
Posts from June 2007

June 13, 2007

1 Million Computers Affected by Botnet; FBI Announces

The U.S. Federal Bureau of Investigation (FBI) has announced via a press release (http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm) that 1 million IP addresses (computers/systems) have been identified as compromised by botnet software.

The FBI news release states:

"A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy."

The FBI is providing information (http://www.fbi.gov/page2/june07/botnet061307.htm) for anyone who suspects their system is affected. The U.S. Federal Trade Commission (FTC) is also providing consumer information (http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt132.shtm) on the dangers and impact of botnets, along with suggestions on what consumers can do about them.

This news story is one more example that information security is everyone's responsibility. 

Take these basic steps to secure your home computer today:

  1. Scan your computer with updated anti-virus/anti-spyware software.
  2. Install software vendor patches such as Windows Update.
  3. Ensure your computer has a software or hardware firewall protecting it.

In protecting your home computer you will also be reducing the possibility that hackers will steal your identity and personal information from files stored on it. These three basic steps won't guarantee 100% protection, but they will significantly reduce the possibility that your home computer will be compromised by botnets and other malicious attacks.

ABC News - FBI Takes Down Cyber Hijackers
http://abcnews.go.com/TheLaw/story?id=3274261&page=1

Wikipedia - Botnet
http://en.wikipedia.org/wiki/Botnet

June 12, 2007

Connecticut AG Investigating Pfizer (NYSE: PFE) Data Security Breach Affecting 17,000 Employees

The Connecticut Attorney General's (AG) Office is investigating a data security breach at Pfizer Inc. (Press Release: http://www.ct.gov/ag/cwp/view.asp?Q=383962&A=2788). The compromised information covers 17,000 current and former employees and includes names, social security numbers, and some payroll information, including bonuses. The information was exposed to third parties from a laptop that had peer-to-peer file sharing software installed. In a letter (http://www.ct.gov/ag/lib/ag/consumers/pfizerdatabreachletter.pdf) dated June 6, 2007, Connecticut AG Richard Blumenthal asked Pfizer to explain in detail the policies and actions Pfizer takes to protect sensitive information.

As a security professional, I applaud AG Blumenthal's quick action to open an investigation into any incident that demonstrates irresponsible behavior towards the protection of personal information by any organization.

In today's era of security breaches, organizations must be more careful about storing sensitive personal information on laptops and must make sure that their employees understand their responsibility for protecting that information. We have the technology today, and the lessons of the past, to effectively protect sensitive information. It is time to end the excuses and get serious about the protection of personal information.

June 08, 2007

Data Security Breach at University of Virginia, Hackers Access Social Security Numbers of 5,735 Faculty Members

The University of Virginia has issued a press release (http://www.virginia.edu/uvatoday/newsRelease.php?id=2217) confirming a data security breach that occurred between May 20, 2005 and April 19, 2007. The University's ongoing investigation has uncovered that, during this period, hackers were able to access the names, social security numbers, and dates of birth of 5,735 faculty members.

The University of Virginia Police are currently coordinating with the U.S. Federal Bureau of Investigation (FBI) on the ongoing criminal investigation. Initial findings suggest that the hackers were able to retrieve the information from a database through sophisticated web application attacks. In simple terms, the hackers manipulated an Internet-facing web application into retrieving the personal information from an internal database server.

This is not surprising considering the rise in application layer attacks in recent years. Most organizations fail to adequately secure web applications or test them for exploitable vulnerabilities. Organizations, including universities, should do more to test web applications for vulnerabilities that could allow attackers to escalate their privileges and gain unauthorized access to sensitive databases. Application security testing is not the final answer in the "arms race" between security professionals and attackers, but it is a step in the right direction.
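The press release does not say which class of web application flaw was used. As an added illustration (not code from the University or the original post), the example below assumes the most common way an Internet-facing lookup page is "manipulated" into returning database rows: user input concatenated into a SQL statement. It shows that handler beside its parameterized form and a small application security test of the kind recommended above, run against a constructed in-memory faculty table.

```python
import sqlite3

# Constructed sample data, modelled on the record types named in the release.
FACULTY = [
    ("jsmith", "Jane Smith", "000-00-0001", "1970-01-02"),
    ("rjones", "Rob Jones", "000-00-0002", "1965-03-04"),
    ("alee", "Ann Lee", "000-00-0003", "1980-05-06"),
]


def build_db():
    """Create an in-memory database holding the constructed faculty records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faculty (userid TEXT, name TEXT, ssn TEXT, dob TEXT)")
    conn.executemany("INSERT INTO faculty VALUES (?, ?, ?, ?)", FACULTY)
    conn.commit()
    return conn


def lookup_vulnerable(conn, userid):
    """Hypothetical directory lookup that splices the request parameter into SQL.

    Whatever the web client sends becomes part of the statement, so crafted
    input can widen the WHERE clause and return every row in the table.
    """
    sql = "SELECT name, ssn, dob FROM faculty WHERE userid = '" + userid + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, userid):
    """Same lookup using a parameterized query.

    The driver passes userid to the database as a value, never as SQL text,
    so the input can only ever match a literal userid.
    """
    sql = "SELECT name, ssn, dob FROM faculty WHERE userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


def over_retrieval_check(lookup, conn):
    """Minimal application security test for a single-record lookup.

    A request for one user id must never return more rows than the plain
    request does; a tautology probe is the classic way to detect otherwise.
    Returns True when the handler passes, False when it leaks extra rows.
    """
    baseline = len(lookup(conn, "jsmith"))
    probed = len(lookup(conn, "jsmith' OR '1'='1"))
    return probed <= baseline
```

Running the check against both handlers shows the vulnerable one failing (it returns the whole table) and the parameterized one passing (the probe matches nothing).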

June 06, 2007

U.S. Secret Service Informant Also Identity Thief Who Stole $2 Million

It sounds like an action movie plot, but the real-life story of Brett Shannon Johnson, as reported by Wired.com (http://www.wired.com/politics/law/news/2007/06/secret_service), is unbelievable.

For 10 months, Johnson was working undercover with the U.S. Secret Service (USSS) office in Columbia, South Carolina to help the Secret Service catch identity thieves. While working with the Secret Service, Johnson let his greed get in the way and continued his illegal identity theft activities. During this time Johnson committed identity theft fraud totaling around $2 million, most of it under the radar of the Secret Service, which was using him as a paid informant! Once the Secret Service became aware of his crimes, Johnson decided to run away and disappear. Not the smartest move he could make.

Last week a federal judge fined Johnson $300,000 and sentenced him to six (6) years in jail for his crimes.

Go ahead and read the story on Wired.com (http://www.wired.com/politics/law/news/2007/06/secret_service) for more twists!

Easy Email Encryption Security for Gmail Web Mail & Firefox Web Browser Users

Today I read about an interesting freeware software plug-in for email security. FireGPG (http://firegpg.tuxfamily.org/) is a Firefox web browser extension that has been created under the GPL (General Public License) and is available as free software. FireGPG allows users of the Firefox web browser to use GnuPG to encrypt, decrypt, and sign email messages using a Gmail web mail account.

Although most consumers can buy commercial email encryption products such as commercial PGP, this free plugin provides an easy way for anyone using Gmail web mail to send and receive secure email communications. Perhaps email software vendors will take note of the fact that many consumers use free web mail services such as Yahoo Mail, Hotmail, Gmail, etc. and provide integration with their email encryption products.

In the end, all web mail users will benefit from the integration of email encryption and messaging solutions. Remember, email is an insecure medium for transmitting sensitive information. Encryption software can help protect your sensitive information, including while it is in transit via email.

Kudos to the developers who began the idea of FireGPG.