Thursday, October 22, 2015

NTP attack - By rolling back the time


Interesting and simple:


From the article:


  • First Attack - Involves the use of a so-called Kiss-of-Death packet to exploit a rate-limiter built into NTP. The attacker can exploit this situation from anywhere (an off-path attack) by spoofing a single Kiss-of-Death packet and can stop a client from querying a server for years.
  • Second Attack - A denial of service attack where, even if the Kiss-of-Death packet vulnerability is patched, an attacker could still use the packet to disable NTP on the victim's client.
  • Third Attack - Requires an attacker to be in a man-in-the-middle position and able to hijack traffic to an NTP server using BGP or DNS hijacks. The attack rolls back time on the server's clients, circumventing a 16-minute panic threshold built into NTP, and allows an attacker to manipulate the client's cache and cause, for example, a cryptographic object to expire, they wrote.
  • The final attack is carried out by an off-path attacker and also rolls back time on the client side by exploiting problems in IPv4 packet fragmentation.
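The two ingredients the attacks above rely on (a Kiss-of-Death packet and a time step past the panic threshold) can be checked for on the client before the clock is touched. The block below is an added example written for this post, not code from the Threatpost article or the paper it covers; the 48-byte header layout follows RFC 5905, the 1000-second threshold is ntpd's default, and the MAX_SANE_POLL limit and the build_reply() sample packets are assumptions constructed for the demonstration.

```python
# Defender-side check of NTP server replies: flag Kiss-o'-Death packets and
# refuse any step larger than the ~16-minute panic threshold mentioned above.
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
PANIC_THRESHOLD = 1000          # seconds; ntpd's default step limit (~16 min)
MAX_SANE_POLL = 10              # assumption: alert if a KoD asks for > 2**10 s polls


def parse_ntp(packet: bytes) -> dict:
    """Parse the fixed 48-byte NTPv4 header (RFC 5905 layout)."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, _precision = struct.unpack("!BBbb", packet[:4])
    xmt_secs, xmt_frac = struct.unpack("!II", packet[40:48])  # transmit timestamp
    return {
        "mode": li_vn_mode & 0x07,
        "stratum": stratum,
        "poll": poll,                    # log2 of the poll interval the server wants
        "ref_id": packet[12:16],         # ASCII KoD code when stratum == 0
        "transmit": xmt_secs - NTP_EPOCH_OFFSET + xmt_frac / 2**32,  # Unix time
    }


def classify(packet: bytes, now: float) -> dict:
    """Return a verdict: "kod" (never a time source; alert if the requested poll
    is absurd), "panic" (offset beyond PANIC_THRESHOLD, refuse and alert) or "ok"."""
    p = parse_ntp(packet)
    if p["stratum"] == 0:
        # The off-path attack above is a spoofed KoD carrying a huge poll value,
        # so a KoD is logged as an event rather than obeyed blindly.
        return {"verdict": "kod", "code": p["ref_id"].decode("ascii", "replace"),
                "poll": p["poll"], "poll_suspicious": p["poll"] > MAX_SANE_POLL}
    offset = p["transmit"] - now
    if abs(offset) > PANIC_THRESHOLD:
        # A step this large is what lets an attacker expire or resurrect
        # certificates and other time-bounded objects on the client.
        return {"verdict": "panic", "offset": offset}
    return {"verdict": "ok", "offset": offset}


def build_reply(transmit_unix: float, stratum: int = 2,
                ref_id: bytes = b"GPS\0", poll: int = 6) -> bytes:
    """Constructed mode-4 server reply, used only as sample input here."""
    header = struct.pack("!BBbb", (4 << 3) | 4, stratum, poll, -20)  # LI=0 VN=4 mode=4
    secs = int(transmit_unix) + NTP_EPOCH_OFFSET
    # root delay, root dispersion, reference ID, three zeroed timestamps, transmit
    return header + struct.pack("!II", 0, 0) + ref_id + b"\0" * 24 + struct.pack("!II", secs, 0)
```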


For more info:
https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/

From Fitbit to Sickbit in 10 Seconds. This sickbit could also make other computers sick.


The good news is that it is supposed to be a proof of concept. (Do you feel safe?)


From the article:

A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.

This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.

For more info:
http://www.theregister.co.uk/2015/10/21/fitbit_hack/

Tuesday, October 20, 2015

Knowledge Is Power - PGP Desktop Video

This lesson looks at PGP Desktop features available such as Virtual Disk, PGP Zip, and the PGP Shredder.


Link:
http://www.symantec.com/connect/videos/pgp-universal-server-32-desktop-102-install-config-other-pgp-desktop-features

Basics - What is a VPN?



Link:
https://blogs.sophos.com/2015/10/19/what-is-a-vpn/

Knowledge Is Power - Symantec Endpoint Encryption (SEE) Videos




Link:

If you think you are using Google Chrome, check again: it could be "eFast Malware" in disguise



Nice, simple, but a very effective trick.



From the article:

According to security bloggers at Malwarebytes, the malware installs itself as the default internet browser and the default program for various popular file types, including .html, .jpg, .gif and .pdf, as well as a number of web links such as http, https and irc.


eFast is able to mirror the aesthetics of Chrome as it uses the same source code, available across the open-source project Chromium.

eFast places ads across existing web pages, linking to third-party e-commerce sites or other malicious platforms.


For More info:
https://thestack.com/security/2015/10/20/efast-malware-hijacks-browser-with-chrome-clone/

Hacking Chip-and-PIN is not "improbable" (according to EMVCo and the UK Cards Association) anymore.




All truth passes through three stages. 
First, it is ridiculed. 
Second, it is violently opposed. 
Third, it is accepted as being self-evident.
Arthur Schopenhauer, German philosopher (1788 – 1860)

From the article:


When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of the EMVCo and the UK Cards Association was to brand the attack as "improbable".

The FUNcard chip was programmed to intercept the POS systems' PIN query and return an answer that says that the PIN is correct.

The card itself didn't look suspicious - the "double" chip still allowed the card to be inserted into POS systems.

Thusly modified cards were used in France by a group of fraudsters that were ultimately arrested in 2011 and 2012 because they repeatedly used them at the same few locations.

According to Wired, the French authorities estimated that before getting arrested, they managed to spend nearly 600,000 euros.



For More info:

Monday, October 19, 2015

Center for Internet Security (CIS) presents the CIS Critical Security Controls for Effective Cyber Defense Version 6.0 - now available



Check it out:

The new Controls include a new Control for "Email and Web Browser Protections," a deleted Control on "Secure Network Engineering," and a re-ordering to make "Controlled Use of Administration Privileges" higher in priority. This version also includes a new metrics companion guide.

A study by the Australian government indicates that 85% of known vulnerabilities can be stopped by deploying the Top 5 CIS Controls.

Get it here:
http://www.cisecurity.org/critical-controls.cfm

Tuesday, October 13, 2015

Another day, Another Breach - Latest Victim is Dow Jones





From the article:

Attackers may have had access to the company’s systems as far back as August 2012, until July of this year. 



For more information:
https://threatpost.com/dow-jones-company-latest-financial-firm-hit-with-data-breach/115002/

Threatened with legal action - for trying to expose the vulnerability.


I guess the researcher should create an exploit and sell it in the black market.

Remember:

  1. Any system that claims to be secure but does not allow itself to be inspected is WORSE than an insecure system.
  2. In security what you don't know CAN HURT YOU.



From the article:

While the vendors' descriptions made large claims about how secure their cameras were, Gnesa found undocumented backdoors and remotely exploitable vulnerabilities.

He would have presented all of this information at next week's conference until he was threatened with legal action from an unnamed vendor of one of the cameras.

Garcia and a number of other researchers discovered that millions of vehicles were vulnerable to remote hacking and effective immobilisation.
When they presented their research to Volkswagen in 2013, they were promptly smacked with an injunction in the UK high court and their work was suppressed until recently.

For more information:
http://www.scmagazineuk.com/security-expert-cancels-talk-on-back-of-legal-threat/article/444136/

Monday, October 12, 2015

Nosey Smurf, Dreamy Smurf, Tracker Smurf, Paranoid Smurf - This scary stuff turns our smartphone into a spied-upon phone



Always presume that someone can collect information about you.
We cannot stop others from collecting our information, but we can definitely reduce how much they can collect.


From the article:

“Nosey Smurf” turns on a phone's microphone to use it for audio surveillance.
“Dreamy Smurf”, which he says can turn a phone on or off.
“Tracker Smurf” is a geo-location tool.
Another Smurf can operate a smartphone's camera.
“Paranoid Smurf” does its best to hide the activities of the other Smurfs.

The Smurf army arrives by TXT messages, Snowden says, without users ever being aware of the message or its payload arriving or altering their phones in any way.


For More info:
http://www.theregister.co.uk/2015/10/06/gchqs_smurf_army_can_hack_smartphones_says_ed_snowden/

Friday, October 9, 2015

Do you know how much information is in your Boarding Pass?


What you don't know CAN (sometimes) hurt you



From the article:

Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked 

The information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. 


For more info:
http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/

Monday, October 5, 2015

Another Day, Another Breach - It is Scottrade's turn



In security, one of the important rules is

"Prevention is Ideal but Detection is a MUST"


What bothers me is this line:
Scottrade claims that it didn’t find out about the breach until federal authorities contacted the company to tell them they were investigating “cybersecurity crimes” involving the theft of information from Scottrade and other financial services companies. 

First:
Scottrade is an investment and brokerage firm. In simple words, they deal with people's money.
Second:
They are not a brick-and-mortar company; they are an e-commerce company, yet they were not

So, why were they unable to detect the Breach?


From the Article:
The St. Louis-based company confirmed that information such as customers’ Social Security numbers, email addresses, and other data, were on the same system that was accessed, but that at this time it believes contact information was the main focus of the attack (really?).


When authorities arrested four men in Florida and Israel over the summer in connection to another financial services hack, the breach of JPMorgan Chase, court proceedings revealed the attack may have been the beginning of a complex spam email chain campaign. As part of a “multiyear campaign” the hackers were apparently hoping to leverage millions of spam emails to trick well-connected investors into investing in otherwise menial stocks. 

For more info:

Friday, October 2, 2015

If you are one of the 15 million T-Mobile customers affected, then you might want to read this





Here is a funny statement:
"Experian stored users' Social Security numbers and ID numbers in 'encrypted fields,' but admits that 'Experian has determined that this encryption may have been compromised.'"

So, the company to which we entrust our credit history and personal information has implemented encryption, but not in a secure way.

So, let's remember:
Encryption is NOT EQUAL to SECURITY.

It is just a technology; it can support security, but it is not security by itself.
We still need proper design, implementation and processes in place to get even one layer of security.
Defense in Depth is the key.

From the Article:
News broke last night however that any customers who applied for a credit check for service or device-financing over the last few years may have had their information compromised in the breach.

Specifically, information stored on a server at one of Experian’s business units pertaining to T-Mobile USA customers from Sept. 1, 2013 to Sept. 16, 2015 appears to have been accessed. 

Several years ago the credit agency indirectly sold a cache of consumer information to a Vietnamese national, Hieu Minh Ngo after he maintained he was a private investigator. Ngo essentially got access to a database of social security numbers for some 200 million Americans and then sold that information via identity theft websites. 

For more info:

Fingerprints stolen? - Sounds weird, but it happened. Now, have you thought of the consequences?



Nice one from my all-time favorite Security Guru


From the article:
The news from the Office of Personnel Management hack keeps getting worse. In addition to the personal records of over 20 million US government employees, we've now learned that the hackers stole fingerprint files for 5.6 million of them.

There are three basic kinds of data that can be stolen:

  1. The first, and most common, is authentication credentials.
  2. The second kind of data stolen is personal information.
  3. The third is biometric data.



The problem with biometrics is that they can't be replaced. So while it's easy to update your password or get a new credit card number, you can't get a new finger.

And we really don't know the future value of this data. If, in twenty years, we routinely use our fingerprints at ATM machines, that fingerprint database will become very profitable to criminals. If fingerprints start being used on our computers to authorize our access to files and data, that database will become very profitable to spies.

Not every use of biometrics requires the biometric data to be stored in a central server somewhere. Apple's system, for example, only stores the data locally: on your phone. That way there's no central repository to be hacked. And many systems don't store the biometric data at all, only a mathematical function of the data that can be used for authentication but can't be used to reconstruct the actual biometric. Unfortunately, OPM stored copies of actual fingerprints.

For More info:

Thursday, October 1, 2015

StageFright 2.0 - Affects 1 Billion Android devices?



Previously we only had to worry about the number of vulnerabilities.
Now, we also have to be concerned about the number of hosts that are affected and the level of expertise and awareness of the users.


From the article:

Stagefright is an over-privileged application with system access on some devices, which enables privileges similar to apps with root access. Stagefright is used to process a number of common media formats, and it’s implemented in native C++ code, making it simpler to exploit.


“That process, you would think, would be sandboxed and locked down as much as it could because it's processing dangerous, risky code, but it actually has access to the Internet,” Drake said. “Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I'd rather not have a service that's doing risky processing have Internet access.”


For More Info: