Archive for February, 2006

US-CERT, the cyber division of the Department of Homeland Security introduced 4 posters today with the hopes that businesses will print them out and hang them in break rooms across America- hopefully between the water cooler and the half-eaten box of donuts.

You can see the posters here:

To be fair, the first poster is a pretty concise list of best practices that should be adopted by any organization’s IT department. But the second poster urges everyone to report to US-CERT knowledge of “anyone in your organization receiving suspicious e-mails that include unsolicited attachments.” What a monumental waste of time it is to report virus attachments to the Feds.

If anyone reports an incident to US-CERT, they will be given an incident number.

…

That’s it. Just a number. It doesnt mean that US-CERT will do anything about your incident, such as report it to a law enforcement office, or help you recover from your incident. For instance, you receive a malicious attachment in an email, and you open it, and it installs a network-based keylogger. If you report this to US-CERT, they will gladly give you a number and tell you to have a nice day.

You are much better off particiating with an ISAC or an Information Sharing Analysis Center, which is an industry-focused information security analysis center. Those folks are much better equipped to actually respond and provide assistance than DHS, and if law enforcement is needed, a referral from an ISAC will garner a more immediate response than a citizen report.

President Bush has allocated 93 Million Dollars for NCSD in his 2007 budget. Details are here:

Cyber security is a key element of homeland security. The consequences of a cyber attack could cascade across multiple infrastructures and imperil public safety. The National Cyber Security Division (NCSD), now a part of the Preparedness Directorate, carries out the Department?s cyber security responsibilities. It was established in 2003, in response to the President?s National Strategy to Secure Cyberspace, as the national focal point for cyber security. Recognizing today?s interconnected environment, NCSD works collaboratively with public, private, and international entities to secure cyberspace and America?s cyber assets. The Budget includes $93 million for the NCSD?s program and activities.

A core component of NCSD is the U.S. Computer Emergency Response Team (US-CERT). US-CERT operates a round-the-clock cyber watch, warning, and incident response center. The center coordinates responses to cyber incidents, monitors the network activity of Federal agencies, and provides a web portal for secure communications with private and public sector stakeholders. US-CERT also operates a public website (www.us-cert.gov) and the National Cyber Alert System, which provides timely information to the public. In addition to its watch and warning function, US-CERT conducts malicious code analysis, improves the security of software, and conducts cyber threat and vulnerability analysis.

And they make nifty break-room posters.

Yesterday, I blogged about how McAfee was screwed over by their own auditing company that they hired to make sure that they were in compliance with Federal Law and best practices. Well now, Sun Micrososystems has been screwed over by their own auditing company too.

TheRegister has the exclusive scoop here:

Ernst & Young fails to disclose high-profile data loss

Sun CEO’s social security number exposed

Ernst and Young has lost a laptop containing data such as the social security numbers of its customers. One of the people affected by the data loss appears to be Sun Microsystems CEO Scott McNealy, who was notified that his social security number and personal information have been compromised.

“We deeply regret that a laptop containing confidential client information was stolen, in what appears to be a random act, from the locked car of one of our employees,” said Ernst and Young spokesman Charles Perkins. “The security and confidentiality of our client information is of critical importance to us. The computer was password-protected, and we have no reason to believe the data itself was targeted or that the information was accessed by anyone. We are notifying those clients whose information was contained on the computer.”

Ernst and Young declined to comment on whether or not McNealy was affected.

However, at last week’s RSA security conference, McNealy noted that he received an e-mail from an “anonymous partner” detailing a loss of his private data. “We determined that your name and social security number were among the data (lost),” the partner wrote to McNealy.

“This is an organization that we spend an enormous amount of money on to determine whether we are Sarbanes-Oxley compliant,” McNealy said.

Translation: These assholes who charge us a fortune to make sure we follow the rules were negligent with the our data.

Digging through Sun’s financial filings, you’ll discover that Ernst and Young serves as the company’s auditor and handles Sarbanes-Oxley consulting for Sun. A spokesman at Sun confirmed that Ernst and Young is still the company’s auditor but declined to out the firm that lost McNealy’s data.

Ernst and Young declined to return our phone calls seeking more information about the breach and why it has “no reason to believe” the password could be cracked. It makes no mention of stronger security than simple password protection.

Auditing companies need to be held to a higher standard than the typical corporation. After all, the level of trust is much higher with auditing companies, and more than anyone, they should practice what they preach. In addition, auditing companies need to put their money where their mouth is, at least contractually. When they begin an audit, they become keepers of the trust of much private corporate and personal data. If that trust gets broken, then the auditor should have to pay recompence for their error.

A self-encrypting shell overlay would also be very useful for protecting all mobile data processing equipment, be it laptop, thumbdrive or CDRom. If any personal or corporate data is allowed to exit its internal layers of security, it should do so only in an encrypted manner. And auditing companies should ensure that this is the case as well.

And someone should smack that E&Y employee across the back of his head for being so stupid as to leave the laptop in his car.

A botnet herder that goes by the handle of “0×80″ wanted to brag about his “l33t sk1llz” to a Washington Post reporter. The hacker, wisely, asked for his identity to be protected (ironic, considering he uses botnets to commit identity theft), and the WaPo agreed to do so. However, the metadata of the photo that was posted online in the WaPo article included information about the location of the photo shoot.

You can read the whole article here at E-Week.

The Washington Post’s online arm has apparently been caught in a metadata gaffe that exposed the whereabouts of a 21-year-old hacker who confessed to controlling thousands of compromised PCs for malicious use.

The hacker agreed be interviewed by Washington Post reporter Brian Krebs on the condition that he not be identified by name or home town, but when the article was posted on the newspaper’s Web site, an accompanying photograph included metadata that pinpointed the location to Roland, Okla., a small town with a population of 2,842.

In the feature story titled Invasion of the Computer Snatchers, the hacker known online as “0×80″ (pronounced X-eighty) openly boasted about breaking into thousands of computers around the globe and infecting them with malware that turned them into botnet drones.

In 0×80′s case, the hacker openly admitted to illegally installing adware and spyware on infected computers and earning money from online marketing companies that pay for advertisements delivered to users.

However, because of the metadata slip-up by the Washington Post, it is very likely that law enforcement authorities will be looking in the direction of Roland, OK to find the hacker, who was described in the story as “tall and lanky, with hair that falls down to his eyebrows,” and speaking with a “heavy Southern drawl and Midwestern nasality.”

The reporter also wrote that 0×80 lives with his religious parents in a small town in Middle America where the nearest businesses are a used-car lot, a gas station and convenience store and a strip club, where 0×80 claimed he recently dropped $800 for an hour alone in a VIP room with several dancers.

The article was published with several photographs, including one with a doctored image of half of the hacker’s face.

But, as eagle-eyed Slashdot posters discovered, the online images by photographer Sarah L. Voisin contained tags about the location of the shoot.

Immediately after the metadata discovery, the images were removed from the Washington Post’s Web site.

The Slashdot community, however, insisted on attempting to track down the hacker. Using Google Maps and other search-related data, the posters were able to figure out that the male population of Roland, Okla., was just over 1,300.

“Any flatfoot could find him in an hour,” said one Slashdot commenter who posted details of the metadata from the online image.

In internet lore, being “slashdotted” means that Slashdot.com links to your server or an online article that was written, and the crush of traffic coming from the slashdot article causes the site to go under. In this case, however, the hacker in Podunk, OK has discovered a new definition to being slashdotted. He will likely end up in jail soon, experiencing another type of lapdance, but he won’t have to spend $800 bucks on it.

And how is it that the American Media insists on protecting the identity of criminals? From the leakers of national secrets to hackers, the media believes that protecting the identities of criminals is more important than public safety and security. Way to go, WaPo. Your ineptness is what helps keep this nation safe. And congrats to slashdot for their mob justice.

Seems like a light sentence to me for breaking into a system that houses such critical information. I think this highlights a problem that data and commercial systems are not classified by sensitivity- meaning that crimes against more sensitive data would be given harsher sentences that those against non-critical systems. I wonder what this hacker did with his data? From CNET here:

A bulk e-mailer who looted more than a billion records with personal information from a data warehouse has been sentenced to eight years in prison, federal prosecutors said Wednesday.

Scott Levine, 46, was sentenced by a federal judge in Little Rock, Ark., after being found guilty of breaking into Acxiom’s servers and downloading gigabytes of data in what the U.S. Justice Department calls one of the largest data heists to date. Acxiom, based in Little Rock, says it operates the world’s largest repository of consumer data, and counts major banks, credit card companies and the U.S. government among its customers.

In August 2005, a jury convicted Levine, a native of Boca Raton, Fla., and former chief executive of a bulk e-mail company called Snipermail.com, of 120 counts of unauthorized access to a computer connected to the Internet. The U.S. government says, however, there was no evidence that Levine used the data for identity fraud.

Prosecutors had asked for a longer sentence, but expressed satisfaction with an eight-year prison stay. “This sentence reflects the seriousness of these crimes,” said U.S. Attorney Bud Cummins of the Eastern District of Arkansas. It also includes a $12,300 fine; restitution has not yet been determined.

According to court documents, Levine and others broke into an Acxiom server used for file transfers and downloaded an encrypted password file called ftpsam.txt in early 2003. Then they ran a cracking utility on the ftpsam.txt file, prosecutors said, discovered 40 percent of the passwords, and used those accounts to download even more sensitive information.

In early 2003, the most common vulnerabilities on servers that would house this type of information were SQL Injection bypasses, or probable backdoors leftover from the Code Red/Nimda worms. Regardless, the thief took a sam file from the server.

When it was in operation, Snipermail.com drew fire from antispam advocates for falsely claiming to operate only “opt-in” lists. The company’s now-defunct domain shows up on the Register of Known Spam Operations compiled by the Spamhaus Project, and dozens of sightings of spam from Snipermail.com appear on Usenet’s news.admin.net-abuse.sightings discussion group.

Acxiom has said that after the 2003 intrusion, it improved its intrusion detection, vulnerability scanning and encryption systems.

This is not the first prosecution to arise out of poor security practices on Acxiom’s file transfer protocol server (FTP). An Ohio man named Daniel Baas previously pleaded guilty to illegally entering Acxiom’s FTP site. That investigation led federal police–including the FBI and Secret Service–to Levine, according to the Justice Department.

On Axciom’s website, they have a special Cyber Security Statement Here. It says,

Acxiom maintains security procedures to help ensure that information will not be made available to any unauthorized person or business. We use a variety of multi-level security systems to control access to our services and information products. All users at client locations, as well as all Acxiom associates, must have the appropriate access codes and be expressly authorized to access certain data and applications.

Nothing assures someone more than locking the barn doors after the horses have escaped.