http://www.theinquirer.net/?article=25509
By Charlie Demerjian
18 August 2005

I SPENT MOST OF Tuesday morning at a financial services provider, and the talk of the morning was all about a large financial services giant and the Zotob worm. Any guesses why? It was claimed that said large financial giant was another notch in the Zotob author's belt, and while they were not down per se, it caused problems, slow networks, and downed services.

Another day, another massive bot infection. When will these people learn that trusted computing and Microsoft promissory press releases are not worth the paper they are printed on? And yes, I know they are not on paper anymore.

Here is when they'll learn: when someone notices that getting infected violates a whole bunch of laws, and that brings down the legal hammers on them. What do I mean? Well, for this said large financial organisation, there are several new regulations that are now in force, but the one that I am specifically thinking of is SarbOx. If they were an HMO or hospital, they would have HIPAA to contend with too. These laws have some pretty onerous data access and authenticity requirements backed up by civil and criminal penalties. Several states like California also have laws on notification and reporting on top of these.

So, what's the problem? The large financial organisation just got potentially owned bad; it was infected by a bot-carrying worm that allows outside access to the computers, the data carried within, and potentially the servers. Keyloggers? Maybe. Things riding on the back of Zotob? Maybe. I don't know, do you? Do you think the large financial organisation does either?

So, on one side you have a company that got screwed through sloppy patch practices and an impossible task of keeping a Microsoft network patched. I do say impossible on purpose; I mean it in the literal sense, not the conversational one. On the other side, you have organisations like the SEC looking for heads to nail to the wall.
They don't take excuses like 'we didn't know' or 'we didn't foresee that one' with a smile and a laugh; this is 'buy your way out with political contributions' territory.

So, a large financial org got hit, and hundreds of computers were compromised. Did any of them have sensitive and/or customer data on them? Are you sure? Can you prove that? Has any of the data been tampered with? The answers most likely are a yes privately, no publicly, no, no and no clue respectively. To be honest, this is not just a big financial organisation's problem either; there are probably a bunch of others in the same boat. I just happened to overhear a phone call between someone and this said corporation.

What will happen? Nothing this time. I am sure the SEC is way too busy picking up real bad guys to enforce the letter and intent of the law, but that will change as soon as something really bad happens on a future bot attack. That kind of thing can rewrite enforcement priorities in a stunningly short amount of time.

So, what then? Then they go back and give everyone they can think of the auditing equivalent of a body cavity search, and questions like the ones I am posing get asked. This is a legal time bomb, people, and even the latest and greatest MS solutions put into place are rather impotent. This one only affected Win2K, but that is more a fluke than anything else; there have been several that ran rampant over the 'invulnerable' XP SP2 already, and it is a matter of time before the next one hits.

Maybe this one will be enough to make companies and Microsoft take security seriously. If not, anyone have the phone number for the SEC? µ
This archive was generated by hypermail 2.1.3 : Fri Aug 19 2005 - 01:10:37 PDT