Showing posts with the label crime

Max Ray Butler in Trouble Again

In my first book I wrote the following on p. 170: WHO WROTE PRIVMSG? The author of Privmsg served one year in prison after pleading guilty in a U.S. District Court to a single count of computer intrusion. In May 1998 he compromised numerous government, military, and academic servers running BIND and installed back doors on those systems. He was caught thanks to skillful use of session data by analysts at the AFCERT and by Vern Paxson from Lawrence Berkeley Labs. See http://www.lbl.gov/Science-Articles/Archive/bro-cyber.html for more information on Paxson’s use of Bro and the “boastful and self-justifying” e-mail the intruder sent to Paxson. For details on the intruder, see Wired’s account at http://www.wired.com/news/culture/0,1284,54838,00.html. Kevin Poulsen’s story at http://www.securityfocus.com/news/203 has more details. The bottom line is it does not pay to infiltrate government machines -- especially Air Force servers or computers monitored by IDS researchers. I didn...

Monitoring and Investigation Lessons

Thanks to 27B Stroke 6 I learned that cybercriminal Jerome Heckenkamp (sorry Kevin, he's no "superhacker") will stay a criminal. The U.S. 9th Circuit Court of Appeals refused to overturn Heckenkamp's conviction. According to this DoJ announcement: Mr. Heckenkamp's sentence results from his guilty pleas in January 2004 to two counts of gaining unauthorized access into a computer and recklessly causing damage, in violation of 18 U.S.C. §§ 1030(a)(5)(B). In pleading guilty, Mr. Heckenkamp admitted that he gained unauthorized access to eBay computers during February and March 1999. Using this unauthorized access, Mr. Heckenkamp admitted that he defaced an eBay Web page using the name "MagicFX," and that he installed "trojan" computer programs - or programs containing malicious code masked inside apparently harmless programs - on the eBay computers that secretly captured usernames and passwords that Mr. Heckenkamp later used to gain unauthorize...

Remember that TJX Is a Victim

Eight years ago this week news sources buzzed about the Melissa virus. How times change! Vulnerabilities and exposures are being monetized with astonishing efficiency these days. 1999 seems so quaint, doesn't it? With the release of TJX's 10-K to the SEC all news sources are discussing the theft of over 45 million credit cards from TJX computers. I skimmed the 10-K but didn't find details on the root cause. I hope this information is revealed in one of the lawsuits facing TJX. Information on what happened is the only good that can come from this disaster. It's important to remember that TJX is a victim, just as its customers are victims. The real bad guys here are the criminals who compromised TJX resources and stole sensitive information. TJX employees may be found guilty of criminal negligence, but that doesn't remove the fact that an unauthorized party attacked TJX and stole sensitive information. Unfortunately I believe the amount of effort directed ...

When Lawsuits Attack

I haven't said anything about the intrusions affecting TJX until now because I haven't felt the need to contribute to this company's woes. Today I read TJX Faces Suit from Shareholder: The Arkansas Carpenters Pension Fund owns 4,500 shares of TJX stock, and TJX denied its request to access documents outlining the company's IT security measures and its response to the data breach. The shareholder filed the lawsuit in Delaware's Court of Chancery Monday afternoon under a law permitting shareholders to sue for access to corporate documents in certain cases, The Associated Press reported. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data, the news agency said. Imagine having your security measures and incident response procedures laid bare for everyone to see. (It's possible there might not be anything to review!) How would your policies and procedures fare? The fol...

Intruders Selling Security Software

If you read my coverage of the UBS trial, you'll remember the controversy involving Karl Kasper's "hacker" background. I said in that post: All the wanna-be hacker kiddies should remember that grown-ups don't trust the opinions of "hackers" in courts of law. If you wouldn't trust what a "hacker" says in court, would you trust software sold by an intruder? Yesterday I read this article: Ex-hacker helps companies get defensive. It contains this news: A reformed computer hacker is winning big clients for open-source software and hardware products that protect a company's network from intruders... The 27-year-old [name deleted] got his start at the U.S. Department of Defense in an auspicious way: He agreed to work in information warfare after he was arrested at age 17 for hacking into a government network. In return, he served no jail time. I'm appalled by this story. First, it demonstrates the press' obsession with using the ...

Signs of Desperation from Duronio Defense Team

It sounds to me like the Duronio defense team has nothing left in its tank, so it's attacking Keith Jones directly. The latest reporting, UBS Trial: Defense Suggests Witness Altered Evidence, shows how ridiculous the defense team sounds: "So when you talked about putting pieces of the puzzle together, you were missing three-quarters of the pieces for the [central file server] alone?" [defense attorney] Adams asked. "The puzzle pieces I had to put together formed the picture I needed," Jones replied. "If the puzzle was of a boat, then I had enough pieces to form the picture of the boat." Adams countered, "But you might not see all the other boats around it." Jones replied, "But the second boat won't get rid of the first boat. It's simple mathematics that when you add data, you don't subtract data. There was nothing in that data set that could remove the data I already had." It sounds like Keith has more testifyin...

A Real Logic Bomb

Logic bomb is a term often used in the media, despite the fact that almost all reporters (there are notable exceptions) have no clue what it means. Well, now we can look at a real one, thanks to forensics work by Keith Jones. He found a real logic bomb while doing forensics on the United States v. Duronio case. I worked the very beginning of this case while Keith and I were both at Foundstone. My small part involved trying to figure out how to restore images of AIX machines from tape. I even bought an AIX box on eBay for experimentation. You can read about Keith's testimony in this Information Week article. This is the "logic bomb" Keith recovered: One of the neat aspects of this case is its age: over four years. The media and elsewhere are abuzz with stories of "insider threats," but this has been a problem for a very long time. Congratulations to Keith for testifying on such an important case. If the jury has a clue, the defendant doesn't h...

Congratulations to Feds

I'd like to congratulate the United States Attorney's Office, Central District of California for indicting a bot net controller. According to the press release and the indictment (.pdf), up to 400,000 victims were compromised. You can track the progress of this case through the Post Indictment Arraignment Calendar. This is exactly the sort of work that needs to be done. Security professionals cannot win against intruders if only the "vulnerability" variable of the risk equation is addressed. We need law enforcement to reduce the "threat" variable as well. The suspect in this case is a 20-year-old living in California. This is the sort of perpetrator who can be deterred, unlike a foreign intelligence agent or member of organized crime. The more bot net operators who are put in jail, the fewer lower-end threats we will need to stop.

Great Reporting by Brian Krebs

During the Mike Lynn affair I found Brian Krebs' reporting to be invaluable. Now he has provided an excellent story on the arrest of the Zotob and Mytob worm authors. I recommend you read the story linked from Brian's blog. Highlights include: "Both of the suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft... The author of the original Blaster worm remains at large, and Microsoft has offered a $250,000 bounty for information leading to the arrest and conviction of that person... [E]vidence indicates Ekici paid Essebar to develop the worms, which the two used for financial gain... [T]he two men are alleged to have forwarded financial information stolen from victims' computers to a credit card fraud ring. [P]olice who raided Essebar's home found a computer that contained the original programming instructions for the first version of the Zotob worm." I am glad to see action against a diff...

Credit Card Intrusion Detection

I just received a call from a computer at Citicards, the company that issued one of my credit cards. Twice in the past few years that card was stolen by credit card number thieves. I found the exchange with the computer interesting. First it announced that it was calling from the Citicards fraud department. Next it asked if I was "Richard Bejtlich," using the best pronunciation of my last name a computer could muster. (It's "bate-lik", by the way.) Then it asked me to verify the zip code of the billing address for the credit card. At this point I figured providing a zip code was a low-risk activity, in the event this was a sophisticated social engineering attempt. Once I "authenticated" via zip code, the computer asked if I had made a purchase of $6.37 yesterday at "fast food" something-or-other. I recognized this as the dinner I bought at the incredibly high-brow Chick-fil-A drive-thru window at 9 pm last night. I pressed "...

Investigating the Paris Hilton Incident

More details are emerging regarding the Paris Hilton cellphone incident. I'd like to use this case to take a look at the various approaches used to perform incident response. The first two methods are technical, and the third is non-technical. First we have the assessment approach. This involves probing target systems which may have been involved in the incident. Assessors look for security weaknesses in services and applications they believe could have yielded the information acquired by the intruders. Jack Koziol's recent blog entry is an example of this approach. In my opinion this method is least likely to yield useful information, and is often a waste of time, as far as determining the details of the incident at hand. The assessment approach is largely speculation, albeit with access to some or all of the systems which could have been victimized. From a forensic standpoint, this is a poor way to investigate an intrusion. Assessors typically interact directly wit...

Further Musings on Digital Crime

Adam Shostack posted a response to my Thoughts on Digital Crime blog entry. Essentially he questions the "bandwidth" of the law enforcement organizations I listed, i.e., their ability to handle cases. The FBI CART Web page says "in 1999 the Unit conducted 2,400 examinations of computer evidence." At HTCIA I heard Mr. Kosiba state that thus far, in 2004, CART has worked 2,500 cases, which may involve more than one examination per case. The 50+ CART examiners and support personnel and 250 field examiners have processed 665 TB of data so far this year! The CART alone spends $32,000 per examiner on equipment when they are hired, and another $12,500 per year to upgrade each examiner's equipment. This is a sign that the DoJ is pouring money into combating cyber crime. Of course local and state police do not have the same resources, but especially at the state level we are seeing improvements. If more resources are being plowed into cybercrime, what ...

Thoughts on Digital Crime

Last week I spoke at and attended the High Technology Crime Investigation Association International Conference and Expo 2004. The keynote speaker was US Attorney General John Ashcroft. Although I spent time furiously copying notes on his speech, the text is online. Not printed in that text was the AG's repeated theme: the US Department of Justice and Federal Bureau of Investigation are committed to "protecting lives and liberty." I thought this was a curious stance given the recent efforts to scale back the Patriot Act. The AG mentioned that "protect[ing] the United States against cyber-based attacks and high-technology crimes" is the number 3 FBI priority. I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to op...