Infosec links July 11, 2014

Kaspersky Lab uncovers new Android and iOS spying tools - Ian Barker - betanews

A company called Hacking Team has developed a trojan that can spy on both Android and iOS devices. It’s delivered via spear phishing and malware that gets the trojan installed when the phone is synced with an infected computer. Most of the functions appear to be for surveillance purposes. I wonder who would want to purchase such a thing.

More on Hacking Team's Government Spying Software - Bruce Schneier - Schneier on Security

Well, ethical governments, of course. At least that's who Hacking Team claims they sell the trojan to. What are the criteria for an ethical government?

  • Must be nice to citizens

  • Must feed the hungry

  • Must provide hugs

  • Must not surv$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

The Ex-Google Hacker Taking on the World's Spy Agencies - Andy Greenberg - WIRED

Really interesting profile on Marquis-Boire, who used to work for Google as a security researcher but now works for First Look Media. His job: to keep journalists who handle sensitive information, e.g. Glenn Greenwald, safe.

This post first appeared on Exploring Information Security.

WiFi Infosec links July 2, 2014

Bad Guys are Watching You (via insecure Wi-Fi) - Stefan Tanase - Kaspersky Lab Daily

WiFi security is really bad. I would be wary of joining any WiFi network out in public, especially if it says free, and even more so if you're heading to Sao Paulo for the World Cup. The gist of the article is that WiFi networks have bad security, and so do apps.

And the World Cup Security Centre's WiFi password is... - Graham Cluley - GrahamCluley.com

Dear organizations,

When you bring a photographer and a media person who is going to communicate to the public, please. PLEASE! Be very conscious of what's around you.

Sincerely,

/Facepalm

"Free" Wi-Fi from Xfinity and AT&T also frees you to be hacked - Sean Gallagher - ars technica

What this world really needs is WiFi everywhere, because it's proven to be a secure way to communicate with the internet. Oh wait... This is a good article that goes into more technical detail on how your device can be pwned by connecting to a public WiFi network.

Thoughts on the Houston Astros data breach

I have a good reason for not having my usual link post up this morning. Yesterday I found out that the Houston Astros, the team I root for on a daily basis, had a data breach. Some of the data taken made its way onto Anonbin, so last night I spent five hours putting together 1775 words on the data breach over at The Crawfish Boxes. When I was done, the motivation to write was almost completely gone for me.

Be sure to check my post over there, and be sure to check back tomorrow for my regularly scheduled link post AND a new episode of the Exploring Information Security Podcast.

Brian Krebs links June 30, 2014

P.F. Chang's Breach Likely Began in Sept. 2013 - Brian Krebs - Krebs on Security

These types of breaches are why I use a credit card everywhere I shop. If a breach occurs at a retailer, I'd much rather they have access to a credit card, indirect money, than my debit card, which goes directly to my bank account. I have never eaten at P.F. Chang's, so I have nothing to worry about in this instance, but I did shop at Target in December, and I'm sure to shop at another place that gets breached. What's disconcerting about this is that we're just now hearing about it when the initial breach occurred nine months ago. Another good reason to check your transactions on a regular basis.

Oil Co. Wins $350,000 Cyberheist Settlement - Brian Krebs - Krebs on Security

Both the oil company and the bank are pointing fingers at each other for a breach that occurred on the oil company's bank account. Allegedly, an oil company employee fell for a phishing attack, and that employee just happened to have access to the company's financial account with said bank. The oil company argued that there should have been more security measures in place, while the bank argued that the oil company got malware installed on its machine. This would have been an interesting one to see at trial, but alas, the bank's insurance company cut a check for the money lost.

Car Wash: Card Breaches at Car Washes - Brian Krebs - Krebs on Security

Is no place sacred?

It's really not all that surprising. Compromised and insecure point-of-sale systems, default admin passwords, etc. The most interesting thing about this story is that street gangs are taking advantage of these breaches as buyers of the stolen credit cards. And the fact that one of the detectives quoted in this article said this:

“Honestly, the fact that we still have bank robberies is sort of perplexing,” he said. “Rob a bank and you’re lucky if you get away with $600. But you can rob a credit card company and all the banks are afraid to have their name associated with a case like this, and they quickly reimburse the victims. And most of the retailers are so afraid of having their name in the press associated with credit card fraud and data breaches that make the job doubly hard for us.”

Exploring Information Security Podcast: How to get into information security

I've been wanting to do a podcast on information security for a while now. I wasn't sure what I wanted the objective of the podcast to be. Most of the information security podcasts out there, or at least the ones I listen to, usually do a guest interview and cover some of the latest news and happenings within information security. I didn't want to spin up yet another one of those.

Instead, I've decided to spin up a podcast that explores the world of information security. One of the things I've been hearing is that the infosec community needs people to teach security to those inside and outside the community. I am still very much in the early stages of my career as an information security professional and trying to learn as much as I can. I thought a podcast that allowed me to share what I've learned and explored would be a great fit. So here we are, and my first episode is about how to get into information security.

Jimmy Vo presenting at BSides Asheville - How To Win Friends and Influence Hackers

To explore that topic I decided to do an interview with VioPoint consultant and roundhouse master Jimmy Vo (@JimmyVo). We covered how he got into information security and also talked about some of the things people on the outside looking in can do to get into information security.

Feedback is very much appreciated and wanted. Leave it in the comments section or contact me via email.

InfoSec links June 13, 2014

Safely Storing User Passwords: Hashing vs. Encrypting - Michael Coates - Dark Reading

A good description on the difference between symmetric encryption and hashing and some of the process involved in protecting passwords with those two methods.

Peek Inside a Professional Carding Shop - Brian Krebs - Krebs on Security

Krebs takes us on a wonderful tour of the professional carding shop "McDumpals." It's got the McDonalds arches and everything. It's a good read if you want to learn more about where stolen credit card information goes.

OpenSSL DTLS Fragment Out-of-Bounds Write: Breaking up is hard to do - Brian Gorenc - HP

A new vulnerability in OpenSSL has been found. This one isn't as scary as Heartbleed, but systems do need to be checked and patched. I know that Cisco has a long list of devices affected by this and that VMware recently released a patch for ESXi 5.5 for the vulnerability. The article itself takes an in-depth technical look at the vulnerability.

TrueCrypt Links June 3, 2014

TrueCrypt Compromised/Removed? - Johannes Ullrich - Infosec Handlers Diary Blog

Last week the anonymous developers rocked the infosec community by announcing an abrupt end to the TrueCrypt project that many (millions?) of people use. TrueCrypt, for those that don't know, is a program that creates an encrypted volume, protected by a password, in which you can store files. There are alternatives out there, but TrueCrypt seems to be the most popular.

True Goodbye: 'Using TrueCrypt Is Not Secure' - Brian Krebs - Krebs on Security

Krebs has a good roundup on the TrueCrypt saga.

YES...TrueCrypt is still safe to use - Gibson Research Corporation

It appears that TrueCrypt will not die. The audit of TrueCrypt will continue this summer, and there is talk of forking the license and continuing the program, likely under a different name. I don't know if the full story will ever come out, but I imagine that TrueCrypt won't entirely die off with the original developers.

InfoSec Links April 18, 2014

This is Earth's malware threat, visualized - Sean Buckley - Engadget

Created by Kaspersky Lab, this is a really cool visualization of malware threats around the world.

Crimeware Helps File Fraudulent Tax Returns - Brian Krebs - Krebs on Security

A big reason why you should do your taxes as soon as possible; otherwise someone else might do them for you and get your tax return.

Critical Java Update Plugs 37 Security Holes - Brian Krebs - Krebs on Security

If you can do without Java, uninstall it from your computer as quickly as possible. Unfortunately, I think there are very few people who can do without Java. Personally, I have several sites that I use at home and work that require Java to function properly, so I'm screwed. If you do need Java to function on the internet, then, at the very least, make sure you keep it up to date.

OpenSSL Heartbleed Links April 12, 2014

Trying to protect yourself from Heartbleed could land you in jail - Chris Smith - BGR

There are laws in place that say testing a website's security without permission is illegal. This would include running checks using the Heartbleed checker websites or the Heartbleed Chrome app I linked to in Friday's post. They would have to enforce the law first, but technically you're still breaking the law when you do it. Which just further highlights how far behind the law is when it comes to the internet.

NSA Denies Knowing About Heartbleed Bug - Denver Nicks - TIME

It was only a matter of time before the NSA was going to be thrown under the Heartbleed Bug Bus. The NSA has two directives: to gather intelligence from its enemies AND to defend the country. Knowing about the bug in OpenSSL and not reporting it would be a massive epic fail for the NSA.

How The Heartbleed Bug Works - xkcd

A very well done, yet simple, visualization of how the Heartbleed bug works.

InfoSec Links April 2, 2014

Banks Drop Suit Against Target, Trustwave - Brian Prince - Security Week

A day after linking articles that talk about how ridiculous it was to sue Target and Trustwave, we learn that both banks have put in for dismissals of their lawsuit. Coincidentally, news of this comes on April Fool's Day, which makes it feel like an elaborate April Fool's Day joke.

Analyzing the Target Breach "Kill Chain Analysis" Report - Rafal Los - Following the Wh1t3 Rabbit

Excellent in-depth analysis and discourse of the Target breach and how it happened.

The Continuing Public/Private Surveillance Partnership - Bruce Schneier - Schneier on Security

What's really happening between the government and the companies that are handing over your data.

Safety Starts With Strong Passwords

This is a post I wrote for work talking about how to create a strong password.

Creating a strong password is one of the best things you can do to keep both yourself and your accounts safe, both at work and at home. However, creating a strong password is not the easiest thing to do and requires a little bit of thought.

If you choose a long string of random characters, the password is strong but easy to forget. If you choose a much shorter password without any random characters, then it's easy for someone to guess. The idea is to find a balance between the two. A recent study of passwords that had been compromised showed the top 10 worst passwords in use were:

  1. 123456

  2. password

  3. 12345678

  4. qwerty

  5. abc123

  6. 123456789

  7. 111111

  8. 1234567

  9. Iloveyou

  10. adobe123

Fortunately, most places have a set of password requirements designed to keep your information safe. That does create a bit of a challenge for users, because you are required to change your passwords every three months. Here are some tips that will help make the seemingly daunting task of creating strong and memorable passwords a little easier.

Pick a Theme

Most organizations will require a password to be at least eight characters, with at least one special character and one number. Try to think of something in your life, non-work related, that has all three of those elements.

Some examples include:

  • Restaurant menu

  • Retail stores

  • Hardware stores

  • Legal documents

  • Food stores

Once you have a theme, start mixing and matching numbers in a way that you can remember. For example, Chicken Strips for 14.99 from a restaurant could be ChSt14.99 or ChcktRips14.99 or Ch1ck4Nst9i9s!

There are thousands of different passwords waiting to be thought up from everyday life. The one caveat is that if you create a password from your everyday life, make sure you're not posting it all over your social media site. It's pointless to use chicken strips as part of a password if you're tweeting about it for the world to see.

Pick a Phrase

Pick a phrase and then use a combination of letters, numbers and special characters to craft your password. For example, Take The Bull By The Horns could be T-tB-b-TH0 or T8k-7@buLL-bi*7-h0rns or T-T@8’8@T-H0. Be intuitive about it and craft it in a way that you can easily remember it. The same rule applies here; don’t use your own personal catchphrase that’s on your social media profile. Don’t use anything obvious because phrases are easily searchable, especially if they’re popular.

Other Ideas

The two suggestions above are only a couple of ways to create strong and easy-to-remember passwords. It just takes a little thought on the front end. Find something that works for you, and once you do, it's much easier to change and improve on a regular basis.
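As an added example (not code from the original post), here is a small Python checker that applies the password rules the post describes, at least eight characters with one number and one special character, and also rejects anything on the top-10 list above. The candidates it runs against are the post's own sample passwords; matching the blocklist case-insensitively is my own assumption, so that "Iloveyou" and "iloveyou" count as the same guess.

```python
import string

# Policy described in the post: at least eight characters,
# at least one number and at least one special character.
MIN_LENGTH = 8

# The post's top-10 list of compromised passwords, used as a blocklist
# (stored lowercase so the comparison is case-insensitive).
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "123456789", "111111", "1234567", "iloveyou", "adobe123",
}


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in WORST_PASSWORDS:
        problems.append("appears in the list of most common compromised passwords")
    return problems


if __name__ == "__main__":
    # The post's own examples, plus two entries from its top-10 list.
    candidates = [
        "ChSt14.99", "ChcktRips14.99", "Ch1ck4Nst9i9s!",
        "T-tB-b-TH0", "T8k-7@buLL-bi*7-h0rns",
        "Iloveyou", "adobe123", "abc123",
    ]
    for candidate in candidates:
        result = check_password(candidate)
        print(f"{candidate:24} {'OK' if not result else '; '.join(result)}")
```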

Information Security Links March 7, 2014

Surveillance by Algorithm: https://www.schneier.com/blog/archives/2014/03/surveillance_by.html

Bruce Schneier is one of the industry leaders in information security and, more specifically, a cryptographer. He is a very, very intelligent individual, and you will become smarter reading his work, guaranteed. In this particular blog post he takes some quotes made by the NSA and Google to task in regards to how they handle people's personal data.

The TL;DR version is:

The NSA version of the term ‘collect’:

“So, think of that friend of yours who has thousands of books in his house. According to the NSA, he's not actually "collecting" books. He's doing something else with them, and the only books he can claim to have "collected" are the ones he's actually read.”

Google says the algorithms that read your email are like your dog:

"To wit: when you're watched by a dog, you know that what you're doing will go no further than the dog. The dog can't remember the details of what you've done. The dog can't tell anyone else. When you're watched by a computer, that's not true."