Security

"Crimeserver" Full of Personal/Business Data Found

Presto Vivace sends news of a server found by security firm Finjan that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjan dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers. ... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjan notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming. Update: 05/08 12:29 GMT by T : Note, the security firm involved is spelled "Finjan," not "Finjin" as originally shown.

  • WTF (Score:4, Interesting)

    by ColdWetDog ( 752185 ) * on Tuesday May 06, 2008 @07:20PM (#23318692) Homepage

    "The person that operated this server had no clue on security, he had no clue about how to configure a Web server. He just took a ... toolkit and started to use it and in three weeks he managed to have this fortune, this treasure on his server."

    I know it's just a rehash of a press release, likely taken out of context from what was originally said, but - WTF?

    I don't think that malware is so advanced that all you have to do is "use a toolkit" and poof - magically financial and personal data will just show up on the hard drive. Maybe the guy's server was pawned - he is at least acting like he doesn't know what he is doing, but come on.

    If it's that easy, I'm gonna try it....

  • by NoobixCube ( 1133473 ) on Tuesday May 06, 2008 @07:21PM (#23318714) Journal
    My first thought was, surely someone who accumulates this kind of data would go to some lengths to secure it. That leads me to believe that this "crime server" is owned by an amateur. The computer crime equivalent of a petty thief. Imagine how many properly run and hidden crime servers must exist. And think how many more petty thieves must own similar ones.
  • Re:HoneyPot (Score:5, Interesting)

    by Lumpy ( 12016 ) on Tuesday May 06, 2008 @08:29PM (#23319178) Homepage
    Actually that's called a tripwire. Back in the 80's when I knew some hackers really well I helped set up several tripwires. They went hand in hand with modem hop points. You social engineer into an office building, best is a multi business place. Get to the phone room and find a couple of demarc boxes that are old and gut them. Install a pair of modems back to back and you can hop from one phone line to another to mask your call if it's traced.

    To make a tripwire you add in a second box like that, have your outgoing line go into and out of the box, install an isolation relay or switch that when the box is opened it dumps 120VAC into the phone lines. This typically smokes a modem hard making it impossible for them to recover any info inside it. (mostly designed to piss off the feds/cops) but it disables the modem and the line tipping you off that that relay has been compromised.

    Worked well. One "friend" had 5 of his relays compromised in one night, tipping him off that something big was happening and he laid low for a while.
  • by Kingrames ( 858416 ) on Tuesday May 06, 2008 @08:35PM (#23319216)
    I don't think that's it.

    I think they recognize that getting the information was as easy as walking through a door, and so they don't trust any security measures other than physical security.
  • Screen Saver... (Score:4, Interesting)

    by Belial6 ( 794905 ) on Tuesday May 06, 2008 @08:42PM (#23319260)
    Is there any legitimate reason that screen savers in every single OS should not be 100% sandboxed? Is there even one OS that does sandbox the screen savers? Heck, there are not even that many screen savers that have a use for network access. You should have to explicitly authorize your sandboxed screen saver to have network access. As far as I know, every single OS is guilty of this security hole.
  • Re:WTF (Score:2, Interesting)

    by DogDude ( 805747 ) on Tuesday May 06, 2008 @08:45PM (#23319268)
    "I don't think that malware is so advanced that all you have to do is "use a toolkit" and poof - magically financial and personal data will just show up on the hard drive."

    Actually, it IS that easy. Tools like that have existed for years. Anybody with malicious intent and even a basic understanding of computers can easily run their own bot-net. Really. Literally a few button clicks, and the data is yours.
  • by Opportunist ( 166417 ) on Tuesday May 06, 2008 @09:35PM (#23319616)
    This might come as a surprise, but scammers are not necessarily more tech savvy than their victims.

    This isn't the first completely unprotected (or default password protected) scammer server. Actually, a certain security company which I won't name (but you can guess it...) will have a hard time working with certain other security companies from now on since there are things you don't yap about. Those hardly-if-ever protected ID-theft servers are one of those things.

    The reason is twofold. First of all, those criminals with a minimal technical knowledge (most of the time, those drop servers are part of the package you buy from someone who does actually know how to use a computer and write the necessary client/server package to steal information) might start wisening up and protect their servers better, making our work harder. It's the whole "the less your enemy knows about you and the more you know about your enemy, the better" thing.

    The second reason, though, is even more important. When it becomes "mostly common" knowledge that there are servers stuffed with stolen information, a second part of the criminal chain opens. Well, opens isn't the right word, it already opened, but it will have a wider, let's say, audience. People who want that information for their own goals won't infect your machine but rather try to steal from the thieves, multiplying the problem in proportions that cannot even be measured anymore. So far, we have a pretty good picture of the threat and problem, knowing (or at least being able to estimate) how many people are infected by a certain trojan, what information is siphoned and by the actions taken thereafter, we can draw a picture of the threat, the goals of the group that siphoned the information and so on.

    If now many criminals start working with the same data base, it becomes a damn lot harder to even try working out a threat scenario.

    That's why this is being kept on a low profile, and why nobody so far went out into the broad public about it. It's one of those "don't give them ideas" doctrines. I was certainly not in favor of the idea when it was presented, because withholding information does rarely lead to more security. I just couldn't offer a better solution. Or at least a better broom to keep the ocean at bay.
  • by Lobster Quadrille ( 965591 ) on Tuesday May 06, 2008 @11:38PM (#23320344)
    ...As if there aren't already?

    I mean, it's not like we have regular drivebys, but Russian spammers keep getting found dead... You do the math.
  • by dreamchaser ( 49529 ) on Wednesday May 07, 2008 @07:58AM (#23322414) Homepage Journal
    I never understood why they didn't put in some sort of interpreter and make SCR files some kind of bytecode that can only display graphics data. SCR files are a HUGE vector of malware infection because of the absolutely insane design they used.

    Just to short cut the 'Screensavers need network access! I want my Flickr photos to display...or my Weather data to display', etc., IT IS A SCREEN SAVER. Its purpose is to secure and protect your computer and screen when you aren't using it. WTF are you doing sitting there staring at your screensaver? Good pot?
