Tuesday, December 23, 2014

Interested in Pen Test - Check out these 10 slide decks





  1. Crazy Sexy Hacking - Mark Baggett
  2. Hacking in Meatspace - Matt Linton
  3. Hacking to Get Caught - Raphael Mudge
  4. How To Give the Best Pen Test of Your Life - Ed Skoudis
  5. iOS Game Hacking - How I Ruled the Worl^Hd and Built Skills for AWESOME Mobile App Pen Tests - Josh Wright
  6. Kicking the Guard Dog of Hades - Attacking Microsoft Kerberos - Tim Medin
  7. Penetration Testing is Dead - Katie Moussouris
  8. Pentesting Web Frameworks - Justin Searle
  9. Secret Pen Testing Techniques, Part 2 - David Kennedy
  10. The State of the Veil Framework - Will Schroeder and Chris Truncer
  11. Use of Malware by Penetration Testers - Wesley McGrew




Follow this link for additional details:

A chain is only as strong as its weakest link - you (example: JP Morgan) will get hacked even if you spend $250 Million every year


There are two things I always remember


  1. A chain is only as strong as its weakest link (so, know what you want to protect and then find the right method (simple is always best) to protect it)
  2. Security is part philosophy (sometimes what you think and believe may not be the best method of protection, so listen well and adapt quickly)


From the Article

Big corporations like JPMorgan spend millions — $250 million in the bank’s case — on computer security every year to guard against increasingly sophisticated attacks like the one on Sony Pictures. But the weak spot at JPMorgan appears to have been a very basic one.


JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme (2 Factor), the people briefed on the matter said. That left the bank vulnerable to intrusion.



Follow this link for additional details:

Monday, December 22, 2014

If you shopped at STAPLES - Keep an eye on your credit card activity



Target is old news - STAPLES is the latest - 1.2 million credit cards' information lost



From the Article

“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” 


While the Staples breach is dwarfed in the number of lost records by Home Depot and Target, the common link is poorly secured point-of-sale systems and effective malware targeting those platforms and stealing payment card data before it is encrypted.



Follow this link for additional details:

Friday, December 19, 2014

SS7 Vulnerability - Be careful about what you say on your cell phone






From the Article

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. 


  • In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function -- a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

  • The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.



Follow this link for additional details:

Another short-n-sweet piece of advice from Schneier - Lessons from the Sony Hack


If one could condense the wisdom of an entire book into a single article, this would be it.




From the Article

To understand any given episode of hacking, you need to understand who your adversary is. I've learned to separate opportunistic attacks from targeted ones.

You can characterize attackers along two axes: skill and focus.


Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

Follow this link for additional details:
https://www.schneier.com/blog/archives/2014/12/lessons_from_th_4.html

Monday, December 15, 2014

Ever heard of "Certificate Transparency"?



Certificate Transparency is a proposal from engineers at Google that would help resolve some of the issues with certificate authorities, fraudulent certificates and stolen certificates. The framework would provide a public log of every certificate that’s issued by compliant CAs and also would provide proof to users’ browsers when each certificate is presented. Google is planning to implement CT in Chrome, and now Mozilla officials say that the company will implement it in Firefox, but the process will be a gradual one.
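The public log and the per-certificate proof mentioned above rest on a Merkle hash tree. As an added example (written here, not taken from the article or from Google's or Mozilla's CT code), the Python below builds a log's tree hash, produces an inclusion proof for one entry and verifies it client-side following RFC 6962; the `cert-N` byte strings are constructed stand-ins for real certificates.

```python
import hashlib
from typing import List

# RFC 6962 domain separation: a leaf and an interior node are hashed with
# different one-byte prefixes, so one can never be mistaken for the other.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(entry: bytes) -> bytes:
    """Hash of one log entry (a certificate in a real log)."""
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n; RFC 6962 splits the tree here."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1; this is the root a log publishes
    in its signed tree head."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_proof(entries: List[bytes], m: int) -> List[bytes]:
    """Audit path PATH(m, D[n]): the sibling hashes needed to rebuild the root
    from entry m. This is what a log hands out for a given certificate."""
    n = len(entries)
    if not 0 <= m < n:
        raise IndexError("leaf index outside the tree")
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): walk from the leaf up,
    deciding from the index bits whether each sibling sits to the left or the
    right, and compare the recomputed root with the published one."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    h = leaf_hash(entry)
    for sibling in proof:
        if sn == 0:
            return False  # more proof nodes than the tree height allows
        if fn & 1 or fn == sn:
            h = node_hash(sibling, h)  # sibling is to our left
            if not fn & 1:
                # rightmost node at this level: skip the levels where a
                # right-edge node has no sibling at all
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            h = node_hash(h, sibling)  # sibling is to our right
        fn >>= 1
        sn >>= 1
    return sn == 0 and h == root


if __name__ == "__main__":
    # Constructed stand-ins for the DER certificates appended to a log.
    log = [b"cert-%d" % i for i in range(7)]
    root = merkle_tree_hash(log)
    proof = inclusion_proof(log, 4)
    print("entry 4 present:", verify_inclusion(log[4], 4, len(log), proof, root))
    print("forged entry   :", verify_inclusion(b"forged", 4, len(log), proof, root))
```

A browser that holds only the signed root can therefore check a presented certificate against the log with a handful of hashes, without downloading the log.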


Follow the link below for more details

http://threatpost.com/mozilla-to-support-certificate-transparency-in-firefox/109819

Thursday, December 4, 2014

Scary Statement: “The malware authors are flashing the malware variants onto the firmware of phones headed to consumers."

A new Chinese Trojan?


According to the article

DeathRing is disguised as a ringtone app but in reality downloads SMS and WAP content from its command-and-control server to the victim’s phone, according to mobile security vendor Lookout.

This enables the attackers to phish personal information via fake texts or prompt the victim to download more malware disguised in APKs, the firm claimed.


More details below:
http://www.infosecurity-magazine.com/news/deathring-chinese-trojan-preloaded

Tuesday, November 11, 2014

Where there is a will there is a way.


It is not all Doom and Gloom in this world.

Here is the story of a man who ended up homeless and eventually bounced back.



http://www.popsci.com/article/diy/how-one-man-hacked-his-way-out-homelessness

Thursday, October 30, 2014

Believe it or NOT - Some ATMs are still running Windows XP


You would expect banks to be careful because they deal with money.
Apparently that is not the case.

Some of them also had USB ports and CD-ROM drives enabled.


From the article:

Jacco Van Tuijl, who conducts penetration testing (sanctioned hacking into systems to determine their vulnerability to attacks) for banks in the Netherlands, pointed out that many ATMs still use the now-obsolete, 13-year-old Windows XP operating system


"The ATM is basically a computer. We have conducted penetration tests and were able to access USB ports inside of ATMs by cutting through the metal."


Police said the suspects hacked the machines by inserting a disc into the ATMs' CD-ROMs that would then infect the machines with a virus or malware.


For more details follow the link below:

Wednesday, October 29, 2014

Security is only as good as the weakest link - micro-chipped credit cards are no exception


Hackers didn't hack the cards. They hacked the bank and are processing fake transactions with the more secure cards.


From the Article

Each microchipped credit card has something called a cryptogram. It tells the bank whether a card or transaction has been modified in any way. But once the hackers got control of a payment terminal, they could change the data and make a fraudulent purchase.

So what happened with the cryptograms and the card security? The Consumerist says the banks were relying on them to be secure... and no one actually checked the transaction reports! 



Follow this link for additional details:

Friday, October 24, 2014

Identity Theft is much easier than you think - Don't believe me? Check this article



  • When Google offered email, we surrendered part of our privacy
  • When someone offers free WiFi and we connect without bothering to check, we deserve whatever happens next


There are three ways of getting information:
  1. The hard way - break into someone else's system
  2. The easy way - make them connect to your fake WiFi and let them hand you all the information
  3. Depends on the need/user - social networking




From the Article

Wouter removes his laptop from his backpack, puts the black device on the table, and hides it under a menu. A waitress passes by and we ask for two coffees and the password for the WiFi network. Meanwhile, Wouter switches on his laptop and device, launches some programs, and soon the screen starts to fill with green text lines. It gradually becomes clear that Wouter’s device is connecting to the laptops, smartphones, and tablets of cafe visitors.



Follow this link for additional details:

Tuesday, October 21, 2014

Another day, another breach - it is STAPLES' turn



From the Article

It appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.


Follow this link for additional details:

http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/

Tuesday, October 14, 2014

Putting Windows XP to full use - by creating a 500,000-PC botnet


Well, someone is putting it to good use.


From the Article

What the attackers are after is online banking logins, which form half the business, and PCs that can be sold on to other criminals as compromised machines inside interesting organisations. These can also then be used as proxies for third-party attacks.

Perhaps the real story is the incredible ease with which Qbot has found victims, 75 percent of which are based in the US. Significantly, 52 percent of these are running Windows XP, 39 percent Windows 7 with 7 percent Windows Vista.


Anyone who uses XP and still can't patch the old software on their system is probably beyond reach.


Follow this link for additional details:

Monday, October 6, 2014

USB Hack - Unfixable? - Once infected, computers and their USB peripherals can never be trusted again


Some time back I pointed to an article: "Can you or your computer detect a compromised USB device? - NO !!!"

So, if you were not careful before, change now!!

This is a follow-up.




(From the article)

Two security researchers, Adam Caudill and Brandon Wilson, have reverse-engineered a popular USB firmware from Taiwanese firm Phison, which powers hundreds of millions of devices. With the right exploit, USBs can become an injection conduit for malicious code—so, a flash drive could emulate a keyboard and issue commands on behalf of the logged-in user, to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer

The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.


The two are replicating research from SR Labs’ Karsten Nohl, who gave a talk at the Black Hat security conference discussing the exploit, which he dubbed BadUSB. However, given the persistent nature of the issue, he decided not to release it.

“No effective defenses from USB attacks are known,” he said in his information page on the issue.


To make matters worse, cleanup after an incident is nigh impossible.

“Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root,” Nohl said. “The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.”

In case we missed the point, he added, “Once infected, computers and their USB peripherals can never be trusted again.”


But the decision not to disclose is one that Caudill and Wilson feel is a grand mistake. So now, they’ve thrown the exploit code up on Github to bring attention to the issue.

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience in Louisville, Ky., last week. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

Government agencies and high-end espionage groups are probably already using it, Caudill told WIRED.

The link below has more information:-
http://www.infosecurity-magazine.com/news/unfixable-usb-hack-threatens-life/?utm_source=twitterfeed&utm_medium=twitter



Previous Article

http://martin-news-bytes.blogspot.com/2014/08/can-you-or-your-computer-detect.html

Tuesday, September 30, 2014

Thursday, September 11, 2014

The most important Internet security group you’ve never heard of



Interesting....



From the Article

The FIDO Alliance includes technology heavyweights like Google, Lenovo, Microsoft and Samsung; payments giants Discover, MasterCard, PayPal and Visa; financial services companies such as Aetna, Bank of America and Goldman Sachs; and e-commerce players like Netflix and Salesforce.com. 

FIDO was founded by Lenovo, PayPal, and security technology companies AGNITiO, Nok Nok Labs and Validity Sensors.

Two new authentication standards have been published for peer review, and half a dozen companies showcased FIDO-Ready solutions at the 2014 Consumer Electronics Show (CES).





Follow this link for additional details:

http://www.zdnet.com/the-most-important-internet-security-group-youve-never-heard-of-7000033537/

Tuesday, September 9, 2014

You are not safe anymore - Malvertising hits websites such as YouTube, Amazon and Yahoo


If three of the most popular sites are being targeted by malware, how can the common man survive?


If you have not done this before, do it now.

  1. Install AV / firewall
  2. Regularly patch your system (free tools like PatchMyPC do a good job)
  3. Take away admin privileges from your regular account and use "Run As" when you need admin rights
  4. Run your browser inside a sandbox such as Sandboxie.


A combination of all the above will still not stop all malware but will be a powerful defence against most of it.

Oh, I forgot the most important thing.
Don't click on anything in any email you receive (this will help you a lot).



From the Article

The network has been nicknamed “Kyle and Stan” due to those names appearing in subdomains of more than 700 websites the attackers have set up to distribute the malware, Pelkmann wrote.

“The large number of domains allows the attackers to use a certain domain just for a very short time, burn it and move on to use another one for future attacks,” he wrote. “This helps avoid reputation- and blacklist-based security solutions.”


When a victim is redirected by one of the ads, the computer downloads a piece of malware with a unique checksum, making it harder for security software to detect. The download may also contain legitimate software such as a media player. 


Follow this link for additional details:

Friday, September 5, 2014

Wiretapping - Now Outsourced



  • We can't trust the ISP, but we know them
  • We can't trust the Government, but we know that
  • Now we have shady middlemen (organizations) that do the dirty work, and we don't know them


From the Article


But when one Atlanta, Georgia-based Internet provider was served a top-secret data request, there wasn't a suited-and-booted federal agent in sight.

Why? Because the order was served on a so-called "trusted third-party," which handles the request, served fresh from the secretive Washington D.C.-based Foreign Intelligence Surveillance (FISA) Court. With permission from their ISP customers, these third-parties discreetly wiretap their networks at the behest of law enforcement agencies, like the Federal Bureau of Investigation (FBI), and even intelligence agencies like the National Security Agency (NSA).


By implementing these government data requests with precision and accuracy, trusted third-parties — like Neustar, Subsentio, and Yaana — can turn reasonable profits for their services.

Little is known about these types of companies, which act as outsourced data brokers between small and major U.S. ISPs and phone companies, and the federal government.



Follow this link for additional details:


Thursday, August 28, 2014

DLP function now available for SharePoint (Office 365)


We know it is available for Exchange; now it has been extended to SharePoint.



From the Article


Microsoft has extended the data loss prevention features in Office 365 so that they are available not only for its email tools but also for data in SharePoint Online and OneDrive for Business.

Administrators will be able to search for content across SharePoint Online and OneDrive for Business, zeroing in on 51 predefined sensitive information types, like credit card numbers, passport data, and Social Security information. If they identify policy breaches, they'll be able to export a report and take the appropriate action. DLP tasks are managed from Office 365's eDiscovery Center console.


Follow this link for additional details:

Friday, August 22, 2014

A new member of the list of companies with hacked credit cards - it is UPS now


The news might be new, but

the infiltration started in January and the attacks in March.

And...........

We only know now.

Customers’ credit and debit card information at 51 franchises in 24 states may have been compromised.


Follow this link for additional details:

http://time.com/3151681/ups-hack/

How to steal encryption keys - Just by touching the computer!!!


I did not know that we are born with embedded hacking tools (I am excluding the brain here).


From the Article

There are flaws and weaknesses in human flesh and bones that make it easier than it should be to force someone to offer up the key to decrypt something.


This research is a side-channel attack. The metal parts of a laptop, such as the shielding around USB ports, and heat sink fins, are notionally all at a common ground level. However, this level undergoes tiny fluctuations due to the electric fields within the laptop. These variations can be measured, and this can be used to leak information about encryption keys.

The researchers also experimented with using a smartphone connected to Ethernet shielding via its headphone port, and found that this was sufficient to perform some attacks.

Robust protection is hard to do, because the side-channel is largely a feature of the hardware. There are countermeasures:
  1. Faraday cages can protect against electromagnetic side channels,
  2. insulation can protect against this kind of "touching metal parts" attack,
  3. optical fibres can protect against measuring fluctuations in Ethernet connections,

but all these drive up costs and are of limited practicality.


Follow this link for additional details:

Wednesday, August 20, 2014

Hacking Traffic Lights Is Apparently Really Easy


It is not the headline that bothered me.

What shocked me is what makes it easy:

The Michigan team identified three main weaknesses in traffic control systems in the U.S.: 
  1. use of unencrypted wireless communication signals,
  2. default usernames and passwords, 
  3. use of a traffic controller—the machine that interprets sensor data and controls lights and walk signs, etc.—that is vulnerable to known hacks.



Follow this link for additional details:

NUKE REGULATOR HACKED BY SUSPECTED FOREIGN POWERS


Not once, but THRICE.

The methods adopted by the hackers are really interesting:

  1. Malware in the cloud
  2. Email from legitimate account



From the Article

Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual.

One incident involved emails sent to about 215 NRC employees in "a logon-credential harvesting attempt."

A dozen NRC personnel took the bait and clicked the link. 


Hackers also attacked commission employees with targeted spearphishing emails that linked to malicious software. A URL embedded in the emails connected to "a cloud-based Microsoft Skydrive storage site," which housed the malware.

In another case, intruders broke into the personal email account of an NRC employee and sent malware to 16 other personnel in the employee's contact list. A PDF attachment in the email contained a JavaScript security vulnerability. One of the employees who received the message became infected by opening the attachment, McIntyre said. 


Follow this link for additional details:

Sunday, August 17, 2014

Thursday, August 14, 2014

iPhone vulnerable? - Yes, when connected to a computer



Apple seems to have too much trust in USB.


From the Article

The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.


Their attack requires the victim's computer to have malware installed.

Wang and the researchers developed a man-in-the-middle attack that can trick an Apple device that's connected to a computer into authorizing the download of an application using someone else's Apple ID.


Wang's team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn't see a warning.

That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.

"The whole process can be done without the user's knowledge," Wang said.


The host computer has access to a device not only through iTunes but also via a protocol called Apple File Connection, which is used for accessing images or music files.


The researchers recovered login cookies, including those for Facebook and Google's Gmail. 


Follow this link for additional details:

Monday, August 11, 2014

Complex Passwords - Are not really safe anymore


I am more or less 100% in agreement with the author.

Summary: pinning your security on an insanely complex password is a fool’s wager.



From the Article


According to Alex Holden, Hold Security’s founder, the “vast majority” of the passwords he uncovered had been stored in plain text on company servers.

says Donna Dodson, NIST’s chief cyber security advisor. “Putting the burden of security on the end-user and making it more complex just doesn’t work,” she says. “The security has to be usable for the end-user. Otherwise they’re going to find workarounds.”

“The cracking software that’s out there has known about all of these tricks for more than a decade,” says Herley.


What’s more, system administrators need to spend more time securing the passwords they store. If sysadmins had been taking care of business before the Russian hack—locking down their websites and protecting their users’ passwords with cryptography instead of storing them in plain text—users would be a lot better off.



Follow this link for additional details:

Saturday, August 9, 2014

Chip-n-Pin may be better than swipe cards but still vulnerable


(From the article)

His team found that several devices were not, in fact, made to the security specifications they claimed to follow. With a minimum of effort, he said they could wiretap the devices and extract the PIN during a sale.

Scammers installed their evil wares into card readers before they were even delivered to merchants.


In order to get European merchants to switch, the banks promised merchants that they would be responsible for fraudulent charges. With swipe cards, a fraudulent charge is simply reversed to the merchant. 

The victims of fraud were frequently blamed by the banks, who accused them of exposing their PINs somehow. In other cases, the banks simply changed their minds and reversed charges to the merchants. In extreme cases, banks and credit card companies declined to press charges against known scammers, apparently out of embarrassment.


The link below has more information:-

Creative hacking - Hackers use Google to steal data



(From the article)

What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Fremont, Calif.-based, Hurricane Electric.

In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com and outlook.com.


The link below has more information:-

http://www.csoonline.com/article/2462409/data-protection/how-hackers-used-google-in-stealing-corporate-data.html

Wednesday, August 6, 2014

XML Vulnerability that can take down an entire website or server almost instantly.



(From the article)

Impacts the popular website platforms WordPress and Drupal.

The vulnerability uses a well-known XML Quadratic Blowup Attack — and when executed, it can take down an entire website or server almost instantly.

This is a big deal because WordPress and Drupal are used by millions of websites. The latest statistics from the World Wide Web Consortium (W3C) show WordPress alone powers nearly 23% of the web.

The XML vulnerability Goldshlager discovered affects WordPress versions 3.5 to 3.9 (the current version) and works on the default installation. It affects Drupal versions 6.x to 7.x (the latest version) and also works on the default installation.

When the vulnerability is exploited, the results can basically render a website or web server unusable. The vulnerability can cause 100% CPU and RAM usage, cause the server to become unavailable and also create a Denial of Service attack on the MySQL database program.

The good news is that both WordPress and Drupal have released patches for their applications. 
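A quadratic blowup declares one large entity and references it thousands of times, so a few kilobytes of input expand to megabytes of text inside the parser. As an added example (not from the article or from the WordPress/Drupal patches), the Python guard below uses the standard-library expat parser and aborts as soon as the expanded text exceeds a bounded multiple of the input size; both XML documents are constructed test inputs, and the 10x factor and 64 KiB floor are values chosen here, not taken from any project.

```python
import xml.parsers.expat


class ExpansionLimitExceeded(ValueError):
    """Raised when a document tries to expand far beyond its own size."""


def parse_with_expansion_guard(data: bytes, max_amplification: int = 10,
                               floor_bytes: int = 64 * 1024) -> dict:
    """Parse XML but abort once the expanded text exceeds max_amplification
    times the input size (never below floor_bytes, so small legitimate
    documents with a few entities are not rejected). External entities are
    refused outright. Returns simple statistics for an accepted document."""
    limit = max(floor_bytes, max_amplification * len(data))
    stats = {"input_bytes": len(data), "expanded_chars": 0,
             "entity_decls": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        stats["entity_decls"] += 1
        if value is None:  # no inline value -> an external (SYSTEM/PUBLIC) entity
            raise ExpansionLimitExceeded(f"external entity {name!r} refused")

    def on_chars(text):
        # expat delivers the *expanded* entity text here, piece by piece,
        # so this counter tracks the real cost of the document, not its size
        stats["expanded_chars"] += len(text)
        if stats["expanded_chars"] > limit:
            raise ExpansionLimitExceeded(
                f"expanded text exceeded {limit} chars for a {len(data)}-byte input")

    def on_start(name, attrs):
        stats["elements"] += 1

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chars
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse
    return stats


def is_safe_to_parse(data: bytes) -> bool:
    """True if the document parses within the expansion budget."""
    try:
        parse_with_expansion_guard(data)
        return True
    except (ExpansionLimitExceeded, xml.parsers.expat.ExpatError):
        return False


# Constructed test inputs (not from the article). The second has the
# quadratic-blowup shape: one large entity referenced many times, so the
# expanded size is (entity length) x (reference count) from a small input.
BENIGN_XML = (b'<?xml version="1.0"?><!DOCTYPE post [<!ENTITY site "example.org">]>'
              b'<post><title>hello</title><body>Posted on &site;</body></post>')

_ENTITY = "x" * 2000
_REFS = "&a;" * 2000
QUADRATIC_BLOWUP_XML = (f'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "{_ENTITY}">]>'
                        f'<r>{_REFS}</r>').encode()

if __name__ == "__main__":
    print(parse_with_expansion_guard(BENIGN_XML))
    print("blowup document accepted?", is_safe_to_parse(QUADRATIC_BLOWUP_XML))
```

The roughly 8 KB hostile document would expand to about 4 MB of text; the guard stops it after 80 KB, which is the bound a web application should enforce before the parser ever reaches 100% CPU and RAM.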

The link below has more information:-

http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/

Monday, August 4, 2014

Interesting - Malware that fully resides in Registry



We always knew someone would do it; now it has finally been done.

http://www.darknet.org.uk/2014/08/windows-registry-infecting-malware-files/

AV Zero day detection - Does anyone still believe it?

This should not come as a surprise.

(From the article)

Kyle Adams wrote what he describes as "ridiculously obvious" malware that most major antivirus products ultimately failed to detect. 

His research shows that code emulation and sandboxing aren't really working anymore.

What can AV vendors do to beef up their code emulation? For one thing, "they should start penetration-testing their own AV software."

The link below has more information:-

If you own a Synology NAS device, you might want to disconnect it.

This advice is coming from the vendor.

The aim is to avoid being affected by ransomware that uses strong encryption to lock files on the brand’s machines and demands US$350 for the decryption key.

The SynoLocker “service” asks for 0.6 Bitcoins to unlock the encrypted files, which at today’s exchange rate is around USD$350



The link below has more information:-

Sunday, August 3, 2014

Can you or your computer detect a compromised USB device? - NO !!!


Don't believe me? Read further.........

(From the article)

The infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. 

The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

“These problems can’t be patched,” says Nohl.

“In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”

It can even impersonate a USB keyboard to suddenly start typing commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.


The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

The link below has more information:-

76,000 email addresses + 4,000 passwords exposed. How? A bad script!!!!


C'mon Mozilla, it is a shame.



(From the article)

The breach was caused by a bad script that on July 23 was found to have inadvertently published the records online over the previous month.

"As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure," they said.

The exposed passwords were salted hashes, but further technical details have not been revealed.



The link below has more information:-

MPTCP - New concern for security folks?



I guess the security tools have a lot of catching up to do.


(From the article)

"If any of your security decisions, tools, thought-processes, manual processes, if they rely on any of... these four things, then something in those is going to break," he says.
  1. If you expect to see all app layer data within a TCP stream;
  2. if you expect to differentiate clients from servers based on the connection direction;
  3. if you expect to tamper with or close bad connections midstream;
  4. if you attempt to associate logical connections to IP addresses.

If you make any security decisions based on any of those, then those security mechanisms are going to break in the face of MPTCP.

The link below has more information:-

Friday, August 1, 2014

Apple scammed 42 times - by a 24-year-old

Simple but brilliant..............


(From the article)

Parrish allegedly tricked Apple Store employees in 16 states starting around December 2012 into accepting fake authorization codes to purchase $309,768 worth of Apple goods.


Here’s how it works: Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn’t really calling his bank.

He would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.



“It does not actually matter what code the merchant types into the terminal,” the U.S. Attorney’s Office in New Jersey said publicly after a similar case occurred there in February. “Any combination of digits will override the denial.”



The link below has more information:-


Thursday, July 31, 2014

A new and more dangerous class of attack through USB.


We knew of a few dangers from USB, but this one is scarier.



(From the article)

Nohl said his firm has performed attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.

Computers do not detect the infections when tainted devices are inserted because anti-virus programs are only designed to scan for software written onto memory and do not scan the "firmware" that controls the functioning of those devices, he said.
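Since antivirus does not look at device firmware, the defence moves to what the host is willing to talk to. One cheap check a practitioner can run on Linux is to look at the interface classes each USB device enumerates: a storage stick that also presents a HID keyboard interface has the shape of a reprogrammed device that will start typing on its own. The block below is an added example (not from the article or Nohl's research) in Python; it reads bInterfaceClass from sysfs where available and otherwise runs over a constructed inventory, and the allow list is a hypothetical stand-in for whatever approved composite devices your fleet really has.

```python
import os
from typing import Dict, Set

# USB interface class codes from the USB-IF class code table
HID_CLASS = 0x03
MASS_STORAGE_CLASS = 0x08
SYSFS_USB = "/sys/bus/usb/devices"


def read_sysfs_interface_classes(root: str = SYSFS_USB) -> Dict[str, Set[int]]:
    """Map each USB device id (e.g. '1-1') to the set of interface classes it
    exposes, by reading bInterfaceClass from its interface directories
    ('1-1:1.0', '1-1:1.1', ...). Returns {} when sysfs is not available."""
    devices: Dict[str, Set[int]] = {}
    if not os.path.isdir(root):
        return devices
    for entry in os.listdir(root):
        if ":" not in entry:                 # device dirs have no ':'; skip them
            continue
        dev = entry.split(":")[0]
        try:
            with open(os.path.join(root, entry, "bInterfaceClass")) as fh:
                cls = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
        devices.setdefault(dev, set()).add(cls)
    return devices


def flag_suspicious(devices: Dict[str, Set[int]], known_good=frozenset()):
    """Return device ids that present a HID (keyboard/mouse) interface next to
    mass storage, unless they are on an explicit allow list. Heuristic only:
    legitimate composite devices exist, so the allow list matters as much as
    the rule, and firmware that misbehaves without adding a HID interface is
    not caught here."""
    return sorted(
        dev for dev, classes in devices.items()
        if dev not in known_good
        and HID_CLASS in classes
        and MASS_STORAGE_CLASS in classes
    )


# Constructed sample inventory (not read from a real machine): a plain thumb
# drive, a keyboard, a "thumb drive" that also enumerates a keyboard, and an
# approved composite device that an administrator has allow-listed.
SAMPLE_DEVICES = {
    "1-1": {MASS_STORAGE_CLASS},
    "1-2": {HID_CLASS},
    "1-3": {MASS_STORAGE_CLASS, HID_CLASS},
    "1-4": {MASS_STORAGE_CLASS, HID_CLASS},
}
APPROVED = {"1-4"}   # hypothetical allow list

if __name__ == "__main__":
    inventory = read_sysfs_interface_classes() or SAMPLE_DEVICES
    print("suspicious:", flag_suspicious(inventory, known_good=APPROVED))
```

The same idea, enforced rather than merely reported, is what USB device allow-listing tools such as USBGuard do: authorise devices by vendor/product id, serial and interface set, and block anything else before the kernel binds a driver to it.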

The link below has more information:-

Tuesday, July 29, 2014

Internet Of Things Contains Average Of 25 Vulnerabilities Per Device


The headline says it all

However, it will not stop most people from adopting it; after all, we are not the target for hackers (really?).


(From the article)

What makes IoT devices different is their multi-faceted nature. "When you think about what all is involved in an Internet of Things device, you've got the device itself, network access, authentication, the Internet component; and all these pieces together are what stack up to be the Internet of Things device. If you're not looking at the big picture, you're missing a lot of stuff."

HP Security Research found an average of 25 vulnerabilities per device. Seven out of 10 of the devices when combined with their cloud and mobile applications gave attackers the ability to identify valid user accounts through enumeration. Nine out of 10 devices collected at least one piece of personal information through the device or related cloud or mobile app; and six of the devices had user interfaces vulnerable to a range of web flaws such as persistent XSS.

"It's not just cloud, it's not just the device, and it's not just network security," says Miessler. "People shouldn't view it as a one-dimensional problem."

The link below has more information:-

At least half of the 50 most popular Android mobile apps have inherited security vulnerabilities through the reckless re-use of software libraries.

As long as we have
  • Compressed schedules
  • Functionality trumping security
  • Reckless programmers

The code will always be insecure


(From the article)

More concerning is when “developers act intentionally,” Jarva said.

“Some people might have been providing a vulnerability on purpose in order to do something nasty” once the code has been distributed.

"Who are they working with? Do they have sideline jobs somewhere else? The developers might be getting their dollars from ad networks," Jarva said.


One in ten apps send either the user’s device ID (IMEI code) or location data to a third party, and one even sends the user’s mobile phone number. One in ten applications connected to more than two ad networks.

The study found that over 30 percent of the apps transmit private data in plain text and plenty more are not encrypting the transfer of this data to best practice.

“The issues are invisible to users,” Jarva said. “A lot of things are happening behind the scenes; it's only afterwards that they know what has been done.”
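The "invisible to users" point is also what makes the plain-text finding easy to reproduce yourself: anyone on the path can read the device ID and location out of cleartext HTTP. As an added example (not from the study or this page), the Python below scans captured request payloads for Luhn-valid IMEIs and decimal coordinates, ignoring TLS payloads it cannot read. Treating destination port 80 as "cleartext" is a simplification for the example, the HTTP requests are constructed, and the IMEI used is the commonly cited example value rather than a real handset.

```python
import re

# 15 digits not embedded in a longer digit run
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
# decimal latitude,longitude pairs such as 37.4219,-122.0840
LATLON_RE = re.compile(
    r"(?<![\d.-])(-?\d{1,2}\.\d{3,}),\s*(-?\d{1,3}\.\d{3,})(?![\d.])")


def luhn_valid(digits: str) -> bool:
    """Luhn check; the 15th digit of an IMEI is a Luhn check digit, which
    filters out most random 15-digit numbers (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_capture(records):
    """records: iterable of (dst_port, payload_text). Only cleartext HTTP
    (port 80 here, a simplification) is inspected; TLS payloads are skipped.
    Returns a list of (host, kind, value) findings."""
    findings = []
    for port, payload in records:
        if port != 80:
            continue
        m = re.search(r"^Host:\s*(\S+)", payload, re.M)
        host = m.group(1) if m else "?"
        for cand in IMEI_RE.findall(payload):
            if luhn_valid(cand):
                findings.append((host, "imei", cand))
        for lat, lon in LATLON_RE.findall(payload):
            if abs(float(lat)) <= 90 and abs(float(lon)) <= 180:
                findings.append((host, "location", "%s,%s" % (lat, lon)))
    return findings


# Constructed capture: one cleartext beacon leaking IMEI and location, one
# request carrying a 15-digit id that fails Luhn (noise), one TLS record.
SAMPLE_CAPTURE = [
    (80, "POST /track HTTP/1.1\r\nHost: ads.example.net\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "imei=490154203237518&loc=37.4219,-122.0840&app=flashlight"),
    (80, "GET /ping?id=490154203237519 HTTP/1.1\r\nHost: cdn.example.org\r\n\r\n"),
    (443, "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for host, kind, value in scan_capture(SAMPLE_CAPTURE):
        print("%-20s %-9s %s" % (host, kind, value))
```

Run against a real capture, the host column is what you want: the app's own API leaking an identifier is one conversation with the developer, a third-party ad SDK doing it is a different one.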



The link below has more information:-


Sunday, July 27, 2014

BYOD leads to BYOC (Bring Your Own Confusion)


Why? Maybe because:
  1. Security folks want to lock down access to corporate data
  2. Common folks don't want company security software on their devices but want to access corporate data (have their cake and eat it too?)

I think the common folks have not yet grasped that their device is actually a computer, one they have no understanding of.

Security folks know that the devices are computers but don't have proper security policies/procedures in place.


Don't believe me? Check below.


(From the article)

For instance, 98% of the IT managers surveyed said their companies had BYOD security polices in place. About a third said their companies required employees to install an IT-mandated security application on their mobile devices while 20% said that personal devices can access their corporate network only if the devices had the requisite security controls in place.

Yet, fewer than 20% of the IT managers surveyed said their companies had yet to create a way to enforce the policies.

Despite BYOD policies and controls IT managers say have been implemented at their companies, less than 20% of workers connected to corporate networks said they had installed a full security app on their personal devices.

The survey also revealed a reluctance on the part of workers to allow IT personnel install security software on their devices.

More than half of the employees surveyed feared that the company would gain access to their personal data via corporate security tools. Some 46% of workers said they feared personal data would be lost if they left the company. The same number feared a company-mandated security app installed on personal devices would let managers track their location.

Nearly half of workers said they would stop using personal devices at work if they were required to install a company-mandated security application.


The link below has more information:-

Saturday, July 26, 2014

Built a free botnet that generates US$1750 a week using free cloud:-


This is not fiction; two researchers actually did it.

Moral of the story:
Cyberattacks might become more common.
Security is still our problem, not the cloud provider's.

(From the article)

They used automatic tools and processes to spread a currency-mining botnet across some 150 popular free services that each generated about 25 cents a day -- all on the providers' electricity bill.

The bot was built on free and fast tools including Mandrill and FreeDNS.afraid.org for email address registration, variations on public data breach databases, a custom program on Google App Engine, and the Python Fabric to manage scripts controlling the hundreds of cloud instances.



The link below has more information:-


Interesting idea - online advertising - beat your competitors by exhausting their online AdWords budget


Hmm, I am impressed.


(From the article)

fraudsters engage in an opposite scam involving AdWords, in which advertisers try to attack competitors by raising their costs or exhausting their ad budgets early in the day.

The service, which appears to have been in the offering since at least January 2012, provides customers both a la carte and subscription rates. The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitor's ads indefinitely.


The link below has more information:-

http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/

Thursday, July 24, 2014

Like it or not, you are being (canvas) fingerprinted

Unless you are using the Tor Browser


It is sad that there is not much choice against canvas fingerprinting.
As usual, browsers will find a solution, and after a few months there will be another way to track us.


(From the article)


A lot of sites use AddThis, so a lot of users are being tracked, the article/research states 5% of the top 100,000 websites. So at least 5000 high traffic sites are capturing user data in this rather underhanded way.


It’s all pretty shady, but honestly we have to assume people are doing this type of stuff because one of the most valuable things you can create from the Internet is user data. Especially usage/consumption patterns, even if it doesn’t tie to specific humans – the data itself is very valuable to people making marketing decisions based on it.


The link below has more information:-


Wednesday, July 23, 2014

WireShark coloring rules with a few use cases


Short and sweet whitepaper from SANS

https://www.sans.org/reading-room/whitepapers/detection/wireshark-guide-color-packets-35272

Free poster - SANS Smartphone Forensics


Get it here

http://digital-forensics.sans.org/blog/2014/06/24/getting-the-most-out-of-smartphone-forensic-exams-sans-advanced-smartphone-forensics-poster-release

Attackers install a backdoor on an estimated 30,000 to 50,000 websites


Here is the strange part:

Attackers have exploited the bug to install a backdoor on an estimated 30,000 to 50,000 websites, some that don't even run WordPress software or that don't have MailPoet enabled, according to Daniel Cid, CTO of security firm Sucuri.

"To be clear, the MailPoet vulnerability is the entry point," he wrote in a blog post. "It doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website." In an e-mail to Ars, he elaborated:

The link below has more information:-

http://arstechnica.com/security/2014/07/mass-exploit-of-wordpress-plugin-backdoors-sites-running-joomla-magento-too/

Nmap - 3 part tutorial


A good one for beginners


Nmap Cheat Sheet: From Discovery to Exploits, 

Part 1: Introduction to Nmap
Part 2: Advance Port Scanning with Nmap And Custom Idle Scan
Part 3: Gathering Additional Information about Host and Network



Part-1
http://resources.infosecinstitute.com/nmap-cheat-sheet/

Part-2
http://resources.infosecinstitute.com/nmap-cheat-sheet-discovery-exploits-part-2-advance-port-scanning-nmap-custom-idle-scan/

Part-3
http://resources.infosecinstitute.com/nmap-cheat-sheet-discovery-exploits-part-3-gathering-additional-information-host-network-2/

Multi-faceted hack attack against Swiss banks


Looks like we have more and more creative people getting involved with hacking.
Or is it that crowdsourcing got better results?

From the Article

That tactic was accomplished by malware that manipulated a victim's DNS settings and installed an SSL certificate for the phishing sites before wiping itself clean to remove evidence of infection.

Users who fell for the email campaign and subsequently installed the malware would be prompted to install an Android app to purportedly secure their banking transactions, but which would serve to steal second-factor SMS tokens and ferry them off to an attacker's command and control server or mobile phone number.


Follow this link for additional details:

Tuesday, July 22, 2014

Another day another Breach - Now it is Goodwill (Victim 8)


I am getting tired of tracking (check my list at the end)

(From the article)

According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards.

It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states.

Those same financial industry sources say the breach could extend back to the middle of 2013.

Financial industry sources said the affected cards all appear to have been used at Goodwill stores, but that the fraudulent charges on those cards occurred at non-Goodwill stores, such as big box retailers and supermarket chains. This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s.


The link below has more information:-

http://krebsonsecurity.com/2014/07/banks-card-breach-at-goodwill-industries/


Previous Victims: (Count started in March 2014)


7. SPEC Liquor Chain - Half a million cards (Lasted 18 Months)

6. Anonymous claims 800 Million credit card 

5. California DMV

4. US Navy

3. Korea Telecom

2.  Comixology

1. Sally Beauty

BYOD - You thought you knew it all; how about 7.1 billion mobile subscriptions (did you expect this?)


It is normal to expect a disconnect between what we know and what is real.

Sometimes , there is a big disconnect.



Follow this link for additional details and get ready to be surprised:

http://www.darkreading.com/cloud/infographic-with-byod-mobile-is-the-new-desktop/a/d-id/1297436?image_number=1

Firefox OS - Now available on 7 devices in 15 countries


Not the greatest of news, but something good about my favorite company.



The link below has more information:-

http://www.theregister.co.uk/2014/07/17/firefox_os_global_expansion/

Monday, July 21, 2014

What is a PNR? It is a record that contains your full credit card number and is sent to governments by booking agencies.


This one shocks me!


From the Article

My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain:

The IP address that I used to buy the ticket
My credit card number (in full)
The language I used
Notes on my phone calls to airlines, even for something as minor as a seat change

Follow this link for additional details:

Saturday, July 19, 2014

Re-use your passwords - Says Microsoft.


Not exactly; the suggestion is to re-use them on low-risk sites.
Still, I don't fully agree.


(From the article)

Now Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, have shot holes through the security dogma in a paper Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (PDF).

The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites.


The link below has more information:-

Thursday, July 17, 2014

You think only IT guys screw up? How about the guys who store viruses and bacteria.


The first paragraph from the article:
The same federal scientist who recently found forgotten samples of smallpox at a federal lab also uncovered over 300 additional vials, many bearing the names of highly contagious viruses and bacteria.


The link below has more information:-

http://www.koaa.com/news/300-vials-labeled-influenza-dengue-found-at-lab/

How many FAKE mobile apps are floating around - Almost a million (According to Trend)



Some are highly successful; here is a sample:
Scammers charged $3.99 for the fake app, which promised to prevent harmful apps from being installed. It was removed by Google after a few days, but not before it fooled thousands of users and even became a "top new paid app" in the Play Store. Trend said it was "perplexing" how the app achieved "top" status


The link below has more information:-
http://www.computerworld.com/s/article/9249779/Almost_a_million_fake_apps_are_targeting_your_phone

Wednesday, July 16, 2014

LibreSSL not safe - Culprit is PRNG



I am not losing hope (yet)



(From the article)

The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.

The problem resides in the pseudo random number generator (PRNG) that LibreSSL relies on to create keys that can't be guessed even when an attacker uses extremely fast computers.
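The excerpt does not say how the PRNG failed. The failure reported for that release concerned generator state surviving fork(), so that a child process could hand out the same "random" bytes as its parent; that is a general class of bug, not specific to LibreSSL, and the block below is an added Python example of it (not code from LibreSSL or the article). It forks, draws bytes on both sides, and compares: a userspace generator seeded once at startup duplicates, a kernel-backed source does not, and reseeding in the child at fork time is the mitigation. The generator instances and seed are constructed for the demonstration.

```python
import os
import random
import secrets


def draw_in_parent_and_child(draw, nbytes=16):
    """Fork, have both processes call draw(nbytes), and return
    (parent_bytes, child_bytes). The child ships its bytes back over a pipe
    and exits without running anything else."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child
        os.close(r)
        try:
            os.write(w, draw(nbytes))
        finally:
            os._exit(0)
    os.close(w)
    parent = draw(nbytes)
    child = b""
    while len(child) < nbytes:                    # read until the child is done
        chunk = os.read(r, nbytes - len(child))
        if not chunk:
            break
        child += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return parent, child


# 1. A userspace PRNG seeded once at process start. fork() copies the whole
#    address space, generator state included, so both sides continue the
#    same sequence.
USERSPACE_RNG = random.Random(0xC0FFEE)           # fixed seed, demo only


def userspace_draw(n):
    return USERSPACE_RNG.getrandbits(8 * n).to_bytes(n, "big")


# 2. Bytes from the kernel: no state lives in the process to be duplicated.
def os_draw(n):
    return secrets.token_bytes(n)


# 3. Same userspace generator, but reseeded from the kernel in the child
#    immediately after every fork().
FORK_SAFE_RNG = random.Random(0xC0FFEE)
os.register_at_fork(after_in_child=lambda: FORK_SAFE_RNG.seed(os.urandom(32)))


def fork_safe_draw(n):
    return FORK_SAFE_RNG.getrandbits(8 * n).to_bytes(n, "big")


def state_duplicated(draw) -> bool:
    """True when parent and child produced identical bytes after fork()."""
    parent, child = draw_in_parent_and_child(draw)
    return parent == child


if __name__ == "__main__":
    for name, fn in (("userspace", userspace_draw), ("kernel", os_draw),
                     ("reseed-at-fork", fork_safe_draw)):
        print("%-15s duplicated across fork: %s" % (name, state_duplicated(fn)))
```

Note that Python reseeds only its own module-level `random` instance after fork; generators you create yourself, like the one above, are not touched, which is exactly why a library that keeps its own pool has to handle this itself. Checking the PID before each draw is a common approach, and the caveat the LibreSSL discussion turned on is that PIDs get reused, so a PID check alone can be fooled.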



The link below has more information:-

http://arstechnica.com/security/2014/07/only-a-few-days-old-openssl-fork-libressl-is-declared-unsafe-for-linux/

Apple + IBM - What happens when a giant in the consumer mobile computing space joins hands with one in the enterprise computing space.



Apple and IBM are coming together, which is good news for enterprise admins.
Apple devices have been the favorites of upper management, but there were not many players who would integrate them well with the IT space.

Now that IBM is here, we can expect something.
Since Apple is not cheap, I presume IBM's offering will not be either (was IBM ever less expensive?).

(From the article)

The joint statement offered more detail, saying the partnership will provide:
  • More than 100 industry-specific enterprise solutions including native apps, developed exclusively from the ground up, for iPhone and iPad;
  • IBM cloud services optimized for iOS, including device management, security, analytics and mobile integration;
  • New AppleCare service and support tailored for the enterprise;
  • New "packaged offerings" from IBM for mobile device activation, supply and management


The link below has more information:-

Tuesday, July 15, 2014

FYI - 1 TB of data in a postage-stamp-sized memory device - RRAM


(From the article)

Rice University’s breakthrough silicon oxide technology will allow manufacturers to fabricate “resistive random-access memory” (RRAM) devices at room temperature with conventional production methods, the researchers say. In a new paper in Nano Letters, a Rice team led by chemist James Tour compared its RRAM technology to more than a dozen competing versions.



The link below has more information:-

http://www.kurzweilai.net/rices-silicon-oxide-memories-catch-manufacturers-eye

Monday, July 14, 2014

Crooks have been compromising hotel business center PCs with keystroke-logging malware



If you are surprised, then I am sure you are not in IT Security.


From the Article


“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.

“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”


The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. But don’t take my word for it. This maxim is among the “10 Immutable Laws of Security” as laid out by none other than Microsoft‘s own TechNet blog, which lists law #3 as: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”



Follow this link for additional details:


If you are using DropCam , you might want to read this



Moral of the story - Bug fix and patch management are NOT common in consumer devices.





From the Article

They found that weaknesses in the devices could allow an attacker to view video and "hot-mike" audio on the cameras to spy on the targets, as well as inject their own video frames into the DropCam feed or freeze frames in order to hide malicious activity, such as a physical break-in.

Wardle and Moore say DropCam runs older software components, including the Heartbleed-vulnerable version of OpenSSL, and an outdated and unpatched version of BusyBox, an open source Unix toolkit typically found in embedded devices and Android devices.



Follow this link for additional details:

http://www.darkreading.com/dropcam-vulnerable-to-hijacking/d/d-id/1297275

Saturday, July 12, 2014

How questionnaires can have unexpected bad results in IT risk management (GRC)


I am not a big fan of questionnaires when it comes to GRC, so I am happy that someone shares my sentiment.
Andrew also provides some important pointers.

Important lesson for GRC - garbage in will result in garbage out



(From the article)

Do you sincerely believe that an incompetent person is going to respond to a questionnaire in a manner that highlights their incompetence? For example, imagine an incompetent or lazy system administrator.  His work is poor, his attention to detail weak, perhaps he is distracted with personal or financial problems.  On a questionnaire, it asks this system administrator to explain how often he checks systems for updated patches.  He knows that company policy mandates that every system is checked monthly.  However, he has not checked them in months.

Incompetent people often overstate and inflate their skill set, whereas highly competent people tend to understate their skills.

If the data gathered from staff does not paint a representational picture of the environment, then whatever risk analysis comes from that data is faulty.  This is merely a variant on the “garbage in, garbage out” cliché.

Threats are evolving so rapidly, that what was important to the organization 12 months ago could be radically different now.  As such, any questions written 12 months ago, are not as relevant now.  Standardization of questions assumes the threat landscape never changes. 


The link below has more information:-

Friday, July 11, 2014

"Gameover Zeus" is back - This time with "Fast Flux Hosting"

Looks like it was aptly named Zeus (the Greek god) because it refuses to die.



From the Article

The company found that the malware shares roughly 90 percent of its code base with Gameover Zeus.

This new Gameover variant is stripped of the P2P code, and relies instead on an approach known as fast-flux hosting. Fast-flux is a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies, in a bid to make the botnet more resilient to takedowns.

Like the original Gameover, however, this variant also includes a “domain name generation algorithm” or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters).

In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmasters need to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there.

“This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers and takedowns in history.”
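Both of the mechanisms described above leave a trace in resolver logs: fast-flux shows up as one name answered with many different addresses under a short TTL, and DGA fallback domains look like "long jumbles of letters". The block below is an added example in Python (not Gameover's actual DGA, and not code from the article) that runs two such heuristics over constructed DNS log lines. The log format, the entropy and vowel thresholds, and the TTL/IP-count thresholds are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real Gameover traffic), one answer per
# line: <unix-time> <client> <qname> <answer-ip> <ttl>
SAMPLE_LOG = """\
1405000001 10.0.0.5 www.example.com 93.184.216.34 86400
1405000002 10.0.0.5 mail.example.com 93.184.216.35 86400
1405000003 10.0.0.7 update.example-cdn.net 203.0.113.10 300
1405000004 10.0.0.7 update.example-cdn.net 203.0.113.11 300
1405000010 10.0.0.9 qkzvtrhpxmlwbgyqd.com 198.51.100.21 60
1405000011 10.0.0.9 qkzvtrhpxmlwbgyqd.com 198.51.100.77 60
1405000012 10.0.0.9 qkzvtrhpxmlwbgyqd.com 198.51.100.130 60
1405000013 10.0.0.9 qkzvtrhpxmlwbgyqd.com 198.51.100.9 60
1405000014 10.0.0.9 qkzvtrhpxmlwbgyqd.com 198.51.100.200 60
1405000015 10.0.0.9 xtrwplqnbzvkcfhsd.net 198.51.100.21 60
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; random letter strings score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like(qname: str) -> bool:
    """Heuristic for algorithmically generated names: look at the label left
    of the TLD and flag long, all-letter labels with high character entropy
    and few vowels. Thresholds are assumptions for this example."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 12 or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 and vowel_ratio < 0.25


def parse_log(text):
    """Yield (ts, client, qname, ip, ttl) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, ip, ttl = parts
        yield int(ts), client, qname.lower(), ip, int(ttl)


def fast_flux_candidates(records, max_ttl=300, min_ips=4):
    """Names answered with at least min_ips distinct addresses, all under a
    short TTL. Legitimate round-robin and CDNs also match; this is a
    candidate list to enrich, not a verdict."""
    ips = defaultdict(set)
    ttls = defaultdict(set)
    for _, _, qname, ip, ttl in records:
        ips[qname].add(ip)
        ttls[qname].add(ttl)
    return sorted(q for q in ips
                  if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)


def analyse(text):
    records = list(parse_log(text))
    names = sorted({r[2] for r in records})
    return {
        "dga_like": [q for q in names if dga_like(q)],
        "fast_flux": fast_flux_candidates(records),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

The two signals are stronger together than apart: a gibberish name that also resolves to a churning set of addresses is a much better lead than either alone. The entropy test is blind to DGAs that build names from dictionary words, so pair it with NXDOMAIN volume per client when the fallback list is being walked.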



Follow this link for additional details: