Episode 9 – From Las Vegas
Comments/questions/hate mail to email@example.com
Follow podcast on twitter @defensivesec
DDOS attack on Bank of the West masked a $900,000 theft from the account of Ascent Builders. http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/
Site compromised – serving malware, had rudimentary defense against automated analysis
Bit9 update: https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
– kudos to bit9 for transparency and disclosure – hopefully works in their favor
New java 0day http://www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-incident payload signed by stolen bit9 cert
Meant to cover last week – Facebook, apple and Microsoft hacks tracked back to a java 0 day being served on iphonedevsdk.com – the site owners were made aware by reading a news article on All Things D about the Facebook hack http://iphonedevsdk.com/forum/site-news-announcements/111889-iphonedevsdk-compromised-what-happened-and-how-we-are-dealing-with-it.html
Hard to say if watering hole attacks are getting more common, or if we just hear about them more in the current sensitized media.
This does highlight, as I mentioned in the last podcast, the dangers of browsing even “legitimate” sites. At a bare minimum, everyone ought to be using a web filtering solution to block known malicious sites – it’s not perfect and might not protect those who visit a site right after it is infected, but it will often prevent a lot of infections in 0 day scenarios
Reducing surface area of vulnerability, for instance, by not having Flash, PDF reader or Java, is beneficial, but there are so many components susceptible to attack (including the browser itself).
We should be thinking about how we isolate risky activities from key business applications and data.
This includes email – key lesson from the Mandiant APT1 report is the prevalence of using email as an attack vector.
A version of Mandiant’s APT report was being emailed around bundled with the latest PDF reader 0 day exploit. https://isc.sans.edu/diary/Fake+Mandiant+APT+Report+Used+as+Malware+Lure/15226
Kelihos botnet taken down live before an audience at RSA http://threatpost.com/en_us/blogs/latest-kelihos-botnet-shut-down-live-rsa-conference-2013-022613
Phishing strategy – addressing to other addresses at the same domain – training says to not open attachments that you are not expecting, but this illicits curiosity by the recipient.
Symantec announces a variant of stuxnet from 2005 http://news.cnet.com/8301-1009_3-57571384-83/new-stuxnet-whodunit-malware-existed-two-years-earlier-than-anyone-knew/
Cnet seems to not be aware that the US claimed responsibility and is investigating the leak
EverNote password database stolen – emails and salted/hashed passwords http://krebsonsecurity.com/2013/03/evernote-forces-password-reset-for-50m-users/
If you have not gotten the hint that you should be using a different password for EVERY service and web site you use, this is for you!
There are many great password managers, some that will sync across devices. Use them – set them to create long passwords (15-20 characters or more), since you’re not going to be able to remember all of the passwords anyway. And most of the password managers will copy passwords to the clip board so you don’t have to type them in, either.