Monday, October 31, 2016

How to Avoid Kidnapping Children on Halloween

A useful guide....

from How to Avoid Kidnapping Children on Halloween

Leadership Course Experience: What to Expect

I know leaders are busy. Being faced with the opportunity to engage in a course to improve your leadership and communication creates a natural reaction: Leaders that invest in themselves set the standard for the people around them. But that means knowing you’re investing in an experience that gets results. That was the challenge I took […]

The post Leadership Course Experience: What to Expect appeared first on Security Catalyst.



from Leadership Course Experience: What to Expect

A High-End Card-Reading Device

An impressive Chinese device that automatically reads marked cards in order to cheat at poker and other card games....

from A High-End Card-Reading Device

Your Cloud Consultant Probably Sucks

There is a disturbing consistency in the kinds of project requests I’m seeing these days. Organizations call me because they are in the midst of their first transition to cloud, and they are spending many months planning out their exact AWS environment and all the security controls “before we move any workloads up”. More often than not some consulting firm advised them they need to spend 4-9 months building out 1-2 virtual networks in their cloud provider and implementing all the security controls before they can actually start in cloud.

This is exactly what you don’t want to do.

As I discussed in an earlier post on blast radius, you most definitely don’t want just one big cloud account/network with everything shoved in. This sets you up for major failures down the road, and will slow down your cloud initiatives to a degree that you lose many of the advantages of cloud. Here is why:

  • One big account means a bigger blast radius (note that “account” is the AWS designation; Azure and Google use different structures, but you can achieve the same goals). If something bad happens, like someone getting cloud admin credentials, the damage is massive.
  • Speaking of admins, it becomes very hard to write identity management policies that restrict admins to only their needed scope, especially as you add more and more projects. With multiple accounts/networks you have a better ability to segregate them and limit entitlements.
  • It becomes harder to adopt immutable infrastructure (using templates like CloudFormation or Terraform to define the infrastructure and build it on demand), since developers and admins will end up stepping on each other more often.
  • IP address space management and subnet segregation become really hard. Virtual networks aren’t physical networks. They are fundamentally managed and secured differently. What I end up seeing most organizations trying to do is shove in existing security tools and controls until it eventually falls down. In one recent case it became harder and slower to deploy things into the company’s AWS account than to spend months provisioning a new physical box on the existing network. That’s like paying for Netflix and trying to record Luke Cage on your TiVo so you can watch it when you want.

Those are just the highlights and the short version is that while you can start this way, it won’t last. Unfortunately, I’ve found that this is a surprisingly dominant recommendation from third-party “cloud consultants”, especially ones coming from the big firms. I’ve also seen Amazon Solution Architects (I haven’t worked with any from the other cloud providers) not recommend this practice, but go along with it if the organization is already moving that way. I don’t blame them, their job is to reduce friction and get customer workloads on AWS and changing this mindset is extremely difficult even in the best of circumstances.

Here is where you should start instead:

  • Accept that any given project will have multiple cloud accounts to reduce the blast radius. 2-4 is average, with dev/test/prod being separated and a shared services account. This allows developers incredible latitude to work with the tools and configurations they need while still protecting production environments and data as you pare down the number of people with administrative level privileges.
    • I usually use “scope of admin” to define where you need to draw the account boundaries.
  • If you need to connect back into the datacenter you still don’t need one big cloud account — use what I call a “bastion” account (Amazon calls these transit VPCs). This is the pipe back to your data center and then you peer your other accounts off of it.
  • You still might want/need one shared account for some workloads and that’s okay. Just don’t make it the center of your strategy.
  • A common issue, especially in financial services clients, is that outbound SSH is restricted from the corporate network. Thus the organization assumes they need to have a direct/VPN connection to the cloud network to enable remote access. You can get around this with jump boxes, software VPNs, and those bastion accounts/networks.
  • Another common concern is that you need a direct connection to manage security and other enterprise controls. In reality I find this is rarely the case, since you shouldn’t be using all the exact same tools and technologies anyway. This is more than I can squeeze into this post, but you should be adopting more cloud-native architectures and technologies. It isn’t that you are reducing security; on the contrary, you are often improving it, but you do need to adjust your existing policies and approaches.
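As an added illustration (this is example code, not something from the original post or from Securosis), here is what the scope-of-admin rule and the shared-services account look like once turned into concrete IAM policies: every workload account carries one admin role whose trust policy only accepts principals from the shared-services (identity) account, and only with MFA present; each admin group in that identity account is allowed to assume exactly one of those roles; and a check refuses any layout where one group holds admin in more than one environment. The account IDs, group names and role name are hypothetical.

```python
import json

# Constructed, hypothetical 12-digit account IDs for the illustration.
ACCOUNTS = {
    "shared-services": "111111111111",  # identity (and bastion/transit) account
    "dev": "222222222222",
    "test": "333333333333",
    "prod": "444444444444",
}

# Which IAM groups in the shared-services account may assume the admin role
# in each workload account. Scope of admin: one group, one environment.
ADMIN_GRANTS = {
    "dev": ["dev-admins"],
    "test": ["test-admins"],
    "prod": ["prod-admins"],
}


def trust_policy(identity_account, require_mfa=True):
    """Trust policy for the admin role inside a workload account: only
    principals from the identity account may assume it, and only with MFA."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{identity_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(target_account, role_name):
    """Permission policy attached to a group in the identity account: it may
    assume exactly one role in exactly one target account, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{target_account}:role/{role_name}",
        }],
    }


def build_layout(accounts, grants, role_name="OrgAdmin"):
    """Per workload account, the trust policy its admin role must carry; per
    group, the assume-role policies it gets in the identity account."""
    identity = accounts["shared-services"]
    roles = {env: trust_policy(identity) for env in grants}
    groups = {}
    for env, group_names in grants.items():
        for group in group_names:
            groups.setdefault(group, []).append(
                assume_role_policy(accounts[env], role_name))
    return roles, groups


def scope_violations(grants):
    """Groups that hold admin in more than one environment. Such a group
    collapses several accounts back into one blast radius."""
    seen = {}
    for env, group_names in grants.items():
        for group in group_names:
            seen.setdefault(group, set()).add(env)
    return {g: sorted(envs) for g, envs in seen.items() if len(envs) > 1}


if __name__ == "__main__":
    bad = scope_violations(ADMIN_GRANTS)
    if bad:
        raise SystemExit(f"scope-of-admin violations: {bad}")
    roles, groups = build_layout(ACCOUNTS, ADMIN_GRANTS)
    print(json.dumps({"roles": roles, "groups": groups}, indent=2))
```

The generated documents can be dropped into CloudFormation or Terraform as-is; the point of generating them from one table is that the layout (which account, which admins) is reviewed in one place, and the violation check runs before anything is applied.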

I’ll be writing a lot more on these issues and architectures in the coming weeks. In short if someone tells you to build out a big virtual network that extends your existing network before you move anything to cloud, run away. Fast.

- Rich

from Your Cloud Consultant Probably Sucks

Ten Years of Securosis: Time for a Memory Dump

I started Securosis as a blog a little over 10 years ago. 9 years ago, it became my job. Soon after that Adrian Lane and Mike Rothman joined me as partners. Over that time we’ve published well over 10,000 posts, around 100 research papers, and given countless presentations. When I laid down that first post I was 35, childless, a Research VP at Gartner still, and recently married. In other words, I had a secure job, and the kind of free time no one with a kid ever sees again. Every morning I woke up energized to TELL THE INTERNET IMPORTANT THINGS!

In those 10 years I added three kids, my two partners, and grew what may be the only successful analyst firm to spin out of Gartner in decades. I finished my first triathlons, marathon, and century (plus) bike ride. I started programming again. We racked up a dream list of clients, presented at all the biggest events, and built a collection of research I’m truly proud of, especially my more-recent work on cloud and DevOps, including two training classes.

But it hasn’t all been rainbows and unicorns, especially the past couple of years. I stopped training in martial arts after nearly 20 years (kids), had two big health scares (totally fine), and slowly became encumbered with all the time-consuming overhead of being self employed. We went through 3 incredibly time consuming and emotional failed acquisitions where the offers didn’t meet our goals. We spent two years self funding, designing, and building a software platform that every iota of my experience and analysis says is desperately needed to manage security as we transition to cloud computing, but we couldn’t get it over the finish line. We weren’t willing to make the personal sacrifices you need to in order to get funding unless you are already wealthy, and we couldn’t find another path.

In other words, we lived life.

A side effect, especially after all the effort I put into Trinity (you can see a video of it here), is that I lost a lot of my time and motivation to write during a period where there is a hell of a lot to write about. We are in the midst of the most disruptive transition in how we build, operate, and manage technology. Around seven years ago I bet big on cloud (and then DevOps), with both research and hands-on work. Now there aren’t a lot of people out there with my experience, but I’ve done a crappy job of sharing it. In part I was holding back to give Trinity and our cloud engagements an edge. In bigger part because essentially (co) running two companies at the same time and seeing one of them not make it was emotionally crushing.

Why share all of this? Why not. I miss the days when I woke up motivated to TELL THE INTERNET THOSE IMPORTANT THINGS. And the truth is, I no longer know what my future holds. Securosis is still extremely strong — we grew yet again this year and it was probably personally my biggest year yet. On the downside that growth is coming at a cost, where I spend most of my time traveling around performing cloud security assessments, building architectures, and running training classes. It’s very fulfilling work, but a bit of a step back in some ways. I don’t mind some travel, but most of my work now involves it and I don’t like spending that much time away from the family.

Did I mention I miss being motivated to write?

Over the next couple of months I’m going to brain dump everything I can, especially on cloud and DevOps. This isn’t for a paper. No one is licensing it, and I don’t have any motives other than to core dump everything I’ve learned over the past 7 years before I get bored and do something else. Clients have been asking me for a long time where to start in cloud security and I haven’t had anyplace to send them. So I’m putting up this page to collect all these posts in some relatively readable order. My intention is to follow the structure I use when assessing projects but odds are it will end up being a big hot mess. I’ll also be publishing most of the code and tools I’ve been building but was holding on to.

Yeah, this post is probably TMI, but we’ve always tried to be personal and honest around here. That is exactly what used to excite me so much I couldn’t wait to get out of bed and get to work. Perhaps those days are past. Or perhaps it’s just a matter of writing for the love of writing again instead of writing for projects, papers, or promotion.

- Rich

from Ten Years of Securosis: Time for a Memory Dump

Sundown EK: You Better Take Care

This post was authored by Nick Biasini

Over the last six months the exploit kit landscape has seen some major changes. These changes began with Nuclear ceasing operations in April/May and arrests in Russia coinciding with the end of Angler in June. Recently, Neutrino has been added to the list of exploit kits that have stopped being actively used in 2016. What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking trojans.

It's now time to turn to another exploit kit that is active on the landscape, Sundown. The Sundown exploit kit has previously been part of a second tier of exploit kits that includes Magnitude and Sweet Orange. These kits successfully compromise users, but typically are not accompanied by the advanced techniques and widespread use of the major exploit kits. That's not to say these kits aren't significant threats, but from a potential victim's perspective they historically have not had the reach of EKs such as Angler or RIG.


Over the course of several weeks, Talos focused research on Sundown activity and our findings were surprising. What we found was a kit that operated on a relatively small infrastructure footprint, but had what appeared to be one of the largest domain shadowing implementations we had ever seen. The campaign operated out of a handful of IPs, but we ended up finding in excess of 80K malicious subdomains associated with more than 500 domains leveraging various registrant accounts. This translates into a kit that will largely evade traditional blacklisting solutions. Sundown remained highly vigilant and the subdomains in use were recycled quickly to help avoid detection. In some cases, it appeared to be single-use domain shadowing, which is incredibly difficult to stop with blacklisting.

Overview

Sundown operates similarly to most other exploit kits. It's composed of a couple of parts: a landing page and an exploit page with a payload. With most exploit kits today, a gate is also commonly used as an initial point of redirection. Most victims are directed to exploit kits through two means: compromised websites and malicious advertising. This particular campaign relied primarily on compromised websites as the source of traffic.

As is the case with most compromised websites, an iframe is added somewhere on the web page that renders off screen, and the Sundown campaign was no different.
[Image: Gate redirection from compromised website]
This initial redirection points to the gate that was being used for this campaign. It's another shadowed domain that points to another page, shown below:
[Image: Exploit kit landing page from gate]
The highlighted portion is the actual redirection to the Sundown landing page. This landing page probes the user's system to determine whether it is potentially vulnerable and then delivers an exploit page with a malicious payload. The response from Sundown servers includes a field in the headers that clearly distinguishes it from other exploit kit traffic: Yugoslavian Business Network. This string is present in all landing page responses delivered from Sundown, a sample of which is shown below:
[Image: Sundown calling card: Yugoslavian Business Network]
Note that this is only found in the landing page responses and is noticeably missing from the exploit page responses.
[Image: Sample Sundown exploit page GET request]
There is one additional GET request found in the Sundown infection chain, for /undefined. This results in a 404 from the server before the exploit page is requested. As far as exploits are concerned, Talos has observed Sundown leveraging both Adobe Flash and Silverlight vulnerabilities to compromise victims. One interesting aspect is that they used standard extensions for those files: all requests for Flash files end in ".swf" and all Silverlight requests end in ".xap", which isn't particularly common for exploit kits, as they typically try to obfuscate the activity.
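The infection chain described above (the calling-card string in landing page response headers, the GET for /undefined that returns a 404, and an exploit fetch ending in .swf or .xap from the same host) is enough to write a small session-level detection. The following is an added example, not code from Talos or from the original post: it runs over a constructed proxy-style log. The log format, hosts and paths are made up, and the header name that carries the marker is an assumption (the post shows only the string, not which header it appears in), so the check matches the string in any response header value.

```python
from collections import defaultdict
from urllib.parse import urlsplit

YBN_MARKER = "Yugoslavian Business Network"
EXPLOIT_EXTENSIONS = (".swf", ".xap")  # Flash and Silverlight, served unobfuscated

# Constructed proxy-style records: client|host|method|path|status|response headers.
# Hosts, paths and the header carrying the marker are invented; the indicators
# themselves are the ones described in the write-up.
SAMPLE_LOG = """\
10.0.0.5|compromised-site.test|GET|/news/|200|Server: Apache
10.0.0.5|gate.shadowed-one.test|GET|/|200|Server: nginx
10.0.0.5|abc.shadowed-two.test|GET|/index.php|200|Server: Yugoslavian Business Network; Content-Type: text/html
10.0.0.5|abc.shadowed-two.test|GET|/undefined|404|Content-Type: text/html
10.0.0.5|abc.shadowed-two.test|GET|/dl/12.swf|200|Content-Type: application/x-shockwave-flash
10.0.0.7|cdn.legit-media.test|GET|/player.swf|200|Content-Type: application/x-shockwave-flash
10.0.0.9|z.shadowed-three.test|GET|/undefined|404|Content-Type: text/html
10.0.0.9|z.shadowed-three.test|GET|/q.xap?id=7|200|Content-Type: application/x-silverlight-app
"""


def parse_log(text):
    """Turn the constructed pipe-delimited log into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, method, path, status, raw_headers = line.split("|", 5)
        headers = {}
        for part in raw_headers.split("; "):
            name, _, value = part.partition(": ")
            headers[name.strip()] = value.strip()
        records.append({"client": client, "host": host, "method": method,
                        "path": path, "status": int(status), "headers": headers})
    return records


def is_exploit_fetch(path):
    """Sundown requested its Flash/Silverlight exploits with the real extensions."""
    return urlsplit(path).path.lower().endswith(EXPLOIT_EXTENSIONS)


def has_ybn_marker(headers):
    """The calling card can sit in any response header value."""
    return any(YBN_MARKER in value for value in headers.values())


def flag_sundown_sessions(records):
    """Group requests by (client, host) and return sessions showing the chain.

    The marker alone is decisive. Without it, require both the /undefined 404
    and an exploit fetch, so a lone legitimate .swf download is not flagged.
    """
    seen = defaultdict(set)
    for r in records:
        key = (r["client"], r["host"])
        if has_ybn_marker(r["headers"]):
            seen[key].add("ybn_marker")
        if r["path"] == "/undefined" and r["status"] == 404:
            seen[key].add("undefined_404")
        if r["method"] == "GET" and is_exploit_fetch(r["path"]):
            ext = urlsplit(r["path"]).path.rsplit(".", 1)[-1].lower()
            seen[key].add("exploit_" + ext)
    flagged = {}
    for key, indicators in seen.items():
        exploit = any(i.startswith("exploit_") for i in indicators)
        if "ybn_marker" in indicators or ("undefined_404" in indicators and exploit):
            flagged[key] = sorted(indicators)
    return flagged


if __name__ == "__main__":
    for (client, host), indicators in flag_sundown_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {', '.join(indicators)}")
```

On the sample above the first client is flagged on all three indicators, the third on the /undefined 404 plus a .xap fetch, and the legitimate .swf download on its own is left alone. Against a real proxy log, the same grouping key (client, host) is what matters: the subdomains change too fast to be worth keying on individually.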

Campaign

Based on this information, Talos began gathering data associated with this exploit kit. The first step was gathering the IP addresses that were hosting Sundown. These particular adversaries were using the same systems to host Sundown for extended periods of time. In our experience hunting exploit kits, the servers hosting the kits do not stay active for long. In the days of Angler this could be less than 12 hours and at most 48 hours. Some of the IPs that we have seen hosting Sundown have been active for weeks and in some instances months. This is unexpected, because IPs hosting this activity would normally be blocked by most security providers after a relatively short amount of time. The hosts serving Sundown for this particular campaign were exclusively hosted in the Netherlands. These providers were notified of the activity and, as of the writing of this blog, no response or action appears to have been taken by the providers.

Over the course of the investigation only 10 unique IPs were found associated with this campaign. We then began to investigate the DNS activity associated with these hosts and the findings were striking. Looking at the DNS activity for the IPs in question turned up in excess of 80K unique subdomains. One of the interesting aspects was how long these domains were seen as active; in most cases a domain was active for less than an hour. Additionally, there was not a lot of activity associated with the domains. Generally, it was less than a handful of requests for each subdomain, and in some cases just a single request was observed.
[Image: Sundown subdomain activity]
These subdomains were associated with several hundred different domains, the majority of which were owned by two distinct registrant accounts. Some of the domains were registered using privacy protection mechanisms, so there is no real way to know how many different registrant accounts were actually utilized by the adversaries.

Looking at the subdomain activity broken out by day led to an interesting finding. As shown below, the number of subdomains first seen in a given day reached a peak of slightly more than 4,300.
[Image: Count of unique Sundown subdomains by day]
For a 24 hour period this particular Sundown campaign was seen generating approximately 3 subdomains a minute for the entire day. This seemed like an unwieldy number of domains to create by hand, so we did a basic check, and it appeared that this particular Sundown campaign was actually using wildcard DNS records for the domains it had been leveraging instead of traditional domain shadowing. Shown below are a couple of DNS requests. The first is an actual Sundown domain that was seen compromising victims. The other two are made-up subdomains, including one that simply uses 'random' as the subdomain label.
[Image: Domain wildcarding examples]
As you can see, all of the domains in question resolved to the server that was hosting Sundown for that particular period. In previous campaigns involving other exploit kits we observed the exploit kit users actually creating the individual subdomains. Sundown is not using domain shadowing, but is instead using domain wildcarding to host its activity. There is an obvious downside to this technique, especially if you are leveraging a compromised registrant account: it impacts the core domain. If the domain you are using to host the kit is in active use, even for something as simple as a parked page, you may break it. Take for example a domain that is currently parked. Typically you would host that on www.domainname[.]TLD. The downside to wildcarding is that if someone now tries to resolve that particular name, it resolves to the malicious server, which was the case for these campaigns.
This also accounts for some of the results found in the data where www.domainname[.]TLD resolved both to the legitimate hosting and later to the Sundown server. It also explains the 23 million subdomains that were found during a deeper analysis of the IP addresses being used to host the Sundown activity.
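The "basic check" described above, whether random never-registered labels under a domain resolve to the same address as the known-bad subdomain, is easy to automate. The following is an added example, not Talos code: it takes the resolver as a function so it runs offline here against a constructed fake zone file, and the same function works unchanged against live DNS. Domain names and addresses below are invented.

```python
import random
import string


def random_label(length=12, rng=random):
    """A label nobody would have registered by hand."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def classify_subdomain_hosting(domain, known_bad_sub, resolve, probes=3, rng=random):
    """Distinguish wildcard DNS from domain shadowing for one domain.

    known_bad_sub: a subdomain label actually observed serving the kit.
    resolve(name): returns the A record as a string, or None on NXDOMAIN.

    wildcard:   random labels resolve to the same address as the bad label
                (a *.domain record, Sundown's case).
    shadowed:   only the bad label resolves; the attacker created individual
                records in the zone.
    mixed:      anything else (e.g. a wildcard pointing somewhere else).
    """
    bad_ip = resolve(f"{known_bad_sub}.{domain}")
    if bad_ip is None:
        return "unresolved"
    answers = [resolve(f"{random_label(rng=rng)}.{domain}") for _ in range(probes)]
    if all(ip == bad_ip for ip in answers):
        return "wildcard"
    if all(ip is None for ip in answers):
        return "shadowed"
    return "mixed"


def make_fake_resolver(zones):
    """Constructed stand-in for DNS. zones maps a domain to a dict with an
    optional "wildcard" address and optional explicit "records" {label: ip}."""
    def resolve(name):
        label, _, domain = name.partition(".")
        zone = zones.get(domain)
        if zone is None:
            return None
        records = zone.get("records", {})
        if label in records:
            return records[label]
        return zone.get("wildcard")
    return resolve


# Constructed zones: one wildcarded like the Sundown domains (note www has
# been dragged along to the kit's server), one shadowed the classic way.
FAKE_ZONES = {
    "wildcarded-example.test": {
        "wildcard": "198.51.100.10",
        "records": {"www": "198.51.100.10"},
    },
    "shadowed-example.test": {
        "records": {"www": "203.0.113.5", "a1b2c3": "198.51.100.10"},
    },
}


if __name__ == "__main__":
    resolve = make_fake_resolver(FAKE_ZONES)
    for domain, sub in (("wildcarded-example.test", "qwe"),
                        ("shadowed-example.test", "a1b2c3")):
        print(domain, classify_subdomain_hosting(domain, sub, resolve))
```

For live use, pass a wrapper around socket.gethostbyname that catches socket.gaierror and returns None; the random-label probes are cheap, and a wildcard answer is also the cue that the registrant's own www record may be affected, which is worth telling the domain owner when you report the abuse.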

As far as payloads are concerned, this particular campaign was seen exclusively delivering banking trojans. Banking trojans and ransomware are, not surprisingly, the payloads of choice for exploit kit users currently. These bad guys are interested in making money and right now ransomware and banking trojans are the best way to easily generate large amounts of revenue.

YBN Logo

Exploit kits are generally careful about which systems are served content from the server. For example, if you were to browse directly to an active landing page you would rarely be served any data. The kits are usually looking for a specific referer or other data points before serving content. The typical response is an empty file or an HTTP 404. During our investigation we attempted a GET request for a Sundown landing page without any parameters, and the results were surprising. Instead of empty data or a 404, content was actually returned.
[Image: Base64-encoded Sundown logo]
As you can see, there is a large base64-encoded blob present in a meta tag on the web page. When this blob is decoded you are left with another web page with two more base64-encoded blobs. Finally, after decoding everything, you are left with a clean web page with a background and an image.
[Image: Sundown YBN web page calling card]
It appears that the people behind Sundown have provided a nice logo for their organization, the Yugoslavian Business Network.

IOC

Domains
IP Addresses
Subdomains not included due to usage of domain wildcarding during campaign

Conclusion

The last couple of months have led to major shifts in the exploit kit landscape, with major players disappearing rapidly. We are now in a place where only a handful of exploit kits remain active, and kits that would previously have been part of a second tier of EKs have started to rise to prominence. Sundown is a far more widely distributed exploit kit than was initially thought. Even though it doesn't have a huge footprint from an infrastructure perspective, there are lots of users interacting with it.

There are some major differences between it and the other major kits we've seen in the past. The fact that they re-use exploits, wildcard domains, and don't take much effort to hide their kit from sight indicates that they either lack the sophistication we have seen from other kits or plainly don't care to hide their activity. It also shows that you don't need sophistication to compromise users. It will be interesting to watch how this landscape changes over the next six months to a year. It's obvious that there is a major opportunity for some motivated miscreants to enter the exploit kit market. Whether we've come to a point where this type of activity isn't worth the effort to develop and maintain remains to be seen. Stay tuned.

Coverage

The domains observed are blocked via Cisco’s domain reputation systems as soon as we see them, as are the files being used for exploitation in the wild.

For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.


from Sundown EK: You Better Take Care

Learning From Buggy WordPress Wp-login Malware

When a site gets hacked, the attack doesn’t end with the malicious payload or spam content. Hackers know that most website administrators will clean up the infection and look no further. Many go on to patch vulnerable software, change their passwords, and perform other post-hack steps. All of this is good, but hackers who follow through the sustainment phase of the attack also leave behind ways to easily reinfect the site.

After breaking into a website, hackers want to make sure they still have access if the original security hole is closed.

Continue reading Learning From Buggy WordPress Wp-login Malware at Sucuri Blog.



from Learning From Buggy WordPress Wp-login Malware

IoT-based Linux/Mirai: Frequently Asked Questions

Ever since the Mirai DDoS attack was launched a few weeks ago, we have received a number of questions that I will try to answer here. If you have more follow-up questions, please let me know! Who is the Author of Mirai? The presumed developer goes under the pseudonym of 'Anna Senpai' on Hackforums - an English-speaking hacker forum. His/her account on the forum is recent (July 2016) and was probably created when he/she started working on Mirai. For example: July 10 - Begins "killing QBots" August...

from IoT-based Linux/Mirai: Frequently Asked Questions

PREDATOR

PREDATOR – Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration, described in the released paper, details a newly developed capability to predict bad behavior (in this case criminally bad behavior) with the use of analytics at the time of domain registration. Created by Nick Feamster, Shuang Hao, Alex Kantchelian, Brad Miller and Vern Paxson. Outstanding.

"Princeton professor Nick Feamster and University of California Santa Barbara PhD student Shuang Hao worked with Alex Kantchelian (UC Berkeley), Google's Brad Miller and Vern Paxson of the International Computer Science Institute to create PREDATOR – Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration...." "The important numbers are: the researchers say PREDATOR identified 70 per cent of domain registrations that were later abused; and they claim a false positive rate of just 0.35 per cent." - via El Reg's Richard Chirgwin


from PREDATOR

Scary security: Halloween costume ideas from the EFF and us

The privacy rights organization's got you covered, from a facial recognition algorithm grid to a privacy badger. We had a few ideas too!

from Scary security: Halloween costume ideas from the EFF and us

Sunday, October 30, 2016

iOS exploit that flooded 911 call centres

Summary by Shaun Nichols for The Register of the story behind the exploit that caused 911 centres around Phoenix to be flooded with ‘emergency calls’: Lad cuffed after iOS call exploit knocks out Arizona 911 center

David Harley

from iOS exploit that flooded 911 call centres

Your AppleID is NOT expiring today

Graham Cluley describes a ‘smishing’ campaign (phishing via SMS texts) targeting Apple iOS users, trying to persuade them to access a malicious URL by telling them that ‘Your AppleID is die to expire Today’. As the clocks go back, UK Apple users targeted by smishing campaign – Think before you click, and you too can […]

from Your AppleID is NOT expiring today

As the clocks go back, UK Apple users targeted by smishing campaign

As Brits slept, the phishing gangs were up to their old tricks - spamming out SMS messages purporting to be warnings from Apple that our Apple IDs were due to expire today, and that we should act quickly.

from As the clocks go back, UK Apple users targeted by smishing campaign

Liquidmatrix Security Digest TV – mini0x0B

  • AIs make their own crypto: http://arstechnica.com/information-technology/2016/10/google-ai-neural-network-cryptography/
  • George Hotz folds: https://www.google.ca/amp/www.theverge.com/platform/amp/2016/10/28/13453344/comma-ai-self-driving-car-comma-one-kit-canceled
  • Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security: https://www.sigsac.org/ccs/CCS2016/wp-content/uploads/2016/08/Open-TOC-CCS.html
  • Hillary email investigation reopened: https://www.google.ca/amp/s/www.washingtonpost.com/amphtml/news/post-nation/wp/2016/10/28/read-the-letter-comey-sent-to-fbi-employees-explaining-his-controversial-decision-on-the-clinton-email-investigation/

The post Liquidmatrix Security Digest TV – mini0x0B appeared first on Liquidmatrix Security Digest.



from Liquidmatrix Security Digest TV – mini0x0B

BSides Augusta 2016 – Jason Smith’s ‘Network Situational Awareness with Flow Data’


from BSides Augusta 2016 – Jason Smith’s ‘Network Situational Awareness with Flow Data’

“Malware Can Hide, But It Must Run”

Article originally posted in forensicfocus.com Author: Alissa Torres It's October, haunting season. However, in the forensics world, the hunting of evil never ends. And with Windows 10 expected to be the new normal, digital forensics and incident respo...

from “Malware Can Hide, But It Must Run”

Saturday, October 29, 2016

Friday Squid Blogging: Squid Nebula

Beautiful.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.



from Friday Squid Blogging: Squid Nebula

Friday, October 28, 2016

Connect Technical Boot Camp offers latest HPE NonStop and HPE Data Security news


The Connect NonStop Technical Boot Camp is the most comprehensive technical education and training event dedicated exclusively to the global Hewlett Packard Enterprise NonStop community.  Information and content for this event is driven by NonStop users for NonStop users. This year the HPE Security – Data Security team will be there in force, and we’ll be presenting 5 sessions at the event.



from Connect Technical Boot Camp offers latest HPE NonStop and HPE Data Security news


What’s Scary About Your Data – Ending National Cybersecurity Awareness with Data Breach Scream

Halloween is nearly upon us. It’s the time of year when individuals are captivated by haunts, horrors, creepy-crawlies and things that go bump in the night. But amid the spooktacular festivities, you may be forgetting one of the scariest things of all – your data. Back in July, we released the results of a survey on what Americans most feared getting hacked. Our survey revealed that participants most fear the hacking of their cars (61%) and home security cameras (also […]

The post What’s Scary About Your Data – Ending National Cybersecurity Awareness with Data Breach Scream appeared first on Data Security Blog | Vormetric.



from What’s Scary About Your Data – Ending National Cybersecurity Awareness with Data Breach Scream

Australian Red Cross apologizes for largest Aussie data breach to date

The Australian Red Cross Blood Service has apologized for the country's largest data breach to date. David Bisson reports.

from Australian Red Cross apologizes for largest Aussie data breach to date

BSides Augusta 2016 – Andrew Morris’ ‘Flaying out the Blockchain Ledger for Fun, Profit, and Hip Hop’


from BSides Augusta 2016 – Andrew Morris’ ‘Flaying out the Blockchain Ledger for Fun, Profit, and Hip Hop’

A Blog of the Past – Missing Pieces – Mergers & Acquisitions

As the cyber security industry grows and data breaches continue to fill up the news, due diligence in mergers and acquisitions has become a very vital piece of negotiations. Today we bring back a blog from earlier this year that … Continue reading

The post A Blog of the Past – Missing Pieces – Mergers & Acquisitions appeared first on AsTech Consulting.



from A Blog of the Past – Missing Pieces – Mergers & Acquisitions


CSM Passcode: Flaws in connected cameras, recorders broader than bad passwords


from CSM Passcode: Flaws in connected cameras, recorders broader than bad passwords

What applications are best for RASP?


Interested in using Runtime Application Self-protection (RASP), but unsure of where to begin?  Which applications are best for applying this monitoring and protection capability? Are there best practices? Read this blog post for more information!



from What applications are best for RASP?

Joomla Exploits in the Wild Against CVE-2016-8870 and CVE-2016-8869

Exactly 3 days ago, the Joomla team issued a patch for two high-severity vulnerabilities that allow remote users to create accounts and elevate their privileges on any Joomla site. Both issues combined give attackers enough power to easily upload backdoor files and take complete control of the vulnerable site.

A few hours after the patch was released, we were able to reverse-engineer it. We created an internal-only tool that allowed us to exploit the vulnerability and upload a backdoor.

Continue reading Joomla Exploits in the Wild Against CVE-2016-8870 and CVE-2016-8869 at Sucuri Blog.



from Joomla Exploits in the Wild Against CVE-2016-8870 and CVE-2016-8869

Eavesdropping on Typing Over Voice-Over-IP

Interesting research: "Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP":

Abstract: Acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, spectral and temporal properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed relatively strong adversary models that are not very practical in many real-world settings. Such strong models assume: (i) adversary's physical proximity to the victim, (ii) precise profiling of the victim's typing style and keyboard, and/or (iii) significant amount of victim's typed information (and its corresponding sounds) available to the adversary.

In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim's input: keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge on the victim's typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to a still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard.) Finally, we provide evidence that the Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack.

News article.



from Eavesdropping on Typing Over Voice-Over-IP

How Powell's and Podesta's E-mail Accounts Were Hacked

It was a phishing attack.



from How Powell's and Podesta's E-mail Accounts Were Hacked

Thursday, October 27, 2016

Hardware Bit-Flipping Attacks in Practice

A year and a half ago, I wrote about hardware bit-flipping attacks, which were then largely theoretical. Now, they can be used to root Android phones: The breakthrough has the potential to make millions of Android phones vulnerable, at least until a security fix is available, to a new form of attack that seizes control of core parts of the...

from Hardware Bit-Flipping Attacks in Practice

DDoS Attacks Dominate News, Spark Calls for Regulation

Last week’s massive distributed denial-of-service (DDoS) attacks, which made popular websites and services inaccessible to users across the East Coast and elsewhere, have since led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks. In fact, the attack against… Read More

from DDoS Attacks Dominate News, Spark Calls for Regulation

Social-Engineer Newsletter Vol 06 – Issue 85

  Vol 06 Issue 85 October 2016 In This Issue Your Old Password Has Been Sold, So What? Social-Engineer News Upcoming classes THE NEWS As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that. Check out the schedule of upcoming training on Social-Engineer.com Continue Reading >

The post Social-Engineer Newsletter Vol 06 – Issue 85 appeared first on Security Through Education.



from Social-Engineer Newsletter Vol 06 – Issue 85

How to Protect Against Mobile Malware

IBM Security recently released a white paper on the mobile malware threat, which included general guidance on managing the mobile threat and an overview of IBM’s MaaS360 Mobile Threat Management tool. I thought it was good advice and well worth sharing.


According to Arxan Technologies, 97% and 87% of the top paid Android and iOS apps, respectively, have been hacked and posted to third-party app stores.
Mobile Security Guidance (by IBM Security)
  • Educate Employees about Application Security: Educate employees about the dangers of downloading third-party applications and the potential dangers that can result from weak device permissioning.
  • Protect BYOD devices: Apply enterprise mobility management capabilities to enable employees to use their own devices while maintaining organisational security.
  • Permit Employees to download from Authorised App Stores Only: Allow employees to download applications solely from authorised application stores, such as Google Play, the Apple App Store and your organisation’s app store, if applicable.
  • Act Quickly when a Device is Compromised: Set automated policies on SmartPhones and tablets that take automatic action if a device is found compromised or malicious apps are discovered. This approach protects your organisation’s data while the issue is remediated.


from How to Protect Against Mobile Malware

The Most Dangerous Threat Is the One You Can’t See

Jody Ma Kissling
Oct 27, 2016
Don’t Stretch SIEM Beyond its Capabilities for Contextual Security Analytics
Technology and the networks that support them are becoming more complex, and threats are quick to take advantage of them to steal valuable...


from The Most Dangerous Threat Is the One You Can’t See

Mozilla pushes the White House to do more to prevent cyberattacks

Two senators are also calling on the government for new policies to ensure the discovery, review, and sharing of security vulnerabilities.

from Mozilla pushes the White House to do more to prevent cyberattacks

Profile of a Hacker

As the hacktivist community continues to grow and evolve, so do the tools and services at a hacker’s disposal. The digital divide between skilled and amateur hackers continues to grow. This separation in skill is forcing those with limited knowledge to rely solely on others who are offering paid attack services available in marketplaces on […]

The post Profile of a Hacker appeared first on Radware Blog.



from Profile of a Hacker

RSA Conference 2016 Abu Dhabi: Know Before You Go

RSA Conference 2016 Abu Dhabi kicks off in just a few weeks, and we've created a program that brings together some of the sharpest cybersecurity minds on the international scene to share information, network with peers, and learn about the latest and greatest new technologies. The week kicks off with our Learning Lab and Security Foundations Seminar on Monday. Cyber-Crisis Response—Live Exercise Scenario is an exercise designed to explore how governments, the private sector, and others can work together to respond to a crisis with direct impact on human life, public safety and key markets. The …

from RSA Conference 2016 Abu Dhabi: Know Before You Go

Agiled

from Agiled

Liquidmatrix Security Digest TV – mini0x09

Machine Learning Appsec testing – http://www.slideshare.net/babaroa/code-blue-2016-method-of-detecting-vulnerability-in-web-apps Mozilla doesn’t trust Ernst & Young audits of CAs – https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

The post Liquidmatrix Security Digest TV – mini0x09 appeared first on Liquidmatrix Security Digest.



from Liquidmatrix Security Digest TV – mini0x09

Wednesday, October 26, 2016

OPM Attack

Good long article on the 2015 attack against the US Office of Personnel Management.



from OPM Attack

Malicious AI

It's not hard to imagine the criminal possibilities of automation, autonomy, and artificial intelligence. But the imaginings are becoming mainstream -- and the future isn't too far off.

Along similar lines, computers are able to predict court verdicts. My guess is that the real use here isn't to predict actual court verdicts, but for well-paid defense teams to test various defensive tactics.



from Malicious AI

Context-Aware Security Leaves Leaked Employee Passwords Useless

At 221 of the leading Fortune 500 companies, employees’ credentials are posted publicly online for hackers to steal and reuse in cyberattacks. This research is just one of many stories we see every year about how leaked employee passwords leave companies vulnerable to hackers who can use the data to break into networks or mount … Continued

The post Context-Aware Security Leaves Leaked Employee Passwords Useless appeared first on Enterprise Network Security Blog from ISDecisions.



from Context-Aware Security Leaves Leaked Employee Passwords Useless

Liquidmatrix Security Digest TV – mini0x08

UNENCRYPTED SCADA PAGERS!!! http://arstechnica.com/security/2016/10/nuclear-plants-leak-critical-alerts-in-unencrypted-pager-messages/ (watch Jamie and Dave’s head explode when they read that) MS threat modelling tool – https://www.microsoft.com/en-us/download/details.aspx?id=49168

The post Liquidmatrix Security Digest TV – mini0x08 appeared first on Liquidmatrix Security Digest.



from Liquidmatrix Security Digest TV – mini0x08

The Digital Defenders: Privacy Guide for Kids (Comic)

Check out EDRi's "Digital Defenders guide on privacy". It's a comic directed towards kids about the benefits of privacy and security. It goes into privacy on social media, password security, smartphones and even how to use Signal and Tor all throughout...

from The Digital Defenders: Privacy Guide for Kids (Comic)

Come Find Us at O’Reilly Security

We’re putting our money where our mouth is again. In continued support for New York’s growing infosec community we’re excited to sponsor the upcoming O’Reilly Security Conference. We expect to be an outlier there: we’re the only sponsor that offers consulting and custom engineering rather than just off-the-shelf products. We see this conference as an […]

from Come Find Us at O’Reilly Security

Accountant jailed after falling for Nigerian email scammer sexpot

He lied to a friend to get £151,000 in loans to send to a "woman" (unlikely) he claimed to have met in Liverpool (nope, didn't happen!).

from Accountant jailed after falling for Nigerian email scammer sexpot