Tuesday 8 May 2007

Information Security: What to do with those Trojans?!?

What do we do when a client brings in a system that has multiple infections? How do we know for sure when the system was infected, or whether anyone still has some kind of control over it?

We always advise flattening the system: wipe it and reinstall from known-good media. Only non-active data such as documents and images is recovered beforehand, and that recovery is done on a separate system we have set up for this task rather than on the infected machine.
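What "non-active data" means in practice is worth spelling out, because an infected machine will happily hand you a dropper named holiday.jpg or a .docx carrying a VBA project. The script below is an added example, not the recovery tooling used in the shop described in this post: it walks a mounted copy of the infected disk, copies only files whose extension is on an allowlist and whose content actually matches that extension, refuses anything with a PE (MZ) header or an embedded vbaProject.bin, and writes a SHA-256 manifest of what was taken. The allowlist, the sample directory tree and the file contents are constructed for the demonstration.

```python
"""Triage copy of non-active user data off a mounted infected volume (added example)."""
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

# Extension -> bytes the file content must start with. None means no fixed
# magic (plain text), so only the executable-header check applies.
ALLOWED = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".gif": b"GIF8",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".txt": None,
}


def classify(path: Path) -> str:
    """Return 'ok' if the file is safe to carry over, otherwise the reason it is refused."""
    if path.is_symlink():
        return "symlink or junction"  # could point anywhere on the infected disk
    ext = path.suffix.lower()
    if ext not in ALLOWED:
        return "extension not on allowlist"
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(b"MZ"):
        return "PE executable header"  # renamed binary, whatever the extension says
    magic = ALLOWED[ext]
    if magic is not None and not head.startswith(magic):
        return "content does not match extension"
    if magic == b"PK\x03\x04":
        # OOXML documents are zip containers; macros live in vbaProject.bin.
        try:
            with zipfile.ZipFile(path) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    return "Office document carries VBA macros"
        except zipfile.BadZipFile:
            return "corrupt Office container"
    return "ok"


def recover(src_root: Path, dst_root: Path) -> dict:
    """Copy allowed files from src_root to dst_root, keeping relative paths.

    Returns a manifest: copied files with their SHA-256, refused files with the reason.
    """
    manifest = {"copied": {}, "refused": {}}
    for path in sorted(src_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(src_root).as_posix()
        verdict = classify(path)
        if verdict != "ok":
            manifest["refused"][rel] = verdict
            continue
        dst = dst_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(path, dst)  # data only: no ACLs, attributes or alternate streams
        manifest["copied"][rel] = hashlib.sha256(dst.read_bytes()).hexdigest()
    return manifest


def build_sample(root: Path) -> None:
    """Constructed stand-in for an infected user profile (not real files)."""
    (root / "Pictures").mkdir(parents=True)
    (root / "Documents").mkdir()
    (root / "Pictures" / "cat.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    # Dropper renamed to look like a photo: PE header behind a .jpg name.
    (root / "Pictures" / "holiday.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 16)
    (root / "Documents" / "notes.txt").write_text("quarterly notes\n")
    with zipfile.ZipFile(root / "Documents" / "invoice.docx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(root / "Documents" / "macro.docx", "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    (root / "Documents" / "update.exe").write_bytes(b"MZ" + b"\x00" * 30)


def demo() -> dict:
    """Run the triage copy over the constructed sample and return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "infected", Path(tmp) / "recovered"
        build_sample(src)
        return recover(src, dst)


if __name__ == "__main__":
    for section, entries in demo().items():
        print(section)
        for name, detail in entries.items():
            print(f"  {name}: {detail}")
```

Run it against a read-only mount of the suspect disk, keep the manifest with the job ticket, and scan the recovered tree with a current engine before it goes near the rebuilt machine. Legacy .doc and .xls files are deliberately absent from the allowlist because their macro storage cannot be checked with the standard library alone.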

What about the TJX security breach? The Wall Street Journal has an up-to-date article on where the initial breach came from: How Credit-Card Data Went Out Wireless Door.

Ouch! *wince*

So, can the forensic experts guarantee that TJX's systems are now free of any further Trojans or rootkits? I mean 100% free? As in, totally secure?

I don't think so.

Think about this for a minute. You have free access to a treasure of immeasurable proportions. You can come and go as you please. You can do this for months at a time, with no one the wiser.

So, what do you do? Build a couple of backdoors? Maybe. Build a large number of backdoors? Likely. Build time-released backdoors? Very likely. Hide those backdoors in the maze of locations on a network? Extremely likely.

Imagine, if you will, that the people who were on top of their credit card and debit card statements had not been paying attention. There would have been no calls to their banks or credit card institutions questioning the mysterious charges on those statements.

Where would we be now? The crooks in Florida and elsewhere who have been fingered with credit card and debit card numbers procured via TJX would surely be much further along.

Kudos to those people who vigilantly monitor their credit and debit card statements. It is solely due to your vigilance that more financial and identity losses, and the pain and sorrow that go with them, have not taken place.

From the article:
The problems first surfaced at credit-card issuers such as Fidelity Homestead, the Louisiana savings bank. Its customers were dealing with the aftermath of Hurricane Katrina when they began seeing strange transactions on their credit-card bills in November 2005, says Richard Fahr, Fidelity's security officer. First there were unauthorized transactions from Wal-Mart stores in Mexico, and then fraud started surfacing in Southern California, Mr. Fahr says.
Gives a whole new meaning to "an ounce of prevention can prevent a pound of pain".

Monitor your statements folks. Even better, get online with your financial institutions and check those online statements regularly. Question any seemingly benign transaction that you know doesn't fit your spending habits or purchase locations.

Sometimes the crooks will put through a small $2 or $3 transaction to test whether anyone is paying attention. If the credit/debit card number is still good a couple of weeks later, that cardholder is likely not checking their statements, and the larger charges follow.
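The same pattern can be picked out of a statement mechanically: a small charge at a merchant you have never used, followed within a few weeks by larger charges at merchants you have also never used. The code below is an added example, not something from this post or from any bank's fraud system; the $5.00 probe ceiling, the 21-day window, the merchant names and the transactions are all constructed for the demonstration.

```python
"""Flag probe-sized charges at unfamiliar merchants and what follows them (added example)."""
from datetime import date, timedelta

# Constructed statement lines: (date, merchant, amount). Not real data.
STATEMENT = [
    (date(2007, 3, 2), "GROCERY MART", 84.12),
    (date(2007, 3, 5), "GAS N GO", 41.00),
    (date(2007, 3, 9), "ONLINE RETAIL MX", 2.17),     # the probe
    (date(2007, 3, 12), "GROCERY MART", 66.40),
    (date(2007, 3, 24), "ONLINE RETAIL MX", 389.99),  # card still good, cash out
    (date(2007, 3, 25), "ELECTRONICS CA", 512.00),
    (date(2007, 3, 28), "SUBSCRIPTION TEST", 1.00),   # probe with nothing after it yet
]

# Merchants seen on earlier statements; anything else counts as unfamiliar.
KNOWN_MERCHANTS = {"GROCERY MART", "GAS N GO"}


def find_probe_charges(statement, known_merchants, probe_max=5.00, window_days=21):
    """Return one alert per small charge at an unfamiliar merchant.

    Each alert carries the probe transaction and every larger charge at an
    unfamiliar merchant inside the following window. A probe with no follow-ups
    is still reported, because that is the moment a phone call to the bank
    is cheapest.
    """
    txns = sorted(statement)
    alerts = []
    for i, (day, merchant, amount) in enumerate(txns):
        if merchant in known_merchants or amount > probe_max:
            continue
        horizon = day + timedelta(days=window_days)
        followups = [
            t for t in txns[i + 1:]
            if t[0] <= horizon and t[1] not in known_merchants and t[2] > probe_max
        ]
        alerts.append({"probe": txns[i], "followups": followups})
    return alerts


if __name__ == "__main__":
    for alert in find_probe_charges(STATEMENT, KNOWN_MERCHANTS):
        day, merchant, amount = alert["probe"]
        print(f"{day} {merchant} ${amount:.2f}: possible test charge")
        for f_day, f_merchant, f_amount in alert["followups"]:
            print(f"    followed by {f_day} {f_merchant} ${f_amount:.2f}")
```

The heuristic is deliberately simple; it will also flag a legitimate first purchase at a new shop, which is exactly the kind of transaction the post says to question anyway.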

Again, from the article:
Lobbying by banking associations since disclosure of the TJX breach has helped persuade lawmakers in several states and in Congress to consider new legislation. One bill in Massachusetts would impose full financial responsibility for any fraud-related losses, including costs of reissuing of cards, on companies whose security systems are breached. Another bill, in Minnesota, would bar any company from storing any consumer data after a transaction is authorized and completed.

Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said in March he believes Congress will move to require a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards.
Um, TJX, you messed up. You messed up real bad. This is beyond a mistake. This is a critical, no-turning-back error. You are responsible for all costs of this breach. Not the banks, not the credit card institutions.

Governments should not have to institute laws to protect their citizens from companies that do not do due diligence.

I do believe that the lawsuits that stem from this incident will teach other companies that it is a lot more expensive to deal with a breach than to protect their clients' data from a breach in the first place.

UPDATE: Just made some minor grammatical changes.

Philip Elder
Microsoft Small Business Specialists
