Covington         Louisiana
----------------------------------------------------------------------
2055 South Locust St.              Canal Fulton      Ohio
----------------------------------------------------------------------
422 US Highway 80 W                Garden City       Georgia
----------------------------------------------------------------------
2414 Belle Chase Highway           Gretna            Louisiana
----------------------------------------------------------------------
1370 Ashland Road                  Mansfield         Ohio
----------------------------------------------------------------------
6645 E. Shelby Dr.                 Memphis           Tennessee
----------------------------------------------------------------------
179 Sgt Prentiss Drive             Natchez           Mississippi
----------------------------------------------------------------------
5185 Jimmy Carter Blvd.            Norcross          Georgia
----------------------------------------------------------------------
936 N. Gospel St.                  Paoli             Indiana
----------------------------------------------------------------------
6300 W. Broad St.                  Richmond          Virginia
----------------------------------------------------------------------
1802 Teall Ave.                    Syracuse          New York
----------------------------------------------------------------------
[Evan] I don't recognize any pattern in the store locations. I wonder if there is a pattern elsewhere. Why these stores, or is this just all that is known at this point?

Advance has notified its credit, debit and check processors.

As a precautionary measure, the Company has also started sending letters directly to the impacted customers whom it has been able to identify. Customers who purchased products in the 14 stores and who do not receive a letter can call the toll-free number listed below to determine if they have been impacted.

Advance is also working with the appropriate law enforcement officials who are conducting a criminal investigation.

The Company believes that the incident has been contained. However, the Company is continuing to investigate and has partnered with a leading global third party security expert to assist in the investigation.

In addition, Advance continually partners with leading experts to enhance the security of information technology systems.
[Evan] Like who? What makes a person a leading expert?

"Safeguarding our customers' confidential financial information is extremely important to Advance Auto Parts, and we take this responsibility very seriously," said Darren Jackson, President and Chief Executive Officer.
[Evan] I respect the fact that the CEO of the company addresses the public regarding this breach. It demonstrates that Mr. Jackson understands his role and ultimate responsibility for information security.

Advance has also established a special toll-free number with dedicated resources for potentially impacted customers who made purchases in the 14 stores to call to ask questions. The special toll-free number is 1-800-704-1154. Customer service representatives will be available to answer questions seven days a week from 8 am until 12 midnight EDT through May 31, 2008.

Advance is offering the affected customers a credit monitoring product from a national credit reporting agency at no cost for one year.

"We sincerely apologize for any inconvenience this attack on our network may cause. Advance Auto Parts has been dedicated for the past 75 years to earning customer trust and for providing Legendary Customer Service. We strive to serve each and every customer better than anyone else," said Jackson. "We truly appreciate the business of each Advance Auto Parts customer."

Commentary:
There are many many details missing from this news release. I expect more details to follow as people continue to ask questions and demand answers. A "network intrusion" is very general and implies an outsider attack. Why these 14 stores?

Stay tuned...

Past Breaches:
Unknown