"Crimeserver" Full of Personal/Business Data Found 114
Presto Vivace sends news of a server found by security firm Finjan that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjan dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers. ... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjan notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming. Update: 05/08 12:29 GMT by T : Note, the security firm involved is spelled "Finjan," not "Finjin" as originally shown.
Why would they need basic auth? (Score:5, Insightful)
Re:Why would they need basic auth? (Score:5, Insightful)
Re:Why would they need basic auth? (Score:4, Insightful)
So you have to a CISSP to run a script now? (Score:5, Insightful)
Re:WTF (Score:3, Insightful)
I know it's just a rehash of a press release, likely taken out of context from what was originally said, but - WTF?
If it's that easy, I'm gonna try it....
Security company finds unsecure server (Score:5, Insightful)
So they're not trying to help at all. What they're trying to do is sell their services and using this pseudo-news article to do it. Shame on them.
HoneyPot (Score:3, Insightful)
Sounds like they found a honeypot [wikipedia.org] or a decoy to me. Now that the bad guys know that the good guys are on to them, they can disappear into the ether for a while until the heat dies down.
Re:Why would they need basic auth? (Score:3, Insightful)
Unprotected maybe for a reason: (Score:5, Insightful)
If you think about it, if you just hacked into a users pc and nicked something (credit card info, passwords, whatever) and used them quietly to some degree, wouldn't you WANT someone else to use them, perhaps not so quietly? I mean, you want a fall guy right? Let the next script kiddie run through and take the fall. With a bit of luck, they will pin all the activity on the new guy rather than the guy who carefully used this once, then let the information loose on the masses.
It's not "accidentally" or "stupidly" left unprotected, it's a perfect smoke screen to cover tracks if you ask me.
Re:Security company finds unsecure server (Score:3, Insightful)
Even white hats have to deal with the PHB who wants to blame you for their problem.
Re:Why would they need basic auth? (Score:1, Insightful)
Maybe our "crimeserver" is really a "harvester?" (Score:5, Insightful)
Indeed. If I were writing botnet software I'd distribute multiple copies of the collected data across a number of the compromised computers. The press release and article abstract indicate that the botnet control programs and the data were located in the same place. That doesn't seem like a particularly good architecture for this type of system. I'd keep the command programs far away from the harvested data. My hunch is that the data aren't that valuable as I outline below.
I can accept that buying, installing and running a botnet could be as easy as installing an RPM. What appears more disturbing is the reported "timeframe of less than a month" to harvest over 5,000 records. But what kind of records are these? Finjan tells us [finjan.com] that the data "consisted of 5,388 unique log files [my emphasis]. Both email communications and web-related data were among them."
They go on to list some specific examples:
Compromised patient data
Compromised bank customer data
Business-related email communications
Captured Outlook accounts containing email communication
I'd be curious to see how much actual "patient" or "bank customer" data is revealed in "log files."
Still if all they got after a month were logs, I'm not sure how valuable they would be unless the goal was harvesting addresses for spamming or phishing. Capturing the logs of compromised mail servers would certainly yield a pretty high proportion of legitimate addresses, especially recipient addresses. This method seems especially attractive if you're trying to identify targets for "spear-phishing." If you can compromise some corporate mail servers, you can build up a nice list to "spear."
So I'm guessing Finjan found a machine containing some 5,600 mail server "log files" totalling 1.4 GB. Since the logs are worthless once the addresses are harvested, protecting them isn't much of a priority. I suppose competitive spammers might want to keep these potentially higher-yielding names to themselves, but given the volumes at which spammers operate, they probably don't care.
I think I'll go take a look at my mail servers now just to ease my mind.
Re:Why would they need basic auth? (Score:4, Insightful)
Re:HoneyPot (Score:3, Insightful)
Second 24Ga wire cant carry any current it smokes out right away.
Thirdly it does in FACT smoke the modems that were made back in the 80's and early 90's Hayes and USR modems back then could be eaten alive easily by 120VAC at any strength inot the phone port, better would be to also run a pair of wires to the modem's power supply side as well.
Fourthly it also pop's the Telco gear at the Switching station dropping the line off so when you call it it does not ring. A very clever way of setting a tripwire.
Remember back in the 80's the police and judges were not a corrupt as now. They did not throw in extra added bullshit for fun. Now the scumbag fuckers will add all kind of charges just to show you who owns the populace.