Security Test Prompts Federal Fraud Alert
itwbennett writes "Johannes Ullrich, chief research officer at the SANS Institute, took great interest in a National Credit Union Administration (NCUA) warning issued earlier this week, thinking, 'Finally this is in the wild, because I've only seen it in pen tests before.' Unfortunately for Mr. Ullrich, the letter and 2 CDs that caused the kerfuffle were part of a sanctioned security test of a bank's computer systems conducted by Ohio-based security company MicroSolved. 'It was a part of some social engineering we were doing in a fully sanctioned penetration test,' said MicroSolved CEO Brent Huston. For his part, NCUA spokesman John McKechnie did not have much to say about his organization's alert, except that 'at this point, it appears that this is an isolated event.'"
Patch subscriptions (Score:5, Insightful)
The best way to pull something like this off is to create CDs that look like they are part of a patch subscription. Before the spread of ubiquitous online access, many Unix and enterprise application vendors would send patches via some package carrier (Fed Ex, UPS, USPS, etc.). Many still do. Some admins automatically install anything they get in the mail without first verifying its contents.
As well they should... (Score:4, Insightful)
Social Engineering is the more likely cause of all major hacking issues. People saying their password out loud in a crowded office. My favorite is when you ask them for their password then add 'you can probably take everything I have because I use that for EVERYTHING'.
I have found people like "convenience", 'why should I have to log into ANOTHER computer to do the Banking?' - and 'can I get some speakers for that computer so I can listen to online radio while I do the banking?'...
I am glad to see that an "Alert" was produced from it, most businesses would have done the whole cover-up 'it never happened - now don't do it again' bit.
They detect the breach but fail (Score:4, Insightful)
They fail proper incident response by leaking incident data to the public. I would expect someone on their incident response team to be aware of the pen test, provide proof, and for the report to never leak out of the company.
I don't think proper incident response involves posting an alert based on an isolated incident and tipping off the attacker before law enforcement can move in.
Even if the attack was real, the institution might not want to reveal it to others, especially if the attack resulted in compromise; it could scare customers away if they were informed that a security compromise had occurred.
So it's a bit unusual that the report got out.
large bureaucratic hierarchies like banks... (Score:5, Insightful)
Re:They detect the breach but fail (Score:3, Insightful)
Um - did you even read the articles in question (while sober)? Because what you posted has about nothing to do with the sequence of events.
Re:large bureaucratic hierarchies like banks... (Score:3, Insightful)
It sorta defeats the point of a penetration test if the president is sitting right there. Especially as the president is probably going to be in on it. You're supposed to test the most vulnerable staffer, as that is who would actually be attacked.
I know what you mean, though. In any sort of problem, they'd personally contact someone who has the ability to make decisions and override the rules, in addition to just following the rules.
Re:... but what will we call such a hypothetical p (Score:1, Insightful)
Wow, you sure fooled me. I was thinking Norton.
You must manage communication first (Score:3, Insightful)
FFS, EVERY sensible organisation must run tests on various aspects. I run annual crisis management tests to ensure the plans they have actually work (we're talking about major, this-will-tank-the-company stuff which requires a military model of management to handle). It's fun dreaming up a realistic scenario, but it is ESSENTIAL that you manage the I/O to the crisis management team to ensure your test doesn't create a disaster in itself.
Let me give you an example: a VERY major news outlet was system testing years ago, and the twits didn't isolate properly. If it hadn't been for an alert operator they would have put out the story that a US president had died in an accident. Can you imagine the impact that would have had?
Good that the testers did what they did, exceptionally bad that they didn't verify communication paths beforehand. That suggests they were not employed at a high enough level or the security comms in the company sucks and needs to be improved as a matter of urgency. Bad PR also costs money, and from what I've seen they could improve there too.
Full marks for testing, but the test results suggest to me a couple of things need an overhaul pretty quickly. They are exposed as far as I'm concerned. Having said that, my standards in this are quite high.