Tenable Blog

(This column is one of what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space to rant at length, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

Parking Tickets as Cyber Attack Social Engineering Vector
(February 4 & 5, 2009)

Cyber criminals in Grand Forks, North Dakota planted phony parking
violation notices on cars. The notices direct the users to a website
for more information, which leads the users through a set of links
that downloads malware onto their computers. That malware then urges
users to download an anti-virus scanner that is worthless.
http://www.techweb.com/article/showArticle?articleID=213200005&section=News
http://news.bbc.co.uk/2/hi/technology/7872299.stm
http://isc.sans.org/diary.html?storyid=5797

A few years ago, I was sitting in a hotel bar at a security conference, matching my tequila-drinking skills against all comers, when we got to discussing the next generations of identity theft attacks. One of the ideas I suggested was related to what we see above, and I'm really unhappy to see that The Bad Guys are showing no sign of stopping their creative engines.

(This column commences what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space, nor would it be appropriate for the editors to engage in hand-to-hand combat, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

 --London Hospitals' Worm Infection "Entirely Avoidable"
(February 2, 2009)
A review of the worm infection that affected three London hospitals last
November found that the incident was "entirely avoidable." The Mytob
worm infected 4,700 PCs at St. Bartholomew's, the Royal London Hospital
in Whitechapel and The London Chest Hospital; as a result, some
ambulances were rerouted and some recordkeeping had to be done with pen
and paper. While administrative systems were running again within three
days, it took two additional weeks to scan all the machines to ensure
they were clear of infection. The review determined that the initial
infection resulted from misconfigured anti-virus software and spread so
widely due to a decision by administrators to disable security updates
because they had caused some computers to reboot while surgery was
underway.
http://www.theregister.co.uk/2009/02/02/nhs_worm_infection_aftermath

There is so much wrong with this picture, that it's hard to know for sure where to start. "Ambulences rerouted" could be extremely unpleasant if you were, say, waiting patiently for help after a car crash, or something. "Recordkeeping with pen and paper" is, perhaps, a useful survival drill. The part that makes my blood run cold is "caused some computers to reboot while surgery was underway." I know that if I were a patient and heard the distinctive "cdrom-whirr, beep" of a computer rebooting, I would leap off the table and make a bloody trail toward the taxi stand, if I had working legs.

Have you ever been in the situation where you have found a server or desktop Windows system that was infected with a virus, Trojan, rootkit or malware and you wanted to scan your network to see if other systems had similar issues?  Nessus ProfessionalFeed and Security Center users can leverage the compliance auditing features of Nessus to look for evidence of hostile software on their network.

Background

The videos from the January DojoSec meeting are now online. Marcus Carey's introduction, Dale Beauchamp's talk on memory forensics and my talk on all things related to compliance and IT are available on Vimeo. To watch the talks, click below. My talk is 45 minutes and it should make you think hard about how to articulate compliance, configuration management, and mono-cultures to your management or your team.

I was recently asked by Carpathia Hosting to contribute to an eBook being written by their CTO, Jon Greaves. The book is titled 'The Datacenter of the Future'. 

The initial chapter describes the evolution of security and privacy as we've progressed from issues such as the Morris worm of 1988 to today's "it's in the cloud" attitude. There are some very good insights in the chapter which explain how the past evolution of technology will influence the types of offerings ISPs and hosting companies will provide in the next decade.