"Crimeserver" Full of Personal/Business Data Found
Presto Vivace sends news of a server found by security firm Finjan that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjan dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers. ... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjan notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming. Update: 05/08 12:29 GMT by T : Note, the security firm involved is spelled "Finjan," not "Finjin" as originally shown.
Why would they need basic auth? (Score:5, Insightful)
Re: (Score:3, Interesting)
I think they recognize that getting the information was as easy as walking through a door, and so they don't trust any security measures other than physical security.
Re: (Score:2)
When you can collect that much data that quickly it has very little value.
Even if all the data were compromised and all the CC/Acct numbers changed before the harvester could use it, the only thing truly lost is the opportunity costs involved in gathering the data itself.
It just makes no sense to spend time securing the data and coming up with an authentication mechanism (After all, this server needs to accept uploaded data from their botnet.)
That time would be better spent just creating more system
Re: (Score:2)
When you can collect that much data that quickly it has very little value.
What's more, I suspect that the fact that all that data was harvested implies value.
Re: (Score:2)
Because in this particular case, the value of the data is nothing more than its sunk cost + opportunity cost.
It was collected so quickly, that those are both low.
If you can get 100 more CC numbers and bank accounts in a day/week/whatev the value of the data is less.
Kinda like how if you make $120 an hour you can justify spending $4 on a cup of coffee where you really can't if you're out there making $6.50 an hour.
So there you go, now r
Maybe our "crimeserver" is really a "harvester?" (Score:5, Insightful)
Indeed. If I were writing botnet software I'd distribute multiple copies of the collected data across a number of the compromised computers. The press release and article abstract indicate that the botnet control programs and the data were located in the same place. That doesn't seem like a particularly good architecture for this type of system. I'd keep the command programs far away from the harvested data. My hunch is that the data aren't that valuable as I outline below.
I can accept that buying, installing and running a botnet could be as easy as installing an RPM. What appears more disturbing is the reported "timeframe of less than a month" to harvest over 5,000 records. But what kind of records are these? Finjan tells us [finjan.com] that the data "consisted of 5,388 unique log files [my emphasis]. Both email communications and web-related data were among them."
They go on to list some specific examples:
Compromised patient data
Compromised bank customer data
Business-related email communications
Captured Outlook accounts containing email communication
I'd be curious to see how much actual "patient" or "bank customer" data is revealed in "log files."
Still if all they got after a month were logs, I'm not sure how valuable they would be unless the goal was harvesting addresses for spamming or phishing. Capturing the logs of compromised mail servers would certainly yield a pretty high proportion of legitimate addresses, especially recipient addresses. This method seems especially attractive if you're trying to identify targets for "spear-phishing." If you can compromise some corporate mail servers, you can build up a nice list to "spear."
So I'm guessing Finjan found a machine containing some 5,600 mail server "log files" totalling 1.4 GB. Since the logs are worthless once the addresses are harvested, protecting them isn't much of a priority. I suppose competitive spammers might want to keep these potentially higher-yielding names to themselves, but given the volumes at which spammers operate, they probably don't care.
I think I'll go take a look at my mail servers now just to ease my mind.
Re: (Score:1)
p2p torrent download technology, so that a file of 1.4 GB can be shared by all
child nodes within a network if they so choose.
Therefore, a botnet with 1000 PCs... could easily host a few hundred copies...
Re: (Score:1)
I'd be curious to see how much actual "patient" or "bank customer" data is revealed in "log files." /var/log/maillog on my servers would certainly reveal "business-related email communications" in the sense of senders and recipients. Mail logs might also contain some entries for mail between providers and patients or between banks and their customers. Apache logs wouldn't be so useful, though they do contain the usernames when Basic Authentication is used. But none of those logs would reveal much about the content of those communications. I don't know anything about Outlook so I have no idea how its logs might reveal "captured Outlook accounts containing email communication."
You are assuming that the discovered log files are logs copied verbatim from the victim machines. It is more likely that these are logs of collected data (e.g., keystrokes, mouse clicks, screen snapshots, actual emails) captured using spyware or keyloggers.
If that is the case (and the story does not make it clear), then such logs certainly contain credentials and other identifying information to allow anyone to access bank accounts, private patient data, and so on.
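The distinction drawn here, between verbatim server logs and spyware capture logs, is the first thing an incident responder has to settle when a cache like this turns up, because it decides whether the exposure is addresses or working credentials. As an added example, not code from the thread or from Finjan, here is a Python triage helper that classifies a recovered file by its line shape and counts the identities and credential-bearing lines it exposes; the log formats, sample lines and names are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed, approximate line shapes for the three kinds of "log file" above:
# Postfix maillog, Apache combined access log, keylogger-style capture log.
MAILLOG = re.compile(r"postfix/\w+\[\d+\]: .*?(?:from|to)=<([^>]+)>")
APACHE = re.compile(r'^\S+ \S+ (\S+) \[[^\]]+\] "[A-Z]+ \S+')
CAPTURE = re.compile(r"^\[[^\]]+\] \[(?P<win>[^\]]+)\] user:(?P<user>\S+) pass:\S+")

@dataclass
class Triage:
    kind: str = "unknown"                    # maillog / apache / capture / unknown
    identities: Counter = field(default_factory=Counter)  # addresses, usernames
    credentials: int = 0                     # lines that carried a password

def triage_file(text: str) -> Triage:
    """Classify one recovered file by its dominant line shape and count what
    it exposes. Passwords are counted but never stored, so the report itself
    does not become a second copy of the stolen secrets."""
    votes, t = Counter(), Triage()
    for line in text.splitlines():
        if m := CAPTURE.match(line):
            votes["capture"] += 1
            t.identities[f"{m['user']} ({m['win']})"] += 1
            t.credentials += 1
        elif m := MAILLOG.search(line):
            votes["maillog"] += 1
            t.identities[m.group(1).lower()] += 1   # sender or recipient address
        elif m := APACHE.match(line):
            votes["apache"] += 1
            if m.group(1) != "-":                    # Basic Auth username, if any
                t.identities[m.group(1)] += 1
    if votes:
        t.kind = votes.most_common(1)[0][0]
    return t

def summarize(cache):
    """Per kind: number of files, distinct identities, credential-bearing lines."""
    out = {}
    for text in cache.values():
        t = triage_file(text)
        s = out.setdefault(t.kind, {"files": 0, "identities": 0, "credentials": 0})
        s["files"] += 1
        s["identities"] += len(t.identities)
        s["credentials"] += t.credentials
    return out

SAMPLE_CACHE = {  # constructed sample files standing in for a recovered cache
    "maillog": "May  7 10:01:02 mx1 postfix/qmgr[2201]: 5A1B2C3D4E: from=<bob@example.org>, size=2048, nrcpt=1 (queue active)\n"
               "May  7 10:01:03 mx1 postfix/smtp[2210]: 5A1B2C3D4E: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:25, status=sent (250 OK)\n",
    "access_log": '10.0.0.5 - - [07/May/2008:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 1024\n'
                  '10.0.0.5 - jdoe [07/May/2008:10:02:03 +0000] "GET /intranet/ HTTP/1.1" 200 512\n'
                  '10.0.0.9 - jdoe [07/May/2008:10:02:09 +0000] "POST /intranet/report HTTP/1.1" 302 0\n',
    "capture.txt": "[07/05/2008 10:03:04] [bank.example.com - Login] user:carol pass:s3cret!\n"
                   "[07/05/2008 10:03:40] [webmail.example.org - Sign in] user:dave pass:Pa55w0rd\n",
}

if __name__ == "__main__":
    for kind, s in summarize(SAMPLE_CACHE).items():
        print(f"{kind:8} files={s['files']} identities={s['identities']} credentials={s['credentials']}")
```

Real caches will mix formats and encodings, so treat the vote as a hint for a human reviewer, and route anything classified as capture to credential-reset notifications rather than to address-only handling.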
Re: (Score:2)
This means that the 1.4Gb of data, while containing some less useful information, is much more valuable than you have indicated above...
Having said that, and realizing that this data is not just a mail/http log file, one can really start to grasp the true meaning of suc
Re: (Score:2)
What's likely is that if you were to steal a credit card number, you'd also steal 20 others that day, and 20 more the next, and so on.
And all of a sudden the value of a given CC is almost zero.
A more apt analogy would be like a bank robber stealing $100,000 and fretting over each $100 bill. If YOU dropped $500 finding it would be your #1 priority. The same could not be said of that bank robber.
Re: (Score:2)
It's like the guy that steals your mail to get your account numbers. Do you think he shreds those when he's done with it?
The cost of data-loss to these criminals is so low to nearly be non-existent.
It's simple threat assessment / risk analysis.
Re:Why would they need basic auth? (Score:5, Interesting)
This isn't the first completely unprotected (or default password protected) scammer server. Actually, a certain security company which I won't name (but you can guess it...) will have a hard time working with certain other security companies from now on, since there are things you don't yap about. Those hardly-if-ever protected ID-theft servers are one of those things.
The reason is twofold. First of all, those criminals with minimal technical knowledge (most of the time, those drop servers are part of the package you buy from someone who does actually know how to use a computer and write the necessary client/server package to steal information) might start wising up and protect their servers better, making our work harder. It's the whole "the less your enemy knows about you and the more you know about your enemy, the better" thing.
The second reason, though, is even more important. When it becomes "mostly common" knowledge that there are servers stuffed with stolen information, a second part of the criminal chain opens. Well, opens isn't the right word, it already opened, but it will have a wider, let's say, audience. People who want that information for their own goals won't infect your machine but rather try to steal from the thieves, multiplying the problem in proportions that cannot even be measured anymore. So far, we have a pretty good picture of the threat and problem: knowing (or at least being able to estimate) how many people are infected by a certain trojan, what information is siphoned and, by the actions taken thereafter, we can draw a picture of the threat, the goals of the group that siphoned the information and so on.
If now many criminals start working with the same database, it becomes a damn lot harder to even try working out a threat scenario.
That's why this is being kept on a low profile, and why nobody so far went out into the broad public about it. It's one of those "don't give them ideas" doctrines. I was certainly not in favor of the idea when it was presented, because withholding information rarely leads to more security. I just couldn't offer a better solution. Or at least a better broom to keep the ocean at bay.
Re: (Score:2)
When it becomes "mostly common" knowledge that there are servers stuffed with stolen information, a second part of the criminal chain opens.
Just what we need -- thieves stealing from thieves. Except here the problem is that the information (your name, address, social security number, bank account numbers) is all digital and can be copied an infinite number of times. If a thief steals from a drug dealer ("rip and run") then the drug dealer knows he's been hit and is likely to take security measures. If a thief steals from an identity thief, it might not even be obvious that anything was taken until it's already too late.
This is why it's VERY i
Re: (Score:3, Interesting)
I mean, it's not like we have regular drivebys, but Russian spammers keep getting found dead... You do the math.
Re: (Score:2)
It's not secrecy. This isn't some top secrety conspiracy bullshit. It's simply a matter of making your work no harder than entirely necessary.
Re: (Score:1)
Anyone who doesn't see the humor and irony in that isn't looking very hard.
Re: (Score:1)
I was hoping the article would say what kind of OS this crime server was running. It doesn't.
Forget the OS--I want to know what the IP address is. [evil grin]
WTF (Score:4, Interesting)
I know it's just a rehash of a press release, likely taken out of context from what was originally said, but - WTF?
I don't think that malware is so advanced that all you have to do is "use a toolkit" and poof - magically financial and personal data will just show up on the hard drive. Maybe the guy's server was pwned - he is at least acting like he doesn't know what he is doing, but come on.
If it's that easy, I'm gonna try it....
Re: (Score:1)
I'll make sure to alert the authorities.
They will be expecting the usual payment.
I kind of was kidding when I started this joke, but I think it isn't really that much of a joke considering the state they found that server in. It may well have been a gift of junk data, stuff they couldn't use anyway. If you can write malware and don't lock the server it goes to, you are doing that for a reason, not in error.
I not only look gift horses in the mouth I do DNA testing.
Re: (Score:2)
Bryansix, what part of this sounds like we should involve the authorities?
Re: (Score:3, Insightful)
I know it's just a rehash of a press release, likely taken out of context from what was originally said, but - WTF?
If it's that easy, I'm gonna try it....
Did you consider the fact that the stuff that does all the hard work is actually .... software?!
In other words, if some black hat makes a nice package with a decent installer and good documentation, it could well be that it is less complicated to set up such a server than, say, setting up a decent webserver.
The app in question would then do something like:
1: look for vulnerable PCs
2: infiltrate weak ones with preprogrammed stuff
3: send data back to simple integrated webserver
4: goto 1
The componen
Re: (Score:2)
The stuff I see sometimes in
Re: (Score:2, Interesting)
Actually, it IS that easy. Tools like that have existed for years. Anybody with malicious intent and even a basic understanding of computers can easily run their own bot-net. Really. Literally a few button clicks, and the data is yours.
So you have to a CISSP to run a script now? (Score:5, Insightful)
Re: (Score:1, Troll)
You realize that those things have SAFETY SWITCHES?!?!
What are you supposed to do with that thing? I'm no gun expert....does the orange dot mean it's on or off?!?! And does on mean the gun is on or the safety is on? Ahhh!!! I really don't want that kind of confusion in a deadly weapon! I'll stick with a sword. No buttons, switches, or triggers. Pointy end goes into human. Done.
Re:So you have to a CISSP to run a script now? I'm (Score:1, Troll)
"Thief robs liquor store in 255 lines of Haiku; no weapons involved. Story at 11."
Bid #4325 (Score:1)
Turkey? (Score:1)
Security company finds unsecure server (Score:5, Insightful)
So they're not trying to help at all. What they're trying to do is sell their services and using this pseudo-news article to do it. Shame on them.
Re: (Score:2)
News flash, oh SlashDrones, Slashdot is like Google, a commercial money-making business. WORD...
Re: (Score:3, Insightful)
Even white hats have to deal with the PHB who wants to blame you for their problem.
Re:Security company finds unsecure server (Score:5, Informative)
People may not have been contacted directly, but those in a good position to quickly mitigate damage were notified:
"Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver".
So they're not trying to help at all. What they're trying to do is sell their services and using this pseudo-news article to do it.
Do you actually have any evidence of this? What were they trying to sell to who?
I would expect a press-release type of promotional piece to have more information about the services the company offers.
HoneyPot (Score:3, Insightful)
Sounds like they found a honeypot [wikipedia.org] or a decoy to me. Now that the bad guys know that the good guys are on to them, they can disappear into the ether for a while until the heat dies down.
Re:HoneyPot (Score:5, Interesting)
To make a tripwire you add in a second box like that, have your outgoing line go into and out of the box, and install an isolation relay or switch so that when the box is opened it dumps 120VAC into the phone lines. This typically smokes a modem hard, making it impossible for them to recover any info inside it (mostly designed to piss off the feds/cops), but it also disables the modem and the line, tipping you off that that relay has been compromised.
Worked well. One "friend" had 5 of his relays compromised in one night, tipping him off that something big was happening, and he laid low for a while.
Re: (Score:2)
You can get such relays [active123.com] for about six bucks, and if you shop around, I'm sure you could get them cheaper.
Re: (Score:1)
The most likely result would be to add "intent to do bodily harm" to the charge sheet, or worse if the telephone company technician was following the wires when someone opened the box :-(
Re: (Score:3, Insightful)
Second, 24Ga wire can't carry any current; it smokes out right away.
Thirdly, it does in FACT smoke the modems that were made back in the 80's and early 90's. Hayes and USR modems back then could be eaten alive easily by 120VAC at any strength into the phone port; better would be to also run a pair of wires to the modem's power supply side as well.
Fourthly, it also pops the Telco gear at the Switching station, dropping the line off so when you call it
Unprotected maybe for a reason: (Score:5, Insightful)
If you think about it, if you just hacked into a user's PC and nicked something (credit card info, passwords, whatever) and used them quietly to some degree, wouldn't you WANT someone else to use them, perhaps not so quietly? I mean, you want a fall guy, right? Let the next script kiddie run through and take the fall. With a bit of luck, they will pin all the activity on the new guy rather than the guy who carefully used this once, then let the information loose on the masses.
It's not "accidentally" or "stupidly" left unprotected, it's a perfect smoke screen to cover tracks if you ask me.
PRESS WHORES (Score:1)
Spelled: Finjan (Score:1)
Re: (Score:2)
Ever had Arabic coffee? "Cook" is a more appropriate term.
drugs on the table (Score:1)
safety in numbers (Score:2)
Maybe so - but conversely they may not be able to use all of it (at least for time-limited things like credit cards) before it's expired, making me happy that they have lots of data, because when (not if) my data gets stolen from somewhere, I'm less likely to be one of those exploited. Whee.
Old news (Score:1)
Unprotected Data == Deniable Data (Score:2)
Cool! A Minnie Driver / Anne Hathaway love scene! (Score:1)
> stolen data, accumulated over a period of less than a month from
> compromised PCs around the world. The "crimeserver," as Finjin dubs it,
> "provided command and control functions for malware attacks in addition
> to being a drop site for data harvested from compromised computers..."
Fucking Morpheus! Can't the feds ever stop this guy?!?!?
Was your data compromised? (Score:2)
Simply give me as many search terms as you can think of, and I'll let you know. Examples: Your name. SSN. Bank Account Routing and Transit numbers. Mother's Maiden Name. Any other search terms that you want me to search for.
Re:Where do you think the data came from (Score:5, Funny)
Screen Saver... (Score:4, Interesting)
Re: (Score:2)
The screensaver should be subject to the same HIGH security standards as everything else. There's no reason to give it more or less permission.
Yes and that is just insane (Score:3, Interesting)
Just to short cut the 'Screensavers need network access! I want my Flickr photos to display...or my Weather data to display', etc., IT IS A SCREEN SAVER. Its purpose is to secure and protect your computer and screen when you aren't using it. WTF are you doing sitti
Re: (Score:2)
Your solution wouldn't fix the problem. The "screen saver"'s "installer" can easily be the source of the virus or trojan or whatever instead of the actual "screen saver". And installers are expected to have to run with elevated privileges (especially in Vista since Program Files can't be written to without them).
Re: (Score:2)
And changing it now wouldn't solve much, users are used to running installers for screensavers and would continue to do so even if the screensavers themselves were forced to change to a bytecode format.