Monday, May 25, 2009

Facebook Spear Phishing, New 419 Scam

I received the following email via Facebook last night; it is a new variation on the old 419 scam:
Wilson sent you a message.

--------------------
Subject: Attn: Bill Gardner

Alexander JLO - Solicitors
11 Lanark Square
Glengall Bridge
London E14 9RE
United Kingdom.
TEL:+44 794 4145 981
Fax:+44 794 4416 262


Good day, Bill,



This is a personal E-mail directed to you and I request that
it be treated as such.

I am Barrister Wilson Baker, a solicitor at law. I am the personal attorney/sole executor to the late Engr Gerald Gardner, hereinafter referred to as 'my client', who worked as an independent oil magnate in my country and who died in a plane crash with his immediate family in December 2003.

Since the death of my client, I have written several letters to the embassy with an intent to locate any of his extended relatives who shall be claimants/beneficiaries of his abandoned personal estate, and all such efforts have been to no avail.

More-so, I have received official letters in the last few weeks suggesting a likely proceeding for confiscation of his abandoned personal assets in line with existing laws by the bank in which my client deposited a notably high amount of money.

On this note I decided to search for a credible person and, finding that you bear a similar last name, I was urged to contact you, that I may with your consent present you to the "trustee" bank as my late client's surviving family member so as to enable you to put up a claim to the bank in that capacity as a next of kin of my client.

I find this possible for the fuller reason that you bear a similar last name with my client, making it a lot easier for you to put up a claim in that capacity.

I propose that 35% of the net sum will accrue to you at the conclusion of this deal in so far as I do not incur further expenses.

Therefore, to facilitate the immediate transfer of these funds, you need first to contact me via my private email (wilsonbaker3@yahoo.co.uk) for better confidentiality, signifying your interest, and as soon as I obtain your confidence I will immediately apprise you of the complete details as well as fax you the documents with which you are to proceed, and I shall direct you on how to put up an application to the bank.

However, you will have to assent to an express agreement which I will forward to you in order to bind us in this transaction.

Upon the receipt of your reply, I will send you by fax or E-mail the next step to take. I will not fail to bring to your notice that this proposal is hitch-free and that you should not entertain any fears, as the required arrangements have been made for the completion of this transfer.

Like I said, I require only a solemn confidentiality on this.

Best regards,
Wilson Baker Esq
--------------------

I have to admit this version of the scam is compelling enough to make me actually read the email. This version lists a street address and telephone numbers, but the tells are still there: the sender is a "Barrister" who is also a "solicitor at law" (in England those are two different professions); the "London" telephone and fax numbers are +44 7 numbers, which are UK mobile numbers rather than 020 London landlines; and a lawyer with a firm letterhead asks you to reply to a Yahoo address "for better confidentiality". The "similar last name" hook needs nothing more than the name on a Facebook profile, which is why it now arrives through Facebook messaging instead of bulk email. This is just another example of how far people will go to attempt to get between you and your money.
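A small scorer that checks a message for the indicators called out above (free webmail reply address from a self-described lawyer, UK mobile numbers presented as office and fax lines, a percentage cut of an unclaimed sum, and the stock phrases). This is an added example, not code from the original post. The sample message is a constructed paraphrase of the one quoted above, and the phrase list and weights are illustrative assumptions rather than any published rule set.

```python
import re

# Indicator weights are illustrative assumptions for this example, not a
# published standard; tune them against your own mail.
PHRASE_WEIGHTS = {
    "next of kin": 2,
    "late client": 2,
    "sole executor": 2,
    "plane crash": 1,
    "confidential": 1,
    "hitch-free": 2,
    "confiscation": 1,
    "similar last name": 3,
    "private email": 2,
}
FREE_MAIL_DOMAINS = {"yahoo.co.uk", "yahoo.com", "gmail.com", "hotmail.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# +44 7... is a UK mobile/personal number range; a London office line is +44 20.
UK_MOBILE_RE = re.compile(r"\+44[\s-]*7(?:[\s-]*\d){9}")
PERCENT_RE = re.compile(
    r"\b(\d{1,2})\s*%\s+of\s+the\s+(?:net|total)\s+(?:sum|amount|funds)", re.I
)
CLAIMS_LAWYER_RE = re.compile(r"\b(?:solicitor|barrister|attorney|esq)\b")
CONTACT_LINE_RE = re.compile(r"\b(?:tel|fax)\b")


def score_message(text):
    """Return (score, findings) for one message body."""
    score, findings = 0, []
    lowered = text.lower()

    for phrase, weight in PHRASE_WEIGHTS.items():
        if phrase in lowered:
            score += weight
            findings.append("phrase: " + phrase)

    # A self-described lawyer asking for replies at a free webmail address.
    claims_lawyer = bool(CLAIMS_LAWYER_RE.search(lowered))
    for domain in sorted({m.group(1).lower() for m in EMAIL_RE.finditer(text)}):
        if domain in FREE_MAIL_DOMAINS:
            score += 3 if claims_lawyer else 1
            findings.append("free webmail reply address: " + domain)

    # "Office" and "fax" numbers that are really UK mobile numbers.
    mobiles = UK_MOBILE_RE.findall(text)
    if mobiles and CONTACT_LINE_RE.search(lowered):
        score += 2
        findings.append("%d UK mobile number(s) presented as tel/fax" % len(mobiles))

    # A percentage cut of an unclaimed "net sum" is the advance-fee hook.
    m = PERCENT_RE.search(text)
    if m:
        score += 3
        findings.append("offers %s%% share of a sum" % m.group(1))

    return score, findings


def is_suspicious(text, threshold=8):
    return score_message(text)[0] >= threshold


# Constructed sample: a paraphrase of the message quoted above, not the original.
SAMPLE = """\
Alexander JLO - Solicitors, London E14 9RE, United Kingdom.
TEL:+44 794 4145 981
Fax:+44 794 4416 262

I am Barrister Wilson Baker, a solicitor at law and sole executor to the
late Engr Gerald Gardner, who died in a plane crash with his family. The
bank now threatens confiscation of my late client's assets. Finding that
you bear a similar last name, I may present you to the bank as next of kin.
I propose that 35% of the net sum will accrue to you. Contact me via my
private email (wilsonbaker3@yahoo.co.uk) for better confidentiality; this
proposal is hitch-free.
"""

# Constructed benign message for comparison.
BENIGN = """\
Hi Bill, the quarterly figures are attached. Please keep them confidential
until the board meeting on Friday. Thanks, Jane
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("benign", BENIGN)):
        score, findings = score_message(text)
        print(label, score, is_suspicious(text), findings)
```

The sample scores 24 and the benign note scores 1 (one hit on "confidential"), so a threshold around 8 separates them comfortably; in practice the phone and reply-address checks are the ones worth keeping, since the phrase list is easy for a scammer to vary.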


Friday, May 15, 2009

Lessons learned from the WV State Bar breach

According to the FAQ released by the WV State Bar yesterday, the data breach reported a couple of weeks ago was the result of an unpatched Linux server being compromised. The Bar further says it had "an unsupported FoxPro database containing member information" somewhere on its network that was also compromised.

It's unclear from the FAQ how the hacker or hackers took control of the Bar's webserver and started serving malware. The Bar does say, "The State Bar will no longer host its own website internally, it will be hosted off-site at a secure location with a company that specializes in website development and internet security. The State Bar website will be completely re-written in a more secure manner."

Netcraft's site report shows the Bar's site running Apache/2.0.54 (Win32) with PHP/5.0.4 on Windows 2000 as of 22-Mar-2006, and Windows 2000 with Microsoft-IIS/5.0 as of Nov-2004. Both observations predate the breach by three years or more, so they say nothing reliable about which server, or which Linux box, the attackers actually came through.

As far as security, they say they had a firewall: "The State Bar's computer system was equipped with a firewall, which previously was believed to be secure. However, the State Bar's forensic computer experts have advised that no firewall would have prevented the sophisticated hack of the website and database. The State Bar is taking extraordinary measures, as set forth in response to question number 1 above, to prevent a security breach from occurring again in the future."

The Bar has pulled the unpatched Linux box off its network, has stopped hosting its website internally, and has removed social security numbers from its databases. It also says its website is being rewritten in a more secure manner.

So what can we learn from the breach? First, don't run unpatched servers on your network, whether Linux, Windows, or any other OS. Patching is not something you fold into a multi-year upgrade project: the FAQ describes an upgrade effort under way since 2007 while the outdated server stayed online and reachable.

Second, attacks on webservers are very much in style with hackers. Since most of us have deployed firewalls, antivirus, patch management, vulnerability scanners, and intrusion detection systems, the webserver is often the weakest link in the network. A firewall that has to let port 80 through cannot stop an attack that arrives as an ordinary web request, which is presumably what the Bar's experts mean when they say no firewall would have prevented it. As a result, web application security has become very important. Secure your web apps and use web application firewalls. Also, don't host public websites in-house on the same network as your production systems: the Bar's notice says the website itself held no personal data but was connected to the internal database server, which is how a webserver compromise became a membership-database compromise.

Third, know what applications, operating systems, and servers are on your network and where they are, and document everything. The Bar says, "Further complicating matters, there existed no documentation regarding the State Bar network layout, hardware, software and/or legacy applications. As such, the upgrade process has been a cycle of discovery and repair which has taken longer than anyone could have expected or foreseen."
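The second and third lessons can be checked mechanically once an inventory exists. The following is an added example, not anything from the Bar or its consultants: a constructed inventory modelled on the layout the FAQ describes (a public web server, an unsupported database, an undocumented outdated server) and two zone-level firewall policies, one flat and one segmented. The audit flags unsupported or undocumented components and then probes whether the web tier can open connections into the internal zone beyond the one database port it needs. Host names, zones, ports and end-of-support dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, FrozenSet


@dataclass
class Host:
    name: str
    zone: str              # "dmz" (public-facing) or "internal"
    software: dict         # component -> end-of-support date (None = still supported)
    documented: bool = True


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: Optional[FrozenSet[int]]   # None = any port
    action: str                       # "allow" or "deny"


# Ports worth probing for lateral movement from a compromised web tier.
PROBE_PORTS = (22, 80, 135, 139, 443, 445, 1433, 3306, 3389)


def evaluate(rules, src_zone, dst_zone, port):
    """First matching rule wins; anything not explicitly allowed is denied."""
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and (rule.ports is None or port in rule.ports)):
            return rule.action
    return "deny"


def audit(hosts, rules, today, dmz_to_internal_ok=frozenset()):
    """Inventory and segmentation findings; an empty list means clean."""
    findings = []
    for host in hosts:
        if not host.documented:
            findings.append(f"{host.name}: not in the network documentation")
        for component, eos in host.software.items():
            if eos is not None and eos <= today:
                findings.append(f"{host.name}: {component} unsupported since {eos:%Y-%m}")
    for port in PROBE_PORTS:
        if port not in dmz_to_internal_ok and evaluate(rules, "dmz", "internal", port) == "allow":
            findings.append(f"dmz -> internal tcp/{port} allowed: a webserver compromise reaches internal hosts")
    if evaluate(rules, "internet", "internal", 80) == "allow":
        findings.append("internet -> internal tcp/80 allowed: internal hosts are directly exposed")
    return findings


# Constructed inventory modelled on the layout the FAQ describes. End-of-support
# dates are placeholders for the example, not vendor dates.
HOSTS = [
    Host("www", "dmz", {"Apache/PHP web stack": None}),
    Host("members-db", "internal", {"FoxPro member database": date(2007, 12, 31)}),
    Host("old-linux", "internal", {"Linux (no patches applied)": date(2006, 6, 30)}, documented=False),
    Host("staff-ws-01", "internal", {"Windows desktop": None}),
]

# Flat layout: the web server sits on the production network and can reach anything.
FLAT = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),
    Rule("dmz", "internal", None, "allow"),
]

# Segmented layout: the web tier may only reach the database port it needs.
SEGMENTED = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),
    Rule("dmz", "internal", frozenset({3306}), "allow"),
    Rule("dmz", "internal", None, "deny"),
    Rule("internal", "dmz", frozenset({22, 443}), "allow"),
]

TODAY = date(2009, 5, 15)

if __name__ == "__main__":
    for label, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"== {label} ==")
        for finding in audit(HOSTS, rules, TODAY, {3306}):
            print(" ", finding)
```

Under the flat policy the audit reports eleven findings (three inventory problems plus eight internal ports reachable from the web tier); under the segmented policy only the three inventory problems remain. Note that segmentation does not make the remaining findings go away: the unsupported database is still reachable on its one allowed port, which is exactly the path the notices describe.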

As far as the breach itself, the Bar says, "The State Bar had social security numbers for approximately 4,000 members. Members whose social security numbers are believed to have been contained on the State Bar's database should have received a second and third email notifying them of that fact. Some members do not have an email address on file with the State Bar. For those members, a separate letter was mailed to them through the United States Postal Service."

The Bar has turned its hard drives over to the FBI and says it will keep its members up to date on the investigation.


Thursday, May 14, 2009

The West Virginia State Bar Has Posted An FAQ on Its Recent Data Breach

The West Virginia State Bar has posted an FAQ on its recent data breach.

COMPUTER SECURITY BREACH FAQ

By now, most members of The West Virginia State Bar have received either one or two emails regarding the security breach at the State Bar website. If you received only one email, as far as the State Bar is aware, your social security number was not in the State Bar's database. Approximately 4,000 of the 7,000 State Bar members received a second email advising that your social security number was in the State Bar's database. As of this date, the State Bar has no knowledge that the hackers have looked at any personal information in the State Bar database and the State Bar has received no reports that any of its members have suffered any identity theft. Nonetheless, and out of an abundance of caution, the State Bar provided an alert to each of its members regarding this security breach. This alert has led to numerous questions which the State Bar has attempted to answer below so that all of its members will continue to be informed about this situation.

1. Does the Bar have any idea of how this could happen?

In late 2006 or early 2007, the State Bar determined that it needed to upgrade its computers, its network, its member database, and its website. All of these were hosted by the State Bar onsite. Since 2007, the State Bar has been working with computer consultants to upgrade the computers, network and security at the State Bar. The upgrade process has been hampered by the existence of an outdated Linux server, and an unsupported FoxPro database containing member information. Further complicating matters, there existed no documentation regarding the State Bar network layout, hardware, software and/or legacy applications. As such, the upgrade process has been a cycle of discovery and repair which has taken longer than anyone could have expected or foreseen.

In working with the computer consultants, it was learned very recently that outside computer hackers were able to enter the State Bar computer system through the Linux server and State Bar website. From there they created access to the remainder of the State Bar network, including the member database. It is not possible for the computer consultants to determine whether the hackers did or did not look at the member database; they can only advise that the hackers had the opportunity to look at any and all computer data on the State Bar's network.

2. What will the State Bar do to make sure this does not happen again?

The State Bar has now shut down its Linux server and its website. The Linux server will be eliminated. All hard drives in the State Bar network and individual work stations were replaced. The hard drives are being turned over to the Federal Bureau of Investigation. The State Bar will no longer host its own website internally, it will be hosted off-site at a secure location with a company that specializes in website development and internet security. The State Bar website will be completely re-written in a more secure manner. These steps combined should prevent similar security breaches in the future.
The State Bar has worked with its computer consultants to delete all social security numbers from the FoxPro database and no records will be kept in the future regarding social security numbers.

3. Why did the State Bar have my social security number and when did it get it?

At various points in time prior to 2007, the State Bar collected social security numbers. Many people provided this information at the time they were admitted to the State Bar. In addition, some social security numbers were collected by the State Bar when the West Virginia Supreme Court of Appeals first considered the possibility of e-filing. More recently, members provided social security numbers at the time they applied for a photo identification card. Beginning immediately, all communications regarding the applications for new photo identification cards will be via U.S. Mail and in paper form. No electronic records will be kept by the State Bar.

4. Did the State Bar have my social security number or not?

The State Bar had social security numbers for approximately 4,000 members. Members whose social security numbers are believed to have been contained on the State Bar's database should have received a second and third email notifying them of that fact. Some members do not have an email address on file with the State Bar. For those members, a separate letter was mailed to them through the United States Postal Service.

5. Why did the State Bar wait so long to notify me of the breach?

The State Bar acted very quickly after the computer consultants advised The Bar of the potential for a security breach. The State Bar Linux server and website were immediately brought down. The Linux server housed the State Bar's listserv which was its prior method of communicating with all members.
The State Bar's Board of Governors was advised of the security breach and it authorized the dissemination of a press release. The Supreme Court of Appeals of West Virginia was contacted and provided technical assistance in sending out a press release advising of the compromise of the State Bar's network. During this time, the State Bar did not have any ability to mail or email its members as its membership database was inaccessible. The State Bar has now created a new email system to communicate with all members of the State Bar that have their emails on file. The State Bar sent an email to its members within a few hours of its membership database and email listserv being reinstated.

6. What information did the hackers get in the security breach?

It is not possible for the computer consultants to advise the State Bar that any information was reviewed during the security breach. The computer consultants can only advise that the outside hackers had access to the member database and all other data on the State Bar network. The computer consultants reviewed the data in the member database. They have advised that it is not infected with any virus.

7. Why wasn't the site secure?

The State Bar's computer system was equipped with a firewall, which previously was believed to be secure. However, the State Bar's forensic computer experts have advised that no firewall would have prevented the sophisticated hack of the website and database. The State Bar is taking extraordinary measures, as set forth in response to question number 1 above, to prevent a security breach from occurring again in the future.

8. Did the State Bar report this to the credit reporting agencies?

The State Bar has notified the credit reporting agencies of this security breach. The State Bar has also provided the contact information for all three major credit reporting agencies to our members and it has encouraged each member to separately contact those agencies.

9. Is the State Bar going to pay for my credit monitoring costs?

Some State Bar members have requested the State Bar to pay for credit monitoring. Unfortunately, the State Bar has no unallocated funds to pay for any credit monitoring services. To put such a program in place could require an assessment of the members as a whole. Given the lack of any reported identity theft affecting any of its members, the State Bar believes that a special dues assessment to pay for this credit monitoring is an unnecessary expense for its members at this time.

10. Has this been reported to a law enforcement agency so I can file a 7 year report?

Yes, this matter has been turned over to the Federal Bureau of Investigation. They are conducting a formal investigation of the security breach. Within the next few days, it is anticipated that the FBI will begin its forensic analysis of the removed hard drives. The FBI has assured the State Bar that it will pursue location and prosecution of the individual or individuals who breached the State Bar's system.

11. Will we be advised of any information the State Bar receives from the FBI?

Yes, the State Bar will keep its members up to date regarding any public results of the FBI investigation.


Since 2007, the State Bar has been working to correct the flaws in the old computer system and to insure that a completely safe and fully operational system is up and running as soon as possible. The State Bar regrets any inconvenience to its members.


Friday, May 08, 2009

The West Virginia Record Malware Problem Fixed

The problem with ads serving malware at the West Virginia Record was corrected quickly after they learned of it, Chris Dickerson, Editor of the Record, told me yesterday. He said the issue was with a compromised ad server that was part of an ad network serving hundreds of newspapers.


Tuesday, May 05, 2009

Attorneys Receiving Individual Notification of Social Security Number Compromise in Recent WV State Bar Data Breach

Individual attorneys began receiving notices this afternoon that their social security numbers were involved in the recent breach of the WV State Bar website and other computer systems.

Important Notice to Members Regarding Social Security Information

From:
The West Virginia State Bar
2006 Kanawha Boulevard, East
Charleston, WV 25311-2204


The West Virginia State Bar has learned that there are two sets of persons whose Social Security numbers were contained on its computer system, which was recently hacked. The first group of persons are those who recently completed applications to receive the new West Virginia State Bar photo ID card.  Those persons included their Social Security numbers on the application forms, which were sent to Cheryl Wright at The State Bar, scanned into The State Bar's computer system, and e-mailed or faxed back to the requesting members.

  
The other group of persons whose Social Security numbers were contained on The State Bar's computer system are those who provided their Social Security numbers to The State Bar at some point in time during their membership tenure. These Social Security numbers existed on The State Bar's membership database along with the members' names, addresses, telephone numbers, email addresses, and dates of admittance. It was not until late in the day on May 4, 2009, that The State Bar's retained experts were able to retrieve this information. 


Unfortunately, you are receiving this email because you are among one or both of these groups of people. Although, as has been explained in the two prior notices, The State Bar has received no evidence or reports of any identity theft, fraud or other unauthorized use of any member's personal information, because your Social Security number was contained on The State Bar's computer system, there is a possibility that it may have been viewed by the hackers. 


The West Virginia State Bar has notified the three major credit reporting agencies of this potential security breach and is working with the FBI to identify the person(s) or entity(s) responsible.  If you have any evidence that your personal information has been compromised, please contact The West Virginia State Bar immediately.  In addition, you also may wish to contact the major credit reporting agencies to ask that a fraud alert be placed in your file to notify potential creditors and others that you may be a victim of identity theft. The contact information for the credit reporting agencies is as follows:

Equifax Information Services
PO Box 740256
Atlanta, GA 30374
1-877-576-5734
www.fraudalerts.equifax.com

 
Experian
NCAC
PO Box 9556
Allen, TX 75013
1-888-397-3742
www.experian.com/fraud

 
TransUnion
Customer Disclosure Center
TransUnion Consumer Relations
PO Box 2000
Chester, PA 19022-2000
1-800-680-7289
www.transunion.com


The West Virginia State Bar deeply regrets any concern or stress that this has caused you. If you have any additional questions, please send them to Anita Casey, Executive Director of The West Virginia State Bar. Ms. Casey will work with The State Bar's Ad Hoc Technology Committee to respond to your questions as quickly as possible.


WV State Bar Sends Member Notice of Data Breach

The West Virginia State Bar sent notice of the breach of its site and internal servers by hackers yesterday. The notice, posted below, sheds no new light on what happened or whether personal data was compromised, but it does disclose that the FBI is now involved.

Important Notice to Our Members

From:
The West Virginia State Bar

2006 Kanawha Boulevard, East
Charleston, WV 25311

Using a sophisticated computer hack, an unknown person or entity gained unauthorized access to The West Virginia State Bar website and internal computer network, potentially compromising certain personal information The State Bar maintains about its current and former members.

The security breach was discovered recently during an upgrade of The State Bar's website. The website was taken offline on Friday, April 17, 2009. The State Bar has retained forensic computer experts to help investigate the suspected security breach. The State Bar is also working with the FBI to investigate the breach and attempt to locate the responsible party(s).

The West Virginia State Bar's Ad Hoc Technology Committee met with its retained forensic computer experts and learned that the security breach extended beyond the web server to the Bar's internal computer network. Given the sophistication of this security breach, and out of an abundance of caution, the Committee is considering all personal information on The State Bar's network as potentially compromised.

The State Bar provided notice to all of its members regarding this security breach through a press release issued on April 28, 2009, with the assistance of the West Virginia Supreme Court of Appeals as The West Virginia State Bar did not have computer access to its member lists until May 4, 2009. This second notice is being sent to all members at this time because the State Bar's listserv capability was reinstated late this afternoon.

Members of the Ad Hoc Technology Committee, representatives of the company which has been working with The State Bar's computer system for the past several years, and the forensic computer experts worked all last week and over the weekend to remediate the problem.

While the website itself contained no personal data, the website was connected to The State Bar's internal database server which houses the membership data. Membership data includes names, mailing addresses, email addresses, birth dates, lawyer identification numbers, and some members' and former members' social security numbers. The State Bar Ad Hoc Technology Committee also has just obtained a list of the names of its members whose social security numbers were on the system. Those members will receive a separate e-mail communication from The State Bar.

Importantly, the Ad Hoc Technology Committee has confirmed that information provided by clients to their attorneys has never been maintained on The State Bar's computer systems and, therefore, such information is unaffected by this recently discovered security breach.

The Ad Hoc Technology Committee has been advised by its forensic computer experts that it is impossible to determine exactly when the security breach occurred. The State Bar has no evidence and has received no reports of any identity theft, fraud or other unauthorized use of its members' personal information at this time. If any members of The West Virginia State Bar have any evidence that their personal information has been compromised, they should contact The West Virginia State Bar immediately. Members may also contact the major credit reporting agencies to ask that a fraud alert be placed in their files to notify potential creditors and others that they may be victims of identity theft.

Equifax Information Services
PO Box 740256
Atlanta, GA 30374
1-877-576-5734
www.fraudalerts.equifax.com

Experian
NCAC
PO Box 9556
Allen, TX 75013
1-888-397-3742
www.experian.com/fraud

TransUnion
Customer Disclosure Center
TransUnion Consumer Relations
PO Box 2000
Chester, PA 19022-2000
1-800-680-7289
www.transunion.com


All questions should be directed to:

The West Virginia State Bar
2006 Kanawha Blvd., East
Charleston, WV 25311
c/o Anita Casey, Executive Director

Problems with the State Bar website go back to September 2009, and I've posted previously about problems with the Bar's website hosting malware.


Monday, May 04, 2009

Another West Virginia Law Related Website Compromised

The WV Record, a local newspaper that covers state legal matters, is serving ads containing malware. The site itself, www.wvrecord.com, does not appear to be compromised this morning; the malicious content is coming through the ads it serves. Until they get this problem cleared up, I wouldn't go there.

This is the second WV law related site to be compromised recently. The WV State Bar reported last week that its webserver and a number of internal servers were compromised.


Sunday, May 03, 2009

FDA Rule on Applying Windows Patches on Medical Devices Could Put Human Life at Risk

One of the scariest uses of Windows is as the embedded operating system on medical devices. As a result, every piece of malware coming down the pike can infect these devices, putting human life at risk. SANS announced last week that it had discovered Conficker worm infections on medical devices, including MRI machines.
"A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker," said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute.

Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the Internet to get instructions — presumably from the programmers who created Conficker.

The researchers dug deeper and discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet — and yet they were. And because the machines were running an unpatched version of Microsoft's operating system used in embedded devices they were vulnerable.

Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required that a 90-day notice be given before the machines could be patched.

Yes, you read that correctly. According to the device manufacturer, FDA rules require 90 days' notice before Windows patches can be applied to these machines, which is why a fix Microsoft shipped in October was still missing in March. That is a failure that could put human life at risk, and this FDA rule needs to be revisited. One more point for anyone running these devices in the meantime: the manufacturer says none of the machines were supposed to be on the Internet, yet they were, and the infections were noticed only because a machine was reaching out for instructions. Isolate device networks, default-deny their outbound traffic, and watch the egress logs. That cuts off the worm's command channel and flags the infected machine whether or not the patch is allowed yet.
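The egress check described above, as an added example that is not part of the original post or of any SANS or vendor tooling. It parses constructed firewall log lines in a generic key=value format (the addressing, the device VLAN 10.40.0.0/24, and the log format are all assumptions for this example; TEST-NET documentation ranges stand in for Internet addresses) and reports every device-VLAN host that reached, or tried to reach, a non-private destination. An allowed connection is a gap in the egress policy; a denied one means a device that should never talk to the Internet is trying to, which on an isolated device VLAN is itself the alert.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing for this example: the imaging/device VLAN and the RFC 1918
# ranges that count as "inside". Adjust to your own network.
DEVICE_NETS = [ipaddress.ip_network("10.40.0.0/24")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines in a generic key=value format (not real traffic).
# 10.40.0.2:104 is a local DICOM/PACS destination and should not be flagged.
LOG = """\
2009-03-24T02:11:05 action=allow src=10.40.0.17 dst=203.0.113.9 dport=80 proto=tcp
2009-03-24T02:11:06 action=allow src=10.40.0.17 dst=198.51.100.4 dport=80 proto=tcp
2009-03-24T02:11:09 action=allow src=10.10.5.3 dst=203.0.113.9 dport=80 proto=tcp
2009-03-24T02:12:01 action=allow src=10.40.0.17 dst=10.40.0.2 dport=104 proto=tcp
2009-03-24T02:12:30 action=deny src=10.40.0.21 dst=192.0.2.77 dport=445 proto=tcp
2009-03-24T02:13:00 action=allow src=10.40.0.21 dst=192.0.2.77 dport=80 proto=tcp
"""


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict with typed src/dst/dport."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = ts
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_any(addr, nets):
    return any(addr in net for net in nets)


def find_device_egress(log_text):
    """Map each device-VLAN host that tried to leave the network to the external
    destinations it reached ("allowed") or was blocked from ("denied")."""
    report = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if in_any(rec["src"], DEVICE_NETS) and not in_any(rec["dst"], PRIVATE_NETS):
            key = "allowed" if rec["action"] == "allow" else "denied"
            report[str(rec["src"])][key].add(str(rec["dst"]))
    return {host: {k: sorted(v) for k, v in buckets.items()}
            for host, buckets in report.items()}


def summarize(report):
    """One line per finding: allowed egress is a policy gap, denied egress is a
    device trying to call out and worth pulling off the network for a look."""
    lines = []
    for host, buckets in sorted(report.items()):
        if buckets["allowed"]:
            lines.append(f"{host}: reached {len(buckets['allowed'])} external host(s) (egress policy gap)")
        if buckets["denied"]:
            lines.append(f"{host}: blocked reaching {len(buckets['denied'])} external host(s) (investigate device)")
    return lines


if __name__ == "__main__":
    for line in summarize(find_device_egress(LOG)):
        print(line)
```

On the constructed log this reports 10.40.0.17 reaching two external hosts and 10.40.0.21 both blocked and then allowed to the same address on a different port; the staff workstation 10.10.5.3 and the local DICOM transfer are ignored. The same logic applies to proxy logs or NetFlow once the source field is mapped, and it works before any patch is approved.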
