You will not get an argument against end-to-end encryption, especially since I’ve been working on exactly such a solution since 2004. I think it is great that everyone seems to be headed this direction finally. A CFO once told me he would not approve the dollars for encryption until he saw it become mainstream news…well, we have arrived. With that in the pocket there is another element in the Heartland story that needs more discussion.

Would a well-configured monitoring/SIEM solution have helped prevent the heartland breach?

The clue to finding the malware was a set of orphaned .tmp files. In other words, an unknown/hidden application in slack space dumped a few files to the OS that were not recognized. StorefrontBacktalk has details:

While the first team was working, Heartland had a second forensic team brought in to check the entire system. “That first firm had a very specific scoping of their assignment. The second firm was working in parallel on the rest of that processing.”

That second team “was nearing conclusion” and was about to make the same assessment the first team did: clean bill of health. But one of the last things that external, qualified risk assessor did was to try and match various temp files with their associated application. When some orphans—.tmp files that couldn’t be matched to any application or the OS—were turned over to Heartland’s internal IT group, they also couldn’t explain them, saying that it was “not in a format we use,” Baldwin said. More investigation ultimately concluded that those temp files were the byproduct of malware, and more searching eventually located the files in the unallocated portions of server disk drives.

Had the system been alerting on tmp files, the malware would have been identified earlier. That’s a great way to catch malware, since you can guarantee that the attackers will have a hard time eliminating tmp files being written to spaces they do not anticipate. In other words, they will have to program far more cleanly to avoid a dirty software detector such as SIEM.

Fun, no?

Some recent fun in the fluffy stuff. Ride safely:

Just like information security on a large corporate network. Want me to explain how to achieve NERC CIP 002-009 compliance, or perhaps avoid HIPAA fines…let’s go skiing. Speaking of tips, when in Vail on a big powder day head for Red Square:

Way to go Heath!

A truly gut wrenching story is now being circulated about a WWII veteran who slowly froze to death after a utility company installed a device that shut off his power. The Star Tribune title gives a good indication of where things are headed: Freezing death of Mich. man in house sparks anger, soul-searching, resolve to prevent repeat

On Jan. 13, a worker with the city-owned utility installed a “limiter” on Schur’s electric meter after four months of unpaid bills. The device restricts power and blows like a fuse if usage rises past a set level. Electricity is not restored until the device is flipped back on by the homeowner, who must walk outside to the meter.

City Electric Light & Power did not contact Schur face-to-face to notify him of the device and explain how it works, instead following its usual policy by leaving a note on the door. But neighbors said Schur rarely, if ever, left the house in the cold.

At some point, the device evidently tripped and was not reset, authorities said. Schur’s home was heated by a gas furnace, not electricity, but some gas furnaces do not work properly if the power is out.

Should the neighbors have monitored his situation and intervened, should the utility have interfaced with their customer more? This all begs the question of monitoring and surveillance as well as privacy. Perhaps the most pressing issue for some is that the man was elderly and needed special care, but it is not clear how and when this level of detail can be managed before the utility enters into security issues around privacy? On the flip side, if a customer has paid their bill regularly for fifty years, how difficult can it be for a utility to wait a couple months until temperatures/conditions are safe before terminating power and starting an investigation?

Also worth noting is that the utility in question is a municipal entity and therefore escaped a law designed specifically to prevent this type of tragedy.