
Cleaning Up the Mess After a Major Hack Attack

Soulskill posted more than 2 years ago | from the cut-the-lines dept.

Security 100

Hugh Pickens writes "Kevin Mandia has spent his entire career cleaning up problems much like the recent breach at Stratfor where Anonymous defaced Stratfor's Web site, published over 50,000 of its customers' credit card numbers online and have threatened to release a trove of 3.3 million e-mails, putting Stratfor in the position of trying to recover from a potentially devastating attack without knowing whether the worst is over. Mandia, who has responded to breaches, extortion attacks and economic espionage campaigns at 22 companies in the Fortune 100 in the last two years and has told Congress that if an advanced attacker targets your company then a breach is inevitable (PDF), calls the first hour he spends with companies 'upchuck hour' as he asks for firewall logs, web logs, and emails to quickly determine the 'fingerprint' of the intrusion and its scope. The first thing a forensics team will do is try to get the hackers off the company's network, which entails simultaneously plugging any security holes, removing any back doors into the company's network that the intruders might have installed, and changing all the company's passwords. 'This is something most people fail at. It's like removing cancer. You have to remove it all at once. If you only remove the cancer in your leg, but you have it in your arm, you might as well have not had the operation on your leg.' In the case of Stratfor, hackers have taken to Twitter to announce that they plan to release more Stratfor data over the next several days, offering a ray of hope — experts say the most dangerous breaches are the quiet ones that leave no trace."
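The summary describes the "upchuck hour" triage: pull firewall logs and web logs, find the fingerprint of the intrusion, and establish its scope before any cleanup starts. The script below is an added example of that first pass written for this page; it is not Mandia's tooling or anything from the article. It runs over two constructed log samples (Apache combined-format web log and a simple firewall log; all IPs, paths and timestamps are invented), flags client IPs that pulled bulk data from the web application, flags internal hosts that call out to the same addresses at a fixed interval (a common beacon pattern), and produces a scope report with the attacker addresses, affected hosts and first/last-seen times. The one-megabyte threshold and the 10% interval tolerance are assumptions chosen for the sample data.

```python
"""Added example: first-hour intrusion scoping over constructed firewall and web logs."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs. Addresses from documentation ranges, paths invented.
WEB_LOG = """\
203.0.113.7 - - [24/Dec/2011:02:14:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Dec/2011:02:14:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Dec/2011:02:20:33 +0000] "GET /index.html HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Dec/2011:02:31:44 +0000] "GET /admin/export.php?table=customers HTTP/1.1" 200 4194304 "-" "curl/7.21"
203.0.113.7 - - [24/Dec/2011:02:33:10 +0000] "GET /admin/export.php?table=users HTTP/1.1" 200 262144 "-" "curl/7.21"
"""
FW_LOG = """\
2011-12-24T02:35:00Z ALLOW OUT 10.0.0.12 -> 203.0.113.7:443
2011-12-24T02:40:00Z ALLOW OUT 10.0.0.12 -> 203.0.113.7:443
2011-12-24T02:45:00Z ALLOW OUT 10.0.0.12 -> 203.0.113.7:443
2011-12-24T02:50:00Z ALLOW OUT 10.0.0.12 -> 203.0.113.7:443
2011-12-24T02:41:12Z ALLOW OUT 10.0.0.31 -> 198.51.100.20:443
2011-12-24T03:12:40Z ALLOW OUT 10.0.0.31 -> 198.51.100.21:80
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
FW_RE = re.compile(r'^(\S+) (ALLOW|DENY) OUT (\S+) -> (\S+):(\d+)$')


def parse_web_log(text):
    """Parse Apache combined-format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status, size = m.groups()
        events.append({"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                       "method": method, "path": path, "status": int(status), "bytes": int(size)})
    return events


def parse_fw_log(text):
    """Parse the constructed firewall format; timestamps are UTC so they compare with the web log."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, port = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                       "action": action, "src": src, "dst": dst, "port": int(port)})
    return events


def find_bulk_downloads(web_events, threshold=1 << 20):
    """Client IPs that pulled at least `threshold` bytes from a single path (assumed exfil marker)."""
    per_ip_path = defaultdict(int)
    for e in web_events:
        if e["status"] == 200:
            per_ip_path[(e["ip"], e["path"])] += e["bytes"]
    return {ip for (ip, _), total in per_ip_path.items() if total >= threshold}


def find_beacons(fw_events, min_hits=4, tolerance=0.1):
    """(src, dst) pairs with >= min_hits allowed outbound connections at a near-constant interval."""
    times = defaultdict(list)
    for e in fw_events:
        if e["action"] == "ALLOW":
            times[(e["src"], e["dst"])].append(e["time"])
    beacons = {}
    for pair, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= tolerance * mean:
            beacons[pair] = mean
    return beacons


def scope_intrusion(web_text, fw_text):
    """Combine both signals into the scope report an incident lead would want first."""
    web, fw = parse_web_log(web_text), parse_fw_log(fw_text)
    attacker_ips = find_bulk_downloads(web)
    beacons = find_beacons(fw)
    hosts = {src for (src, _) in beacons}
    attacker_ips |= {dst for (_, dst) in beacons}
    related = [e["time"] for e in web if e["ip"] in attacker_ips]
    related += [e["time"] for e in fw if e["dst"] in attacker_ips or e["src"] in hosts]
    return {"attacker_ips": sorted(attacker_ips),
            "compromised_hosts": sorted(hosts),
            "beacon_interval_s": {f"{s}->{d}": i for (s, d), i in beacons.items()},
            "first_seen": min(related).isoformat() if related else None,
            "last_seen": max(related).isoformat() if related else None}


if __name__ == "__main__":
    import json
    print(json.dumps(scope_intrusion(WEB_LOG, FW_LOG), indent=2))
```

On the sample data the report names 203.0.113.7 as the external address (bulk export from the admin page, then a 5-minute beacon from 10.0.0.12), which is the kind of fingerprint the text says drives the simultaneous hole-plugging, backdoor removal and credential reset: the host list says what to isolate, and the first-seen time says how far back the password and backup review has to go.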


100 comments


FIrst Post (-1, Troll)

Overzeetop (214511) | more than 2 years ago | (#38584008)

This thread has been hacked in record time!!

Re:FIrst Post (0)

Anonymous Coward | more than 2 years ago | (#38584040)

Hacked by this Mandia bloke, no doubt.

Re:FIrst Post (3, Interesting)

Tsingi (870990) | more than 2 years ago | (#38584936)

But were it an expert hack:

experts say the most dangerous breaches are the quiet ones that leave no trace.

You would not have known.

In fact, security experts would like that to be your last thought before you go to sleep at night, and your first thought when you wake up, and uppermost in your mind when they pad your bill with zeroes.

Re:FIrst Post (0)

Anonymous Coward | more than 2 years ago | (#38666352)

The goal isn't to collect data, it's to embarrass companies. Being quiet doesn't achieve the latter.

Clean up? Start fresh (2, Insightful)

dbIII (701233) | more than 2 years ago | (#38584062)

Clean installs on everything, new passwords, and don't trust anything executable that has been on the compromised machines anywhere near the time it was hacked.
It's not a huge deal here anyway - because this lot have a high profile everyone forgets how small they really are. Your local newspaper probably has a bigger operation and a hell of a lot more subscribers.

Re:Clean up? Start fresh (4, Informative)

Anonymous Coward | more than 2 years ago | (#38584100)

Imagine that you have 1000 employees. Every workstation, every server, every switch, every usb-stick, every external drive could hold the seed to restoring hacker control on your network. You'd have to wipe all of them before allowing them to reconnect to the network.

Then, a week from now, someone asks IT for a file from the off-line backups, and your network is owned again.

Re:Clean up? Start fresh (1)

dbIII (701233) | more than 2 years ago | (#38584134)

These people do not have anywhere near 1000 employees. Even if they did that just makes it easier because you can justify putting more people into action, bringing in as many people from the outside as needed and getting the job done.

Then, a week from now, someone asks IT for a file from the off-line backups, and your network is owned again.

I really thought putting the advice to prevent this in the title would be obvious enough. Maybe bold and in capitals with a BLINK tag might help next time :(

Re:Clean up? Start fresh (0)

Anonymous Coward | more than 2 years ago | (#38584404)

I really thought putting the advice to prevent this in the title would be obvious enough. Maybe bold and in capitals with a BLINK tag might help next time :(

"Clean up? Start fresh" isn't applicable advice unless you want your board to go to jail at the next IRS audit (which you might, in which case disregard this comment).

Re:Clean up? Start fresh (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38584198)

I did work for a Fortune 100 company. We had Disaster Recovery Plans which involve that exact sort of thing. We rehearsed it once for an entire market we operated in, it took about 11 staff and 12 hours to do. We did it during the night during a weekend to reduce impact. Many of the systems were still operating during the rehearsal. We did phones, servers, workstations, restoration of images/backups, phones, network infrastructure, most HSMs (Excluding CAs) etc. As for viruses coming back from at-rest data backups, well, we virus scan them before it's used and nearly all of them are digitally signed (so tampering after the fact is harder) but I can't think of what else you can do. We can load our own heuristics and signatures onto our distributed IDSs though, so if we did find any type of malware on our system, we can identify it and add it to the IDS and it would be picked up when/if it was on offline backups and when/if it's restored. The biggest weaknesses we identified were network bottlenecks, outdated documentation and outdated client software to handle the procedures.
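The comment above describes two controls on restored backups: the backup set is signed so tampering after the fact shows, and signatures for any malware found during the incident are checked against the data before it is restored. The code below is an added example of that gate, written for this page and not taken from the commenter's employer or from any real DR tooling. It uses a keyed HMAC over a SHA-256 manifest as a stand-in for the digital signature the comment mentions (a production system would use a public-key signature and an offline key), and a dictionary of known-bad file hashes as the stand-in for the IDS signature list. The file contents, key and "known-bad" hash are all constructed for the demonstration.

```python
"""Added example: gate a backup restore on a signed manifest and a known-bad hash list."""
import hashlib
import hmac
import json

# Constructed backup set: file name -> bytes. The "helper.bin" content stands in
# for a binary that was later identified as malicious during the incident.
BACKUP_FILES = {
    "reports/q4-summary.odt": b"PK\x03\x04 constructed ODF document body",
    "tools/helper.bin": b"MZ constructed binary, later found to be malicious",
}
# Constructed signing key; in practice this lives in an HSM or offline.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
# Constructed IDS/AV signature list: sha256 hex digest -> signature name.
KNOWN_BAD = {
    hashlib.sha256(BACKUP_FILES["tools/helper.bin"]).hexdigest(): "demo-sig-0001",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_manifest(files):
    """Manifest is canonical JSON of name -> sha256 so the signature is reproducible."""
    return json.dumps({n: sha256_hex(b) for n, b in files.items()}, sort_keys=True).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the manifest bytes; stand-in for a real digital signature."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def screen_restore(files, manifest, signature, key, known_bad):
    """Return (ok, findings). ok is True only if the manifest verifies, every file
    matches it, nothing is missing or extra, and no file hash is on the known-bad list."""
    # Signature check first: an unsigned or re-signed manifest tells us nothing.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature invalid: refuse restore"]
    expected = json.loads(manifest)
    findings = []
    for name, data in files.items():
        digest = sha256_hex(data)
        if name not in expected:
            findings.append(f"{name}: not listed in manifest")
        elif expected[name] != digest:
            findings.append(f"{name}: hash mismatch (tampered after backup)")
        if digest in known_bad:
            findings.append(f"{name}: matches known-bad signature {known_bad[digest]}")
    for name in sorted(set(expected) - set(files)):
        findings.append(f"{name}: listed in manifest but missing from backup")
    return not findings, findings


def demo():
    """Run the four cases a restore gate has to get right; returns each verdict."""
    manifest = make_manifest(BACKUP_FILES)
    sig = sign_manifest(manifest, SIGNING_KEY)
    results = {}
    # 1. Untouched backup, no known-bad hashes yet: restore allowed.
    results["clean"] = screen_restore(BACKUP_FILES, manifest, sig, SIGNING_KEY, {})
    # 2. Same backup after the IDS signature was added: restore blocked on helper.bin.
    results["known_bad"] = screen_restore(BACKUP_FILES, manifest, sig, SIGNING_KEY, KNOWN_BAD)
    # 3. A file changed after the backup was taken: hash mismatch.
    tampered = dict(BACKUP_FILES, **{"reports/q4-summary.odt": b"PK\x03\x04 modified body"})
    results["tampered"] = screen_restore(tampered, manifest, sig, SIGNING_KEY, {})
    # 4. Manifest re-signed with the wrong key: refused before any file is looked at.
    bad_sig = sign_manifest(manifest, b"wrong-key")
    results["bad_signature"] = screen_restore(BACKUP_FILES, manifest, bad_sig, SIGNING_KEY, {})
    return results


if __name__ == "__main__":
    for case, (ok, findings) in demo().items():
        print(case, "OK" if ok else "BLOCKED", findings)
```

The ordering matters: the signature is checked before any per-file work, because once the manifest itself can be rewritten the hash comparison proves nothing, and the known-bad check runs even on files whose hashes match the manifest, since a backup taken while the intruder was already present will be perfectly consistent and still carry the implant.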

Re:Clean up? Start fresh (0)

Anonymous Coward | more than 2 years ago | (#38587514)

Jeeeeesus... just buy macs. ;)

Sorry, had to poke.

Re:Clean up? Start fresh (4, Insightful)

Lumpy (12016) | more than 2 years ago | (#38584210)

Not a problem here. We simply restore the workstation boot image from the creation CD and run all the updates on it.
Thumb drives, not a problem, thumb drives don't work here.

As for switches, I can update IOS on every switch in 60 seconds. Not a hard thing to do.

As for the "backups" problem. I have yet to see a hacker that can infect a machine using an odf file, I'm not backing up ANY executables.

Honestly I can do a complete wipe and restore in under 5 days for a company that has 1000 employees and 20 servers. IF the IT department was set up and run by competent people.

If it's a typical cluster-turd... far far longer.

Re:Clean up? Start fresh (1)

Xugumad (39311) | more than 2 years ago | (#38584436)

> as for the "backups" problem. I have yet to see a hacker that can infect a machine using an odf file

http://www.openoffice.org/security/bulletin.html [openoffice.org]

Although I'll admit, never seen any of those in a real use-case.

Re:Clean up? Start fresh (2)

fatphil (181876) | more than 2 years ago | (#38585038)

"I have yet to see a hacker that can infect a machine using an odf file"

Have you considered the possibility that you have insufficient experience in the field?

"I'm not backing up ANY executables."

What about the executable components that can be embedded in the ODF files you are so happily backing up? Are you deliberately not backing up emails? If so, your backups are useless. If you are backing up emails, then you cannot be sure you're not backing up executables.

Your whole stance looks like you have no understanding of the problems that can be faced.

Re:Clean up? Start fresh (2)

extra88 (1003) | more than 2 years ago | (#38586560)

Your whole stance looks like you have no understanding of the problems that can be faced.

Why assume the worst? More likely he wasn't inclined to go into that level of detail here.

If he's already going so far as to prevent the use of USB flash drives, isn't it likely that email attachments are handled in a similarly aggressive manner (e.g. executables automatically removed, remaining attachments quarantined, etc.)? Workstation backups needn't include email; email belongs on email servers, local copies are just a cache.

Re:Clean up? Start fresh (1)

fatphil (181876) | more than 2 years ago | (#38588730)

Why assume the worst? Because this was a scenario pertaining to security, and your security has been proved to be insufficient a priori. That's why. Big forehead-slapping Duh!

I love your assumption that the email servers haven't been compromised. That's a great one to save time in the restoration effort, I agree, but please don't waste your time applying for an IT role anywhere near where I work.

See FatFuckPhil run (0)

Anonymous Coward | more than 2 years ago | (#38589342)

Re:See FatFuckPhil run (1)

fatphil (181876) | more than 2 years ago | (#38598896)

Geee, I got a stalker, ain't I lucky!

Re:Clean up? Start fresh (1)

Lumpy (12016) | more than 2 years ago | (#38595072)

I guarantee my email servers are not compromised, they have been sitting OFF in a storage room for the past 3 years. We switched to Gmail for Exchange hosting 3 years ago to get rid of having to manage the huge turd that Exchange server is.

Re:Clean up? Start fresh (4, Insightful)

wvmarle (1070040) | more than 2 years ago | (#38585454)

Honestly I can do a complete wipe and restore in under 5 days for a company that has 1000 employees and 20 servers.

That's not too bad. But of course any machine that's not been wiped and restored can not be allowed on the network. And for the employees that means up to five days of not being able to do much. That's a long time to wait.

Re:Clean up? Start fresh (1)

couchslug (175151) | more than 2 years ago | (#38588558)

Hand out a custom (or even standard) version of this for emergencies with an instruction sheet tucked into the CD cover.

Your taxes paid for it:

http://www.spi.dod.mil/lipose.htm [dod.mil]

Re:Clean up? Start fresh (0)

Anonymous Coward | more than 2 years ago | (#38586072)

Wait... i have a few ODF files i'd gladly let you backup for me... =)

Re:Clean up? Start fresh (0)

Anonymous Coward | more than 2 years ago | (#38587534)

I have yet to see a hacker that can infect a machine using an odf file .

How about PDF? SWF? XLS(x)? DOC(x)? Those are never the vector for code injection, right? And as for ODF... gotcha:

"Executable" ain't just EXE, COM, MSI and DLL anymore.

Re:Clean up? Start fresh (1)

Malvineous (1459757) | more than 2 years ago | (#38605826)

as for switches, I can update ios on every switch in 60 seconds. not a hard thing to do.

But how do you know the update was actually applied, and it wasn't rogue firmware falsely telling you it succeeded?

Re:Clean up? Start fresh (0)

Anonymous Coward | more than 2 years ago | (#38613832)

So I just want to be clear. Hypothetically...you're breached. You restore your systems from a clean image (manually run updates) despite the fact that you have clearly been a target. Which means you're reverting your infrastructure to an even more outdated version of the software than you had prior to the breach, increasing the surface area for intrusion. Sweet titties...Where do you work again?

Re:Clean up? Start fresh (3, Insightful)

Xugumad (39311) | more than 2 years ago | (#38584420)

> Imagine that you have 1000 employees. Every workstation, every server, every switch, every usb-stick, every external drive could hold the seed to restoring hacker control on your network. You'd have to wipe all of them before allowing them to reconnect to the network.

I wish people would remember this when they claim companies' estimates of damage from a cracked system are excessive. You can bring an entire company to a standstill for an extended period of time by requiring (unless as a customer you're just fine with them taking risks with your data?) multiple critical systems to be isolated and rebuilt from scratch at the same time, even if there's no clear damage done, because you have no other way of verifying they're clear.

In a high security environment, destroying the physical machines to be sure (tampered firmware, stuff hidden in bad blocks on the hard drive, or who knows what else) is probably a sensible move.

Re:Clean up? Start fresh (1)

pclminion (145572) | more than 2 years ago | (#38586612)

I assume that by "wiping" you include re-flashing all the firmware (including BIOS), in all of your devices including printers, routers, etc. It ain't as easy as wiping a bunch of drives. In fact, probably cheaper to throw all the equipment right in the recycle truck.

Re:Clean up? Start fresh (4, Interesting)

Arrogant-Bastard (141720) | more than 2 years ago | (#38584240)

This also includes clean installs on employee portable systems (laptops, PDAs, tablets, phones) as well as anything they have at home that can connect to the corporate network.

Of course, this will never happen.

Then it's time to go through all backup media and sanitize it, since of course a potential future restore could re-initiate the breach.

Of course, this will never happen.

Meanwhile, forensic work needs to be done to figure out what the vector(s) was/were for this incident. It's not enough to just identify and deal with those, however; they need to be studied in context in order to achieve an understanding of what additional, latent vectors exist that could be used.

Of course, this will never happen.

And then it's time for a very pointed session with a copy of Marcus Ranum's "Six Dumbest Ideas in Computer Security", because chances are pretty high that this organization used all six.

Of course, this -- especially this -- will never happen.

Re:Clean up? Start fresh (0)

Anonymous Coward | more than 2 years ago | (#38587652)

Interesting read, and I agree with default permit, but the implication that patching holes found in software is stupid when 95 - 100% of the software a company uses isn't controlled by the company? Unless everybody is willing to write their own OS, web browser, image editing software, PDF reader, drivers, etc., we're kinda stuck with it. Even with "well designed" software, some flaws are found. Software is so interrelated that even if my code is perfect, a flaw in the OS / driver / plugin / whatever may end up being an attack vector.

Where things get tricky with default disallow is the web. It's become the "go to" place for knowledge, and it can take a lot longer to look something up without the web and a search engine. So does one rely on a service to white list all the known good sites - and keep that list up to date? (A site that was safe yesterday may have malware today.) Google has the safe browsing api - and there are probably other services out there that do similar things. . .

Point 2 - it is possible in a medium sized business to know all the applications in use, but it's uncommon, and one must fight all the managers in all the departments to get this information.

I don't believe that most employees will get better about technology. Sure, they'll be comfortable using the newest gadgets, but they'll still be clicking on dubious links or attachments. One can do a fair amount of screening to try to weed these employees out, but if every person were a sysadmin, we'd never get anything done with that nice, secure IT infrastructure.

#5 is largely decent, but even with "safe" attachments there are attack vectors. .jpgs that exploit bugs in image viewers, .pdfs that exploit bugs in Adobe's reader, etc. So now we're back to virus scanners...

Re:Clean up? Start fresh (4, Insightful)

Arrogant-Bastard (141720) | more than 2 years ago | (#38588198)

What you're doing, although I don't think you intended to, is making excuses as to why those six mistakes are necessary. This is a fatal error. By justifying them, you ignore the consequences -- which are that you've just about guaranteed that you will be hacked the first time someone with sufficient expertise and resources decides to target you.

The trick is to recognize that you cannot make these mistakes. Period. No matter who you have to run over, who you have to piss off, who you have to overrule, who you have to upset, no matter what. You have to be, and yes I am, an arrogant bastard. Because the moment you compromise, you're doomed. We've seen it over and over and over and over again, we're seeing it again today, we'll see it again tomorrow. Every single data breach incident I've ever read about included at least one of those six mistakes, and most of them included several. Yet incompetent, weak-willed IT people insist on making them because "we've always done it this way" or "that can't work!" or "but it would break..." or for a thousand other reasons...none of which matter. (What good is having a spiffy computing environment if it's not secure?)

The problem isn't that we don't know what to do. We do. The problem is lack of will to do it.

Re:Clean up? Start fresh (3, Insightful)

Demonoid-Penguin (1669014) | more than 2 years ago | (#38584322)

Clean installs on everything, new passwords, and don't trust anything executable that has been on the compromised machines anywhere near the time it was hacked. It's not a huge deal here anyway - because this lot have a high profile everyone forgets how small they really are. Your local newspaper probably has a bigger operation and a hell of a lot more subscribers.

I seriously doubt your local newspaper has more money involved - or any local newspaper. Maybe some of the national broadsheets - but that's a moot point.

Cleanups aren't complicated - but fixes are - they just sound simple. And most commonly people seem to believe they are the same thing - I contend that they're not.

In my experience these things happen again and again to the same companies (though the majority put a lot of effort into keeping it secret). Not the same dog each time, but definitely the same leg action.

I've done a bit of due diligence on companies, listened in on workers at lunch, chatted to ex-staff, and hired investigators - and I've found few that are as clean as presented - it's like buying a pub where the bartenders or staff don't dip into the till, or regulars (and staff) have never dealt in drugs (rare as hen's teeth).

I'm not talking about defending against attackers - and I don't dispute that a determined, well resourced, intelligent attack will always succeed if time permits (it's like robbing armoured cash vans really - or so I've heard). I'm talking about the things that make it easy for attackers - I believe that if you raise the bar enough - all the hurdlers don't get better - just a few of them (and when you're robbed you're robbed, so number of occurrences is important)

What interests me is why there's always talk of plugging gaps and fixing procedures - but never any mention of fixing the primary problem. The primary problem being institutional psychology. Like storing your beer on the nature strip and having it stolen (surprise - people want your beer). Then "cleaning up" by making sure all liquor is secured inside the premises, and "fixing" the problem by telling people to store their beer in the fridge and lecturing them on physical security. It overlooks the possibility that only an untrustworthy idiot would put beer on the nature strip in the first place - and even if they don't put it on the nature strip again they will probably lose a house key, or leave a window open.

  • A. I don't know if that sort of stupidity can be "cured" (even with vigorous application of the stick of knowledge)*1.
  • B. I strongly suspect the problem starts at the top (board of directors) - but I'll allow for the possibility the shareholders (or the institutional representatives that vote on their behalf) play a part in the process.*2

*1 I don't believe lazy, stupid staff change if you send them to motivation and inspiration seminars either, certainly I've seen no evidence to support it.

I'm working on a theory that dumb travels downward - I call it "The Argument from Moron Motion"

Re:Clean up? Start fresh (1)

dbIII (701233) | more than 2 years ago | (#38584448)

I seriously doubt your local newspaper has more money involved

Which means more resources then doesn't it?
Then again, how much was a subscription with these guys? Remember not all the compromised cards are current accounts, so it adds up to something a lot smaller than the trumpet they are blowing. It's beginning to look like a small group that didn't have the resources to get a temporary hosted web presence going by now instead of a larger group that didn't have the competence to get something going.

Re:Clean up? Start fresh (1)

Demonoid-Penguin (1669014) | more than 2 years ago | (#38592916)

I seriously doubt your local newspaper has more money involved

Which means more resources then doesn't it? Then again, how much was a subscription with these guys? Remember not all the compromised cards are current accounts, so it adds up to something a lot smaller than the trumpet they are blowing. It's beginning to look like a small group that didn't have the resources to get a temporary hosted web presence going by now instead of a larger group that didn't have the competence to get something going.

I meant to try and find out something about their holdings and earnings - but forgot. A cursory search didn't show much I could confirm. Apparently they have 20 full-time staff, mostly just analysts, they are a major customer of Media Monitors (which takes a few bucks) - the estimate I got was that they probably spend close to 7 figures per annum there. I'd guess they'd be using the other big 6 - all of which are more expensive - then there's the collectors and clippers I don't know about (probably heaps). Their list of private subscribers is what they seem so worried about keeping quiet - very big public subscription service (I've used them, their free resources have always been excellent).

Are they making money? It would appear so. Most newspapers are not making much money.

So I'd estimate they'd have to be grossing more than $10 million a year just to pay wages and the various news gathering companies (MediaMonitors are small and cheap on a global scale). I'm only *guessing* but I'd say they have very few resources - but their earnings would dwarf those of any "local" paper (nothing unusual there).

I wouldn't try and read anything into a web presence - it's less an indicator of their financials than MacDonalds' web presence. Stratfor's website was mostly their free feeds - you pay for anything other than a composite of the world's media monitoring companies and you get one-on-one teleconferencing and emails - not a web feed or login. Take all that with a bit of salt - I've asked two people and spent more time typing this than I spent checking and thinking about it.

Re:Clean up? Start fresh (1)

dbIII (701233) | more than 2 years ago | (#38593668)

It's good to see somebody has actually thought about it and looked around instead of assuming thousands of employees with desktop PCs like another poster above.
I also should have written "capital city newspaper", which is what I really meant, instead of "local newspaper". Some people heard the "shadow CIA" line from some PR somewhere and assumed that this clipping service was a huge organisation of thousands instead of something smaller than places a lot of the readers would be working in.

Re:Clean up? Start fresh (1)

Demonoid-Penguin (1669014) | more than 2 years ago | (#38619144)

I also should have written "capital city newspaper", which is what I really meant, instead of "local newspaper".

I was pretty impressed with what so few people did with so much contradictory, nebulous information. If you're not familiar with their work try a Google "site:" search for a list of their (formerly) public releases, then "cache:" to read one.

I asked around to get a few opinions on my guesstimates for mid-western newspapers (I already had some on the few Australian equivalents), it was worth the trouble if only to feed a few red herrings to a gossipy journalist "friend" (May-te!). Right now he's probably at his usual position at the club telling people I'm about to buy into American local newspapers.

Pity those [smh.com.au] mushrooms aren't on the menu.

Nature strip? What's that? (1)

sgtrock (191182) | more than 2 years ago | (#38585026)

Given the usage, it has to be a term that's fairly commonly known somewhere but I've never seen it.

Re:Nature strip? What's that? (1)

gknoy (899301) | more than 2 years ago | (#38588042)

http://en.wiktionary.org/wiki/nature_strip [wiktionary.org]

Australian term, meaning "An area of grass beside a roadway, possibly with a few trees or shrubs, lying in between the footpath part and the roadway proper". Basically: Fools store their beer in their front yard, and complain when people take them for free.

Re:Nature strip? What's that? (1)

Demonoid-Penguin (1669014) | more than 2 years ago | (#38589628)

http://en.wiktionary.org/wiki/nature_strip [wiktionary.org]

Australian term, meaning "An area of grass beside a roadway, possibly with a few trees or shrubs, lying in between the footpath part and the roadway proper". Basically: Fools store their beer in their front yard, and complain when people take them for free.

Pretty much - except that your nature strip, unlike your front yard, is not your property - it belongs to the local council (for all intensive purposes) though you maintain it. It's where you put your garbage, and things you don't want (like old furniture) for public collection.

Though people will sometimes complain if things on the nature strip are taken by the public (like out of their rented rubbish skip) the complaint has no legal standing (much like the bullshit legal sounding jargon people append to their emails - modern day hexes).

Re:Clean up? Start fresh (2)

mcgrew (92797) | more than 2 years ago | (#38585932)

it's like buying a pub where the bartenders or staff don't dip into the till

Man, that's some 20th century thinking there. I don't know of a single tavern that doesn't have a camera pointed at the cash register.

Re:Clean up? Start fresh (1)

Demonoid-Penguin (1669014) | more than 2 years ago | (#38589694)

it's like buying a pub where the bartenders or staff don't dip into the till

Man, that's some 20th century thinking there. I don't know of a single tavern that doesn't have a camera pointed at the cash register.

Like that makes any difference. Your faith in technology and your own opinion are both misplaced, and have led you to ignore reality. Next you'll be declaring no convenience store staff fiddle the till because of the security camera and pickpockets died with Dickens.

reading comprehension fail (0)

Anonymous Coward | more than 2 years ago | (#38584350)

You fail reading comprehension. Cleaning up problems, not servers/PCs. There is more to incident response than cleaning up the hardware. Obviously you haven't been there at "upchuck hour".

Re:Clean up? Start fresh (0)

Anonymous Coward | more than 2 years ago | (#38594262)

Try that on a few thousand servers on a similar figure of subnets over ten or more datacenters giving hundreds of services; it gets tricky.

Re:Clean up? Start fresh (1)

dbIII (701233) | more than 2 years ago | (#38595308)

With a company like the clipping service in the article that employs around twenty people full time it's a little bit different. WTF do you people get the "few thousand servers" from?

And, as usual... (4, Insightful)

AngryDeuce (2205124) | more than 2 years ago | (#38584086)

A bunch of people that had nothing to do with the breach will more than likely end up losing their jobs over it (often the same people that warn about these vulnerabilities beforehand), while the retards that caused the breach, either through their ineptitude or refusal to spend money on proper security, walk away unharmed.

Re:And, as usual... (2)

alphatel (1450715) | more than 2 years ago | (#38584102)

As any c-level will tell you: emails or it didn't happen.

Re:And, as usual... (1)

schitso (2541028) | more than 2 years ago | (#38584142)

Boss: Oh, sorry, I didn't get that email. It must not have gone through. Me: Why would just that one email not "go through"? Boss: I don't know, you're the IT guy.

Re:And, as usual... (5, Insightful)

Lumpy (12016) | more than 2 years ago | (#38584224)

Which is why I send the email 10 times with a receipt request. Boss is too stupid to turn off that feature, and I also get a reply from him saying, "PLEASE STOP EMAILING ME THIS!"

Never EVER trust your boss. he will burn you to save his own butt.

Re:And, as usual... (0)

Anonymous Coward | more than 2 years ago | (#38584746)

Which is why for anything that I don't agree with, that could be a problem, I send a "Do you still want us to do X" email. Only do it once you have it in writing.

It's sad that it needs to be done but the world is unfortunately not perfect. However, if you find yourself doing this more frequently than not then it's time to find another job.

Re:And, as usual... (0)

Anonymous Coward | more than 2 years ago | (#38585474)

I do that as well. If I ask for confirmation after 17:00, I'm in the clear until the next day.

Re:And, as usual... (4, Insightful)

HereIAmJH (1319621) | more than 2 years ago | (#38584900)

Any job that requires a CYA email archive is not worth having.

Re:And, as usual... (0)

Anonymous Coward | more than 2 years ago | (#38585996)

Well, somebody has to clean this shit up. It all pays the same anyways, once this clusterfuck is straightened out regular ops will be smooth sailing.

Re:And, as usual... (0)

Anonymous Coward | more than 2 years ago | (#38588938)

Ever work for a governmental organization? Good gig, but CYA is an absolute requirement. If not for me, then to protect the boss.

Re:And, as usual... (1)

couchslug (175151) | more than 2 years ago | (#38591986)

Food, clothing, and shelter are nice to have.

Also, a CYA archive may protect you from one idiot in an otherwise good job.

Save it all.

Re:And, as usual... (0)

Anonymous Coward | more than 2 years ago | (#38587314)

A bunch of people that had nothing to do with the breach will more than likely end up losing their jobs over it (often the same people that warn about these vulnerabilities beforehand), while the retards that caused the breach, either through their ineptitude or refusal to spend money on proper security, walk away unharmed.

I hear ya. That is why I hate working with the clowns I work with, cause they just don't understand, and I don't care to explain it all to them...However I would happily give them the stack of books and tell them to have at it.

Re:And, as usual... (0)

Anonymous Coward | more than 2 years ago | (#38588748)

Yeah, but that's not really related to security; that's just what happens any time something goes wrong.

Call Kevin Mandia for your security needs (2)

GeneralTurgidson (2464452) | more than 2 years ago | (#38584094)

In all seriousness, there really needs to be a court recognized standard for IT security due diligence. There are too many organizations doing their own thing or using "compensating controls" that only work in some auditors dream world.

Re:Call Kevin Mandia for your security needs (1)

JRHelgeson (576325) | more than 2 years ago | (#38587516)

I'm working on that right now - I'm on the SBA Information Security Task Force - determining what really are the best practices out there. It's an all but impossible task.

Clean-up underway (0)

Anonymous Coward | more than 2 years ago | (#38584112)

First objective: Assure stake-holders and the public that Stratfor is handling things professionally, never mind the stupid mistakes they made before. Those were probably some intern's doing, who has been sacked. It's all professional again now. It wasn't that bad in the first place, because the hackers are publishing information. Can you imagine how much worse it would have been if they had kept the secrets to themselves? You see, nothing happened and everything is in professional hands now. Stratfor, run by professionals who deserve your trust.

There goes my new year's resolution. I wanted to be less sarcastic and cynical this year. Damn you, Stratfor.

Uh huh. Yeah, sure. (2)

Hartree (191324) | more than 2 years ago | (#38584606)

"I wanted to be less sarcastic and cynical this year."

Tell us another one.

Government warnings?? (4, Interesting)

Anonymous Coward | more than 2 years ago | (#38584116)

I'm curious though. In the PDF Kevin Mandia states that 90% of private enterprises don't know their networks have been compromised until the government (DoD, etc.) tells them. So, how does the government know that these companies are compromised?
I mean, apart from seeing spammy emails coming out, or in the case of the spooks, them seeing information on another system somewhere that's obviously been "stolen" from a US bank or something, how would they know?
What sort of things would have to happen for a company to get a "Hey, you have bad guys all over your network" visit from the government guys?

Re:Government warnings?? (0)

Anonymous Coward | more than 2 years ago | (#38584158)

They watch their firewall traffic. When they see suspect network traffic coming in then they can guess that the remote site is compromised.

Re:Government warnings?? (0)

Anonymous Coward | more than 2 years ago | (#38584160)

Hmmmm... my guess is that the government sponsors insiders and private companies don't? That's just my guess.

Re:Government warnings?? (3, Funny)

Lumpy (12016) | more than 2 years ago | (#38584236)

If the DoD sees an attack from pepsi.com, it's pretty easy from that point to figure out that pepsi.com is compromised. Even an MCSE can figure that one out.

Re:Government warnings?? (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38584678)

You miss the point.

If someone has access to a corporate network, and is smart, they're not going to blow it by using that company's internet-facing machines to start running portscans on DoD machines, well, not unless they are script-kiddie stupid.

So, the target network is breached surreptitiously and information is quietly pilfered, à la corporate espionage. How's the DoD ever going to know?

They should say "The government tells 90% of the small subset that do something stupid like launch DDoS attacks on DoD systems straight from the compromised machines. The rest, no one probably knows about".

Re:Government warnings?? (0)

Anonymous Coward | more than 2 years ago | (#38584622)

90% of private enterprises don't know their networks have been compromised...

It's worse for governments; that figure can go over 100%. If the Russians compromise the Chinese back door into your government network, that counts as 2.

Re:Government warnings?? (3, Informative)

httptech (5553) | more than 2 years ago | (#38584978)

It's pretty simple - the attackers install backdoor trojans which phone home to various command-and-control (C2) servers. In some cases when the USG identifies a high-value (i.e. involved in corporate and/or government espionage) C2 in the U.S. they get a warrant to monitor all network traffic to and from that host at the upstream. Once you have netflow or pcap data you can pretty easily tell who the compromised companies are when you see their corporate firewall IP hitting the C2 at regular intervals.

Private-sector researchers do this as well sometimes, but you need cooperation from the upstream. Or in some cases, the attackers are sloppy enough to leave behind publicly-accessible server logs, à la Shady RAT.

Re:Government warnings?? (0)

Anonymous Coward | more than 2 years ago | (#38585188)

Now THAT makes sense, thank you.

The Gov can go off and pull its "wiretap/interception" powers thing and make the upstream provider hand over their traffic logs for those particular machines, or sit and watch it for a while... gotcha!

Excellllllllent....

Re:Government warnings?? (0)

Anonymous Coward | more than 2 years ago | (#38585566)

You are obviously not a server admin.

Set up your own box, throw it out on a public IP, then watch your logs. After you crap yourself at how often you get attacked, start looking at those that attack you and how. Then you'll have your answer.

Re:Government warnings?? (1)

datastew (529152) | more than 2 years ago | (#38586682)

In the second paragraph on page 4, Mr. Mandia says that over 90% of the private enterprises don't know their networks have been compromised until they learn from the FBI, DoD, or some other third party (emphasis added). However, in the last paragraph of page 5, he says that over 90% of the breaches his company responds to are first detected by the government.

The "some other third party" phrase seems more realistic to me unless he deals mostly with government agencies themselves.

Re:Government warnings?? (0)

Anonymous Coward | more than 2 years ago | (#38587980)

And he says "has told Congress that if an advanced attacker targets your company then a breach is inevitable".
Oh??? Let's see them hack a mainframe!!! No one has hacked one yet, so if they are really advanced, hack a mainframe, then I will call you advanced!!

Re:Government warnings?? (0)

Anonymous Coward | more than 2 years ago | (#38591216)

Fed notification of breaches occurs because there are fed-owned Snort boxes on FISA warrants in a lot of places with fed-developed APT signatures. APT is essentially espionage (well, not so much the Stratfor one, since that's in the hacktivism category), and there are people devoted to keeping an eye on that.

God says... (-1)

Anonymous Coward | more than 2 years ago | (#38584174)

steals pulse profane advising conversion DAMAGES signifies
Antony slumber demands drink endangers No toss interpreting
foreigner soughtest piercing clog incomparably vain secrecies
whencesoever Same prizes XII Portions need triumph endangers
is motions poets

Penis? (-1)

Anonymous Coward | more than 2 years ago | (#38584226)

Anyone else read "penis" when reading

"Kevin Mandia has spent his entire career"

?

quiet breaches (2)

helix2301 (1105613) | more than 2 years ago | (#38584300)

I agree with the sentence "the most dangerous breaches are the quiet ones". The reason is you don't know you got hacked and you don't know what they got. When a hack is quiet the hacker can come and go as they please, and instead of getting in and getting out the hacker has time to explore and make more exploits and holes for themselves to get in and out of. The best and most dangerous hackers are the ones you don't know about or can't stop from getting in and out of your network. I remember my security instructor saying, "If a hacker wants in he is getting in; it is just a matter of how long it takes them. You can do your best to prevent and clean up after, but you can't stop it. If a hacker wants in, they're going to get in somehow."

Good job, guys... (1)

catbertscousin (770186) | more than 2 years ago | (#38584302)

Anonymous published 50,000 credit card numbers online... and just whose interest is this attack in?... O_o

More effort into tracking and capturing hackers. (2)

jellomizer (103300) | more than 2 years ago | (#38584366)

That is why I think we really need to stop encouraging and supporting these criminal hackers and put more consolidated effort into finding them and stopping them.
What they are doing is about the same as saying, "I don't like the rich, so I will steal from the poor who have to pay him."

Ha ha, we will laugh at the company who didn't fix all their security patches in time and didn't block that zero-day vulnerability. Or in real-life terms: it is the company's fault for not operating their business in an impenetrable fortress.

Re:More effort into tracking and capturing hackers (3, Insightful)

KiloByte (825081) | more than 2 years ago | (#38584670)

Uhm no, mere vandals need to be cherished and promoted; those who work for the Chinese govt won't tell you something is amiss.

It is the companies' fault for not following basic security practices, especially if what they take taxpayers' money for is "intelligence".

Re:More effort into tracking and capturing hackers (1)

Beeftopia (1846720) | more than 2 years ago | (#38585836)

That is why I think we really need to stop encouraging and supporting these criminal hackers and put more consolidated effort into finding them and stopping them. What they are doing is about the same as saying, "I don't like the rich, so I will steal from the poor who have to pay him."

It's not even that complicated. There's no sophisticated motive behind Anonymous other than simple vandalism. You see the behavior in small children who like to knock things down just to see them fall. People are looking for political, economic, social, etc reasons. There's no consistent thread. It's just vandalism.

Serious Hackers don't leave viruses/rootkits. (5, Interesting)

JRHelgeson (576325) | more than 2 years ago | (#38584714)

Like Kevin Mandia, I too clean up these messes professionally. Cleaning these things up starts with the data gathering and analysis, virus scans, offline analysis - and more that are not mentioned.

The MOST important thing that ANY admin should know is that the true professional hackers do not use rootkits. They will use exploits to gain their foothold, but rather than install a rootkit, they will install remote network admin utilities, such as Dameware NT utilities (old), or more recently I've seen LabTech Software.

From www.labtechsoftware.com
IT Systems Management Software providing a leading remote monitoring and management (RMM) solution for Managed Service Providers (MSP) and IT...

This software is great for Managed Service Providers - it also is a dream come true for cyber-criminals as it provides a backdoor into networks using signed code that will not appear on any antivirus, anti-malware or anti-rootkit scan. It can sit dormant for years, get backed up, and restored. Even if you do run anti-virus scans on your backups prior to restoring them - as one commenter stated above - it would be of no use.

So, when I am gathering the data dump, what I do is look for ALL network management tools, and I have created scripts that search for these.
        *****
        Google this: C:\WINDOWS\LTSVC\LTSVC.exe Hijackthis
        You will find examples of people who have run Hijackthis on their computer and posted the log online - the common complaint is that they keep getting reinfected and cannot figure out how. They've run {insert virus tools here} a number of times and cannot figure it out. They usually resort to reinstalling the OS.
        *****
Anyhow - gathering up all the logs from every device on the network, linking how they went from machine-to-machine, enumerating lists of installed software on each machine, and also performing offline analysis of drives, searching for any file/directory modifications based upon time stamp. It is FAR more involved, but it is the only way to enumerate the intrusion.

Removal must be done all at once. Either cut the network access of all the devices, then remove, or write a custom removal script and schedule it as a task to have everything be done at precisely the same moment.

I then have custom IDS signatures that look for any unauthorized Remote Management & Monitoring software.
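
JRHelgeson's approach rests on two things: an inventory of what is installed on every host, and a list of remote management products that have no business being there. The script below is an added example of that hunt, written for this page; it is not JRHelgeson's script and not LabTech's or DameWare's code. It runs over a constructed service inventory (one line per installed service: host, service name, binary path, install date), matches each entry against RMM indicators, skips hosts that are known to run a given product legitimately, and reports the oldest install date among the findings, which is the date before which your backups can still be trusted (the point made later in this thread about restoring a backup that already contains the rogue agent). The LTSVC path comes from the post above; the DameWare and UltraVNC service and binary names are real product names but the indicator list itself is my assumption, and in practice you would extend it with whatever your own environment has seen.

```python
"""Added example: hunting for unauthorised remote management/monitoring (RMM)
agents in a host inventory export. Inventory data below is constructed."""
import re
from collections import defaultdict

# Indicators keyed by product. Patterns are tried against both the service
# name and the binary path. LTSVC comes from the thread; the DameWare and
# UltraVNC entries are assumed additions an analyst would keep in this list.
RMM_INDICATORS = {
    "LabTech":  [r"\\LTSVC\\LTSVC\.exe$", r"^LTService$"],
    "DameWare": [r"DWRCS\.exe$", r"^DWMRCS$"],
    "UltraVNC": [r"winvnc\.exe$", r"^uvnc_service$"],
}

# Constructed inventory: host|service_name|binary_path|install_date
SAMPLE_INVENTORY = """\
WS-FIN-07|LTService|C:\\WINDOWS\\LTSVC\\LTSVC.exe|2011-06-14
WS-FIN-07|Spooler|C:\\WINDOWS\\System32\\spoolsv.exe|2010-01-03
SRV-DB-01|DWMRCS|C:\\Program Files\\DameWare\\DWRCS.exe|2011-09-02
SRV-MSP-GW|LTService|C:\\WINDOWS\\LTSVC\\LTSVC.exe|2009-11-20
WS-HR-12|uvnc_service|C:\\Program Files\\UltraVNC\\winvnc.exe|2011-12-01
"""

# Assumption: the MSP gateway is the one box that legitimately runs LabTech.
AUTHORISED = {"SRV-MSP-GW": {"LabTech"}}


def match_product(service, path):
    """Return the RMM product name an entry looks like, or None."""
    for product, patterns in RMM_INDICATORS.items():
        for pat in patterns:
            if re.search(pat, service, re.I) or re.search(pat, path, re.I):
                return product
    return None


def find_rogue_rmm(inventory_text, authorised):
    """Map host -> list of RMM findings that are not on that host's allow list."""
    findings = defaultdict(list)
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, service, path, installed = line.split("|")
        product = match_product(service, path)
        if product is None or product in authorised.get(host, set()):
            continue
        findings[host].append({"product": product, "service": service,
                               "path": path, "installed": installed})
    return dict(findings)


def earliest_install(findings):
    """Oldest install date across all findings: backups older than this date
    are the last ones that do not already carry the rogue agent."""
    dates = [f["installed"] for fs in findings.values() for f in fs]
    return min(dates) if dates else None


if __name__ == "__main__":
    found = find_rogue_rmm(SAMPLE_INVENTORY, AUTHORISED)
    for host, items in found.items():
        for f in items:
            print(f"{host}: {f['product']} as service {f['service']} "
                  f"({f['path']}), installed {f['installed']}")
    print("earliest rogue install:", earliest_install(found))
```

The allow list is the part that needs the most care: a product that is legitimate on one host is the backdoor on another, so "is this RMM agent installed" is the wrong question and "is it installed where we expect it" is the right one. Running the same scan over an inventory taken from mounted backup images answers the question of which restore points are still clean.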

Re:Serious Hackers don't leave viruses/rootkits. (1, Troll)

fatphil (181876) | more than 2 years ago | (#38585286)

"I then have custom IDS signatures that look for any unauthorized Remote Management & Monitoring software."

Is enumerating only a subset of badness better than, or worse than, attempting to enumerate all badness? There might be an answer at the end of a google search for "enumerating badness"...

Re:Serious Hackers don't leave viruses/rootkits. (2)

JRHelgeson (576325) | more than 2 years ago | (#38587148)

I am quite familiar with "enumerating badness".
This is only done as part of a clean-up effort.
If management tools are running where they should not be, I want to know about it.
"Enumerating badness" is precisely what is required when you are hunting down an intrusion. It is not the best policy to take when defending one.

The overarching lesson I've learned in all these years is that a secure network is a well managed network. If you do not actively manage your network - there are plenty of criminals that would be happy to manage it for you.

Re:Serious Hackers don't leave viruses/rootkits. (1)

dremspider (562073) | more than 2 years ago | (#38585400)

Just out of curiosity, do you have to travel a lot with your job. I do Security Engineering now and have done IDS and Log monitoring in the past and was thinking that I would enjoy incident handling, but the thing that has kept me out of it was the 100% on call, get on a flight now to fly who knows where.

Re:Serious Hackers don't leave viruses/rootkits. (1)

JRHelgeson (576325) | more than 2 years ago | (#38587424)

No, I have not flown out to respond for many years now. I do travel in state and neighboring states quite a bit, but for the most part there are enough good people in each market with sufficient capabilities.

Re:Serious Hackers don't leave viruses/rootkits. (1)

Midnight_Falcon (2432802) | more than 2 years ago | (#38586714)

This is very outdated knowledge unfortunately and I think the example is no longer relevant, and has been obsoleted. I'm also a security auditor, and Dameware NT utilities was a common installation on Windows NT, 2000 and some 2003 servers that were compromised.

Unfortunately, Dameware NT utilities requires an open port on the firewall. Before Windows 2003's adoption, most servers had a public IP and were using no firewall or a software firewall. Thus, someone could exploit a Windows 2000 machine and then install Dameware NT utilities to keep open a backdoor to the console. However, if a hardware firewall is blocking all the ports dameware needs, you'd need to also compromise their internal network/VPN/etc. Thus, it's become a much less common vector for remote control.

Rather than go with dameware, a simple VNC or shell daemon is preferred by hackers these days, in my observations at least. Nessus and other vulnerability scanners will detect the DameWare NT utilities etc being installed. Of course, some custom snort rules can also detect it, but then you need a mirrored switch port and the motions of setting up an entire IDS system, which may not be able to happen immediately in an incident response scenario.

Highly Sophisticated hackers these days do use rootkits and other backdoor exploits. They even use more sophisticated rootkits that can infect video card firmwares, etc, and be very difficult to remove.

Re:Serious Hackers don't leave viruses/rootkits. (2)

JRHelgeson (576325) | more than 2 years ago | (#38587408)

Midnight_Falcon - did you not notice that I put the word (old) AFTER Dameware NT? It is less common now, but did the issue just go away? No, they have updated their software.

The point I wish to make, and have done, is that many hackers do not leave rootkits behind. They simply set themselves up as rogue network administrators within your network.

Re:Serious Hackers don't leave viruses/rootkits. (2)

Midnight_Falcon (2432802) | more than 2 years ago | (#38588290)

I'd agree that some hackers don't leave rootkits and instead prefer to set up legitimate network access, using service accounts to get into the directory (LDAP/AD etc.). Also, most remote access software has been changed/modified so that it's harder to use in an exploitative way; look at Citrix GotoAssist or LogMeIn, which are hard to install surreptitiously, or at least to maintain from there. That's why it's becoming less and less common to use legitimate software as an attack vector; that, along with lack of support for reverse_tcp connections to get around firewalls etc., has caused attackers to move on (and software like GTA or LogMeIn uses a central server to get around firewalls, which is less than appealing for some hackers). Something like a persistent meterpreter service may indeed work better for many.

However, I think there are some pretty serious hackers still using rootkits. How about Duqu/Stuxnet? Whoever wrote that seems fairly serious to me.

Re:Serious Hackers don't leave viruses/rootkits. (1)

JRHelgeson (576325) | more than 2 years ago | (#38588470)

I'm not talking about hackers that run botnets - yes, they use rootkits. Never at any point have I stated that rootkits are obsolete or no longer used. What I am saying, and what I have said quite clearly, is that some criminals that want to obtain and maintain access to a corporate network are using remote network admin software. So, be on the lookout for it. That is all.

Re:Serious Hackers don't leave viruses/rootkits. (1)

dbIII (701233) | more than 2 years ago | (#38591488)

They usually resort to reinstalling the OS.

With respect, shouldn't that be the first step? The system is no longer a known quantity and has been under the control of somebody else, so nothing at all can be trusted without examining it from outside of that system.
Of course if it's a compost heap of poorly documented interdependent things, some of which have no install media or configuration details available, it is very tempting to just try to find what has been broken, fix it, and trust that the collection of people that developed the cracking tools and whoever deployed them is vastly less competent than yourself. If it's not some stupid script kiddie with last year's tool it's very difficult to be certain that every file on the machine is as it should be after somebody else has taken possession of the system. I'm probably preaching to the converted and you are probably writing about the situations where you have to make the best of a bad situation without trustworthy backups, but the above really did look a bit like advice to carry on as normal after a few scans.

Re:Serious Hackers don't leave viruses/rootkits. (1)

JRHelgeson (576325) | more than 2 years ago | (#38600750)

With respect, shouldn't that be the first step?

The first step of moving on, yes. I would agree - but due to many factors it is not practical for many users.

We're like Doctors in many respects - we can make all the recommendations we want, but the patient is going to do whatever they are going to do.

And referring to trustworthy backups - when the remote management software has been in place for x number of months, and it has been backed up, restoring the machine while doing virus scans profits you nothing if you are not looking for 'rogue' management tools.

NYT paid link (1)

Anonymous Coward | more than 2 years ago | (#38585020)

It's 2012, and only one goddamn place on the internet has a paywall, and that's the one story Slashdot links to. It was bullshit when you did it in 1998, and it's bullshit now. (And apparently, it will be bullshit when you are still doing it in 2022.)

Re:NYT paid link (0)

Anonymous Coward | more than 2 years ago | (#38586424)

http://www.nytimes.com/2011/12/30/technology/hacker-attacks-like-stratfors-require-fast-response.html?_r=1

The most dangerous breaches are the quiet ones (1)

FunkyLich (2533348) | more than 2 years ago | (#38585270)

They could by all means be that. Or it could be that the "3 million +" emails that are being used as a threat are only the loud part of the breach, by the same logic therefore, the less dangerous part.

ahhahahaha (0)

Anonymous Coward | more than 2 years ago | (#38585452)

The most dangerous breaches are the ones you don't know about... lol... no shit
 

Don't ever mention Windows and malware :) (0)

Anonymous Coward | more than 2 years ago | (#38585464)

What ever you do, don't ever mention Windows in relation to malware ..

Step Back A Bit (0)

Anonymous Coward | more than 2 years ago | (#38588598)

The whole idea of a "corporate intranet" somehow being more secure than the general internets is a huge security risk. Instead, one should partition any corporate network into small networks which each have their own, full firewall. Servers should always be behind firewalls and expose just the ports which are needed to serve the specific protocols. Never, ever leave the stinking pile of insecurity called "Oracle" open for access from anyone, except designated application servers. I personally brought down an Oracle listener with the awful cracker tool called "telnet" and some random typing.
Some companies, such as BP, already follow this policy. Basically, don't expect your intranet to be "friendly". There is normally also no need for two PCs to connect to each other, so eliminate that threat at the router. Don't have huge "file exchanges" where even unrelated people from your enterprise are all assembled. Also try to live with the smallest file server shares that are possible under the processes of your company.

In a big corporate network, there will nearly always be one infected machine, even if it is just the private computer some stupid person brought into the office.

Also, lock out all the "personal devices" crapola. Android is now a major virus platform and you should not take chances by allowing people to connect these devices to anything except a route to the general internet *and not more*!

If you adopt this policy, all infections will be quite localized and can be easily dealt with.
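
The policy the post above argues for (servers expose only their own ports, database reachable only from designated application servers, no PC-to-PC traffic, personal devices routed to the internet and nothing else) is easy to state and easy to get wrong when it is spread over a dozen firewalls. The script below is an added example, not the poster's configuration or anything from BP; it encodes such a policy as a default-deny table of zone pairs and ports and evaluates candidate flows against it, so the rule set can be checked against a list of expected-allowed and expected-denied flows before it is pushed to real devices. The zone ranges, ports and sample flows are all assumptions.

```python
"""Added example: default-deny segmentation policy check for a partitioned
intranet. Zones, ports and sample flows are constructed for illustration."""
import ipaddress

# Assumed zone layout. Any address outside these ranges is treated as
# "internet" for policy purposes.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app":          ipaddress.ip_network("10.20.0.0/24"),
    "db":           ipaddress.ip_network("10.30.0.0/24"),
    "byod":         ipaddress.ip_network("10.99.0.0/16"),
}

# The only permitted flows, as (src_zone, dst_zone, dst_ports). Everything
# not listed, including PC-to-PC traffic inside a client zone, is denied.
ALLOW = [
    ("workstations", "app",      {443}),
    ("app",          "db",       {1521}),     # only app servers reach the Oracle listener
    ("workstations", "internet", {80, 443}),
    ("byod",         "internet", {80, 443}),  # personal devices get a route out, nothing else
]


def zone_of(ip):
    """Name of the zone an address belongs to, or 'internet' if none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip, dst_ip, dst_port):
    """Default deny: permit only when an ALLOW entry matches zone pair and port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(s == src and d == dst and dst_port in ports
               for s, d, ports in ALLOW)


def audit(flows):
    """Return the (src, dst, port) flows the policy would deny."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed flows to exercise the policy.
SAMPLE_FLOWS = [
    ("10.10.5.5",  "10.20.0.10",  443),   # workstation -> app server: allowed
    ("10.10.5.5",  "10.10.5.6",   445),   # workstation -> workstation SMB: denied
    ("10.10.5.5",  "10.30.0.5",   1521),  # workstation straight to Oracle: denied
    ("10.20.0.10", "10.30.0.5",   1521),  # app server -> Oracle: allowed
    ("10.99.1.1",  "10.20.0.10",  443),   # personal phone -> app server: denied
    ("10.99.1.1",  "203.0.113.5", 443),   # personal phone -> internet: allowed
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("DENY", *flow)
```

The design choice worth copying is that the table lists what is allowed, not what is blocked: a flow nobody thought about is denied by construction, which is the property that keeps an infection on one workstation from reaching the next one. Translating the table into vendor rule syntax is mechanical; keeping the table as the source of truth, and re-running the sample flows after every change, is what catches the accidental "any/any" that undoes the segmentation.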

Wake up and see the true corruption (0)

Anonymous Coward | more than 2 years ago | (#38592054)

US has been warned. These people are true to their word, true to their cause and will be as hard to stop as any fanatic (not all fanatics are evil). Wake up and see these companies for the corruption and manipulation of our economy and our "free" way of life for what they are, America! Democracy is good; Capitalism will be our own demise. It's a shame that the people who these groups claim to be fighting for end up the victims! But, heck, that's the same thing the Military does overseas! They just call it VIOLENT PACIFICATION and COLLATERAL DAMAGE!
