[ISN] Worms meet corporations in legal minefield

InfoSec News isn at c4i.org
Fri Aug 19 03:39:19 EDT 2005


By Charlie Demerjian
18 August 2005

I spent most of Tuesday morning at a financial services provider, and
the talk of the morning was all about a large financial services giant
and the Zotob worm.

Any guesses why? It was claimed that said large financial giant was
another notch in the Zotob author's belt, and while they were not down
per se, it caused problems, slow networks, and downed services.

Another day, another massive bot infection. When will these people
learn that trusted computing and Microsoft promissory press releases are
not worth the paper they are printed on? And yes, I know they are not
on paper anymore. Here is when they'll learn: when someone notices
that getting infected violates a whole bunch of laws, and that brings
down the legal hammers on them.

What do I mean? Well, for this said large financial organisation,
there are several new regulations that are now in force, but the one
that I am specifically thinking of is SarbOx. If they were an HMO or
hospital, they would have HIPAA to contend with too. These laws have
some pretty onerous data access and authenticity requirements backed
up by civil and criminal penalties. Several states like California
also have laws on notification and reporting on top of these.

So, what's the problem? The large financial organisation just got
potentially owned bad: it was infected by a bot-carrying worm that
allows outside access to the computers, the data carried within, and
potentially the servers. Keyloggers? Maybe. Things riding on the back
of Zotob? Maybe. I don't know, do you? Do you think the large
financial organisation does either?

So, on one side you have a company that got screwed through sloppy
patch practices and an impossible task of keeping a Microsoft network
patched. I do say impossible on purpose, I mean it in the literal
sense, not the conversational one. On the other side, you have
organisations like the SEC looking for heads to nail to the wall. They
don't take excuses like 'we didn't know' or 'we didn't foresee that
one' with a smile and a laugh, this is 'buy your way out with
political contributions' territory.

So, a large financial org got hit, and hundreds of computers were
compromised. Did any of them have sensitive and/or customer data on
them? Are you sure? Can you prove that? Has any of the data been
tampered with? The answers most likely are a yes privately, no
publicly, no, no and no clue respectively. To be honest, this is not
just a big financial organisation's problem either, there are probably
a bunch of others in the same boat, I just happened to overhear a
phone call between someone and this said corporation.

What will happen? Nothing this time. I am sure the SEC is way too busy
picking up real bad guys to enforce the letter and intent of the law,
but that will change as soon as something really bad happens in a
future bot attack. That kind of thing can rewrite enforcement
priorities in a stunningly short amount of time. So, what then? Then
they go back and give everyone they can think of the auditing
equivalent of a body cavity search, and questions like the ones I am
posing get asked.

This is a legal time bomb, people, and even the latest and greatest MS
solutions put into place are rather impotent. This one only affected
Win2K, but that is more a fluke than anything else; there have been
several that ran rampant over the 'invulnerable' XP SP2 already, and
it is a matter of time before the next one hits. Maybe this one will
be enough to make companies and Microsoft take security seriously. If
not, anyone have the phone number for the SEC?