The US DoJ released a press announcement two days ago that says a virtualized environment administrator has admitted to a serious breach.

In the early morning hours of February 3, 2011, Cornish gained unauthorized access to Shionogi’s computer network. Cornish used a Shionogi user account to access a Shionogi server, then took control of a piece of software that he had secretly installed on the server several weeks earlier.

Cornish then used the secretly installed software program to delete the contents of each of 15 “virtual hosts” on Shionogi’s computer network. These 15 virtual hosts (subdivisions on a computer designed to make it function like several computers) housed the equivalent of 88 different computer servers.

That “secretly installed software program” they are talking about sounds really nefarious, but it is actually just VMware vSphere. It is explained better in the formal complaint.

…on or about January 13, 2011, defendant Cornish accessed the CVAULT account and used that to install vSphere — the software program believed to have been used to delete Shionogi’s virtual hosts…officials advised that there was no legitimate business reason for vSphere to be installed or running on the SPVC01 Server.

The press release says Cornish did not attempt a sophisticated attack. He accessed his ex-employer and installed vSPhere from his home network. When he connected again to cause harm (two weeks later) he went to a McDonalds and used his credit card to buy breakfast before using the free wifi.

The investigation by the FBI’s Cyber Crimes Task Force revealed that the attack originated from a computer connected to the wireless network of a Smyrna McDonald’s where Cornish had used his credit card to make a purchase minutes before the attack. Cornish also gained unauthorized access to Shionogi’s network from his home Internet connection using administrative passwords to which he had access as an employee.

The formal complaint again gives more detail.

According to McDonald’s business records, a Visa credit card number ending in 8291 (“the 8291 Visa”) was used at the Smyrna McDonald’s to make an approximately $4.96 purchase…approximately 5 minutes before the attack…

Approximately $4.96? I’d like to see a more exact purchase record.

It seems like he either wanted to be caught or didn’t care much about the risk. Google confirmed that the same credit card number that bought breakfast was linked to an email account used by Cornish. And the credit card issuer, BofA, confirmed that Cornish is the account holder.

Given the timeline and the software and network details this case really boils down to termination procedures and risk management. It’s not about secret software. It’s about a bad actor who abused trust. Cornish worked for Shionogi from 2009 to 2010. The complaint suggests his attack was successful because he could authenticate and use systems many months after his departure without being noticed.

So, on the one hand the DoJ press release is a success story. Logs were available from multiple sources for at least six months of activity and were used to quickly apprehend and get an attacker to admit the crime. On the other hand the details of the attack beg a question of precautions and operational awareness.

It is unfortunate that Shionogi was a victim of this crime but will someone say they should have taken better care, like changing passwords after staff were terminated or left? In other words should a company be externally required to take precautions against an availability loss if there is no impact outside the company (e.g. no regulated data risk)?

It’s a classic case of attack economics. Should a business invest in thicker glass, replace their glass altogether, or improve the chances of catching someone who throws bricks? A related question would be whether and when a victim should realize the level of risk. Did Shinonogi make a conscious decision to leave themselves exposed, or were they somehow led to believe they were safe from easy but devastating harm ($300,000) by former employees?

It’s a good case study of security and compliance as well as the double-edge of remote administration tools in virtual environments.

VMware’s vCenter Orchestrator has a plugin now to develop and automate workflow with the Advanced Message Queuing Protocol (AMQP) — manage brokers and run custom operations.

With this new plug-in, organizations will be able to define policies that automatically trigger specific workflows based on certain AMQP messages. For instance, as part of a vApp pre-provisioning activity in vCloud Director (vCD), vCenter Orchestrator (vCO) can intercept the provisioning request and automatically fetch an IP address from an external system before telling vCD to proceed with the provisioning activity. Or, upon detecting that the vApp provisioning operation is complete, vCO can update CMDBs and other management systems with information about the new vApp instance. What’s more, the AMQP plug-in provides the ability to not just monitor but also publish AMQP messages and conduct administrative tasks such as configuring AMQP brokers and managing queues. Finally this plug-in supports VMware vFabric RabbitMQ as well as other implementations of AMQP.

AMQP is a wire-level protocol, as I mentioned earlier with regard to sniffing.