A senior Unix administrator known only as “SK” admitted she got lucky when she found the malicious script planted in a development server on the network.  “The malicious script was at the bottom of the legitimate script, separated by approximately one page of blank lines, apparently in an effort to hide the malicious script within the legitimate script,” states an affidavit filed against Rajendrasinh Makwana, an Indian citizen living in the United States under a work visa.  Makwana is accused of illegally accessing Fannie’s network after being fired from the job. Had the script executed as planned, 4000 servers at Fannie would have been wiped clean tomorrow, January 31st.

According to an InformationWeek article here:

The discovery occurred on Oct. 29. Makwana had been terminated as a Fannie Mae contractor on Oct. 24, around 1 or 1:30 p.m., the affidavit says, but his network access was not terminated until late that evening. Makwana was fired for allegedly creating a computer script earlier that month that changed server settings without the permission of his supervisor.

Makwana was not required to turn in his badge or Fannie Mae-supplied laptop until the end of the day on Oct. 24. According to Nye’s affidavit, it was during that afternoon that Makwana is alleged to have planted the malicious script.

Makwana had planted his script by using his existing credentials over an encrypted channel.  Since his accounts were still active and his access rights still in place, no technological solution could have prevented or stopped such an attack.  But it clearly highlights the threats posed by internal users.

Information security is sometimes more about enforcing procedures than policies.  In Makwana’s case, the policies were followed for a termination in that accounts were disabled by the end of the employee’s last working day, but the procedures perhaps could have included building security escorting the employee and  the timely confiscation of corporate equipment.

Everyone wants to trust their employees as friends and colleagues.  And enforcing a procedure that requires a security guard to watch the employee pack his things and turn in building passes, credentials, laptops, phones, and other personal items just makes your company look like a cruel, bullying entity.  However, not following such a process could jeopardize your data.

We are pleased to be a part of the DoD CyberCrime Conference in chilly St. Louis Missouri.  Conference goers should feel free to stop by, say hello, and check out the demonstrations of our NextGen software.

For the second time in 18 months, Monster.Com has suffered a massive security breach.  In both cases, user account information was stolen, along with the email addresses and names of job seekers.  When this happened in August of 2007, 1.3 Million accounts were taken when an employee of the company divulged his credentials via a Trojan Horse program.  Within days of that attack, users of Monster.com who had their account information stolen found they were victims of targeted malware phishing attacks and, since hackers assume Monster.Com users are out of a job, many were invited to become money laundering mules for criminal hacker organizations.

In the latest breach, Monster put a notice here on their website that says:

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes. Monster does not generally collect – and the accessed information does not include – sensitive data such as social security numbers or personal financial data.

Immediately upon learning about this, Monster initiated an investigation and took corrective steps. It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.

Now let’s flash back to 2007 and their statement to the press regarding that breach:

Sal Iannuzzi, the company’s chairman and chief executive, said the company was improving its surveillance of how the site is used as well as limiting the way data can be accessed. Iannuzzi declined to provide specific details about how the new security measures will work, saying he didn’t want to make them vulnerable to potential hackers.

Whatever improvements were made in Monster’s network surveillance and security measures were not adequate to deal with the severity of the threats the organization is facing from sophisticated adversaries.  In light of this second breach, Monster should review what went wrong with their previous remediation plan and develop something better to help them identify data breaches quickly and lock down their customer records.  Monster, as many enterprises today, simply needs better and deeper visibility into their network traffic.

NetWitness NextGen provides a new paradigm for network security monitoring.  Full packet capture and session analysis provides the ultimate truth about data crossing the wire because you are dealing with ALL the data — not just signatures or statistics or scans.  Your security managers actually will know what types of information is crossing network interfaces, will better understand the risks of that data in motion, and can therefore make better decisions about reducing those risks.  And regardless of how the hacker tries to exfiltrate the data -  via the web, trojanized control port to the internal network, or a disgruntled insider- NetWitness helps you close the gaps.

For Monster users, please change your password on the site.  Other bloggers are reporting that usernames and passwords were stored in clear text.  If so, and you use the same username and passwords on other accounts, you may wish to change those credentials as well.

If you have dined out at a local family restaurant in the past few months, or perhaps paid for books for your college-bound kids, or even paid for gasoline at the pumps with a credit card, you may have inadvertently allowed hackers to steal your credit card number during the transaction phase that takes place on Heartland Payment Systems’ backend network.

The Washington Post’s Brian Krebs broke the story yesterday. He writes on his SecurityFix blog here:

Heartland, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments

40 percent of transactions the company processes are from small to mid-sized restaurants across the country.

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. It wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Heartland said.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

In many cases where a processor experiences a breach, the affected banks may simply re-issue new cards to some customers. In other cases, consumers may spot the first signs of fraudulent activity by reviewing their bank statements.

Heartland Payment systems also went on to declare to the Wall Street Journal that the breach was due to a magnificent piece of malware that was “lightyears” ahead of what other hackers could do.

Heartland was targeted with malicious software that was “light-years more sophisticated” than malevolent programs commonly downloaded from the Internet.

NetWitness understands that cyber breaches happen.  Maybe this piece of malware was more sophisticated than than usual, but it was still malware that evaded standard security software detection capabilities.  Firewalls and intrusion detection systems alone cannot alert security personnel to activity that was designed by criminals to evade detection. 

Exfiltrated data can be recorded as it happens, along with how the malware came to be downloaded to the network.  And those packet collections can be preserved so when reports come in that data is being used fraudulently, you don’t have to pour over audit trails, IDS alerts and firewall logs looking for the problem.  You have the network traffic itself for audit.  And with NetWitness Investigator, analysts can easily spot the problem communications.  No need to wait for the Secret Service to show up with a forensics team.

In the meantime, keep an eye on your credit card bills for any suspicious charges.  Any fraudulent activity should be reported to your financial institution immediately.