Author: Dave Lewis
August 22, 2008 at 10:37 am · Filed under Incident Response, Linux
It turns out that last week Fedora servers, including one that is used to sign packages, were compromised. Red Hat claims that the servers were taken offline as soon as the breach was “quickly” discovered.
The question lingers. When were they breached?
From Redhat.com:
One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys.
Running Fedora? You might want to check your systems just to be safe. Also, the folks at Red Hat are asking for anyone that has information on this breach to contact their legal folks via “fedora-legal SHIFT2 redhat com”. They make a point of noting that the Fedora and Redhat servers are separate. The Red Hat servers also use a different key that was not accessed.
Article Link
Author: Dave Lewis
May 16, 2008 at 5:27 pm · Filed under Incident Response, Legal Aspects
It seems that more and more stories about fake Cisco gear are popping up. And, shocker, most of the gear originated in China. This has led to the inevitable thrust and parry of the media’s lust for anything scandalous. “If it bleeds it leads” my old editor used to tell me. Which is funny when you consider I was on the entertainment desk back then.
But, is there something to this? Or are folks hunting rabbits out of season? Or is this just a story of contractor greed that has spiraled out of control? Robert O’Harrow Jr. has a nice summary piece that wraps up some of the angles in this story.
From the Washington Post:
After federal agents discovered and seized faux Cisco gear in Defense Department computers — apparently produced in China — there was some speculation that spies had tried to build in backdoor paths to sensitive or classified information.
The New Yorks Times’ John Markoff had a typically facinating piece about the investigation.
“The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million, the F.B.I. said in a statement.”
In one part of the piece O’Harrow points to an article written by Joab Jackson at GCN. He touches on the aspect that it could be the GSA (General Services Administration) that is responsible for this mess. The GSA is a little vague with respects to policies and practices. Just look at per diems for gov employees and contractors. They hand you a chunk of money for the day for food and such. But, you don’t have to show any receipts (at least that was the case several years ago). Not a bad deal for the employee. There is apparently even more ambiguous language concerning sub-contracting.
The back door may have been left open. But, rather than the spectre of Chinese hackers planting backdoors in faux equipment (albeit possible), it seems that there may be bigger threat is in the room.
Plain old greed.
Article Link
Author: Dave Lewis
May 15, 2008 at 8:44 am · Filed under Data Security, Incident Response
There has been a large number of data security breaches recently involving financial institutions. Here is a write up by Inno Eroraha on the response to a breach.
From SC Magazine:
Financial institutions are heavily regulated. They are required to implement security programs following regulations such as SOX, GLBA, SEC, NASD, etc. In fact, most of these organizations are required to execute an annual security assessment as a key compliance measure. Because an annual assessment may not discover all vulnerabilities, these organizations should be prepared to deal with security incidents involving physical facilities, network infrastructures, systems, applications, and most importantly, data.
Obviously, an entity that has no proactive mechanism to detect data, information, or system compromise wastes enormous amounts of time and money addressing an actual compromise without a response plan. To be able to deal with computer or IT related compromises, certain measures should be implemented by the institution. The following outlines example precautionary steps recommended for a bank, but some of the measures are valid for any institution.
Preparing for the inevitable
A banking institution must involve all of its resources in its security operation, including people, process and technology. Consider the following:
For the full piece read on.
Article Link
