Bank Heist via Malware
Hackers breach bank's site with barrage of exploits. Plus: unhealthy security policies and data-filled
hard drives on eBay.
The home page of the Bank of India was hacked recently and an iframe tag added that pointed to a criminal
site. The criminal site served up, according to ComputerWorld, no fewer than 22 different pieces of
known malware. It is unknown how
long the site was offering up the malware, but it appears to have been in this condition for at least
several hours to a day.
This breach is very significant because the site is so high profile and popular, and because it is
the type of site that you’d never expect to be compromised or to serve up malware.
Unlike the MySpace hack, customers doing their Web banking would never expect to be attacked by their
Many stories have been published in the past stating that high profile sites were compromised, but none
have been substantiated the way this one has. Sunbelt displayed the source of the home page that
contained the link to the criminal iframe, and the complete list of malware delivered by the
site. Such high profile sites should seriously consider the method by which they deliver their pages, and
consider whether they can deliver them from a CD or some other non-modifiable source.
We would also like to point out that while the story suggests this is “like the Superbowl site hack”, the
site that was compromised during the Superbowl this year was, in fact, the site for the stadium and not
the site for the Superbowl -- a very significant difference there, and here.
An Unhealthy Security Policy
A former IT employee of the Council of Community Health Clinics was convicted of hacking into his former
employer’s computer systems. Jon Paul Oson resigned after a poor performance review. Two months later, he
broke into the systems and disabled patient data backup processes. A couple of days later he broke in
again and deleted data and software from several servers. The data included patient histories, diagnoses,
treatment plans, and appointment schedules.
Oson faces 10 years in prison and two fines of up to $250,000 each. Considering his actions could have
killed people, one has to wonder whether the sentence is stiff enough.
On the CISSP forum, discussion about this case brought about the recommendation that HR inform IT when it
is going to give someone a bad evaluation. Presumably IT might pay closer attention to such employees.
We, however, would like to know how the former employee, after resigning and leaving the company, was
still able to get back into the network remotely. All passwords should have been changed in the interim to
ensure such access was not possible.
This column was originally published in our weekly Security Watch newsletter.
Arkansas Governor's Hard Drive Goes to Highest Bidder
The hard disk of the Director of the Arkansas Democratic Party managed to find its way, intact, onto eBay
and into the hands of an IT consultant who purchased it. The drive was bought, via eBay, from another IT
consultant who assisted the gubernatorial campaign last year that saw the current governor elected. The
director damaged his laptop, and the drive was believed beyond repair. It was given to the consultant as
part payment for his efforts. The drive contained sensitive information about the campaign, including
talking points and private phone numbers. The data was unencrypted.
If you can’t recover the drive or use it over again, then put a punch through it or destroy it with a
mallet. If the drive was unusable, then why would the consultant have wanted it? If it was usable, then
it should have been kept, or steps should have been taken to ensure it was completely cleaned by whomever
originally owned it.
If you can’t verify that the data is removed, or encrypted, then destroy the drive. Surely $69, the
amount the drive was finally sold for, isn’t worth the aggravation or even the potential aggravation.
Finally, a warning from our resident hardware guy Jon McCown: “Just remember to put your hand on the
counter-clockwise side of the drill when you’re holding drives to put holes in them. When the bit locks
up, it gets ugly!”
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.