Google offers new two-factor authentication option

You Can Now Protect Your Google Accounts With a Physical Key - Eric Limer - GIZMODO

I've never had a problem with how Google's two-factor authentication works. There are two options, receive a text message with the two-factor code or install an app that syncs with the Google account. Both methods are fairly easy to use and add a significant amount of security to Google accounts. Now, though, it appears there is a third option, which includes hardware. The hardware will have to be purchased and then enabled for a Google account, but it makes it much easier to interact with a Google account via Chrome or Chrome OS.

I'm a little concerned at the fact that it's a hardware option, because it could be lost or stolen. I imagine that you can disassociate the device from the account if it's lost, but if it's used sparingly there could be a large period of time between the loss of the device and its discovery. And if someone steals the device and happens to have the password to my account, it seems like it would be much easier for them to get into my account with hardware that's supposed to make it more convenient for me to log in. Sure, my phone can be lost or stolen, but I'll know about it pretty quickly and it does have a lock on it. And yes, my phone passcode could be cracked, but it is adding another barrier to someone getting into my account vs. a piece of hardware that's triggered by the push of a button. That's not to say that I think this option is bad; it's just that I don't find the current process all that annoying. Regardless, I think a third option is a good thing, because more options for security is a very good thing.

This post first appeared on Exploring Information Security.

InfoSec links October 20, 2014

Finding a Video Poker Bug Made These Guys Rich -- Then Vegas Made Them Pay - Kevin Poulsen - WIRED

Williams could see that Kane was wielding none of the array of cheating devices that casinos had confiscated from grifters over the years. He wasn't jamming a light wand in the machine's hopper or zapping the Game King with an electro­magnetic pulse. He was simply pressing the buttons. But he was winning far too much, too fast, to be relying on luck alone.

Signed Malware = Expensive "Oops" for HP - Brian Krebs - Krebs on Security

Earlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.

Everything you need to know about the POODLE SSL bug - Troy Hunt - troyhunt.com

Which brings us to POODLE. Whilst I doubt we’ll see the same mass hysteria as we did last month, it is (and will continue) hitting the news and like the other two biggies this year, it’s serious enough to warrant attention and obscure enough to result in wild speculation and a general misunderstanding of the underlying risk. Let me share what I know based on the questions I’m hearing.


InfoSec links October 15, 2014

WPScan Vulnerability Database A New Wordpress Security Resource - Michael Mimoso - Threatpost

It’s not unlikely that a developer may be at a loss as to the security of a particular plug-in, or the disclosure of a devastating flaw in the core WordPress code that could expose a website to attack. During last weekend’s BruCon in Belgium, U.K.-based security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities that he hopes becomes an indispensable resource for pen-testers, administrators and WordPress developers.

The Criminal Indictment That Could Finally Hit Spyware Makers Hard - Kim Zetter - WIRED

The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online until the government succeeded to temporarily close the Virginia-based site (.pdf) that hosted the stolen data.

Developers of hacked Snapchat web app says "Snappening" claims are hoax - Sean Gallagher - ars technica

Posters to 4Chan’s /b/ forum continue to pore over the contents of thousands of images taken by users of the Snapchat messaging service that were recently leaked from a third-party website. Meanwhile, the developer behind that site, SnapSaved.com, used a Facebook post to say it was hacked because of a misconfigured Apache server. The statement also gets into the extent of the breach, while playing down reports that personal information from the users involved was also taken.


InfoSec links October 14, 2014

Signature Systems Breach Expands - Brian Krebs - Krebs on Security

Signature Systems Inc., the point-of-sale vendor blamed for a credit and debit card breach involving some 216 Jimmy John’s sandwich shop locations, now says the breach also may have jeopardized customer card numbers at nearly 100 other independent restaurants across the country that use its products.

Dairy Queen Confirms Breach at 395 Stores - Brian Krebs - Krebs on Security

In a statement issued Oct. 9, Dairy Queen listed nearly 400 DQ locations and one Orange Julius location that were found to be infected with the widely-reported Backoff malware that is targeting retailers across the country.

Snapchat Can't Stop the Parasite Apps That Screw Its Users - Andy Greenberg - WIRED

In a statement, Snapchat puts the blame on third party applications like Snapsaved.com that use its API to allow Snapchatters to save its disappearing messages on their devices, or worse yet, on a remote server. “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,” a Snapchat spokesperson writes in a statement. “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”


InfoSec links October 7, 2014

Fileless Infections from Exploit Kit: An Overview - Jérôme Segura - Malwarebytes Unpacked

Unique patterns, packets that match the size of binaries on disk, all make things easier for the good guys to detect and block malicious activity. But the reality is this was just an adaptive phase when the bad guys did not need to spend any extra effort and still got what they wanted: high numbers of infections.

How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks - Kim Zetter - Wired

Viruses and worms have each had their day in the spotlight. Remote-access Trojans, which allow a hacker to open and maintain a secret backdoor on infected systems, have had their reign as well. These days, though, point-of-sale RAM scrapers are what’s making the news.

The Unpatchable Malware That Infects USBs Is Now on the Loose - Andy Greenberg - WIRED

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.


WIRED infosec links October 3, 2014

Google and Apple Won't Unlock Your Phone, But a Court Can Make You Do It - Andy Greenberg - WIRED

Silicon Valley’s smartphone snitching has come to an end. Apple and Google have promised that the latest versions of their mobile operating systems make it impossible for them to unlock encrypted phones, even when compelled to do so by the government. But if the Department of Justice can’t demand that its corporate friends unlock your phone, it may have another option: Politely asking that you unlock it yourself, and letting you rot in a cell until you do.

MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code - Kim Zetter - WIRED

The mining tool, known as Tidbit, was developed in late 2013 by Rubin and his classmates for the Node Knockout hackathon—only Rubin is identified on the subpoena but his three classmates are identified on the hackathon web site as Oliver Song, Kevin King and Carolyn Zhang. The now defunct tool was designed to offer web site visitors an alternative way to support the sites they visited by using their computers to mine Bitcoins for them in exchange for having online ads removed.

Kevin Mitnick, Once the World's Most Wanted Hacker, Is Now Selling Zero-Day Exploits - Andy Greenberg - WIRED

Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.


Another round of Shellshock Bash bug links October 2, 2014

Here's some of the latest news on the Shellshock Bash bug:

The anatomy of a Shellshock attack in the wild - Troy Hunt - troyhunt.com

It’s probably a bit early to speculate about the true cost of Shellshock, but what I can do – and in a very objective fashion – is decompose a typical Bash bug attack. I can do this because I had one hit my logs just a couple of days ago.

Shellshock fixes beget another round of patches as attacks mount - Sean Gallagher - ars technica

At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash’s security (dubbed “Shellshock”) have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system.

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 - Andrew Cunningham - ars technica

Shellshock, in essence, allows attackers to issue commands to systems via malformed environment variables. In the case of Web servers, it can allow attackers to gain full control of the system. Exploits of the bug have already been spotted in the wild, and end users and server administrators are all encouraged to patch their systems as soon as possible.

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole - Sean Gallagher - ars technica

In other words, “Shellshock” may be partially patched, but it’s still highly dangerous on systems that might use bash to pass information to the operating system or to launch other software. And it may take a significant change to fix the code.


Things to know: Jimmy John's and Home Depot breach

I meant to write something up on this last week, but someone found a bug in bash that set my world on fire. I've asked several friends and family if they've heard about the Jimmy John's and/or Home Depot breach and the response has been less than encouraging. So here's the low-down on the two breaches.

Home Depot

56 million debit and credit card numbers were stolen between April and September of this year:

Home Depot: 56M Cards Impacted, Malware Contained - Brian Krebs - Krebs on Security

It looks like the breach impacted all Home Depot stores in the US and Canada. If the numbers seem quite low for a four-to-five month breach, it's because the self-checkout terminals seem to be the ones that got owned. Either way, if you shopped at Home Depot between April and September, get a new card issued from your bank. They'll be sure to send the bill to Home Depot, so don't let them talk you out of a new card. And oh hey, look! Home Depot is offering free identity protection for 12 months. Be sure to sign up for that, but realize that "protection" won't stop nefarious people from using your identity for their own gain.

Official Statement

Jimmy John's

216 stores were found to have been affected by this event and Jimmy John's has been kind enough to provide a search tool for the stores that were owned.

Affected Stores & Dates

Two stores were affected in South Carolina, one of which I've gone to in the last year. Luckily I haven't been there in the last three months. Bullet dodged. The tool is easy to use, just input a store number, city, state, address or date. Using a state's two-letter code should limit the results enough to help you identify if you've been affected by this particular breach. Full details can be found below on the incident.

Data Security Incident

Protect yourself

These are only two of the many breaches that have occurred this year. Goodwill has gotten popped as well as several other smaller and local businesses. Here are some tips for protecting yourself from identity theft that could occur from breaches like these:

Check bank statements regularly. It's ridiculously easy to do. I would recommend checking bank statements at least once a week; with online banking it shouldn't take more than 10-15 minutes to pop in and check what's been purchased on all your cards.

Also, I would highly recommend using credit cards instead of debit cards. It's a lot easier to replace a credit card than it is a debit card.

Finally, I would recommend cash, but then you have to worry about skimmers on ATMs, so I won't. =P

Happy shopping!


Shellshock Bash bug impressions

There's been some discussion both at work and on Twitter on whether or not the bash bug is worse than Heartbleed. Bottom line is that it doesn't matter. Both bugs have a severity of 10 out of 10, which makes them serious business for everyone involved in information security. For the record, I do think Bash is a little more complicated than Heartbleed, but it has the potential to be much more dangerous.

Unlike Heartbleed, which just scraped information as it went by on a system using OpenSSL, the Bash bug needs some form of initial bash access. Bash, for the uninitiated, is essentially a command prompt within Linux, Unix and Mac systems. Common Gateway Interface (CGI) functionality seems to be enough for the bug to be exploitable. The good news is that not all websites utilize CGI; unfortunately, it appears that about half the websites on the internet do, mostly webservers running Apache. For a more in-depth technical look at the Shellshock Bash bug I would highly recommend Troy Hunt's post.

More bad news

The Bash bug isn't just limited to webservers though. It could also affect anything that connects to the internet, which would include your router and any home appliances that can be accessed from an app or the internet. Once the exploit is executed, the attacker essentially has the access to do whatever he wants on the device and it's already being exploited in the wild.

What can be done?

Test everything: IT departments should be testing any device that uses Linux, Unix, or Mac as part of its structure. This includes appliances, firewalls, routers, switches, printers, websites, phones, etc. Bash use is so widespread that every organization is going to have something vulnerable that will need to be patched. Devices that are available to the internet are of particular concern and should be tested first.

Pay attention to network traffic logs: signatures should be available for Intrusion Prevention/Detection Systems (IPS/IDS). Watch for incoming and outgoing alerts and pay attention to anything abnormal in the logs. Anything abnormal should be investigated.

Patch everything: vendors should be working on patches, and once available they should be applied to systems in a reasonable time. Systems available on the internet should be patched as soon as possible. Systems available internally should be patched next, with the most critical systems first. After patches are applied the system needs to be tested for the bash bug. The easiest way I've seen is opening up a console and typing in this command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

At-home equipment: routers are likely to be the biggest problem. ISP-owned routers should be patched by the ISP. Personally owned routers will need to be patched by the owner. It's usually quite easy to do, but not easy to remember to do. For my home router I have to log in to the router, go to the firmware version and click the update button.

Browsing the internets: this is as good a time as any to start utilizing safe browsing techniques on the internet. This bug is going to allow attackers to change content on vulnerable web servers, which could include adding malware to that content. This could put anyone who browses to the website at risk of downloading that malware content. Here are two tips for safe web browsing:

  1. Make sure your system is fully patched. That includes: operating system updates, Java, Adobe Flash Player, etc. A program that can help with this is Secunia. It's free and does most of the updating for you.

  2. Use FireFox to browse the internet. It is free and there's a wonderful add-on that can be installed called NoScript that protects a computer from cross-site scripting (XSS) and Clickjacking attacks. It will require some work to use initially.

We'll get through this

This is a very serious bug and it's easy to get overwhelmed and/or paranoid, but we will get through it. The more I've researched and tested for the bug, the more comfortable I've become with it. That doesn't mean I'm worrying less or more at ease, but it does mean that I think we can get a handle on it and get the issue fixed. Well, fixed for those that want to put the time and effort into getting the bug fixed.


Useful Shellshock Bash bug links September 29, 2014

Bash Vulnerability Part 6: YABU - Yet Another Bash Update - Doug Burks - Security Onion

If you run Snort this might be of interest to you.

Shellshock in the Wild - Michael Lin, James Bennett, and David Bianco - FireEye

FireEye has been keeping an eye (pun intended) on Shellshock activity and has a list of how the exploit is being used.


Shellshock Bash bug links September 25, 2014

Bug in Bash shell creates big security hole on anything with *nix in it - Sean Gallagher - ars technica

Good starting point for understanding what the bash bug, aka Shellshock, is. To test your Linux, Unix, or Mac based equipment, type this into the command line:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get the word "vulnerable" as a response then your machine is affected by this bug.
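The one-line test above (also given under "Patch everything" in the Shellshock impressions post) and that post's "Pay attention to network traffic logs" step, as an added example that is not the blog's own script: it wraps the test so it returns a status code a script can act on, and scans constructed Apache access-log lines for the "() {" marker the test relies on. The log format, addresses and timestamps are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the post. Wraps the post's Shellshock one-liner so it
# can be run against a chosen bash binary, and scans web-server log lines for
# the function-definition marker "() {" that the test string starts with.

# check_bash [path-to-bash]
# Returns 0 if the bash under test ignores the function definition (patched),
# 1 if it ran the trailing command (vulnerable), 2 if the binary is missing.
check_bash() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Same test as in the post; stderr is silenced because a patched bash
    # prints an "ignoring function definition attempt" warning there.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Constructed Apache combined-format lines (assumed format, not real traffic).
# Two carry the marker (once in User-Agent, once in Referer); two are ordinary.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:14:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:15:31 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.37.0"
198.51.100.9 - - [25/Sep/2014:10:16:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# scan_log: reads log lines on stdin, prints how many carry the marker.
# -F matches a fixed string so the braces are not treated as a pattern;
# "|| true" keeps grep's exit status 1 (no match) from aborting a set -e script.
scan_log() {
    grep -F -c '() {' || true
}

# list_offenders: reads log lines on stdin, prints the distinct client
# addresses that sent the marker, one per line, so they can be investigated.
list_offenders() {
    grep -F '() {' | awk '{print $1}' | sort -u
}

# Stand-alone run: report on the local bash, then on the constructed log.
check_bash "${BASH_TO_TEST:-bash}"
case $? in
    0) echo "bash: patched (function definition in env ignored)" ;;
    1) echo "bash: VULNERABLE, patch it" ;;
    *) echo "bash: binary not found" ;;
esac
echo "log lines with Shellshock marker: $(sample_log | scan_log)"
echo "clients that sent it:"
sample_log | list_offenders
```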

Everything you need to know about the Shellshock Bash bug - Troy Hunt - troyhunt.com

A longer, more in-depth look at the bug sweeping the internet. I would highly recommend reading this if you work in an IT department.

The Thanks-Rob Worm to Come - Richard Stiennon - securitycurrent

It appears someone has begun utilizing the bug to create a worm that downloads malware.

AWS users fret over downtime ahead of Amazon's massive EC2 reboot - Liam Tung - ZDNet

Shellshock isn't mentioned as a reason for the reboot, but a "critical security flaw" is and likely means that Amazon's Web Services are affected by this bug.


InfoSec links September 24, 2014

Data Breach Victims or Enablers? - Bill Brenner - Liquid Matrix

Companies that suffer a breach — Home Depot and Target have been among this year’s biggest poster children — are victims. They don’t set out to put their customers’ data in danger and they probably thought they were practicing all due diligence until they discovered the intrusions. But they probably also mistook their compliance check lists for real security and failed to turn security into a company-wide mindset, and that makes them enablers for the hackers who beat them.

Home Depot ignored security warnings for years employees say - Sean Gallagher - ars technica

Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

Massive Malvertising Network is 9 Times Bigger Than Originally Thought: Cisco - Brian Prince - Security Week

"The “Kyle and Stan” network is a highly sophisticated malvertising network," blogged Armin Pelkmann, threat researcher with Cisco. "It leverages the enormous reach of well placed malicious advertisements on very well known websites in order to potentially reach millions of users. The goal is to infect Windows and Mac users alike with spyware, adware, and browser hijackers."


Monday morning links September 22, 2014

For Sale Soon: The World's First Google Glass Detector - Andy Greenberg - Wired

“Basically it’s a wireless defense shield for your home or place of work,” says Oliver. “The intent is to counter a growing and tangibly troubling emergence of wirelessly capable devices that are used and abused for surveillance and voyeurism.”

"Hobbes and Bacon" is a "Calvin and Hobbes" tribute that takes place 26 years later - Free Republic

This was posted two years ago and is just simply awesome. If you read Calvin and Hobbes growing up you'll really enjoy this.


Longform links September 18, 2014

I can't remember if I've already shared this video before, but it's worth sharing again.

This is a documentary on DEFCON, a security conference hackers and security professionals so lovingly refer to as "Hacker Summer Camp." It's almost two hours long, but well worth it.

Fun With Funny Money - Brian Krebs - Krebs on Security

Krebs takes a deep dive into counterfeit money: where it's sold and how to identify it.

Finally, we have a three-page article on podcasting:

10 years of podcasting: Code, comedy, and patent lawsuits - Cyrus Farivar - ars technica

This dives into the history of podcasting: where it started, what it's become and some of the challenges podcasters are facing through the legal and patent systems.


Impressions from BSides Augusta

Simply awesome!

What a great BSides event. Not only was it a short drive for me, but the event itself was top notch, all at the fantastic price of free. I can't gush enough about how great of an event this was. Excellent talks, great location and wonderful people. I volunteered for the event and you can read my experience from that, as well as a rant about how awesome volunteering is, by clicking this link.

I love that this BSides decided to go with a blue team and a red team track. It helped define some of the talks that might not have been apparent in the title or in the abstract. Full disclosure: I'm a blue team guy and thus spent most of the day in the blue track. I hear there were some fantastic red team talks like Tim Tomes', The Adobe Guide to Keyless Decryption:

But there were also some fantastic blue team talks like Tim Crothers', Techniques for Fast Windows Investigations:

Or Chris Campbell's, Using Microsoft's Incident Response Language:

What I loved in particular about this talk was that Chris spent the majority of his talk going over actual code and techniques, which is not something I see a lot of talks doing. If you're interested in PowerShell, have it up while you're watching this talk.

There's also Chris Sanders' talk Defeating Cognitive Bias and Developing Analytic Technique which kicked off the blue team track:

Finally, Mark Baggett closed out BSides Augusta with his awesome talk Crazy Sexy Hacking:

These talks were the ones that impacted me the most. Everyone is going to get something different out of each talk. I would recommend you check out all the talks at the BSides Augusta YouTube channel. I don't think you'll be disappointed.

One other awesome thing happened at BSides Augusta in that the local media showed up unannounced and took footage of the event as well as conducted interviews with some of the organizers of the event. This is not just a good thing for BSides Augusta, but for the infosec community as a whole.

We must present ourselves to the world as professionals and BSides Augusta did that very well. I look forward to more BSides, especially at Augusta.


Volunteering at BSides Augusta

This past weekend I got an opportunity to volunteer for my first BSides event and I did it at BSides Augusta, which is the closest BSides event to me (approximately an hour away). When I initially signed up to volunteer I was happy to find that I was put on a waiting list. It's pretty awesome that an event that doesn't cost anything and relies heavily on its organizers and volunteers didn't initially need my services. That changed a few weeks later when I was notified that I would in fact be needed.

I left the house just before 6 a.m. this past Saturday to make it to volunteer orientation at 7 a.m. I showed up and was instantly put to work setting up signs and making sure everything was prepared for the blue team track speakers. BSides participant registration quickly followed and soon after that we were off.

After the initial setup we were free to go to any talks and roam around wherever we wanted to. If someone needed a volunteer they would come find us. I was assigned the duties of helping out the blue track team room, but another volunteer expressed interest in helping out in the room as well, so I ended up splitting time with him. He took the morning sessions and I ended up with the afternoon sessions. This gave me the opportunity to spend my morning walking/running between the blue and red team talks.

When I was working in the blue team room I made sure the speakers got the microphone and computer set up and helped with anything else the track organizer needed. After the conference was over, the signs that were put up in the morning were taken down and I ended up walking around making sure everything was collected that needed to be collected.

The great thing about most security conferences is that they're recorded, and BSides Augusta was no different. At this event they were able to acquire the services of Adrian Crenshaw, AKA Irongeek, to record all the talks. So you really don't need to go for the talks. Instead you can go for the opportunity to make a connection with other security professionals, and volunteering, as it turns out, is an excellent way to make those connections.

Doug Burks ran the blue team track and Mark Baggett ran the red team track. Doug is the creator of Security Onion, which is a Linux-based network security monitoring tool. Mark is the owner of In Depth Defense, an author and former Chief Information Security Officer (CISO). Both are SANS instructors and I got to work with both of them and even chat with them a little bit. Well, I didn't chat with Mark a whole lot, but he did mention that he had seen my tweets before (WHAAAA???).

Those were two of the many people I got to meet this past weekend. I also got to meet Joanne Sexton (the volunteer coordinator and assistant professor at Georgia Regents University), Lawrence, Phil, Chad, Warren, Don and many others working and participating in the event. Because I got assigned to help out with one of the talk rooms I also got to interact with several of the speakers such as Chris Sanders, Chris Sistrunk, Mike Reeves, Tim Crothers, Chris Campbell and Jeff Murri. All of these guys have a wealth of knowledge and experience within the information security community. I'm not exactly besties with any of them, but I have made a connection and I am following and being followed by several of them on Twitter now.

By the way, Twitter is fantastic for events like this. Not only do you make connections, but you can help promote the event and the infosec community by tweeting about some of the cool things happening there. I had over 50 interactions with people via tweets, mentions, retweets and favorites during and hours after the event. If you're an infosec professional (or in any profession, really) you should be on Twitter. You don't have to tweet anything, but there are a lot of smart people you can follow. If you do tweet, you can start making a connection with the people you do follow.

Volunteering is something very near and dear to my heart. This was my fourth BSides event, but the first in an official volunteer capacity. At the previous two BSides I participated in, Nashville and Asheville, I volunteered my photography "expertise." Those two events benefited me in allowing me to refine my photography skills as well as make connections with the event coordinators. I am currently helping Ed Rojas (BSides Nashville event organizer) with starting up a new security podcast as well as interning this spring with BSides Nashville. When you volunteer you get just as much as you give.

Up until recently I had been volunteering at my church for the past three years. Every other Sunday morning I would get up and be at church by 7 a.m. I would then spend the next five and a half hours helping produce three services. Through that I've been able to gain WordPress, Mac and sound design experience, but I've also made connections with other volunteers, musicians and sound engineers. In fact, the music for most of my podcasts comes from the sound engineer I was working under as a volunteer. The fence in my backyard was built by another volunteer who runs his own business.

Volunteering is a wonderful thing: You not only give back to a community or a cause, but you also get back just as much if not more. Don't be just a consumer of your hobbies or profession, be a producer. And if your hobby or profession is information security give back to a BSides event near you. You won't regret it.
