Tuesday, April 29, 2014

WATCH OUT - If you are (still) an AOL subscriber


Remember the Queen song, Another one bites the dust.....


According to the article:-

On Monday AOL's security team said in a security update that third-party digital forensic investigators hired by the company found "unauthorized access to information regarding a significant number of user accounts." The information accessed by attackers "included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords, and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information."


The breach is a further reminder that people should never reuse the same password on multiple sites. In the wake of the AOL breach, accordingly, "if you were using the same password for any other online account -- which is, as we have discussed many times before, very bad practice -- then you need to change those passwords too."



The link below has more information:-

HeartBleed - How to extract the private Key?



The author provides details.



The link below has more information:-

http://arstechnica.com/security/2014/04/how-i-used-heartbleed-to-steal-a-sites-private-crypto-key/

Thursday, April 24, 2014

Little obscurity in Security might actually be a good thing



I kind of agree as long as 
  • It is an additional layer
  • One does not rely on the obscurity factor fully
  • The cost-benefit ratio is in favor of obscurity



According to the article:-


Supplementary defenses include
  1. Changing a server’s default port 
  2. Server header masquerading
  3. Use non-standard naming conventions




The link below has more information:-

Wednesday, April 23, 2014

Tuesday, April 22, 2014

Jailbroken iPhones have a new app "UNFLOD" - Malware that steals Apple passwords.



According to the article:-

Readers reported their jailbroken iOS devices recently started experiencing repeated crashes, often after installing jailbroken-specific customizations known as tweaks that were not a part of the official Cydia market, which acts as an alternative to Apple's App Store.

Security researcher Stefan Esser has performed what's called a static analysis on the binary code that the reddit users isolated on compromised devices. In a blog post reporting the results, he said unflod hooks into the SSLWrite function of an infected device's security framework. It then scans it for strings accompanying the Apple ID and password that's transmitted to Apple servers. When the credentials are found, they're transmitted to attacker-controlled servers.

Reddit readers said unflod infections can be detected by opening the SSH/Terminal and searching the folder /Library/MobileSubstrate/DynamicLibraries for the presence of the Unflod.dylib file. Compromised devices may possibly be disinfected by deleting the dynamic library, but since no one so far has been able to figure out how the malicious file is installed in the first place, there's no guarantee it won't somehow subsequently reappear.


The link below has more information:-

Monday, April 21, 2014

Apparently, even the most secure cloud storage may not be so secure


Isn't that common sense?

If possible/practical, the simplest solution is to encrypt it before uploading to the cloud.



According to the article:-

Whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers' files and other data.

It's like discovering that your neighbors left their door unlocked. Maybe no one has stolen anything from the house yet, but don't you think they'd like to know that it would be simple for thieves to get inside?


The link below has more information:-

Thursday, April 17, 2014

SQL Injection attack - Still successful according to Ponemon Institute.

I guess it does not matter if Injection attack is #1 in the OWASP Top 10.


According to the article:-
52% of respondents said that their organizations don’t even test or validate third-party software they use to see if it’s vulnerable to SQL injection.


Other findings in the study include:

  1. Nearly half (46 percent) were familiar with the term “WAF Bypass”; 56 percent agreed or strongly agreed that determining the root cause of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices in the workplace (BYOD)
  2. 52 percent of respondents indicated that they don’t test or validate any third party software to ensure it’s not vulnerable to SQL injection
  3. 44 percent utilize professional penetration testers to identify vulnerabilities in their IT systems; but only a third (35 percent) of those penetration tests included testing for SQL injection vulnerabilities
  4. 88 percent of respondents had a favorable or very favorable opinion of the use of behavioral analysis technology for detecting SQL injection attacks
  5. 52 percent indicated they either had begun replacing or would be replacing their signature-based IT security systems with behavioral analysis based IT security systems within the next 24 months
  6. 49 percent said they would be using behavioral analysis based systems specifically for database transaction security


The link below has more information:-

Five Ways to Chase Away Your Best Analysts



If you are in security and related to incident response, this article is for you.
I personally have experienced a few of those listed here.

The link below has more information:-
http://ananalyticalapproach.blogspot.com/2014/04/five-ways-to-chase-away-your-best.html

Windows XP Support available, cheaper than expected (with strings attached) - Only for (Very) large customers


Looks like a good business move, but will these customers respect the timeline and move to the new version, particularly when they have sat on their ass for 10+ years?


According to the article:-

"We've made custom support more affordable so large enterprise organizations could have temporary support in place while they migrate to a more modern and secure operating system," a Microsoft statement admits.

But my sources tell me that the deals enterprises are getting on custom XP support are far better than seems possible. In fact, many companies are seeing a savings of over ten times. In one dramatic example, a large bank was able to haggle an $85 million annual contract for XP support down to just $3 million.


Microsoft COO Kevin Turner returned from a series of customer meetings in early April and alerted the Windows team that far too many of these customers were affected by XP's support expiration and that the firm would need to "effectively give away custom support" to accommodate a lengthier transition to more modern Windows versions. This decision was literally made in the final week leading up to the April 8, 2014 "XPocalypse."

The link below has more information:-

Another day, Another Credit Card Breach - Michaels



While web servers (and other applications) using OpenSSL are (Heart)Bleeding, credit card data breaches continue - Michaels had an 8-month-long breach leading up to 3 million cards.


According to the article:-

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. 

The company’s statement says the attack on Michaels’ targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”


This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. 

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.



The link below has more information:-


Wednesday, April 16, 2014

Finally LaCie admits that it had Credit Card Breach




According to the article:-

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software.

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.


The link below has more information:-

Should we trust Google?



My theory is - When a company provides free services - you are their product. They use your information to make money. From that point of view, Google is #1.


The following article brings forward what you always had in the back of your mind.


The link below has more information:-
http://www.infoworld.com/d/consumerization-of-it/too-big-trust-googles-growing-credibility-gap-239815

Tuesday, April 15, 2014

TrueCrypt - First phase of Audit finds no evidence of backdoor.



This is definitely good news as it is a popular tool used by everyone and let's hope the 2nd part of the audit has similar results.

Will this ever happen in a closed source world?
Will the vendors selling security products allow us to audit their products? After all,
  1. We are paying them millions purely based on trust
  2. We also know that many of them have been hacked before.


The link below has more information:-

Are you still on Android 4.1.1 /4.2.2 - Don't get bitten by the (HeartBleed) Bug.



According to the article:-
Chief among vulnerable devices are those running Android. While exploiting vulnerable handsets often isn't as simple as attacking vulnerable servers, the risk is high enough that users should tightly curtail use of their Android devices until users are sure their handsets aren't susceptible.


What's more, the threat of a vulnerable Android device being exploited by someone on the same Wi-Fi network as the targeted user, or by someone combining a Heartbleed attack with a separate exploit, should be enough to give people pause, even if they don't intend to visit banking sites or connect to Web-based e-mail or other sensitive services, Rogers counseled.



The link below has more information:-

http://arstechnica.com/security/2014/04/vicious-heartbleed-bug-bites-millions-of-android-phones-other-devices/

Monday, April 14, 2014

CSRF & XSS - Lethal Combo



A nice article on how this combination can be devastating.



Check it out:
http://www.acunetix.com/blog/web-security-zone/csrf-xss-brothers-arms

Gogo in-flight Wi-Fi provider - Voluntarily decided to turn your data over to the government.



How Nice!

And Gogo is not the only one.

According to the article:-

According to a letter Gogo submitted to the Federal Communications Commission, the company voluntarily exceeded the requirements of the Communications Assistance for Law Enforcement Act, or CALEA, by adding capabilities to its service at the request of law enforcement. The revelation alarms civil liberties groups, which say companies should not be cutting deals with the government that may enhance the ability to monitor or track users.


Although FCC rules “do not require licensees to implement capabilities to support law enforcement beyond those outlined in CALEA…,” Hastings noted, “[n]evertheless, Gogo worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests. Gogo then implemented those functionalities into its system design.

But it apparently is not the only company cutting deals with law enforcement. An FCC notice of proposed rule making (.pdf) published in December notes that Panasonic Avionics negotiated with law enforcement “regarding lawful interception … and network security functionality to be deployed” in the company’s eXConnect system, which provides Wi-Fi to American Airlines and United.

“The Gogo document and Panasonic documents really reflect this process of these companies sitting down with the government and making deals so the FCC wouldn’t get on their back. These are not agreements that are taking place in the sunlight. These are secret deals that are definitely not being made in the best interest of the public.”

The link below has more information:-


HeartBleed - One line of code - The entire world immersed in misery



Interesting...........


According to the article:-

On New Year's Eve in 2011, at one minute before 11pm, a British computer consultant named Stephen Henson finished testing a new version of a popular piece of free security software. With a few keystrokes he released OpenSSL version 1.0.1 into the public domain. Now, more than two years later, the events of that night have shaken the foundations of the internet.

What Henson didn't realise when he released the new version, is that he missed a tiny bug in a new feature called Heartbeat. This feature, written by a German graduate student named Robin Seggelmann, had the best of intentions.

Unfortunately, both Seggelmann and Henson missed the fact that this check can be abused to trick the listening computer into replying with up to 64 000 characters of data directly from its memory. The asking computer simply lies about the length of the word it is sending ("cat is 64 000 letters long"), and the replying computer doesn't bother to check – it just spits the data out of its memory.

And here's where it gets really ugly. That data can contain literally anything loaded into memory including passwords, email addresses and encryption keys. Instead of attacking the armoured car, the hackers now have a secret back door into the warehouse and the codes to the safe.
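As an added illustration of the excerpt above (this is not code from the article or from OpenSSL), here is a toy Python model of the heartbeat exchange: the vulnerable responder trusts the peer-supplied payload length and copies that many bytes out of a simulated memory buffer, while the fixed responder drops any message whose claimed length does not fit the record it actually received. The secret bytes placed after the record, the message layout constants and all function names are constructed for this example.

```python
"""Toy model of the Heartbleed over-read (added example, not OpenSSL code).

A TLS heartbeat message is laid out as
  type (1 byte) | payload_length (2 bytes, big-endian) | payload | 16 bytes padding
and the responder must echo payload_length bytes of payload back.  The
vulnerable code trusted payload_length; the fix checks it against the length
of the record that was actually received.  "Process memory" is simulated by a
bytes object in which the record is followed by data that must never leave.
"""
import struct
from typing import Optional, Tuple

HB_REQUEST = 1
HEADER_LEN = 1 + 2        # type + payload_length
PADDING_LEN = 16
MAX_PAYLOAD = 0xFFFF      # payload_length is a 16-bit field

# Constructed stand-in for whatever else happens to sit in the process's memory.
SECRET_NEIGHBOUR = (b"-----BEGIN PRIVATE KEY----- (constructed sample) "
                    b"user=alice password=hunter2 session=deadbeef")


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request; claimed_length may differ from len(payload)."""
    if not 0 <= claimed_length <= MAX_PAYLOAD:
        raise ValueError("payload_length must fit in 16 bits")
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def receive(record: bytes) -> Tuple[bytes, int]:
    """Simulate the record landing in memory next to other data.

    Returns (memory, record_length).  The responder only *knows* record_length,
    but can physically read past it, which is exactly what the bug exploits.
    """
    return record + SECRET_NEIGHBOUR, len(record)


def respond_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Pre-1.0.1g behaviour: copy payload_length bytes without checking it."""
    hbtype, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hbtype != HB_REQUEST:
        return b""
    # The copy runs for the attacker-chosen length, straight past the record.
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def respond_fixed(memory: bytes, record_length: int) -> Optional[bytes]:
    """1.0.1g-style fix: discard the message if payload_length does not fit."""
    if record_length < HEADER_LEN + PADDING_LEN:
        return None                                   # too short to be valid
    hbtype, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hbtype != HB_REQUEST:
        return b""
    if HEADER_LEN + payload_length + PADDING_LEN > record_length:
        return None                                   # "cat is 64 000 letters long": drop it
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def demo() -> dict:
    """Run an honest request and a lying one through both responders."""
    honest = build_heartbeat(b"cat", 3)
    lying = build_heartbeat(b"cat", 64000)
    return {
        "honest_vulnerable": respond_vulnerable(*receive(honest)),
        "honest_fixed": respond_fixed(*receive(honest)),
        "lying_vulnerable": respond_vulnerable(*receive(lying)),
        "lying_fixed": respond_fixed(*receive(lying)),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply!r}")
```

The lying request gets back "cat", the padding and then the neighbouring secret bytes from the vulnerable responder, and nothing at all from the fixed one.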


The link below has more information:-

Sunday, April 13, 2014

Was NSA exploiting the Heartbleed bug? - "YES" , according to Bloomberg



I am sure everyone had this in their mind, and now we have an answer.


According to the article:-

Friday afternoon, Bloomberg reported that the National Security Agency has been aware of and actively exploiting the Heartbleed bug for at least two full years, citing "two people familiar with the matter."


The link below has more information:-

IoT - More players, less (or no) security (anyone surprised?)


If you are surprised then you are not in IT Security.


According to the article:-

“Problem is that entrepreneurs are not security minded people. They have no experience with it and no budget,” he said. “And they don’t know why other people want to break their stuff.”

“The barrier to entry (for developers) is very low. It is cheap hardware with unlimited possibilities.”

They had found 19 vulnerabilities, including unencrypted storage of customer data, information leakage, poor password security, lack of authentication for customer data and poor mobile security in a single IoT device.



The link below has more information:-

Thursday, April 10, 2014

New Bill - Consumer Data Breach Protection Act - To make retailers financially responsible.

If there is no incentive to protect our data, they won't do it.
Now, there is one (in the form of a penalty).




According to the article:-

Banks and credit card companies have been stuck paying for the damages stemming from hacking of payment data in such crimes, but a new law introduced in California last week seeks to pass the buck right on back to the retailers that spawn the breaches.

The bill, AB 1710, would make retailers responsible for notifying customers of any data breach incident, as well as hold them liable for reimbursing customers' financial damages.

The link below has more information:-

HeartBleed (bug) - Not just websites, extends beyond them?



More bad news.

The article also has a few slides to explain the issue.


According to the article:-

Leaked memory could give attackers hints at how to take the axe to other software, turning known bugs that are currently seen as “hard to exploit” into easy kills.

In the cloud. If you're running VMs in a cloud environment: admins must find their cloud machines and make sure their code base isn't Heartbleed vulnerable.

End-users are going to have to be trained to check certificate issue dates, to make sure that their trusted services (like the bank) have re-issued their certificates.

Thousands of “shoestring budget” VPN concentrators in smaller businesses that will be vulnerable and probably won't be updated.




The link below has more information:-

Wednesday, April 9, 2014

CrowdResponse - A good example from SANS on signature detection with it



This would be a good example for those who have never used CrowdResponse.


Check it out:
http://digital-forensics.sans.org/blog/2014/04/09/signature-detection-with-crowdresponse

Split Tunnelling Debate - A never ending one



This article discusses both sides of the story

For corporate users with VPN access, this is a common debate.

My philosophy is again based on RISK. If split tunnelling poses certain risks, then they can be minimized.
If the organization wants to be security conscious and disable split tunneling, then:
  • They should have enough bandwidth
  • Proxy admins should be available to make exceptions for all the false positives and resolve all other issues that users face.

In my previous job, the nature of the business mandated that we enable split tunneling and we implemented a few compensatory controls to reduce the risk:
  1. Juniper SSL VPN (pure web traffic including RDP)
  2. Endpoint compliance check through Host Checker
  3. Selective (Ports / IP Address/ Users) Layer 3 Tunnel VPN with stricter Endpoint Check.


I guess everything boils down to layered security and remembering that our ultimate goal is to enable the business and part of that is keeping security transparent to users.



DISCLAIMER:

"I am not GOD so, I admit that I could be wrong anywhere between 0 - 100%"



The link below has more information:-

2013 (alone) - 552 Million user info compromised through data breach. (According to Symantec)



According to the article:-

Symantec detected a 91 percent increase in targeted attack levels in 2013.

Symantec reported 779 targeted attack campaigns in 2013, 16 percent of which were designed to infiltrate government departments. Professional services were the second most targeted group, attracting 15 percent of attacks.

The company detected 660,000 ransomware campaigns in December 2013.


The link below has more information:-

Heartbleed (bug) - What is it?



Here is an article with a few details.

According to the article:-

A scanner was released before anyone had chance to patch it and huge sites like Yahoo! Mail were vulnerable and exposing user passwords to anyone who used Heartbleed against it.


Hashing is irrelevant in this case, as the hash and hash comparison are done on the server side, so the plain text password is stored in memory at some point.

The bad part of it is that there’s no way to tell if it’s been exploited as there’s no crash, no damage, it just spits out the data to whoever runs the exploit.


The link below has more information:

Homeopathic remedies — they are useless for human health



According to the National Health and Medical Research Council of Australia.

According to the article:-

Homoeopathy is a 200-year-old form of alternative medicine based on the principle that substances that produce symptoms in a healthy person can be used to treat similar symptoms in a sick person.

The theory is that homeopathic remedies stimulate the body’s ability to fight infection by using molecules in highly diluted substances that retain a ‘memory’ of the original substance.


The NHMRC report also raised questions about how colleges that provide homoeopathy training could continue to meet government training rules and regulations, he said.


The link below has more information:-

Tuesday, April 8, 2014

For curious minds - DDoS checklist



Even if you are not involved with DDoS protection, this checklist might still be informative.



The link below has more information:-
http://blog.radware.com/security/2014/04/are-you-covered-heres-a-ddos-checklist-to-help-you-find-out/

OpenSSL Bug - Fix already available



Check here:

https://blogs.akamai.com/2014/04/fix-released-for-heartbleed-openssl-flaw.html

'Sysdig' Linux Troubleshooting tool - Something like strace + tcpdump + lsof + more



(from Darknet)
Sysdig captures system calls and other system level events using a Linux kernel facility called tracepoints, which means much less overhead than strace.

It then “packetizes” this information, so that you can save it into trace files and filter it, a bit like you would do with tcpdump. This makes it very flexible to explore what processes are doing.



Check it out:

http://www.sysdig.org/

OpenSSL Bug - Bad for websites



The strange part is that it appears to have been introduced in 2011, and known since March 2012.


According to the article:-

Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic.

User names, passwords and the actual content of the communications can also be read.


No man-in-the-middle techniques of interception are required to exploit the out-of-bounds memory bug, and attacks leave no trace on vulnerable systems.


The link below has more information:-

Monday, April 7, 2014

MDM Security is old news, it is time for IoT related issues.


Here is a first one that lists 6 issues that could affect enterprise security. Nothing new, but it lists the key concerns in one place.



According to the article:- 

1.  The IoT will create billions of new (insecure) end points
A vast majority will have little to no protection against common online attacks. The operating system, firmware and patch support that IT organizations have long been accustomed to, will not always be available with these devices.


2.  The IoT will inevitably intersect with the enterprise network
Regardless of whatever network segmentation techniques and air gaps that an enterprise might employ, there will be points where the IoT will intersect with the enterprise network. Those touch points will be highly vulnerable to attack.

"If you can hack into a web-enabled device which also happens to have connectivity to the corporate network or infrastructure, you can create a bridge to pass traffic back and forth," from the enterprise, Yoran said.

3.  The IoT will be a world of heterogeneous, embedded devices
The IoT universe will be very different from the layered software model to which IT and IT security groups are so accustomed.

For one thing, the devices themselves will be highly heterogeneous and IT will have a hard time getting everyone to use the same technology, Pescatore said.


4.  The IoT will enable physical and physiological damage
Hackers have already shown how IP-enabled insulin pumps, glucose monitors and pacemakers can be compromised to cause physiological damage to the wearer of such devices. Attacks like those enabled by Stuxnet show how physical equipment can be damaged via cyberattacks.

With the IoT, such attacks will also be possible against such products as cars, smart heating, ventilation and air conditioning systems, Web-enabled photocopiers, printers and scanners and virtually every other device with an IP address. The only reason that attackers haven't gone after such devices already in a major way is because there is so much other low-hanging fruit to attack, Sutton said.


5.  The IoT will create a new supply chain
"Like BYOD, traditional enterprises will need to adapt to developing policy and systems that integrate with and potentially manage many more devices than IT has ever worked with before,"


6.  The IoT will exacerbate the volume, stealth and persistence of online attacks
Companies that have experience managing complex technology integrations will be the ones most likely to succeed in an IoT environment, 


The IoT includes every device that is connected to the Internet. Dealing with the sheer scale of the problem could be a huge challenge for IT organizations.



The link below has more information:-


Zeus malware variant - Uses valid digital signature (claims Comodo)



According to the article:- 

What is alarming about this is that the file is digitally signed with a valid certificate, making it appear trustworthy at first glance. The digital certificate is issued to “isonet ag”.


There are three components to an attack launched by Zeus:
  1. The Downloader: Delivered to the user system by an exploit or an attachment in a phishing email. It will download the rootkit and malware component of the attack.
  2. The Malware: In this case it is a data stealer, the program that will steal valuable user data, login credentials, credit card info, etc. that the user keys into a web form.
  3. A Rootkit: A rootkit hides the installed malware component, protecting it from detection and removal.



The link below has more information:-

Experian Statement - It is NOT our fault (for legally letting someone access to data)


According to them, they just bought a company (to make money so, why bother about securing its data)




According to the article:- 

(Experian's Statements below)

No Experian database was accessed (and the company you bought is not Experian?)

Further, Experian’s only involvement was that it purchased the assets of a company, (so, you are not responsible for that company's security , how about the profit it generates?)

Court Ventures was selling the data in question to the criminal for over a year before Experian acquired (So, you did not bother checking)

Furthermore, any implication that there was a breach of 200 million records is entirely false and misleading – while the size of the database may be 200 million, that does not mean the total number of records were accessed. (do you have any proof ?)

Lastly, Experian discontinued the sales of this data immediately upon learning of the problem and worked closely with law enforcement to bring this criminal to justice (were you doing a favor? or did you have a choice NOT to do it?)


The link below has more information:-

Power Worm - Not your garden variety - This one uses Windows PowerShell.



Every day is exciting in the security world.


According to the article:- 

This particular threat arrives as an infected Word or Excel document, which may be dropped by other malware or downloaded/accessed by users. When opened, right away it downloads two additional components from two well-known online anonymity projects:  the Tor network, and Polipo, a personal web cache/proxy.


Using the installed Tor and Polipo software, it accesses its command-and-control server. The URL it uses contains two GUIDs, as seen below:

{C&C server}/get.php?s=setup&mom={GUID #1}&uid={GUID #2}
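As an added defender-side illustration (not Trend Micro's code or detection logic), here is a small Python scanner that flags web-proxy log lines whose request matches the beacon URL pattern quoted above. It assumes the two GUIDs are in the usual dashed 8-4-4-4-12 form (the article does not say), that the proxy log is space-separated as timestamp, client IP, method, URL, status, and the sample lines and the C&C host name are constructed.

```python
"""Flag proxy log lines matching the Power Worm check-in URL
    {C&C server}/get.php?s=setup&mom={GUID #1}&uid={GUID #2}
Added example; the GUID format and log layout are assumptions, not from the article.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Dashed 8-4-4-4-12 GUID, optionally wrapped in braces (assumed format).
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")


def is_powerworm_beacon(url: str) -> bool:
    """True if url has the shape {C&C}/get.php?s=setup&mom={GUID}&uid={GUID}."""
    parts = urlsplit(url)
    if not parts.path.endswith("/get.php"):
        return False
    query = parse_qs(parts.query)
    if query.get("s") != ["setup"]:
        return False
    for key in ("mom", "uid"):
        values = query.get(key, [])
        if len(values) != 1 or not GUID_RE.match(values[0]):
            return False
    return True


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, url) for every line whose request matches the beacon."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed line: skip rather than crash
        client_ip, url = fields[1], fields[3]
        if is_powerworm_beacon(url):
            hits.append((client_ip, url))
    return hits


# Constructed sample log; "cnc.example.invalid" stands in for the real C&C host.
SAMPLE_LOG = [
    "2014-04-07T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2014-04-07T10:01:07Z 10.0.0.5 GET http://cnc.example.invalid/get.php?s=setup"
    "&mom=3f2504e0-4f89-11d3-9a0c-0305e82c3301&uid=a1b2c3d4-e5f6-7890-abcd-ef1234567890 200",
    # Same path and parameter names, but the values are not GUIDs: not a match.
    "2014-04-07T10:02:11Z 10.0.0.9 GET http://www.example.com/get.php?s=setup&mom=notaguid&uid=1234 404",
    # Valid GUIDs but a different 's' value: not the setup beacon.
    "2014-04-07T10:03:00Z 10.0.0.7 GET http://cnc.example.invalid/get.php?s=ping"
    "&mom=3f2504e0-4f89-11d3-9a0c-0305e82c3301&uid=a1b2c3d4-e5f6-7890-abcd-ef1234567890 200",
]

if __name__ == "__main__":
    for ip, url in scan_proxy_log(SAMPLE_LOG):
        print(f"possible Power Worm beacon from {ip}: {url}")
```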

The link below has more information:-
http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-infected-using-windows-powershell

Attack of the drones - No Kidding.



We know we can hurt ourselves accidentally, but our trusting minds never imagine that it can be hacked and used with malicious intent. However, we always lock our house even when we have zero incidents of theft in the area.

Maybe it is because technology is changing at the speed of light and our brains haven't caught up with the threats that technology could pose.

Maybe there is an easier explanation:
A simple malfunction, and the vendor does not want to own it.

According to the article:- 

A competitor in an Australian triathlon apparently failed to complete an event over the weekend after being felled by an unmanned aerial vehicle.

The owner of the drone, a local outfit named “New Era Photography and Film”, told the site “it looks as though someone has hacked into our system.”



The link below has more information:-

Friday, April 4, 2014

TCP/IP could have been more secure, if the NSA had allowed it

This is coming from Vint Cerf, the Internet guru


According to the article:- 

Vint Cerf revealed that he did have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren't they used, then? The culprit is one that’s well known now: the National Security Agency.

Cerf told host Leo Laporte that the crypto tools were part of a classified project he was working on at Stanford in the mid 1970s to build a secure, classified Internet for the National Security Agency.

“During the mid 1970s while I was still at Stanford and working on this, I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends,” Cerf said. “So I was leading this kind of schizoid existence for a while.”

The link below has more information:-

http://blog.veracode.com/2014/04/cerf-classified-nsa-work-mucked-up-security-for-early-tcpip/

This is funny - Hacker uses SQL Injection to clear speeding record (I am not sure if this true)

Take a look at the picture in the article

http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/

Fly free without buying a ticket - By fooling the ticket scanner.

NOTE:
Europe's aviation authority disagrees and this has not been verified.

According to the article:- 

Andrew Hariton, an 18 year-old computer science undergrad from the University of Crete in Greece, revealed a bypass he claims affects the ticket scanners used before passengers step onto the jetway to board a plane.

Anyone with knowledge of the bypass can board a plane from a European Union airport to a destination of their choice by creating a fake boarding pass within Apple's Passbook app, he said.


The link below has more information:-

http://www.itnews.com.au/News/381803,hacker-holds-key-to-free-flights.aspx

Xbox password flaw discovered - by a 5 year old



By entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account


The link below has more information:-
http://www.bbc.co.uk/news/technology-26879185

Linux Distro - For anonymous browsing, email and other activity.



TAILS - This Linux distro is built for anonymity. All connections to the internet go through Tor and no traces are left on your computer.


Check It out:

https://tails.boum.org/

Surveillance by observing web cookies.




We all know that by collecting bits and pieces from the net one can build a profile; now that is taken to the next level, as web cookies provide many more details.


According to the Doc:- 

Our work starts with two insights. 

  1. The presence of third-party cookies on most web pages, albeit pseudonymous, can tie together all or most of a user’s web traffic without having to rely on IP addresses
  2. Although most popular web pages now deploy HTTPS for authentication, many web pages reveal an already logged-in user’s identity in plain text



You can download the PDF from the link below:-


Thursday, April 3, 2014

iOS Bug could allow deactivating "Find My iPhone"


Nasty one but..........
Apparently, not so easy (if that makes you feel better)



According to the article:- 



This is not good news for iPhone users, as it means that a thief can disable tracking for the device and can easily remove its owner's information.
At present, the only fix for this bug is to add a passcode to the device. Apple has yet to acknowledge the problem so it's unclear if a fix is coming, 

The link below has more information:-

I like the headline "Lower the ROI of hackers"


Meaning: make it hard for hackers.

Nothing new, but a good presentation of ideas (mainly data security and defence-in-depth).


According to the article:- 

That is the consensus of other experts. “If you make it more difficult and less rewarding for the non-targeted, financially motivated attacker, she or he will likely move on to an easier mark,” said Deena Coffman, CEO of IDT911 Consulting.

A few things that hackers are after and that need to be protected:

  • Credit cards remain a valuable asset for enterprises, “and the one that is easiest to sell.”
  • Customer emails, “are the foundation of any business. They are sold and rented on underground forums for a specific amount of money. Often they are sold to multiple cyber-criminals, so the profit, even if small, is constant.”
  • Source code is another asset that prompts mixed opinions. Coffman described its value as, “very high as the attackers now know how to compromise the application in a way that is unlikely to be detected.”
  • Corporate intellectual property (IP), which has, “a very limited set of buyers – the competitors of the company – so when it is targeted it is likely a nation state or a focused effort sponsored by a pre-identified buyer of the data.”
  • Social Security numbers (SSN) can be enormously valuable, “because we are still using them as a means for verifying identity



A few layers of protection:

  • Strong encryption
  • Install patches promptly
  • Focus more on restricting access
  • (I would also add endpoint protection)



The link below has more information:-

Incident Reporting - Measuring the right stuff


The author makes some good points that people tend to ignore.


According to the article:- 


Instead of starting with preconceived notions of what is or what should be, focus on:
  1. Connecting people to value: their own, as well as the value of others, the business, and how security helps protect what's important
  2. Context: finding a shared understanding of the current culture
  3. Conversation: listening and learning before telling, building relationships that guide and improve the overall cultural evolution



For metrics to be successful, they need to be:
  1. Accessible
  2. Actionable
  3. Auditable



The link below has more information:-


HOW TO - Symantec DLP - DLP Policy for Non-AD or random group of users - For EDM


Thought this might be useful.

The same article also contains a link for creating a policy for groups based on AD:

http://www.symantec.com/connect/articles/use-edm-create-dlp-group-policy

Another day another Data Breach - Latest news-maker is Samsung Boxee



Yielded 158,000 customer passwords!!!


According to the article:- 

Boxee’s main corporate page still contains an upbeat message about its recent deal with Samsung, and its social feeds contain no mention of the hack


The attackers posted an 800MB file of user data, and it was left to independent security researchers

The file appears to contain 172,000 email addresses, plus 158,128 cryptographically scrambled email addresses – as well as birth dates, IP addresses, message histories, and password changes.


The link below has more information:-

http://www.welivesecurity.com/2014/04/02/attack-on-samsungs-boxee-tv-service-leaks-158000-passwords-and-emails

FireEye (and AhnLab) - score low in NSS Lab test


I am sure marketing teams from both companies are already working overnight to prove how this report is biased or the test conditions were wrong.


According to the article:- 

NSS Labs gave the products from FireEye and AhnLab the bottom scores in this evaluation and an overall rating of “caution” to buyers. NSS Labs indicates the “caution” designation means products “offer limited value for money given the 3-year TCO [total cost of ownership] and measured security effectiveness rating.”


NSS Labs tested how well malware would be caught by the AhnLab MDS, FireEye’s Web MPS 4310 and Email MPS 5300, the General Dynamics’ product Fidelis XPS Direct 1000 , the Fortinet FortiSandbox 3000D, Cisco’s Sourcefire Advanced Malware Protection, and Trend Micro’s Deep Discovery Inspector Model 1000. NSS also tested for stability and reliability, and estimated the cost effectiveness of each product.

AhnLab MDS had a 94.7% security effectiveness and the FireEye breach-detection systems had 94.5%, which placed them below the other vendor products tested, which were said to range from 98% to 99.1% effective.

The test results indicate the lower score for AhnLab MDS arose in part because it “misidentified 7% of legitimate traffic as malicious (false positives),” plus detected only 94% of email malware, and 90% of exploits. It detected 100% of HTTP malware.

The FireEye MPS had a zero false positive rate as tested, but only detected 93% of exploits, 96% of email malware, and 95% of HTTP malware.



The link below has more information:-

New kid in the block - SANDROID - Android Botnet



Targets Android smartphone users who bank at financial institutions in the Middle East.

It has infected more than 2,700 phones and intercepted at least 28,000 text messages.


According to the article:- 

bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.



The link below has more information:-
http://krebsonsecurity.com/2014/04/android-botnet-targets-middle-east-banks/

In February - 5 Million Home Routers used in DNS Amplification Attack


According to the article:- 

24 million home routers have open DNS proxies which potentially expose ISPs to DNS-based DDoS attacks.

Using home routers helps mask the attack target making it harder for ISPs to trace the ultimate recipient of the waves of amplified traffic.

"Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies".
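The "open DNS proxy" condition is something a router owner or ISP can check for in logs. The block below is an added example of my own, not from the article or any vendor: it parses constructed dnsmasq-style log lines from a home router, flags queries that were answered on the WAN-facing interface from addresses outside the LAN (the open-proxy behaviour), and reports the response/query size ratio, which is the amplification factor an attacker gets from such a box. The interface names, LAN range and log format are assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed router DNS log (not from any real device). Each line records the
# receiving interface, source address, query name/type and the byte sizes of
# the query and the response the router sent back.
SAMPLE_LOG = """\
2014-02-10T12:00:01 iface=br0 src=192.168.1.20 qname=example.com qtype=A qlen=29 rlen=45
2014-02-10T12:00:02 iface=eth0 src=203.0.113.7 qname=isc.org qtype=ANY qlen=25 rlen=3223
2014-02-10T12:00:02 iface=eth0 src=203.0.113.7 qname=isc.org qtype=ANY qlen=25 rlen=3223
2014-02-10T12:00:03 iface=eth0 src=198.51.100.9 qname=ripe.net qtype=ANY qlen=26 rlen=2899
2014-02-10T12:00:04 iface=br0 src=192.168.1.31 qname=example.org qtype=AAAA qlen=29 rlen=57
2014-02-10T12:00:05 iface=eth0 src=203.0.113.7 qname=isc.org qtype=ANY qlen=25 rlen=3223
"""

LINE_RE = re.compile(r"iface=(\S+) src=(\S+) qname=(\S+) qtype=(\S+) qlen=(\d+) rlen=(\d+)")
WAN_IFACES = {"eth0"}                       # assumption: eth0 faces the ISP
LAN_NETS = [ip_network("192.168.1.0/24")]   # assumption: the only legitimate clients


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    iface, src, qname, qtype, qlen, rlen = m.groups()
    return {"iface": iface, "src": ip_address(src), "qname": qname,
            "qtype": qtype, "qlen": int(qlen), "rlen": int(rlen)}


def is_open_proxy_query(rec):
    """True when the router answered a query that arrived on the WAN side from
    an address that is not one of our LAN clients: the open-proxy condition."""
    from_lan = any(rec["src"] in net for net in LAN_NETS)
    return rec["iface"] in WAN_IFACES and not from_lan


def analyze(log_text, amp_threshold=10.0):
    """Summarise open-proxy answers and the amplification they provided."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    external = [r for r in recs if is_open_proxy_query(r)]
    per_source = Counter(str(r["src"]) for r in external)
    amplified = [r for r in external if r["rlen"] / r["qlen"] >= amp_threshold]
    max_amp = max((r["rlen"] / r["qlen"] for r in external), default=0.0)
    return {
        "total_queries": len(recs),
        "external_answered": len(external),
        "amplified": len(amplified),
        "max_amplification": round(max_amp, 1),
        "top_sources": per_source.most_common(3),
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Any non-zero `external_answered` means the router is an open proxy, regardless of volume; the fix is binding the resolver to the LAN interface only. The amplification ratio (here over 100x for an ANY query) is why a few million such devices add up to the attack volumes the article describes.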



The link below has more information:-

http://betanews.com/2014/04/02/millions-of-home-routers-expose-isps-to-ddos-attacks/

Wednesday, April 2, 2014

Liquor Chain Credit card breach - What's special - It started on 10/31/2012



The highlight is that the financial information was stolen in a sophisticated computer scam that persisted for a year and a half.


According to the article:- 

More than half a million customers at 34 liquor stores owned by Spec's may have had critical financial information stolen in a sophisticated computer scam that persisted for a year and a half, the company announced Friday.

"This was a very sophisticated attack by a hacker or hackers who went to great lengths to cover their tracks," spokeswoman Jenifer Sarver said. "It took professional forensics investigators considerable time to find and understand the problem then make recommendations for Spec's to fully address and fix them."



"I'm surprised the investigation went on so long without them discovering the root problem," said Erlin,

The link below has more information:-


Smart TV with Stupid Security


Philips Smart TV security feature highlights:

  1. WiFi Miracast feature is switched on by default.
  2. Has a fixed password
  3. Doesn't request permission for new WiFi connections.

and that's a Smart TV!!!!

The link below has more information:-

http://www.theregister.co.uk/2014/04/02/smarttv_dumb_vuln_philips_hardcodes_miracast_passwords/

SMS Authentication - Is it good enough?




We have two pieces of information.


  • SMS message is used for 2-factor authentication.
  • SMS messages can be intercepted.


So, how secure is it, and does it meet our needs?


The author evaluates it based on fundamentals like

  1. Requirement
  2. Simplicity
  3. Convenience (Ease of Use)
  4. Risk versus Rewards
  5. End result (Better or Worse than before)




The link below has more information:-

http://www.csoonline.com/article/2136755/security-leadership/why-you-need-to-rethink-the-benefits-of-sms-authentication-to-improve-security.html

Incident Response - 7 Tips on what you could do when you have an Incident



Here, the author refers to the Buffer site hack but offers a few general tips on incident response.


According to the article:- 

For most incidents, the initial response should be some flavor of the following steps:

  1. Understand, as quickly as possible, that you have an incident, and communicate this to internal and external shareholders. Obviously the decision about exactly who are the stakeholders is highly variable, depending on an incredibly long list of considerations – I wouldn't recommend everyone go public – in many cases that is exactly what not to do. But if the cat is out of the bag (that is, say, if a half-million of your customers are now advertising diet pills in their social media timelines), this decision may have been made for you.
  2. Understand, as quickly as possible, the initial scope of the incident (much of what you learn and assume in these early hours will be wrong, but you should work hard to get the most complete sense of what is happening and what systems are affected — you'll be coming back to this step repeatedly).
  3. Once you have a scope, devise a plan to, in this order, stop the bleeding, secure what you have, and re-assess the scope and breadth of the incident.
  4. Develop an understanding of your available resources as mapped to the plan you've just made, determine the Deltas between what you have and what you need. This requires a brutally honest self-assessment, and almost certainly must be something you've considered in advance; you can develop this awareness after the fact, but you're increasing exponentially the cost of the incident response — put another way, every dollar you spend doing this work in advance is worth $5 when the defecation hits the ventilation.
  5. Work with partners to fill the gaps between what you have and what you need. Rapidly.
  6. Repeat the last four steps until you feel you have positive control.
  7. Continue to communicate what you know, when you know it, to appropriate and appropriately growing groups of stakeholders. Don't make promises you can't keep or statements not based on fact, but don't shut up until you have facts if stakeholders are visibly or audibly nervous. "We have had a security incident that we understand has affected ____________, and with our staff and partners we are working quickly to determine the extent of the damage and we will report back regularly with progress," is much better than not saying anything and allowing speculation to fester.



The link below has more information:-

http://www.csoonline.com/article/2134108/emergency-preparedness/incident-response-matters.html

Disaster Recovery Preparedness - In a disastrous state.


3 in 4 companies at risk, failing to prepare for Disaster Recovery


According to the article:- 

(When Disaster Strikes)
  • More than one-third (36%) of organizations lost one or more critical applications, VMs, or critical data files for hours at a time over the past year, while nearly one in five companies have lost one or more critical applications over a period of days.
  • Even more alarming, one in four respondents said that they had lost most or all of a datacenter for hours or even days!
  • Reported losses from outages ranged from a few thousand dollars to millions of dollars with nearly 20% indicating losses of more than $50,000 to over $5 million


(How about the plan)
  • More than 60% of those who took the survey do not have a fully documented DR plan, and another 40% admitted the DR plan they currently have did not prove very useful when it was called on to respond to their worst disaster recovery event or scenario
  • When companies do test their DR plans, the results are most disturbing. More than 65% do not pass their own tests!


Full Report here:

Incident Response - 5 Useful Tips



Organizations spend money on prevention and detection, but most fail at IR.

So, IR has always been one of my favorite topics.


According to the article:- 

TIPS:
  1. Know your target data
  2. Document plans for various scenarios
  3. Establish a base of operations
  4. Nominate a single point of contact
  5. Update and maintain


Incident response is something that is developed and something that changes with the organization over time.

"So they spend all this time, and all this training, and all this education that they've got, and all the money that they invested in parameter defense, and even internal defenses, but they didn't spend a dime on incident response.
Incident response tends to be, in most cases, an ad-hoc thing that's put together as needed; it's almost like a volunteer fire department. The only difference is that the volunteer fire department is properly trained, they have the right processes, [and] they have the right tools."

Unless plans were developed and tested beforehand, then these common problems show themselves at the worst possible time; during an actual incident.

"What IT gets right is that they know their infrastructure. They know where their data of value is, they know ingress points [and] they know egress points. It's their network, they understand how it works. What they get wrong is they don't use the working knowledge that they have of the network to understand how an incident would occur,"

One of the often repeated problems with incident response is that organizations rarely understand those who are attacking them, what the attacker is looking for, and how they are trying to get it.

Knowing all the routes and access points to the critical data is a must, so that when something happens you can accurately flag the incident and deal with it appropriately.




No matter how good the plan is, it never survives its first real test. Make sure an after-action report is made, and that any mistakes, problems, or failures are learned from. Adjust plans and policies as needed.



The link below has more information:-


20 Famous Hacks - Vendors, some of them in the security business





Since yesterday's hack is old news today, our brains seem to forget those that happened the day before yesterday.



This slideshow should remind us that
  1. Security vendors don't "walk the walk"
  2. Our information stored by (any) vendor is always at risk.


So, let's be cautious: store less data and keep it encrypted (and don't lose the keys).


Slideshow Link:

Free Software - to Address top 4 critical controls and Prevent 85% of cyber-attacks



It is called "Qualys Top 4"

Try it because:

  1. Free
  2. Nothing to Install on your systems






According to the article:- 

Qualys Top 4 is a free tool that builds on the popular QualysGuard Cloud Platform, and enables customers to scan their environments to determine whether or not Windows PCs have effectively implemented the top four security controls:  

  1. Application Whitelisting—only allowing approved software to run
  2. Application Patching—keeping applications, plug-ins and other software up to date
  3. OS Patching—keeping operating systems current with the latest fixes
  4. Minimizing Administrative Privileges—preventing malicious software from making silent changes




The link below has more information:-

Would you believe this - NSS Labs claims IE better than other browsers in Malware detection


Fact is stranger than fiction

According to the article:- 


Microsoft's combination of application reputation technology and URL filtering gave Internet Explorer a malware block rate that blew past Google Chrome, Mozilla Firefox and Apple Safari.

The latest tests from NSS Labs showed IE with a 99.9 percent block rate for what the security tester calls socially engineered malware (SEM). Chrome had a rate of 70.7 percent while Firefox and Safari hovered around 4 percent.

Microsoft and Google use a combination of application reputation technology and URL filtering in detecting malware. The difference is Microsoft relies more on URL filtering, while Google does the opposite.


NSS Labs also tested three leading browsers from China. The Liebao Browser, developed by anti-virus vendor Kingsoft, came in second behind IE with a block rate of 85.1 percent.

Liebao surpassing Chrome is unexpected because most browser makers have turned toward application reputation, also called content-agnostic malware protection (CAMP), because it is believed to be the most effective.

The link below has more information:-

eBay ProStore vulnerability related to credit card took more than a month to fix.


Is that the fastest turnaround time they can manage?
Particularly when the flaw was found by an outsider.

According to the article:- 

Mark Litchfield, an infosec pro at Securatary, told us he discovered a flaw in eBay-owned ProStores that not only opened the door to store account hijackers, but also leaked "full access to all their customers PII [Personally identifiable information] as well as their full credit information in clear text."

"Like the gostorego vulnerability (also eBay), we could shop for free by giving ourselves store credit or gift cards or created our own orders for free," Litchfield told The Reg.

Securatary said it had reported the problem to eBay on 11 February but it was only fixed on 20 March. 

The link below has more information:-

njRAT (not New Jersey Rat) Malware - infects 24K computers, and is used by 487 groups.



This is the downside of (evil) code that can easily be ported or shared.


According to the article:-

"Symantec analysed 721 samples of njRAT and uncovered a fairly large number of infections, with 542 control and command (C&C) server domain names found and 24,000 infected computers worldwide," read the post.

"Nearly 80 percent of the C&C servers were located in regions in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya. 

The malware grants hackers basic powers, such as the ability to download and execute additional malware on infected systems, execute shell commands, read and write registry keys, capture screenshots, log keystrokes and hijack control of webcams.


The link below has more information:-


Wearable Tech - A third of the "early adopters" turn into "early droppers"



Apparently, marketing hype and reality are not in sync here.

I find one of the reasons funny (obviously painful to the buyer)

The other came from someone who definitely wanted it, and used it - but was disappointed when it was superseded within months by the newer version, released by Samsung at Mobile World Congress. "Is that the old one?" the owner was asked by informed friends


According to the article:- 

The advert was blunt: a second-hand Samsung Galaxy Gear smartwatch for sale, priced at "£100 ONO". For a device which cost £299 in September, surely that's a bargain?

Yet after a week advertised on the intranet of a non-technical organisation with more than 10,000 staff, it was still unsold.

That observation is strengthened by research from Endeavour Partners in the US, which found that one-third of American consumers who have owned a wearable product stopped using it within six months. What's more, while one in 10 American adults own some form of activity tracker, half of them no longer use it.


The link below has more information:-