The WV State Bar reported yesterday that the Bar's website and servers on its internal network have been compromised. The compromised data might include members' names, mail and email addresses, lawyer identification numbers, and the Social Security numbers of some members and former members.
The Bar says there is no evidence that the information listed above has been used for identity theft or fraud, but that members who have concerns should check their credit reports.
The WV State Bar site remains offline this morning. The Bar has called in data forensics experts to try to determine the extent of the breach. They are in the process of rebuilding the site from scratch.
Just saw a thread on the FWMI ProLaw Yahoo Group about the Elite User Conference 2009 coming up Jun 9-11 at the Hilton San Diego Bayfront in San Diego, CA. As in past years, Thomson is rolling Prolaw into the Elite Conference.
Thomson is offering Individual and Multiple Registration discounts:
Receive a $100 discount off the $1,495 Standard Registration Fee when you register before May 8th. That means you attend for just $1,395.
Multiple Registrations: Register multiple employees before May 8th and receive even more discounts. The second person you register pays only $1,095 and the third person pays just $795!
It would be nice to see Prolaw have its own user conference again. I'm not sure how useful the Elite Conference is to Prolaw users.
WV State Bar Site Remains Offline After Last Malware Infection
The WV State Bar site remains offline today. The site was taken offline last Friday, four days after it was discovered the site was hosting malware yet again.
In an email, the Bar announced that the site would be offline for maintenance:
“SPECIAL EDITION BAR BLAST”
* wvbar.org is currently offline for maintenance
* For Casemaker access, click here - https://demo.lawriter.net - login and password are westva (lowercase)
* For registration & other inquiries regarding the 2009 Annual Meeting, please contact Cheryl L. Wright at cheryl@wvbar.org or 304.558.0828
* For Information regarding pro hac vice admissions, please contact Cheryl L. Wright at cheryl@wvbar.org or 304.558.0828
This is the same information currently on the website at http://www.wvbar.org/. It appears the site has been taken down to fix whatever problem was causing the site to be compromised on an almost monthly basis.
While my firm has not reported any infections that can be traced to the Bar's website, it remains to be seen if other firms have been so lucky.
A member of my team forwarded this video to me last week. (I'm sorry I can't embed the video; embedding is disabled by request.) The video shows the Russian Business Network (RBN) partners HangUP Team and 76service's subscription-based data mining service for stolen data gathered by the Gozi trojan.
It's another fascinating look at a tool built for hackers by hackers for profit rather than fun. For another fascinating look at a current hacking tool, take a look at the GhostNet video I previously posted.
There are eight patches on tap for tonight. Five are listed as Critical. Two are listed as Important. One is listed as Moderate. They all may require restarts.
Twitter is buzzing tonight with news of a fast-spreading worm. Here is a postmortem of what's being called the “StalkDaily Worm” by Damon Cortesi: "What’s happening here is that it looks like somebody realized they could save url encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the misleading link, and update your profile with the same malicious JavaScript thereby infecting anybody that then visits your profile on twitter.com."
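The failure Cortesi describes, a stored profile URL re-displayed without escaping, is shown here beside a hardened renderer. This is an added example, not Twitter's code and not part of the original post; the function names and the sample value are constructed for illustration.

```javascript
// Added example: rendering a user-supplied profile URL into an HTML attribute.
// All names and sample values are constructed for illustration.

// Escape the characters that can end an attribute value or start markup.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "`": "&#96;",
  }[c]));
}

// Accept only absolute http(s) URLs; return the normalized form or null.
function normalizeProfileUrl(input) {
  let u;
  try {
    u = new URL(String(input).trim());
  } catch (e) {
    return null; // not parseable as an absolute URL
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.href; // the parser percent-encodes quotes and angle brackets in the path
}

// "Before": the stored value is dropped into the page as-is.
function renderProfileLinkUnsafe(storedUrl) {
  return '<a href="' + storedUrl + '">' + storedUrl + "</a>";
}

// "After": validate the scheme, then escape for the output context anyway,
// so the renderer does not depend on how the value was stored.
function renderProfileLinkSafe(storedUrl) {
  const url = normalizeProfileUrl(storedUrl);
  if (url === null) return "<span>(no website)</span>";
  const safe = escapeHtmlAttr(url);
  return '<a href="' + safe + '" rel="nofollow noopener">' + safe + "</a>";
}

// Constructed sample: a quote closes href and a harmless marker tag follows.
const SAMPLE = 'http://example.com/"><i id="injected">';
```

Escaping at output time is what stops the self-propagating behaviour: every viewer of the profile receives the stored value as inert text, whatever was saved.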
If this video is what it claims to be, it is truly a piece of history. The poster of the video writes: "Steals a copy of SATAN, Dan's remote network security probing tool.
In the course of tracking the attacker(kevin), a great deal of network traffic was captured by a specially modified version of tcpdump (here's information on the legality of the acquisition of this evidence), and then a program written by Tsutomu was used to produce playable logs."
Kevin is Kevin Mitnick, the famous hacker. Dan is Dan Farmer, one of the developers of SATAN (Security Administrator Tool for Analyzing Networks), and Tsutomu is Tsutomu Shimomura, the security researcher credited with tracking down Kevin Mitnick in 1995. Shimomura and New York Times reporter John Markoff wrote a book about Shimomura's pursuit and assistance in the arrest of Mitnick. The book is called Takedown and is a pretty good read, although most Mitnick supporters say the book is mostly a work of fiction and that Shimomura broke into his own computer in order to have an excuse to go after Mitnick.
This footage appears to be from Feb. 1995 while Tsutomu Shimomura was monitoring Mitnick and shows Mitnick actually breaking into Farmer's computer to steal a copy of SATAN.
It should be noted that Kevin says he simply copied software and that he never used any software he copied for any financial gain.
Symantec Video: Using Backdoor.Ghostnet Toolkit for Attacks
Once the exe is built using Backdoor.Ghostnet and installed on the victim computer, it can be controlled using the toolkit built into Backdoor.Ghostnet. One of the tricks being used by attackers is to view the webcams of the victim computers and view the users actually sitting in front of their keyboards. Rather creepy. It doesn't appear there is anything keeping the attacker from turning on the victim computers' built-in microphones as well.