Hacking Congressional media

[Sometimes-I-wonder-why-I-bother department ...]

I saw this in three separate mailings, on three separate security lists:

> From SANS Newsbytes
>
> "Hacking the Hill: One of the very best cyber security stories of the
> year was published this morning in the National Journal with details
> about the hacking of Congress."
>
> http://www.nationaljournal.com/njmagazine/cs_20081220_6787.php

I'm really surprised that SANS made such a big deal of it, especially with that "very best cyber security stories of the year" line. This is not a very good story. It points out that some very basic precautions are not being taken in the highest levels of the United States government, it doesn't tell us very much about information security and protection, and it makes some really fantastic leaps of "cloud" logic.

Basically, what we have here is a report that someone found a keylogger and RAT (remote access trojan) on a machine used by someone important. (As usual, malware terminology is badly misused in the article, and you have to read between the lines to figure out what was actually found. It's possible that the malware came via an email virus, but these days it seems more likely it was off a Website.) Well, if you don't take proper precautions THIS IS GOING TO HAPPEN TO YOU. There is nothing strange about it. I'm seeing fewer of these things in the spam I'm getting directly than I did a few months ago, but that only means that another model of distribution is getting more popular. (And "less" means I'm down to a few a week rather than several per day. On an unused account which happens to be a convenient spam honeypot.)

Very few details are given in the story, but it appears that this malware program was found by using some form of signature scanner. Nothing wrong with signature scanners, as such. However, the implication seems to be that nobody is doing defence in depth. Activity monitoring would probably have caught this beast earlier. Egress scanning (of the type that is a kind of specialized form of activity monitoring) could also have detected the transfer of files "out there," and the connections to remote machines in order to download additional malware modules.

I'm not really impressed with the "cyber-forensic specialists," at least according to the information reported. You don't need to bag the hard drive to get that kind of data: a "goat" machine (or, even better, a virtual one) with the malware installed and a network monitor will get you that. Has anyone done any software forensics on this?
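To illustrate the egress-scanning point two paragraphs up (and what the network monitor beside a goat machine would actually record), here is a small Python example added to this post, not code from the original article; the log format, addresses, allowlist and thresholds are all constructed assumptions. It flags three things from plain flow records: a bulk upload to an unapproved host, a large pull from such a host (the "additional modules" case), and repeated contact with the same unapproved host.

```python
import ipaddress
from collections import defaultdict
# Constructed sample of outbound flow records from a perimeter device:
# "<timestamp> <src> <dst> <dst_port> <bytes_out> <bytes_in>"  (format is assumed)
SAMPLE_LOG = [
    "2008-12-20T09:00:01 10.1.5.23 10.1.0.10 445 1200 900",        # internal file share
    "2008-12-20T09:00:07 10.1.5.23 203.0.113.45 443 52000 300",    # bulk upload out
    "2008-12-20T09:05:07 10.1.5.23 203.0.113.45 443 200 180",      # check-in
    "2008-12-20T09:10:07 10.1.5.23 203.0.113.45 443 210 4100000",  # pulls a large payload
    "2008-12-20T09:15:07 10.1.5.23 203.0.113.45 443 190 170",      # check-in
    "2008-12-20T09:01:30 10.1.5.40 198.51.100.7 80 400 9000",      # via the approved proxy
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
APPROVED_EXTERNAL = {"198.51.100.7"}                # assumed allowlist (web proxy)
UPLOAD_THRESHOLD = 10_000       # bytes out in a single flow worth a look
DOWNLOAD_THRESHOLD = 1_000_000  # bytes pulled in from one unapproved host
REPEAT_THRESHOLD = 3            # flows to the same unapproved host: periodic contact

def parse_flow(line):
    """Split one log line into a dict; ints for port and byte counts."""
    ts, src, dst, port, out_b, in_b = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "out": int(out_b), "in": int(in_b)}

def egress_alerts(lines):
    """Return (kind, src, dst, value) tuples for flows that leave the
    internal network toward hosts that are not on the allowlist."""
    alerts = []
    per_pair = defaultdict(list)
    for flow in map(parse_flow, lines):
        if ipaddress.ip_address(flow["dst"]) in INTERNAL_NET:
            continue  # east-west traffic: not egress
        if flow["dst"] in APPROVED_EXTERNAL:
            continue  # known-good destination
        per_pair[(flow["src"], flow["dst"])].append(flow)
        if flow["out"] >= UPLOAD_THRESHOLD:
            alerts.append(("large_upload", flow["src"], flow["dst"], flow["out"]))
    for (src, dst), flows in per_pair.items():
        if len(flows) >= REPEAT_THRESHOLD:
            alerts.append(("repeated_contact", src, dst, len(flows)))
        pulled = sum(f["in"] for f in flows)
        if pulled >= DOWNLOAD_THRESHOLD:
            alerts.append(("large_download", src, dst, pulled))
    return alerts

if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_LOG):
        print(*alert)
```

On the constructed sample the workstation 10.1.5.23 trips all three rules while 10.1.5.40, which only talks to the approved proxy, produces nothing.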

No, probably not. Because the next thing we find is a tremendous leap of faith to the supposition that the Chinese are responsible for this. (Well, I'll allow as how that might be possible. "The Chinese" make up a sizeable proportion of the total human population, so if you have to take a random guess at identity that's probably the best bet.) China was suspected in some earlier electronic shenanigans, so obviously they are guilty now. (It couldn't be some twerp in a basement in Des Moines.)

Finally, the story talks about security awareness training. (Actually, even that part of the article muddies the water with some inclusions about cyber-terrorism.) Yes, I'm all for security awareness training. Open sessions, closed sessions, "write a letter to your Congresscritter and tell them not to do dangerous things with Blackberries," any kind of security training. Let's just do it, OK?
