Thursday, December 31, 2009

Backstopp - The Morning After Pill for Identity Management?

It has been a while since I have posted anything as I do not have the time (nor do I get paid) to look at what happens in the Identity Management space like I used to. That said, I still believe that it is the concrete in any infosec organization, technology stack, or IT organization.

I ran across a company that has what I thought was a crucial - as in I hope you don't need it but if you did you'll be glad you have it - piece of the puzzle oft ignored. I call it the morning after pill for data.

It destroys data after you lose control, possession, or ownership of it. Someone steals your laptop, you get to wipe it the next time it boots up. An employee quits while in possession of key data and you wipe their machine and the data in it from your company HQ.

Anyway, it answers the 'so what' question simply, effectively and inexpensively.

Check it out...

Monday, August 03, 2009


The hackers get hacked...

On the eve of the Black Hat security conference, malicious hackers posted a 29,000-line file detailing embarrassing attacks that took complete control of servers and websites run by several high-profile security researchers, including Dan Kaminsky and Kevin Mitnick.

The file posted on security mailing lists claimed to have obtained more than four years' worth of data from Kaminsky, and as proof, it offered a smattering of emails, instant messages, and other communications that laid out sensitive research work and intimate personal conversations. It also revealed multiple passwords Kaminsky used and back-end configurations for Kaminsky's website, which was yanked offline Tuesday afternoon and remained down at time of writing almost 24 hours later.

The data also documented attacks on the website of security expert Kevin Mitnick, who confirmed to The Register that his website was breached after hackers gained unfettered root access to machines used by his webhost. The 1MB text file capped weeks of hacks on several other security researchers, including penetration testing firm Matasano. The breaches highlight the often-overlooked reality that even seasoned security professionals are vulnerable to attacks that can expose sensitive business secrets.

"It's the illusion of invulnerability," said Mitnick, who said he purposely kept sensitive data off the servers that ran his website. "I was actually surprised that the other people would keep their email and work data on an internet-facing host. It appeared the boxes were actively used for work."

The breaches also raise the possibility that previously unpublished research about critical security vulnerabilities may have leaked into the public domain. Among the data published Tuesday was a Perl script exploiting Kaminsky's DNS cache poisoning bug. It also aired bash scripts showing security professional Jay Beale, who had an account set up on Kaminsky's server, performing nmap scans on a variety of domain names and IP addresses (presumably belonging to clients).

Kaminsky wasn't available for comment at time of writing. He scheduled a press conference for Wednesday evening. On his Twitter page, he wrote: "Messy, but heh. Walk onto a battlefield, you might get shot."

The attacks are reminiscent of ones that hit security researchers last year. In all of them, the attackers appear more interested in personally embarrassing the researchers and damaging their business reputations than in exposing vulnerabilities so they can be fixed.

So far, it's unclear how the attacks were carried out. Freelance reporter Robert Lemos, whose website was compromised Tuesday evening, said a vulnerability in blogging software WordPress is the most likely explanation. Security researchers gathered at Black Hat have revived rumors that there's a zero-day vulnerability that's being exploited in SSH applications, but so far, there is no evidence to support the suspicions.

Friday, April 10, 2009

Don't Mess with Texas, unless you are the FBI...

More on the raid of the Core IP Networks data center. Story from the Wired Blog.

I sincerely hope that the new CIO in the Obama Administration invests heavily in training. Specifically, about why what the FBI did was not based on probable cause, as the judge ruled, but a legal-system-sponsored 'smash and grab'. A few metaphors come to mind:

Special Agent ____________, a high school buddy of yours told me you smoked marijuana in high school and kept your stash in a box of Cheerios. We looked into it and you bought Cheerios last week. We have a warrant to seize your entire house and its contents. We just want to make sure your high school buddy was on the up and up and that you don't have a stash. There's a Motel 6 down the street you can stay at with your family - but be careful, the Latin Kings are set up in there...

I will contact my Infragard officers to volunteer to train Special Agents on the basics of the internet and data center business.

Here is the Rest of the Story...

A company whose servers were seized in a recent FBI raid on Texas data centers applied for a temporary restraining order to force the bureau to return its servers, but was denied by a U.S. district court last week.

The company, Liquid Motors, provides inventory management and marketing services to national automobile dealers, such as AutoNation. It was one of about 50 companies put out of business last week when the FBI seized the servers at Core IP Networks, one of two data centers and co-location facilities raided by the FBI's Dallas office in the last month in an investigation into VoIP fraud.

Although Liquid Motors was not a target of the investigation, the FBI took all of the company's servers and backup tapes in the raid.

"As a result, Liquid Motors, Inc. has been put out of business and is in breach of its contracts with automobile dealers throughout the country," the company wrote in its application for the restraining order (.pdf). "Those automobile dealerships ... may hold Liquid Motors responsible for all of their lost business, and may terminate their contracts with Liquid Motors, causing permanent and irreparable harm ... for which there is no adequate remedy at law."

The company noted that it maintained duplicate servers to prevent outages and housed those servers in a building "on a five power grid with a generator that can last for thirty days."
Only "a bomb to the building" or, as it happens, an FBI raid, could cause the servers to go down, the company stated.

The U.S. District Court for the Northern District of Texas denied the request (.pdf), however, after holding an ex parte discussion with FBI Special Agent Allyn Lynd, who led the raid. Lynd told the court that the owner of the co-location facility was being investigated for fraud and that even though Liquid Motors was not part of the investigation, its equipment might have been used to facilitate fraud by others.

The court found that the FBI had probable cause for seizing the equipment.

The FBI told the court it would work over the weekend to create mirror images of the data from Liquid Motors' servers and provide it to the company by Monday of this week. In order to do so, the FBI asked the company to provide the agency with blank hard drives for copying the data.
Mark Burack, executive vice president for Liquid Motors, said his company did get its data back after supplying the FBI with hard drives, but that the company had to buy all new servers to restore its business.

"We had to replace everything," he said, noting that they won't know how much the raid cost them financially for a while. He said the company has more than 750 customers who were affected by the raid, and that they're working on restoring service to those customers.
When asked if his company planned to pursue legal action further he replied, "I don't know. There are a lot of lawyers involved. We're backed by some very large investors so we just defer everything to them."

He added that he respects the job the FBI does.

"Catching bad guys is important," he said. "We support them and we know they have a tough job. And sometimes innocent people get hurt."

Wednesday, April 08, 2009

Scary Stuff...

The full text of this story can be viewed HERE

I have to say as a member of Infragard, a 15-year veteran of the hosting and colocation business from tech support to security, and as an employee of a colocation company, that this is an appalling story.

I will call it now - this case will go to the Supreme Court so that there is a clear delineation between a business and its customers and a clear message sent to federal agencies about what is and is not ok. Just because the servers in a facility were all interconnected does not mean they were all illegally operating. Interstate Highway 10 connects Florida to Texas, but does that mean that law enforcement has jurisdiction to impound every car on the road because someone in Little Rock who used to live in Texas said that there was a light blue speeding vehicle on I-10?

I liken this story to an arms dealer working out of a hotel, and the FBI seizing the entire property and everything on it - from the extra towels, to the law-abiding guests' personal property, to the rental car companies' vehicles - because someone who got kicked out of the hotel for destroying property said there was an arms dealer in room 201. Like they would know.

Thank God they got the kids' iPods and video game consoles though. I wouldn't want those playlists falling into the wrong hands or toddlers playing Grand Theft Auto. That would be a travesty.

Here is a quick snippet:

The FBI on Tuesday defended its raids on at least two data centers in Texas, in which agents carted out equipment and disrupted service to hundreds of businesses.

The raids were part of an investigation prompted by complaints from AT&T and Verizon about unpaid bills allegedly owed by some data center customers, according to court records. One data center owner charges that the telecoms are using the FBI to collect debts that should be resolved in civil court. But on Tuesday, an FBI spokesman disputed that charge. "We wouldn't be looking at it if it was a civil matter," says Mark White, spokesman for the FBI's Dallas office. "And a judge wouldn't sign a federal search warrant if there wasn't probable cause to believe that a fraud took place and that the equipment we asked to seize had evidence pertaining to the criminal violation."

According to the owner of one co-location facility, Crydon Technology, which was raided on March 12, FBI agents seized about 220 servers belonging to him and his customers, as well as routers, switches, cabinets for storing servers and even power strips.

Authorities also raided his home, where they seized eight iPods, some belonging to his three children, five XBoxes, a PlayStation3 system and a Wii gaming console, among other equipment. Agents also seized about $200,000 from the owner's business accounts, $1,000 from his teenage daughter's account and more than $10,000 in a personal bank account belonging to the elderly mother of his former comptroller.

Mike Faulkner, owner of Crydon, says the seizure has resulted in him losing millions of dollars in revenue. It's also put many of his customers out of business or at risk of closure.

The raids are the result of complaints filed by AT&T and Verizon about small VoIP service providers whom the telecoms say owe them money for connectivity services. But instead of focusing the raid on those companies, Faulkner and others say the FBI vacuumed up equipment and data belonging to hundreds of unrelated businesses.

Thursday, April 02, 2009

Whatever happened to Sky Marshals?

I was in JFK yesterday and I was the number 2 person on the plane, and it made me think back to when Sky Marshals were #1 or #2. I haven't seen one in a while.

Before someone writes the comment 'That's the point', they were not too hard to spot - short cut hair, intimidating, trying to look like a regular passenger, always first or second on the plane, and they never sat in exit rows or 1st class.

Do I see a VH1 'Where are they now' segment?

Or a Government version of 'Where are they now?' on C-Span? There's an idea to liven up C-Span - a reality show besides watching politicians filibuster, or watching Pelosi whine about needing a bigger plane.

Thursday, February 19, 2009

Facebook or Facebalk?

I have not had the time to comment on the absurdity of the Facebook 'We own your ass even if it's not yours and will do what we want with it when we see fit' privacy policy. I was also a bit disappointed that by the time I was able to comment, the overwhelming voice of the users had won out and a relieved Facebook came to their senses.

Having been a member of the IAPP (International Association of Privacy Professionals) and seeing the balancing act that companies go through to write a solid one, I can't help but wonder if Facebook will get a free membership out of this so that they can figure it out.

It was also interesting that no one freaked out when AOL and Yahoo changed their privacy policies - although their changes had a lot less potential harm embedded - and I have to wonder why Facebook and not AOL or Yahoo?

Better designed offering?
More Users?
Different demographics?
The ability to instantly share your views with friends of friends' friends?
The absurdity of it?

I hope my old friends at the Berkman Center at Harvard Law School keep on teaching law students about this kind of stuff so that students of theirs never write drivel like that policy again.

Tuesday, February 03, 2009

Well-Coordinated ATM hack nets $9M

My Source

Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from bank customers — and they could strike again, according to an investigation by FOX 5 TV in New York.

Customers' personal information might also have been compromised in what federal agents are calling one of the most well-coordinated such schemes they've seen, reported.

The FBI uncovered the plot and is investigating. The hackers are still at large and could orchestrate another attack.

In a matter of hours, thieves struck ATMs from 49 different cities — including New York, Atlanta, Chicago, Moscow and Montreal — just after 8 p.m. EST on Nov. 8.

Part of the heist was caught on security camera images obtained by the TV station. The photos show people known as "cashers" — low-level participants in the plot who used bogus ATM cards with stolen information — at the machines.

The scheme works as follows: Plotters hacked into a computer system for a company called RBS WorldPay, which allows employers to transfer workers' pay directly to a payroll card. The scam artists were then able to infiltrate the system and steal personal data needed to make duplicate ATM cards.

"We've seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here," FBI Agent Ross Rice told FOX 5. "We've never seen one this well coordinated."

The FBI has no suspects and has made no arrests thus far.