Slashdot Mirror


Security Test Prompts Federal Fraud Alert

itwbennett writes "Johannes Ullrich, chief research officer at the SANS Institute, took great interest in a National Credit Union Administration (NCUA) warning issued earlier this week, thinking, 'Finally this is in the wild, because I've only seen it in pen tests before.' Unfortunately for Mr. Ullrich, the letter and 2 CDs that caused the kerfuffle were part of a sanctioned security test of a bank's computer systems conducted by Ohio-based security company MicroSolved. 'It was a part of some social engineering we were doing in a fully sanctioned penetration test,' said MicroSolved CEO Brent Huston. For his part, NCUA spokesman John McKechnie did not have much to say about his organization's alert, except that 'at this point, it appears that this is an isolated event.'"

5 of 36 comments

  1. Patch subscriptions by morgan_greywolf · Score: 5, Insightful

    The best way to pull something like this off is to create CDs that look like they are part of a patch subscription. Before the spread of ubiquitous online access, many Unix and enterprise application vendors would send patches via some package carrier (Fed Ex, UPS, USPS, etc.). Many still do. Some admins automatically install anything they get in the mail without first verifying its contents.
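The mitigation implied by the comment above is to verify what is on the media before installing it. The following added example (not part of the Slashdot thread or of any vendor's tooling) checks every file on a mounted patch CD against a SHA-256 manifest that the administrator obtains through a separate channel, such as the vendor's HTTPS site, and refuses the install if any file is modified, missing, or not listed. The media contents, the manifest and the tampering step are constructed inline for the demonstration.

```python
"""Verify the contents of mailed patch media against an out-of-band manifest.

Added example, not code from the Slashdot thread. Assumption: the vendor
publishes a sha256sum-style manifest ("<hex digest>  <relative path>") over
a channel independent of the physical media, and the admin fetches it
separately. Everything below (files, manifest, tampering) is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large patch images don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum output: '<digest>  <relative path>' per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_media(root: Path, manifest_text: str) -> dict:
    """Compare every file under `root` with the manifest.

    Returns a report with four buckets; install only when the last three
    are empty. Files present on the media but absent from the manifest are
    flagged as 'unexpected' because extra content is exactly what a
    tampered disc would carry.
    """
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    present = {
        str(p.relative_to(root)).replace(os.sep, "/"): p
        for p in root.rglob("*") if p.is_file()
    }
    for name, digest in expected.items():
        path = present.get(name)
        if path is None:
            report["missing"].append(name)
        elif sha256_file(path) != digest:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    for name in present:
        if name not in expected:
            report["unexpected"].append(name)
    return report


def safe_to_install(report: dict) -> bool:
    """The install gate: any deviation from the manifest blocks it."""
    return not (report["mismatch"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Build a clean disc image, verify it, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed vendor patch and the manifest the vendor would publish.
        (root / "patch.bin").write_bytes(b"vendor patch v1")
        manifest = hashlib.sha256(b"vendor patch v1").hexdigest() + "  patch.bin\n"
        clean = verify_media(root, manifest)
        # Constructed tampering: the patch is altered and an unlisted file appears.
        (root / "patch.bin").write_bytes(b"vendor patch v1 (altered)")
        (root / "unlisted.bin").write_bytes(b"not in the manifest")
        tampered = verify_media(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean media safe to install:", safe_to_install(clean))
    print("tampered media safe to install:", safe_to_install(tampered), tampered)
```

The manifest check only helps if the manifest itself did not arrive on the same disc; a digest printed in the accompanying letter proves nothing, since whoever mailed the disc also wrote the letter. Vendors that sign their manifests let you add a signature check in front of `verify_media`, but the hash comparison alone already catches modified and added files.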

  2. They detect the breach but fail by mysidia · Score: 4, Insightful

    They fail proper incident response by leaking incident data to the public. I would expect someone on their incident response team to be aware of the pen test, provide proof, and for the report to never leak out of the company.

    I don't think proper incident response involves posting an alert based on an isolated incident and tipping off the attacker before law enforcement can move in.

    Even if the attack was real, the institution might not want to reveal it to others, especially if the attack resulted in compromise; it could scare customers away if they were informed that a security compromise had occurred.

    So it's a bit unusual that the report got out.

  3. large bureaucratic hierarchies like banks... by Dr_Ken · Score: 4, Insightful

    ...are just begging for this kind of attack. More stupid stuff gets done because of a "memo from HQ" than for any other reason. Nobody questions or authenticates anything. The drones just do what they're told to and move on. Makes me wanna keep my life savings in deposit soda bottles in the basement instead of my credit union.

    --
    "If you want to know what happens to you when you die, go look at some dead stuff."

  4. AOL CD's??? by DevConcepts · Score: 5, Funny

    Brain: We're going to ship AOL CDs to everyone as a "new upgrade version" that will give us full control of their computer.
    Pinky: What if they don't use AOL?
    Brain: There's 49 million sheep using AOL; it should be enough to do what we are going to do.
    Pinky: What's that, Brain?
    Brain: The same thing we do every night: try to take over the world.

  5. Re:Um, their first clue that these consultants suc by TheRaven64 · Score: 4, Informative

    It seemed like for a time "Micro" was really hot as a precursor to a company name.

    The '80s was the height of the microcomputer revolution. For anyone who didn't live through it, a microcomputer is a computer which uses a microprocessor (a CPU on a single chip). This differentiates them from minicomputers and mainframes, which at the time typically had different parts of the CPU in several different chips. It wasn't until the mid '90s that even mainframes were using microprocessors; the first two generations of IBM's POWER series, for example, were multi-chip configurations.

    The companies that rode the microcomputer wave were often not the companies that did well in the shrinking minicomputer and mainframe markets (and the minicomputer companies were often not established mainframe names either). They used micro- to differentiate themselves from the dinosaurs who were still clinging to the one-computer-per-company model. The implication was low-cost and flexible.

    --
    I am TheRaven on Soylent News