Defensive Security Podcast Episode 6

Suggestions to podcast@defensivesecurity.org

News:

  • ISD Podcast shuts down
  • Noticeable uptick in phishing attacks recently, leading to various exploit kit web sites
  • Yet another Java update.  Oracle seems to have gotten the message.
  • Combofix, a free tool for removing certain kinds of malware, was infected with Sality
    • Do not download repackaged software from other file hosting sites.  Bad!
  • Cisco released it’s 2013 security report.
    • Legitimate sites much more likely to be malicious than traditional pornography
    • Ad networks and content delivery networks worst offenders
  • Anonymous stole information on 4600 bank executives from a Federal Reserve emergency communication application.
    • Fed seems to be downplaying the significance.

US Sentencing Commission:

  • The US Sentencing Commission web site has been repeatedly hacked by Anonymous in protest of the suicide of Aaron Swartz. The site was defaced with a video and offered some encrypted files for download, with a threat to release the decryption keys if reforms to the CFAA are not made.
  • The site was restored Saturday, but was defaced again on Sunday – with Asteroids.
  • The site was unavailable for quite some time after the second breach.
  • Apparently the site was restored, but whatever weakness it had was restored too.
  • Is it better to get the site back up fast or spend some time to figure out what happened?

NY Times announces it has hacked

  • The NY Times reports that its IT systems had been compromised by “Chinese attackers”.
  • When the Times became aware of the intrusion, they chose to monitor the activity, rather than try to immediately close the holes

This has some benefits, since it allows the victim to understand the extent to which their systems have been compromised, rather than tipping off the intruder by starting to remediate systems piecemeal.

  • NYT contracted Mandiant to investigate
  • The attackers were routing traffic through compromised hosts in US universities
  • The apparent method of entry is spear phishing
  • 45 pieces of malware
  • Symantec lashed out at the Times article
  • The attackers appeared to be interested in determining who provided an NYT reporter with some salacious information about Wen Jiabao, China’s prime minister.
  • Lots of criticism about the report
    • Reference to rainbow tables shows the author isn’t a security pro
    • China APT seems to be involved in every investigation Mandiant investigates
    • Lack of details
    • Makes the attack seem highly sophisticated
    • I do agree that there is nothing spectacular about this attack – just about anyone with good knowledge of metasploit and SET could pull this style of attack

The timing of the attack certainly is interesting, given the proximity to the story about the FBI searching for the government source who leaked details of the US’ involvement in Stuxnet to New York Times’ chief Washington correspondent, David Sange.

Wall Street Journal hacked

  • The WSJ announced it was also hacked.
  • No real details of the incident
  • FBI notified the WSJ that it saw WSJ data from it’s Beijing office
  • Claims that the attackers were intending to monitor WSJ’s coverage of China

Update on State of South Carolina Department of Revenue Breach:

  • DoR having a war of words with the former infosec manager
  • Former manager claims that the intrusion should have been noticed before data could be stolen, if logs were being looked at
  • DoR says that Mandiant’s findings indicate that the sophisticated attacker would not have been identified by reviewing the logs
  • Logs are being reviewed daily now

Bit9 was breached and a code signing certificate was stolen

  • The attacker allegedly targeted Bit9 as a means of bypassing the application whitelisting on a Bit9 client’s systems
  • No details about how the intruders gained entry, but the CEO says:

In brief, here is what happened. Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no defensive security episode 6indication that this was the result of an issue with our product.  Our investigation also shows that our product was not compromised.

We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.

While there’s not a lot to go on, the wording sounds like Bit9 had servers that weren’t properly configured.

  • AV vendors seem to be getting their comeuppance on Bit9 due to their previous bashing of AV
  • AWL is still a good technology, but this highlights supply chain risks that need to be considered

 

Leave a Reply