Thursday, July 31, 2014

A new and more dangerous class of attack through USB.


We already knew of a few dangers from USB, but this one is scarier.



(From the article)

Nohl said his firm has performed attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.

Computers do not detect the infections when tainted devices are inserted because anti-virus programs are only designed to scan for software written onto memory and do not scan the "firmware" that controls the functioning of those devices, he said.
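The practical consequence of the two paragraphs above is that you cannot scan your way out of this: the firmware is not readable from the host, and a reprogrammed thumb drive simply enumerates as a keyboard (or a network adapter) in addition to, or instead of, a storage device. What a host can still see is the set of interface classes each device presents. The script below is an added example, not code from the article or from Nohl's firm; it parses the output of `lsusb -t` (the tree view from usbutils on Linux) and flags any single device that combines a Human Interface Device interface with a non-HID interface such as Mass Storage, and lists every HID device so it can be diffed against a baseline. The sample text is constructed to look like `lsusb -t` output; the class names and line layout are assumed to match usbutils.

```python
import re
import sys
from collections import defaultdict

# Root-hub line of `lsusb -t`, e.g.
#   /:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
BUS_RE = re.compile(r"^/:\s+Bus (\d+)\.")
# One interface line, e.g.
#   |__ Port 2: Dev 4, If 1, Class=Human Interface Device, Driver=usbhid, 480M
IFACE_RE = re.compile(r"Port \d+: Dev (\d+), If (\d+), Class=([^,]+), Driver=([^,]+)")

HID = "Human Interface Device"
# Interface classes that legitimately sit next to a HID interface on one device
# (hubs, and vendor-specific interfaces on keyboards with extra keys, for instance).
BENIGN_WITH_HID = {"Hub", "Vendor Specific Class", HID}


def parse_lsusb_tree(text):
    """Return {(bus, dev): {interface class names}} from `lsusb -t` output."""
    devices = defaultdict(set)
    bus = None
    for line in text.splitlines():
        m = BUS_RE.match(line)
        if m:
            bus = int(m.group(1))      # device numbers are only unique per bus
            continue
        m = IFACE_RE.search(line)
        if m and bus is not None:
            dev, _iface, cls, _drv = m.groups()
            devices[(bus, int(dev))].add(cls.strip())
    return dict(devices)


def suspicious_devices(devices):
    """Devices that expose a keyboard/mouse interface next to something else.

    A thumb drive that also enumerates as a keyboard is the shape of the attack
    described above: the storage side looks harmless, the HID side types commands.
    """
    findings = []
    for (bus, dev), classes in sorted(devices.items()):
        if HID in classes and (classes - BENIGN_WITH_HID):
            findings.append((bus, dev, sorted(classes)))
    return findings


def hid_devices(devices):
    """Every device with a HID interface, to diff against a known-good baseline
    (a new keyboard showing up on a server is worth an alert on its own)."""
    return sorted(key for key, classes in devices.items() if HID in classes)


# Constructed sample resembling `lsusb -t`: a keyboard (bus 1 dev 2), a plain flash
# drive (bus 1 dev 3), a hub with a mouse behind it, and on bus 2 a flash drive that
# also enumerates as a keyboard (bus 2 dev 4).
SAMPLE = """\
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
    |__ Port 2: Dev 4, If 0, Class=Mass Storage, Driver=usb-storage, 480M
    |__ Port 2: Dev 4, If 1, Class=Human Interface Device, Driver=usbhid, 480M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 3: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, 480M
    |__ Port 4: Dev 5, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 6, If 0, Class=Human Interface Device, Driver=usbhid, 12M
"""

if __name__ == "__main__":
    # Usage: lsusb -t | python3 usb_hid_check.py   (falls back to SAMPLE when run interactively)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for bus, dev, classes in suspicious_devices(parse_lsusb_tree(text)):
        print(f"bus {bus} dev {dev}: HID interface combined with {classes}")
```

Two caveats. The check runs after enumeration, so the device has already been bound to a driver by the time it reports; an allow-listing tool such as USBGuard, which decides before the kernel binds drivers, is the preventive control. And because the firmware controls what the device claims to be, anything descriptor-based is a heuristic: a device can present as a plain keyboard and still be malicious, which is why the baseline diff of HID devices matters as much as the composite-device rule.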

The link below has more information:-

Tuesday, July 29, 2014

Internet Of Things Contains Average Of 25 Vulnerabilities Per Device


The headline says it all.

However, it will not stop most people from adopting it; after all, we are not the target for hackers (really?).


(From the article)

what makes IoT devices different is their multi-faceted nature. "When you think about what all is involved in an Internet of Things device, you've got the device itself, network access, authentication, the Internet component; and all these pieces together are what stack up to be the Internet of Things device. If you're not looking at the big picture, you're missing a lot of stuff."

HP Security Research found an average of 25 vulnerabilities per device. Seven out of 10 of the devices when combined with their cloud and mobile applications gave attackers the ability to identify valid user accounts through enumeration. Nine out of 10 devices collected at least one piece of personal information through the device or related cloud or mobile app; and six of the devices had user interfaces vulnerable to a range of web flaws such as persistent XSS.

"It's not just cloud, it's not just the device, and it's not just network security," says Miessler. "People shouldn't view it as a one-dimensional problem."
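The "enumeration" finding in the HP excerpt above is worth a concrete look, because it is the cheapest of the listed flaws to fix and the one most often inherited from the cloud or mobile back end rather than the device. The code below is an added example, not HP's or any vendor's code: a constructed account store with a leaky login handler (different error text depending on whether the username exists, and hashing only done for real users, so timing differs too) next to a uniform one, plus the probe an attacker runs against each. The usernames, passwords and PBKDF2 work factor are made up for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; tune for your hardware


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed account table standing in for the device's cloud back end.
USERS = {}


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


register("alice", "correct horse battery staple")


def login_leaky(username, password):
    """Vulnerable: the message (and the response time, since hashing only
    happens for real users) tells the caller whether the username exists."""
    rec = USERS.get(username)
    if rec is None:
        return False, "no such user"
    if hash_password(password, rec["salt"]) != rec["hash"]:
        return False, "wrong password"
    return True, "ok"


# Hardened version: one failure message, and the same PBKDF2 work is done
# whether or not the username exists, so neither text nor timing separates
# "unknown user" from "bad password".
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def login_uniform(username, password):
    rec = USERS.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    match = hmac.compare_digest(hash_password(password, salt), expected)
    if rec is None or not match:
        return False, "invalid username or password"
    return True, "ok"


def enumerate_users(login, candidates):
    """The attacker's side: probe each candidate with a junk password and keep
    the ones whose failure message differs from the response for a name that
    certainly does not exist."""
    baseline = login("definitely-not-a-user-7f3a", "x")[1]
    return [u for u in candidates if login(u, "x")[1] != baseline]
```

The same rule applies to the registration ("username already taken") and password-reset ("email sent to that address") endpoints of the companion app, which are where enumeration usually survives after the login form has been fixed, and none of it replaces rate limiting on those endpoints.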

The link below has more information:-

At least half of the 50 most popular Android mobile apps have inherited security vulnerabilities through the reckless re-use of software libraries.

As long as we have
  • Compressed schedules
  • Functionality trumping security
  • Reckless programmers

the code will always be insecure.


(From the article)

More concerning is when “developers act intentionally,” Jarva said.

“Some people might have been providing a vulnerability on purpose in order to do something nasty” once the code has been distributed.

"Who are they working with? Do they have sideline jobs somewhere else? The developers might be getting their dollars from ad networks," Jarva said.


One in ten apps send either the user’s device ID (IMEI code) or location data to a third party, and one even sends the user’s mobile phone number. One in ten applications connected to more than two ad networks.

The study found that over 30 percent of the apps transmit private data in plain text and plenty more are not encrypting the transfer of this data to best practice.

“The issues are invisible to users,” Jarva said. “A lot of things are happening behind the scenes; it is only afterwards that they know what has been done.”



The link below has more information:-


Sunday, July 27, 2014

BYOD leads to BYOC (Bring Your Own Confusion)


Why? Maybe because:
  1. Security folks want to lock down access to corporate data
  2. Common folks don't want company security stuff on their device but like to access corporate data. (have the cake and eat it too?)

I think the common folks have not yet grasped the idea that their device is actually a computer, one they have no understanding of.

Security folks know that the devices are computers but don't have a proper security policy/procedures in place.


Don't believe me? Check below.


(From the article)

For instance, 98% of the IT managers surveyed said their companies had BYOD security polices in place. About a third said their companies required employees to install an IT-mandated security application on their mobile devices while 20% said that personal devices can access their corporate network only if the devices had the requisite security controls in place.

Yet, fewer than 20% of the IT managers surveyed said their companies had yet to create a way to enforce the policies.

Despite BYOD policies and controls IT managers say have been implemented at their companies, less than 20% of workers connected to corporate networks said they had installed a full security app on their personal devices.

The survey also revealed a reluctance on the part of workers to allow IT personnel to install security software on their devices.

More than half of the employees surveyed feared that the company would gain access to their personal data via corporate security tools. Some 46% of workers said they feared personal data would be lost if they left the company. The same number feared a company-mandated security app installed on personal devices would let managers track their location.

Nearly half of workers said they would stop using personal devices at work if they were required to install a company-mandated security application.


The link below has more information:-

Saturday, July 26, 2014

Built a botnet that generates US$1,750 a week using free cloud services:


This is not fiction; two researchers actually did it.

Moral of the story:
  • Cyberattacks might become more common.
  • Security is still our problem, not the cloud provider's.

(From the article)

They used automatic tools and processes to spread a currency-mining botnet across some 150 popular free services that each generated about 25 cents a day -- all on the providers' electricity bill.

The bot was built on free and fast tools including Mandrill and FreeDNS.afraid.org for email address registration, variations on public data breach databases, a custom program on Google App Engine, and Python Fabric to manage scripts controlling the hundreds of cloud instances.



The link below has more information:-


Interesting Idea - On-line advertising - Beat your competitors by exhausting their Online AdWord budget


Hmm, I am impressed.


(From the article)

fraudsters engage in an opposite scam involving AdWords, in which advertisers try to attack competitors by raising their costs or exhausting their ad budgets early in the day.

The service, which appears to have been in the offering since at least January 2012, provides customers both a la carte and subscription rates. The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitor's ads indefinitely.


The link below has more information:-

http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/

Thursday, July 24, 2014

Like it or not you are being (canvas) fingerprinted

Unless you are using the Tor Browser.


It is sad that there is not much choice against canvas fingerprinting.
As usual, browsers will find a solution and, after a few months, there will be another way to track us.


(From the article)


A lot of sites use AddThis, so a lot of users are being tracked, the article/research states 5% of the top 100,000 websites. So at least 5000 high traffic sites are capturing user data in this rather underhanded way.


It’s all pretty shady, but honestly we have to assume people are doing this type of stuff because one of the most valuable things you can create from the Internet is user data. Especially usage/consumption patterns, even if it doesn’t tie to specific humans – the data itself is very valuable to people making marketing decisions based on it.


The link below has more information:-


Wednesday, July 23, 2014

WireShark coloring rules with a few use cases


Short and sweet whitepaper from SANS

https://www.sans.org/reading-room/whitepapers/detection/wireshark-guide-color-packets-35272

Free poster - SANS Smartphone Forensics


Get it here

http://digital-forensics.sans.org/blog/2014/06/24/getting-the-most-out-of-smartphone-forensic-exams-sans-advanced-smartphone-forensics-poster-release

Attackers install a backdoor on an estimated 30,000 to 50,000 websites


Here is the strange part:

Attackers have exploited the bug to install a backdoor on an estimated 30,000 to 50,000 websites, some that don't even run WordPress software or that don't have MailPoet enabled, according to Daniel Cid, CTO of security firm Sucuri.

"To be clear, the MailPoet vulnerability is the entry point," he wrote in a blog post. "It doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website." In an e-mail to Ars, he elaborated:

The link below has more information:-

http://arstechnica.com/security/2014/07/mass-exploit-of-wordpress-plugin-backdoors-sites-running-joomla-magento-too/

Nmap - 3 part tutorial


A good one for beginners


Nmap Cheat Sheet: From Discovery to Exploits, 

Part 1: Introduction to Nmap
Part 2: Advance Port Scanning with Nmap And Custom Idle Scan
Part 3: Gathering Additional Information about Host and Network



Part-1
http://resources.infosecinstitute.com/nmap-cheat-sheet/

Part-2
http://resources.infosecinstitute.com/nmap-cheat-sheet-discovery-exploits-part-2-advance-port-scanning-nmap-custom-idle-scan/

Part-3
http://resources.infosecinstitute.com/nmap-cheat-sheet-discovery-exploits-part-3-gathering-additional-information-host-network-2/

Multi-faceted hack attack against Swiss banks


Looks like we have more and more creative people getting involved in hacking.
Or is it that crowdsourcing got better results?

From the Article

That tactic was accomplished by malware that manipulated a victim's DNS settings and installed an SSL certificate for the phishing sites before wiping itself clean to remove evidence of infection.

Users who fell for the email campaign and subsequently installed the malware would be prompted to install an Android app to purportedly secure their banking transactions, but which would serve to steal second-factor SMS tokens and ferry them off to an attacker's command and control server or mobile phone number.


Follow this link for additional details:

Tuesday, July 22, 2014

Another day another Breach - Now it is Goodwill (Victim 8)


I am getting tired of tracking these (check my list at the end).

(From the article)

According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards.

It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states.

Those same financial industry sources say the breach could extend back to the middle of 2013.

Financial industry sources said the affected cards all appear to have been used at Goodwill stores, but that the fraudulent charges on those cards occurred at non-Goodwill stores, such as big box retailers and supermarket chains. This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s.


The link below has more information:-

http://krebsonsecurity.com/2014/07/banks-card-breach-at-goodwill-industries/


Previous Victims: (Count started in March 2014)


7. SPEC Liquor Chain - Half a million cards (Lasted 18 Months)

6. Anonymous claims 800 million credit cards

5. California DMV

4. US Navy

3. Korea Telecom

2.  Comixology

1. Sally Beauty

BYOD - You thought you knew it all; how about 7.1 billion mobile subscriptions (did you expect this?)


It is normal to expect a disconnect between what we know and what is real.

Sometimes , there is a big disconnect.



Follow this link for additional details and get ready to be surprised:

http://www.darkreading.com/cloud/infographic-with-byod-mobile-is-the-new-desktop/a/d-id/1297436?image_number=1

Firefox OS - Now available on 7 devices in 15 countries


Not the greatest of news, but something good about my favorite company.



The link below has more information:-

http://www.theregister.co.uk/2014/07/17/firefox_os_global_expansion/

Monday, July 21, 2014

What is a PNR? It is something that contains your full credit card number and is sent to governments by booking agencies.


This one shocks me!


From the Article

My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain:

The IP address that I used to buy the ticket
My credit card number (in full)
The language I used
Notes on my phone calls to airlines, even for something as minor as a seat change

Follow this link for additional details:

Saturday, July 19, 2014

Re-use your passwords - Says Microsoft.


Not exactly; the suggestion is to re-use them on low-risk sites.
Still, I don't fully agree.


(From the article)

Now Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, have shot holes through the security dogma in a paper Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (PDF).

The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites.


The link below has more information:-

Thursday, July 17, 2014

You think only IT guys screw up? How about the guys who store viruses and bacteria?


The first paragraph from the article:
The same federal scientist who recently found forgotten samples of smallpox at a federal lab also uncovered over 300 additional vials, many bearing the names of highly contagious viruses and bacteria.


The link below has more information:-

http://www.koaa.com/news/300-vials-labeled-influenza-dengue-found-at-lab/

How many FAKE mobile apps are floating around - Almost a million (According to Trend)



Some are highly successful, here is a sample:
Scammers charged $3.99 for the fake app, which promised to prevent harmful apps from being installed. It was removed by Google after a few days, but not before it fooled thousands of users and even became a "top new paid app" in the Play Store. Trend said it was "perplexing" how the app achieved "top" status.


The link below has more information:-
http://www.computerworld.com/s/article/9249779/Almost_a_million_fake_apps_are_targeting_your_phone

Wednesday, July 16, 2014

LibreSSL not safe - Culprit is PRNG



I am not losing hope (yet)



(From the article)

The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.

The problem resides in the pseudo random number generator (PRNG) that LibreSSL relies on to create keys that can't be guessed even when an attacker uses extremely fast computers.
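The "catastrophic failure" in the linked report (Andrew Ayer's analysis of the portable Linux build) concerned the generator's behaviour around fork(): the Linux port detected a fork by comparing getpid() with the PID recorded at the last seeding, and separately fell back to weak seed material instead of failing when it could not read /dev/urandom. The first of these is easy to reproduce with a toy generator, which is what the block below does. It is an added example, not LibreSSL's code: a counter-mode hash stream standing in for the real cipher-based generator, a simulated fork() that copies state, a PID-only fork check, and the alternative of discarding inherited state unconditionally in the child (what a pthread_atfork child handler, or OpenBSD's MAP_INHERIT_ZERO mapping of the state, gives you). The PIDs and the fixed seed are constructed.

```python
import hashlib
import os
from copy import deepcopy


class PidCheckedPRNG:
    """Toy deterministic stream: output block i = SHA-256(key || i).

    Fork handling mimics a getpid()-based check: inherited state is only
    discarded when the current PID differs from the PID recorded at the
    last (re)seed.
    """

    def __init__(self, pid, seed=None):
        self.pid = pid
        self._reseed(seed)

    def _reseed(self, seed=None):
        # os.urandom stands in for reading /dev/urandom or getentropy().
        self.key = seed if seed is not None else os.urandom(32)
        self.counter = 0
        self.seeded_pid = self.pid

    def fork(self, child_pid):
        """Simulated fork(): the child starts with a byte-for-byte copy of the parent."""
        child = deepcopy(self)
        child.pid = child_pid
        return child

    def random_bytes(self, n):
        if self.pid != self.seeded_pid:   # the only fork detection: compare PIDs
            self._reseed()
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:n]


class AtforkPRNG(PidCheckedPRNG):
    """Same generator, but the child always throws away what it inherited."""

    def fork(self, child_pid):
        child = super().fork(child_pid)
        child._reseed()
        return child


FIXED_SEED = bytes(range(32))   # constructed: makes the grandparent's stream reproducible


def pid_collision(prng_cls):
    """Grandparent forks a child that never draws randomness; the child forks a
    grandchild whose PID, after wraparound, equals the grandparent's. Returns
    True if grandparent and grandchild then emit identical 'random' bytes."""
    grandparent = prng_cls(pid=1000, seed=FIXED_SEED)
    child = grandparent.fork(child_pid=1001)
    grandchild = child.fork(child_pid=1000)
    return grandparent.random_bytes(32) == grandchild.random_bytes(32)


def plain_fork_is_detected(prng_cls):
    """The easy case the PID check does handle: the child's PID differs from the parent's."""
    parent = prng_cls(pid=1000, seed=FIXED_SEED)
    child = parent.fork(child_pid=1001)
    return parent.random_bytes(32) != child.random_bytes(32)
```

The point of the grandchild scenario is that a PID comparison is a proxy for "did a fork happen", and the proxy fails exactly when PIDs are reused, which a long-running server that forks workers will eventually hit. Two processes then generate the same key material for, say, two different TLS sessions. Reseeding unconditionally in the child costs one read of OS entropy per fork and has no such corner case.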



The link below has more information:-

http://arstechnica.com/security/2014/07/only-a-few-days-old-openssl-fork-libressl-is-declared-unsafe-for-linux/

Apple + IBM - What happens when a giant in the consumer mobile computing space joins hands with a giant in the enterprise computing space.



Apple and IBM are coming together, which is good news for enterprise admins.
Apple devices have been the favorites of upper management, but there were not many players who would integrate them well with the IT space.

Now that IBM is here, we can expect something.
Since Apple is not cheap, I presume IBM's offering will not be either (was IBM ever inexpensive?).

(From the article)

The joint statement offered more detail, saying the partnership will provide:
  • More than 100 industry-specific enterprise solutions including native apps, developed exclusively from the ground up, for iPhone and iPad;
  • IBM cloud services optimized for iOS, including device management, security, analytics and mobile integration;
  • New AppleCare service and support tailored for the enterprise;
  • New "packaged offerings" from IBM for mobile device activation, supply and management


The link below has more information:-

Tuesday, July 15, 2014

FYI - 1 TB of data in a postage-stamp-sized memory device - RRAM


(From the article)

Rice University’s breakthrough silicon oxide technology will allow manufacturers to fabricate “resistive random-access memory” (RRAM) devices at room temperature with conventional production methods, the researchers say. In a new paper in Nano Letters, a Rice team led by chemist James Tour compared its RRAM technology to more than a dozen competing versions.



The link below has more information:-

http://www.kurzweilai.net/rices-silicon-oxide-memories-catch-manufacturers-eye

Monday, July 14, 2014

Crooks have been compromising hotel business center PCs with keystroke-logging malware



If you are surprised, then I am sure you are not in IT Security.


From the Article


“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.

“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests' personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”


The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. But don’t take my word for it. This maxim is among the “10 Immutable Laws of Security” as laid out by none other than Microsoft‘s own TechNet blog, which lists law #3 as: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”



Follow this link for additional details:


If you are using DropCam, you might want to read this



Moral of the story - Bug fixes and patch management are NOT common in consumer devices.





From the Article

They found that weaknesses in the devices could allow an attacker to view video and "hot-mike" audio on the cameras to spy on the targets, as well as inject their own video frames into the DropCam feed or freeze frames in order to hide malicious activity, such as a physical break-in.

Wardle and Moore say DropCam runs older software components, including the Heartbleed-vulnerable version of OpenSSL, and an outdated and unpatched version of BusyBox, an open source Unix toolkit typically found in embedded devices and Android devices.



Follow this link for additional details:

http://www.darkreading.com/dropcam-vulnerable-to-hijacking/d/d-id/1297275

Saturday, July 12, 2014

How questionnaires can have unexpectedly bad results in IT risk management (GRC)


I am not a big fan of questionnaires when it comes to GRC; I am happy that someone shares my sentiment.
Andrew also provides some important pointers.

Important lesson for GRC - garbage in will result in garbage out.



(From the article)

Do you sincerely believe that an incompetent person is going to respond to a questionnaire in a manner that highlights their incompetence? For example, imagine an incompetent or lazy system administrator.  His work is poor, his attention to detail weak, perhaps he is distracted with personal or financial problems.  On a questionnaire, it asks this system administrator to explain how often he checks systems for updated patches.  He knows that company policy mandates that every system is checked monthly.  However, he has not checked them in months.

Incompetent people often overstate and inflate their skill set, whereas highly competent people tend to understate their skills.

If the data gathered from staff does not paint a representational picture of the environment, then whatever risk analysis comes from that data is faulty.  This is merely a variant on the “garbage in, garbage out” cliché.

Threats are evolving so rapidly that what was important to the organization 12 months ago could be radically different now. As such, any questions written 12 months ago are not as relevant now. Standardization of questions assumes the threat landscape never changes.


The link below has more information:-

Friday, July 11, 2014

"Gameover Zeus" is back - This time with "Fast Flux Hosting"

Looks like it was aptly named Zeus (the Greek god) because it refuses to die.



From the Article

The company found that the malware shares roughly 90 percent of its code base with Gameover Zeus.

This new Gameover variant is stripped of the P2P code, and relies instead on an approach known as fast-flux hosting. Fast-flux is a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies, in a bid to make the botnet more resilient to takedowns.

Like the original Gameover, however, this variant also includes a “domain name generation algorithm” or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters).

In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmaster needs to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there.

“This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers and takedowns in history.”
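The DGA fallback described above works because the bot and the botmaster run the same deterministic function of the date, so neither needs to talk to the other in advance; the defender's advantage is that once the algorithm is reverse-engineered, the takedown team can compute the same list and sinkhole or pre-register it. The block below is an added illustration, not Gameover's actual algorithm (which is not reproduced here): a toy DGA keyed on the ISO week that produces the kind of long gibberish names the article mentions, the call a bot would make on a given date, and a cheap DNS-log heuristic for spotting such names. The seed constant, TLD set, label lengths and sample log lines are all constructed.

```python
import datetime as dt
import hashlib
import math
from collections import Counter

TLDS = ("com", "net", "org", "biz")
LETTERS = "abcdefghijklmnopqrstuvwxyz"
SEED = b"toy-dga-v1"   # constructed constant baked into bot and operator tooling alike


def weekly_domains(year, week, count=1000):
    """Toy DGA: the i-th domain for ISO week (year, week) is derived from
    SHA-256(SEED || year || week || i). Bot, botmaster and a defender who has
    the algorithm all compute the identical list."""
    domains = []
    for i in range(count):
        msg = SEED + year.to_bytes(2, "big") + bytes([week]) + i.to_bytes(2, "big")
        d = hashlib.sha256(msg).digest()
        length = 12 + d[0] % 9                          # 12..20 letters of gibberish
        label = "".join(LETTERS[b % 26] for b in d[1:1 + length])
        domains.append(f"{label}.{TLDS[d[31] % len(TLDS)]}")
    return domains


def domains_for(date):
    """The list a bot tries on `date` when its fast-flux servers are unreachable;
    the botmaster registers one of these, a sinkhole operator the rest."""
    year, week, _ = date.isocalendar()
    return weekly_domains(year, week)


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(domain):
    """DNS-log heuristic: long label, few vowels, high per-character entropy.
    It misses generated names that happen to be vowel-heavy and can flag some
    real brands, so use it to prioritise review, not to block."""
    label = domain.split(".")[0]
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio < 0.25 and shannon_entropy(label) > 3.0


# Constructed resolver log lines: "<timestamp> <queried name>".
SAMPLE_LOG = [
    "2014-07-11T09:00:01 krebsonsecurity.com",
    "2014-07-11T09:00:02 mail.google.com",
    "2014-07-11T09:00:03 kqzvxmtrlpwhgn.biz",
]


def triage(dns_log):
    """Queried names in the log that match the DGA heuristic."""
    return [name for _ts, name in (line.split() for line in dns_log) if looks_generated(name)]
```

Running `weekly_domains` for a week and piping it through `looks_generated` shows the limits of the heuristic: it catches a bit over half of the toy list and misses the rest, which is why real DGA detection leans on the reverse-engineered generator itself (exact match against the precomputed list) and on NXDOMAIN bursts from one host, rather than on string shape alone.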



Follow this link for additional details:

Thursday, July 10, 2014