Posts by GarWarner

2 publicly visible posts • joined 15 Feb 2013

Home Depot: Someone's WEAK-ASS password SECURITY led to breach

GarWarner

Normal Behaviour?

RE: "Let’s be clear: this is not hacking, this is routine activity that looks like normal behaviour."

If downloading 53 or 56 million accounts is "normal behaviour" on your network you should fire your security staff and start fresh. Access control is about classification, categorization, and rate of flow. Audit controls should be established that address all three. (1) Do I trust this user for this level of sensitivity? (2) Does the category of data being accessed relate to the role held by this user? (3) Is the volume of data being requested consistent with the roles and responsibilities held by this user?

If you are exceeding authority in any of those categories via cyber means, you are not performing "normal behaviour" - you are hacking!

Gary Warner - UAB Computer Forensics
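
The three audit questions in the comment above, sketched as a check over one day of access events. This is an added example, not part of the original post; the role names, sensitivity levels, thresholds and events are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy (assumption): sensitivity ranks, and for each role its
# clearance, permitted data categories and a daily record ceiling.
SENSITIVITY = {"public": 0, "internal": 1, "cardholder": 2}
ROLES = {
    "cashier": {"clearance": 1, "categories": {"inventory"}, "daily_records": 500},
    "fraud_analyst": {"clearance": 2, "categories": {"payments"}, "daily_records": 5_000},
}

@dataclass
class Access:
    user: str
    role: str
    category: str
    sensitivity: str
    records: int

def audit(events):
    """Return {user: sorted list of violated controls} for one day of events."""
    totals, findings = {}, {}
    for e in events:
        role = ROLES[e.role]
        flags = findings.setdefault(e.user, set())
        # (1) classification: is this user trusted at this sensitivity level?
        if SENSITIVITY[e.sensitivity] > role["clearance"]:
            flags.add("classification")
        # (2) categorization: does the data category relate to the role?
        if e.category not in role["categories"]:
            flags.add("categorization")
        # (3) rate of flow: is the cumulative volume consistent with the role?
        totals[e.user] = totals.get(e.user, 0) + e.records
        if totals[e.user] > role["daily_records"]:
            flags.add("rate_of_flow")
    return {u: sorted(f) for u, f in findings.items() if f}

# Constructed sample events. carol passes checks (1) and (2) on every request;
# only her cumulative volume is out of line with her role.
EVENTS = [
    Access("alice", "fraud_analyst", "payments", "cardholder", 1_200),
    Access("bob", "cashier", "inventory", "internal", 300),
    Access("bob", "cashier", "payments", "cardholder", 40),
    Access("carol", "fraud_analyst", "payments", "cardholder", 3_000),
    Access("carol", "fraud_analyst", "payments", "cardholder", 3_000),
]

if __name__ == "__main__":
    for user, flags in audit(EVENTS).items():
        print(user, flags)
```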

Spanish cops cuff 11 for €1m-a-year ransomware scam

GarWarner

Reveton?

John,

Curious why you say this is Reveton? Pretty sure this was NOT Reveton. Is this an assumption that "Police Lock" = Reveton? There are at least four copycat rings doing "PoliceLock" malware, but that are not Reveton. I haven't seen anything that would cause me to believe this was Reveton.

Thanks for the story though! If you have a reliable source calling this Reveton, please let me know! Would like to talk with them!

_-_

gar