funsec mailing list archives

Hacking Congressional media


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Sun, 21 Dec 2008 11:55:55 -0800

From SANS Newsbytes today

"Hacking the Hill: One of the very best cyber security stories of the
year was published this morning in the National Journal with details
about the hacking of Congress."

http://www.nationaljournal.com/njmagazine/cs_20081220_6787.php

[Sometimes-I-wonder-why-I-bother department ...]

Yeah, I saw that in three separate mailings, on three separate lists.  I'm really 
surprised that SANS made such a big deal of it, especially with that "very best 
cyber security stories of the year" line.  This is not a very good story.  It points 
out that some very basic precautions are not being taken in the highest levels of 
the United States government, it doesn't tell us very much about information 
security and protection, and it makes some really fantastic leaps of "cloud" logic.

Basically, what we have here is a report that someone found a keylogger and RAT 
(remote access trojan) on a machine used by someone important.  (As usual, 
malware terminology is badly misused in the article, and you have to read between 
the lines to figure out what was actually found.)  Well, if you don't take proper 
precautions THIS IS GOING TO HAPPEN TO YOU.  There is nothing strange 
about it.  I'm seeing fewer of these things in the spam I'm getting directly than I 
did a few months ago, but that only means that another model of distribution is 
getting more popular.  (And "less" means I'm down to a few a week rather than 
several per day.  On an unused account which happens to be a convenient spam 
honeypot.)

Very few details are given in the story, but it appears that this malware program 
was found by using some form of signature scanner.  Nothing wrong with signature 
scanners, as such.  However, the implication seems to be that nobody is doing 
defence in depth.  Activity monitoring would probably have caught this beast 
earlier.  Egress scanning (of the type that is a kind of specialized form of activity 
monitoring) could also have detected the transfer of files "out there," and the 
connections to remote machines in order to download additional malware modules.

I'm not really impressed with the "cyber-forensic specialists," at least according to 
the information reported.  You don't need to bag the hard drive to get that kind of 
data: a "goat" machine (or, even better, a virtual one) with the malware installed 
and a network monitor will get you that.  Has anyone done any software forensics 
on this?

No, probably not.  Because the next thing we find is a tremendous leap of faith to 
the supposition that the Chinese are responsible for this.  (Well, I'll allow as how 
that might be possible.  "The Chinese" make up a sizeable proportion of the total 
human population, so if you have to take a random guess at identity that's 
probably the best bet.)  China was suspected in some earlier electronic 
shenanigans, so obviously they are guilty now.  (It couldn't be some twerp in a 
basement in Des Moines.)

Finally, the story talks about security awareness training.  (Actually, even that 
part of the article muddies the water with some inclusions about cyber-terrorism.)  
Yes, I'm all for security awareness training.  Open sessions, closed sessions, "write 
a letter to your Congresscritter and tell them not to do dangerous things with 
Blackberries," any kind of security training.  Let's just do it, OK?

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
A conference is a gathering of important people who singly can do
nothing, but together can decide that nothing can be done.
                                                        - Fred Allen
victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
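The egress monitoring the post above argues for, as an added illustration that is not part of Slade's message or of the National Journal article: a small Python script that reads firewall-style connection logs and flags the two behaviours he says would have been caught earlier, bulk data leaving the network and a host phoning home on a fixed schedule to fetch more modules. The log format, the internal address ranges, the thresholds and the sample lines are all constructed assumptions; nothing here describes what was actually found on the Hill.

```python
"""Toy egress monitor (added example). Parses constructed firewall-style
connection logs and flags (a) bulk outbound transfers to non-internal hosts
and (b) fixed-interval "beaconing" to a remote host, reporting the largest
inbound payload seen on that channel (a possible module download).
Everything below is an assumption for illustration: the log format, the
internal address ranges, the thresholds and the sample lines."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median
import re

# Assumed internal ranges (RFC 1918). Anything outside these counts as egress.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format: <epoch> <src> -> <dst>:<port> out=<bytes sent> in=<bytes received>
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) out=(\d+) in=(\d+)$")

# Constructed sample log, not real traffic. 10.0.5.23 beacons to 203.0.113.9
# every 300 s, pulls a 90 kB payload on the third beat and later pushes 5.4 MB
# out. The 9 MB transfer to 10.0.0.5 is an internal copy and must not alert.
SAMPLE_LOG = """\
1229880000 10.0.5.23 -> 203.0.113.9:443 out=512 in=2048
1229880300 10.0.5.23 -> 203.0.113.9:443 out=480 in=1800
1229880600 10.0.5.23 -> 203.0.113.9:443 out=530 in=90000
1229880900 10.0.5.23 -> 203.0.113.9:443 out=5400000 in=300
1229881200 10.0.5.23 -> 203.0.113.9:443 out=500 in=1900
1229880100 10.0.5.40 -> 198.51.100.7:80 out=700 in=40000
1229881700 10.0.5.40 -> 192.0.2.15:443 out=800 in=60000
1229880050 10.0.5.23 -> 10.0.0.5:445 out=9000000 in=200
"""


def parse_log(text):
    """Turn log text into a list of dicts; lines not in the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, out, inb = m.groups()
        records.append({"ts": int(ts), "src": src, "dst": dst, "port": int(port),
                        "out": int(out), "in": int(inb)})
    return records


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_bulk_egress(records, threshold_bytes=1_000_000):
    """Single connections that push more than threshold_bytes to a non-internal host."""
    return [r for r in records if not is_internal(r["dst"]) and r["out"] >= threshold_bytes]


def find_beacons(records, min_hits=4, jitter_ratio=0.2):
    """(src, dst) pairs contacted at least min_hits times at a near-constant interval.

    The interval test is deliberately loose (median +/- jitter_ratio) because real
    beacons add jitter; tighten or loosen it to taste for your own traffic."""
    by_pair = defaultdict(list)
    for r in records:
        if not is_internal(r["dst"]):
            by_pair[(r["src"], r["dst"])].append(r)
    beacons = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(hits, hits[1:])]
        med = median(gaps)
        if med <= 0 or any(abs(g - med) > jitter_ratio * med for g in gaps):
            continue
        beacons.append({"src": src, "dst": dst, "hits": len(hits), "interval": med,
                        "max_in": max(r["in"] for r in hits)})
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in find_bulk_egress(recs):
        print(f"BULK EGRESS {r['src']} -> {r['dst']} sent {r['out']} bytes at {r['ts']}")
    for b in find_beacons(recs):
        print(f"BEACON {b['src']} -> {b['dst']} every ~{b['interval']:.0f}s, "
              f"{b['hits']} hits, largest download {b['max_in']} bytes")
```

Run against the constructed sample, the script reports one bulk egress (the 5.4 MB push to 203.0.113.9) and one beacon (10.0.5.23 to 203.0.113.9 every 300 seconds, with a 90 kB download on one beat); the internal 9 MB copy to 10.0.0.5 stays quiet. That is the whole point of the post's argument: the signature scanner finds the file, but the network tells you when it started talking and what it pulled down.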