Posted by Tate Hansen
Fri, 08 Dec 2006 18:02:00 GMT
This is a follow-up to this post: (recap: a large financial org with fully compromised internal systems)
The path of the compromise was pegged to an errant firewall rule put in place during the pilot/testing phase of deploying a security point solution: SSH was open to any. The password lacked sufficient strength to resist brute-force guessing, and the system was compromised from the external side within days.
Check this out - this security point solution is a device that sits on a SPAN port and looks for any confidential information on its way out. It records anything that triggered a “hit” in simple flat text files on the local system. It was a gold mine: text files with first name, last name, SS #, mother’s maiden name, account #s, addresses, and phone information.
The catch is that this is one of those vendor point security solutions designed to be deployed near the perimeter. It lacks the defense-in-depth muscle used to protect this type of sensitive data. Even if SSH had been closed, this org did not protect the device as if it contained customer data.
Additional lessons learned:
- Remember to consider anything (security product or not) that eavesdrops on and records traffic as potentially holding super sensitive information, and take the necessary precautions.
- This org was told by the vendor that the data was safe. If you hear that, sit back and think for a few minutes, then fire off some questions that will help you understand what they mean by “safe”.
I keep thinking how offering a simple and cheap continuous port scanning service would’ve saved this org big time. Maybe I’ll add that as a feature to nmapTweaker.
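Turning the continuous port-scanning idea above into a baseline drift check, as an added example that is not part of the original post: it parses nmap's grepable (-oG) output for the sensor's management address and flags any open port the baseline does not allow, which is exactly how an SSH port left open to any would have surfaced within a scan cycle. The host address, hostname, scan output and baseline are constructed values.

```python
"""Baseline drift check over nmap grepable (-oG) output (added example)."""
import re

# Constructed sample of nmap -oG output for a hypothetical DLP sensor host.
SAMPLE_GNMAP = """\
# Nmap 4.20 scan initiated as: nmap -oG - 203.0.113.10
Host: 203.0.113.10 (dlp-sensor.example.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Constructed baseline: only the HTTPS management console should listen.
BASELINE = {"203.0.113.10": {("tcp", 443)}}

# -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {(proto, port): service}} for ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")            # Host / Ports / Ignored State
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), "")
        open_ports = {}
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":              # filtered/closed are not exposure
                open_ports[(proto, int(port))] = service
        hosts[ip] = open_ports
    return hosts


def unexpected_exposure(scan, baseline):
    """List (ip, proto, port, service) for open ports absent from the baseline."""
    findings = []
    for ip, ports in scan.items():
        allowed = baseline.get(ip, set())    # unknown host: everything is a finding
        for (proto, port), service in sorted(ports.items()):
            if (proto, port) not in allowed:
                findings.append((ip, proto, port, service))
    return findings


if __name__ == "__main__":
    for ip, proto, port, svc in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"ALERT {ip}: {port}/{proto} ({svc}) is open but not in the baseline")
```

Run on a schedule against the real scan output and the alert for 22/tcp is the early warning the post wishes the org had had; a host missing from the baseline altogether reports every open port.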
Tags: ClearNet Security, compromise, customer data, point solution, security, Tate Hansen
Posted by Tate Hansen
Fri, 01 Dec 2006 20:20:00 GMT
I debated whether to write on this, but I think it’s funny and freaky. It’ll be a struggle to make this short and to the point without losing you, but here goes:
- A former exec of a company we all worked for now evidently works with Google in some capacity
- We stay connected with other ex-colleagues from this same company
So the other day I was looking to offload some JavaScript work, and I used Google to search for former engineering colleagues from this same company who specialize in UI stuff, knowing most UI developers like to show off their work. I found and surfed around their sites -- half out of boredom and half to check out the skills they were marketing, what’s new, etc.
Come the next evening I get a message to stop viewing their web sites. I thought WTF! Damn, am I compromised? I fire off a few questions for sanity and to see if this is a joke. I get back snippets of info like:
- IP address (it was one of mine -- I wasn’t using a proxy to hide)
- Google searches performed (I couldn’t remember what I did, but the terms sounded familiar)
More bizarre still, I get word that this exec called the UI developers and said I was “stalking” them based on my googling and surfing patterns. Wow. Is this for real? Whatever the facts end up being, I had a couple of thoughts regardless:
1) This sucks; it seems deranged of someone to equate the viewing of public web pages to “stalking”… and especially to take it far enough to actually call and “warn” people. Crazy, right?
2) It’s an excellent reminder that it is not difficult for people who have no business keeping tabs on your online activity to learn more about you. Google records everything (source IP, search criteria, what you select) – mix that with a little advanced IP geolocation (or hit up your friend on the inside) and you’ve got the account holder’s details (e.g. address, names).
For speed’s sake I usually avoid hiding behind proxies. Then again, thinking about insiders at some search company collecting and sharing all my searches is not exactly appealing.
Tags: ClearNet Security, Tate Hansen, tracking