Defensive Security Podcast Episode 8

News:

Burger King & Jeep twitter accounts hacked

Microsoft and Apple hacked with same exploit that hit Facebook

NBC.com’s site is hacked, injecting an iframe directing visitors to a site that served an exploit kit and installed the Citadel trojan.

Bit9 hack started in July 2012

  • Bit9 released hashes
  • Krebs search of VT turned up some malware compiled in July 2012
  • Bit9 indicates that the compromise was the result of an employee starting up an old virtual machine.  Additional details are apparently going to be released on Bit9’s blog next week.

Risk from business partners/suppliers:

  • Zendesk hacked and leaked client info for Twitter, Pinterest & Tumblr
  • CPanel hacked and leaked root passwords for client servers

Lessons:

  • Vendors are a risk – their vulnerabilities & security practices have a material impact on your business.

 

APT1:

  • Focus on the tactics, not the motives
  • Entry gained via spear phishing emails
  • Implemented remote access trojans
  • Stole credentials, moved throughout victim networks and systems

Lessons:

  • A lot can be learned through forensic investigations
  • We need to come to terms with the problems:
    • Humans are susceptible to phishing
    • We can’t control whether web sites serve up exploits
    • AV is not effective at catching serious threats
    • Constant stream of 0 days
  • What can we do to address this?  2 Main options:
    1. Avoidance
      1. Do not permit the things that are problematic from entering your environment:
        1. Block Internet access
        2. Don’t permit email
        3. Force “dangerous” activities to happen on systems that do not have access to anything sensitive (this includes email)
        4. Work PC becomes a terminal for interfacing with internal apps & systems only
        5. Completely heretical, but effective
    2. Minimization
      1. Minimize the opportunity for successful attacks:
        1. Application white listing
        2. Strict web filtering
        3. Isolation of activities into virtual machines or VDI
        4. Proactive monitoring

 

Leave a Reply