Archive for November, 2012

PRWeb gets it wrong twice; TechCrunch gets it wrong once – and right once

November 27, 2012

PRWeb issued a press release stating that Google had taken over ICOA. TechCrunch ran a story on it. ICOA’s share price went through the roof on it. But it was all false and both were wrong about it.

We all make mistakes. Years ago when I was running ITsecurity.com I ran a news story on 1 April – I’d lost track of the date and fell for a cleverly phrased hoax. It happens. It’s what you do next that matters.

PRWeb issued a statement:

PRWeb transmitted a press release for ICOA that we have since learned was fraudulent. The release was not issued or authorized by ICOA. Vocus reviews all press releases and follows an internal process designed to maintain the integrity of the releases we send out every day. Even with reasonable safeguards identity theft occurs, on occasion, across all of the major wire services. We have removed the fraudulent release and turned the matter over to the proper authorities for further investigation.

That little word ‘sorry’ is soooooo hard to say. Instead, PRWeb removed the evidence, blamed the criminal, and spread the problem ‘across all of the major wire services’: it wasn’t really their fault. Bad show.

TechCrunch, however, left its original story intact, with an update saying:

We were wrong on this post, for not following up with Google and the other company involved but posting rather than… waiting on a solid confirmation beforehand from either source. We apologize to our readers, to the companies involved, and we’ll be sure to act in a more responsible manner for future stories…

but couldn’t quite resist adding a short stab at PRWeb:

rather than trusting the word of a website that doesn’t necessarily hold itself up to any journalistic standards.

Good show – well, 99% good show diminished only slightly by the quick stab at PRWeb.

So, all in all, kudos to TechCrunch for owning up to the mistake, apologising, and not trying to hide it. Shame on PRWeb for trying to avoid its responsibility – and especially for removing the offending fraudulent release. It happened. No true journalist would try to change history.

Which just leaves one small point. Who did it and why? Was it a simple hoax or an elaborate share fraud? I guess the financial authorities will be poring over the details of who sold shares in ICOA when the price was high…

Categories: All

GCHQ and Southampton University – a partnership made in hell

November 26, 2012

ZDNet has a brief story about GCHQ, which only goes to show how little GCHQ understands about business and security. The UK’s primary electronic spy agency is partnering with Southampton University to develop better biometric security. “GCHQ,” says the report, “will be working closely with the University of Southampton’s new research hub on issues facing UK security, such as human identification and data privacy in a bid to help protect the country from cyberattacks.”

That’s good. Biometric access control at the door will stop people getting into secure facilities; biometric access at the keyboard will stop bad actors accessing the networks. So what are they working on? Fingerprints? Iris? Facial or vocal recognition? Hand scans? Finger vein prints? Any of those might work.

No. According to the report, “The new thing we’re looking at is soft biometrics,” said Professor Mark Nixon, an academic at the university, working in the new cybersecurity centre. “You can describe someone as tall, thin, or fat and then use that information to retrieve people from a video.”

“The two main themes we are looking at are data privacy and identity management,” added Professor Vladimiro Sassone.

This is where I think I need to explain some basic security facts to GCHQ: statement two is simply a non sequitur from statement one. Unless you are videoing everybody in the country at all times (to catch the mobile cyberterrorist on his tablet in the street) and also have a video record of everybody in the country, along with details of who they are, to compare him/her with, then this is not going to work.

Unless… you don’t think… oh shit.

Categories: All, Politics, Security Issues

The evolution of a hack – South Carolina hack analysed by Mandiant

November 21, 2012

In late October the South Carolina Department of Revenue disclosed that it had been hacked, and 3.6 million social security numbers together with 387,000 bank card details (many unencrypted) were stolen. (My report on Infosecurity Magazine is here.) A law enforcement agency, thought to be the Secret Service, notified the Department and recommended that Mandiant be brought in to clear things up.

Mandiant has now published a Public Incident Response Report, including a step-by-step history of the hack itself. The whole report (it’s really quite short) is worth reading; but the history of the hack should be required reading for all students of security:

  • August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
  • August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials.
  • August 29, 2012: The attacker executed utilities designed to obtain user account passwords on six servers.
  • September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (“backdoor”) on one server.
  • September 2, 2012: The attacker interacted with twenty-one servers using a compromised account and performed reconnaissance activities. The attacker also authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
  • September 3, 2012: The attacker interacted with eight servers using a compromised account and performed reconnaissance activities. The attacker again authenticated to a web server that handled payment maintenance information for the Department of Revenue, but was not able to accomplish anything malicious.
  • September 4, 2012: The attacker interacted with six systems using a compromised account and performed reconnaissance activities.
  • September 5 – 10, 2012: No evidence of attacker activity was identified.
  • September 11, 2012: The attacker interacted with three systems using a compromised account and performed reconnaissance activities.
  • September 12, 2012: The attacker copied database backup files to a staging directory.
  • September 13 and 14, 2012: The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
  • September 15, 2012: The attacker interacted with ten systems using a compromised account and performed reconnaissance activities.
  • September 16, 2012 – October 16, 2012: No evidence of attacker activity was identified.
  • October 17, 2012: The attacker checked connectivity to a server using the backdoor previously installed on September 1, 2012. No evidence of additional activity was discovered.
  • October 19 and 20, 2012: The Department of Revenue executed remediation activities based on short-term recommendations provided by Mandiant. The intent of the remediation activities was to remove the attacker’s access to the environment and detect a recompromise.
  • October 21, 2012 – Present: No evidence of related malicious activity post-remediation has been discovered.
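As an added example (not part of the blog post or of Mandiant’s report), the Python below shows how a defender could pick out two phases of that timeline from host event logs: one account running a password-dumping utility across several servers within a day (the August 29 / September 1 phase), and the copy / compress / send out / delete sequence on a database server (September 12 to 14). The event log, host names, account names and action labels are all constructed for the example; the dates merely echo the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not from the report): (timestamp, host, user, action)
EVENTS = [
    ("2012-08-29T10:02", "srv-01", "j.doe", "cred_dump_tool"),
    ("2012-08-29T10:05", "srv-02", "j.doe", "cred_dump_tool"),
    ("2012-08-29T10:07", "srv-03", "j.doe", "cred_dump_tool"),
    ("2012-09-12T02:15", "db-01", "svc-bak", "file_copy"),
    ("2012-09-13T03:20", "db-01", "svc-bak", "archive_create"),
    ("2012-09-13T04:40", "db-01", "svc-bak", "net_transfer_out"),
    ("2012-09-14T05:05", "db-01", "svc-bak", "file_delete"),
]

def cred_dump_breadth(events, threshold=3):
    # Distinct servers per (account, day) on which a password-dumping utility
    # ran; one account touching many servers in a day is the lateral-theft signal.
    hosts = defaultdict(set)
    for ts, host, user, action in events:
        if action == "cred_dump_tool":
            hosts[(user, ts[:10])].add(host)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= threshold}

def staging_exfil_chains(events, window=timedelta(days=3)):
    # Per host, the ordered sequence copy -> archive -> outbound transfer ->
    # delete inside `window`: the stage / compress / send out / clean-up pattern.
    per_host = defaultdict(list)
    for ts, host, _, action in events:
        per_host[host].append((datetime.fromisoformat(ts), action))
    order = ["file_copy", "archive_create", "net_transfer_out", "file_delete"]
    chains = []
    for host, evs in per_host.items():
        evs.sort()
        for i, (t0, act0) in enumerate(evs):
            if act0 != order[0]:
                continue
            stage = 1
            for t, act in evs[i + 1:]:
                if t - t0 > window:
                    break
                if act == order[stage]:
                    stage += 1
                    if stage == len(order):
                        chains.append((host, t0.date().isoformat(), t.date().isoformat()))
                        break
    return chains
```

Each finding names the host and the first and last day of the sequence, which is what an analyst needs to pull the surrounding file-system and network records for.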