
Security Test Prompts Federal Fraud Alert

Soulskill posted more than 5 years ago | from the in-the-not-so-wild dept.

itwbennett writes "Johannes Ullrich, chief research officer at the SANS Institute, took great interest in a National Credit Union Administration (NCUA) warning issued earlier this week, thinking, 'Finally this is in the wild, because I've only seen it in pen tests before.' Unfortunately for Mr. Ullrich, the letter and 2 CDs that caused the kerfuffle were part of a sanctioned security test of a bank's computer systems conducted by Ohio-based security company MicroSolved. 'It was a part of some social engineering we were doing in a fully sanctioned penetration test,' said MicroSolved CEO Brent Huston. For his part, NCUA spokesman John McKechnie did not have much to say about his organization's alert, except that 'at this point, it appears that this is an isolated event.'"

Frosty piss (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29243235)

DRINK ME

i just got off the toilet (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29243249)

i shit out an obama.

plop!

btw... teddy? so long you fucking shit head pig. even nero was famous as a politician.

Johannes Ullrich? (-1, Redundant)

XPeter (1429763) | more than 5 years ago | (#29243331)

Am I the only one who thought that said Lars Ullrich, and started hearing a St. Anger drum solo?

Re:Johannes Ullrich? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29244083)

I find it sad that when you thought of Lars Ulrich and thus Metallica, that St. Anger comes to mind. Metallica died with Cliff.....

Re:Johannes Ullrich? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29244277)

I find it sad that you know that much about Metallica.

Patch subscriptions (5, Insightful)

morgan_greywolf (835522) | more than 5 years ago | (#29243351)

The best way to pull something like this off is to create CDs that look like they are part of a patch subscription. Before the spread of ubiquitous online access, many Unix and enterprise application vendors would send patches via some package carrier (FedEx, UPS, USPS, etc.). Many still do. Some admins automatically install anything they get in the mail without first verifying its contents.
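
The verification step the comment above says admins skip, as an added example that is not part of the thread or any poster's code: before anything from a mailed patch CD is installed, its files are checked against a SHA-256 manifest obtained out of band (from the vendor's web site or support portal, never from the CD), and any file the manifest does not list is grounds for rejection. The media directory, manifest path and sample patch files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or any poster): refuse to act on
# a mailed "patch CD" unless its contents match a vendor SHA-256 manifest that
# was obtained OUT OF BAND (vendor web site or support portal), never the CD.
# Assumed inputs: MEDIA_DIR is the mounted or copied media; MANIFEST uses the
# sha256sum format ("<hex digest>  <relative path>").
set -u

# verify_media MEDIA_DIR MANIFEST -> 0 = safe to proceed, 1 = reject, 2 = usage
# Rejects on (a) any listed file missing or altered and (b) any file on the
# media that the manifest does not vouch for (autorun.inf, stray executables).
verify_media() {
    media=$1
    manifest=$(cd "$(dirname "$2")" 2>/dev/null && pwd)/$(basename "$2")
    [ -d "$media" ] || { echo "no such media dir: $media" >&2; return 2; }
    [ -f "$manifest" ] || { echo "no manifest: $2" >&2; return 2; }

    # (a) every listed path must exist and hash correctly (sha256sum -c exits
    #     nonzero on any mismatch or missing file; OK lines are discarded).
    ( cd "$media" && sha256sum -c "$manifest" >/dev/null ) \
        || { echo "REJECT: missing or altered file on media" >&2; return 1; }
    # (b) nothing may be present that the manifest does not list.
    listed=$(mktemp) present=$(mktemp)
    awk '{ $1 = ""; sub(/^ +/, ""); print }' "$manifest" | sort > "$listed"
    ( cd "$media" && find . -type f | sed 's|^\./||' | sort ) > "$present"
    extra=$(comm -23 "$present" "$listed")
    rm -f "$listed" "$present"
    if [ -n "$extra" ]; then
        echo "REJECT: unlisted file(s) on media:" >&2
        printf '%s\n' "$extra" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# build_sample_media DIR MANIFEST: constructed sample data for a dry run (two
# fake patch files plus the manifest a vendor would publish for them).
build_sample_media() {
    mkdir -p "$1/patches"
    printf 'constructed patch one\n' > "$1/patches/p1.bin"
    printf 'constructed patch two\n' > "$1/patches/p2.bin"
    ( cd "$1" && sha256sum patches/p1.bin patches/p2.bin ) > "$2"
}

# No arguments: dry run on the constructed sample, then on a tampered copy.
# Two arguments: check real media, e.g.  ./verify.sh /media/cdrom manifest.txt
if [ $# -eq 2 ]; then
    verify_media "$1" "$2"
elif [ $# -eq 0 ]; then
    sample=$(mktemp -d)
    build_sample_media "$sample" "$sample.manifest"
    verify_media "$sample" "$sample.manifest" && echo "sample media OK"
    printf 'x\n' > "$sample/autorun.inf"        # smuggle in an unlisted file
    verify_media "$sample" "$sample.manifest" || echo "tampered sample rejected"
    rm -rf "$sample" "$sample.manifest"
fi
```

The manifest must come from a channel the sender of the CD cannot control; a checksum file shipped on the same disc proves nothing.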

Re:Patch subscriptions (0)

Anonymous Coward | more than 5 years ago | (#29245973)

Incompetent admins automatically install anything they get in the mail without first verifying its contents.

Fixed that for you.

As well they should... (3, Insightful)

Sfing_ter (99478) | more than 5 years ago | (#29243401)

Social Engineering is the more likely cause of all major hacking issues. People saying their password out loud in a crowded office. My favorite is when you ask them for their password then add 'you can probably take everything I have because I use that for EVERYTHING'.

I have found people like "convenience", 'why should I have to log into ANOTHER computer to do the Banking?' - and 'can i get some speakers for that computer so i can listen to online radio while i do the banking?'...

I am glad to see that an "Alert" was produced from it, most businesses would have done the whole cover-up 'it never happened - now don't do it again' bit.

They detect the breach but fail (4, Insightful)

mysidia (191772) | more than 5 years ago | (#29243433)

They fail proper incident response by leaking incident data to the public. I would expect someone on their incident response team to be aware of the pen test, provide proof, and for the report to never leak out of the company.

I don't think proper incident response involves posting an alert based on an isolated incident and tipping off the attacker before law enforcement can move in.

Even if the attack was real, the institution might not want to reveal it to others, especially if the attack resulted in compromise; it could scare customers away if they were informed that a security compromise had occurred.

So it's a bit unusual that the report got out.

Re:They detect the breach but fail (2, Insightful)

DerekLyons (302214) | more than 5 years ago | (#29244583)

Um - did you even read the articles in question (while sober)? Because what you posted has about nothing to do with the sequence of events.

Re:They detect the breach but fail (1, Informative)

Anonymous Coward | more than 5 years ago | (#29244985)

This was not a sanctioned event. Maybe it was sanctioned by the CU but not by the NCUA. So how was the NCUA supposed to know this was an isolated event? Hence the FIRST alert they sent. But the linked article fails to mention the SECOND alert the NCUA sent. http://www.ncua.gov/news/press_releases/2009/MR09-0828d.htm Basically they are chastising the Credit Union who started the mess.

Re:They detect the breach but fail (1)

mysidia (191772) | more than 5 years ago | (#29256185)

Exactly: The bogus alert was forwarded to NCUA

For all anyone who was unaware of the test is concerned, they could have been forwarding the letter to the very person at the NCUA who was an insider sending the fraudulent letter.

It means that someone in the organization reported a suspected breach to someone outside the organization.

Either their security incident response team wasn't properly informed of the "test" that was being conducted, to avoid sending frivolous and illegal security reports to law enforcement and others, OR, someone leaked the information improperly.

large bureaucratic hierarchies like banks... (4, Insightful)

Dr_Ken (1163339) | more than 5 years ago | (#29243479)

...are just begging for this kind of attack. More stupid stuff gets done because of a "memo from HQ" than for any other reason. Nobody questions or authenticates anything. The drones just do watch their told to and move on. Makes me wanna keep my life savings in deposit soda bottles in the basement instead my credit union.

Re:large bureaucratic hierarchies like banks... (1)

schnikies79 (788746) | more than 5 years ago | (#29243617)

That's why it's a good reason to stick with locally owned banks/credit unions. The president of my bank lives five miles from me (he is also my uncle). If there is any sort of test like the above, he is there. Not sitting 300mi away sending memos.

Re:large bureaucratic hierarchies like banks... (1)

schnikies79 (788746) | more than 5 years ago | (#29243633)

In before the grammar nazi. Yes I see the error.

Re:large bureaucratic hierarchies like banks... (0)

Anonymous Coward | more than 5 years ago | (#29244295)

'gb2 4chan', kiddo.

Re:large bureaucratic hierarchies like banks... (2, Insightful)

DavidTC (10147) | more than 5 years ago | (#29245035)

It sorta defeats the point of a penetration test if the president is sitting right there. Especially as the president is probably going to be in on it. You're supposed to test the most vulnerable staffer, as that is who would actually be attacked.

I know what you mean, though. In any sort of problem, they'd personally contact someone who has the ability to make decisions and override the rules, in addition to just following the rules.

Re:large bureaucratic hierarchies like banks... (1)

omz13 (882548) | more than 5 years ago | (#29243683)

The drones just do watch their told to and move on.

That really depends on the company. I've worked for some where this is very true... people never question anything and do things that are just plain stupid because they don't apply any common sense and check with somebody before they do something they know is stupid or could be just plain wrong.

On the other hand, I worked for one bank where you couldn't sneeze without several line managers signing off a change request. This meant that when things got done, it usually got done right; of course, getting several line managers to sign off is like trying to herd cats.

Re:large bureaucratic hierarchies like banks... (1)

Dr_Ken (1163339) | more than 5 years ago | (#29244027)

If only...our credit union "got a memo" from DHS stating that to open or renew a Jumbo CD (more than 10k$) you had to show a passport! Apparently the page of the eMail or fax that said this new regulation only applied to non-citizens got lost somewhere but they dutifully followed this instruction for two months! I wonder how much business that cost them?

Re:large bureaucratic hierarchies like banks... (0)

Anonymous Coward | more than 5 years ago | (#29254633)

So what if they did succeed in an attack and the thieves got the money in your bank account? You're not liable for that, the bank is. If nothing else, FDIC/NCUA insurance will kick in. You don't lose any money, so why worry about it? Makes me want to keep my life savings somewhere it will gain interest and be insured against loss...

Re:large bureaucratic hierarchies like banks... (1)

Hurricane78 (562437) | more than 5 years ago | (#29269647)

I'd recommend beer. Someone made a calculation where that actually would make you more in interest than your bank ever could.

But I guess, before the "recession", gold would have been the best bet. Went up like crazy now, for obvious reasons.

AOL CD's??? (5, Funny)

DevConcepts (1194347) | more than 5 years ago | (#29243581)

Brain: We're going to ship AOL CDs to everyone as a "new upgrade version" that will give us full control of their computer.
Pinky: What if they don't use AOL?
Brain: There are 49 million sheep using AOL; it should be enough to do what we are going to do.
Pinky: What's that, Brain?
Brain: The same thing we do every night: try to take over the world.

Why bother taking "full control" (1)

voss (52565) | more than 5 years ago | (#29243687)

That triggers people to get their computer cleaned.

If someone really smart were gonna write a rogue program, they would create a program that does exactly what it's supposed to but also does X in a black box, X being whatever sneaky thing you want it to do. That X only taking up say 10% of CPU cycles and a like small amount of bandwidth. It would keep less sophisticated rivals off the computer to keep the computer running fast. If someone's computer is "running fine" then they don't clean it and they recommend the rogue program to their friends.

... but what will we call such a hypothetical prog (1)

Zero__Kelvin (151819) | more than 5 years ago | (#29245151)

"If someone really smart were gonna write a rogue program, they would create a program that does exactly what its supposed to but also"

That's a great new idea, but it needs a name. I propose something along the lines of "Trojan" after the Trojan Horse in the Illiad.

Re:... but what will we call such a hypothetical p (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29245391)

Wow, you sure fooled me. I was thinking Norton.

Re:... but what will we call such a hypothetical p (0)

Anonymous Coward | more than 5 years ago | (#29246959)

"Iliad", it's not a Nas album. Also, few know that the original Trojan horse was actually a Trojan WOOSH!

Um, their first clue that these consultants sucked (3, Funny)

antifoidulus (807088) | more than 5 years ago | (#29243785)

should have been the fact that a security consulting company chose for their name the name of a company that has pretty much the WORST track record for security in the industry.....

Re:Um, their first clue that these consultants suc (3, Informative)

Mister Whirly (964219) | more than 5 years ago | (#29243991)

I know you were aiming for Microsoft bashing, but honestly in the 80s a good chunk of computer related companies were named Micro something or other. No idea if this company has been around that long (or may have even been named that as a throwback kind of kitschy idea) but it seemed like for a time "Micro" was really hot as a precursor to a company name.

Re:Um, their first clue that these consultants suc (1)

bertoelcon (1557907) | more than 5 years ago | (#29244315)

Just like adding E or I in the early 00s.

Re:Um, their first clue that these consultants suc (4, Informative)

TheRaven64 (641858) | more than 5 years ago | (#29244809)

it seemed like for a time "Micro" was really hot as a precursor to a company name.

The '80s was the height of the microcomputer revolution. For anyone who didn't live through it, a microcomputer is a computer which uses a microprocessor (a CPU on a single chip). This differentiates them from minicomputers and mainframes which, at the time, typically had different parts of the CPU in several different chips. It wasn't until the mid '90s that even mainframes were using microprocessors; the first two generations of IBM's POWER series, for example, were multi-chip configurations.

The companies that rode the microcomputer wave were often not the companies that did well in the shrinking minicomputer and mainframe markets (and the minicomputer companies were often not established mainframe names either). They used micro- to differentiate themselves from the dinosaurs who were still clinging to the one-computer-per-company model. The implication was low-cost and flexible.

Re:Um, their first clue that these consultants suc (1)

DavidTC (10147) | more than 5 years ago | (#29245159)

Um, who said these consultants sucked?

Just because a company fails a penetration test and got caught doesn't mean it sucked. It might mean the company they were hired to test didn't suck.

The only person who 'sucked' here was the company that alerted the NCUA without realizing that they had, in fact, hired someone to do that. I suspect some over-eager security officer who not only discovered the attack, but alerted both his bosses and the NCUA before his bosses could inform him that this was, in fact, a penetration test.

In a sense, this was a good thing, for all anyone knew those CDs had been sent out to a dozen banks and right now they were sitting in the incoming mail or even already being inserted in computers. With something like this, it really could be a few hours that make the difference between two banks successfully attacked and twenty.

But, annoyingly, it was just a test. Thus demonstrating one of the problems of penetration testing... it might cause needless alarm and expense when detected, and that might even spread outside the organization. (The police, especially, get pissy when someone calls them.)

Not that warning people of intrusion vectors is a bad thing, but the NCUA presumed this was some actual attack and got pretty specific about a threat that no other bank is going to see, at least not in that specific manner, thus rather wasting people's time.

You must manage communication first (2, Insightful)

cheros (223479) | more than 5 years ago | (#29250205)

FFS, EVERY sensible organisation must run tests on various aspects, I run annual crisis management tests to ensure the plans they have actually work (we're talking about major, this-will-tank-the-company stuff which requires a military model of management to handle). It's fun dreaming up a realistic scenario, but it is ESSENTIAL that you manage the I/O to the crisis management team to ensure your test doesn't create a disaster in itself.

Let me give you an example: a VERY major news outlet was system testing years ago, and the twits didn't isolate properly. If it hadn't been for an alert operator they would have put out the story that a US president had died in an accident. Can you imagine the impact that would have had?

Good that the testers did what they did, exceptionally bad that they didn't verify communication paths beforehand. That suggests they were not employed at a high enough level or the security comms in the company sucks and needs to be improved as a matter of urgency. Bad PR also costs money, and from what I've seen they could improve there too.

Full marks for testing, but the test results suggest to me a couple of things need an overhaul pretty quickly. They are exposed as far as I'm concerned. Having said that, my standards in this are quite high.

Re:Um, their first clue that these consultants suc (1)

Zero__Kelvin (151819) | more than 5 years ago | (#29245183)

Actually it makes perfect sense. If you run Windows you have a Microsoft problem. If they magically lock the system down somehow anyway your Microsoft problem is MicroSolved ;-)

Re:Um, their first clue that these consultants suc (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29245579)

Re your sig: An even better one is "I get laid about as often as I need to reboot my Linux computer"

Reasonable Response (3, Interesting)

mmccoombe (533146) | more than 5 years ago | (#29244915)

Perhaps I am missing something obvious (wouldn't be the first time), but it seems to me that the issuance of the alert was a very reasonable thing given that the credit union which received the CDs did not know that it wasn't a real attack when they issued it. Of course, you would think that whoever had requested the penetration test would have been watching for something like this and stopped the alert from going out, but that's a different problem...

This HAS been seen in the wild (1)

gujo-odori (473191) | more than 5 years ago | (#29249613)

This attack has been seen in the wild. About 10 years ago (IIRC), one of the first phishing attempts in Japan was done by sending CDs to the homes of potential victims. Phishing is still pretty rare in Japan (about 500K attempts per year, as of 2007), but this early attack was, IMO, one of the smartest. It worked on both technical and cultural/social levels, a brilliant social engineering attack.

Yes, I loathe these guys; I own the anti-phishing rule set at a major email security company and would like to see them jailed, but at the same time, I have to concede the best phishers show me a lot of ingenuity. If they weren't criminals, I'd want to hire them to work on my side of the fence.
