The Maverick Cyber-Defense Threat Feed

Maverick Fed Gov Security Topic 05Oct09-01 > "SOA Security Is An Oxymoron

2009-10-05T07:17:00.001-07:00

SOA: Service-Oriented Architecture

I am sitting presently in a Mitre-sponsored SOA conference for the Federal Government. The 40 or so folks are supposed to represent the Fed Gov community when it comes to SOA and what it can do / is doing for the government. So far, I'm not feeling it.

We have a data issue in government. No one would dispute that. Terabytes or more of data, emails, images, files, all need to be categorized, linked, and accessible. At this conference there are lots of discussions about architecture, data structure, and even data standardization for platform independence. All important things, and necessary.

But what was missing, as usual, was any thought whatsoever to security: security of data, security at rest, security in transit, access controls, or encryption. Nothing. So of course, I asked, I asked the same question different ways for different presentations, just to see how different presenters would respond. This would give me a good sense of whether or not I was dealing with people who understood security, cared about security's role in their efforts, or even considered it at all.

It was the last, unfortunately. The last on that list...the last thing considered - if at all.

One presentation showed that 19 government agencies had agreed to SOA data standards for platform independence. A great feat, to be sure, getting 19 government agencies to agree on anything. ...but security was, as the presenter told me, "orthaganal". ie: ignored. Someone else's problem.

The best statement that came out of the conference was the following quote: "There is a huge difference between building something and executing on it."

When we create a standards-driven architecture that makes data connectivity interactive, easy, and operable, we make it a HUGE target. We also make it way easier for the bad guys to suck the teet of our government until they are fat with data.

If we are to remain the number one power on the planet, we must drive security as part of the process. It is key, or we are toast.

We are told in the government that disparate bits of data, though unclassified, when put together can tell an enemy too much. Yet with SOA, that is exactly what we are building towards.

Link to Fannie Mae Hacker Story

2009-01-31T06:58:00.000-08:00

http://www.wusa9.com/news/local/story.aspx?storyid=81025&catid=158

This video will be on the New Maverick web site in the next two weeks as well. If you have any questions, or require more assistance, contact Maverick.

Maverick Analysis: Lessons From The Fannie Mae Hacker

2009-01-30T17:46:00.000-08:00

Rajendrashinh Makawa, a 35 year-old Indian Unix system administrator contractor for OmniTech, was arraigned this week in Maryland for attempting to hack Fannie Mae - the company he was subcontracted to. After being fired in the early afternoon of October 24th, Makawa was allowed to continue working. By the time he turned in his badge and laptop in at the end of the day he had written and implanted four separate scripts in the Fannie Mae system. These were designed to wipe all of the data from the over 4,000 servers and storage devices in a revenge attempt. Luckily, another sys admin uncovered one of the malicious scripts and the plan was thwarted.

The biggest lesson to be learned from this incident is in the behavior of Fannie Mae and OmniTech during the dismissal of Makawa. Makawa's access should have been revoked just prior to his dismissal and he should have been immediately escorted from the building. Instead, he was allowed to finish his day and - in barely 4 hours' time - put thousands and thousands of Fannie Mae clients' records and millions of the company's dollars at risk.

Remember: the termination process should take place swiftly and should begin with the removal of all access of the person to be terminated.

30JAN09-02: No Hacking Required - U.S. Consulate in Israel Auctions Sensitive Information

2009-01-30T08:17:00.000-08:00

The U.S. consulate in Israel held an auction in December 2005 to get rid of old furniture and reportedly sold cabinets containing hundreds of files with Social Security numbers of U.S. Marines and state department staff stationed in Israel. The files also included U.S. State Department bank account numbers and documents tracking the U.S. funding of local political movements. Among the files was a dossier marked "Secret" detailing an encounter between a U.S. Marine and a young Israeli woman in a Jerusalem hotel bar.

The woman who bought the filing cabinets, an American-Israeli, recently returned them to U.S. control but only after the Israeli police intervened and threatened her with unspecified charges.

SOURCE: http://blog.wired.com/27bstroke6/2009/01/us-consulate-in.html

30JAN09-01: Russian "Cyber-Militia" Takes Kyrgyzstan Offline

2009-01-30T08:12:00.000-08:00

Kyrgyzstan's two main Internet service providers -- ns.kg and domain.kg – recently came under a massive online assault. Details have emerged that the cyber-attack was orchestrated by Russia-based "cyber militia," shutting down more than 80 percent of Kyrgyzstan's bandwidth. Speculation is that the attack was meant to thwart Kyrgyzstan's embattled political opposition -- which depends on the Internet to organize -- or to pressure Kyrgyzstan's government, which hosts a U.S. airbase outside of the capital, Bishkek.

SOURCE: http://blog.wired.com/defense/2009/01/cyber-militia-t.html

Welcome to the NEW Maverick Cyber-Defense Threat Feed!

2009-01-30T07:49:00.000-08:00

You may access this blog FREE as a courtesy service of Maverick Cyber-Defense. As we know many of our clients already have their own daily analysis shops, we provide this blog as a collector for cyber-indicators and information you can use to analyze and generate intelligence applicable to your own organization.

Each Thursday, Maverick will provide analysis of some topic related to cyber-security. Sometimes the posts will be topical, based upon major events of the week. Other times, we will post periodic intelligence we feel our clients need to stay ahead of the global threat.

If you have suggestions for topics or other inputs, feel free to contact us. We always try to tailor our intelligence to meet your needs. Just email us at info (at) maverick-security.com (replace the (at) with @ ).