<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: resold]]></title>
    <link>http://securityratty.com/tag/resold</link>
    <description></description>
    <pubDate>Fri, 09 May 2008 01:00:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[TorrentReactor Compromised, 1.2M Users Database In the Wild]]></title>
      <link>http://securityratty.com/article/f8522b4ca6f0f9bf12138f74fff3e378</link>
      <guid>http://securityratty.com/article/f8522b4ca6f0f9bf12138f74fff3e378</guid>
      <description><![CDATA[It appears that TorrentReactor.net, a highly popular torrent tracker, got compromised in September, with its users database consisting of 1.2M users and TorrentReactor's source code stolen

Despite...]]></description>
      <content:encoded><![CDATA[<div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://1.bp.blogspot.com/_wICHhTiQmrA/SPdEfsjReXI/AAAAAAAACTQ/9j8MdDVE0rk/s1600-h/torrentreactor_database_compromised_september.jpeg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_wICHhTiQmrA/SPdEfsjReXI/AAAAAAAACTQ/FrCjjiLA1pM/s200-R/torrentreactor_database_compromised_september.jpeg" /></a>It appears that TorrentReactor.net, a highly popular torrent tracker, got compromised in September, with its users database consisting of 1.2M users and TorrentReactor's source code stolen.<br />
<br />
Even though the attacker claiming responsibility cites reputation enhancement as the reason for the attack, sooner or later the personal details will be sold and resold to spammers, with the possibility for spear phishing attacks left wide open.]]></content:encoded>
      <pubDate>Thu, 16 Oct 2008 10:00:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/users">users</category>
      <category domain="http://securityratty.com/tag/users database">users database</category>
      <category domain="http://securityratty.com/tag/torrentreactor">torrentreactor</category>
      <category domain="http://securityratty.com/tag/reputation enhancement">reputation enhancement</category>
      <category domain="http://securityratty.com/tag/personal details">personal details</category>
      <category domain="http://securityratty.com/tag/source code">source code</category>
      <category domain="http://securityratty.com/tag/attacks">attacks</category>
      <category domain="http://securityratty.com/tag/possibilitity">possibilitity</category>
      <category domain="http://securityratty.com/tag/resold">resold</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/422949412/torrentreactor-compromised-12m-users.html">TorrentReactor Compromised, 1.2M Users Database In the Wild</source>
    </item>
    <item>
      <title><![CDATA[Summarizing July's Threatscape]]></title>
      <link>http://securityratty.com/article/2860027a1eaa69350d814429c3bf6070</link>
      <guid>http://securityratty.com/article/2860027a1eaa69350d814429c3bf6070</guid>
      <description><![CDATA[July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the...]]></description>
      <content:encoded><![CDATA[<div style="text-align: left;"></div><div class="separator" style="text-align: center; clear: both;"></div><a href="http://bp3.blogger.com/_wICHhTiQmrA/SJLdSTaizDI/AAAAAAAAB_E/WogqT88LBdc/s1600-h/ddanchev_july.jpg" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp3.blogger.com/_wICHhTiQmrA/SJLdSTaizDI/AAAAAAAAB_E/Bb9z-K3ib7c/s200-R/ddanchev_july.jpg" style="border: 0pt none ;" /></a>July's threatscape -- consider going through <a href="http://ddanchev.blogspot.com/2008/07/summarizing-junes-threatscape.html">June's summary</a> as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.<br />
<br />
Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.<br />
<br />
<b>01.</b> <a href="http://ddanchev.blogspot.com/2008/07/decrypting-and-restoring-gpcode.html">Decrypting and Restoring GPcode Encrypted Files</a> -<br />
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come up with a virtually unbreakable algorithm. And since more evidence of <a href="http://ddanchev.blogspot.com/2008/06/whos-behind-gpcode-ransomware.html">who's behind the GPcode ransomware</a> was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleted and not securely erased, making them fairly easy to recover.<br />
<br />
<b>02.</b> <a href="http://ddanchev.blogspot.com/2008/07/chinese-bloggers-bypassing-censorship.html">Chinese Bloggers Bypassing Censorship by Blogging Backward</a> -<br />
When you know how it works, you can either improve, abuse or destroy it, in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message, obfuscating their messages in a way that common keyword filtering software wouldn't be able to pick them up.<br />
<br />
<b>03.</b> <a href="http://ddanchev.blogspot.com/2008/07/gmail-yahoo-and-hotmails-captcha-broken.html">Gmail, Yahoo and Hotmail’s CAPTCHA Broken</a> -<br />
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that <a href="http://blogs.zdnet.com/security/?p=1514">spam and phishing emails coming from legitimate email providers are increasing</a>. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payment, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.<br />
<br />
<b>04.</b> <a href="http://ddanchev.blogspot.com/2008/07/antivirus-industry-in-2008.html">The Antivirus Industry in 2008</a> -<br />
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.<br />
<br />
<b>05.</b> <a href="http://ddanchev.blogspot.com/2008/07/lithuania-attacked-by-russian.html">Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced</a> -<br />
This attack is a good example of a decent PSYOPS operation. Of course they had already built the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it, making it look like they delivered what they'd promised? This was a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same goes for the <a href="http://blogs.zdnet.com/security/?p=1533">Georgia President’s web site which was under DDoS attack from Russian hackers</a> later this month. Despite the hacktivists behind it dedicating a separate C&amp;C for the attack, one that hasn't been used in any type of previous attack so far, they made a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.<br />
<br />
<b>06.</b> <a href="http://ddanchev.blogspot.com/2008/07/icann-responds-to-dns-hijacking-its.html">The ICANN Responds to the DNS Hijacking, Its Blog Under Attack</a> -<br />
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, in addition to stating it was a "glitch". The ICANN also took advantage of the moment to point out that their blog has been under attack during the month. There's no better example of how the combination of <a href="http://ddanchev.blogspot.com/2008/06/icann-and-ianas-domain-names-hijacked.html">technological and social engineering tactics can result in the hijacking of the domains</a> of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, <a href="http://ddanchev.blogspot.com/2008/06/update-to-photobuckets-dns-hijacking.html">issued a statement</a>.<br />
<br />
<b>07.</b> <a href="http://ddanchev.blogspot.com/2008/07/risks-of-outdated-situational-awareness.html">The Risks of Outdated Situational Awareness</a> -<br />
Security vendors are often in a "catch-up mode", and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what's going on online, I'd be pretty excited. However, I'm not. <a href="http://blogs.zdnet.com/security/?p=1085">Prevx were catching up with a service which I covered approximately two months ago</a>; I even had the chance to constructively confront one of the affected sites on how, despite their security measures in place, this attack was still possible. Recently <a href="http://www.theregister.co.uk/2008/07/18/limbo_trojan/">Prevx have once again demonstrated an outdated situational awareness</a> by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.<br />
<br />
<b>08.</b> <a href="http://ddanchev.blogspot.com/2008/07/fake-porn-sites-serving-malware-part.html">Fake Porn Sites Serving Malware - Part Two</a> -<br />
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.<br />
<br />
<b>09.</b> <a href="http://ddanchev.blogspot.com/2008/07/storm-worms-us-invasion-of-iran.html">Storm Worm's U.S Invasion of Iran Campaign</a> -<br />
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.<br />
<br />
<b>10.</b> <a href="http://ddanchev.blogspot.com/2008/07/mobile-malware-scam-isexplayer-wants.html">Mobile Malware Scam iSexPlayer Wants Your Money</a> -<br />
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours after a user tipped me off about it.<br />
<br />
<b>11.</b> <a href="http://ddanchev.blogspot.com/2008/07/template-ization-of-malware-serving.html">The Template-ization of Malware Serving Sites</a> -<br />
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite the fact that they all look the same, they all serve different types of malware, and zero porn or celebrity content at all except the thumbnails.<br />
<br />
<b>12.</b> <a href="http://ddanchev.blogspot.com/2008/07/violating-opsec-for-increasing.html">Violating OPSEC for Increasing the Probability of Malware Infection</a> -<br />
There's no better way to expose your affiliations and several so far unknown bad netblocks than by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".<br />
<br />
<b>13.</b> <a href="http://ddanchev.blogspot.com/2008/07/monetizing-compromised-web-sites.html">Monetizing Compromised Web Sites</a> -<br />
Several years ago, a script kiddie would install Apache on a mail server and claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or by personally starting to manage a scammy infrastructure on them, earning money on an affiliate based model, like this particular attack.<br />
<br />
<b>14.</b> <a href="http://ddanchev.blogspot.com/2008/07/malware-and-office-documents-joining.html">Malware and Office Documents Joining Forces</a> -<br />
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.<br />
<br />
<b>15.</b> <a href="http://ddanchev.blogspot.com/2008/07/are-stolen-credit-card-details-getting.html">Are Stolen Credit Card Details Getting Cheaper?</a> -<br />
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.<br />
<br />
<b>16.</b> <a href="http://ddanchev.blogspot.com/2008/07/neosploit-malware-kit-updated-with.html">The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit</a> -<br />
Since all the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into consideration the exploits that come with the default installation.<br />
<br />
<b>17.</b> <a href="http://ddanchev.blogspot.com/2008/07/obfuscating-fast-fluxed-sql-injected.html">Obfuscating Fast-fluxed SQL Injected Domains</a> -<br />
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.<br />
<br />
<b>18.</b> <a href="http://ddanchev.blogspot.com/2008/07/unbreakable-captcha.html">The Unbreakable CAPTCHA</a> -<br />
There's never been a shortage of ideas, there's always been an issue of usability.<br />
<br />
<b>19.</b> <a href="http://ddanchev.blogspot.com/2008/07/ayyildiz-turkish-hacking-group-vs.html">The Ayyildiz Turkish Hacking Group VS Everyone</a> -<br />
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.<br />
<br />
<b>20.</b> <a href="http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html">Money Mule Recruiters use ASProx's Fast Fluxing Services</a> -<br />
True multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service. <br />
<br />
<b>21.</b> <a href="http://ddanchev.blogspot.com/2008/07/sql-injecting-malicious-doorways-to.html">SQL Injecting Malicious Doorways to Serve Malware</a> -<br />
Constantly switching tactics and combining different ones to achieve an objective that used to be accomplished by plain simple techniques is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways, the result of converging traffic management tools with web malware exploitation kits.<br />
<br />
<b>22.</b> <a href="http://ddanchev.blogspot.com/2008/07/impersonating-stopbadwareorg-to-serve.html">Impersonating StopBadware.org to Serve Fake Security Warnings</a> -<br />
Typosquatting popular security vendors and services is nothing new, but having HostFresh provide the hosting for the parked domains promoting the rogue security software is a privilege and flattery for the success of the Stopbadware initiative.<br />
<br />
<b>23.</b> <a href="http://ddanchev.blogspot.com/2008/07/coding-spyware-and-malware-for-hire.html">Coding Spyware and Malware for Hire</a> -<br />
Customerization -- not customization -- has been taking place for a while; that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be found, are among the requirements the coder insists on.<br />
<br />
<b>24. </b><a href="http://ddanchev.blogspot.com/2008/07/lazy-summer-days-at-ukrtelegroup-ltds.html">Lazy Summer Days at UkrTeleGroup Ltd</a><b> -</b><br />
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&amp;control locations always provides an insight into what their customers are up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.<br />
<br />
<b>25. </b><a href="http://ddanchev.blogspot.com/2008/07/email-hacking-going-commercial.html">Email Hacking Going Commercial</a> -<br />
Cybercrime is in fact getting easier to outsource, and while there are plenty of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service is that you only pay once they show you proof that they've managed to hack the email address you gave them. How are they doing it? Social engineering and enticing the user to click on a live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.<br />
<br />
<b>26.</b> <a href="http://ddanchev.blogspot.com/2008/07/vulnerabilities-in-antivirus-software.html">Vulnerabilities in Antivirus Software - Conflict of Interest</a> -<br />
You can easily twist the number of vulnerabilities found in your antivirus solution by not recognizing them as vulnerabilities in the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.<br />
<br />
<b>27. </b><a href="http://ddanchev.blogspot.com/2008/07/counting-bullets-on-malware-front.html">Counting the Bullets on the (Malware) Front</a> -<br />
Emphasizing the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but it is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality though, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signature based scanning model.<br />
<br />
<b>28. </b><a href="http://ddanchev.blogspot.com/2008/07/smells-like-copycat-sql-injection-in.html">Smells Like a Copycat SQL Injection In the Wild</a> -<br />
It was pretty obvious that copycats, seeing the success of SQL injections and the huge number of sites susceptible to exploitation, would also start taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.<br />
<br />
<b>29. </b><a href="http://ddanchev.blogspot.com/2008/07/click-fraud-botnets-and-parked-domains.html">Click Fraud, Botnets and Parked Domains - All Inclusive</a> -<br />
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.<br />
<br />
<b>30. </b><a href="http://ddanchev.blogspot.com/2008/07/over-80-percent-of-storm-worm-spam-sent.html">Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings</a><b> -</b><br />
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as the foundation for the propagation of the new malware in this case, it's questionable whether the Storm Worm-ers themselves are sending out the junk emails, or whether it's the people who've rented access to the botnet doing it. <br />
<br />
<b>31. </b><a href="http://ddanchev.blogspot.com/2008/07/neosploit-team-leaving-it-underground.html">Neosploit Team Leaving the IT Underground</a> -<br />
Pretty surprising at first, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.<br />
<br />
<b>32. </b><a href="http://ddanchev.blogspot.com/2008/07/dissecting-managed-spamming-service.html">Dissecting a Managed Spamming Service</a> - <br />
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increasing the probability of making that happen. This is an example of a random service emphasizing the improved metrics they're capable of delivering.<br />
<br />
<b>33. </b><a href="http://ddanchev.blogspot.com/2008/07/storm-worms-lazy-summer-campaigns.html">Storm Worm's Lazy Summer Campaigns</a> -<br />
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.]]></content:encoded>
      <pubDate>Fri, 01 Aug 2008 12:08:24 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/profitable malware operations">profitable malware operations</category>
      <category domain="http://securityratty.com/tag/malware authors">malware authors</category>
      <category domain="http://securityratty.com/tag/malware tools">malware tools</category>
      <category domain="http://securityratty.com/tag/malware coder">malware coder</category>
      <category domain="http://securityratty.com/tag/malware kit">malware kit</category>
      <category domain="http://securityratty.com/tag/malware infection">malware infection</category>
      <category domain="http://securityratty.com/tag/neosploit malware kit">neosploit malware kit</category>
      <category domain="http://securityratty.com/tag/spam">spam</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/352993637/summarizing-julys-threatscape.html">Summarizing July's Threatscape</source>
    </item>
    <item>
      <title><![CDATA[Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings]]></title>
      <link>http://securityratty.com/article/ea68adf4b019a71c0112661ffc8d8bf1</link>
      <guid>http://securityratty.com/article/ea68adf4b019a71c0112661ffc8d8bf1</guid>
      <description><![CDATA[It used to be a case where a botnet would be used for a single purpose, spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected hosts allowed botnet masters more...]]></description>
      <content:encoded><![CDATA[<div style="text-align: left;"></div><div class="separator" style="text-align: center; clear: both;"></div><a href="http://bp2.blogger.com/_wICHhTiQmrA/SI3DACirIII/AAAAAAAAB-M/mbToBJwm1uU/s1600-h/storm_pharma.png" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp2.blogger.com/_wICHhTiQmrA/SI3DACirIII/AAAAAAAAB-M/YWIdXnUoPoU/s200-R/storm_pharma.png" style="border: 0pt none ;" /></a>It used to be a case where a botnet would be used for a single purpose, spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected hosts allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - <a href="http://ddanchev.blogspot.com/2008/06/underground-multitasking-in-action.html">today's underground multitasking</a> improving the monetization of what used to be commodity goods and services.<br />
<br />
Today, a botnet will not only be <a href="http://ddanchev.blogspot.com/2008/02/inside-botnets-phishing-activities.html">sending out phishing emails</a> and automatically <a href="http://blogs.zdnet.com/security/?p=1122">SQL injecting vulnerable sites across the web</a>, but also providing <a href="http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html">fast-flux infrastructure to money mule recruitment services</a>, all of this for the sake of optimizing the efficiency provided by the botnet in general. This <a href="http://ddanchev.blogspot.com/2007/10/botnet-on-demand-service.html">optimization makes it possible for a single botnet to be partitioned</a> and access to it <a href="http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html">sold and resold so many times</a> that it would be hard to keep track of all the malicious activities it participates in. Cybercrime on multiple fronts using a single botnet is only starting to take place as a concept.<br />
<br />
That's the case with Stormy Wormy, according to IronPort whose "<a href="http://www.darkreading.com/document.asp?doc_id=156139&amp;WT.svl=news1_1">Researchers Link Storm Botnet to Illegal Pharmaceutical Sales</a>" : <br />
<br />
"<i>Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. <b>But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now</b>," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year.</i>"<br />
<br />
Murky until now? I can barely see in the room due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first stages of their appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough making it harder to keep track of all of their activities.<br />
<br />
<a href="http://www.ironport.com/malwaretrends/">The Storm Worm-ers themselves aren't sending out pharma spam</a>; the customers to whom they've sold access to parts of Storm Worm are the ones sending the pharma spam. Here's a brief analysis published in May - "<a href="http://ddanchev.blogspot.com/2008/05/storm-worm-hosting-pharmaceutical-scams.html">Storm Worm Hosting Pharmaceutical Scams</a>". What's in it for the scammers? Income based on a revenue-sharing affiliate program; <a href="http://ddanchev.blogspot.com/2007/10/incentives-model-for-pharmaceutical.html">a pharmacy affiliate program</a> has been around for several years:<br />
<br />
"<i>This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services</i>" <br />
<br />
What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers, whose job today is more campaign-rotation related, ensuring that new bots keep being added; what's coming out of Storm Worm is coming from those <a href="http://it.slashdot.org/article.pl?sid=07/10/16/155209">using the access they've purchased to a part of the botnet</a>.<br />
<br />
<b>Related posts:</b><br />
<a href="http://ddanchev.blogspot.com/2008/05/storm-worm-hosting-pharmaceutical-scams.html">Storm Worm Hosting Pharmaceutical Scams</a><br />
<a href="http://ddanchev.blogspot.com/2008/05/all-you-need-is-storm-worms-love.html">All You Need is Storm Worm's Love</a><br />
<a href="http://ddanchev.blogspot.com/2007/01/social-engineering-and-malware.html">Social Engineering and Malware</a><br />
<a href="http://ddanchev.blogspot.com/2007/02/storm-worm-switching-propagation.html">Storm Worm Switching Propagation Vectors</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/storm-worms-use-of-dropped-domains.html">Storm Worm's use of Dropped Domains</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/offensive-storm-worm-obfuscation.html">Offensive Storm Worm Obfuscation</a><br />
<a href="http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html">Storm Worm's Fast Flux Networks</a><br />
<a href="http://ddanchev.blogspot.com/2008/01/storm-worms-st-valentine-campaign.html">Storm Worm's St. Valentine Campaign</a><br />
<a href="http://ddanchev.blogspot.com/2007/09/storm-worms-ddos-attitude.html">Storm Worm's DDoS Attitude</a><br />
<a href="http://ddanchev.blogspot.com/2007/12/riders-on-storm-worm.html">Riders on the Storm Worm</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/storm-worm-malware-back-in-game.html">The Storm Worm Malware Back in the Game</a>]]></content:encoded>
      <pubDate>Mon, 28 Jul 2008 23:29:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/storm worm">storm worm</category>
      <category domain="http://securityratty.com/tag/storm worm malware">storm worm malware</category>
      <category domain="http://securityratty.com/tag/storm">storm</category>
      <category domain="http://securityratty.com/tag/hardcore storm worm-ers">hardcore storm worm-ers</category>
      <category domain="http://securityratty.com/tag/storm worm-ers">storm worm-ers</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/botnet">botnet</category>
      <category domain="http://securityratty.com/tag/botnet masters">botnet masters</category>
      <category domain="http://securityratty.com/tag/botnet spam">botnet spam</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/349239892/over-80-percent-of-storm-worm-spam-sent.html">Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: iPhone 3G Plans, TAP-Fi, Free Boingo Day, St. Louis-Fi]]></title>
      <link>http://securityratty.com/article/50c0c57ed89756e7c0d3f64b6552994e</link>
      <guid>http://securityratty.com/article/50c0c57ed89756e7c0d3f64b6552994e</guid>
      <description><![CDATA[iPhone 3G availability, pricing clarified for U.S.: AT&amp;T released details on the full cost of iPhone 3G hardware and service, providing more detail than previously available. The phone is $199 (8 GB)...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><a href="http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=109&STORY=/www/story/07-01-2008/0004842035&EDATE="><strong>iPhone 3G availability, pricing clarified for U.S.:</strong></a> AT&T released details on the full cost of iPhone 3G hardware and service, providing more detail than previously available. The phone is $199 (8 GB) or $299 (16 GB) to AT&T's existing 2G iPhone customers who want to upgrade, to customers with no current contract, or new customers. Existing customers with another phone contract in place pay $399 (8 GB) or $499 (16 GB). Monthly data pricing is a flat $30 for unlimited use--no 5 GB cap--and text messaging is extra, at either an absurd 20 cents each, or bundles starting at $5 per month for 200 messages. Old 2G iPhones can be resold or given away by those who upgrade, and still qualify for the cheaper 2G plans, that start at $20 per month for unlimited data and 200 SMSs. Or a 2G iPhone can be used as a Wi-Fi-only device.</p>

<p><a href="http://www.onair.aero/"><strong>TAP Portugal adds in-flight calling:</strong></a> OnAir's satellite-based call service is now in a trial on a single Airbus A319 in TAP's fleet. The six-month trial will determine how they move forward. TAP was originally slated to launch a trial nearly three years ago, but technical and regulatory issues have delayed in-flight mobile use in Europe. This isn't broadband, by the way: it's pricey per-minute calls, texts, and cell-based email.</p>

<p><a href="http://www.boingo.com/freedom/"><strong>Boingo offers free day pass for downloading connection software:</strong></a> The hotspot aggregator will give you 24 hours of use at a location in their network for downloading their lightweight connection software by 6-July-2008. The software identifies Boingo-partnered networks, and lets you sign in without any fuss.</p>

<p><a href="http://www.bizjournals.com/stlouis/stories/2008/06/30/daily11.html"><strong>AT&T launches downtown St. Louis network:</strong></a> The company found that it couldn't complete its city-wide proposal due to light pole issues. They've built out a square mile in the downtown, instead. The service is $8 per day and $16 per week, or free for up to 20 hours per month when ads are viewed. AT&T DSL, fiber, and remote business customers get free use of the network.</p>]]></content:encoded>
      <pubDate>Wed, 02 Jul 2008 07:52:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/iphone">iphone</category>
      <category domain="http://securityratty.com/tag/iphone customers">iphone customers</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/tap">tap</category>
      <category domain="http://securityratty.com/tag/att">att</category>
      <category domain="http://securityratty.com/tag/trial">trial</category>
      <category domain="http://securityratty.com/tag/six-month trial">six-month trial</category>
      <category domain="http://securityratty.com/tag/att dsl">att dsl</category>
      <category domain="http://securityratty.com/tag/att launches downtown">att launches downtown</category>
      <source url="http://wifinetnews.com/archives/008385.html">Wee-Fi: iPhone 3G Plans, TAP-Fi, Free Boingo Day, St. Louis-Fi</source>
    </item>
    <item>
      <title><![CDATA[New Global Refurbishment Programs]]></title>
      <link>http://securityratty.com/article/ef38904c2f10b2a884c27963e792a3d6</link>
      <guid>http://securityratty.com/article/ef38904c2f10b2a884c27963e792a3d6</guid>
      <description><![CDATA[A new program is starting in Uganda to refurbish and resell old computers the first world no longer wants, funded by Microsoft and the United Nations Industrial Development Organization. From Ars...]]></description>
      <content:encoded><![CDATA[<p>A new program is starting in Uganda to refurbish and resell old computers the first world no longer wants, funded by Microsoft and the United Nations Industrial Development Organization. From <a rel="nofollow" target="_blank" href="http://arstechnica.com/news.ars/post/20080616-un-microsoft-initiative-give-old-pcs-new-life-in-uganda.html">Ars Technica</a>:</p>
<blockquote><p>The center will have the capacity to handle 10,000 computers a year, and the machines that are salvageable will be resold for the local equivalent of $175, about a third of the cost of new computers there. When a computer is deemed past the point of rescue, the centers are capable of recycling the components. RAM chips will be reused, metal and other valuable components recycled, and toxic substances handled safely.</p></blockquote>
<p>Neat, this sounds like a good alternative and supplement to programs like the OLPC. There is a lot of toxic waste out there, but a lot of computers that we get rid of because they&#8217;re no longer good enough for our datacenters can still be useful to others, especially in the third world.</p>]]></content:encoded>
      <pubDate>Mon, 16 Jun 2008 15:13:58 +0000</pubDate>
      <category domain="http://securityratty.com/tag/computers">computers</category>
      <category domain="http://securityratty.com/tag/components">components</category>
      <category domain="http://securityratty.com/tag/valuable components">valuable components</category>
      <category domain="http://securityratty.com/tag/local equivalent">local equivalent</category>
      <category domain="http://securityratty.com/tag/ram chips">ram chips</category>
      <category domain="http://securityratty.com/tag/ars technica">ars technica</category>
      <category domain="http://securityratty.com/tag/lot">lot</category>
      <category domain="http://securityratty.com/tag/world">world</category>
      <category domain="http://securityratty.com/tag/programs">programs</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/313469032/">New Global Refurbishment Programs</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: It's Catchup Time: O2 Adds Wi-Fi for iPhone Plan, SanDisk Buys MusicGremlin, Zyxel Offers Phone-Home Wi-Fi Camera]]></title>
      <link>http://securityratty.com/article/236ad653d83ab9f5663aabaab641864b</link>
      <guid>http://securityratty.com/article/236ad653d83ab9f5663aabaab641864b</guid>
      <description><![CDATA[I apologize for the following deluge of Wi-Fi items, but I'm catching up after Apple's major product announcement on Monday: I was in San Francisco for the day, a neat trick from Seattle, and was able...]]></description>
<content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><strong>I apologize for the following deluge of Wi-Fi items, but I'm catching up after Apple's major product announcement on Monday:</strong> I was in San Francisco for the day, a neat trick from Seattle, and was able to see the Wi-Fi signal at one station on the BART ride from SFO to the Moscone Center in the SoMa district of San Francisco. A loaner EVDO modem from Sprint came through during my keynote note taking and reporting with a consistent Internet connection and very little battery drain on my MacBook. Here's what I missed during my trip, recovery, and catch-up these last three days.</p>

<p><a href="http://www.macworld.com/article/133890/2008/06/o2_wifi.html"><strong>O2 will offer iPhone 3G for free along with extensive Wi-Fi coverage:</strong></a> AT&T may still be sorting out how Wi-Fi service will be included in its cell plans, but O2 had already provided free Wi-Fi to supplement scanty EDGE service in the UK. The new iPhone 3G will be offered fully subsidized to subscribers of &pound;45 or higher tariffed services, along with 9,500 hotspots through BT OpenZone and The Cloud.</p>

<p><a href="http://www.billboard.biz/bbbiz/content_display/industry/e3i3a46d63363347f03d3ce19e2d565f3b9"><strong>SanDisk buys MusicGremlin:</strong></a> The innovative Wi-Fi-enabled music player was and remains far in advance of the features found in the iPod touch, iPhone, and Zune, but the company behind the product couldn't get a fire lit under it. Sales figures were never disclosed, but it's never been on the list of top-selling players in the market. SanDisk's acquisition will shut down the product and its music service, but it will absorb the people and technology. I met with the founders of the company many years ago, and was impressed by how far ahead they were of everyone in the industry. </p>

<p><a href="http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20080611005395&newsLang=en"><strong>Zyxel introduces VOIP-connected Wi-Fi camera:</strong></a> I think they threw a bunch of buzzwords into a blender, but it's rather clever. The camera connects to a network via Wi-Fi, and has SIP (Session Initiation Protocol) embedded. SIP is used for VoIP and as part of gatewaying Internet telephony. The V750W gets its own phone number, and can be controlled remotely through either a real phone using the public telephone network, or a soft phone using SIP. It's being resold, not sold to consumers directly, as a monitoring tool. It includes two-way audio. The camera can also place a phone call if an intruder monitor is tripped. Why not just give it an IP address like other such cameras? SIP, if implemented correctly, can traverse private networks' NAT (Network Address Translation) gateway limits. </p>]]></content:encoded>
      <pubDate>Wed, 11 Jun 2008 10:34:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wi-fi">wi-fi</category>
      <category domain="http://securityratty.com/tag/wi-fi camera">wi-fi camera</category>
      <category domain="http://securityratty.com/tag/phone">phone</category>
      <category domain="http://securityratty.com/tag/wi-fi signal">wi-fi signal</category>
      <category domain="http://securityratty.com/tag/camera">camera</category>
      <category domain="http://securityratty.com/tag/wi-fi service">wi-fi service</category>
      <category domain="http://securityratty.com/tag/free wi-fi">free wi-fi</category>
      <category domain="http://securityratty.com/tag/free">free</category>
      <category domain="http://securityratty.com/tag/sandisk buys musicgremlin">sandisk buys musicgremlin</category>
      <source url="http://wifinetnews.com/archives/008354.html">Wee-Fi: It's Catchup Time: O2 Adds Wi-Fi for iPhone Plan, SanDisk Buys MusicGremlin, Zyxel Offers Phone-Home Wi-Fi Camera</source>
    </item>
    <item>
      <title><![CDATA[Stolen laptop affects thousands of current and former Stanford employees]]></title>
      <link>http://securityratty.com/article/6ccc71f840f261739703c07112ae5cb2</link>
      <guid>http://securityratty.com/article/6ccc71f840f261739703c07112ae5cb2</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/6/08

Organization
Stanford University

Contractor/Consultant/Branch
None

Victims
current and former employees hired before September 28, 2007

Number...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/stanford.jpg" align="right" height="150" width="98"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/6/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.stanford.edu/">Stanford University</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>current and former employees hired before September 28, 2007<br><br><span style="font-weight: bold;">Number Affected:</span><br>as many as 72,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>Some or all of the following; First and last name, gender, birthdate, Social Security Number, Business title and office location, Work and home phone numbers, Home address, Salary, Stanford email address, Stanford ID card number and Stanford employee number<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Stanford University determined yesterday that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://news-service.stanford.edu/news/2008/june11/laprelease-061108.html">Stanford News Service</a> <br><a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/06/08/BAR9115907.DTL">San Francisco Chronicle</a> <br><a href="http://cbs5.com/local/stanford.stolen.laptop.2.742945.html">KPIX Channel 5 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Stanford News Service<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>STANFORD (BCN) - 
The personal information of as many as 72,000 people working for, or formerly employed by, Stanford University could be at risk after officials determined a recently stolen laptop contained confidential personnel data.<br><span style="font-style: italic;">[Evan] Even a prestigious school like Stanford University is not immune.&nbsp; 72,000 confidential personal records on a laptop that appears to have not been encrypted is not representative of good information security practice.</span><br><br>The computer contained personal records of Stanford employees hired before Sept. 28, 2007<br><br>data on the laptop included some or all of the following: employees' names, birth dates, Social Security numbers, business titles, work and home phone numbers, home addresses, salaries, and Stanford e-mail addresses and employee identification numbers.<br><br>While the university does not believe the thief was aware of the records' existence on the machine, it is taking steps to assist anyone whose information might be misused.<br><span style="font-style: italic;">[Evan] How many times have we read this in a breach notification?&nbsp; It is almost like a breach notification isn't a breach notification without it.</span><br><br>"We believe that the perpetrator of the crime was not seeking the records on the computer or even aware of them,"<br><br>"Often, such thefts are property crimes in which the laptop's hard drive is erased before the laptop is resold."<br><span style="font-style: italic;">[Evan]&nbsp; Robert Richardson, director of the San Francisco-based Computer Security Institute responds "In the past, if a laptop was stolen from a cafe, it was reasonable to think it would be reformatted and sold as a new machine," "Now I wouldn't make that assumption. 
Even the dumbest criminals out there are on to the fact that the data is where the money is."&nbsp; I have stated this numerous times on The Breach Blog.&nbsp; Now you don't have to take my word for it.&nbsp; Check out the </span><a style="font-style: italic;" href="http://www.gocsiblog.com/">CSI blog</a><span style="font-style: italic;">.</span><br><br>While there is no evidence that any of the information on the stolen laptop has been accessed, the University is committed to taking steps to assist individuals whose personal data may be misused<br><br>The university is not disclosing the details of the crime, as an investigation is still under way.<br><br>This matter has been reported to law enforcement.<br><br>Stanford sent out an e-mail message Friday to all the current and former employees it could reach, advising them of the theft.<br><br>The university is sending e-mails and letters to current and former employees whose personal information may be at risk, as well as posting information on the Stanford homepage at: <a href="http://www.stanford.edu,">www.stanford.edu,</a> and notifying the media.<br><br>The university said it will provide additional credit monitoring to help employees respond to the possible data breach and protect their identities from fraud.<br><br>"We will have services in place next week and Stanford is committed to assuming this cost,"<br><br>It is also looking at how to protect employee data better in the future.<br><span style="font-style: italic;">[Evan] I hope that mobile device encryption is in the mix.</span><br><br>While the university has rigorous policies and guidelines designed to protect confidential information, events such as this demonstrate the need for heightened vigilance in this area.<br><span style="font-style: italic;">[Evan] Information security always requires a "heightened vigilance".&nbsp; It is a continuous effort.</span><br><br>Vice President for Business Affairs and Chief Financial Officer Randy Livingston will 
lead a task force to review policies and practices regarding the safety and security of sensitive data.<br><br>Livingston said: "The university has guidelines that prohibit keeping sensitive information on unsecured computers. This effort will be redoubled after this incident."<br><br>We sincerely apologize for this incident.<br><br>You can call (650) 736-0099 and leave your contact information for a return call. You can also go to the Stanford home page for updates or email privacyquestions@stanford.edu with your full name and date of birth.<br><br><span style="font-weight: bold;">Commentary:</span><br>If an organization employs laptops and other mobile devices, it is only a matter of time that one (or more) will be lost or stolen.&nbsp; It is a fact of life, and it really doesn't matter how aware the users are.&nbsp; We either need to make sure that confidential information does not get stored on mobile devices, encrypt them (with secure key management) or preferably both.&nbsp; This is a simplistic view, but you get the point.<br><br>Breaches like this get old, but they still tick me off. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Sun, 08 Jun 2008 19:12:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/stanford">stanford</category>
      <category domain="http://securityratty.com/tag/university laptop">university laptop</category>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/stanford university">stanford university</category>
      <category domain="http://securityratty.com/tag/stanford email address">stanford email address</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security practice">information security practice</category>
      <category domain="http://securityratty.com/tag/stanford employee">stanford employee</category>
      <source url="http://breachblog.com/2008/06/08/stanford.aspx">Stolen laptop affects thousands of current and former Stanford employees</source>
    </item>
    <item>
      <title><![CDATA[AT&T management information on stolen laptop]]></title>
      <link>http://securityratty.com/article/2a7e7d1645c0c310fb2a37602fad248d</link>
      <guid>http://securityratty.com/article/2a7e7d1645c0c310fb2a37602fad248d</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/4/08

Organization
AT&amp;T

Contractor/Consultant/Branch
None

Victims
AT&amp;T management personnel

Number Affected
Unknown

Types of Data
Compensation...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/att.jpg" align="right" height="67" width="128"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/4/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.att.com/gen/landing-pages?pid=3309">AT&amp;T</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>AT&amp;T management personnel<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Compensation information, including employee names, Social Security numbers, and salary and bonus information.<br><br><span style="font-weight: bold;">Breach Description:</span><br>"An undisclosed number of management-level workers at AT&amp;T have been notified that their personal information was stored unencrypted on a stolen laptop."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.pogowasright.org/article.php?story=20080603133358351">PogoWasRight</a> <br><a href="http://www.scmagazineus.com/ATT-management-staff-data-on-stolen-laptop/article/110884/">SC Magazine</a> <br><a href="http://www.networkworld.com/community/node/28453">NetworkWorld</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>PogoWasRight<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>An undisclosed number of management-level workers at AT&amp;T have been notified that their personal information was stored unencrypted on a stolen laptop.<br><span style="font-style: italic;">[Evan] Don't you think that a well known (and respected) company like AT&amp;T would have had the forethought to encrypt laptops?</span><br><br>Employees were first alerted to the theft on the evening of May 22nd by email from Bill Blase, Senior Executive Vice President - Human Resources.<br><br>This 
is to alert you to the recent theft of an AT&amp;T employee's laptop computer that contained AT&amp;T management compensation information<br><br>The laptop was stolen May 15 from the car of an employee<br><br>The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information.<br><br>No customer or client data were on the stolen laptop.<br><br>the company would not disclose the number of affected individuals, but there is no reason to believe any of the data was being targeted when the machine was stolen.<br><br>AT&amp;T repeatedly declined to disclose the number of employees affected "as a matter of policy."<br><br>"Usually these are property crimes in which the drive is wiped clean and resold for profit,"<br><span style="font-style: italic;">[Evan] This used to be the case, but do you think the same still holds true today?&nbsp; If a thief is going to go through the trouble of wiping the drive, it seems plausible that he/she may also attempt to access/review the information contained on it.&nbsp; Hardware value = ~$1000, Information value = ~$10, $20, $50+ per record.&nbsp; Do the math and it soon becomes apparent that a thief can profit much more by selling the information.&nbsp; I presume that some thieves know this.</span><br><br>The employee who was in possession of the laptop when it was stolen has been disciplined.<br><span style="font-style: italic;">[Evan] Was it the employee's responsibility to encrypt the information, or was it his/her responsibility to not store confidential information on it?&nbsp; If the employee was aware of his/her responsibilities, then I can understand the disciplinary action.&nbsp; If not, then AT&amp;T has much bigger problems.</span><br><br>"There are a number of rules governing the handling of encrypted material and the mobile devices handling that material that employees must follow," Sharp said. 
"It is up to the employee to ensure that any sensitive material is encrypted."<br><span style="font-style: italic;">[Evan] Really?&nbsp; It is "up to the employee" to ensure that sensitive material is encrypted?&nbsp; Most of the users I work with wouldn't know the first thing about how to encrypt information.&nbsp; This is why we usually implement policies, standards and procedures to encrypt the entire contents of hard drives as part of the standard laptop build.&nbsp; Encryption is then semi-transparent and we don't need to worry about an incident such as this.&nbsp; Take information security out of the hands of employees if feasible.</span><br><br>AT&amp;T used the breach as a reminder that employees must follow policies.<br><span style="font-style: italic;">[Evan] Hopefully this isn't the only time employees are reminded to follow policies.</span><br><br>We deeply regret this incident. <br><br>You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future.<br><br>The telecom also says that it is "in the process of encrypting devices," but that may be small comfort to those whose data were on the stolen laptop.<br><span style="font-style: italic;">[Evan] Sheesh, hundreds if not thousands of breaches involving lost and/or stolen laptops affecting millions of people and now AT&amp;T is "in the process of encrypting devices"?&nbsp; To AT&amp;T's credit, they do employ thousands of mobile devices which take time to encrypt and it's better late than never.&nbsp; Explain this to the people affected.</span><br><br>AT&amp;T is offering free credit monitoring to those affected<br><br><span style="font-weight: bold;">Victim Reaction:</span><br>"I'm very disappointed in my company,"<br><br>"Eight days passed before we were notified ... 
and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."<br><br>"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information,"<br><br>"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."<br><br><span style="font-weight: bold;">Commentary:</span><br>Excellent work at <a href="http://www.pogowasright.org">PogoWasRight.org</a>.&nbsp; Their report contains copies of the actual AT&amp;T correspondence.&nbsp; Obviously, AT&amp;T should have known better.<br><br>The Breach Blog was notified via a comment from the wife of an affected employee on May 28th, but we did not have enough information to report.&nbsp; The comment was not approved by me either because the commenter used her real name (out of protection for her and her husband).<br><br><img src="http://images.quickblogcast.com/95781-88451/attcomment.jpg" border="0" width="700"><br><br><span style="font-weight: bold;">Past Breaches:</span><br>August, 2007 - <a href="http://breachblog.com/2007/08/31/att-stolen-laptop-unknown-number-of-former-employees-affected.aspx">AT&amp;T Stolen Laptop, Unknown Number of Former Employees Affected</a> <br></font><br>
]]></content:encoded>
      <pubDate>Sun, 08 Jun 2008 14:28:48 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/employee">employee</category>
      <category domain="http://securityratty.com/tag/att employee">att employee</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/att">att</category>
      <category domain="http://securityratty.com/tag/store confidential information">store confidential information</category>
      <category domain="http://securityratty.com/tag/actual att correspondence">actual att correspondence</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <source url="http://breachblog.com/2008/06/08/att.aspx">AT&amp;T management information on stolen laptop</source>
    </item>
    <item>
      <title><![CDATA[Matt Asay again shows that he doesn't know much about open source security]]></title>
      <link>http://securityratty.com/article/182375cfc9883805e5743d468a40bff0</link>
      <guid>http://securityratty.com/article/182375cfc9883805e5743d468a40bff0</guid>
      <description><![CDATA[I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly from the comments Matt leaves back, I think he views me as a pain in his butt and why if I don't...]]></description>
<content:encoded><![CDATA[<p>I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly, from the comments Matt leaves back, I think he views me as a pain in his butt and wonders why, if I don't agree with him, I read his blog. I read Matt's blog because I often do agree with him, but I also read it because I think it important that just because you don't agree with someone's views doesn't mean they have nothing to say. However, I also feel that I have the right to call BS when I see it. Matt's <a href="http://www.cnet.com/8301-13505_1-9944793-16.html?part=rss&amp;tag=feed&amp;subj=TheOpenRoad">article yesterday on Tenable's new licensing</a> is one of those times. Matt, you don't know what you are talking about on this one. If you are not going to take the time to dig in, then just stay out. <br><br>First, a little background. Tenable announced the other day <a href="http://www.nessus.org/news/data/pr95.pdf">a change in their licensing</a> of their NASL feed. For those who don't know, Tenable is the owner of the formerly open-sourced Nessus vulnerability scanner. They also develop and publish a feed of NASL scripts which run in Nessus, which are likewise no longer (and some say never were) open sourced. I know Ron Gula pretty well and understand perfectly why Nessus has not been under a GPL license for a few years now. I also understand the economics and reasons why they would charge for their NASL feed. I think it is good business, and more power to Ron, Jack, Renaud and the rest of the Tenable gang. The change in their license is that now commercial customers will have to pay for the NASL feed, whereas before only people who resold the feed or otherwise profited from it had to pay for the "registered feed". Now schools and charities can still get the feed for free, but others have to pay. 
Again, I don't have the slightest problem with this and wish them well.<br><br>Matt sticks his two cents in here and at the same time sticks his foot in his mouth. For some reason Matt has not realized that Nessus has not been open source since the release of the 3.x version some time ago. It is not like this is a secret; Tenable is very "open" about it and much has been written about it. Because they are still open in Matt's eyes, they can do little wrong. Matt, this is just plain negligence on your part; go beyond the press release before writing! Matt talks about and links to <a href="http://blog.milkingthegnu.org/2008/03/from-close-to-o.html">Pierre Teilhard de Chardin's blog article</a> about Tenable closing the source to Nessus and still doesn't take notice that it is no longer open source. Matt, did you read the article you linked to?<br><br>Matt then goes on to try to claim that it is OK for Tenable to charge for the NASL scripts because "the code is free, but the information that flows through it (Up-to-date vulnerability information, for example) is not". Matt, NASL scripts are scripts. I would think the word "scripts" in the name would be a dead giveaway. Don't you think that implies some code? <br><br>Yes, you can "drill your own wells" as Matt says and write your own NASL scripts. We do it at StillSecure for our own VAM vulnerability product. But we also use our own customized version of Nessus based on the old 2.x open source code. <br><br>The fact is there is nothing open source about the current version of Nessus and the NASL scripts, and Ron and company don't make any bones about it. Matt, your readers expect more from you. Do a little homework before you spout off!</p>
]]></content:encoded>
      <pubDate>Thu, 15 May 2008 18:43:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/matt">matt</category>
      <category domain="http://securityratty.com/tag/matt asay">matt asay</category>
      <category domain="http://securityratty.com/tag/matt sticks">matt sticks</category>
      <category domain="http://securityratty.com/tag/matt talks">matt talks</category>
      <category domain="http://securityratty.com/tag/comments matt leaves">comments matt leaves</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/reason matt">reason matt</category>
      <category domain="http://securityratty.com/tag/scripts">scripts</category>
      <category domain="http://securityratty.com/tag/word scripts">word scripts</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/291382440/matt-asay-again.html">Matt Asay again shows that he doesn't know much about open source security</source>
    </item>
    <item>
      <title><![CDATA[Laptop encryption]]></title>
      <link>http://securityratty.com/article/63674479c1d2f3606841a06370ab7d36</link>
      <guid>http://securityratty.com/article/63674479c1d2f3606841a06370ab7d36</guid>
      <description><![CDATA[How much confidential business data has been compromised over the years as a result of the theft of laptop computers? It's a good question if you ask me because we're all under pressure to ensure that...]]></description>
      <content:encoded><![CDATA[
      How much confidential business data has been compromised over the years as a result of the theft of laptop computers? It's a good question if you ask me, because we're all under pressure to ensure that mobile computing devices employ encryption so that the risks are appropriately mitigated in the event of their being lost or stolen.

Such pressure mounts when we also see organisations being fined when laptops go missing. For instance, the Nationwide Building Society got hit last year for nearly £1m when a device that was taken from an employee's home "contained confidential customer information and may have put millions at risk of identity theft." Full story <a href="http://news.bbc.co.uk/1/hi/programmes/moneybox/6371719.stm">here</a>. Chances are that this was nothing more than a random burglary committed by thieves who probably don't even have opposable thumbs capable of opening the lid. So, the chances of them being able to get any data out of it are slim. Most likely, the drive was formatted by the new owner after it was sold for a quid, and it's now being used by a local education authority somewhere in West Africa. As also stated on this <a href="http://www.mccune.org.uk/">blog</a>, the "majority of laptop thefts are not targeted, they're just carried out by someone who sees the laptop as a portable asset that can be easily resold." 

But let's suppose that the theft <em>could </em>have been targeted, and that somebody <em>could </em>specifically have been after the data. A real enough scenario for some organisations. Encryption certainly mitigates the risk up to a point. However, if that much effort is going into capturing a device, then you can bet that some forethought would also go into obtaining the relevant keys. For a good example, remember <a href="http://www.engadget.com/2005/03/31/the-downside-to-using-a-biometric-car-lock/">the case</a> where car thieves cut off the index finger of the owner of a Mercedes in order to get around the biometric security. Where there are motivated, capable and dangerous adversaries operating for profit, is your personal safety worth holding out on the password to your laptop?

In my mind, a much better solution is to keep confidential data off mobile devices in the first place. But let's come back to the original point and question: how much confidential business data has been compromised over the years as a result of the theft of laptop computers? I don't know, and it doesn't matter, because if your laptops get stolen, if they contain confidential or personal data, and if you have not used encryption, then you're stuffed: if the press don't get you then the regulators will, and when encryption is so cheap and easy to implement these days, you've just been negligent. 

So, in fact, the biggest risk to your business may well come from the negative perception, and the resulting fines and damage to your reputation, rather than from the probability of the data actually being compromised and used. 

That is a good enough reason even if you, like me, don't rate highly the risk of data actually being compromised in this way. So now all you have to do is choose your encryption product. And that's another story....

      
   ]]></content:encoded>
      <pubDate>Fri, 09 May 2008 01:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal data">personal data</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/confidential data">confidential data</category>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/encryption">encryption</category>
      <category domain="http://securityratty.com/tag/confidential business data">confidential business data</category>
      <category domain="http://securityratty.com/tag/confidential">confidential</category>
      <category domain="http://securityratty.com/tag/laptop thefts">laptop thefts</category>
      <category domain="http://securityratty.com/tag/encryption product">encryption product</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/05/there-is-no-simple-way.html">Laptop encryption</source>
    </item>
  </channel>
</rss>
