According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station. The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.
You are thinking "So what? What risk does an online game keylogger pose to a laptop on the space station? Why should I care?"
As you know, we like to think bigger picture here.
Let's start with the obvious question of why the anti-virus software running on the laptop didn't immediately identify and stop a one year old virus? I don't know about you, but that sends up lots of red flags to me! This obviously begs the question of how long this keylogger has actually been resident on the laptop and if there are other, yet undetected, rootkits and keyloggers on those machines? Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to? What information has been exposed to theft or compromise either from the laptops or from other exposed machines on the NASA network? What was done with these laptops once the virus was detected? Were they merely cleaned to the virus scanners standards (which clearly aren't that high!) or was the computer completely taken out of commission so that it could be wiped to Department of Defense specifications and re-imaged before it was redeployed?
Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries. Where else within the federal government does the potential for similar security breaches exist? Are potential data leakages like this something that the Department of Homeland Security is focused on preventing? If not, they should be! Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!
Posted by smasiello at 2:22 PM at MX Logic
The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks are now surpassing computer viruses as the most common cause of security incidents within organizations. It also says, however that the losses incurred are not significant. The fact that insider threats have surpasses viruses in prevalence makes sense to me, but the argument that damage is minimal does not. Companies have been fighting the virus wars for years now. Granted, insider espionage has been a potential issue for much longer than computer viruses, it has generally not received the same level of attention.
It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was a result of malicious intent or an honest mistake. What is not accounted for here, however is the level of ease by which insiders can obtain potentially damaging company confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe that the reason companies are saying that the resulting losses from the insider threat are not the biggest cost is because they don't know how to estimate the damage.
Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?
I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?", rather "When will you have a security incident?" and are you equipped to respond?
We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.
Do not underestimate the insider threat and the ease by which they can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage/deletion already has access to the information they need....they don't have to break in or be sneaky to get it.
Posted by smasiello at 8:49 AM at MX Logic
According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station. The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.
