How the FBI and Secret Service Know Your Network Has Been Breached Before You Do 72
coondoggie writes "By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement: the Secret Service and Federal Bureau of Investigation. But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance? The agencies do the one thing companies don't do. They attack the problem from the other end by looking for evidence that a crime has been committed. Agents go undercover in criminal forums where stolen payment cards, customer data and propriety information are sold. They monitor suspects and sometimes get court permission to break into password-protected enclaves where cyber-criminals lurk."
Here's how I found out.... (Score:5, Interesting)
The way I spotted the issue was through an open terminal window that was tailing the apache access log. I'd glance at it every once in a while as traffic trickled over the blog. I saw a request come in from the PENTAGON domain. I thought it was odd because my blog was about skateboarding and didn't think it would be of interest to anyone working at the Pentagon. I looked at the referrer and it was a site I was unfamiliar with: http://www.zone-h.org/.
So I browsed over to that server and saw that the page linking to my site was a list of defaced sites. Then I checked my own homepage and sure enough, Wordpress had been compromised by an exploit and someone had posted an article on the front page.
So, it seems like someone at the pentagon had a script scraping the defacement indexing sites and was then visiting each affected server and scraping that. Never got an email or phone call or anything.