Vulnerabilities / Threats

8/13/2008
09:46 AM
50%
50%

At Countrywide, One Overlooked PC Led to Loss of 2M Records

Insider used the one machine that hadn't been 'fixed' to prevent use of external storage devices

If your primary defense against portable storage devices is to seal up the USB ports on your users' computers, you'd better be pretty darn good with a glue gun.

That's the message that's emerged from court documents surrounding the recently revealed security breach at Countrywide Home Loans, where an employee siphoned off about 20,000 customer records a week for more than two years and sold them to a third party. (See Ex-Countrywide Employee Charged With Selling Customer Data.)

An affidavit by an FBI special agent assigned to the case reveals exactly how the insider attack took place. It states that in an effort to prevent users from loading unauthorized data onto memory sticks or other portable storage media, Countrywide had sealed the USB ports on all of its employees' machines -- all, that is, except one.

Rene Rebollo Jr., 36, a former senior financial analyst with Countrywide Home Loan’s subprime mortgage division, found that one machine near his own workspace, according to the affidavit. And so, every Sunday night for about two years, Rebollo brought a memory stick over to that machine and downloaded personal information on approximately 20,000 customers.

Countrywide had not deployed any method for detecting or managing downloads to portable storage devices, since its policy was to block their use entirely on all employee machines. As a result, the downloads went undetected for years, leading to the compromise of some 2 million records, according to court documents.

A criminal complaint against Rebollo said that he earned about $65,000 a year at Countrywide and had opened a personal bank account for holding what he estimated to be up to $70,000 in proceeds from Countrywide data sales. Experts have said that Rebollo woefully underestimated the value of the mortgage data, which is difficult to get on the black market and can fetch several dollars per record.

Disabling USB ports -- either logically through the registry or physically, by sealing them with glue or some other permanent substance -- is a simple way to prevent users from accessing portable storage devices, experts said. But it can prove fallible.

"This is certainly a quick way to lower the risk of information transfer," said Tom Olzak, director of information security at HCR Manor Care, in a recent blog. "It isn't difficult, especially in a Windows environment. A simple registry hack on each workstation, easily deployed via login scripts, can completely shut down USB and Firewire ports.

"But this might cause a problem if you deploy USB or Firewire devices like keyboards, mice, displays, etc.," Olzak noted. "A direct registry modification to achieve a security result is not my idea of a good time." For many enterprises, encryption or granular control of USB ports may prove to be better options than disabling USB altogether, he suggested.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11354
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, the IEEE 1905.1a dissector could crash. This was addressed in epan/dissectors/packet-ieee1905.c by making a certain correction to string handling.
CVE-2018-11355
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, the RTCP dissector could crash. This was addressed in epan/dissectors/packet-rtcp.c by avoiding a buffer overflow for packet status chunks.
CVE-2018-11356
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the DNS dissector could crash. This was addressed in epan/dissectors/packet-dns.c by avoiding a NULL pointer dereference for an empty name in an SRV record.
CVE-2018-11357
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LTP dissector and other dissectors could consume excessive memory. This was addressed in epan/tvbuff.c by rejecting negative lengths.
CVE-2018-11358
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented certain cleanup.