Category Archives: Vulnerabilities

Analysis of Vulnerabilities

87 weaknesses in 7 FDA systems

The Government Accountability Office (GAO) was asked to examine seven key Food and Drug Administration (FDA) information systems and assess how effectively the FDA had implemented the information security controls intended to protect the confidentiality, integrity, and availability of its information.  The assessment reviewed security policies, procedures, reports, and other documents, examined the FDA network infrastructure, and included interviews of FDA personnel.

The findings by GAO specifically state that the FDA did not always:

  1. adequately protect the boundaries of its network
  2. consistently identify and authenticate system users
  3. limit users’ access to only what was required to perform their duties
  4. encrypt sensitive data
  5. consistently audit and monitor system activity
  6. conduct physical security reviews of its facilities
Number of GAO-identified weaknesses at FDA, by control area:

Control Area               # of weaknesses   # of recommendations
Access Controls                  58                  122
Configuration Management         23                   37
Contingency Planning              5                    6
Media Protection                  1                    1
Total                            87                  166


NorQuest College woes of alleged harassment in IT data theft

NorQuest College is in Edmonton, Alberta.  Clarence Orleski was its manager of technology infrastructure until he was terminated on December 4, 2012 by executives Shawn Terlson and John Smith.  Orleski apparently did not get along with Smith, and on the morning of September 20, 2012, ahead of a planned meeting, Smith received an email from Orleski stating:

"I've been wanting to touch base with you and get the name (and contact info) of the lady you introduced to me back in the late fall last year…

I forget her name, but she is the one that you and her thought no one was in the office at the time. I was going to interrupt the two of you, but I felt I might be intruding on something, so I just hung around for a while. 🙂

…I think her name was (woman's name)"

Orleski then went to the meeting, declared that he could not stand the sight of Smith, and asked to work from home until his planned retirement in March 2013.  The request was denied and Orleski was given a disciplinary warning.

The next day, September 21, Orleski allegedly ran DBAN (Darik's Boot and Nuke) on his NorQuest work laptop to wipe its hard disk.  A few days later, Smith reprimanded Orleski for a $10,000 bill run up on his work phone and iPad while on vacation in Europe, telling him that he had not been expected to be available (i.e., the college would not pay the bill).  Orleski then went on sick leave for two months, until his firing.

On January 21, 2013, NorQuest College terminated Terlson as well.  Terlson then received an email:

"I guess what I'm trying to figure out is which one are you? 'Dumb' or 'Dumber'… Don't worry, Mr. pretty boy (Smith) won't be far behind you…

On February 19, 2013, dozens of executives and staff at NorQuest College received an email full of PDFs that began:

"What you're about to read is correspondence of a sexual nature between myself (John Smith) and my little playful sweetie"

On March 1, 2013, a court order was issued, and by that afternoon Orleski's personal computer, iPad, phone, and other storage media had been seized.  The college claimed $2 million in damages; the parties settled in 2015 and the lawsuit ended in January 2016.  The seizure also uncovered a privacy breach: a folder on Orleski's computer held 45,920 files (2.4 gigabytes) of unrelated college material, including financial data, employee personnel information, and the employment contract of the college president.

FBI concludes: North Korean government responsible in SPE cyber terrorism

While the semantics of the term “cyber terrorism” are still being argued, it is apparent to the FBI that Sony Pictures Entertainment has suffered significant economic harm from conduct outside the bounds of acceptable state behavior.

Most recently, on Tuesday, December 16, 2014, the “Guardians of Peace” posted a message threatening 9/11-style attacks on theaters that screen The Interview.  The note was posted on Pastebin under the title “Christmas gift: Michael lynton.”  Lynton is the CEO of Sony Pictures.  The message read:

Warning

We will clearly show it to you at the very time and places “The Interview” be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to.

Soon all the world will see what an awful movie Sony Pictures Entertainment has made.

The world will be full of fear.

Remember the 11th of September 2001.

We recommend you to keep yourself distant from the places at that time.

(If your house is nearby, you’d better leave.)

Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment.

All the world will denounce the SONY.

Following the threat, a number of major theater chains announced they would not show the film, and the East Coast premiere of the comedy was subsequently canceled.

Today, the FBI released a follow-up statement reinforcing its determination that the recent intrusion into Sony Pictures Entertainment (SPE) by a group calling itself the “Guardians of Peace” traces directly to the North Korean government.  The statement noted:

…The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens…

The biggest clues are technical: the data-deletion malware used against SPE shares specific lines of code, encryption algorithms, and data deletion methods with malware previously identified as developed by North Korean actors, and its infrastructure, including IP addresses, overlaps with infrastructure previously associated with North Korea.  The FBI also pointed to similarities with last year's March attacks on South Korean banks, which were attributed to the North Korean government.
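The kind of overlap the FBI describes (shared code fragments and shared hard-coded infrastructure between two samples) can be measured mechanically.  The script below is an added illustration, not anything from the FBI statement or from the actual SPE malware: it pulls printable strings and IPv4 literals out of two constructed byte blobs standing in for two binaries, computes the fraction of strings they share, and checks the extracted addresses against a constructed set of infrastructure an analyst already attributes to an actor.  All sample bytes, strings and addresses are invented (the addresses are documentation ranges).

```python
import re
from dataclasses import dataclass

# Constructed "binaries": byte blobs standing in for two malware samples.
# Every string and address here is invented for this example.
SAMPLE_A = (b"\x00MZ\x90\x00" + b"\x00" * 8
            + b"stage2: overwrite mbr\x00"
            + b"cfg: retry=3\x00"
            + b"203.0.113.7\x00198.51.100.20\x00"
            + b"\x00" * 4 + b"banner: sorry, nothing here\x00")
SAMPLE_B = (b"\x00MZ\x90\x00" + b"\x00" * 8
            + b"stage2: overwrite mbr\x00"
            + b"cfg: retry=3\x00"
            + b"203.0.113.7\x00192.0.2.44\x00"
            + b"\x00" * 4 + b"banner: different build\x00")

# Constructed set of addresses previously tied to an actor (assumption).
KNOWN_INFRA = {"203.0.113.7", "192.0.2.44"}

MIN_STR = 6
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Dotted-quad with lookarounds so "999.1.1.1" does not yield "99.1.1.1".
OCTET = rb"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rb"(?<![\d.])" + OCTET + rb"(?:\." + OCTET + rb"){3}(?![\d.])")


def printable_strings(blob: bytes) -> set:
    """Runs of at least MIN_STR printable ASCII bytes, like `strings`."""
    return {m.group().decode("ascii") for m in STRING_RE.finditer(blob)}


def ipv4_addresses(blob: bytes) -> set:
    """Well-formed IPv4 literals embedded in the blob."""
    return {m.group().decode("ascii") for m in IPV4_RE.finditer(blob)}


@dataclass
class Overlap:
    shared_strings: set      # non-address strings present in both samples
    string_jaccard: float    # |shared| / |union| over non-address strings
    shared_ips: set          # addresses hard-coded in both samples
    known_ip_hits: set       # addresses from either sample in KNOWN_INFRA


def compare(a: bytes, b: bytes, known_infra: set) -> Overlap:
    """Measure code-string and infrastructure overlap between two blobs."""
    ips_a, ips_b = ipv4_addresses(a), ipv4_addresses(b)
    # Keep address literals out of the code comparison so they are not
    # double-counted as both "code" and "infrastructure".
    str_a = printable_strings(a) - ips_a
    str_b = printable_strings(b) - ips_b
    shared, union = str_a & str_b, str_a | str_b
    jaccard = len(shared) / len(union) if union else 0.0
    return Overlap(shared, jaccard, ips_a & ips_b, (ips_a | ips_b) & known_infra)


if __name__ == "__main__":
    r = compare(SAMPLE_A, SAMPLE_B, KNOWN_INFRA)
    print("shared strings:", sorted(r.shared_strings))
    print("string jaccard: %.2f" % r.string_jaccard)
    print("shared IPs:", sorted(r.shared_ips))
    print("known-infrastructure hits:", sorted(r.known_ip_hits))
```

String and address overlap of this sort is evidence for clustering samples together, not attribution on its own: shared strings can come from a common library or a deliberately copied decoy, and an address can be shared hosting.  The FBI's conclusion rested on several such signals together, plus information it did not publish.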


$2.7M Schools First Credit Union IT embezzlement

In a four-count mail and wire fraud case, David Lugo, former Vice President of Information Technology (IT) at SchoolsFirst Credit Union, has signed a plea agreement that outlines how he embezzled nearly $2.7 million in IT funds.  He apparently used the money to pay for his daughter's USC tuition, new cars, lavish vacations, jewelry, and cosmetic dental work.

He started as a systems administrator and worked his way up to IT leadership as vice president at his (former) employer, SchoolsFirst Credit Union (SFCU).  SFCU is headquartered in Santa Ana, California, with $10 billion in assets and approximately 45 branches.  Lugo eventually began buying unnecessary equipment, such as Cisco routers, which he would then re-sell privately at a personal profit.  Unfortunately, the inventory, effective use, and disposal of these purchases were not adequately monitored.  To cover his tracks, Lugo later tried to delete his purchasing history from the computing environment.

The fraud was detected only a few months ago and eventually reported to the FBI.

Mr. Lugo is slated to appear in court on October 6, 2014, and eventually to formally enter a guilty plea.  The maximum prison term for the four counts is 80 years.

Insider threats such as employee theft are more likely under organizational conditions like these:

  • Availability and ease: access granted to people who do not need it
  • Information and assets not adequately labeled, identified, or inventoried at purchase, during use, and at decommissioning or disposal
  • The ability to leave a worksite or expected location with assets without being detected
  • An organizational perception that security is lax and that the consequences of theft are minimal or non-existent
  • Rushed project or system deadlines that encourage inadequate consideration of, or actual protection for, assets
  • A lack of support for training staff on how to properly protect information and assets
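Two of the gaps in the SFCU case are mechanical to close: equipment was purchased but never tracked into the asset inventory, and the purchase history itself could be deleted by the person who created it.  The script below is an added example, not SFCU's code or anything from the court filings: it reconciles a constructed purchase ledger against a constructed asset inventory to flag serials that were bought but never tagged and deployed (totalled per buyer), and it stores the purchase records as a hash chain so that removing an entry, or the whole tail of the ledger once the last hash has been recorded elsewhere, is detectable.  Record fields, buyers, serials and costs are invented.

```python
import hashlib
import json

# Constructed purchase records (invented for this example).
PURCHASES = [
    {"po": "PO-1001", "item": "Cisco router", "serial": "FTX1", "cost": 14000, "buyer": "vp_it"},
    {"po": "PO-1002", "item": "Cisco router", "serial": "FTX2", "cost": 14000, "buyer": "vp_it"},
    {"po": "PO-1003", "item": "Rack switch",  "serial": "SW1",  "cost": 6000,  "buyer": "netops"},
    {"po": "PO-1004", "item": "Cisco router", "serial": "FTX3", "cost": 14000, "buyer": "vp_it"},
]
# Constructed asset inventory: serial -> where the asset was tagged and deployed.
INVENTORY = {"FTX1": "datacenter-A rack 3", "SW1": "branch-12 closet"}

GENESIS = "0" * 64  # previous-hash value for the first ledger entry


def unaccounted_purchases(purchases, inventory):
    """Purchases whose serial never appeared in the asset inventory."""
    return [p for p in purchases if p["serial"] not in inventory]


def unaccounted_by_buyer(purchases, inventory):
    """Total cost of unaccounted purchases per buyer; concentration is the signal."""
    totals = {}
    for p in unaccounted_purchases(purchases, inventory):
        totals[p["buyer"]] = totals.get(p["buyer"], 0) + p["cost"]
    return totals


def chain_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash and a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_ledger(records):
    """Append-only ledger: each entry commits to the hash of its predecessor."""
    ledger, prev = [], GENESIS
    for r in records:
        h = chain_hash(prev, r)
        ledger.append({"record": r, "prev": prev, "hash": h})
        prev = h
    return ledger


def verify_ledger(ledger, expected_head=None):
    """Index of the first bad link, len(ledger) if the head does not match the
    externally recorded head hash, or -1 if the chain is intact.
    The chain alone cannot detect removal of trailing entries; that is what
    `expected_head` (the last hash, stored outside the buyer's control) is for."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or chain_hash(prev, e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(ledger)
    return -1


if __name__ == "__main__":
    for p in unaccounted_purchases(PURCHASES, INVENTORY):
        print("never inventoried:", p["po"], p["serial"], p["buyer"])
    print("unaccounted spend by buyer:", unaccounted_by_buyer(PURCHASES, INVENTORY))

    ledger = build_ledger(PURCHASES)
    head = ledger[-1]["hash"]          # record this where the buyer cannot edit it
    print("intact ledger check:", verify_ledger(ledger, head))
    tampered = ledger[:1] + ledger[2:]  # PO-1002 quietly removed
    print("entry deleted, first bad link at:", verify_ledger(tampered, head))
    truncated = ledger[:-1]             # last purchase quietly removed
    print("tail deleted, detected at:", verify_ledger(truncated, head))
```

The reconciliation is only as good as the inventory discipline it checks against, which is the second bullet above: if serials are never recorded at receipt, every purchase looks unaccounted and the report is noise.  The hash chain does not prevent deletion, it makes deletion visible to whoever holds the recorded head hash, so that value belongs with finance or audit, not with the IT leadership whose purchases it covers.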