InfoSec fun links June 10, 2014

Alleged robber caught after trying to befriend his victim on Facebook - Lisa Vaas - Naked Security

Apparently, mugging someone and then trying to friend them on Facebook is the new thing for criminals. Not much else to say here, except /facepalm.

Secret Service Software Will 'Detect Sarcasm' Social Media Users - Aliya Sternstein - Nextgov

Humans can barely do this! Now some software is going to do it? Good luck with that.

14-year-old code crackers hack Winnipeg ATM - Doug Lunney - Toronto Sun

ATMs are notoriously insecure. Not only can skimmers be placed on them and 90% of them around the world are running Windows XP, but default settings aren't being changed on them either. Two teenagers found a manual online for an ATM that allowed them to get into the operator mode. The best part of the story is that when they went to the bank and informed the staff that they had done it, the staff didn't believe them. So they got permission to get proof and returned with six documents printed out from the operator mode. Only then did the staff take them seriously. Welcome to the world of security research, kids.

This post first appeared on Exploring Information Security.

InfoSec links June 9, 2014

Complexity as the Enemy of Security - Brian Krebs - Krebs on Security

The Syrian Electronic Army (SEA) has been at the center of several high-profile hacks. They've hacked major news websites such as Time, CNN and The Washington Post. More recently they got into the RSA Conference site after Ira Winkler called them cockroaches. They accomplished this through a third-party content provider. This past weekend I went to BSides Asheville, and Paul Coggins had an interesting talk on cloud networks and how "third-party" service providers can be the weak point in a network's infrastructure. The more entities you add, the bigger the attack surface and the more potential vulnerabilities there are.

Which of your favourite websites are terrible at passwords? - Lisa Vaas - Naked Security

Strong passwords are something that's preached pretty regularly by the infosec community. Typically, it's preached at users, but it should also be preached at websites that let you create accounts. Match.com tops the list of sites that allow weak passwords such as:

  • Qwerty

  • 123456

  • 111111

  • and many others

They also don't lock accounts after a certain number of failed attempts, and they limit how long a password can be. Seriously, why would you stop someone from creating a longer password? Or not allow them to use special characters?
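As an added example (not code from the post or from any of the sites it names), here is a small Python account store that avoids the three failings described above: it rejects a constructed blocklist of weak passwords, locks an account after repeated failed logins, and imposes no maximum length or character restriction. The blocklist contents, the thresholds and all names are assumptions made for this example.

```python
"""
Registration password policy plus login lockout.
Everything here (blocklist, MIN_LENGTH, MAX_ATTEMPTS, LOCKOUT_SECONDS)
is an assumed value chosen for the example, not any site's real policy.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed sample blocklist; a real deployment would load a large
# breached-password list instead of five entries.
WEAK_PASSWORDS = {"qwerty", "123456", "111111", "password", "letmein"}

MIN_LENGTH = 12          # minimum only: there is deliberately no maximum
MAX_ATTEMPTS = 5         # failed logins before the account is locked
LOCKOUT_SECONDS = 15 * 60


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    Any length above the minimum and any character (including specials
    and spaces) is allowed, so long passphrases always pass.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the weak-password blocklist")
    if password and len(set(password)) == 1:      # e.g. "111111111111"
        problems.append("single repeated character")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AccountStore:
    """In-memory accounts with per-user failed-attempt counting and lockout.

    `now` is injectable so the lockout expiry can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._accounts: dict[str, tuple[bytes, bytes]] = {}
        self._failures: dict[str, tuple[int, float]] = {}  # user -> (count, locked_until)

    def register(self, username: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        self._accounts[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._failures.get(username, (0, 0.0))
        return self._now() < locked_until

    def login(self, username: str, password: str) -> bool:
        if self.is_locked(username):
            return False                      # locked: don't even check the password
        record = self._accounts.get(username)
        if record is not None:
            salt, digest = record
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                self._failures.pop(username, None)   # success clears the counter
                return True
        # Wrong password or unknown user: count it, lock after MAX_ATTEMPTS.
        count, _ = self._failures.get(username, (0, 0.0))
        count += 1
        locked_until = self._now() + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self._failures[username] = (count, locked_until)
        return False


if __name__ == "__main__":
    store = AccountStore()
    for candidate in ("Qwerty", "111111", "correct horse battery staple!"):
        print(repr(candidate), "->", check_password_policy(candidate) or "accepted")
    store.register("alice", "correct horse battery staple!")
    for _ in range(MAX_ATTEMPTS):
        store.login("alice", "wrong")
    print("alice locked after repeated failures:", store.is_locked("alice"))
```

Note that lockout is enforced before the password is checked, so a correct guess during the lockout window still fails, and the counter is only reset by a successful login after the window has expired.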

They Hack Because They Can - Brian Krebs - Krebs on Security

Highway signs are being hacked again for... well, because they can be hacked, and because the security on these types of signs is awful. The prankster appears to be a foreign script kiddie who enjoys defacing websites, according to Krebs. The methods used to perform the hack appear to be trivial at best.

Heartbleed Links June 6, 2014

Heartbleed

New Heartbleed Attack Vectors Impact Enterprise Wireless, Android Devices - Eduard Kovacs - Security Week

Nearly two months after the Heartbleed bug was discovered, new attack vectors are still being found. The vectors in this article involve wireless networks and Android smartphones. It's a very technical article and not for the uninitiated.

Beware Of Fake 'HeartBleed Bug Remover Tool,' Hijacks System with Malware - Wang Wei - The Hacker News

Repeat after me: "Heartbleed is a bug, not a virus, trojan or any other form of malicious software." A bug is code in a piece of software or application that, when exploited, gives an unexpected, unintended result. A virus, trojan and keylogger all fall under the malicious software (or malware) category. They are software or programs designed to perform malicious acts on your computer for nefarious gains. Now that we've established that, don't fall for any scams that say you need to remove Heartbleed from your computer, because Heartbleed is a bug, not a piece of malware. The Heartbleed bug is located in a critical piece of internet infrastructure called OpenSSL, and there is no removing it. The entities that use OpenSSL have to patch the bug for you to be safe. Again, Heartbleed is not something on your computer that can be removed.

The Human Side of Heartbleed - Bruce Schneier - Schneier on Security

This Schneier special dives into some of the nuances involved in reporting the Heartbleed bug, which two separate researchers discovered several days before the rest of us heard about it:

One of the biggest problems we face in the security community is how to communicate these sorts of vulnerabilities. The story is technical, and people often don't know how to react to the risk. In this case, the Codenomicon researchers did well. They created a public website explaining (in simple terms) the vulnerability and how to fix it, and they created a logo -- a red bleeding heart -- that every news outlet used for coverage of the story.

As bad as Heartbleed was, the InfoSec community handled it really well.

Hacking links June 5, 2014

'Half of American adults hacked' in the past year - really? - John Zorabedian - Naked Security

Recently, CNN reported on a study that claimed that 47% of US adults have been hacked. The thing is, those percentages and numbers might not actually be representative of the population. Also in question is the term "hacked." Should employee negligence or insider theft count as being hacked? Probably not.

Thieves Planted Malware to Hack ATMs - Brian Krebs - Krebs on Security

This occurred in the Chinese territory of Macau. The process for the hack is quite interesting. The criminals slid a long skimming board down the ATM's card slot to install the malware. The malware would log the card information of anyone who used the ATM, and a few days later they'd follow the same process to retrieve the logged information and remove the malware. Pictures of the device and the rest of the kit are featured in the article.

Hacking the Registry to keep Windows XP Updating - A Bad, Bad Idea - Rafal Los - Following the Wh1t3 Rabbit

Apparently, someone has figured out that you can change the registry of a Windows XP machine to make it look like a Point-of-Sale (POS) terminal, which are still getting Windows XP updates. This might not be the best idea in the world, as POS terminals are much different from a computer installed with Windows XP, and the patches could negatively affect system stability. If you're that desperate to get Windows Updates, just go ahead and upgrade your system. It will save you a lot of headache in the long run.

TrueCrypt Links June 3, 2014

TrueCrypt Compromised/Removed? - Johannes Ullrich - Infosec Handlers Diary Blog

Last week the anonymous developers rocked the infosec community by announcing an abrupt end to the TrueCrypt project that many (millions?) of people use. TrueCrypt, for those that don't know, is a program that lets you create an encrypted, password-protected volume and store files in it. There are alternatives out there, but TrueCrypt seems to be the most popular.

True Goodbye: 'Using TrueCrypt Is Not Secure' - Brian Krebs - Krebs on Security

Krebs has a good roundup on the TrueCrypt saga.

YES...TrueCrypt is still safe to use - Gibson Research Corporation

It appears that TrueCrypt will not die. The audit of TrueCrypt will continue this summer, and there is talk of forking the license and continuing the program, likely under a different name. I don't know if the full story will ever come out, but I imagine that TrueCrypt won't entirely die off with the original developers.

InfoSec links May 28, 2014

Fitness apps are a "privacy nightmare," shedding personal data to the highest bidder - Lisa Vaas - Naked Security

Information can be a powerful thing. Fitness apps can give you detailed information about your training that allows you to structure workouts better, but you might not be the only one getting that information. You're also giving that information to the apps, and then the question becomes what they are doing with it. Information is a powerful, and profitable, thing.

Comey: FBI 'Grappling' With Hiring Policy Concerning Marijuana - Charles Levinson - The Wall Street Journal

The FBI needs smart and talented people to help battle the ever-increasing population of cyber criminals. The problem for the FBI is that its drug policy eliminates a large pool of those smart and talented people. FBI Director James Comey has recognized this and is looking at possibly changing some of the FBI's policy regarding marijuana use.

Worst Day for eBay, Multiple Flaws leave Millions of Users vulnerable to Hackers - Mohit Kumar - The Hacker News

eBay has had a rough go of it recently (if you have an eBay account and have no idea what I'm talking about, you might want to go change your eBay account password, immediately). They've not only bungled the handling of their breach, but apparently there are still a few live vulnerabilities that could get their systems compromised. This article is from Friday, May 23, 2014, so the vulnerabilities may have been fixed by now.

Snowden aftermath links May 28, 2014

New Al Qaeda Encryption Software - Bruce Schneier - Schneier on Security

There's beginning to be some discourse about the effect of the documents Snowden released and how they've helped enemies of the US. Schneier thinks this might actually be a good thing, as those entities try to create their own crypto, which might be weaker than what's available for free.

NSA reform falters as House passes gutted USA Freedom Act - David Kravets - ars technica

Hey look! It's the government being the government. Just before the vote things were changed, and Congress passed what appears to be a much weaker attempt at reining in some of the government's heinous surveillance programs. It might take more drastic measures for real change to take place.

Disclosing vs. Hoarding Vulnerabilities - Bruce Schneier - Schneier on Security

Vulnerabilities are a balancing act for the government. Do you disclose a vulnerability that could be used to get into an enemy's network, or do you keep it for future use? I'm with Schneier and believe the US government should disclose vulnerabilities, because part of its mission is defense, but I still think there is some reason for it to keep some vulnerabilities to help with its offensive mission.

InfoSec links May 27, 2014

Hackers now crave patches, and Microsoft's giving them just what they want - Gregg Keizer - Computer World

Criminals are using Windows 7 patches to try to figure out vulnerabilities in Windows XP. According to the article, "By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in Windows 7 -- which will be patched -- then sniff around the same part of XP's code until they discover the bug there." Just another reason to get off Windows XP.

CBS picks up 'CSI: Cyber' with Patricia Arquette - Scott Collins - LA Times

I used to watch a lot of CSI: Las Vegas. After several seasons, though, I realized it was the same episode with slightly different variations. This looks interesting enough that I might just check it out. My expectations for accuracy and/or entertainment are quite low. Still, it could be used to give the masses a small peek into the electronic "battlefield" and might even make for a good jumping-off point for infosec professionals to teach the uninitiated.

Meet the Zberp Trojan - Dana Tamir - Security Intelligence

New malware has been discovered. According to Trusteer researchers the new malware combines the Zeus and Carberp Trojans, hence the name Zberp.

Brian Krebs InfoSec links May 23, 2014

Teen Arrested for 30+ Swattings, Bomb Threats - Brian Krebs - Krebs on Security

A Canadian teen was arrested for making fraudulent emergency calls. These emergency calls involve things like “phony bomb threats” and “swatting,” which, as Krebs puts it, is “a hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime.” If you’ve been reading Krebs, you’ll know that this isn’t anything new to him and that this particular teen actually attempted to swat him twice.

'Blackshades' Trojan Users Had It Coming - Brian Krebs - Krebs on Security

Blackshades is a “password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes.” You could buy the program for as low as $40 in the US. If you did purchase and use this piece of software, you might be getting a visit from the FBI soon.

eBay Urges Password Changes After Breach - Brian Krebs - Krebs on Security

You’re going to want to change your password if you have an eBay account. There is no “indication” that anyone's information has been used maliciously; however, employee credentials were compromised, and “customers’ name, encrypted passwords, email address, physical address, phone numbers and date of birth” were compromised.

NSA owns your tweets May 14, 2014

FIX: Message sent using invalid number of digits - Msg 2114

I bought my wife a new iPhone 5s for Mother's Day. She of course loves it, but she informed me that she was unable to message me and kept getting the following message:

Message sent using invalid number of digits. Please resend using 10 digit number or valid short code. Msg 2114.

Our carrier is Sprint, and there seems to be an issue with trying to send a text message using only seven digits. In researching the problem I found that it was not exclusive to the iPhone 5s, but the fix seems to involve similar setting changes. For the most part, you need to delete the person you're having problems texting from your contact list and delete any text messages you attempted to send. Also delete the error messages you received for each attempt. After you've done that, reboot the phone and try sending that person a text. For my wife's phone I went straight to Messages and composed a new message with my number.

You'll need to try something similar on other phones, but here are the exact directions on an iPhone 5s:

Open Contacts -> select the contact -> select Edit -> scroll all the way to the bottom and delete the contact (delete multiple entries of the same phone number; my wife had five).

Open the Messages app -> select Edit -> select the red circle and then select delete. Do this for both the person and the messages you received.

Open the Settings app -> scroll down and select Messages -> turn off Messages by selecting the switch, along with any other options that are turned on.

Turn off your phone and then turn it back on.

Go straight to Messages, compose a new message and put in the phone number of the person you're trying to text. Send it, and that person should receive the text message. Add the person back to your contacts and go back into the Messages settings to turn on any options you turned off that you want on.

InfoSec Links May 13, 2014

Serious security flaw in OAuth OpenID discovered - Aloysius Low and Seth Rosenblatt - Cnet

The way you log in to certain sites (Facebook, Google, Yahoo, LinkedIn) could be vulnerable to having your credentials stolen. The vulnerability revolves around clicking on the wrong link and getting a pop-up box asking you to reauthenticate. The issue with this is that the pop-up appears to come from the site you're on. Unfortunately, this is not an easy fix, and even if the organizations take that route it would impact the user experience, which could mean a loss of business.

Security is Fundamentally A Battle of Mistakes - Jerry Gamblin - JerryGamblin.com

An interesting thought exercise involving security, poker and how you protect your network. Essentially, are you focusing on the areas where you can be the most effective, or on the areas you think you need to focus on?

URL Shortener Bit.ly Says Account Credentials Possibly Compromised - Mike Lennon - Security Week

If you have an account with Bit.ly, you may find that you need to change some things when you log in next time. My favorite part of this story is Bit.ly taking the initiative in this:

The company has invalidated all credentials within Facebook and Twitter, forcing users to reconnect their Facebook and Twitter profiles in order to publish to their accounts.

Brian Krebs InfoSec Links May 7, 2014

Because Brian Krebs is awesome.

Phishers Divert Home Loan Earnest Money - Brian Krebs - Krebs on Security

In this scheme, the attackers intercept emails from title agencies providing wire transfer information for borrowers to transmit earnest money for an upcoming transaction. The scammers then substitute the title company’s bank account information with their own, and the unsuspecting would-be homeowner wires their down payment directly to the fraudsters.

Emails are being intercepted and the account information changed so that the home buyers send the money to the criminals and not the title agency. That's really scary, and it shows that if it's financially profitable, criminals will find a way to exploit the system.

Adobe Update Nixes Flash Player Zero Day - Brian Krebs - Krebs on Security

Update Adobe Flash Player on your computers. Do it. Do it NOW!

The Target Breach, By the Numbers - Brian Krebs - Krebs on Security

Krebs breaks down some of the numbers involved in the Target breach, which took place from November 27 to December 15, 2013. The most glaring one is the number of Chief Information Security Officers (CISO) or Chief Security Officers (CSO), which was zero, according to the AP. If true, that's pretty sad for the second-largest discount retailer in the United States. It's not that a CISO or CSO would have stopped the breach, but it does give us a peek into Target's thoughts on information security.

InfoSec Links May 2, 2014

Skimmers put inside Pearland gas pumps to steal credit, debit card info - Jeff Ehling - ABC 13 Houston

Skimmers are actually being found inside pumps instead of on the outside, which almost sounds like something out of the movies: bad guy walks up to the pump in a maintenance uniform, inserts the device, walks away. Movie or not, the best course of action here is to make sure you're using your credit card, not your debit card, to pay for gas or anything else for that matter.

Heartbleed Over-Hype - Tyler Reguly - The State of Security

One of the challenges of the information security community is educating users on what vulnerability, virus, trojan, etc. mean to them. This article brings up some good points on the Heartbleed bug and on educating users overall.

Heartburn from heartbleed forces wide-ranging rethink in open source world - Seth Rosenblatt - CNet

This article discusses how we could do a better job in open source and better vet the tools we use on the internet. The Heartbleed bug resulted from a vulnerability in OpenSSL, which is maintained by volunteers. If that sounds weird, it should. Major corporations and websites are relying on a volunteer open source project to secure their transmissions on the internet. It's a good technical read for those of you who are interested.

Implementing Best Practices

Best Practices - The Only Thing Worse Than Compliance - Rafal Los - Following the Wh1t3 Rabbit

This is a really good post on best practices and how they're implemented within organizations. Best practices remind me of the gaming term "cookie-cutter spec." In some video games you get these things called talent points that you can put into different spells to improve them. You're only given so many points to use on skills, so you have to place them in a way that maximizes your character. A cookie-cutter spec is a talent point set, or build, that has been proven by statistical data to work for the majority of people playing that character.

The thing is, not everyone plays the character the exact same way, so it's important that you take the base of the build and modify it to your play style. The same thing applies to organizations when it comes to information security, or any IT best practices for that matter. Take the core best practices and then modify the rest to fit your organization.

Securing Internet Explorer from the latest vulnerability

Over the weekend Microsoft put out an advisory for a zero-day vulnerability in Internet Explorer (IE) that allows an attacker to gain remote access to a computer via an Adobe Flash exploit. It appears that just about every version of IE is affected.

Secure your system

The easiest and simplest way to mitigate the vulnerability would be to not use IE. Firefox, Chrome and Safari are the three big alternatives to IE. If you must use IE, though, you can mitigate the issue by installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET) version 4.1 or 5. Just download it, install it and run the recommended security settings. It's really simple to install, and you likely won't notice any difference in system performance.

Disabling the Adobe Flash player in IE is another option. Click on the gear icon in the top right corner, then select Manage add-ons. Click the drop-down under 'Show:' and select 'All add-ons.' Select the Adobe Flash plugin, right-click and select 'Disable.' Of course, this will break many things on the internet, as many sites use Flash in their website design.

Finally, you can enable Enhanced Protected Mode in IE. Click on the gear icon again, then select 'Internet options.' Under the 'Advanced' tab, scroll down to the Security section and check the box for 'Enable Enhanced Protected Mode,' then apply and close Internet Options.

I would highly recommend avoiding IE, but if you must use it, implement the changes above. They're pretty straightforward and easy to do. A patch is on the way, that is, unless you're still using Windows XP. If you're still using Windows XP, upgrade, or be prepared to see more of these types of vulnerabilities that will be on your system forever.

Reference

http://krebsonsecurity.com/2014/04/microsoft-warns-of-attacks-on-ie-zero-day/

http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

https://technet.microsoft.com/library/security/2963983

http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx

Social media infosec links April 28, 2014

Don't share your location with your friends on WhatsApp - Paul Ducklin - Naked Security

WhatsApp is an instant messaging app that "allows you to exchange messages without having to pay for SMSes." Facebook recently acquired the app for $19 billion. With money like that you would assume that the app was solid from a security standpoint, except that it's not. Location information can be easily sniffed, without even needing to download the app. Just another reason why you shouldn't share your location information on social media.

5 essential tips for customer care people dealing with technical queries - Troy Hunt - troyhunt.com

There's a right way to do customer service on social media and a wrong way.

What A Teenage Facebook Update Can Teach your Business - Lee Munson - Security Watch

Father sues school for wrongful dismissal; father wins case; daughter goes on Facebook and brags about trip to Europe courtesy of school, ending with "SUCK IT."; school refuses to pay because of breach of secrecy agreement; school wins; father likely pissed. Lesson: oversharing on social media is a very bad idea and could cost you financially.

Surveillance and privacy links April 25, 2014

Info on Russian Bulk Surveillance - Bruce Schneier - Schneier on Security

It appears that the infosec community and media have begun to shine the spotlight on Russian surveillance and their accompanying laws.

Coversnitch - Bruce Schneier - Schneier on Security

It's a lamp that has its own Twitter account. What does it tweet about? Anyone having a conversation around the lamp. For less than $100 two artists have created a household device that not only listens to your conversations, but also tweets about them.

Parents win against cloud storage of US students' private information - Lisa Vaas - Naked Security

How would you feel if your children's personal information was being uploaded to a cloud provider by the school district they go to? Well, several tech-savvy parents were none too pleased when several school districts across the country were doing exactly that. I get the idea behind the service, but I'm inclined to agree with the outrage. Now if we could just get outraged about parents who compromise their kids' personal lives by posting about them on social media sites.