Law Firm IT

Hack3rCon in Today's Charleston Daily Mail

2010-08-30T05:48:00.006-04:00

There is a nice story about Hack3rCon in today's Charleston Daily Mail with info about the conference and interviews with me and Rob Dixon. Being a former journalist it is ofter uncomfortable to be the subject of an interview, but Paul Fallon does a pretty good job of not misquoting me.

For more information about Hack3rCon visit http://hack3rcon.org/. A portion of the proceeds will benefit Hackers for Charity.

Welcome to Hack3rCon 2010 from The 304 Geeks on Vimeo.

Hack3rCon

2010-08-21T16:09:00.001-04:00

The 304Geeks will be hosting "Hack3rCon", the first of its kind Information Security Conference in this State!

http://www.hack3rcon.org

Register Now!

Events:
Ethical Hacking Workshops with the guys that created, teach and develop Backtrack, the most widely distributed open source penetration testing toolkit.

We have a full day of special gust discussion on everything from advanced password cracking in 2010 to detecting and stopping intruders to hands on hacking lads.

That is right, we will be holding a hacking village all weekend. Get hands on experience on our private network. Experience mentor will be on hand to guide you through the exercises. Prizes***

We will also be hold a Hacker's Capture the Flag event! Go against other ethical hackers in an attempt to get all the flags first!!!

*****WINNER GETS A NETBOOK PREINSTALLED WITH BACKTRACK!!!

Special Guests:

Dave Kennedy a.k.a. Rel1k Creator of SET
Adrian Crenshaw a.k.a. Irongeek - Security Researcher
Dennis Boas - **Classified**
Martin Bos a.k.a Purehate - Core Developer Backtrack-Linux
Lee Baird a.k.a. LeeRock - Security Consultant, Ciphent
Mark Baggett - SANS Instructor, Security Blogger - Pauldotcom

$10 Hack3rCon All Access Weekend Pass when you purchase a CharCon weekend pass. (requires pre-registration before the event)

Keep an eye out for technology driven events and contest that will be host by the 304geeks!!

The 304Geeks is a local technology group here in Charleston. It was founded in 2009 by Rob Dixon and myself.

More on Hack3rCon to come!!

Appalachian Institute of Digital Evidence First Annual Conference

2010-06-10T13:22:00.002-04:00

Appalachian Institute of Digital Evidence
First Annual Conference
July 27- 30, 2010
Marshall University Forensic Science Center

Seating is limited. To reserve a seat, email John Sammons at sammons17@marshall.edu with name, agency and contact information.

July 27 - 0800 to 1600 Cyber Security & Network Forensics

Schedule coming soon!

July 28 - 0800 to 1600 Law Enforcement

Today's Smoking Gun: An Introduction to Digital Evidence
John Sammons, Assistant Professor, Marshall University

Are you leaving evidence behind? Computers are everywhere and as such, they need to be considered as a vital source of potential evidence. Valuable digital evidence may be discovered in nearly any case, not just child pornography and identity theft. Homicide, robbery, drug violations are just a few of the cases that could be solved with digital evidence.

In this course learn the fundamentals of digital evidence, how it's different, how it's collected and how it could benefit your investigations.

Internet Investigations
Josh Brunty
Marshall University Forensic Science Center

Investigating a cybercrime and/or cybercriminal can be one of the most complex tasks facing the law enforcement professional today and requires a multidisciplinary approach supported by technical expertise that was once not needed with traditional crime. This session will focus on investigations and operations centered on the use of the internet and its many communities that are being exploited for criminal activity.

This session will teach investigators how to retrieve and/or extract such evidence using a variety of tools and techniques.

These two classes have already been submitted and approved for LET credit (4 hrs per).

July 29 0800 – 1600 – Digital Forensics

Windows 7 Forensics and USB Device Tracking

This technically intensive class is designed for the experienced digital forensic investigator. This class will provide an introduction to the Windows 7 operating system from a forensic standpoint. It will also cover the techniques used to track USB devices. The course is taught by Dustin Hurlbut, an Instructor from AccessData. AccessData is the world's largest provider of digital forensic software.

NOTE: LET credit approval pending

July 30 0800 – 1600 – Electronic Discovery

“Zubulake Revisited” - 2010 Guidance on Preservation Obligations and Spoliation
Douglas Crouse
(50 min.)

Tips For Developing an E-Discovery Response Action Plan
Matthew A. Kelly
(50 min.)

“Cull,” “Image,” “Early Case Assessment,” and Other Key Vocabulary
Jill McIntyre
(25 min.)

How to Assess Reasonable Accessibility
Jill McIntyre
(25 min.)

eDiscovery Collection
Dustin Hurlbut
(50 min.)

eDiscovery Analysis
Dustin Hurlbut
(50 min.)

Reforms of Civil Pretrial Discovery on the Horizon
Jill McIntyre
(50 min.)

Data as Evidence: Issues Governing the Admissibility of Electronically
Stored Information at Trial and in Summary Judgment Practice
Douglas Crouse
(50 min.)

Controlling E-Discovery Costs in Litigation
Jill McIntyre
(50 min.)

A Chilling Article About Law Firms Becoming Targets of Cyber Criminals

2010-03-20T10:03:00.003-04:00

I have long said that law firms are lucrative targets for hackers. Today a story appears on page DC - 1 of the San Francisco Chronicle called "Law firms are lucrative targets of cyberscams".

Last spring, a Long Beach law firm received an e-mail from a Hong Kong businessman seeking help collecting debts from American customers. An attorney with the firm saw it as a great opportunity to reel in more business during the economic downturn and agreed to help.

After a month of signing paperwork and exchanging telephone calls with his client, the attorney received word from one debtor who sent a $200,000 cashier's check to pay off his balance. The attorney deposited it in his firm's account, subtracted his $10,000 fee and wired the remaining amount to his Hong Kong client.

An hour-and-a-half later, the attorney's bank called and told him the check bounced. Fortunately, the bank was able to prevent the wire transfer from reaching its destination. He almost had been duped out of $190,000.

"They send me a nice, big, worthless check," said the attorney, who asked to remain anonymous. "Needless to say that was not a fun day. They were the hardest 24 hours of my life.

The threat has been very real for a long time. Scammers have moved from just scamming "rich americans" and have moved on to targeting "rich american lawyers". The best defense against these sorts of scams are a good spam filter and user education.

If you don't have a user education program at your firm, start one. Your IT staff should be trained in security as well. Something like the CompTIA Security+ certification is a good start. Even the MCSE has track has security some great security components to it. You should also probably have a CEH or a CISSP on staff as well, or at least a security professional you can bring in to consult on a contract basis.

...Alex Stamos, a founding partner at iSEC Partners, a San Francisco security consulting firm that recently published research identifying about 100 organizations hit by the attack, said that law firms are on the list of organizations most at risk of being targets in the future.

"Most law firms are going to be in trouble if this is the level of adversary they're going to deal with," he said. "It's impossible even for the largest law firms to have a dedicated security team that can hold their own against these people."

This threat isn't going away anytime soon. Be alert and be careful. The threat is no long the 14 year old in the basement. It's organized crime.

How Cybercriminals Steal Money

2010-02-26T00:10:00.000-05:00

Two Great Novels

2010-02-25T23:55:00.007-05:00

Daemon and its sequel, FreedomTM may be the best novels I have ever read. Below is a video of the author, Daniel Suarez, speaks on "Bot-Mediated Reality".

Bots, or hardware and software robots, are already a large part of human life. Including botnets used to send spam or generally threaten the Internet.

The Internet is Evil John Strand Louisville Infosec Conference Video

2009-10-30T18:59:00.005-04:00

I had to miss Louisville InfoSec, but Irongeek comes to the recuse with videos from the conference.

Below is a talk by Law Firm IT favorite John Strand. John is a SANS instructor and a member of the PaulDotCom crew, called "The Internet is Evil". Thanks to Irongeek for taking the time to record, post and host these on his site.

Zeus, King of the Underground Crimeware Toolkits

2009-08-27T07:39:00.006-04:00

This blog post and video explains how Zeus, currently the world's largest botnet, works.

OWA+Weak Passwords=Big Trouble

2009-08-25T04:28:00.003-04:00

Now's the time to make sure your users are using strong passwords. As pointed out in this post from the RedSpin Security Blog, Outlook Web Access makes getting email on the go very easy for users, but it opens up yet another attack surface that is pretty easy to attack using commonly used tools.

This an another example of why law firm IT folks needs to encourage the use of strong passwords.

What's so interesting about the TJX Hacker Charged With Heartland, Hannaford Breaches

2009-08-23T05:42:00.006-04:00

Here's a few details I find interesting in this story:

* The hackers allegedly stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined.
* Gonzalez and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies.
* The attack vector was SQL-injection
* The hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.
* The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well.
* Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.”
* Another hacker linked to the crime committed suicide in 2008.
* Gonzalez goes to trial in New York on September 14th for the Dave & Buster’s hack.
* Next year, Gonzalez faces trial in Massachusetts on the TJX hack and may eventually face trial in New Jersey on new charges levied against him this week for allegedly hacking into five other companies, including Heartland Payment Systems and 7-11, and stealing more than 130 million credit and debit card numbers — the largest data breach prosecuted in the United States to date.

Some are wondering if Gonzalez was hired to do these jobs for the Russian mob. I can find no coverage of such a link.

Two of my debt cards were involved in these breaches. One was replaced. My bank give me one year of free fraud monitoring on the other.

While we as law firm IT don't usually process credit card transactions, most of us have SQL databases, many of them Internet facing or running our websites.

As defenders what can we learn from the breach? Secure your web applications. SQL-injection is a common thread in many recent breaches. It's a quick and easy way to get behind your firewall.

What a OS X exploit looks like

2009-06-28T13:54:00.003-04:00

This video helped to convince me that I needed an antivirus program for my Mac. I didn't purchase Sophos since it requires a Windows server to manage the client installation on a Mac. I downloaded and installed ClamXAV. It's free.

Video: Simple Tips to Pick a Strong Password

2009-06-27T10:55:00.002-04:00

Facebook Spear Phishing, New 419 Scam

2009-05-25T09:48:00.008-04:00

I received the follow email via Facebook last night that is a new variation on the old 419 scam:

Wilson sent you a message.

--------------------
Subject: Attn: Bill Gardner

Alexander JLO - Solicitors
11 Lanark Square
Glengall Bridge
London E14 9RE
United Kingdom.
TEL:+44 794 4145 981
Fax:+44 794 4416 262

Good day: Bill ,

This is a personal E-mail directed to you and I request that
it be treated as such.

I am Barrister Wilson Baker, a solicitor at law. I am the personal attorney/sole executor to the late Engr Gerald Gardner herein after referred to as'my client' who worked as an independent oil magnate in my country and who died in a plane crash with his immediate family in December 2003.

Since the death of my client, I have written several letters to the embassy with an intent to locate any of his extended relatives whom shall be
claimants/beneficiaries of his abandoned personal estate and all such efforts have been to no avail.

More-so, I have received official letters in the last few weeks suggesting a likely proceeding for confiscation of his abandoned personal assets in line with existing laws by the bank in which my client deposited a notably high amount of money.

On this note i decided to search for a credible person and finding that you bear a similar last name, I was urged to contact you, that I may with your consent, present you to the "trustee" bank as my late client's surviving family member so as to enable you put up a claim to the bank in that capacity as a next of kin of my client.

I find this possible for the fuller reasons that you bear a similar last name with my client making it a lot easier for you to put up a claim in that
capacity.

I propose that 35% of the net sum will accrue to you at the conclusion of this deal in so far as I do not incure further expenses.

Therefore, to facilitate the immediate transfer of this funds, you need, first to contact me via my private email:(wilsonbaker3@yahoo.co.uk) for better confidentiality, signifying your interest and as soon as I obtain your confidence I will immediately appraise you with the complete details as well as fax you the documents, with which you are to proceed and i shall direct you on how to put up an application to the bank.

However, you will have to accent to an express agreement which I will forward to you in order to bind us in this transaction.

Upon the receipt of your reply,I will send you by fax or E-mail the next step to take.I will not fail to bring to your notice that this proposal is hitch-free and that you should not entertain any fears as the required arrangements have been made for the completion of this transfer.

Like I said, I require only a solemn confidentiality on this.

Best regards,
Wilson Baker Esq
--------------------

I have to admit this version of the scam is compelling enough to make me actually read the email. This version of the scam actually lists an address and telephone number, but why would a lawyer use a Yahoo email address? This is just another example of how far people will go to attempt to get between you and your money.

Lessons learned from the WV State Bar breach

2009-05-15T07:15:00.011-04:00

According to the FAQ released by the WV State Bar yesterday, the data breach reported a couple of weeks ago was the result of a unpatched Linux sever being compromised. The Bar further says it has "an unsupported FoxPro database containing member information" some where on its network that was also compromised.

It's unclear from the FAQ how the hacker or hackers took control of the Bar's webserver and started serving malware. The bar does say, "The State Bar will no longer host its own website internally, it will be hosted off-site at a secure location with a company that specializes in website development and internet security. The State Bar website will be completely re-written in a more secure manner."

Netcraft shows the Bar site was running on Windows 2000 on Apache/2.0.54 Win32 PHP/5.0.4 on 22-Mar-2006. Previously the site ran Windows 2000, Microsoft-IIS/5.07 as of Nov-2004 according to Netcraft.

As far as secruity, they say they had a firewall, "The State Bar's computer system was equipped with a firewall, which previously was believed to be secure. However, the State Bar's forensic computer experts have advised that no firewall would have prevented the sophisticated hack of the website and database. The State Bar is taking extraordinary measures, as set forth in response to question number 1 above, to prevent a security breach from occurring again in the future."

The Bar has pulled the unpatched Linus box off its network, has stopped hosting it's website internally, and has removed social security number from it's databases. Also it says it's website is being rewritten in a more secure manner.

So what can we learn from the breach. First, don't run unpatched servers, Linux, Windows, or any other OS on your network.

Second, attacks on webservers are very much in style by hackers. Since most of us have deployed firewalls, antivirus, patch management, vulnerability scanners, and intrusion detection systems, the webserver is often the weekest link in some networks. As a result, web application security has becoming very important. Secure you web apps and use web application firewalls. Also don't host websites in-house or on the same network as your production network.

Third, know what applicatons, operating systems, and servers are on your network and where they are, and document eveything. The Bar says, "Further complicating matters, there existed no documentation regarding the State Bar network layout, hardware, software and/or legacy applications. As such, the upgrade process has been a cycle of discovery and repair which has taken longer than anyone could have expected or foreseen."

As far as the breach itself, the Bar say, "The State Bar had social security numbers for approximately 4,000 members. Members whose social security numbers are believed to have been contained on the State Bar's database should have received a second and third email notifying them of that fact. Some members do not have an email address on file with the State Bar. For those members, a separate letter was mailed to them through the United States Postal Service."

The Bar has turned hard drives over to the FBI and says it will keep it's member up-to-date on the investigation.

The West Virginia State Bar Has Posted An FAQ on Its Recent Data Breach

2009-05-14T14:43:00.003-04:00

The West Virginia State Bar has posted an FAQ on its recent data breach.

COMPUTER SECURITY BREACH FAQ

By now, most members of The West Virginia State Bar have received either one or two emails regarding the security breach at the State Bar website. If you received only one email, as far as the State Bar is aware, your social security number was not in the State Bar's database. Approximately 4,000 of the 7,000 State Bar members received a second email advising that we had your social security number was in the State Bar's database. As of this date, the State Bar has no knowledge that the hackers have looked at any personal information in the State Bar database and the State Bar has received no reports that any of its members have suffered any identity theft. Nonetheless, and out of an abundance of caution, the State Bar provided an alert to each of its members regarding this security breach. This alert has led to numerous questions which the State Bar has attempted to answer below so that all of its members will continue to be informed about this situation.

1. Does the Bar have any idea of how this could happen?

In late 2006 or early 2007, the State Bar determined that it needed to upgrade its computers, its network, its member database, and its website. All of these were hosted by the State Bar onsite. Since 2007, the State Bar has been working with computer consultants to upgrade the computers, network and security at the State Bar. The upgrade process has been hampered by the existence of an outdated Linux server, and an unsupported FoxPro database containing member information. Further complicating matters, there existed no documentation regarding the State Bar network layout, hardware, software and/or legacy applications. As such, the upgrade process has been a cycle of discovery and repair which has taken longer than anyone could have expected or foreseen.

In working with the computer consultants, it was learned very recently that outside computer hackers were able to enter the State Bar computer system through the Linux server and State Bar website. From there they create access to the remainder of the State Bar network, including the member database. It is not possible for the computer consultants to determine whether the hackers did or did not look at the member database, they can only advise that the hackers had the opportunity to look at any and all computer data on the State Bar's network.

2. What will the State Bar do to make sure this does not happen again?

The State Bar has now shut down its Linux server and its website. The Linux server will be eliminated. All hard drives in the State Bar network and individual work stations were replaced. The hard drives are being turned over to the Federal Bureau of Investigation. The State Bar will no longer host its own website internally, it will be hosted off-site at a secure location with a company that specializes in website development and internet security. The State Bar website will be completely re-written in a more secure manner. These steps combined should prevent similar security breaches in the future.
The State Bar has worked with its computer consultants to delete all social security numbers from the FoxPro database and no records will be kept in the future regarding social security numbers.

3. Why did the State Bar have my social security number and when did it get it?

At various points in time prior to 2007, the State Bar collected social security numbers. Many people provided this information at the time they were admitted to the State Bar. In addition, some social security numbers were collected by the State Bar when the West Virginia Supreme Court of Appeals first considered the possibility of e-filing. More recently, members provided social security numbers at the time they applied for a photo identification card. Beginning immediately, all communications regarding the applications for new photo identification cards will be via U.S. Mail and in paper form. No electronic records will be kept by the State Bar.

4. Did the State Bar have my social security number or not?

The State Bar had social security numbers for approximately 4,000 members. Members whose social security numbers are believed to have been contained on the State Bar's database should have received a second and third email notifying them of that fact. Some members do not have an email address on file with the State Bar. For those members, a separate letter was mailed to them through the United States Postal Service.

5. Why did the State Bar wait so long to notify me of the breach?

The State Bar acted very quickly after the computer consultants advised The Bar of the potential for a security breach. The State Bar Linux server and website were immediately brought down. The Linux server housed the State Bar's listserv which was its prior method of communicating with all members.
The State Bar's Board of Governors was advised of the security breach and it authorized the dissemination of a press release. The Supreme Court of Appeals of West Virginia was contacted and provided technical assistance in sending out a press release advising of the compromise of the State Bar's network. During this time, the State Bar did not have any ability to mail or email its members as its membership database was inaccessible. The State Bar has now created a new email system to communicate with all members of the State Bar that have their emails on file. The State Bar sent an email to its members within a few hours of its membership database and email listserv being reinstated.

6. What information did the hackers get in the security breach?

It is not possible for the computer consultants to advise the State Bar that any information was reviewed during the security breach. The computer consultants can only advise that the outside hackers had access to the member database and all other data on the State Bar network. The computer consultants reviewed the data in the member database. They have advised that it is not infected with any virus.

7. Why wasn't the site secure?

The State Bar's computer system was equipped with a firewall, which previously was believed to be secure. However, the State Bar's forensic computer experts have advised that no firewall would have prevented the sophisticated hack of the website and database. The State Bar is taking extraordinary measures, as set forth in response to question number 1 above, to prevent a security breach from occurring again in the future.

8. Did the State Bar report this to the credit reporting agencies?

The State Bar has notified the credit reporting agencies of this security breach. The State Bar has also provided the contact information for all three major credit reporting agencies to our members and it has encouraged each member to separately contact those agencies.

9. Is the State Bar going to pay for my credit monitoring costs?

Some State Bar members have requested the State Bar to pay for credit monitoring. Unfortunately, the State Bar has no unallocated funds to pay for any credit monitoring services. To put such a program in place could require an assessment of the members as a whole. Given the lack of any reported identity theft affecting any of its members, the State Bar believes that a special dues assessment to pay for this credit monitoring is an unnecessary expense for its members at this time.

10. Has this been reported to a law enforcement agency so I can file a 7 year report?

Yes, this matter has been turned over to the Federal Bureau of Investigation. They are conducting a formal investigation of the security breach. Within the next few days, it is anticipated that the FBI will begin its forensic analysis of the removed hard drives. The FBI has assured the State Bar that it will pursue location and prosecution of the individual or individuals who breached the State Bar's system.

11. Will we be advised of any information the State Bar receives from the FBI?

Yes, the State Bar will keep its members up to date regarding any public results of the FBI investigation.

Since 2007, the State Bar has been working to correct the flaws in the old computer system and to insure that a completely safe and fully operational system is up and running as soon as possible. The State Bar regrets any inconvenience to its members.

The West Virginia Record Malware Problem Fixed

2009-05-08T07:57:00.005-04:00

The problem with ads serving malware at the West Virginia Record was corrected quickly after they learned of the problem, Chris Dickerson, Editor of the Record told me yesterday. He said the issue was with a compromised ad server that was a part of a ad network serving 100s of newspapers.

Attorneys Receiving Individual Notification of Social Security Number Compromise in Recent WV State Bar Data Breach

2009-05-05T15:44:00.006-04:00

Individual attorneys began receiving notices this afternoon that their social security numbers we involved in the resent breach of the WV State Bar website and other computer system.

Important Notice to Members Regarding Social Security Information

From:
The West Virginia State Bar
2006 Kanawha Boulevard, East
Charleston, WV 25311-2204

The West Virginia State Bar has learned that there are two sets of persons whose Social Security numbers were contained on its computer system, which was recently hacked.　The first group of persons are those who recently completed applications to receive the new West Virginia State Bar photo ID card.　 Those persons included their Social Security numbers on the application forms, which were sent to Cheryl Wright at The State Bar, scanned into The State Bar's computer system, and e-mailed or faxed back to the requesting members.

　　
The other group of persons whose Social Security numbers were contained on The State Bar's computer system are those who provided their Social Security numbers to The State Bar at some point in time during their membership tenure.　These Social Security numbers existed on The State Bar's membership database along with the members' names, addresses, telephone numbers, email addresses, and dates of admittance.　It was not until late in the day on May 4, 2009, that The State Bar's retained experts were able to retrieve this information.　

Unfortunately, you are receiving this email because you are among one or both of these groups of people.　Although, as has been explained in the two prior notices, The State Bar has received no evidence or reports of any identity theft, fraud or other unauthorized use of any member's personal information, because your Social Security number was contained on The State Bar's computer system, there is a possibility that it may have been viewed by the hackers.　

The West Virginia State Bar has notified the three major credit reporting agencies of this potential security breach and is working with the FBI to identify the person(s) or entity(s) responsible.　 If you have any evidence that your personal information has been compromised, please contact The West Virginia State Bar immediately.　 In addition, you also may wish to contact the major credit reporting agencies to ask that a fraud alert be placed in your file to notify potential creditors and others that you may be a victim of identity theft.　The contact information for the credit reporting agencies is as follows:

Equifax Information Services
PO Box 740256
Atlanta, GA 30374
1-877-576-5734
www.fraudalerts.equifax.com

　
Experian
NCAC
PO Box 9556
Allen, TX 750131-888-397-3742
www.experian.com/fraud

　
TransUnion
Customer Disclosure Center
TransUnion Consumer Relations
PO Box 2000
Chester, PA 19022-2000
1-800-680-7289
www.transunion.com

The West Virginia State Bar deeply regrets any concern or stress that this has caused you.　If you have any additional questions, please send them to Anita Casey, Executive Director of The West Virginia State Bar.　Ms. Casey will work with The State Bar's Ad Hoc Technology Committee to respond to your questions as quickly as possible.

WV State Bar Sends Member Notice of Data Breach

2009-05-05T08:27:00.005-04:00

The West Virginia State bar sent notice of the breach of it's site and internal servers by hackers yesterday. The notice, posted below, shreds no new light on what happen or if person data was compromised, but it does disclose the FBI is now involved.

Important Notice to Our Members

From:
The West Virginia State Bar
2006 Kanawha Boulevard, East
Charleston, WV 25311

Using a sophisticated computer hack, an unknown person or entity gained unauthorized access to The West Virginia State Bar website and internal computer network, potentially compromising certain personal information The State Bar maintains about its current and former members.

The security breach was discovered recently during an upgrade of The State Bar's website. The website was taken offline on Friday, April 17, 2009. The State Bar has retained forensic computer experts to help investigate the suspected security breach. The State Bar is also working with the FBI to investigate the breach and attempt to locate the responsible party(s).

The West Virginia State Bar's Ad Hoc Technology Committee met with its retained forensic computer experts and learned that the security breach extended beyond the web server to the Bar's internal computer network. Given the sophistication of this security breach, and out of an abundance of caution, the Committee is considering all personal information on The State Bar's network as potentially compromised.

The State Bar provided notice to all of its members regarding this security breach through a press release issued on April 28, 2009, with the assistance of the West Virginia Supreme Court of Appeals as The West Virginia State Bar did not have computer access to its member lists until May 4, 2009. This second notice is being sent to all members at this time because the State Bar's listserv capability was reinstated late this afternoon.

Members of the Ad Hoc Technology Committee, representatives of the company which has been working with The State Bar's computer system for the past several years, and the forensic computer experts worked all last week and over the weekend to remediate the problem.

While the website itself contained no personal data, the website was connected to The State Bar's internal database server which houses the membership data. Membership data includes names, mailing addresses, email addresses, birth dates, lawyer identification numbers, and some members' and former members' social security numbers. The State Bar Ad Hoc Technology Committee also has just obtained a list of the names of its members whose social security numbers were on the system. Those members will receive a separate e-mail communication from The State Bar.

Importantly, the Ad Hoc Technology Committee has confirmed that information provided by clients to their attorneys has never been maintained on The State Bar's computer systems and, therefore, such information is unaffected by this recently discovered security breach.

The Ad Hoc Technology Committee has been advised by its forensic computer experts that it is impossible to determine exactly when the security breach occurred. The State Bar has no evidence and has received no reports of any identity theft, fraud or other unauthorized use of its members' personal information at this time. If any members of The West Virginia State Bar have any evidence that their personal information has been compromised, they should contact The West Virginia State Bar immediately. Members may also contact the major credit reporting agencies to ask that a fraud alert be placed in their files to notify potential creditors and others that they may be victims of identity theft.

Equifax Information Services
PO Box 740256
Atlanta, GA 30374
1-877-576-5734
www.fraudalerts.equifax.com

Experian
NCAC
PO Box 9556
Allen, TX 75013
1-888-397-3742
www.experian.com/fraud

TransUnion
Customer Disclosure Center
TransUnion Consumer Relations
PO Box 2000
Chester, PA 19022-2000
1-800-680-7289
www.transunion.com

All questions should be directed to:

The West Virginia State Bar
2006 Kanawha Blvd., East
Charleston, WV 25311
c/o Anita Casey, Executive Director

Problems with the State Bar website go back to September 2009, and I've posted previously about problems with the Bar's website hosting malware.

Another West Virginia Law Related Website Compromised

2009-05-04T11:08:00.003-04:00

The WV Record, a local newspaper that covers state legal matters, is server ads containing malware. It doesn't appears the site itself, www.wvrecord.com, is compromised this morning. The site is serving compromised ads. Until they get this problem cleared up, I wouldn't go there.

This is the second WV law related site to be compromised recently. The WV State Bar reported last week that its webserver and a number of internal servers were compromised.

FDA Rule on Appying Windows Patches on Medical Devices Could Put Human Life at Risk

2009-05-03T06:20:00.006-04:00

One of the scariest uses of Windows OS is that it is installed on medical devices. As a result, every piece of malware coming down the pike can infect this medical devices, putting human life at risk. SANS announced last week that it had discovered Conficker worm infections on medical devices, including MRI machines.

A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker," said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute.

Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the Internet to get instructions — presumably from the programmers who created Conficker.

The researchers dug deeper and discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet — and yet they were. And because the machines were running an unpatched version of Microsoft's operating system used in embedded devices they were vulnerable.

Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required that a 90-day notice be given before the machines could be patched.

Yes you read that correctly. Windows patches for medical devices must be approved by the FDA, and the FDA must receive a 90-day notice to apply patches. The result is epic fail that could put human life at risk. This FDA rule needs to be revisited.

WV State Bar Data Breach

2009-04-29T08:09:00.004-04:00

The WV State Bar reported yesterday that the Bar's website and servers on its internal network have been compromised. The compromised data might include members' names, mail and email addresses, lawyer identification numbers, and the Social Security numbers of some members and former members.

The Bar says there is no evidence that the information listed above has been used for identity theft or fraud, but that members who have concerns should check their credit reports.

The WV State Bar site remains offline this morning. The Bar has called in data forensics experts to try to determine the extent of the breach. They are in the process of rebuilding the site from scratch.

The Bar's website first showed signs of problems back in September when it was blocked by Google's Safe Browsing feature for serving malware. And I' ve posted about the Bar's website hosting malware earlier this month.

Elite User Conference 2009 coming up Jun 9-11

2009-04-23T08:16:00.004-04:00

Just saw a thread on the FWMI ProLaw Yahoo Group about the Elite User Conference 2009 coming up Jun 9-11 at the Hilton San Diego Bayfront in San Diego, CA. As in past years, Thomson is rolling Prolaw into the Elite Conference.

Thomson is offering Individual and Multiple Registration discounts:

Receive a $100 discount off the $1,495 Standard Registration Fee when you register before May 8th. That means you attend for just $1,395.

Multiple Registrations: Register multiple employees before May 8th and receive even more discounts. The second person you register pays only $1,095 and the third person pays just $795!

It would be nice to see Prolaw have its own user conference again. I'm not sure how useful the Elite Conference is to Prolaw users.

WV State Bar Site Remains Offline After Last Malware Infection

2009-04-23T05:54:00.007-04:00

The WV State Bar site remains offline today. The site was taken offline last Friday, four days after it was discovered the site was hosting malware yet again.

In an email, the Bar published information the site would be offline for maintenance:

“SPECIAL EDITION BAR BLAST”

* wvbar.org is currently offline for maintenance
* For Casemaker access, click here - https://demo.lawriter.net - login and password are westva (lowercase)
* For registration & other inquiries regarding the 2009 Annual Meeting, please contact Cheryl L. Wright at
cheryl@wvbar.org or 304.558.0828
*For Information regarding pro hac vice admissions, please contact Cheryl L. Wright at cheryl@wvbar.org or
304.558.0828

This is the same information currently on the website at http://www.wvbar.org/. It appears the site has been taken down to fix whatever problem was causing the site to be compromised on an almost monthly basis.

While my firm has not reported any infections that can be traced to the Bar's website, it remains to be seen if others firms have been so lucky.

Microsoft April 2009 Security Bulletin Webcast Video

2009-04-18T05:39:00.003-04:00

In case you missed it, here it is. I signed up for it, but had to miss it.

Video: Gozi trojan

2009-04-18T04:30:00.003-04:00

A member of my team forwarded this video to me last week. (I'm sorry I can't embed the video. Embedding disabled by request) The video shows the Russian Business Network (RBN) partners HangUP Team and 76service subscription-based data mining service for stolen data gathered by the Gozi trojan.

It's another fascinating look a tool build for hacker by hackers for profit rather than fun. For another fascinating look at a current hacking tool, take a look at the GhostNet video I previously posted.