If the FBI e-mail network can get owned by a virus, what hope does the average joe have when it comes to keeping their e-mail secure?

It must be pretty serious too if it actually forced them to shut down the Internet facing e-mail network, it seems like it was down for at least a week and possible still unavailable to some users.

This demonstrates the problems self-propagating malware can cause to e-mail systems.

A virus has reportedly disrupted Web-based e-mail services at the U.S. Federal Bureau of Investigation.

The FBI confirmed Friday that it had been forced to shut down its Internet-facing unclassified network, but disputed a report that the incident had left the agency unable to e-mail counterparts in other intelligence and law enforcement agencies. “The external, unclassified network was shut down by the FBI as a precautionary measure,” the FBI said in a statement. “Within 48 hours of identifying the issue and mitigating risks, e-mail traffic was largely restored to the external, unclassified network.”

FBI agents can send e-mail on the agency’s more secure internal network or via BlackBerry, but many use this unclassified network to send messages via a Web-based e-mail system, said a source familiar with the situation. That webmail service was down throughout the week and continued to be unavailable for some users, the source said.

Where’s the full disclosure! We want details please, was this a normal virus that going around online? Was it something tailored to attack the FBI network? Was it seeded from inside or did it come in externally?

So many interesting questions, but no answers as usual.

It could be related to the recent QuickTime flaw with the DirectX rendering, the timing is about right – I guess we’ll never know though.

The FBI did not provide details on the security incident, but it looks as though hackers may have used maliciously encoded file attachments to hack into the network. In its statement, the FBI said it was now blocking users from sending or receiving attachments on the unclassified network “to give our technicians time to scan all the attachments that came into the e-mail system to make sure we have identified and mitigated all threats to the network.”

Malicious attachments are a constant security threat for computer users.

Microsoft warned Thursday that attackers are sending malicious QuickTime media files to victims, exploiting an unpatched flaw in Apple’s media format, in order to install malicious software on Windows systems.

It was first reported by NYPost and then later by CBS News.

I’ll be keeping an eye out to see if there are any further developments or news disclosure, if you’ve read anything relevant drop a link the comments.

Source: Network World

After our recent story about the trading of BlackBerries for data theft the issue has emerged again this time more towards the secure disposal of data stored on PC hard disks.

If a company or organisation has a decent data/information security policy in place (Like ISO27001 for example) they should have a secure destruction/disposal policy as part of that.

The current fiasco reminds me of the digital camera sold on eBay containing terrorist information from the MI6!

The recent discovery of a computer on eBay with data on a U.S. missile system underscores the importance of securing data when it is time to retire and dispose of a machine. Enterprises need to have proper plans and oversight in place to protect their information.

When reports that data on a U.S. missile system was found on a computer auctioned on eBay, enterprises were provided another example of what happens when they fail to securely manage data at the end of its life.

In this case, the consequences were nil, as the computer in question was purchased as part of a research project and has been turned over to the FBI. Still, the situation underscores the importance of having policies in place to protect data that extend all the way to the “death” of an organization’s machines.

The kind of information floating around in computers really needs to be kept under a tighter control, how can missile systems data be left on a computer sold on eBay? It just seems ridiculous.

Companies dealing with confidential information generally have data disposal policies in place, why do government organisations dealing with World security not have tight policies regarding disposal of decommissioned hardware?

For sensitive data, it’s best to do it using a disk degausser or seven-way random write algorithm, which some operating systems support either through tools or the command line, noted Forrester analyst Andrew Jaquith. There are also third-party tools that do this as well, he said.

“There’s also the physical option,” he added. “A sledgehammer to the memory card or hard disk is quite effective. It’s also usually faster and arguably more satisfying.”

Another layer of protection can also be found in encryption. Deguassing or physically shredding a drive can be costly, said Seagate’s Gianna DaGiau said. Overwriting a drive also may be incomplete if it doesn’t cover reallocated sectors or is thwarted by drive errors.

“Some corporations have concluded the only way to securely retire drives is to keep them in their control, storing them indefinitely,” said DaGiau, Seagate’s senior manager of enterprise security. “This cannot be considered truly secure, as large numbers of drives in close proximity can easily tempt employees and lead to some drives being lost or stolen.”

A 7 pass overwrite will be good enough in most situations, tools are available to do this for free like DBAN and Eraser so there is really NO excuse not to do it.

Personally if it’s important I’d recommend 7-pass overwrite, then degauss then bang the shit out of it with a baseball bat then burn it up (a blowtorch would be good).

I’d say your data should be pretty secure then, downside is no-one would want it buy it on eBay after you did that.

Source: eWeek

Ahah! More government cover-ups? This one was a while back too.

Digging on those archives right now yah.

A hacker stole a file containing the names and Social Security numbers of 1,500 people working for the Energy Department’s nuclear weapons agency, scary eh?

The US government security really does scare me sometimes, their internal departments have some of the lowest IT security scores…there are SO many data leaks and successful hacks, I mean I appreciate they have a sprawling infrastructure which makes it hard to maintain, but please, at least try?

For example Homeland Security scored an F again for Internal Security.

And this time it was covered up..

But the incident, somewhat similar to recent problems at the Veterans Affairs Department, was last September yet senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said.

The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, New Mexico. The file contained information about contract workers throughout the agency’s nuclear weapons complex, a department spokesman said.

NNSA Administrator Linton Brooks told a House hearing that he learned of the security breach late last September, but did not inform Energy Secretary Samuel Bodman about it. It had occurred earlier that month.

It was as always blamed on ‘miscommunication’ but it’s bullshit as the people involved meet every day..

The oversight and investigations subcommittee learnt of this and launched their panel into action.

The Energy Department spends $140 million a year on cyber security, Gregory Friedman, the DOE’s inspector general, told the committee. But he said that while improvements have been made, “significant weaknesses continue to exist,” making the unclassified computer system vulnerable to hackers.

Last fall, a so-called “Red Team” of DOE computer specialists — seeking to test the security safeguards — succeeded in hacking into and gaining control of a DOE facility’s computer system, the panel was told.

“We had access to sensitive data including financial and personal data…. We basically had domain control,” said Glenn Podonsky, director of DOE’s Security and Safety Performance Assessment. “We were able to get passwords, go from one account to another.”

Perhaps they really do need some lessons?

Source: Wired

Now this is a scary though, with the digitisation of the old analogue power stations and the accidental cross-over of networks (as we’ve seen before) people could soon be hacking nuclear power station control systems..

he nuclear power industry is going digital — replacing mechanical systems with more efficient, networked computer-controls.

If that makes you nervous in a season-four-of-24 kinda way, you’re not alone. Last week, the US Nuclear Regulatory Commission voted unanimously to add cyber security requirements to federal regulations governing nuclear power plant security.

Scary eh? Something straight out of a sci-fi movie.

The main concern is that the next generation of digital “instrumentation and control”, or I&C, systems could all-too-easily wind up linked to company business networks, and, through them, the internet — all but guaranteeing they’d be hacked.

The risk was illustrated in 2003, when the Slammer worm penetrated a network at the idled Davis-Besse nuclear plant in Ohio, disabling a safety monitoring computer for nearly five hours. The worm snuck in through the energy company’s corporate network, over an unmonitored connection from a contractor’s private LAN.

I think the whole world should be pretty nervous, don’t you?

At an NRC security briefing last March, commissioner (and Los Alamos veteran) Peter Lyons commented he was “very, very nervous” about such interconnections. The exchange that follows shows how nervous nuclear-types are about sounding nervous. From the transcript [PDF]

Oh dear..

Source: Wired Blog