2009 The Year of the Largest Security Incidents Since the Beginning of Forever


F-Secure is reporting that 9 million PCs are now infected with the Conficker/Downup/Downadup/Kido worm (here), which would make it one of the largest and most infectious worms we have seen in a long time. In an era of sophisticated, stealthy, financially motivated cybercrime it is interesting, to say the least, that this worm is garnering so much attention. What is far more disturbing is how many computers were infected and how easily this could have been avoided through more effective and efficient patch management, antivirus updating, and basic security controls. It is absolutely astonishing that this worm has been able to infect as many computers as it has when every one of its infection points takes advantage of a basic security lapse; this is why it is more critical now than ever that we revamp our ability to maintain the health and improve the security of our computing infrastructure.

No one knows exactly how many computers have actually been infected. Another thing that’s hard to explain is why the Conficker worm has been so successful. After all, a patch for the hole through which it penetrates Windows was issued some three months ago.

It doesn’t just spread via an old Windows vulnerability, however, but also via network shares; clearly it is exploiting administrator accounts that are “protected” with weak passwords. It also infects USB sticks. When an infected stick is plugged into a computer, the computer does ask what action is desired rather than immediately running the worm. However, as the Internet Storm Center notes, the worm can induce a user to click on the Start option by using fake icons.
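The USB vector above relies on an autorun.inf whose “run the worm” entry is dressed up to look like the normal “open folder” choice. The following is an added example (not code from the original post or from any of the vendors it cites) of a defender-side check that parses an autorun.inf from removable media and flags the tricks the post describes: an entry that launches an executable, an action label imitating the built-in AutoPlay prompt, and an icon borrowed from a system DLL. Both sample files and the heuristics themselves are constructed assumptions for illustration, not a signature for any particular worm.

```python
"""Flag autorun.inf files that disguise an executable as the 'open folder' choice.

Added example, not from the original post. The two sample files below are
constructed; the heuristics are assumptions about what a deceptive
autorun.inf looks like, based on the post's description of fake icons.
"""
import re

# Constructed sample: a legitimate vendor CD autorun.inf (icon and label only).
BENIGN_AUTORUN = """\
[autorun]
icon=setup.ico
label=Printer Drivers
"""

# Constructed sample: an autorun.inf that makes an executable look like the
# normal "open folder" entry in the AutoPlay dialog.
DECEPTIVE_AUTORUN = """\
[autorun]
; junk comment lines are common in obfuscated files and are ignored
open=RECYCLER\\hidden.exe
icon=%SystemRoot%\\system32\\shell32.dll
action=Open folder to view files
shell\\open\\command=RECYCLER\\hidden.exe
"""

# Anything that launches a program from removable media is worth a look.
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|dll|vbs|js)\b", re.I)
# Text of the genuine Windows AutoPlay option that a worm may imitate.
FOLDER_PROMPT = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)
# System DLL whose icons can be used to impersonate a folder.
SYSTEM_ICON = re.compile(r"shell32\.dll", re.I)


def parse_autorun(text):
    """Tolerant INI parser: returns {section: {key: value}} with keys lowercased.

    Unlike configparser it skips malformed and duplicate lines instead of
    raising, which matters because obfuscated files are rarely well-formed.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def assess_autorun(text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        launches = key in ("open", "shellexecute") or key.startswith("shell\\")
        if launches and EXECUTABLE_EXT.search(value):
            findings.append(f"{key}: launches executable '{value}' from removable media")
    action = autorun.get("action", "")
    if FOLDER_PROMPT.search(action):
        findings.append(f"action: imitates the built-in AutoPlay prompt ('{action}')")
    if SYSTEM_ICON.search(autorun.get("icon", "")):
        findings.append("icon: borrows a system icon, likely to look like a folder")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("deceptive", DECEPTIVE_AUTORUN)):
        print(f"{name}: {assess_autorun(sample) or 'no findings'}")
```

Run it on its own and the benign sample yields no findings while the deceptive one yields four. In practice this kind of check belongs in an endpoint policy that inspects removable media before AutoPlay runs, alongside the simpler control the post points to: disabling AutoRun and keeping patches and antivirus current.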

The Microsoft TechNet article (here) provides more information, including instructions on how to “clean” an infected system (here).

In other news, according to a recent article by Brian Krebs in the Washington Post (here), a data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have led to the theft of more than 100 million credit and debit card accounts, which would make it the largest breach ever (that we know of).

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,” Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants “is not impossible, but much less likely.”

Hacking a magnetic stripe isn’t terribly difficult, as I posted (here), so I don’t agree with Baldwin’s analysis. The unfortunate aspect is that, according to online records, Heartland Payment Systems was PCI compliant (here)…


So it raises the question of how the breach occurred, what can be done to avoid such a breach in the future, and, if it cannot be avoided, how to limit its impact.

But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Malicious software slurping up credit card numbers from transactions being processed through HPS: unfortunately, without forensic evidence it would be very difficult to determine the nature of the intrusion, assuming this is an external intrusion and not a case of an internal employee compromising internal systems. What I would say is that we already know, based on the infection velocity of the Conficker worm and the simple steps an organization could have taken to protect itself, combined with the inability of most organizations to implement even a basic level of operational security, that this incident could conceivably have been avoided if HPS had had full visibility and control over their networking infrastructure.

3 thoughts on “2009 The Year of the Largest Security Incidents Since the Beginning of Forever”

  1. Amrit,

    I have hope and faith that this will help secure the Internet. That is why I wrote about it last night: Conficker/Downadup – Securing The Internet. That was actually posted right before our twitter-sation.

    You definitely have a better view of how companies and organizations are employing business and security technologies within their environments. But, as I stated in the post, hopefully this will help IT and Sec personnel understand the weaknesses in their infrastructures while also providing executive management with the realization of the importance of funding and managing their technologies and people properly.

    I think we both agreed last night. It really goes back to the basics. People are just not doing them correctly. And organizations need to determine why that is happening and fix it or we will just be paying for it all over again.

    Go forth and do good things,
    Don C. Weber

  2. We are in the era of technology, where everything is going digital; at the same time we are not protecting our privacy and personal information. It’s being digitized and opened to so many other unknown people we are unaware of. Since the internet became so important to everyone’s life, everyone has access to everyone’s files. It’s a matter of time before someone else finds your information. People can find your health information from the internet.

    I have a request to the President to implement a rule/regulation to have more security in the government and hospitals.

  3. Pingback: On Conficker: The Return of the High-Profile Mass Infection Worm « Amrit Williams Blog
