Adding Insult to Injury
So... they were stealing banking credentials of people who are out of work and getting financial assistance from the government.
That's just MEAN.
Computers operated by the state of Massachusetts were infected for more than three weeks with a sophisticated piece of malware that security researchers say stealthily stole more than a gigabyte's worth of sensitive data over the past 10 days. Not all of the banking credentials, email passwords and other data lifted by the …
The shit's gonna hit the fan here. The DUA has company officers' and directors' SSNs on file. And employer bank accounts. They SAY most of those weren't stolen, but their credibility is already tarnished. Now that some influential people are getting hurt, maybe something will be done about this useless, dysfunctional agency and its POS information systems.
@Fred Pilcher: Wasn't that the place that hounded its CIO out of his job a few years ago for daring to suggest that they abandon Windows in favour of Linux?
No, Louis Gutierrez got fired for suggesting Massachusetts move to the Open Document Format.
http://www.computerworld.com/s/article/9012760/Q_A_Former_Mass._CIO_feels_bittersweet_pride_after_battles_with_Microsoft_legislature?source=rss_news50
http://www.computerworld.com/s/article/85563/Former_stake_CTO_Dan_Geer_on_Microsoft_report_firing?taxonomyId=017
Peter Quinn was forced out as CIO for the same reason. So was Eric Kriss, apparently.
http://www.cio.com/article/19965/A_Win_for_Microsoft_in_Massachusetts_
Same thing happened to me in 2008, three months after I landed an IT job in the state college system. We were using Linux and Django for web apps... there was a department coup... bye bye Linux. Then the college received a nice gift of... free MS crap software for the students. Arrrgh....
... its own data breach notification law, one of the first enacted in the US, against intense lobbying by financial institutions and merchants offering online access to goods and services.
So, at least in this instance, there's no "Do-As-I-Say-Not-As-I-Do"-style mud-slinging (yet).
However, if the present State administration wants to minimise potential fallout, it better move faster than Sony did in offering some sort of ID-theft insurance. The fact that the infection worked its way so deep into a government services agency that processes so much personal info makes responding to the theft in an urgent and efficient manner all the more important...
"W32.Qakbot is a worm that has been seen spreading through network shares, removable drives, and infected webpages, and infecting computers since mid-2009 ... The worm arrives as an EXE file that is UPX packed with an additional custom encryption layer. Within the EXE is a DLL that contains the core functionality of Qakbot. The executable accepts the following command line arguments:
The autorun.inf file allows Qakbot to autoexecute in certain versions and configurations of Windows when the removable drive is inserted."
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf
Hmm, apart from making the usual smug comments about the most hacked system in history, it strikes me this is such a typical attack that any competently secured installation of Windows should have survived. Symantec say "the visiting computer is subjected to various application exploits" but no more details.
Have I missed the idiot factor?
It was a zero-day strike. Norton, McAfee and other anti-virus products simply failed to detect and/or remove the virus. The virus was categorized as low threat, and very little info existed on Symantec, McAfee about that trojan (before May 2011).
It takes advantage of a security flaw of many enterprises: Technical support and System Administrators often have full access to everything.
We traced our infection through an email. It infected the user's computer. She reported that her computer ran strangely with weird errors (she did not have administrator access to her own computer). Tech visited and logged into the computer to diagnose. The virus then enumerated every C$/ADMIN$ share that it could see, using the logged-in Tech's identity to infect other machines (Tech had administrator access, so it simply took advantage of his access and infected everything possible).
(It needed the zero day to get into the enterprise, but then took advantage of the given access to remotely install itself on everyone else.)
McAfee still didn't see the virus. Before you know it, all your systems are keylogging like crazy, you have a random named task scheduler service, and your ftp is busy.
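The fan-out the post above describes (one support identity touching C$/ADMIN$ on many hosts within minutes) is the pattern a defender can look for in share-access logging. The following detector is an added example and not code from the thread; the record layout (timestamp, account, source host, target host, share) and the sample lines are constructed assumptions, not a real Windows event format.

```python
"""Flag an account that hits admin shares on many distinct hosts in a short window.
Added example; the log format below is constructed, loosely modelled on the fields
of a Windows share-access event, and is an assumption of this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, account, source host, target host, share.
SAMPLE_LOG = """\
2011-05-10T09:01:02 CORP\\techsupport WS-042 WS-017 C$
2011-05-10T09:01:05 CORP\\techsupport WS-042 WS-018 ADMIN$
2011-05-10T09:01:09 CORP\\techsupport WS-042 WS-019 C$
2011-05-10T09:01:12 CORP\\techsupport WS-042 WS-020 C$
2011-05-10T09:01:15 CORP\\techsupport WS-042 WS-021 ADMIN$
2011-05-10T09:02:00 CORP\\techsupport WS-042 WS-022 C$
2011-05-10T09:30:00 CORP\\alice WS-007 FILESRV-1 Public
2011-05-10T11:00:00 CORP\\bob WS-009 WS-010 C$
"""

ADMIN_SHARES = {"C$", "ADMIN$"}  # hidden administrative shares abused for remote install

def parse_line(line):
    ts, account, src, dst, share = line.split()
    return datetime.fromisoformat(ts), account, src, dst, share

def find_fan_out(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted hosts} for every account that accessed an admin
    share on at least `threshold` distinct remote hosts inside any `window`."""
    events = defaultdict(list)  # account -> [(timestamp, target host)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, share = parse_line(line)
        if share.upper() in ADMIN_SHARES and src != dst:
            events[account].append((ts, dst))
    alerts = {}
    for account, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[account] = sorted(hosts | set(alerts.get(account, ())))
    return alerts
```

A normal admin session touches one or two machines; a worm riding the session touches dozens, so the threshold and window are the knobs to tune against your own baseline.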
Is it me or does it feel like another excuse for rolling out some new laws by senators who know nothing about securing boxes?
I mean Sony... Christ, Sony, hire a high-school kid, and have 'em roll out mod sec on apache or nginx and static pages or something... 10000 attempts from one IP? Heard of BFD? pf firewall?
iptables -j DROP
0.0.0.0/8
1.0.0.0/8
...
255.0.0.0/8
Gee no packets anymore in under 40 seconds!
Norway and html mail? I'd be ripping all email programs out of all boxes. Read your ****ing mail elsewhere. Got TEXT? How about ripping out all code from the email? Filter?
It's not computer security vulns, it's utter incompetence and lack of accountability.
These companies ought to be SUED for incompetence.
And for the military, why do they even HAVE email at all on a so-called "secure system?"
Got encryption? How about a 2048 AES? Seriously wtf?!
Of course this is my opinion.