Last week I tweaked my Information Security Incident Classification chart. Given recent events I might consider extending it to include Crisis 3, 2, and 1 levels. Perhaps they would look like this. I previously alluded to "11" in my original post.
- Crisis 3. 11 / Intruder has publicized data loss via online or mainstream media.
- Crisis 2. 12 / Data loss prompts government or regulatory investigation with fines or other legal consequences.
- Crisis 1. 13 / Data loss results in physical harm or loss of life.
I thought about these situations because of the latest Crisis 3, now affecting T-Mobile, as posted to Full-disclosure yesterday:
From: pwnmobile_at_Safe-mail.net
Date: Sat, 6 Jun 2009 15:18:06 -0400
Hello world,
The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers.
Like Checkpoint[,] Tmobile [sic] has been owned for some time. We have everything, their databases, confidental documents, scripts and programs from their servers, financial documents up to 2009.
We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.
Please only serious offers, don't waste our time.
Contact: pwnmobile_at_safe-mail.net
Name Type Team Application Name ApplicationID Application Operating System IP Address Facility Blank Blank Blank Tier 1 Apps Tier 2 Apps ? Prod
protun03 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.185 HP-UX 11.11 BOTHELL_7 #N/A 64 1
protun04 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.186 HP-UX 11.11 BOTHELL_7 #N/A 64 1
protun05 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.187 HP-UX 11.11 BOTHELL_7 #N/A 64 1
protun06 Prod IHAP Caller Tunes 64 CallerTunes 10.1.16.188 HP-UX 11.11 BOTHELL_7 #N/A 64 1
...edited out 505 more server entries...
proxfr03 Prod Infra Connect Direct 106 Connect Direct 10.133.33.130 HP-UX 11.11 NEXUS #N/A #N/A 1
proxfr04 Prod Infra Connect Direct 106 Connect Direct 10.133.65.37 HP-UX 11.23 NEXUS #N/A #N/A 1
Talk about monetizing an intrusion. Can you imagine your company's data posted to a public forum like this?
This sort of incident is becoming more common. Remember the 8 million Virginian patient records from April?
ATTENTION VIRGINIA
I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(
For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).
...truncated...
Something similar happened to Express Scripts last year.
If this isn't enough to convince management that every active remote command and control channel presents clear and present danger to the enterprise, I don't know what is. All of these incidents started with an intruder gaining access to at least one system. If the organization doesn't take these incidents seriously, the next step could be public humiliation. You might say "the Feds will grab these guys." True, but what is the cost to the reputation of the victim organization?
Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.
0 comments:
Post a Comment