Skip to main content

tip of the data loss iceberg: worms == automated large scale intrusions

Recently there have been a spate of incidents in which U.S. federal government agencies reported data theft or loss, particularly data which could result in identity theft. The losses include the contact information and social security numbers of, literally, millions of federal employees and contractors. Most of these recent incidents were the result of stolen laptop hardware, USB Key fobs, or other computer hardware, although at least two involved unspecified intrusions (electronic theft of the data following a break-in to an online system). In the past several months, as the reports of stolen servers, hard drives, laptops, and USB key fobs have mounted, I've only seen two disclosed instance of an intrusion (in one case apparently targeted) which resulted in the theft of identity data concerning 1,502 people at the Department of Energy: Energy ups security efforts after loss of employee data and 26,000 people at the Department of Agriculture: U.S. Department of Agriculture hacked. Despite the sparse reports of such intrusions, we know that government PC systems are not uniquely protected from these threats. Although it hasn't been reported, there is ample reason to believe that significant data loss has also occurred over the past several years through worm, botnet, spyware, trojan and rootkit infestations. Such malware routinely scans the infected PC and mounted network drives or shares and uploads files and data into the arms of organized crime. This type of loss is harder for organizations to detect and remains underreported as a result. However, it has has undoubtedly resulted in many more exposures of similar magnitude than have theft of laptops. Many tens of thousands of computers in government agencies are infected with worms, bots, adware, spyware, viruses, trojans, and rootkits every year. The infection rates of many government agencies are not radically different from private industry. Why do we see so few reports about data loss from these types of large scale intrusions? The difference is that when a laptop is stolen, a bit of government-owned equipment goes missing. This produces a few unique circumstances that malware infections don't produce. Missing hardware:
  • can't be ignored due to strict property accounting requirements,
  • can't be denied due to the loss of a physical device,
  • and is more easily understood by all levels of oversight and management.
If hardware went missing, and bad guys have the hardware, they have the data that was on the hardware, too. People understand that. Malware infections on the other hand (really, these are often large scale intrusions) are complex, involving many layers of abstraction. Just mitigating the spread and cleaning up often consumes all available resources of a given IT shop, and when the cleanup is over, they are crushed under the catch-up load of the regular duties which were postponed to battle the worm, bot or other malware. Analysis is often limited to finding and plugging the security hole that let the malware in. Few organizations have the ability to demonstrate conclusively that a worm uploaded files to a remote server. Worms and botnets have begun using encrypted tunnels, so even if organizations have the ability today, it won't be effective for very much longer. We were able to uncover evidence of a large scale intrusion at a customer last year. It was clear that from the earliest moments of the outbreak remote attackers were under direct control of the infected PC systems on our Federal client's network. It was also clear that the techniques used were well-honed. Our client faced several variants of a particular worm within a short span of time, and one of those variants had a defect. Were it not for the defect, there would have been no direct evidence. Most of the time with automated large scale intrusions like worms and botnets, it's very easy for weary IT staff to assume that no real damage was done. The complexity of the attacks makes it easy for management and oversight to ignore the problem, too. Many tens of thousands of infected PC systems are cleaned up each year on government networks. Those systems include servers and desktop and laptop computers with large amounts of valuable and sensitive data. The organizations performing the cleanup are understaffed and overworked and typically don't have the skills, processes, tools, and budgeted time in place to analyze the data loss which occurred. Consequently, the problem is even bigger than it seems from the recent headlines.

Technorati Tags: , , , , , , , , , , ,


Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual domai…

Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]

What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit. What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Information Security dictionaries online generally lack the terms, and don't mention them in their discussion of "disclosure" either. The aggregation problem happens when a series of small facts, any one of which if disclosed present a minimal security risk, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. As it happens, an IETF glossary contains a definition of the basic term. RFC 282…

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident.

I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company.

Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber