Monday, March 31, 2014

AET - Dirty little secret weapons used by hackers.


Not in-depth, but one of the few articles that talk about AETs and offer a few pointers for protection.



According to the article:- 

Advanced Evasion Techniques - Weapons hackers use to bypass security systems and penetrate even the most locked-down networks

Because of the debate about the very existence of AETs, hackers continue to use these techniques successfully to exfiltrate information. This confusion allows hackers to further invest in increasingly sophisticated attacks, while staying “under the radar” even longer, resulting in damaging and costly data breaches.

AETs are used by well-resourced, motivated hackers to execute APT attacks. While the AET is not an attack by itself, as the bits of code in the AET are not necessarily malicious, they are used to disguise an attack. The danger lies in that AETs provide the attacker with undetectable access to the network. By developing a set of dynamic AETs, the hacker creates a “master key” to penetrate any locked-down network to exploit and compromise their vulnerable target victims. 

AETs use a combination of evasion techniques, such as fragmentation and obfuscation, to bypass network security controls like firewalls and intrusion prevention systems (IPSs). AETs work by splitting up malicious payloads into smaller pieces, disguising them, and delivering them simultaneously across multiple and rarely used protocols. Once inside, AETs reassemble to unleash malware and continue an APT attack.


Most network security systems on the market—IPS, intrusion detection system (IDS), unified threat management (UTM), and even next-generation firewalls—do not have the technology built in to stop evasions, since they only analyze single-protocol layers and inspect individual segments. Finding a known exploit is easy—but finding AETs requires full-stack traffic analysis and normalization, protocol by protocol. This deep inspection requires a great deal of processing power, which can create a hit to throughput performance of some network security solutions.
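As an added illustration of the point above (example code written for this post, not from the article or any vendor), the toy engine below matches content signatures first segment by segment and then against the normalized, reassembled stream; the request, the segmentation and the signatures are all constructed, and the `Segment` type and threshold names are assumptions.

```python
"""Added example: why an inspection engine that looks at one TCP segment at a
time misses a pattern split across segments, and what stream normalization
(reassembly in sequence order, with overlap-conflict alerting) recovers.
All segments and signatures below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number: offset of data[0] in the stream
    data: bytes


# Toy content signatures (assumed, not taken from any real IDS ruleset).
SIGNATURES = {
    "cmd-shell": re.compile(rb"cmd\.exe"),
    "passwd-read": re.compile(rb"/etc/passwd"),
}


def match_segment_wise(segments: list[Segment]) -> set[str]:
    """Naive engine: each segment is inspected on its own, nothing is carried across."""
    hits = set()
    for seg in segments:
        for name, pat in SIGNATURES.items():
            if pat.search(seg.data):
                hits.add(name)
    return hits


def reassemble(segments: list[Segment]) -> tuple[bytes, bool]:
    """Rebuild the stream in sequence order regardless of arrival order.
    Returns (stream, conflict). conflict is True when two segments covered the
    same offset with different bytes; the first copy seen is kept, and a
    normalizer should alert on that inconsistency instead of silently picking
    a side, because the receiving host may resolve it the other way."""
    buf: dict[int, int] = {}
    conflict = False
    for seg in segments:                      # arrival order
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in buf:
                conflict = conflict or buf[off] != b
            else:
                buf[off] = b
    if not buf:
        return b"", conflict
    end = max(buf) + 1
    gaps = [o for o in range(end) if o not in buf]
    if gaps:
        raise ValueError(f"stream has holes at offsets {gaps[:5]}")
    return bytes(buf[o] for o in range(end)), conflict


def match_reassembled(segments: list[Segment]) -> tuple[set[str], bool]:
    """Normalizing engine: match against the reassembled stream."""
    stream, conflict = reassemble(segments)
    hits = {name for name, pat in SIGNATURES.items() if pat.search(stream)}
    return hits, conflict


# Constructed sample: one HTTP request cut in the middle of the token "cmd.exe"
# and delivered with the second piece arriving before the first.
REQUEST = b"GET /cgi-bin/x?c=cmd.exe HTTP/1.0\r\n\r\n"
CUT = REQUEST.index(b"cmd") + 2
SPLIT_OUT_OF_ORDER = [Segment(CUT, REQUEST[CUT:]), Segment(0, REQUEST[:CUT])]

# Same stream plus a later segment that re-sends offsets already seen with
# different bytes: the normalizer keeps the first copy and flags the conflict.
WITH_CONFLICTING_OVERLAP = SPLIT_OUT_OF_ORDER + [Segment(CUT, b"XXXX")]


if __name__ == "__main__":
    print("per-segment :", match_segment_wise(SPLIT_OUT_OF_ORDER))
    print("reassembled :", match_reassembled(SPLIT_OUT_OF_ORDER))
    print("with overlap:", match_reassembled(WITH_CONFLICTING_OVERLAP))
```

The per-segment pass returns no hits for the split request, while the reassembled pass finds the signature, and the overlap case additionally reports the conflict a normalizer should surface.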


The false sense of security could be caused by publicized industry benchmarking tests on AET detection that some vendors prepare for in advance. These vendors, in turn, use the favorable, yet skewed, results to create the perception that they can identify evasions. One such vendor claims they can protect against only 60 AETs when more than 800 million known AET variants have been identified to date.



Five Key Requirements of an AET Solution
  1. Protection against increasingly sophisticated threats
  2. Detailed, real-time inspection
  3. High availability
  4. Correlation capabilities and network visibility
  5. Simplicity and ease of management


You can download the full document (PDF) here-

The Top 10 Google Glass Myths - Someone finally dissects what Google said and how different it is in the real world



I am happy someone took time to look at Google's information and compare that to what is happening in the real world.

According to the article:- 

The length of recording is irrelevant when privacy is being invaded. 

Technology-obsessed geekiness made a Glass user oblivious to the comfort of those around her.

The case of Nick Starr, the man who refused to take off his Glass in a Seattle restaurant and reportedly went on a rant, demanding that the waitperson in question be fired after he was asked to remove his Glass, is another case that shows that Glass-technology love can get out of hand.

Already, one woman was issued a traffic ticket in October 2013 for speeding and distracted driving after being stopped while wearing Glass.

Besides, a facial recognition app doesn't have to get onto MyGlass or Google Play to get onto your Glass. As mentioned, rooting Glass is straightforward, and as one of the spyware researchers noted, it's a wild, wild west with the non-Google-sanctified apps out there.


"Everywhere?" "EVERYWHERE?" Um... no. Not a real myth. They've been banned in some bars and restaurants, but I've never heard anybody shout out in full caps that they've been banned ubiquitously.




The link below has more information:-


RSA and NSA relationship - Deeper than what we thought?



RSA was wishing this problem would disappear, but it only got worse.


According to the article:- 

Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency.

A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software's vulnerability.

The professors found that the tool, known as the "Extended Random" extension for secure websites, could help crack a version of RSA's Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters.

RSA, now owned by EMC Corp, did not dispute the research when contacted by Reuters for comment. The company said it had not intentionally weakened security on any product.

"If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline," Green said.


The academic researchers said it took about an hour to crack a free version of BSafe for Java using about $40,000 worth of computer equipment. It would have been 65,000 times faster in versions using Extended Random, dropping the time needed to seconds, according to Stephen Checkoway of Johns Hopkins.

The link below has more information:-


Can Surveillance be a business model of the Internet?



The headline says it all and it is written by Bruce Schneier and I respect his views.




According to the article:- 

The main focus of massive Internet companies and government agencies both still largely align: to keep us all under constant surveillance. When they bicker, it’s mostly role-playing designed to keep us blasé about what's really going on.

These companies are doing their best to convince users that their data is secure. But they're relying on their users not understanding what real security looks like.

And IBM’s spending $1.2B on data centers outside the U.S. will only reassure customers who don’t realize that National Security Letters require a company to turn over data, regardless of where in the world it is stored.

Google could encrypt your e-mail so only you could decrypt and read it. It could provide for secure voice and video so no one outside the conversations could eavesdrop.
It doesn’t. And neither does Microsoft, Facebook, Yahoo, Apple, or any of the others.

Why not? They don’t partly because they want to keep the ability to eavesdrop on your conversations. Surveillance is still the business model of the Internet, and every one of those companies wants access to your communications and your metadata. Your private thoughts and conversations are the product they sell to their customers. We also have learned that they read your e-mail for their own internal investigations.

The biggest Internet companies don’t offer real security because the U.S. government won't permit it.

This isn't paranoia. We know that the U.S. government ordered the secure e-mail provider Lavabit to turn over its master keys and compromise every one of its users.



The link below has more information:-


FYI - SANS has a new check-list for Mobile Devices





Follow the link below:-

"Thingularity" - I like this buzzword and it makes sense to me.


While we are getting carried away by the marketing buzz of IoT, someone is asking the right question.
How do we patch all this IoT stuff? I don't expect the manufacturers to do something unless consumers ask for it.

According to the article:- 
The issue with what some technology pundits describe as the current rush to connect everything to the Internet is that we lack a way to keep billions of consumer devices updated with the latest security patches or firmware.

ATM manufacturer NCR says that of the world's 2.2 million ATMs, 95% still run an embedded version of Windows XP.

Even vendors that make information security products haven't solved the challenge of keeping Internet-connected consumer devices up-to-date. Researchers at security firm Tripwire, for example, recently studied the 50 top-selling routers on Amazon and found that at least 74% were vulnerable to previously disclosed attacks, or bugs the researchers found with scant effort.

In a separate study, Tripwire found that 68% of surveyed consumers didn't know how to update their wireless router's firmware. Fast forward: What happens when they're faced with critical updates for their baby monitors, webcams, door locks, and home automation systems? 

Thanks to widespread code reuse, furthermore, when vulnerabilities get found in one manufacturer's device, the same bugs often are present in similar types of devices built by their competitors, meaning all of them would need to be patched, and quickly.

The link below has more information:-


Interesting - Contact lens with Infrared vision -


Sounds good, but would people take the pain of wearing contact lenses instead of regular goggles?

According to the article:- 


Seeing the infrared spectrum has a number of applications that go beyond the nighttime war games glamorized in adventure flicks. Doctors can use the wavelengths to monitor blood flow, and civil engineers can use them to identify heat or chemical leaks.

And it’s so thin that it could be integrated in cell phones, eyeglass-mounted computers and even contact lenses to provide an infrared-vision mode.


The link below has more information:-


No encryption/decryption, still simple and secure - Unfortunately, used by Chilean Drug Traffickers



We know how important spelling is and how it affected the Boston Bombing case.

In this case, the communication excludes spaces between words, so it will just be a sequence of letters.



According to the article:- 

While criminal methods are constantly evolving, the most basic techniques can still throw authorities off the trail.

In 2010, Chile's national police, the Carabineros, arrested Leonardo Yañez Sepulveda with 80 grams of cocaine in Santiago. In his wallet, they found notes that detailed a coded language used by the traffickers to communicate via text messages, reported La Tercera. The notes contained a full explanation of how to use the coded alphabet, and how to decipher incoming coded messages.


Prosecutor Macarena Cañas said that for the authorities who analyzed the note, the find was completely novel. "It's like the Rosetta Stone; you have a complete dictionary," he said.

The link below has more information:-

(Someone can) Unlock your car remotely - Demonstrated in Singapore - Tesla Car


Like I always said, even security companies produce/sell trash, so how can we expect car companies to care about security?

Luckily, it cannot be driven after the hack, but we could lose a few valuables left in the car.

According to the article:- 

Hackers could remotely unlock the car via a command transmitted over the internet. This is done by hacking the password that Tesla owners use to set up their account, which can also be used to unlock the car.

In fact, Dhanjani stated that the hacking of the password is not dissimilar to how hackers hack passwords on regular computers via malware and so on. “It’s a big issue where a $100,000 car should be relying on a six-character static password.”

The link below has more information:-

Metadata - Another experiment that shows how much information it can reveal


Most people don't care about their data.
Some people care about data but ignore metadata.
Few people care about metadata. I think everyone should care about data and metadata.



According to the article:- 


Despite the vast amount of data, it's just as easy to store as it is to interpret. “It works out to only a few kilobytes per person for everyone on the planet,” Weaver added. In other words, if I had the access, it'd cost just a few thousand dollars to have enough consumer-grade storage to keep data on everyone in the United States.

Looking up that IP on myip.ms turned up not only the city, but one of two possible street addresses as well.

“The biggest reason why the NSA thinks Tor stinks is that it's actually really hard to link user activity to people,” he said. “Because the [Tor browser] bundle operates [by default] with no cookies and [doesn’t allow JavaScript]. The browser bundle is allowed to not have linkages across sessions. Every time you exit the Tor browser it looks like a new user.”


The link below has more information:-

DDoS Threat Landscape report - Botnet Activity is up by 240%.



What surprises me is that it states the top attack-originating countries include the USA. The rest are India, China and Iran.

According to the article:- 

The most common network attack method is a combination of two types of SYN flood attacks – one using regular SYN packets (to exhaust resources) and another using large SYN (above 250 bytes) packets (for network saturation).

Almost 1 in every 3 attacks exceeds 20 Gbps.
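As an added example (my own illustration, not code from the report or its authors), the detector below runs over constructed packet records and separates the two SYN flood types the report describes by SYN rate per destination and by average SYN size, using the 250-byte cut-off quoted above; the `Packet` record, the 1-second window and the 100-SYN threshold are assumptions.

```python
"""Added example: classify SYN floods from packet metadata.
Regular SYN floods (small packets) aim at connection-table exhaustion; large
SYN floods (> 250 bytes, per the report) aim at link saturation. The packet
records below are constructed; the window and threshold values are assumed."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10
LARGE_SYN_BYTES = 250        # threshold quoted in the report


@dataclass(frozen=True)
class Packet:
    ts: float                # capture time in seconds
    src: str
    dst: str
    flags: int               # TCP flag bits
    length: int              # bytes on the wire


def is_bare_syn(p: Packet) -> bool:
    """A connection request: SYN set, ACK clear (SYN/ACK replies do not count)."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def detect_syn_floods(packets, window: float = 1.0, min_syns: int = 100) -> list[dict]:
    """Sliding-window bare-SYN counter per destination. Emits one alert per
    destination whose busiest window held at least min_syns SYNs, labelled by
    the average SYN size observed in that window."""
    win = defaultdict(deque)          # dst -> (ts, length) of SYNs in window
    win_bytes = defaultdict(int)      # dst -> running byte total of the window
    peak = {}                         # dst -> (count, bytes) at the worst window
    for p in sorted(packets, key=lambda x: x.ts):
        if not is_bare_syn(p):
            continue
        q = win[p.dst]
        q.append((p.ts, p.length))
        win_bytes[p.dst] += p.length
        while q[0][0] < p.ts - window:           # drop SYNs older than window
            _, old_len = q.popleft()
            win_bytes[p.dst] -= old_len
        n = len(q)
        if n >= min_syns and n > peak.get(p.dst, (0, 0))[0]:
            peak[p.dst] = (n, win_bytes[p.dst])
    alerts = []
    for dst, (count, nbytes) in peak.items():
        avg = nbytes / count
        kind = ("large-syn (network saturation)" if avg > LARGE_SYN_BYTES
                else "regular-syn (resource exhaustion)")
        alerts.append({"dst": dst, "syn_count": count, "avg_bytes": avg,
                       "kind": kind, "gbps": round(nbytes * 8 / window / 1e9, 6)})
    return sorted(alerts, key=lambda a: a["dst"])


def build_sample() -> list[Packet]:
    """Constructed capture: 20 normal handshakes, then two floods."""
    pkts = []
    for i in range(20):                          # benign clients to 10.0.0.5
        t, c = i * 0.05, f"192.0.2.{i + 1}"
        pkts.append(Packet(t, c, "10.0.0.5", SYN, 60))
        pkts.append(Packet(t + 0.001, "10.0.0.5", c, SYN | ACK, 60))
        pkts.append(Packet(t + 0.002, c, "10.0.0.5", ACK, 52))
    for i in range(400):                         # 400 small SYNs in 0.4 s
        pkts.append(Packet(1.0 + i * 0.001, f"198.51.100.{i % 250 + 1}",
                           "10.0.0.10", SYN, 60))
    for i in range(400):                         # 400 large SYNs in 0.4 s
        pkts.append(Packet(2.0 + i * 0.001, f"203.0.113.{i % 250 + 1}",
                           "10.0.0.20", SYN, 1000))
    return pkts


if __name__ == "__main__":
    for alert in detect_syn_floods(build_sample()):
        print(alert)
```

The benign handshakes stay below the threshold, while each flood produces one alert whose label comes from the average SYN size, which is the distinction the report draws.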


The link below has more information:-




The full report can be downloaded from the following link.

Friday, March 28, 2014

Mobile Apps - Why are they considered to be of high risk?


The first thing that pops into our heads is that they are on mobile devices.

This article provides more insight and suggestions for developers.



According to the article:- 

On Android, mobile apps are generally coded using Java, and on iOS in Objective C. Both of these languages are capable of significant processing functionality. 
As a result, mobile apps often perform more functions than just presentation-layer aesthetics. That's where the risks can hide.

Attackers can and do examine apps by reverse-engineering them and looking for exploitable defects. 

Defects essentially fall into two categories: 
  1. Implementation bugs 
  2. Design flaws.


Bugs make up coding mistakes such as using mutable SQL queries in the form of dynamically built query strings that can be injected with poisonous data. They're also generally quite easy to remediate.

Design flaws can be far more heinous and are usually substantially more difficult to remediate. Flaws can be quite costly to fix.

Whenever we build a mobile app and place that app out in an app store or market, we're giving away some clues about our software.


So what are security-minded software engineers to do?

  1. Don't store things on the client. Unless absolutely essential. 
  2. Don't store anything remotely sensitive on the client. 
  3. If you must store something, use a container such as iOS's keychain. It's far from perfect, but it's still worlds better than storing in plain text.
  4. Don't put security controls on the client. All security (and other operational) decisions must be made on the server.




The link below has more information:-

Google Waze - Hacked, reroutes drivers due to a fake traffic jam.


Thankfully, this was a POC developed by two Israeli students.

A few decades back, food shortages, wars and natural events would cause chaos. In today's world, we may be able to achieve that just by breaking/hacking technologies.


According to the article:- 

The system automatically creates multiple new fictitious users on Waze that report fake GPS locations to “trick” the navigation system into believing there is a traffic jam.

The students were able to simulate a traffic jam that lasted for hours on end causing motorists on Waze to deviate from their planned routes.




The link below has more information:-

Spelling error helped the Boston Bomber to slip through Security

Who could have thought of this, or can it be this simple?

And, now, I start to wonder if name search is the only way the intelligence agencies sift for terrorist data, or did they simply find an issue to point fingers at.


According to the article:- 

Russia warned the US that Boston Marathon bomber Tamerlan Tsarnaev was a violent radical Islamist more than a year and a half before the April 2013 bombing, but he slipped past border guards on multiple trips undetected because someone had misspelled his last name in a security database.


The Russian intelligence service FSB - successor to the KGB - twice requested in 2011 that the FBI and the CIA keep an eye on Tsarnaev and let them know if he traveled back to Russia, given possible links to extremists in his ancestral home in Russia's North Caucasus.


The FBI did, in fact, assess Tsarnaev to determine if he posed a terrorist threat, but it didn't find any evidence of terrorist activity.


The link below has more information:-

Communicating Risk to Executive Leadership - Common problem with security folks.



The article starts with the following

“I don’t get it!” said the CEO as he dropped the 300 page report on the conference table.

Our reports may not be 300 pages, but our inability to speak the executive language is the issue.


According to the article:- 

Common complaints (from them) we heard, included:


  • “Why does it take so long?”
  • “I thought we had security controls in place to take care of this stuff?”
  • “How do we fix these problems?”
  • “What do these risk numbers mean? Are we in danger or not?”
  • “This is just busywork to keep the regulators happy.”



Challenges with current risk management techniques.

Challenge 1 – Difficulty in Assigning Value
Challenge 2 – Risk and Security Language is Incomprehensible to Leadership
Challenge 3 – Numbers Can Deceive
Challenge 4 – Risk Data Gets Stale Quickly



Solutions:

Talk Like an Executive
Use Emotional Words Sparingly
Deliver Intelligence, Not Data
Communicate in the Now


How to Improve the Risk Conversation:

Step 1 – Agree on Six Words (Threat, Vulnerability, Control, Impact, Probability, Risk)
Step 2 – Establish a Lens (A lens is a way to break down a larger whole into manageable chunks)
Step 3 – Express Security Issues in Terms of Threat
Step 4 – Get Data, Put it in the Backseat
Step 5 – Simplify Impact and Probability
Step 6 – Embrace Simplicity and Brevity in Reporting



The link below has more information:-

http://blog.anitian.com/communicate-risk-to-executives/

Health Insurance provider penalized for Data breach.



The biggest beneficiaries may be the plaintiffs' lawyers, but the company that lost money will now revisit the cost-benefit analysis and hopefully protect the data better (out of their own selfish interest).

Again, I believe this is a good thing but there should be some consideration when non-profit organizations are involved. (One such incident here)


The link below has more information:-

Analysis of 3 billion attacks - No surprising results, companies are a big part of the problem

Results state that many basic processes and procedures that companies are failing to implement are a major contributor to the problem.

Look at the solutions: not one of them is groundbreaking. All of them are common-sense solutions. They all need long-term planning, patience and realistic metrics to measure their success.

It is not easy, but not impossible. When the stakes are high, what are our choices?


According to the article:- 

NTT has pooled the resources of its group companies and produced a threat report based on an analysis of 3 billion attacks.

NTT makes four primary proposals. 

Companies should still protect their perimeter, even though that perimeter is continuing to change and shrink. The primary tool here is still up-to-date anti-virus. Although this would seem to be a given, NTT notes that "43% of incident response engagements were the result of malware against a particular end point," and that significant factors "were missing basic controls, such as anti-virus, anti-malware and effective lifecycle management."

Patch management needs to be improved. While accepting that this is not easy, and that "timely installation of every patch on every system is often impractical," the report stresses that companies must be aware of the issues "and need to ensure they are prioritizing countermeasures against these exploits."

Business needs to define and test incident response. "Too many organizations have untested, immature or non-existent incident response programs. This makes them unprepared for the inevitable attack." Appropriate incident response, it says, "is critical to minimize the impact of security breaches."

Business must learn to be as fast in exploiting new defense technologies as criminals are in exploiting new attack vectors. "The speed of exploit weaponization is increasing," says NTT, "and may surpass an organization’s ability to respond quickly and effectively (if it has not already). New technologies include capabilities such as application isolation techniques, micro VMs, sandboxing and machine learning."


The link below has more information:-


Jargon - Threat Vector - What is it?



Everyone sprinkles these words to make their argument sound good.
So, I thought I would find a simple article that could explain it.


According to the article:- 

  • A Threat Vector is a path or a tool that a Threat Actor uses to attack the target.
  • Threat targets are anything of value to the Threat Actor. It can be a PC, PDA, iPad, your online bank account… or you (stealing your identity).


The ISACA link below has a presentation in PDF format:-

Jargon - Attack Surface - What is it?



Everyone sprinkles these words to make their argument sound good.
So, I thought I would find a simple article that could explain it.


According to the article:- 

There are three basic interrelated considerations that develop from our examples:
  1. Network Attack Surface, the attack will often be delivered via a network
  2. Software Attack Surface, with a primary focus on web applications
  3. Human Attack Surface, social engineering, errors, trusted insider, death and disease



The links below have more information:-

Thursday, March 27, 2014

Patch Management Failure - Key enabler of cybercrime



This should not be a surprise. The report only provides some numbers to confirm it.

Exploiting a known vulnerability is the easiest method. Why go searching for a path when you can use a GPS?

They also found pretty common problems (Inventory, Logging, Incident response issues)



According to the article:- 

Solutionary looked at the latest exploit kits used by hackers, which include exploits from as far back as 2006. Solutionary found that half of the vulnerability scans it did on NTT customers last year were first identified and assigned CVE numbers between 2004 and 2011.

"That is, half of the exploitable vulnerabilities we identified have been publicly known for at least two years, yet they remain open for an attacker to find and exploit," Solutionary said in its Global Threat Intelligence Report. "The data indicates many organizations today are unaware, lack the capability, or don't perceive the importance of addressing these vulnerabilities in a timely manner."

"There's kind of a 'throw it over the wall' mentality," says Don Gray, chief security strategist at Solutionary, noting vulnerability-assessment information wasn't being acted upon effectively in organizations.

The Solutionary report also notes that effective log monitoring remains a challenge for several reasons

During and after this "discovery process," about half of organizations realize there are IT assets they didn't even know about.


Solutionary found that 77% of the organizations involved had no incident response teams or procedures in place to respond effectively to a significant cyber incident.



The links below have more information:-

Four part article on Security Policy Management Maturity Model - From Algosec



Nice article with a well-placed sequence.

I have a strange feeling, many companies might be stuck at Level-1.



Part-1
http://blog.algosec.com/2014/01/security-policy-management-maturity-model-part1.html


Part-2
http://blog.algosec.com/2014/02/security-policy-management-maturity-model-benefits-moving-ladder-part-2-4.html


Part-3
http://blog.algosec.com/2014/03/security-policy-management-maturity-model-benefits-moving-ladder-part-3-4.html


Part-4
http://blog.algosec.com/2014/03/security-policy-management-maturity-model-benefits-moving-ladder-final-chapter-part-4-4.html

Remember the saying "Birdie told me" now, the birdie can steal your credentials.



This is a POC; the researchers were able to steal credentials from a drone.


According to the article:- 

Snoopy, “a distributed tracking and profiling framework," was developed by SensePost Research Lab researchers Daniel Cuthbert and Glenn Wilkinson and was claiming victims by 2012. 

Snoopy was mounted on a quadcopter and flying over London spoofing Wi-Fi networks. The researchers were able to obtain “network names and GPS coordinates for about 150 mobile devices” in less than one hour. They also stole Amazon, PayPal and Yahoo credentials.

Snoopy, like the WiFi Pineapple, can spoof Wi-Fi networks and trick your device into connecting to it.

CNN Money added, “Devices two feet apart could both make connections with the quadcopter, each thinking it is a different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy will intercept everything they send and receive,” including passwords, usernames, sites visited, credit card numbers entered, and location data. Snoopy also scoops up the MAC address, tying the traffic to a specific device. The researchers were even able to track a phone to the owner's home.


The links below have more information:-

T-Mobile - Free International Roaming (120+ Countries) - Experience from one consumer



According to him, it was not all bad, considering the fact that it was free.

If I read it correctly, incoming was free, outgoing was expensive. Hey, still, if you can receive calls/messages for free, why not?


The links below have more information:-

http://www.cio.com/article/750324/On_the_Road_with_T_mobile_39_s_Free_International_Roaming

Interesting question - How Do the FBI and Secret Service Know Your Network has Been Breached Before You Do?



We think we know the answer, but some details in this article could surprise you.

According to the article:- 

In the course of all of this monitoring, Henry says, law enforcement often finds itself in the odd position of having to show companies evidence they have been victimized. And they aren't always thanked for their efforts. Sometimes, Henry says, companies say "'Please just go away.'" He adds, "It happens all the time."

How frequently do the Secret Service and FBI come calling? "About 40% to 50% of our customer base have regular conversations with the FBI and other agencies that have warned that they have been breached," says Simon Crosby.

In the course of that investigation it was discovered a laptop had malware on it that eluded anti-virus tools and the malware had been in contact with a botnet command-and-control server on the Internet. "The FBI happened to be monitoring the C&C center" for that botnet, Stahl says.

One of the main questions then becomes, are the companies victimized ready to investigate it? Unfortunately, often they are not, say security experts at Solutionary.

Solutionary last year was hired by a bank to conduct a forensics examination after the FBI showed up with evidence of a major breach that turned out to have been caused by SQL Injection attacks on the bank's website and had been going on for months. One difficulty, says Kraus, is the bank's logging system was weak and only stored log data for 2 and 1/2 months. Solutionary believes incident response capabilities remain tepid at best in companies today.

This raises the all-important question of how well companies defend their networks and whether their logging capabilities are sufficient to give them a clue about anything after a breach.


The links below have more information:-

"Data broker industry" - What is that? - In 2012 it generated $150 billion in revenue



Apparently, that's twice the size of the entire intelligence budget of the United States government.

Read this one along with my previous post; you get a better picture.


According to the article:- 

As 2013 came to a close, Sen. Jay Rockefeller (D-W.Va.) issued a scathing report about the role and unchecked power of data brokers. Following a year-long investigation by the Senate commerce committee into the collection, use and sale of consumer data for marketing purposes, he called these companies and their practices "the dark underside of American life."

Federal Trade Commissioner Julie Brill says "your smartphones are basically mini tracking devices" that supply "the kind of information that really talks about who you are on a day-to-day basis."

Brill says. "Consumers don't know who the data brokers are. They don't know the names of these companies."

The largest of these companies -- Acxiom, Datalogix, Epsilon and Experian (this company holds our credit history) -- are bridging together data from the online and offline worlds and selling it to the likes of Facebook, Twitter and others to enhance their respective ad products.


"I think consumers care less than we think in the moment. They care in the abstract sense," Kleinberg says.



The links below have more information:-


Security, Smart Devices and stretching the Trust boundary - Are we losing control?



We all know people are the weakest link and with smart devices it is easier to exploit.

This article discusses how Trust gets stretched and affects the security when it comes to Mobile Devices.

(Remember people can also connect their mobile devices to any WiFi networks, increasing the risk.
Add IoT and it becomes a lot more fun.)

Quote from the article:

“A process without input is a miracle, while one without output is a black hole. Either you’re missing something, or have mistaken a process for people, who are allowed to be black holes or miracles”



According to the article:- 

As a baseline, the company itself took the responsibility for trusting the OS to have provided a safe sandbox for all apps to play in, and the phone vendor to have only installed trustworthy apps as part of their customization. So our trust boundary is already extended beyond our company resources to the phone service provider, the phone manufacturer, the phone vendor, the phone OS developer and the security application company. All of which we may have to just accept, but should be aware of.


But our new employee has, unknown to the company, extended our trust boundary in several ways:

  • Adding Gmail account 
  • Adding games
  • Adding calendar app
  • Lastly the social media apps


I think that ultimately, none of this is all that egregious and should be a normal use case for IT distributing devices, but add this up over a 500 person company and your trust boundary grows far beyond your ability to manage it, making it effectively infinite. 



The links below have more information:-

Biometrics - New virgin territory "Ear Wax" (after "Under Arm")



Who would have thought of it?

Now, does this mean, if this is successful, the employees will be instructed to keep their ears dirty? This will work for the company but not for those who would like to keep your company.

And the same thing goes for "Under Arm Odor". Does this mean I should stop taking baths?


According to the article:- 

Scientists from the Monell Center analysed the chemicals that give earwax its distinctive, pungent smell – and found that compounds in the wax could be used to identify the wax creator’s racial origins, with ear wax differing markedly between East Asians and Caucasians.


“Our previous research has shown that underarm odors can convey a great deal of information about an individual, including personal identity, gender, sexual orientation, and health status,” said study senior author George Preti, PhD, an organic chemist at Monell. “We think it possible that earwax may contain similar information.”



The links below have more information:

Six examples - How employee accounts could be compromised.



Everyone knows compromised accounts are hard (not impossible) to detect. 
One of the problems is that employees don't like it when their accounts have fewer privileges, as they presume it is related to trust or prestige.


According to the article:- 

By the standards of today's black market for thieves, your employees are in the cross-hairs for some of the most serious attacks on your company.

Updates, you can do. Vulnerabilities can be patched. But people... are people.

(here is the sorry state)
76 percent of breached organizations needed someone else to tell them they've been hacked. Employee awareness could be worth more than the latest anti-malware software, and will save you millions in the race to prevent cyber theft. (Trustwave, 2013)



The links below have more information:

Not sure how far this is true - Anonymous Ukraine has claimed responsibility for hacking over 800 million credit cards globally


The keyword here is "CLAIMED"


According to the article, they have released 1 million of those cards as proof of the attack.


The links below have more information:

https://www.alertlogic.com/card-data-released-anonymous-ukraine-takes-the-credit/

This headline confuses me - Smarter People Are More Trusting



We always learn something new every day, and sometimes fact is stranger than fiction.


According to the article:- 

Both vocabulary and question comprehension were positively correlated with generalized trust. Those with the highest vocab scores were 34 percent more likely to trust others than those with the lowest scores, and someone who had a good perceived understanding of the survey questions was 11 percent more likely to trust others than someone with a perceived poor understanding. The correlation stayed strong even when researchers controlled for socio-economic class.

(Here is the silver lining)
The researchers posit that intelligent people might be better at correctly evaluating whether people are trustworthy, or whether a particular person is likely to act untrustworthily in a particular situation.


The links below have more information:

"Win32:Zbot" dissected - This could come hidden in enticing pictures


Most of us are tempted to click on enticing pictures delivered from the net. Only a few have the courage to withstand the temptation.

This article has some interesting details


According to the article:- 

In the sample group, we discovered that the malware doesn’t open only pictures of women – surprisingly, pictures of men were used too, but images of women are leading over men at a ratio of 14:3. We spotted non-sexual images, but they are not very common.

The links below have more information:

After Microsoft (which admitted it), Google now denies spying on a journalist



Corporations spend millions to look good and maintain their image. Anyone that can damage it is a threat, so why would they not do strange things? After all, spying is harmless (according to them) and they can always turn around and say sorry.

If the crowd is still angry, throw a few bones (extra space, features).



According to the article:- 

Arrington took to his personal blog last week, saying that he was "nearly certain that Google accessed my Gmail account after I broke a major story about Google." Arrington, who claims the breach occurred years ago, said his source within Google was fired from the company after being presented with an email showing the person's correspondence with Arrington.

Google General Counsel Kent Walker said that Arrington's allegations are "serious." He added that while "terms of service might legally permit such access, we have never done this and it's hard for me to imagine circumstances where we would investigate a leak in that way." (we know, you are paid to say that)

(one of them is lying, the journalist or the lawyer?)


The links below have more information:

NSS Report - Titled "Why your data breach is my problem:"



Finally, someone writes a report on what we have all known for a long time.

Simple solutions for organizations to reduce risk:
  1. Don't store more than you need (ignored as it impedes data mining and analytics)
  2. Have a data destruction policy (ignored for the same reason)
  3. Encrypt data.
  4. Let the consumer have the right to request that their information be purged.


This article also brings back the question "Why should an SSN be a secret?" It is an identification number and, as far as I know, it should not be used for any verification.


DISCLAIMER:

"I am not GOD so, I admit that I could be wrong anywhere between 0 - 100%"



According to the article:- 

NSS Labs charted the ten largest data breaches worldwide that occurred over the past decade, including the breach of Adobe customer information and Target payment card data announced in the last quarter of 2013. The firm noted that half of the breaches happened last year, alone.

“This data demonstrates that many records overlap between the breaches (with a total of 512 million records lost for the United States alone) and that the PII of a considerable share of the population of the United States (319 million) was exposed,” the report said.


The links below have more information:

SANS - Cheat Sheets - Now has a new one for DFIR


The new DFIR poster is for Windows systems.



You can get it here

http://digital-forensics.sans.org/community/cheat-sheets

Wednesday, March 26, 2014

Looks like the botnet market is getting competitive - bot authors are advertising capabilities even before the bot is fully ready



As per a March 18 update, Zorenium – which first popped up on the scene in January and allegedly also works on Windows and Linux machines – will now run on Apple mobile devices running iOS 5 through iOS 7

The strange part about this article is that Zorenium (Bot) is supposed to be multi-platform and they now claim they can compromise iOS.

The stranger part is that no one has been able to get a single piece of this code for analysis.

Like vendors producing vapourware, could this be a vapour-bot?



According to the article:- 

Zorenium is still in beta, but its author claims it has many capabilities, including distributing banking trojans, carrying out distributed denial-of-service (DDoS) attacks, form grabbing, and Bitcoin mining, according to the post, which explains how the malware is well-protected against anti-virus and anti-malware solutions.

The bot is also said to feature fake shutdown modules, which trick victims into thinking they are shutting down their hardware. In reality, Zorenium is using fake shutdown images, dropping the device into standby, and delaying the fans to create the illusion the device is off.


The links below have more information:


WATCHOUT - Malware targets MONSTER.COM and CAREERBUILDER.COM



This is sad because (I presume) part of the crowd looking for a job may not be financially well off, and if their credentials are stolen, the situation might get worse for them.


According to the article:- 

Gameover is one of several Trojan programs that are based on the infamous Zeus banking malware

"A computer infected with Gameover ZeuS will inject a new 'Sign In' button [into the Monster.com sign-in page], but the page looks otherwise identical," they said.

After the victims authenticate through the rogue Web form the malware injects a second page that asks them to select and answer three security questions out of 18. The answers to these questions expose additional personal information and potentially enable attackers to bypass the identity verification process.
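The mechanism the article describes (a bot rewriting the bank or job site's login page inside the victim's browser so that extra buttons and forms appear) is what Zeus-family malware calls a "webinject". The following is an added example, not code from the article and not the malware's own code: a small interpreter for the classic Zeus-style webinject rule format (set_url / data_before / data_inject / data_after blocks) applied to a constructed login page, followed by the kind of integrity check a site's own front-end script could run to notice that the rendered form carries a button and a field the site never served. The page HTML, the rule text, the URL and every function name are constructed for this illustration.

```javascript
// Added example: Zeus-style webinject applied to a constructed login page,
// plus a rendered-vs-served form integrity check. Not from a real sample.

// Constructed page as the real site serves it.
const LOGIN_PAGE = `<html><body>
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign In</button>
</form>
</body></html>`;

// Constructed rule in the classic webinject text format: match the URL,
// find the password field, and drop a rogue "Sign In" button right after it.
const RULES = `
set_url https://jobs.example.com/login* GP
data_before
<input type="password"*>
data_end
data_inject
<button type="button" onclick="stage2()">Sign In</button>
<input type="hidden" name="stage2" value="1">
data_end
data_after
data_end
`;

// Parse set_url / data_* blocks into rule objects.
function parseWebinjects(text) {
  const rules = [];
  let cur = null, section = null, buf = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line.startsWith('set_url ')) {
      const [, url, flags = 'GP'] = line.split(/\s+/);
      cur = { url, flags, before: '', inject: '', after: '' };
      rules.push(cur);
    } else if (['data_before', 'data_inject', 'data_after'].includes(line)) {
      section = line.slice(5);   // "before" | "inject" | "after"
      buf = [];
    } else if (line === 'data_end' && cur && section) {
      cur[section] = buf.join('\n');
      section = null;
    } else if (section !== null) {
      buf.push(raw);
    }
  }
  return rules;
}

// "*" is the only wildcard in this format. URL patterns are anchored,
// content patterns are not (and match across newlines, non-greedily).
function patternToRegExp(pattern, anchored) {
  const esc = pattern
    .replace(/[.+?^$\{\}\(\)\|\[\]\\]/g, '\\$&')
    .replace(/\*/g, anchored ? '.*' : '[\\s\\S]*?');
  return new RegExp(anchored ? `^${esc}$` : esc);
}

// Rewrite the response the way the bot does before the browser renders it:
// the inject lands immediately after the data_before match.
function applyWebinjects(url, html, rules) {
  let out = html;
  for (const r of rules) {
    if (!patternToRegExp(r.url, true).test(url)) continue;
    const m = patternToRegExp(r.before, false).exec(out);
    if (!m) continue;
    const at = m.index + m[0].length;
    out = out.slice(0, at) + r.inject + out.slice(at);
  }
  return out;
}

// Inventory of what a form actually carries: input names and button labels.
function formInventory(html) {
  const names = [...html.matchAll(/<input[^>]*\sname="([^"]+)"/gi)].map(m => m[1]);
  const buttons = [...html.matchAll(/<button[^>]*>([^<]*)<\/button>/gi)].map(m => m[1].trim());
  return { names, buttons };
}

// Integrity check: every rendered field or button beyond what the site
// served is suspect. Counts matter, so a duplicated "Sign In" is flagged too.
function unexpectedFields(servedHtml, renderedHtml) {
  const base = formInventory(servedHtml), seen = formInventory(renderedHtml);
  const extra = (served, rendered) => {
    const left = {};
    for (const k of served) left[k] = (left[k] || 0) + 1;
    return rendered.filter(k => !(left[k]-- > 0));
  };
  return { names: extra(base.names, seen.names), buttons: extra(base.buttons, seen.buttons) };
}

function demo() {
  const rules = parseWebinjects(RULES);
  const rendered = applyWebinjects('https://jobs.example.com/login?next=/', LOGIN_PAGE, rules);
  return { rules: rules.length, rendered, flagged: unexpectedFields(LOGIN_PAGE, rendered) };
}
```

Run `demo()`: the rendered page gains a second "Sign In" button and a hidden `stage2` field, and `unexpectedFields` reports exactly those two. The check only works if the comparison baseline comes from somewhere the bot does not control (a hash of the served form shipped out-of-band, or a server-side comparison of the fields the browser posts against the fields the page contained), because the same inject could just as easily rewrite a check that lives in the page.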


The links below have more information:

Paying ransom does not guarantee access to your data



According to the article, several victims do not get access to their data even after paying the Cryptolocker ransom.

This is bad for their business. However, I am wondering how one knows whether it is the same gang or some copycat gang that is doing it (and not unlocking the data).


According to the article:- 


A nearby dentistry practice had also been hit by the malware around the same time. It paid $550 in Bitcoins but received no unlock key, part of a now established theme; there is growing evidence that a substantial number of Cryptolocker victims never see their data again no matter what they do,


This could be a comment on how people have been de-sensitised to the consequences of being infected by malware or just part of a deeper shift that views these events as simply a cost of doing business.

Probably the most notorious example of a willing payer was that of a Massachusetts police department that found itself stumping up $750 ransom using what must have been public money to get back important files.

A recent UK survey of computer users by the University of Kent found that 9 percent had experienced some form of ransom Trojan, with 3.4 percent encountering Cryptolocker. Forty percent chose to pay up with many reporting that no key was forthcoming.



The links below have more information:


Insider Threat - 5 ways to limit them , according to ISACA.



"Insider Threat" - dangerous, difficult and mostly ignored by organizations


According to the article:- 


  1. Trust, but verify
  2. Privileged user management
  3. Segmentation of duties
  4. Third-party monitoring
  5. Behavior monitoring




The links below have more information:

http://www.isaca.org/About-ISACA/-ISACA-Newsletter/Pages/at-ISACA-Volume-7-26-March-2014.aspx?cid=1004028&Appeal=EDMi#1

Technology - MYLAR - Build online services that can never decrypt or leak your data.



Another layer of security for data protection.

The idea looks good, but it will need a good password escrow/vaulting solution (which requires additional auditing) to reduce accidental loss of passwords.

Will this reduce the NSA and other snooping related fears?

According to the article:- 

“Your data gets encrypted using your password inside your browser before it goes to the server,” Popa says. “If the government asks the company for your data, the server doesn't have the ability to give unencrypted data.”


Popa developed the software with colleagues from MIT and a Web development software company, Meteor Development Group. A paper on Mylar will be presented at the Usenix Symposium on Networks Systems Design and Implementation next month.


The software is designed to work with a popular Web service building tool called Meteor, to make it easy for Web developers to use. Mylar’s design has code running inside a person’s browser take on most of the processing and presenting of information—work that a conventional service would do on its servers. But Mylar also includes some new cryptographic tricks that allow a server to do useful things with user data without having to descramble it.

Mylar also lets individuals share data with other users, thanks to a system that can distribute the necessary encryption key in a way that protects it from ever being disclosed either to the server or to someone monitoring communications. 

A big usability challenge is that if anyone loses their password, they can permanently lose access to their information. 




The links below have more information:

Open Source Software - Do enterprises need them?



The author addresses a few myths around why open source software is not being (fully) embraced by IT.


According to the article:- 

The first myth is that open source software is vulnerable to security threats due to access to code, which is not evaluated thoroughly. 

The next challenge that needs to be addressed is the perception that open source is not "enterprise-ready." 

Some companies believe that open source code is great for cutting-edge developers, but not IT operations

Finally, enterprises hesitate to adopt open source software as they believe that there is no responsibility for failures and it is hard to maintain open source code.




The links below have more information:

Tuesday, March 25, 2014

Credit monitoring useful? (or not) - recent events seem to help those selling the service



I previously posted a link that questioned the usefulness of this service.

The conclusion was

“In short, they only give consumers limited help with a very small percentage of the crimes that can be inflicted on them,” Litan said. “And consumers can get most of that limited help for free via the government website or free monitoring from a breached entity where their data inevitably was compromised.”

Now that we have seen too many credit card breaches, these monitoring agencies are getting better business.

We seem to be averaging around 14 breaches per month.


According to the article:- 


The number of AAA Southern California members opting in for the club's identity theft monitoring service — whether for free or for an extra charge — boomed in January, up 58% from December and up 32% from January 2013, spokesman Jeffrey Spring said.

Intersections Inc. said its Identity Guard identity theft protection and credit monitoring service generated $42 million in revenue in 2013 and is expected to exceed $100 million by 2017

The BillGuard credit monitoring application, launched in July, uses crowd-sourced reporting from its members to issue alerts about possible payment card security concerns. Since the Target breach, the app's user base has ballooned by nearly half a million participants and identified $1 million in fraud, Chief Executive Yaron Samid said.



The links below have more information:

Neiman Marcus and Target - Both missed the alerts/alarms. Why?



This article is similar to my previous post but the author asks a few relevant questions.


In the article:- 

Some questions to consider when evaluating tools used in incident response include:


  • Do you have a way, when an event fires, to get more context in order to determine whether or not that event is real and deserves further investigation?
  • How expensive is it to obtain that context? Do you have to go out and look at the potentially infected computer, or do you have telemetry flowing back from that computer into a system that is accessible to the SOC that they can investigate?
  • If you have telemetry, what kind? Is it system-level telemetry that can be manipulated post breach, or is it network-level telemetry that is hard to manipulate?
  • How close to the source are you collecting telemetry – are you capturing everything that infected host is doing or just its communications out to the Internet?




The links below have more information:

http://www.lancope.com/blog/when-an-alarm-isnt

Free - Book from Microsoft - Network Virtualization and Cloud Computing


Pretty decent. Two chapters, 94 pages, with a good intro to Microsoft's version of SDN.


Download Links:

PDF - http://aka.ms/683068pdf

EPUB - http://aka.ms/683068epub

Kindle - http://aka.ms/683068mobi

Bruce has a few open questions for IBM - based on their open letter about government access to their data



IBM wrote the following a few days back:

http://asmarterplanet.com/blog/2014/03/open-letter-data.html


Now, Bruce has a few questions for IBM.
As usual he does not disappoint us.




Check it out:
https://www.schneier.com/blog/archives/2014/03/an_open_letter_.html

Tools / Utilities - Free Security Tools - Top 125 Network Security Tools



This list is dynamic and the rating shows each tool's popularity.

This is a good bookmark for all security folks



LINK:

http://sectools.org/

Dangerous - Previewing the email alone is enough to get you infected.


Luckily, Microsoft has provided a temporary fix, so please apply it ASAP.


According to the article:- 

Although Microsoft states that the targeted attacks it has seen so far have been directed at users of its Word 2010 product, it’s clear that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, as well as Office for Mac 2011.

Microsoft Outlook 2007, 2010 and 2013 all use Word by default as the email reader.




The links below have more information:




Yesterday's blog

Off-Topic - A few excellent and inspiring quotes



This one is awesome:
In the age of information, ignorance is a choice.

Damon Miller



Einstein's quote:

School failed me, and I failed the school. It bored me. The teachers behaved like Feldwebel (sergeants). I wanted to learn what I wanted to know, but they wanted me to learn for the exam. What I hated most was the competitive system there, and especially sports. Because of this, I wasn’t worth anything, and several times they suggested I leave. This was a Catholic School in Munich. I felt my thirst for knowledge was being strangled by my teachers; grades were their only measurement. How can a teacher understand youth with such a system? From the age of twelve I began to suspect authority and distrust teachers.



Check out this link