Category Archives: Security

Defensive Security Podcast Episode 17

This week: Twitter warns news agencies of attacks and advises them to use dedicated PCs for Twitter, the US Department of Labor website was compromised and serving up an IE8 0day, 18 12- and 13-year-olds in Alaska socially engineered their teachers out of passwords for 300 computers, iOS did NOT have a malicious app discovered, AV vendors are starting to shun Windows XP, 7 elements of a successful security awareness program, and the unforeseen impacts of cyberwar.

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

Episode 17

http://security.onestopclick.com/technology_news/media-warned-to-tighten-twitter-security_474.htm

http://arstechnica.com/security/2013/05/internet-explorer-zero-day-exploit-targets-nuclear-weapons-researchers/

http://www.bbc.co.uk/news/technology-22398484

http://www.networkworld.com/news/2013/050213-ios-app-contains-potential-269393.html

http://podcasts.infoworld.com/t/anti-virus/windows-xp-risk-antivirus-vendors-jump-ship-217806

http://www.wired.co.uk/news/archive/2013-05/2/comment-crew-plunder-qinetiq

http://www.networkworld.com/news/2013/050113-the-7-elements-of-a-269301.html

http://www.networkworld.com/news/2013/050113-livingsocial-breach-scope-widens-on-269295.html

http://qz.com/81268/the-worst-possible-cybersecurity-breaches-could-be-far-worse-than-you-imagined/

Defensive Security Podcast Episode 16

In this episode, another Java 0day, Symantec’s Q1 2013 0day roundup, the Akamai State of the Internet report, the Verizon 2013 DBIR, AP’s twitter feed hack, and cyber terrorists.

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

http://www.scmagazine.com/livingsocial-updates-encryption-practices-after-password-breach-affects-50m/article/291042/

Q1 0day vulnerabilities: http://www.symantec.com/connect/blogs/2013-first-quarter-zero-day-vulnerabilities

http://www.akamai.com/stateoftheinternet/

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf

http://akamai.infoworld.com/d/security/5-hot-security-defenses-dont-deliver-217045

http://www.pcworld.com/article/2036261/ap-twitter-hack-prompts-fresh-look-at-cybersecurity-needs.html

http://www.hotforsecurity.com/blog/associated-press-twitter-account-hack-hits-us-stock-prices-6015.html

http://www.theinquirer.net/inquirer/news/2263460/cyber-terrorists-are-only-a-matter-of-time-warns-eugene-kaspersky

Defensive Security Podcast Episode 15

This week: Twitter account hacks highlight opportunity for exploitation by attackers, Microsoft and Malwarebytes both release bad patches, Oracle releases a Java patch which fixes 42 security bugs, Oracle announces that Java 8 is delayed due to the focus on Java 7, a new botnet is being created by compromising WordPress installations for some unknown purpose, Linode was compromised in an attack targeted at some Linode customers, Microsoft finds a trojan that cleans up after itself in the next wave of anti-forensics, the Boston marathon bombing and West, Texas explosions see many phishing scams leading to malware installations, spam is down, targeted attacks via email are up, Microsoft released its second half 2012 Security Intelligence Report with some odd mixes of data, Microsoft releases EMET 4.0 beta, and a former employee has been charged with planting back doors on 2723 Hostgator servers.

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

60 Minutes, 48 Hours, NPR and BBC Twitter accounts recently hacked.

MS and Malwarebytes released bad updates

http://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/

http://mreinhold.org/blog/secure-the-train

http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

http://www.theregister.co.uk/2013/04/16/linode_breach/

http://m.darkreading.com/133696/show/b7639d290f6c32534f633e85cfe6ac04/

Boston bombing used to spread malware in multiple ways
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Z6nE3UFETb0/

http://news.cnet.com/8301-1009_3-57579847-83/targeted-cyberattacks-jump-42-percent-in-2012-symantec-says/

SIR: http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4F/Microsoft_Security_Intelligence_Report_Volume_14_Key_Findings_Summary_English.pdf

http://blogs.technet.com/b/srd/archive/2013/04/18/introducing-emet-v4-beta.aspx

http://arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/

Defensive Security Podcast Episode 14

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

I’ll be picking someone who sends me an email with feedback on the show to receive an e-copy of @Taosecurity’s new book “The Practice of Network Security”.
Encrypt your drives, even if you don’t think the computer will leave the office: http://feedly.com/k/ZM172z

Spate of MS and Adobe patches fix numerous remote code execution and priv escalation bugs

SEC filings seem to disagree with the growing furor over cyber attacks: http://feedly.com/k/ZM1IRB

51 weeks of Windows XP support left

FireEye threat report: http://feedly.com/k/11mWyAn

2 ideas for better security: http://feedly.com/k/14VTn5V

A review of APT1 http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf

http://packetstormsecurity.com/news/view/22398/Author-Of-The-SSH-Protocol-Wants-A-New-One.html

http://www.networkworld.com/news/2013/041013-shylock-bank-trojan-upgraded-with-268583.html?source=nww_rss

http://packetstormsecurity.com/news/view/22399/Porn-Sites-Pose-Growing-Malware-Risk.html

http://www.bankinfosecurity.com/global-closes-breach-investigation-a-5684?rf=2013-04-15-eb&elq=593a933acd7a48d4b7e39bcc55f49e62&elqCampaignId=6440

Defensive Security Podcast Episode 13

The Internet destroying ddos attack that wasn’t

http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/

http://hothardware.com/News/Huge-Spike-In-Mobile-Data-Traffic-Drives-IEEE-400-Gigabit-Ethernet-Standard/

http://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/

http://nakedsecurity.sophos.com/2013/04/05/ransomware-child-buse/

http://blog.trendmicro.com/trendlabs-security-intelligence/three-lessons-from-the-south-korea-mbr-wiper-attacks/

Defensive Security Podcast Episode 12

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

http://www.informationweek.com/security/vulnerabilities/cisco-password-fumble-hardware-security/240151244

Etsy’s solution for running java: http://codeascraft.etsy.com/2013/03/18/java-not-even-once/

http://www.infosecurity-magazine.com/view/31372/seoul-cautious-in-blaming-north-korea-for-massive-cyberattack-

http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware

http://arstechnica.com/security/2013/03/your-hard-drive-will-self-destruct-at-2pm-inside-the-south-korean-cyber-attack/

https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+-+Part+2/15406
https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+3/15448
https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+-+Part+4/15460

The Usefulness of Security Education

Bruce Schneier recently wrote a somewhat provocative blog post on Dark Reading about the value of security training. Similar to the comments Dave Aitel made last year, Bruce asserts that money spent on security awareness training would be more useful spent elsewhere on improving security.

I both strongly agree and disagree with this position. Before you assume I am copping out of taking a stance, let me explain. It’s my experience that there are some things worth teaching and others that have little value:
Choosing a strong password – little value
Understanding that AntiVirus can’t protect against many threats – pretty valuable

And so it goes.

I’ve found that it is nearly useless to try to train people on password etiquette for a number of reasons. They don’t care; they don’t believe that it really matters; they are prompted to choose a password at a very inopportune time; they really believe that Password1 is strong. This is an area where it is far better to focus efforts on improving the technical control than spending a bunch of money on more training. Set the minimum password length to 20 characters and give everyone a password manager – oh and make sure that they can’t pick abcdefghijklmnopqrs as their password.
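As an added illustration of moving the password problem into a technical control (example code written for this page, not from the post or from any product), here is a policy check that enforces the 20-character minimum and rejects alphabet and keyboard-row walks, long character repeats, and blocklisted words dressed up with digits or leet substitutions such as Password1. The length, the tolerated run length, the sequence list and the tiny blocklist are this example's assumptions; a real deployment would check against a breached-password corpus.

```javascript
// Added example for this page, not code from the post or from any product.
// Enforces the technical control the post prefers over password training:
// a 20-character minimum plus rejection of the lazy choices it names
// ("Password1", an alphabet walk) and of keyboard-row walks and repeats.
// MIN_LENGTH, MAX_RUN, the sequence list and the blocklist are assumptions
// chosen for the example; production would use a breached-password corpus.

const MIN_LENGTH = 20;
const MAX_RUN = 4; // longest alphabet/keyboard walk tolerated
const SEQUENCES = [
  'abcdefghijklmnopqrstuvwxyz',
  '0123456789',
  'qwertyuiop', 'asdfghjkl', 'zxcvbnm', // US keyboard rows
];
// Constructed stand-in for a breached-password list.
const BLOCKLIST = new Set(['password', 'letmein', 'welcome', 'qwerty', 'iloveyou']);
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's', '!': 'i' };

// Longest run of characters that walks one of SEQUENCES forward or backward,
// e.g. "abcde" and "edcba" both score 5.
function longestSequentialRun(pw) {
  const s = pw.toLowerCase();
  let best = s.length > 0 ? 1 : 0;
  for (const seq of SEQUENCES) {
    for (const dir of [seq, [...seq].reverse().join('')]) {
      let run = 1;
      for (let i = 1; i < s.length; i++) {
        const prev = dir.indexOf(s[i - 1]);
        if (prev !== -1 && dir.indexOf(s[i]) === prev + 1) {
          run += 1;
          best = Math.max(best, run);
        } else {
          run = 1;
        }
      }
    }
  }
  return best;
}

// Strip leading/trailing digits and symbols, lower-case, undo common leet
// substitutions, so "P@ssw0rd2013!" compares against the blocklist as "password".
function normalize(pw) {
  return pw
    .replace(/^[\d\W_]+/, '')
    .replace(/[\d\W_]+$/, '')
    .toLowerCase()
    .replace(/[013457@$!]/g, (c) => LEET[c]);
}

// Returns the list of policy violations (empty when the password is acceptable).
function checkPassword(pw) {
  const problems = [];
  if (pw.length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  const run = longestSequentialRun(pw);
  if (run > MAX_RUN) problems.push(`contains a ${run}-character alphabet or keyboard sequence`);
  if (/(.)\1{4,}/.test(pw)) problems.push('contains the same character 5 or more times in a row');
  if (BLOCKLIST.has(normalize(pw))) problems.push('is a blocklisted word with cosmetic changes');
  return problems;
}

function isAcceptable(pw) {
  return checkPassword(pw).length === 0;
}

// Stand-alone demonstration.
for (const candidate of ['Password1', 'abcdefghijklmnopqrstuvwx', 'correct horse battery staple']) {
  const problems = checkPassword(candidate);
  console.log(JSON.stringify(candidate), problems.length ? problems.join('; ') : 'OK');
}
```

Wire checkPassword into the enrolment and reset forms so the user sees the specific reason a choice was refused; with a 20-character floor the only realistic way to comply is a passphrase or a password manager, which is the behaviour the control is meant to force.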

But in other areas we are forced to rely on honing the imperfect mind. Recognizing phishing emails and understanding that AV is not perfect are important, because there is no setting we can enable to make people safe. I suspect we all wish the world would invest in writing more secure software, and despite appearances we are trying, but the tactics for finding weaknesses grow ever more ingenious. I can’t envision a future where we have solved that problem, even if all training spending were diverted to better development practices. So we are left trying to find innovative ways to get people to change their behavior, even if only slightly.

I can’t count the number of times employees have expressed surprise and frustration that potentially malicious files might end up in their email inboxes. “How is it possible that a virus can get to my inbox if we are using AV?”

To me, it seems like the trick is figuring out which aspects of security to focus training on, and which can and should be addressed with technology.

On a related topic, I have been working on some security education and have been thinking about how to make it more engaging. I recently flew Delta from Atlanta to Las Vegas and noticed that the airline had remade their safety videos. I have flown hundreds of times and find those videos a bit of a bore, but I was captivated. Delta worked some very humorous elements into the safety video – from a man using a typewriter on a tray table and needing to stow it, to a man in a neck brace unable to look behind him for the nearest exit, to a posted placard that prohibits comb-overs. I couldn’t stop watching and listening to catch the subtle humor that was being presented. On the return flight, I found that the video was mostly different, and so I needed to pay close attention again to get the new jokes. Brilliant move by Delta, in my opinion. I would love to come up with a way to do something similar in my security education programs.

Abusing JavaScript for Social Engineering Fun!

There is a really interesting blog post by @ossij called “Hacking the a tag in 100 characters”.

I suspect the nefarious uses of this will be pretty extensive. We often tell our constituents in security awareness training to look at the address of a link before clicking on it. This technique undermines that guidance, because the address shown before the click is not the one the click ends up following, and it will be particularly effective if the JavaScript runs in HTML emails. I expect that it will. One more reason that viewing email in plain text is a good idea.

I can envision some new crafty targeted watering hole attacks with this method. Rather than including a noisy iframe that is served to everyone, links on the page are redirected to a malicious site only when clicked, and only for the intended victim; the page looks and works normally for everyone else.
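To make the concern concrete, here is an added example (not code from the original post or from @ossij) of a scan that can be run over an HTML page or the HTML part of an email before the links reach a user. It assumes the trick is an inline mouse-event handler that reassigns href once the user has already hovered and read the address; the sample HTML, the reserved .example host names, the event list and the cookie-based victim selection are constructed for the example.

```javascript
// Added example for this page, not code from the original post or from
// @ossij. It assumes the "a tag" trick is an inline mouse-event handler that
// reassigns href once the user has already hovered and read the status bar,
// and scans raw HTML (a page or the HTML part of an e-mail) for anchors whose
// handler text rewrites the link target. SAMPLE_HTML, the .example host names
// and the event list are constructed for the example.

const MOUSE_EVENTS = ['onclick', 'onmousedown', 'onmouseup', 'onmouseover', 'oncontextmenu'];
// Handler code that changes where the click goes.
const REWRITE = /\bhref\s*=|\blocation\b|window\.open\s*\(/i;

// Attribute name/value pairs of one start tag, names lower-cased.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// One finding per anchor whose mouse handler rewrites the target. The tag
// regex tolerates '>' inside quoted attribute values.
function findHrefSwaps(html) {
  const findings = [];
  const anchorRe = /<a\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    for (const ev of MOUSE_EVENTS) {
      if (attrs[ev] !== undefined && REWRITE.test(attrs[ev])) {
        findings.push({ shown: attrs.href ?? '', handler: ev, code: attrs[ev] });
      }
    }
  }
  return findings;
}

// Constructed sample: a benign link, a link that swaps its target on mousedown
// (so hovering still shows hr.example), and the targeted variant that only
// swaps for one victim, chosen here by a cookie value.
const SAMPLE_HTML = `
<p>Quarterly report: <a href="https://intranet.example/report.pdf">report</a></p>
<p>Benefits portal: <a href="https://hr.example/login"
   onmousedown="this.href='https://evil.example/hr'">https://hr.example/login</a></p>
<p>Docs: <a href="https://docs.example/"
   onclick="if(document.cookie.includes('uid=4711')){this.href='https://evil.example/d'}">docs</a></p>
`;

// Stand-alone demonstration.
for (const f of findHrefSwaps(SAMPLE_HTML)) {
  console.log(`shown=${f.shown} ${f.handler}="${f.code}"`);
}
```

A mail gateway could run findHrefSwaps over each HTML part and quarantine the message or rewrite the flagged anchors. The scan only sees inline handlers: a handler attached from an external script, or a page that rewrites every link at load time, is invisible to it, which is why stripping the script entirely by rendering email as plain text is the more dependable control.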

Stay safe,

Jerry

The Importance of Reinstalling After a Virus or Malware Infection

In episode 11, I made some comments about wiping a compromised system rather than trying to clean it. I saw in my twitter feed a bit ago that the 2013 Shmoocon videos were posted. I looked through and one talk stuck out and I wanted to share here, given my comments: Wipe The Drive – Techniques for malware persistence.

Basically, the presenters show why it’s such a bad idea to simply clean a computer after a virus infection. I like to think this is common knowledge, but I meet people daily who do not understand the reasons behind taking this draconian approach.