Security Watch

Bank Heist via Malware

Hackers breach bank's site with barrage of exploits. Plus: unhealthy security policies and data-filled hard drives on eBay.

• By Russ Cooper
• 10/17/2007

This breach is very significant in the fact that it is such a high profile and popular site, combined with the fact it is the type of site that you’d never expect to be compromised or to serve up malware. Unlike the MySpace hack, customers doing their Web banking would never expect to be attacked by their bank’s site.

Many stories have been published in the past stating that high profile sites were compromised, but none have been substantiated the way this one has. Sunbelt displayed the source of the home page that contained the link to the criminal iframe, and the complete list of malware they were delivered by the site. Such high profile sites should seriously consider the method they deliver their pages, and consider whether they can deliver it from a CD or some other non-modifiable sources.

We would also like to point out that while the story suggests this is “like the Superbowl site hack”, the site that was compromised during the Superbowl this year was, in fact, the site for the stadium and not the site for the Superbowl -- a very significant difference there, and here.

An Unhealthy Security Policy
A former IT employee of the Council of Community Health Clinics was convicted of hacking into his former employer’s computer systems. Jon Paul Oson resigned after a poor performance review. Two months later, he broke into the systems and disabled patient data backup processes. A couple of days later he broke in again and deleted data and software from several servers. The data included patient histories, diagnosis, treatment plans, and appointment schedules. (Read the story here.)

Oson faces 10 years in prison and two fines of up to $250,000 each. Considering his actions could have killed people, one has to wonder whether the sentence is stiff enough.

On the CISSP forum, discussion about this case brought about the recommendation that HR inform IT when it is going to give someone a bad evaluation. Presumably IT might pay closer attention to such employees. We, however, would like to know how the former employee, after resigning and leaving the company, was still able to get back into the network remotely. All passwords should have changed in the interim to ensure such access was not possible.

Arkansas Governor's Hard Drive Goes to Highest Bidder
The hard disk of the Director of the Arkansas Democratic Party managed to find its way, intact, onto eBay and into the hands of an IT consultant who purchased it. The drive was bought, via eBay, from another IT consultant who assisted the gubernatorial campaign last year that saw the current governor elected. The director damaged his laptop, and the drive was believed beyond repair. It was given to the consultant as part payment for his efforts. The drive contained sensitive information about the campaign, including talking points and private phone numbers. The data was unencrypted.

If you can’t recover the drive or use it over again, then put a punch through it or destroy it with a mallet. If the drive was unusable, then why would the consultant have wanted it? If it was usable, then it should have been kept, or steps should have been taken to ensure it was completely cleaned by whomever originally owned it.

If you can’t verify that the data is removed, or encrypted, then destroy the drive. Surely $69, the amount the drive was finally sold for, isn’t worth the aggravation or even the potential aggravation.

Finally, a warning from our resident hardware guy Jon McCown: "Just remember to put your hand on the counter-clockwise side of the drill when you’re holding drives to put holes in them. When the bit locks up, it gets ugly!”