STE WILLIAMS

Google Groups blunder exposes THOUSANDS of Japanese govt emails

Customer Success Testimonial: Recovery is Everything

The Japanese government has admitted sharing thousands of email conversations with world+dog after a mix-up over Google Groups’ privacy settings.

Officials from several ministries shared messages on the free web-based service without realising that the default setting is for public access to all discussions, the Daily Yomiuri reported.


Staff at the Environment Ministry; Land, Infrastructure, Transport and Tourism Ministry; Agriculture, Forestry and Fisheries Ministry; and Reconstruction Agency all seem to have leaked.

“Our security awareness was weak,” an Environment Ministry official told the paper.

Blunders at the ministry exposed emails sent back in January relating to government negotiations at the Minamata Convention on Mercury, including those of its chief negotiator Ryutaro Yatsu.

All offending messages have now been made private, however, the ministry has apparently begun an investigation into the accidental leak, suspecting the use of Google Groups may have violated internal regulations.

“We have our own internal system to share e-mails, but we used Google because it was convenient,” an official told the Yomiuri.

The Japanese government is not the only institution to be left red-faced after the revelations. Data affecting 5,000 people was apparently exposed in the same way by various private businesses and medical institutions.

Although not mentioned in its own story, the Yomiuri has also admitted some of its journalists accidentally revealed draft stories and interview transcripts thanks to Google Groups blunders, AFP claimed.

Ensure Ease of Recovery with Asigra’s Agentless Software

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/12/yomiuri_japan_data_leak_google_groups/

Snowden leak: Microsoft added Outlook.com backdoor for Feds

Agentless Backup is Not a Myth

There are red faces in Redmond after Edward Snowden released a new batch of documents from the NSA’s Special Source Operations (SSO) division covering Microsoft’s involvement in allowing backdoor access to its software to the NSA and others.

Documents seen by The Guardian detail how the NSA became concerned when Microsoft started testing Outlook.com, and asked for access. In five months Microsoft and the FBI created a workaround that gives the NSA access to encrypted chats on Outlook.com. The system went live in December last year – two months before Outlook.com’s commercial launch.


Those Outlook users not enabling encryption get their data slurped as a matter of course, the documents show. “For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption,” an NSA newsletter states.

Microsoft’s cloud storage service SkyDrive is also easy to access, thanks to Redmond’s work with the NSA. The agency reported on April 8, 2013 that Microsoft has built PRISM access into Skydrive in such a way as to remove the need for NSA analysts to get special authorization for searches in Microsoft’s cloud.

“Analysts will no longer have to make a special request to SSO for this – a process step that many analysts may not have known about,” the leaked NSA document states. “This new capability will result in a much more complete and timely collection response. This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established.”

The documents also detail how Microsoft and Skype have also been working with the intelligence agencies to install monitoring taps. Work began on integrating Prism into Skype in November 2010, they state, three months before the company was issued with an official order to comply by the US Attorney General.

Data collection began on February 6, 2011, and the NSA document says the planned systems worked well, with full metadata collection enabled. It praised Microsoft for its help, saying “collaborative teamwork was the key to the successful addition of another provider to the Prism system.”

Work to integrate Skype into Prism into Skype didn’t stop there, however. In July 2012 an NSA newsletter states Microsoft installed an upgrade that tripled the amount of Skype videos that can be monitored by NSA analysts.

“The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete ‘picture’,” it says.

In a statement, Microsoft said that it only complies with legal demands for customer information for law enforcement and national security purposes, and that the company isn’t involved in giving “the kind of blanket orders discussed in the press over the past few weeks.”

“When we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely,” it said.

Not that Microsoft hasn’t been making a big thing about the privacy of its communications systems in the past. Its Gmail Man ad campaign lambasted Google for snooping in people’s mail to match them with advertisers, and the tagline “Your email is your business” seems somewhat ironic these days. The advert is no longer on Microsoft’s YouTube channel.

The leaked documents come from the NSA’s Special Source Operations (SSO) division, which handles commercial company liaison for data collection by the agency. The documents show that, once collected by Prism, the NSA shares its data directly with the CIA and FBI via a custom application.

“The FBI and CIA then can request a copy of Prism collection of any selector…” the document says. “These two activities underscore the point that Prism is a team sport!”

In a joint statement, Shawn Turner, spokesman for the director of National Intelligence, and Judith Emmel, spokeswoman for the NSA, told The Guardian that the wiretapping referred to in the document was court-ordered and was subject to judicial oversight.

“Not all countries have equivalent oversight requirements to protect civil liberties and privacy,” they said. “In practice, US companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the US and other countries in which they operate.” ®

Cloud based data management

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/

Seoul-blackening disk wipe badness linked to 4-year SPY CAMPAIGN

What you need to know about cloud backup

The March attack that hit tens of thousands of computers in South Korea was part of a much larger campaign waged against the Asian nation since at least 2009. That’s according to a new report by security biz McAfee.

About 30,000 PCs in banks, insurance companies and TV stations were knackered a few months ago on 20 March in an assault dubbed the Dark Seoul Incident.

South Koreans from Busan to Namyangju couldn’t draw money or transfer cash as they were shut out of their online banking accounts and entire networks of cash machines in the country fell over.

The McAfee report avoids leaping to the obvious conclusion that the attacks may be sponsored by North Korea. McAfee’s EMEA CTO, Raj Samani, said the firm didn’t want to second-guess a South Korean government investigation into the attacks.

What actually happened on 20 March

Spear-phishing emails – precisely targeted messages booby-trapped with attack code – were sent in the preceding three months and were used to open back doors on the PCs. The compromised Windows machines were then told to download and run the data-wiping malware on 20 March.

The software nasties unleashed on computers on the day wiped their master boot records, which are needed to successfully start up the machines.

The attack shouldn’t have been particularly damaging beyond being an absolute pain in the neck for IT workers to fix, which is why no one linked the affair to an attempt to snaffle data rather than merely to wipe it.

Beware of Norks snoops bearing gifts

However, security bods at McAfee theorise that malware used in the attack emerged from a hidden years-long campaign. The security firm has dubbed it “Operation Troy” after repeated citations of the ancient city were found in file path strings present in malware associated with the attacks.

The report (PDF) stated:

McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities.

McAfee researchers who analysed the malware deployed for Dark Seoul said it shared some of the code in the NSTAR Trojan and other nasties linked to attacks launched against South Korea some three years ago, as McAfee explains:

The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR, seven known variants have been identified. Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009. The operation, all based on the same code, has attempted to infiltrate specific South Korean targets.

The Operation Troy control process historically involved routing operating commands through concealed Internet Relay Chat (IRC) servers, the researchers said. The first three Troy variants were managed through a South Korean manufacturing website in which the attackers installed an IRC server. This all changed just before the Dark Seoul incident.

The “Concealment” Troy variant, which appeared earlier this year, broke with this dependance on a hardcoded IRC control server control network and moved to running command and control through a more sophisticated (but harder to manage) botnet-based system.

Timeline of the development of Dark Seoul’s malware

The Troy-era malware is based on the same source code used to create these specialized variants and shares many commonalities, such as bs.dll and payload.dll, which are found consistently throughout the families. The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident.

Raj Samani, EMEA CTO at McAfee, told El Reg that behind “noisy” DDoS attacks against South Korean targets, a far more insidious espionage campaign is taking place. “The attacks involve destruction, disruption and espionage,” said Samani, adding that the espionage campaign had featured military-themed keywords such as brigade. ®

Cloud storage: Lower cost and increase uptime

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/11/mcafee_dark_seoul_analysis/

Seoul-blackening disk wipe badness linked to 4-year SPY CAMPAIGN

What you need to know about cloud backup

The March attack that hit tens of thousands of computers in South Korea was part of a much larger campaign waged against the Asian nation since at least 2009. That’s according to a new report by security biz McAfee.

About 30,000 PCs in banks, insurance companies and TV stations were knackered a few months ago on 20 March in an assault dubbed the Dark Seoul Incident.

South Koreans from Busan to Namyangju couldn’t draw money or transfer cash as they were shut out of their online banking accounts and entire networks of cash machines in the country fell over.

The McAfee report avoids leaping to the obvious conclusion that the attacks may be sponsored by North Korea. McAfee’s EMEA CTO, Raj Samani, said the firm didn’t want to second-guess a South Korean government investigation into the attacks.

What actually happened on 20 March

Spear-phishing emails – precisely targeted messages booby-trapped with attack code – were sent in the preceding three months and were used to open back doors on the PCs. The compromised Windows machines were then told to download and run the data-wiping malware on 20 March.

The software nasties unleashed on computers on the day wiped their master boot records, which are needed to successfully start up the machines.

The attack shouldn’t have been particularly damaging beyond being an absolute pain in the neck for IT workers to fix, which is why no one linked the affair to an attempt to snaffle data rather than merely to wipe it.

Beware of Norks snoops bearing gifts

However, security bods at McAfee theorise that malware used in the attack emerged from a hidden years-long campaign. The security firm has dubbed it “Operation Troy” after repeated citations of the ancient city were found in file path strings present in malware associated with the attacks.

The report (PDF) stated:

McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities.

McAfee researchers who analysed the malware deployed for Dark Seoul said it shared some of the code in the NSTAR Trojan and other nasties linked to attacks launched against South Korea some three years ago, as McAfee explains:

The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR, seven known variants have been identified. Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009. The operation, all based on the same code, has attempted to infiltrate specific South Korean targets.

The Operation Troy control process historically involved routing operating commands through concealed Internet Relay Chat (IRC) servers, the researchers said. The first three Troy variants were managed through a South Korean manufacturing website in which the attackers installed an IRC server. This all changed just before the Dark Seoul incident.

The “Concealment” Troy variant, which appeared earlier this year, broke with this dependance on a hardcoded IRC control server control network and moved to running command and control through a more sophisticated (but harder to manage) botnet-based system.

Timeline of the development of Dark Seoul’s malware

The Troy-era malware is based on the same source code used to create these specialized variants and shares many commonalities, such as bs.dll and payload.dll, which are found consistently throughout the families. The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident.

Raj Samani, EMEA CTO at McAfee, told El Reg that behind “noisy” DDoS attacks against South Korean targets, a far more insidious espionage campaign is taking place. “The attacks involve destruction, disruption and espionage,” said Samani, adding that the espionage campaign had featured military-themed keywords such as brigade. ®

Cloud storage: Lower cost and increase uptime

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/11/mcafee_dark_seoul_analysis/

BlackBerry gives Indian spooks BBM and BIS access

Agentless Backup is Not a Myth

BlackBerry has finally given in to demands from the Indian government to access its consumer messaging services, although enterprise communications will remain safe from prying eyes.

An internal Department of Telecommunications document seen by Economic Times apparently declared that the “lawful interception system for BlackBerry services” is now ready.


The report seems accurate, as BlackBerry has issued statement with the following soothing words:

The lawful access capability now available to BlackBerry’s carrier partners meets the standard required by the Government of India for all consumer messaging services offered in the Indian marketplace. We also wish to underscore, once again, that this enablement of lawful access does not extend to BlackBerry Enterprise Server.

Enterprise customers will remain safe from India’s spooks after BlackBerry presumably persuaded the authorities that it doesn’t have – and indeed never did have – the BES encryption keys for individual corporates to hand over.

But the report suggests India’s mobile operators will henceforth be able to let local authorities intercept in emails, email attachments and web traffic on devices using the BlackBerry Internet Service (BIS) and check whether BlackBerry Messenger (BBM) chats have been “delivered” or “read”. Such interception will be possible in real time

BlackBerry BIS and BBM communications will now presumably be made available through Indian’s controversial Central Monitoring System (CMS), when it finally comes online.

BlackBerry will be hoping it can now put the long-running dispute with the Indian government behind it and concentrate on turning the company around.

Its devices remain popular in the sub-continent, which given the explosive growth in smartphones there is surely important. Sadly, as elsewhere around the world, its new Z10 and Q10 handsets have been met with cautious reviews. ®

Cloud based data management

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/11/blackberry_gives_indian_spooks_access/

BlackBerry gives Indian spooks BBM and BIS access

Agentless Backup is Not a Myth

BlackBerry has finally given in to demands from the Indian government to access its consumer messaging services, although enterprise communications will remain safe from prying eyes.

An internal Department of Telecommunications document seen by Economic Times apparently declared that the “lawful interception system for BlackBerry services” is now ready.


The report seems accurate, as BlackBerry has issued statement with the following soothing words:

The lawful access capability now available to BlackBerry’s carrier partners meets the standard required by the Government of India for all consumer messaging services offered in the Indian marketplace. We also wish to underscore, once again, that this enablement of lawful access does not extend to BlackBerry Enterprise Server.

Enterprise customers will remain safe from India’s spooks after BlackBerry presumably persuaded the authorities that it doesn’t have – and indeed never did have – the BES encryption keys for individual corporates to hand over.

But the report suggests India’s mobile operators will henceforth be able to let local authorities intercept in emails, email attachments and web traffic on devices using the BlackBerry Internet Service (BIS) and check whether BlackBerry Messenger (BBM) chats have been “delivered” or “read”. Such interception will be possible in real time

BlackBerry BIS and BBM communications will now presumably be made available through Indian’s controversial Central Monitoring System (CMS), when it finally comes online.

BlackBerry will be hoping it can now put the long-running dispute with the Indian government behind it and concentrate on turning the company around.

Its devices remain popular in the sub-continent, which given the explosive growth in smartphones there is surely important. Sadly, as elsewhere around the world, its new Z10 and Q10 handsets have been met with cautious reviews. ®

Cloud based data management

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/11/blackberry_gives_indian_spooks_access/

Crowdsourced flaw-finding cheaper than in-house bug hunters

Agentless Backup is Not a Myth

A study into the once-controversial practice of vulnerability rewards programs (VPRs) – paying researchers bug bounties for reporting security flaws – has found that for browser builders, the practice is not only more effective at spotting problems that hiring code-checkers, it’s also much better value for the money.

“We find that VRPs appear to provide an economically efficient mechanism for finding vulnerabilities, with a reasonable cost/benefit trade-off, “the paper from the University of California, Berkeley computer science department states. “In particular, they appear to be 2-100 times more cost effective than hiring expert security researchers to find vulnerabilities.”


The paper, “An Empirical Study of Vulnerability Rewards Programs” by Matthew Finifter, Devdatta Akhawe, and David Wagner, uses three years of data from two vulnerability reward programs run by Google’s Chrome and Mozilla’s Firefox. Google paid out $579,605 in bounties during that period; Mozilla shelled out $570,000.

This translates to between $485 and $658 a day for the two companies, while “an average North American developer” costs around $500 per day, assuming a $100,000 salary with a 50 per cent overhead for costs such as healthcare and office space.

Over the three-year period, Google paid bounties for outsiders who spotted 371 Chrome flaws, well outperforming its best internal security researcher who got 263. With Firefox, the crowd found 148 flaws, compared to just 48 for the best internal team member, although Mozilla doesn’t have anything like the hiring budget of the Chocolate Factory.

In addition, the range of flaws the bounty programs produced is much more broad because of the range of people trying different techniques to find them. While this study concentrates on browsers, the researchers suggest the model works for the rest of the software industry.

“The cost/benefit trade-off may vary for other types of (i.e., non-browser) software vendors; in particular, the less costly a security incident is for a vendor, the less useful we can expect a VRP to be,” the study states. “Additionally, we expect that the higher-profile the software project is (among developers and security researchers), the more effective a VRP will be.”

The Lottery Effect

Google decided to start a VRP program in January 2010, paying a fee of $500 for serious security holes and a special bonus $1337 reward for critical or clever flaw discoveries. But Google also offers big bucks at its Pwnium hacking contests, with $3.14159m up for grabs at the most recent hackathon.

Firefox takes a very different approach. It was one of the first to adopt a formal VRP program in 2004, copying Netscape’s example in 1995, and initially paid $500 per serious flaw before increasing the fee to $3,000 in 2010 after Google came on the scene. It’s a set fee for serious flaws.

Of the two systems, the researchers found Google’s approach works best, thanks in part to the Lottery Effect. Just over 84 per cent of Google’s bounty payments are $1,000 or less, but the big money events lure researchers into the field with a few very big cash prizes, and so the Chocolate Factory gets a lot more flaws reported than Firefox.

But Google gets good value for its big prizes as well, the study found. One Pwnium contest winner uncovered a flaw so serious that Google conducted a full review of the Chrome kernel file API and found a rat’s nest of other vulnerabilities stemming from the same issue.

Based on the study data, being an independent bug-rustler isn’t a career that’s going to pay the rent on its own. One Firefox researcher earned $141,000 over the three-year period and three Chrome flaw-finders made $80,000 apiece, but only six and five people respectively made $20,000 or more.

“Contributing to a single VRP is, in general, not a viable full-time job, though contributing to multiple VRPs may be, especially for unusually successful vulnerability researchers,” the team hypothesizes.

However, it may be a route to full-time employment for those looking to get into the field. Successful flaw finders get noticed and hired by firms that specialize in the field, or by the browser manufacturers themselves, the team suggests.

Meanwhile El Reg suggests that Apple and Microsoft take a good long look at the study. Microsoft has recently broken its bug-bounty virginity with a $150,000 hacking contest at this year’s Black Hat security conference, but there’s no sign that Apple’s likely to budge on its longstanding policy of not paying for bugs. ®

Cloud based data management

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/study_finds_crowdsourcing_flawfinding_is_better_economics_than_hiring/

HP admits to backdoors in storage products

Agentless Backup is Not a Myth

Hewlett-Packard has agreed that there is an undocumented administrative account in its StoreVirtual products, and is promising a patch by 17 July.

The issue, which seems to have existed since 2009, was brought to the attention of The Register by Technion, the blogger who earlier published an undocumented backdoor in the company’s StoreOnce products.


Since then, some HP users have confirmed the backdoors in e-mail to The Register, providing evidence of the account names and passwords that allow access to the devices. The Reg can report those credentials would not pass complexity tests required by many websites as they use no numerals, symbols or capital letters.

HP has now issued this security advisory, stating:

“This vulnerability could be remotely exploited to gain unauthorized access to the device.

“All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.

“HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013.”

The company states that “Root access to the LeftHand OS does not provide access to the user data being stored on the system”.

Although data isn’t accessible via the backdoor, one user with around 50 TB of StoreVirtual capacity said the account gave sufficient access to reboot nodes in a cluster, “and so cripple the cluster”.

“It lets you browse to “SMH » Security » Trusted Management Servers” though, (“Certificates are used to establish the trust relationship between Systems Insight Manager or Insight Manager 7 and the System Management Homepage.”) You can use that to import a certificate to trust another Systems Insight Manager box,” said that user, who asked not to be identified.

And, of course, there’s the “reset factory defaults” option, which would nuke all a user’s data. ®

Cloud based data management

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/11/hp_prepping_fix_for_latest_storage_vuln/

Windows kernel bug-squish, IE update star in July Patch Tuesday

Steps to Take Before Choosing a Business Continuity Partner

Microsoft’s Patch Tuesday for July landed overnight with a bumper crop of seven bulletins, six of which cover critical flaws that carry remote code execution risks.

And the Windows 8 giant today revealed that one of these, CVE-2013-3163, is currently under active attack online.


Every supported operating system, every version of MS Office, Lync, Silverlight, Visual Studio and .NET will need patching – creating plenty of work for sysadmins worldwide.

The patch batch grapples with a total of 34 vulnerabilities, with the emphasis very firmly on workstation (PC) rather than server software.

Altogether three of the bulletins patched flaws roughly matching the profile of the Windows kernel security issue that Google’s Tavis Ormandy disclosed back in May (CVE-2013-3660).

The top two patching priorities are a Windows kernel issue (MS13-053) and the Internet Explorer patch bundle (MS13-055), which addresses 17 vulnerabilities in Microsoft’s browser software.

Microsoft revised the latter, bulletin 55, just after publication to announce that it is “aware of targeted attacks attempting to exploit the vulnerability described in CVE-2013-3163 through Internet Explorer 8”. Redmond said that the application of the update would protect customers from any exploits of the vuln.

Also, for the first time ever, Microsoft is addressing a single vulnerability (CVE-2013-3129) in three different advisories (MS13-052, MS13-053, and MS13-054).

“This issue relates to TrueType Font processing and legitimately affects different components,” explained Ross Barrett, senior manager of security engineering at Rapid7.

“By splitting this out, Microsoft is directly addressing a complaint about previous ‘rolled up’ advisories where it was difficult to properly prioritise the multiple patches required to remediate the problem, and component patches were frequently missed.”

A visual overview of the patching menu for July can be found in a blog post by the SANS Institute’s Internet Storm Centre here.

Crap apps and Flash patch dash

Microsoft also announced a policy change related to the Windows marketplace. In future, any “app” that is affected by a security issue will be removed from the store if it is not patched within 180 days of confirmation of a potential problem. Security watchers will be interested to see in Google or Apple adopt a similar policy.

In other patching news, Adobe released security updates for Adobe Shockwave (APSB13-18), Coldfusion (APSB13-19) and Adobe Flash player (APSB13-17).

“Users of Internet Explorer 10 and Google Chrome already have [Flash] updates integrated and do not need to worry about installing the new version themselves,” notes Wolfgang Kandek, CTO of cloud security firm Qualys.

“Everybody else, including Mac OS X users, should apply this critical update as quickly as possible.”

Those at the security coalface will have little time to kick back after installing these updates. Oracle will be releasing their quarterly update for all of their software (except Java) next week on Tuesday, 19 July. ®

Cloud based data management

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/fix_everything_patch_tuesday/

US gov SMASHES UP TVs and MICE to nuke tiny malware outbreak

SaaS data loss: The problem you didn’t know you had

A US Department of Commerce agency has been chastised for spunking $2.7m chasing down a supposed major malware infection that was actually limited to a handful of PCs.

The Economic Development Administration adopted a scorched earth policy – isolating itself from the internet before destroying more than $170,000 worth of equipment including printers, TVs, and even computer mice – in a comically inept attempt to resolve the phantom outbreak.


The physical destruction of equipment only ceased after the department’s disposal budget was exhausted. “The destruction of IT components was clearly unnecessary,” the Office of the Inspector General’s (OIG) auditor said in an official report released last month.

EDA’s CIO concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA’s IT components.

EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards. By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $3 million.

EDA intended to resume this activity once funds were available. However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems.

The EDA, which promotes economic development in underperforming US regions, went into panic mode after receiving notification of a malware outbreak from the US Department of Homeland Security’s CERT (Computer Emergency Response Team) in December 2011.

The agency hired an outside security contractor, at an eventual cost of $823,000, in late January 2012. After some initial false positives, the contractor decided EDA’s systems were mostly clean. Common-or-garden malware was found on six systems, a problem that could have been repaired by reimaging the affected machines. The unnamed “common malware [was] contained in archived e-mail attachments and temporary Internet browser files”, according to OIG’s report.

Confusion and miscommunication meant that an outbreak reckoned by the Department of Commerce’s computer security response team to be limited to two components was treated as something that had spread to more than half of the EDA’s 250 computers. It was treated as an advanced persistent attack internally by the EDA, despite little evidence to substantiate this belief.

EDA’s CIO, fearing that the agency was under attack from foreign cyber-intelligence, isolated its systems from the net and initiated the policy of physical destruction. Unnecessary destruction of IT equipment alone cost $175,000.

Staff were given temporary laptops requisitioned from the Census Bureau, along with internet access and interim e-mail capability in a programme that eventually cost $1.06 million. Entire mail servers were shut down, quite unnecessarily, because of some relatively innocuous malware on a small number of client PCs.

The EDA also spent $688,000 on contractors to come up with a long-term response to the incident. The whole mess was eventually sorted out within five weeks, but even this process didn’t begin until February 2013 – over a year after the initial incident. In total the agency spunked $2.7 million – more than half its 2012 annual IT budget – in grappling with the problem.

The National Oceanic and Atmospheric Administration received the same notice from the CERT but came up with a far more measured response, isolating and cleaning up the problem by January 2012. In contrast, the EDA was still ineptly grappling with the problem until outside agencies stepped in during February the following year.

Despite the wholesale trashing of perfectly good gear, the EDA is not wholly to blame for the mess. An inexperienced staffer in the CERT initially told the EDA that it was dealing with 146 infected components. This assessment was quickly revised downwards to just two infected items in a follow-up notice issued a day later, but, crucially, the EDA were not told that the initial notice was inaccurate and misleading.

“EDA thought there were 146 infected components [which] influenced everyone’s perception of the incident and contributed to EDA’s unnecessary recovery and remediation activities,” OIG explains. EDA took drastic actions through misplaced fears that the malware infection would spread to other government bureaux.

“Deficiencies in the Department [of Commerce]’s Incident Response Program… significantly contributed to EDA’s inaccurate belief that it experienced a widespread malware infection,” OIG explains. “Consequently, the Department of Commerce Computer Incident Response Team (DOC CIRT) and EDA propagated inaccurate information that went unidentified for months after EDA’s incident.”

The OIG added:

We found that DOC CIRT’s incident handlers did not follow the Department’s incident response procedures, that its handler for EDA’s incident did not have the requisite experience or qualifications, and that DOC CIRT did not adequately coordinate incident response activities.

OIG is clear, however, that the main blame for the whole sorry episode rests with EDA, whose recovery efforts were misdirected and inept. “EDA focused its recovery efforts on replacing its IT infrastructure and redesigning its business applications. EDA should have concentrated its resources on quickly and fully recovering its IT systems (e.g. critical business applications) to ensure its operational capabilities.”

The auditor’s report, Malware Infections on EDA’s Systems Were Overstated and the Disruption of IT Operations Was Unwarranted, can be found here (PDF, 33 pages, fairly large). The report notes that the EDA’s IT infrastructure has been systematically mismanaged and insecure for years, with poor handling of patch management and other routine tasks. Many of these problems date back as far as early 2006. ®

What you need to know about cloud backup

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/us_gov_agency_smashed_mice_tvs_malware_oig_eda/