[ale] A story of Proactive Log Review and the best developer in the world.
JD
jdp at algoloma.com
Wed Jan 16 09:13:02 EST 2013
Summary:
* Security at small IT shop is actually proactively looking at system logs.
* They see a VPN connection from China. Suspicious.
* They are using RSA-based fob authentication. All commercial with vendor
support. (JD: A few yrs ago, RSA had a leak that made predicting the numbers on
a fob possible if the fob serial number was known. I think RSA had a spreadsheet
with that data stolen).
* Research shows the VPN connection is active every day.
* The fob being used is always the same. It is assigned to a well-known,
respected, liked employee, family man, mid-40s. Always got excellent annual reviews.
* Security figures someone inside the company had their PC hacked
* Further research shows a few emails with PDFs from China to the mid-40s
programmer, so security thinks it is a targeted attack using PDF. A common
attack vector.
* Security mirrors his PC and scans for malware, rootkits, viruses.
* Security talks to the employee who finally volunteers that he had sent his fob
to a company in China to perform software development. He had "outsourced" his
coding.
* Further research finds that he's performing work for a few other "client
companies" and earning a few hundred $K annually.
I don't recall any concrete statement about non-disclosure agreements being signed.
This is all from memory, so please correct what I got wrong. Read it a few
hours ago.
On 01/16/2013 08:47 AM, Jim Kinney wrote:
> VERY short read:
>
>
> Error establishing a database connection
>
>
>
> :-)
>
> On Tue, Jan 15, 2013 at 11:18 PM, Brandon Wood <woody at 2143.net> wrote:
>
> This isn't a long read; well worth your time. :)
>
> http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/
>
> Shamelessly stolen from Reddit.
>
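The proactive log review described in the summary above reduces to a simple rule: group successful VPN logins from an unexpected country by hardware token and flag any token that shows up that way day after day. Below is an added Python illustration of that check; it is not from the Verizon case study or any list member, and the log format, the gateway name "vpn-gw", the user names, the token numbers and the "US-only" expectation are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample VPN gateway lines (illustrative format, not any real product's log).
SAMPLE_LOGS = """\
2013-01-07T08:02:11Z vpn-gw user=bob token=000123456 src=203.0.113.5 geo=CN result=ok
2013-01-07T08:30:40Z vpn-gw user=alice token=000987654 src=198.51.100.7 geo=US result=ok
2013-01-07T09:10:03Z vpn-gw user=carol token=000555111 src=192.0.2.9 geo=DE result=ok
2013-01-08T08:04:02Z vpn-gw user=bob token=000123456 src=203.0.113.5 geo=CN result=ok
2013-01-08T08:31:17Z vpn-gw user=alice token=000987654 src=198.51.100.7 geo=US result=ok
2013-01-09T08:01:55Z vpn-gw user=bob token=000123456 src=203.0.113.6 geo=CN result=ok
2013-01-09T08:05:12Z vpn-gw user=mallory token=000222333 src=203.0.113.44 geo=CN result=fail
"""

ALLOWED_GEO = {"US"}  # assumption: this shop expects VPN logins only from the US

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw user=(?P<user>\S+) token=(?P<token>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

def parse_events(lines):
    """Yield dicts for well-formed, successful authentications only."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "ok":
            yield m.groupdict()

def find_foreign_token_use(lines, allowed=ALLOWED_GEO, min_days=3):
    """Return {token: {"users", "geos", "days"}} for tokens that logged in from a
    non-allowed country on at least min_days distinct days (one-off travel is ignored)."""
    by_token = defaultdict(lambda: {"users": set(), "geos": set(), "days": set()})
    for ev in parse_events(lines):
        if ev["geo"] in allowed:
            continue
        rec = by_token[ev["token"]]
        rec["users"].add(ev["user"])
        rec["geos"].add(ev["geo"])
        rec["days"].add(ev["ts"][:10])  # YYYY-MM-DD portion of the timestamp
    return {tok: rec for tok, rec in by_token.items() if len(rec["days"]) >= min_days}

if __name__ == "__main__":
    for token, rec in find_foreign_token_use(SAMPLE_LOGS.splitlines()).items():
        print(f"token {token} used by {sorted(rec['users'])} from {sorted(rec['geos'])} "
              f"on {len(rec['days'])} days: {sorted(rec['days'])}")
```

On the constructed sample only bob's token is reported: carol's single German login stays under the threshold and mallory's failed attempt is never counted.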