
T-Mobile Breach

News is circulating that T-Mobile servers have been breached. An anonymous message to the Full Disclosure mailing list on Saturday was the start of the topic. This message included a claim that T-Mobile has been owned for some time, and that the attackers “have everything” up for sale to the highest bidder. It also included a list of 511 production server details such as their hostname, IP address, OS and applications.

This situation raises two distinct questions. First, how can an organization best anticipate and detect breaches? The second question is how an organization can best respond to a breach, especially with regard to preventing another.

Before answering those questions, a quick look at the spreadsheet of servers raises several other questions. For example, do the 511 servers in the message have anything in common? Are they managed from a particular department or under a specific project? This kind of analysis could help reveal that the attack was a leaked document rather than a breach of network security. A quick review shows all of the systems listed are a UNIX flavor. Either the attackers did not want to reveal a more representative sample from their victims or they may really just have found a UNIX project manager’s USB in a parking lot.

Back to the core questions, the best way to anticipate and detect breaches is by analyzing logs. If the attackers were trying to inventory systems on the network, for example, this activity would leave a trail of evidence in those system logs. All 511 servers listed should have the same or similar footprint left by the attackers. The network devices connecting the servers also would have log information to help identify attacks. This means a robust log archive and analysis system would need to be in place when attacks begin in order to capture enough information to identify the problem and alert administrators before the breach is successful or spreads. Log management is no longer just about operating systems and network devices, however. It also needs to incorporate detailed user information from identity systems, especially with regard to shared or system accounts. Identity integration means that if the attackers compromise the “root” account, logs can be correlated to show which user was really using root.

Log management is also critical in responding to a breach. Proving that there was no attack requires an archive of logs that can go back several years. This can be used to counter any claims that the servers have been breached for “some time”. The logs could show that a breach actually did not happen. On the other hand, the ability to identify attack signatures, as mentioned above, also helps with avoiding future breaches. When the attack vector is thoroughly understood, an alert can be programmed into Security Information and Event Management (SIEM) systems. Every time a log or set of logs has a particular attack, or even just similarities to other attacks, the SIEM can send out an instant alert or start a watch list for administrators to investigate.
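As an added illustration of the two points above (tying root activity back to a real user, and turning a known footprint into a SIEM-style alert across many hosts), here is a small correlation script. It is not code from the original post; the syslog lines, hostnames, usernames, IP addresses, the list of "inventory" commands and the two-host/fifteen-minute threshold are all constructed assumptions for the example. The same actor running inventory commands on one host is routine administration; the alert fires only when one source touches several hosts in a short window, which is the shared footprint the post expects to see across the listed servers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines from three hypothetical hosts (not from the post).
# db01/app02: an account "jsmith" logs in from 10.1.1.50 and uses sudo to inventory the host.
# web03: a direct root login from the same address, with no person behind it in the logs.
# db01 later: an admin "mwong" runs one inventory command and a service restart (benign).
SAMPLE_LOGS = """\
Jun 6 02:14:01 db01 sshd[4821]: Accepted publickey for jsmith from 10.1.1.50 port 51234 ssh2
Jun 6 02:14:30 db01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/netstat -an
Jun 6 02:14:41 db01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /etc/hosts
Jun 6 02:19:12 app02 sshd[1190]: Accepted publickey for jsmith from 10.1.1.50 port 51240 ssh2
Jun 6 02:19:40 app02 sudo: jsmith : TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/sbin/ifconfig -a
Jun 6 02:23:05 web03 sshd[7712]: Accepted password for root from 10.1.1.50 port 51251 ssh2
Jun 6 09:01:17 db01 sshd[5102]: Accepted publickey for mwong from 10.2.0.8 port 40012 ssh2
Jun 6 09:02:03 db01 sudo: mwong : TTY=pts/2 ; PWD=/home/mwong ; USER=root ; COMMAND=/usr/bin/netstat -an
Jun 6 09:02:44 db01 sudo: mwong : TTY=pts/2 ; PWD=/home/mwong ; USER=root ; COMMAND=/sbin/service postgresql restart
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Assumed "inventory" footprint: host and network discovery commands run as root.
INVENTORY_CMDS = ("/usr/bin/netstat", "/sbin/ifconfig", "/bin/cat /etc/hosts",
                  "/usr/sbin/arp", "/usr/sbin/showmount")


def parse_line(line, year=2009):
    """Split one syslog line into (timestamp, host, program, message); None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["prog"].strip(), m["msg"]


def analyze(log_text, min_hosts=2, window=timedelta(minutes=15)):
    """Return (findings, alerts).

    findings: list of (host, time, real_user, source_ip, description), one per footprint hit.
      real_user is the sudo invoker (the person behind root) or "root" for a direct root login.
    alerts:   {source_ip: sorted hosts} for sources whose hits span >= min_hosts within window.
    """
    last_login = {}   # (host, user) -> source ip of that user's most recent ssh login
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, prog, msg = rec
        if prog == "sshd":
            m = SSH_RE.match(msg)
            if m:
                last_login[(host, m["user"])] = m["ip"]
                if m["user"] == "root":   # identity gap: no named user to correlate to
                    findings.append((host, ts, "root", m["ip"], "direct root login"))
        elif prog == "sudo":
            m = SUDO_RE.match(msg)
            if m and m["target"] == "root" and m["cmd"].startswith(INVENTORY_CMDS):
                ip = last_login.get((host, m["user"]), "unknown")
                findings.append((host, ts, m["user"], ip, f"inventory command: {m['cmd']}"))

    by_source = defaultdict(list)
    for host, ts, _user, ip, _desc in findings:
        by_source[ip].append((ts, host))

    alerts = {}
    for ip, events in by_source.items():
        events.sort()
        # Each event anchors a window; count the distinct hosts touched inside it.
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[ip] = sorted(hosts)
                break
    return findings, alerts


if __name__ == "__main__":
    found, alerted = analyze(SAMPLE_LOGS)
    for host, ts, user, ip, desc in found:
        print(f"{ts:%H:%M:%S} {host:6} user={user:7} from={ip:10} {desc}")
    for ip, hosts in alerted.items():
        print(f"ALERT: {ip} touched {len(hosts)} hosts within window: {', '.join(hosts)}")
```

Running it lists five footprint hits and one alert: 10.1.1.50 reaches db01, app02 and web03 inside nine minutes, while mwong's single netstat on db01 stays below the threshold. The web03 entry is reported with user "root" because nothing in these logs names the person, which is exactly the gap the identity integration described above is meant to close.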

Perhaps most important of all is to recognize the potential cost of disruption from this kind of message. Does your organization have a system in place to rapidly assess the validity of an attack claim? Without an effective system of managing logs and security information, an anonymous message to a forum could pose a significantly high risk even without any validity or proof. The T-Mobile message raises a number of important points that organizations should reflect upon as they review their logs tonight.

Lessons from Flight AF 447

Spiegel Online has the best analysis I have seen so far on the Air France crash. They highlight the Call for Airborne ‘Black Box’ Data Stream:

If search teams fail to recover the flight recorder, which consists of two metal devices that record flight data and cockpit conversations, this question may never be answered. “It would be a real shame for aviation,” says Robert Francis, the former vice chairman of the National Transportation Safety Board, the agency that investigates aviation accidents in the United States. “If we want to avoid dramas like this in the future, we have to know what went wrong,” says the safety expert. For this reason, Francis wants to see all important flight data transmitted via satellite in the future, using ACARS technology. “This crash demonstrates how valuable this technology could be,” he says.

The technology exists today. A simple change to the black box program is all that would be necessary.

Krishna Kavi, an engineer and professor at the University of North Texas in Denton, presented the US Federal Aviation Administration (FAA) with a similar system 10 years ago. “The cost is low,” he says. For the 256 parameters recorded by a black box, Kavi came up with a volume of data requiring transmission of four to eight kilobits per second. “This is a fraction of what mobile wireless devices transmit today,” says Kavi.

There will be debates about the bandwidth necessary, the level of information to send, etc., just like with log management. This is a fascinating way to look at the problems that most organizations face every day. Are you logging the right level of information to detect a failure in time and to avoid a repeat? It is not clear that AF 447 would have been avoidable with better monitoring systems, but it would certainly help with the speed and cost of post-incident analysis. Note that it is the pilots who seem to object most to increasing the signal rate and using surveillance. They claim privacy rights, to which the response obviously should be encryption.

Chimpanzee Spatial Memory

The BBC tells how Chimps mentally map fruit trees:

Chimpanzees remember the exact location of all their favourite fruit trees.

Their spatial memory is so precise that they can find a single tree among more than 12,000 others within a patch of forest, primatologists have found.

More than that, the chimps also recall how productive each tree is, and decide to travel further to eat from those they know will yield the most fruit.

Amazing. I’ll have to incorporate this into my next presentation on network monitoring. Although it seems thorough, the study left some things undone.

Intriguingly, female chimpanzees travelled shorter distances to eat than males. The researchers don’t know why, but speculate that it is either because females better remember the locations of trees, or because males simply compete with one another by ranging more widely through their territory.

Technology and data analysis can only get you so far, apparently, as the researchers leave this one open to interpretation. Who can crack the mystery of gender-based differences in chimpanzee navigation? Perhaps the females stop to ask for directions?

Spies for Cuba Arrested in US

A man who worked in the State Department and his wife have been accused of spying for Cuba for 30 years:

The documents describe the couple’s spying methods changing with the times, beginning with old-fashioned tools of Cold War spying: Morse code messages over a short-wave radio and notes taken on water-soluble paper. By the time they retired from the work in 2007, they were reportedly sending encrypted e-mails from Internet cafes.

The criminal complaint says changing technology also persuaded Gwendolyn Myers to abandon what she considered an easy way of passing information, by changing shopping carts in a grocery store. The document quoted her as saying she would no longer use that tactic. “Now they have cameras, but they didn’t then.”

Store cameras as a deterrent for international spying? That’s a new one. Wonder if I could have added it to proposals and won even more funding?