
SANS ISC InfoSec Handlers Diary Blog



Data Redaction: You're Doing it Wrong

Published: 2010-04-22
Last Updated: 2010-04-23 11:58:02 UTC
by John Bambenek (Version: 1)
10 comment(s)

PDF files are a common way to distribute documents on the Internet, and they are even used to distribute documents with redacted (removed) content.  However, when you distribute a redacted document, make sure that the data you don't want out there isn't, in fact, still in the file.  Drawing a black box over a passage hides it on screen, but unless the tool also deletes the underlying text, that text is still in the PDF's content stream and comes out with a simple select-and-copy.

Case in point: take the upcoming trial of former Governor Rod Blagojevich. He just submitted a motion to force President Obama to testify during his criminal trial.  As you can imagine, there is sensitive information in the motion.  You can read the motion here. The areas that are redacted are pretty obvious.  Now hit Control-A, then Control-C, open a text editor or Microsoft Word (or the like), and paste.

Hello, Mr. Face.  Meet Mr. Palm. This particular mistake isn't new. There was a well-publicized SNAFU in which the US Department of Defense published a redacted document that still contained the classified text, which was promptly extracted and leaked on the Internet using the same method.

If the data is important enough to redact, it is probably important enough to verify that the data is actually gone.  Of course, this is a problem for more than just PDF documents.  An amusing HR trick is to take a look at Microsoft Word resumes, particularly the "Track Changes" history.

The takeaway is to use commercial tools (or tools specifically designed for the task) that delete, not just mask, the redacted information, and then to check that the redacted information is not easily retrievable... especially with something as trivial as copy-paste.  If you are too stingy for a commercial software package, print the document with the redacted portions and re-scan it as a PDF: the result is an image with no text layer to recover (and none of the original's metadata or revision history either), at the cost of searchability unless you OCR it afterwards.  Either way, finish with the same test: select all, copy, paste, and confirm that nothing you redacted comes back.
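As an added illustration (example code written for this diary entry, not code from the original post and not derived from the motion in question): the script below builds two tiny PDFs in pure Python, one where a sensitive line is merely covered by a black rectangle and one where the text object was actually removed, and then runs the same kind of check a reader performs with Control-A/Control-C by pulling every string out of the page's text-showing operators.  The sample text, the minimal PDF writer and the scanner are all constructed for this example; the scanner only understands FlateDecode streams and literal strings, which is enough to show the point.

```python
import re
import zlib

# --- a tiny PDF writer, just enough to build test files (added example code) ---

def build_pdf(page_content: bytes, compress: bool = True) -> bytes:
    """Wrap one page content stream in a minimal, well-formed single-page PDF.

    compress=True stores the stream with /FlateDecode, as real documents do,
    so the scanner below has to inflate it before it can look for text.
    """
    if compress:
        data, filt = zlib.compress(page_content), b"/Filter /FlateDecode "
    else:
        data, filt = page_content, b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d %s>>\nstream\n" % (len(data), filt) + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)

# --- the check: what text would Ctrl-A / Ctrl-C still pull out of this file? ---

STREAM_RE = re.compile(rb"<<(?P<dict>[^>]*)>>\s*stream\r?\n(?P<data>.*?)\r?\nendstream", re.S)
# Text-showing operators: "(literal) Tj" and "[(literal) kern (literal)] TJ".
# Hex strings (<...>) and octal escapes are not handled; this is a demo scanner.
TEXT_RE = re.compile(
    rb"(?P<lit>\((?:\\.|[^\\)])*\))\s*Tj"
    rb"|\[(?P<arr>[^\]]*)\]\s*TJ"
)
LITERAL_RE = re.compile(rb"\((?:\\.|[^\\)])*\)")

def _unescape(literal: bytes) -> str:
    body = literal[1:-1]                                   # drop the parentheses
    return re.sub(rb"\\(.)", rb"\1", body).decode("latin-1")  # handles \( \) \\ only

def content_streams(pdf: bytes):
    """Yield every stream body, inflating FlateDecode streams (the common case)."""
    for m in STREAM_RE.finditer(pdf):
        data = m.group("data")
        if b"/FlateDecode" in m.group("dict"):
            data = zlib.decompress(data)
        yield data

def recoverable_text(pdf: bytes) -> list:
    """Return every string a text-showing operator draws, black box or not."""
    found = []
    for stream in content_streams(pdf):
        for m in TEXT_RE.finditer(stream):
            if m.group("lit") is not None:
                found.append(_unescape(m.group("lit")))
            else:
                found.append("".join(_unescape(s) for s in LITERAL_RE.findall(m.group("arr"))))
    return found

# --- two "redactions" of the same constructed line (not text from the real motion) ---

SECRET = "WITNESS: J. Doe, 555-0100"

def masked_page() -> bytes:
    """Redaction done wrong: the text is drawn, then a black box is painted over it."""
    return (b"BT /F1 12 Tf 72 700 Td (" + SECRET.encode("latin-1") + b") Tj ET\n"
            b"0 g 70 696 220 16 re f\n")      # black rectangle covering the line

def redacted_page() -> bytes:
    """Redaction done right: the text object itself is gone; only the box remains."""
    return b"0 g 70 696 220 16 re f\n"

def still_leaks(pdf: bytes, secret: str = SECRET) -> bool:
    """True if the supposedly redacted string can still be copied out of the file."""
    return any(secret in s for s in recoverable_text(pdf))

if __name__ == "__main__":
    for label, page in (("masked", masked_page()), ("redacted", redacted_page())):
        pdf = build_pdf(page)
        print(f"{label:9s} leaks={still_leaks(pdf)} text={recoverable_text(pdf)}")
```

On a real file the equivalent check is pdftotext, a strings pass over the inflated streams, or simply the copy-and-paste test itself.  This scanner ignores hex strings, fonts with custom encodings and object streams, so an empty result from it is not proof the text is gone, while a hit is proof it isn't.  A print-and-rescan PDF contains only an image, so it yields nothing here by construction.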

(You can read about the issue from this article which is heavy on the facts of the particular trial in question).

--
John Bambenek
bambenek at gmail /dot/ com

Keywords: data redaction pdf

Don't Be Fooled by Twitter Spam in Your Inbox

Published: 2010-04-22
Last Updated: 2010-04-22 15:25:05 UTC
by Deborah Hale (Version: 1)
4 comment(s)

I have received several emails today "from" support@twitter.com. (Of course, they really aren't from support.) We are also receiving reports from our readers that they are seeing the same thing.  The emails claim that you have unread messages from Twitter and contain a link that you can supposedly click on to view the messages.  The links go to various locations other than Twitter.  Don't be fooled.  The emails are not from Twitter and the links are not at Twitter.  Just a reminder: NEVER click on links in emails.  Always log in to your account directly to check it out.  I have contacted Twitter and reported the emails.

Thanks to Alex for reporting his receipt of the emails to us.
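The tell described above, a message that claims to be from one domain while its links point somewhere else, is easy to automate.  The following is an added example (not code from the diary or from Twitter) that parses a constructed sample message with the Python standard library, pulls every href out of the HTML body, and flags any link whose domain does not belong to the claimed sender.  The sample message, the link destinations and the two-label "apex domain" approximation are all assumptions made for the example.

```python
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the reports above; not a real message.
# The first link's host is a classic look-alike: "twitter.com" is only a prefix.
SAMPLE_EML = """\
From: Twitter Support <support@twitter.com>
To: reader@example.net
Subject: You have 3 unread messages
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have 3 unread direct messages waiting.</p>
<p><a href="http://twitter.com.example.com/login?u=reader">View messages</a></p>
<p><a href="https://twitter.com/about">About Twitter</a></p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect href values from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def apex(host: str) -> str:
    """Crude registrable-domain guess: the last two labels.

    Assumption for this example: plain two-level TLDs. A production check
    should consult the Public Suffix List (co.uk and friends break this).
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def extract_links(msg) -> list:
    """Return every href in the text/html parts of a parsed message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.hrefs)
    return links

def suspicious_links(raw_eml: str) -> list:
    """Return links whose host does not belong to the claimed sender's domain."""
    msg = email.message_from_string(raw_eml, policy=email.policy.default)
    _, addr = parseaddr(str(msg["From"]))
    sender_apex = apex(addr.rpartition("@")[2])
    flagged = []
    for url in extract_links(msg):
        host = urlparse(url).hostname or ""      # mailto:/javascript: links have no host
        if apex(host) != sender_apex:
            flagged.append(url)
    return flagged

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_EML):
        print("link does not match claimed sender:", url)
```

The From: header is free text, which is why the diary puts "from" in quotes, so an empty result from this check is not evidence that a message is legitimate; a phisher who hosts the page on a look-alike domain and also forges the sender to match it will pass.  The advice in the diary still stands: don't click, log in to the account directly.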

 

Deb Hale Long Lines, LLC

Keywords: Twitter spam

How McAfee turned a Disaster Exercise Into a REAL Learning Experience for Our Community Disaster Team

Published: 2010-04-22
Last Updated: 2010-04-22 00:17:00 UTC
by Deborah Hale (Version: 1)
8 comment(s)

Our community has a unified disaster system.  We have several organizations, local government, county government, city government, hospitals, school district and businesses involved in Disaster Planning and Response. Because we are in the northwest corner of the state of Iowa, with border neighbors in Nebraska and South Dakota, we often have regional exercises.  Several times a year we have Disaster Exercises where all of our teams "play together".

Today was one of those days.  At 8AM this morning the team started to gather at the local event center to prepare for the arrival of the exercise "victims".  The victims were made up of students from local high schools and colleges and a few "adult chaperone" victims.  The scenario was a bioterrorist event at a sold-out concert at the local event center.  All of the players arrived and were briefed on the activities of the day.  At precisely 9AM the exercise began.  The first call went out to our 911 Center to notify them that an event was unfolding at the local event center.  Information was being relayed to the 911 operator that something was going on at the Event Center, with approximately 130 victims exhibiting various breathing/respiratory symptoms. The 911 operator was going through their normal fact-finding questions when, about 3 minutes into the call, the operator indicated that her computer had just quit.  She was about to transfer the call to another dispatcher when all of the computers in the 911 center began to power down.  At this point they knew something was going on, but not what.

Our on-scene team at first thought that this was someone's idea of adding a little twist to the exercise.  The 911 operator assured us that it was not.  A call was made to the IT department, and the 911 center soon discovered that the problem was not limited to their computers: computers all over the system were shutting down.  The local county and city governments share the network, resources and support staff for the computer systems.  They began getting calls from city and county employees from all areas: police, fire, emergency management, financial, HR, etc.  The first thing that came to mind was that a worm/virus was wreaking havoc on the City/County network.  They began an emergency shutdown of all equipment on the network to prevent spread and additional damage.

About an hour into their investigation they discovered that the culprit for the shutdown was not a worm/virus but an update that was being pushed out for the McAfee antivirus program.  The IT staff will have a long night tonight getting all of the damaged machines repaired and ready for the morning startup. They expect to have 80% of the machines back up by tomorrow morning and 99% back up by lunchtime tomorrow.

So you may assume that the loss of the 911 Center caused the Disaster Exercise to be called off.  After all, how can you have a disaster without your 911 operators, right? Not us.  When the 911 Center went offline at 9:05am, we had to decide whether to continue the exercise or call it due to the loss of 911.  Our EMS Director for the County decided to continue the exercise.  He began to do dispatch and communication using our 800MHz shared radio system.  We continued the exercise, decontaminated and transported roughly 120 people to the local hospitals, and successfully completed the exercise at 11am.

While we were in the hot wash debriefing, we received a call letting us know that it was not a worm/virus but the McAfee update that had caused the entire City/County to come to a screeching halt.  Many of the individuals in the debriefing grabbed cell phones to call back to the office with the news of what had happened.  For a few it was too late: the updates had already run, and their organizations too were experiencing the same problems.  Those that hadn't updated yet turned the updates off.  Others were relieved to find out that they were using a competitor's AV and were not in any danger.

Thanks to McAfee, we were forced to test our response to a disaster while in the midst of a real "disaster".  The positive that came out of the exercise is that we had a successful exercise while using our "backup" communication system.  It was a true test of our ability to adjust and respond to a disaster in less than perfect circumstances.  Isn't that really what our goal was?  We all know that many "disasters" have multiple components, and today we saw firsthand how true that is.


Deb Hale Long Lines, LLC


MS10-025 Security Update has been Pulled

Published: 2010-04-22
Last Updated: 2010-04-22 00:05:52 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

The MS10-025 security update (which affects only Windows 2000 Server) was pulled today because Microsoft found that it did not effectively address the underlying issue. A re-release of the update is planned for next week. Until that re-release is applied, systems that installed the original update should be treated as still unpatched for this issue. Additional information is available here.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Keywords: MS10025 removed