Hackers compromise Guidance Software customer data...

(@doppleganger)
Posts: 2
New Member
Topic starter
 

If you are a customer of Guidance you may want to closely scrutinize credit card statements, or even cancel the cards, you or your agency used to purchase Encase…

Guidance alerted customers to the incident in a letter sent last week, saying it discovered on Dec. 7 that hackers had broken into a company database and made off with approximately 3,800 customer credit card numbers.

http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html

- Dop

 
Posted : 20/12/2005 1:28 pm
(@chris55728)
Posts: 49
Eminent Member
 

More to the point, are Guidance going to be fined the $500,000 per violation (retaining the CVV numbers indefinitely). Given that the hackers got away with approx. 3800 credit card details I make that a rather hefty fine.

It'll be interesting to see how this progresses.

 
Posted : 20/12/2005 2:07 pm
(@jonathan)
Posts: 878
Prominent Member
 

Very slack; although Guidance do produce good products I sometimes feel that their market dominance perhaps gets in the way of innovation and perhaps in this case an arrogance regards to the impermeability of thier own network.

Here is a post from admin on their messageboards;

We would like to apologize to all who were inconvenienced by our message board being down. As many of you know, on December 7, 2005, we discovered a security breach of our electronic records. We quickly investigated the incident and determined that in November 2005, a hacker penetrated our perimeter defenses and obtained unauthorized access to one of our servers.

Guidance took this matter very seriously. Upon learning of the incident on December 7, we began investigating the unauthorized network activity and we remediated the hacker’s method of access. Although this event is extremely troubling, we are confident, based on an immediate forensic analysis, that the intrusion has now been effectively terminated and our network has been secured. As part of our investigation, we took some of our internet-facing systems off-line, which included the message board. Our team wanted to ensure the security of the message board before it was placed back on line.

So the hacker had access for over a week before they discovered it, and now they are only 'confident' that the breach has been terminated rather than knowing for sure. 😯

 
Posted : 20/12/2005 3:11 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Jonathan,

I'm not entirely clear on how your opinion of Guidance Software as a company relates to the issue at hand.

Guidance produces a software product that is used for incident response and computer forensic investigations.

How does their "market dominance" get in the way of innovation? Technology Pathways produces ProDiscover, AccessData produces FTK, and there are other freeware products such as Sleuthkit and PyFlag. In addition to the products, there is no end of opportunities for training and services.

Keep in mind that the folks who maintain/manage the web servers are very often completely different from the folks who create, sell, and implement the company's products. Also, they aren't a web server security product and/or consulting company.

Finally, where have you seen the arrogance with regards to "the impermeability[sic] of thier[sic] own network"?

Thanks,

Harlan

 
Posted : 20/12/2005 4:28 pm
(@jonathan)
Posts: 878
Prominent Member
 

I believe from my experience in dealing with Guidance that the incident was perhaps indicative of the 'culture' that has developed within the company. It's my opinion, not a statement of fact.

For instance, on the launch of EnCase 5 and being invited to one of their seminars, the event was shabby from start to finish: no demo disks as promised, their marketing guys hadn't been issued with business cards so had to write their details on scraps of paper, and follow-up letters came weeks late. Also, when you buy their products in the UK they deliver them with a 2-pin US power lead, which they are aware is useless to their UK clients. Although their customers' credit card details (with CVV numbers) were found to be compromised on the 7th December, they sent postal letters out to customers on the 13th December which have only been received in the UK yesterday and today. Unforgivable - why on earth not send emails out on the 7th or 8th?

The companies I have worked for wouldn't allow this to happen, so why should Guidance? As I said in my original post, they do make some good products but they tend to overlook client care in my experience and in the examples I have outlined in the paragraph above. To me this indicates arrogance, and I said that this perhaps is reflected elsewhere within the corporation. I do accept your point that the web server people may be completely different - but then again it is Guidance's responsibility to ensure that they source and control their suppliers accordingly.

As for Guidance's market dominance, see Microsoft for an example of a company with dominance in an IT sector charging top rates for their software where innovation is the last thing on their mind and where security also suffers.

Thanks,

Jonathan

 
Posted : 20/12/2005 5:10 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Jonathan,
I take it you have never been at the discovery end of an incident that involves disclosure of sensitive information. Discovery on the 7th leads to investigation for the next week. Several items MUST be verified before notifying..such as ensuring that the database contents (or database itself) were actually taken. Then you must make sure that all of the addresses are valid, and in a letter, someone at the top must sign it for authenticity – Ever try to hand sign 3800 letters? Not to mention they must prepare their legal defense team for what may inevitably come..which is a lawsuit. The secret service and the FBI are involved in the case, so therefore it takes time.

On another note, we as outsiders can not determine that the database was stored on the webserver. If it was then yes, shame on guidance but as any good company should do..the dbase should be on a different server. Servers get compromised..it's a fact of life. What bothers me, as others have pointed out is that it took them two weeks to notice. In a company like this I would expect better.

On another note, if guidance was smart about this they could turn it in to a marketing ploy.."when we were hacked we used encase to discover who did it"….

 
Posted : 20/12/2005 6:42 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

I have been impressed with how Guidance handled this incident. As both a law enforcement and a private customer I received two letters, each addressing the particular concerns with the two different accounts. I am not concerned about a delay in being notified, so long as there is no delay in the investigation.

In my years of dealing with Guidance I have not seen the "air of arrogance" that Jonathan speaks about. Further, while they certainly don't have a perfect product, a lack of innovation is the last criticism that comes to mind.

 
Posted : 20/12/2005 7:04 pm
skip
(@skip)
Posts: 57
Trusted Member
 

> If you are a customer of Guidance you may want to closely scrutinize credit card statements, or even cancel the cards, you or your agency used to purchase Encase…
>
> Guidance alerted customers to the incident in a letter sent last week, saying it discovered on Dec. 7 that hackers had broken into a company database and made off with approximately 3,800 customer credit card numbers.
>
> http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html
>
> - Dop

Could be interesting if this was a Red Herring. The hackers were really after the source…either this version or the next. They take the source hoping that they could find a vulnerability that, when exploited, would allow them to avoid detection/investigation.

So, here is a question, have the stolen credit cards been used? And when used will they lead to the villain or to a patsy/hacker that got the credit card numbers in exchange for the source?

DOM DOM DOmmmmmmm!

Skip

EDIT: remember this thread
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=548

 
Posted : 20/12/2005 11:43 pm
(@jonathan)
Posts: 878
Prominent Member
 

> Jonathan,
> I take it you have never been at the discovery end of an incident that involves disclosure of sensitive information.

No I haven't. However, that doesn't bar me as a paying customer of Guidance from airing an opinion on the matter. I find it alarming that a company that sells itself as "Find out where and how your network has been compromised — at unparalleled speeds, with 100% accuracy" takes three weeks to tell its European customers that their credit cards have been compromised, and then posts a message on their site that, far from having "100% accuracy" on the breach, they are merely "confident" that they know what has happened.

> Discovery on the 7th leads to investigation for the next week. Several items MUST be verified before notifying..such as ensuring that the database contents (or database itself) were actually taken. Then you must make sure that all of the addresses are valid, and in a letter, someone at the top must sign it for authenticity – Ever try to hand sign 3800 letters?

Maybe this is unique to US law - that the top person is obliged to sign every letter to their customers on discovery of a security breach? They could have still emailed us here in the UK however.

> Not to mention they must prepare their legal defense team for what may inevitably come..which is a lawsuit. The secret service and the FBI are involved in the case, so therefore it takes time.

Shouldn't a leading global company in IT security have business continuity plans and contingency measures in place that swing into action after such incidents?

 
Posted : 21/12/2005 2:29 am
(@jonathan)
Posts: 878
Prominent Member
 

> I have been impressed with how Guidance handled this incident. As both a law enforcement and a private customer I received two letters, each addressing the particular concerns with the two different accounts. I am not concerned about a delay in being notified, so long as there is no delay in the investigation.
>
> In my years of dealing with Guidance I have not seen the "air of arrogance" that Jonathan speaks about. Further, while they certainly don't have a perfect product, a lack of innovation is the last criticism that comes to mind.

I think storing their customers' names, addresses, telephone numbers, card numbers and CVV numbers (going against merchant guidelines published by both Visa and MasterCard) in unencrypted databases at minimum shows a blasé attitude to the valuable data they hold on behalf of their customers.

The CEO of Guidance John Colbert said regular mail was the quickest way to inform their customers. "We don't have email addresses for everybody, and we found that their physical addresses are more permanent than their email addresses," he said. Then why not send emails to those clients that he did have emails for? Is it even possible to order Guidance products without providing an email address?

 
Posted : 21/12/2005 2:57 am