Tuesday, December 20, 2005

Guidance Software 0wn3d

This morning I read stories by Brian Krebs and Joris Evers explaining how Guidance Software, maker of the host-based forensics suite Encase, was compromised. Guidance CEO John Colbert claims "a person compromised one of our servers" and obtained "names, addresses and credit card details" of 3,800 Guidance customers. Guidance claims to have learned about the intrusion on 7 December. Victim Kessler International reports the following:

"Our credit card fraud goes back to Nov. 25. If Guidance knew about it on Dec. 7, they should have immediately sent out e-mails. Why send out letters through U.S. mail while we could have blocked our credit cards?"

Guidance could face severe financial trouble. According to reporter Joris Evers:

"Guidance stored customer names and addresses and retained card value verification, or CVV, numbers, Colbert said. The CVV number is a three-digit code found on the back of most credit cards that is used to prevent fraud in online and telephone sales. Visa and MasterCard prohibit sellers from retaining CVV once a transaction has been completed."

Reporter Krebs explains the implications:

"Companies that violate those standards can be fined $500,000 per violation. Credit card issuers generally levy such fines against the bank that processes payment transactions for the merchant that commits the violations. The fines usually are passed on to the offending company."

Since Guidance's customers include "hundreds of security researchers and law enforcement agencies worldwide, including the U.S. Secret Service, the FBI and New York City police," I don't think those customers will tolerate this breach of trust.

Why did it take Guidance at least 12 days (from the first known fraudulent purchases on 25 Nov to the reported discovery on 7 Dec) to learn they were owned? I think this is an example of a company familiar with creating host-centric forensic software, but unfamiliar with sound operational security and proper policy, architecture, and monitoring to prevent or at least detect intrusions. Furthermore, who will be fired and/or fined for storing CVVs indefinitely?
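The CVV point above deserves a concrete illustration. The following is an added example, not code from the original post or from Guidance Software: a merchant-side routine that persists the whole checkout form (CVV included, the practice the post describes) beside one that sends the CVV to the processor only for the authorization request and stores a masked PAN with the authorization code, plus an audit routine that scans stored records for retained CVVs or unmasked, Luhn-valid card numbers. The `authorize()` function is a stand-in for the processor call, and the checkout record, the `store_*` names and the audit output format are all assumptions made for the example; the card number is the standard Visa test number, not a real card.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample checkout submission (not data from the breach).
# 4111111111111111 is the well-known Visa test number: Luhn-valid, not a real card.
SAMPLE_CHECKOUT: Dict[str, str] = {
    "customer": "Constructed Customer",
    "address": "1 Example Way, Pasadena, CA",
    "pan": "4111111111111111",
    "expiry": "12/09",
    "cvv": "123",
    "amount_usd": "3595.00",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check, used both to validate input and to spot stored PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def authorize(pan: str, expiry: str, cvv: str, amount_usd: str) -> str:
    """Hypothetical stand-in for the processor's authorization call.

    The CVV is sent here and nowhere else; the return value is an
    authorization code that is safe to keep with the order.
    """
    if not (pan.isdigit() and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("invalid CVV")
    digest = hashlib.sha256(f"{pan}|{expiry}|{amount_usd}".encode()).hexdigest()
    return "AUTH-" + digest[:8].upper()


def store_reckless(checkout: Dict[str, str], db: List[Dict[str, str]]) -> str:
    """The practice the post describes: the whole form, CVV included, is persisted."""
    code = authorize(checkout["pan"], checkout["expiry"], checkout["cvv"], checkout["amount_usd"])
    db.append({**checkout, "auth_code": code})
    return code


def store_hardened(checkout: Dict[str, str], db: List[Dict[str, str]]) -> str:
    """Use the CVV for the authorization only; persist a masked PAN and the auth code."""
    code = authorize(checkout["pan"], checkout["expiry"], checkout["cvv"], checkout["amount_usd"])
    db.append({
        "customer": checkout["customer"],
        "address": checkout["address"],
        "pan_masked": mask_pan(checkout["pan"]),
        "expiry": checkout["expiry"],
        "amount_usd": checkout["amount_usd"],
        "auth_code": code,
        # no "cvv" key: nothing retained, nothing for an intruder to take
    })
    return code


def audit_records(db: List[Dict[str, str]]) -> List[str]:
    """Flag stored records that still carry a CVV or an unmasked, Luhn-valid PAN."""
    findings: List[str] = []
    for i, rec in enumerate(db):
        if "cvv" in rec:
            findings.append(f"record {i}: cvv retained")
        for key, value in rec.items():
            if isinstance(value, str) and re.fullmatch(r"\d{13,19}", value) and luhn_ok(value):
                findings.append(f"record {i}: unmasked PAN in field {key}")
    return findings


if __name__ == "__main__":
    bad: List[Dict[str, str]] = []
    good: List[Dict[str, str]] = []
    store_reckless(SAMPLE_CHECKOUT, bad)
    store_hardened(SAMPLE_CHECKOUT, good)
    print("reckless:", audit_records(bad))
    print("hardened:", audit_records(good))
```

Run against the constructed checkout, the reckless store yields two audit findings (a retained CVV and an unmasked PAN) and the hardened store yields none. The audit function is the part worth keeping: the same pattern, applied to a dump of an order database, is how a merchant finds out it has been retaining CVVs before an intruder or an acquirer's assessor does.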


MZ said...

What we are going to see here is yet another "CardSystems effect" where an entire company disappears.

The competition will have a merry Xmas indeed.

Anonymous said...

I wonder if whoever did this realizes that the credit card numbers are really not worth that much compared to the WHO'S WHO list they have of people who bought Encase, have been trained on it, and therefore use it.

Let me see, that would be law enforcement (LE) at the local, state, and Federal level. For Federal LE - there is Secret Service, FBI, IRS, ATF, etc.

Beyond Federal LE you've got the Intelligence Community (IC). So everyone from the military intelligence analysts out in the field to people working for the three letter agencies behind vaulted doors.

A treasure trove indeed!

Chris Walsh said...

I thought about the intelligence-gathering aspect of this as well, and came to a different conclusion. Encase is the market leader, so it isn't surprising that LEOs all over the place use it. Learning that the PD in your town has it would not be very surprising and, IMO, wouldn't add much -- wouldn't an adversary assume that such tools were available?

Also, even if some super-secret Feds use this stuff, do they pay for it with their personal CC? Sounds unlikely.

Whether there will be a CardSystems effect is a very good question. One could say that CardSystems "should have known better" because this was their core competency, and they were duly punished once their ineptitude dragged MasterCard's reputation into the mud, too. I do not see that happening with this firm. If I had to guess, I would say they will come out looking like yet another inept retailer. They're DSW Shoes, but they sell software, not high heels. My personal opinion is that anyone who stores CVV info is either reckless, arrogant, or stupid, but it's not as clear to me that the law-enforcement customers we're looking at here will drop them the way CardSystems got dropped. Switching costs for the decisionmaker(s) are higher in this situation than they were with CardSystems.

Anonymous said...

Because of the cost of the products Guidance sells, feds would most likely use a purchase order. Purchase orders still require a lot of details that would presumably be in Guidance's customer database.

The usefulness of things besides CC numbers probably depends what sort of information was in the database and tied to each customer. Did it have a purchase history? Did it have support contract information? Did it have the number of current licenses? Information like this might be useful and would definitely be more useful than just knowing a certain agency was at one point a Guidance customer. I can think of a number of uses for information of this nature, for example using it to assess the size of a particular Guidance customer's infosec department or using the customer information to assist with social engineering.

Anonymous said...

This is in response to Chris Walsh's comment.

The intel value is not in the credit card number - it is in the people's names that are users of the software. Big deal a whole bunch more DoD VISA IMPAC card numbers are compromised, those cards are probably more closely monitored than personal accounts because there is a two person check - the card holder and the certifying official. I won't go into details.

It allows someone to build a list of users and from there do further research on their organizations.

Anonymous said...

Seems odd that all of the media mentions of the attack discuss the CVVs being stolen when in the supposed letter from Guidance they specifically mention that no credit card data was stolen. Is this letter a fake? Lying? Or did the media exaggerate?


Richard Bejtlich said...

This story says "The Pasadena, Calif.-based company notified all its approximately 9,500 customers about the attack and has called in the U.S. Secret Service, which has started an investigation, Colbert said." Notice my original post said Colbert admitted theft of credit card information for 3,800 customers. Perhaps there are two letters -- one for the 3,800 who lost credit card data, and one for the remaining 5,700 who did not? The letter you link to would be the letter for the 5,700 others.

Anonymous said...

There are indeed two letters. I received the general notice because I have not used any credit cards with GSI, but a coworker who did received a different letter stating that his information (including CC#) was obtained.
