Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Crimeserver" Full of Personal/Business Data Found

Posted by kdawson on from the gotta-store-it-somewhere dept.

Presto Vivace sends news of a server found by security firm Finjan that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjan dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers. ... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjan notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming. Update: 05/08 12:29 GMT by T : Note, the security firm involved is spelled "Finjan," not "Finjin" as originally shown.

21 of 114 comments (clear)

  1. Why would they need basic auth? by morgan_greywolf · · Score: 5, Insightful

    Why would they need basic auth? After all, the security on the compromised computers was bad enough for them, complete random strangers to the owners of the PCs, to bypass system authentication and authorization controls to grab the data in the first place.

    --
    My blog
    1. Re:Why would they need basic auth? by kcbanner · · Score: 5, Insightful

      Because all scammers aren't friends with each other.

      --
      Obligatory blog plug: http://www.caseybanner.ca/
    2. Re:Why would they need basic auth? by CodeBuster · · Score: 3, Insightful

      Well, if they were planning to sell the pilfered information then it helps if their...ahem...customers cannot simply help themselves.

    3. Re:Why would they need basic auth? by NoobixCube · · Score: 5, Interesting

      My first thought was, surely someone who accumulates this kind of data would go to some lengths to secure it. That leads me to believe that this "crime server" is owned by an amateur. The computer crime equivalent of a petty thief. Imagine how many properly run and hidden crime servers must exist. And think how many more petty thieves must own similar ones.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    4. Re:Why would they need basic auth? by Anonymous Coward · · Score: 3, Insightful

      Maybe its a free sample?

    5. Re:Why would they need basic auth? by Opportunist · · Score: 5, Interesting

      This might come as a surprise, but scammers are not necessarily more tech savvy than their victims.

      This isn't the first completely unprotected (or default password protected) scammer server. Actually, a certain security company which I won't name (but you can guess it...) will have a hard time working with certain other security companies from now on since there are things you don't yap about. Those hardly-if-ever protected ID-theft servers is one of those things.

      The reason is twofold. First of all, those criminals with a minimal technical knowledge (most of the times, those drop servers are part of the package you buy from someone who does actually know how to use a computer and write the necessary client/server package to steal information) might start wisening up and protect their servers better, making our work harder. It's the whole "the less your enemy knows about you and the more you know about your enemy, the better" thing.

      The second reason, though, is even more important. When it becomes "mostly common" knowledge that there are servers stuffed with stolen information, a second part of the criminal chain opens. Well, opens isn't the right word, it already opened, but it will have a wider, let's say, audience. People who want that information for their own goals won't infect your machine but rather try to steal from the thieves, multiplying the problem in proportions that cannot even be measured anymore. So far, we have a pretty good picture of the threat and problem, knowing (or at least being able to estimate) how many people are infected by a certain trojan, what information is siphoned and by the actions taken thereafter, we can draw a picture of the threat, the goals of the group that siphoned the information and so on.

      If now many criminals start working with the same data base, it becomes a damn lot harder to even try working out a threat scenario.

      That's why this is being kept on a low profile, and why nobody so far went out into the broad public about it. It's one of those "don't give them ideas" doctrines. I was certainly not in favor of the idea when it was presented, because withholding information does rarely lead to more security. I just couldn't offer a better solution. Or at least a better broom to keep the ocean at bay.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Why would they need basic auth? by dbIII · · Score: 3, Insightful

      The slang is "script kiddie".

  2. WTF by ColdWetDog · · Score: 3, Interesting

    The person that operated this server had no clue on security, he had no clue about how to configure a Web server. He just took a ... toolkit and started to use it and in three weeks he managed to have this fortune, this treasure on his server."

    I know it's just a rehash of a press release, likely taken out of context from what was originally said, but - WTF?

    I don't think that malware is so advanced that all you have to do is "use a toolkit" and poof - magically financial and personal data will just show up on the hard drive. Maybe the guy's server was pawned - he is at least acting like he doesn't know what he is doing, but come on.

    If it's that easy, I'm gonna try it....

    --
    Faster! Faster! Faster would be better!
    1. Re:WTF by Bryansix · · Score: 4, Funny

      If it's that easy, I'm gonna try it....
      I'll make sure to alert the authorities.
    2. Re:WTF by epiphyte42 · · Score: 3, Insightful

      I know it's just a rehash of a press release, likely taken out of context from what was originally said, but - WTF?

      If it's that easy, I'm gonna try it....

      Did you consider the fact that the stuff that does all the hard work is actually .... software?! In other words, if some black hat makes a nice package with a decent installer and good documentation it could well be that it is less complicated to setup such a server then, say, setting up a decent webserver. The app in question would then do something like: 1: look for vulnerable pc's 2: infiltrate weak ones with preprogrammed stuff 3: send data back to simple integrated webserver 4: goto 1 The components at 2 could even fit into a nice plugin architecture to enable other black hats to extend the functionality. Yes, this stuff exists and yes, this stuff is easy to use.
    3. Re:WTF by commodoresloat · · Score: 4, Funny

      Maybe the guy's server was pawned Why would you take a server with all that valuable data to a pawn shop?
  3. So you have to a CISSP to run a script now? by mungmaster2000 · · Score: 5, Insightful

    "The server was not secure at all. It indicates that these people that are doing the crime today, they are not security experts, they are not computer science experts." Uhhh....So someone knocks over a liquor store with a 9 mm. Does that mean that he's a gunsmith or a sharpshooter, or skilled in advanced war-fighting techniques of some kind? No...Chances are he's a just a guy with a gun. People use whatever they can to take what they want. Film at eleven.

    1. Re:So you have to a CISSP to run a script now? by moderatorrater · · Score: 4, Informative

      People use whatever they can to take what they want. Film at eleven. The news is that this stuff is now as easy to use as a 9mm.
  4. Security company finds unsecure server by Whuffo · · Score: 5, Insightful
    Must be a slow news day for this kind of astroturf to bubble to the top. Notice how carefully they count how many people in each country had their data stolen and stored on this server. Also notice how many of those people these security folks notified of the data breach. Yup, exactly zero.

    So they're not trying to help at all. What they're trying to do is sell their services and using this pseudo-news article to do it. Shame on them.

    1. Re:Security company finds unsecure server by camperslo · · Score: 4, Informative

      Notice how carefully they count how many people in each country had their data stolen and stored on this server. Also notice how many of those people these security folks notified of the data breach. Yup, exactly zero.

      People may not have been contacted directly, but those in a good position to quickly mitigate damage were notified:

      "Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver".

      So they're not trying to help at all. What they're trying to do is sell their services and using this pseudo-news article to do it.

      Do you actually have any evidence of this? What were they trying to sell to who?
      I would expect a press-release type of promotional piece to have more information about the services the company offers.

  5. Re:Where do you think the data came from by antic · · Score: 4, Funny

    Can you at least obfuscate my email address if you're going to be so rude as to post it publically? Plus the screensaver was really quite super cool.

    --
    'Thats they exact same thing a banana wrench monkey.'
  6. Unprotected maybe for a reason: by Fluffeh · · Score: 4, Insightful

    Perhaps this data was intentionally left out in the open by whoever had it first?

    If you think about it, if you just hacked into a users pc and nicked something (credit card info, passwords, whatever) and used them quietly to some degree, wouldn't you WANT someone else to use them, perhaps not so quietly? I mean, you want a fall guy right? Let the next script kiddie run through and take the fall. With a bit of luck, they will pin all the activity on the new guy rather than the guy who carefully used this once, then let the information loose on the masses.

    It's not "accidentally" or "stupidly" left unprotected, it's a perfect smoke screen to cover tracks if you ask me.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
  7. Re:HoneyPot by Lumpy · · Score: 4, Interesting

    Actually that's called a tripwire. Back in the 80's when I knew some hackers really well I helped set up several tripwires. They went hand in hand with modem hop points. You Social engineer into an office building, best is a multi business place. get to the phone room and fine a couple of demarc boxes that are old and gut them. Install a pair of modems back to back and you can hop from one phone line to another to mask your call if it's traced.

    to make a tripwire you add in a second box like that, have your outgoing line go into and out of the box, install a isolation relay or switch that when the box is opened it dumps 120VAC into the phone lines This typically smokes a modem hard making it impossible for them to recover any info inside it. (mostly designed to piss off the feds/cops) but it disables the modem and the line tipping you off that that relay has been compromised.

    worked well, One "friend" had 5 of his relays compromised in one night, tipping him off that something big was happening and he laid low for a while.

    --
    Do not look at laser with remaining good eye.
  8. Screen Saver... by Belial6 · · Score: 3, Interesting

    Is there any legitimate reason that screen savers in every single OS should not be 100% sandboxed? Is there even one OS that does sandbox the screen savers? Heck, there are not even that many screen savers that have a use for network access. You should have to explicitly authorize your sandboxed screen saver to have network access. As far as I know, every single OS is guilty of this security hole.

  9. Maybe our "crimeserver" is really a "harvester?" by yuna49 · · Score: 4, Insightful

    Unless the criminal is a complete idiot there's more than one drop spot...

    Indeed. If I were writing botnet software I'd distribute multiple copies of the collected data across a number of the compromised computers. The press release and article abstract indicate that the botnet control programs and the data were located in the same place. That doesn't seem like a particularly good architecture for this type of system. I'd keep the command programs far away from the harvested data. My hunch is that the data aren't that valuable as I outline below.

    I can accept that buying, installing and running a botnet could be as easy as installing an RPM. What appears more disturbing is the reported "timeframe of less than a month" to harvest over 5,000 records. But what kind of records are these? Finjan tells us that the data "consisted of 5,388 unique log files [my emphasis]. Both email communications and web-related data were among them."

    They go on to list some specific examples:

    Compromised patient data
    Compromised bank customer data
    Business-related email communications
    Captured Outlook accounts containing email communication

    I'd be curious to see how much actual "patient" or "bank customer" data is revealed in "log files." /var/log/maillog on my servers would certainly reveal "business-related email communications" in the sense of senders and recipients. Mail logs might also contain some entries for mail between providers and patients or between banks and their customers. Apache logs wouldn't be so useful, though they do contain the usernames when Basic Authentication is used. But none of those logs would reveal much about the content of those communications. I don't know anything about Outlook so I have no idea how its logs might reveal "captured Outlook accounts containing email communication."

    Still if all they got after a month were logs, I'm not sure how valuable they would be unless the goal was harvesting addresses for spamming or phishing. Capturing the logs of compromised mail servers would certainly yield a pretty high proportion of legitimate addresses, especially recipient addresses. This method seems especially attractive if you're trying to identify targets for "spear-phishing." If you can compromise some corporate mail servers, you can build up a nice list to "spear."

    So I'm guessing Finjan found a machine containing some 5,600 mail server "log files" totalling 1.4 GB. Since the logs are worthless once the addresses are harvested, protecting them isn't much of a priority. I suppose competitive spammers might want to keep these potentially higher-yielding names to themselves, but given the volumes at which spammers operate, they probably don't care.

    I think I'll go take a look at my mail servers now just to ease my mind.

  10. Re:HoneyPot by Anonymous Coward · · Score: 3, Insightful

    First telephone wires carry over 90VAC on them all the time.

    Second 24Ga wire cant carry any current it smokes out right away.

    Thirdly it does in FACT smoke the modems that were made back in the 80's and early 90's Hayes and USR modems back then could be eaten alive easily by 120VAC at any strength inot the phone port, better would be to also run a pair of wires to the modem's power supply side as well.

    Fourthly it also pop's the Telco gear at the Switching station dropping the line off so when you call it it does not ring. A very clever way of setting a tripwire.

    Remember back in the 80's the police and judges were not a corrupt as now. They did not throw in extra added bullshit for fun. Now the scumbag fuckers will add all kind of charges just to show you who owns the populace.