An INFOSEC Maturity Differential Diagnosis:
Advanced Persistent Failure (APF *tm*) is a term that I coined today in my Twitter feed that I have yet to trademark before Rob Graham (@erratarob) gets around to it.
Advanced Persistent Failure: The inability of human beings and their collectives to learn from security incidents, data, polls, and any other lessons learned that would normally cause changes to be made. Instead, the cognitive dissonance wins out and they believe nothing is ever wrong, they are safe, and unicorn devices will prevent their data from being stolen.
Why it came to me today was the article pictured above by Brian Krebs, who begs the question “What is your org’s security maturity?” I find it interesting that the guy who is out there on the net, the one person you “don’t want to hear from” of late (because if he’s calling, it’s because your data is out on the net and he knows about it), is actually asking a question that many others have asked in the past. I don’t think any of them, myself included, ever got traction with the hoi polloi because we aren’t all famous or ‘rock stars’ in the industry. Still, even with someone like Brian begging the question, I don’t think the message will get through the static of all the sales pitches and self absorbed thought processes out there in the corporate world to make one whit of difference.
What I mean to say is that even with someone like Brian asking the question, the companies and the people that comprise them likely will not navel gaze enough to make the changes that are recommended by such posts and supporting data. Now you may just consider me to be a jaded bastard or a pessimist, which I am both, but I want you all to take in the reality of the situation. How many orgs do you know of that have been on the right path security wise from the start? How many of those orgs only began to change after an intrusion that caused great deals of damage and FUD? Seriously, take a look at the chart above and compare it to your own org. Now ask yourself honestly these important questions:
- If I am in a reactive org, can I change the org to not be?
- If I am compliance driven, the motivation has already been given, yet I am still unable to secure things. Why?
- If my executive chain does not get it now, how can I change this?
Now these questions may be daunting for the average security worker but then consider a CISO or director asking these questions too. Do you honestly think that even if they sent this article to the executive set that they would even bother? Why would they? Do your execs get security at all? I am sure some of you out there are like “yeah they get it, my org rocks!” to which I say “Good for you! Liar.” It is my opinion, after a long time in this business as a consultant, that orgs in general are fucked up and not clued in on security as the rule. Doubt this? Just look at all the big compromises and advanced persistent failure we have seen over the last few years. How about this though, just consider the reports recently about POS machines with default passwords that have not been changed in 20 years.
How bout them apples? We all know that default passwords are bad and they should be changed as a rule, but no one is doing that. Why do we persistently fail at doing the simple things? Perhaps it is because humans are just bad at determining long term risk? Perhaps none of us is as bad as all of us when it comes to making security decisions? Or maybe it is just because there is no real imperative on the part of companies to really care because the financial and reputational losses are not that great today? Let me ask you this: do you think that the former CEO of (insert hacked company) is now living on the street in a cardboard box because they failed to care about the security at (insert hacked company)?
Lemme give you a hint… No.
Clearly it is not an imperative, so by Brian asking the question it may get some air time, but really, how many orgs do you think are going to read that article and yell “BY JOVE HE’S RIGHT! WE MUST CHANGE THIS HENCEFORTH!”
Lemme give you a second hint… None of them.
BUT CSO MAGAZINE SAID:
Hell, even if Steve Ragan wrote a piece on this *hint hint* I still expect that the vast majority of the security people out there, even after taking that article and forwarding it to directors and CISOs, would not be able to effect a change for the better security wise. Why? Because once again, people don’t give a shit and they aren’t being forced to do anything about it. No, really, that is my opinion and I am going to stick to it. Nothing will change unless they are forced to be cognizant of the issues as well as responsible, really responsible at the end of the day. So there is very little hope that your CISO will be magically reporting directly to your CEO. There is very little hope that your CISO will be working directly with the board of directors UNLESS maybe, if you are lucky, you have been hacked spectacularly and in the news. Those orgs that have made those changes post being hacked I feel are more unicorns than anything else. So yeah Steve, please write about this and have that drop in all the CISOs’ email boxes! It will be all hopey changey!! Secretly though I would hope you just link back to me about the APF of all of this, ya know, just as a cautionary tale and a buzzkill.
Face facts kids, we are well and truly shit out of luck here. I certainly don’t expect us as a species to change how we operate because some people in the media pointed out the realities of our collective fail. Sure, China is hacking the shit out of us, Iran is about to cyber nuke the lot of us and the Russkis are all up in our President’s emails, but will we change our SOP for security because of it? No, no we won’t; we will just continue to stumble along like we have been all along. Our predilection for Advanced Persistent Failure is like an addiction really. Security is hard! We can’t make those changes to passwords! I mean how will we rememberize them? Oh. My. God! Enlightenment, even the ‘brick’ that @Gattaca and others use out there, does not have the play or the sexy that a new blinky light APT stopper has on the RSA floor as hawked by booth… Babes? Men? Whatever the flavor of the day is now in our stupid industry of fail.
Prepare for the next fail tsunami kids. Nothing will change.
Watch video first.. Yes, watch it again if you haven’t already then read on….
Ok, so do you feel some horror and outrage even though you laughed your ass off? Yeah, me too. But after those feelings wear off I am just left with a sense of creeping dystopia and loathing. Honestly, this shit is just out of hand and no one is really capable or willing to deal with it, and this comedic bit by John Oliver hits the nail on the head. No matter what you think of Snowden, the point is that even after all of the data being released and all its portents shared, nothing substantive has happened. Sure, the world now knows and the security community at least seems to be in a quandary over it all, but the general populace, it seems, cannot be bothered to even know who Snowden is and what he did. To quote myself here:
Ok ok ok, maybe the sampling was skewed in Times Square that day and the sampling was small, but really, no one there had a real grasp of the leaks, never mind their import to their daily hyper connected lives? I am still a little stymied to believe this to be the case but there you have it on HBO. So as the date approaches for the re-up on the Patriot Act, and specifically the most egregious of all the egregious shit in it, Section 215, we the people seem to just be abdicating our rights as citizens to say no to this. Even as we see more executive orders come out on hacking and the ‘cyber’ that seem at least notionally obtuse and open to interpretation, if not outright deliberately so to allow abuses, we are just gonna go back to collectively not caring about anything other than Kim Kardashian’s ass?
Oh.. Wait a minute here, I am forgetting about the dick pics!
Well obviously we have our priorities straight as a nation and a freedom loving people right? I mean FOR GOD’S SAKE YOU CAN TAKE MY PERSONAL CALLS AND CALL ME A TERRORIST BUT FUCK ME YOU CANNOT LOOK AT MY DICK PICS YOU SURVEILLANCE BASTARDS! Yeah, that is a bridge too far my friends! I suspect I will be seeing new ‘Don’t Tread On Me’ flags with a penis instead of a snake soon enough.
Ok, well then we have proven that we as a nation, as a people, do not comprehend the problem of pervasive surveillance enough to do anything about it UNLESS it is about our personal porn. I get it now. As no one but Oliver has made it about this I predict that section 215 will just get another pass. Meanwhile all our data collection will continue and the mass surveillance state will grow even further than it already has. This leaves me once again back at the stage of Neo Ludditism. Excuse me while I go to my 6’x12′ cabin in the woods and make my ‘packages’…
GLOBAL Threat Intelligence Report – March 2015
In the month of March there were several high level vulnerabilities exposed ranging from programmatic issues to compromise of user security by supply chain tampering by a maker of laptops and desktops. All of these instances show just how much the landscape changes per month in the security of our systems and networks.
This report has been generated to give the end user an idea of what is happening in the security space as well as insights into little thought of security issues that could lead to compromise of your network. From the macro to the micro-verse, security issues can have great effect on corporations large and small. From the Target hack response of ten million dollars in reparations to their clients, to the FREAK vulnerability and the attacks on the core protocols that the internet is based on and secured with, these reports give you an idea of where to look and what to look for.
Fully Patched Versions of Firefox, Chrome, IE 11 and Safari hacked in PWN2OWN contest
Think that patching your browser on a regular basis is the only answer to your security problems? Then guess again. At the last Pwn2Own contest all of the major browsers fell to attacks even though they were fully patched.
What this shows is that even when a system has been curated well and security patches applied, there can always be flaws in the code that can lead to compromise. This is an important fact to remember and plan for in any environment dealing with on-line activities.
However, mitigations can be taken to help stem these types of attacks. Consider deploying systems like EMET 5 or another HIDS client that can monitor the volatile memory space as well as changes to the operating system that might trigger when a browser is exploited. It is also a given that your company should have IDS/IPS/SIEM capabilities as well, to detect traffic that may be going to C&Cs from compromised systems and browsers.
The Largest Email Hack in History
The US Department of Justice announced today that it has charged three men for participating in what officials are calling “one of the largest reported data breaches in US history” and “the largest data breach of names and email addresses in the history of the Internet.”
According to allegations in the indictments, between February 2009 and June 2012, Viet Quoc Nguyen, 28, a citizen of Vietnam, allegedly hacked into at least eight email service providers (ESPs) throughout the United States and stole confidential information, including proprietary marketing data containing over one billion email addresses. Nguyen, along with Giang Hoang Vu, 25, also a citizen of Vietnam, then allegedly used the data to send “spam” to tens of millions of email recipients. The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011. ~USDOJ
The hacking of eight major email providers in this case shows just how important common information like our email addresses and content are to criminals. That this is the biggest and seemingly longest running of these scams also shows how long something like this can go on and how it has been corporatized in a way.
The criminals created an enterprise in which they used the data from their ill gotten gains to send spam and generate revenue from it. This is common today, but it is not usually predicated on hacking major email providers and stealing inside information.
The FREAK Vulnerability and SSL
Just when you thought it was safe to use your computer again after last year’s Heartbleed, Shellshock and other computer bugs that threatened your security and just as I predicted in my column of Dec. 20, 2014, researchers have discovered yet another security flaw that threatens millions of Internet users.
The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses expect to see more attacks on this fundamental protocol which could compromise your whole environment.
This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once this has been broken by making a session insecure, an attacker can then steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.
Target Offers 10 Million Dollars in Breach Payments
Target has agreed to pay $10 million to settle a class-action lawsuit related to the company’s 2013 data breach.
Court documents show hacking victims could get as much as $10,000 apiece.
The Target hack was one of the first in recent times to make a lasting impression on the world. This attack not only showed how the adversaries used advanced and persistent means to gain access to Target’s networks and keep it, but also how a company can be financially and reputationally compromised.
That Target is now making offers of money, beyond just offering credit monitoring, shows just how important these attacks are to a company’s bottom line as well as to its continuing reputation. This round of settlements has, however, been marked as low and not enough by many in the industry and in the public.
The upshot here is that the company has had to respond in this manner due to its own culpability: its security measures were not up to speed to catch the warning signs that were going off like klaxons in the night. It is important for all organizations to perform due diligence in this day and age of advanced adversaries who may not be nation state sponsored.
One in Three Websites at Risk on the Net
Facebook. Paypal. ESPN. Google. Amazon. These are sites you probably visit all the time, sites you inherently trust. But a new report from Menlo Security released Tuesday says that trustworthy sites are not necessarily safer.
Menlo pulled out the top 1 million domains on the Web and reviewed them all for potential vulnerabilities. The results were startling. One in three fell into the category of “risky,” meaning that they had either already been compromised by hackers, or were running vulnerable software that leaves them open to attack.
There are a couple of factors that could explain this assessment. The first is that the vulnerabilities are just so many that they are hard to keep up with in an enterprise environment. The second is that either the companies are not performing their scans as regularly as they should, or they have decided that the vulnerabilities are acceptable to them and write them off as acceptable risk.
I am unsure of the reality here regarding these potential risks to all these sites on-line. Risk acceptance and determination of the level of risk are hard to scope out, as each environment is making that calculation (one hopes) for themselves, so there are variations in levels of care. However, this article and the statistics therein show that, as a whole, we can understand how easily the adversaries can exploit systems reachable on-line, and why we keep seeing stories about large scale hacks on organizations.
ISIS Hit List and Information Warfare
At least three times in the last five months, U.S. military members have been urged to limit their social media activity in response to worries that ISIS-linked terrorists could track them down, in the U.S. or abroad.
The latest warning came this week, when a group calling itself the Islamic State Hacking Division posted personal information of about 100 service members, which defense officials said had been collected from social media sites.
While this story is about the war on terror and the on-line antics of a small cadre of Da’esh followers, it is also a cautionary tale. The information that was leaked on-line was not in fact hacked, but instead all available through Google searches. This is an important fact in the story to clarify but also sets the stage for the second important insight, of how much of our personal data is on-line.
A simple Google ‘Dork’ can deliver a huge amount of OSINT on a target today and the use of that data to then re-post it on a page like pastebin and call for assassinations shows the power of the net. Basically, this story is the story of asymmetric warfare and how easily it can be carried out online. Now imagine that it is not in fact a terrorist organization doing this but a disgruntled employee or client of a company doing this.
Every individual should consider how much data they put online and where they are putting it. From cyber bullying to outright death threats, we make it easy to ‘dox’ ourselves with our Tweets, Facebook postings, and emails.
On March 26, 2015, a very well-coordinated distributed denial of service (DDoS) attack was waged on GitHub, the heir apparent to the now-closing Google Code. GitHub characterized this as the largest DDoS in its history.
The Electronic Frontier Foundation (EFF) and security researchers Netresec name the Chinese government as the culprits of the attack, which lasted until March 31, 2015. Here’s an overview of why the cloud-based git repository host was targeted.
China and India both blocked GitHub recently for content on the site that they evidently found threatening. In the case of China, it seems that GitHub may have just become another piece of fodder for the internet wars. The reality though is that no matter the political aegis, GitHub was taken down with a DDoS because of unencrypted sessions that were allowed to Baidu.
The bigger story here, though, is that DDoS is incredibly hard to mitigate and everyone is vulnerable to it. As a means of political protest, or just an attack to force a company into some kind of complicity, DDoS is not going anywhere. This is because our systems are inherently vulnerable to these attacks, and until such time as the code is adjusted to disallow these attacks, they will happen regularly.
For more on DDoS go here
Your Private Data Available Through Anonymous Shares On-line
Our lives are digital now.
Everything we do on-line leaves a trail that leads directly to us; something privacy advocates are fighting to eliminate. However, we’re our own worst enemy when it comes to privacy, and personal cloud adoption has done nothing to help the situation.
Each day millions of people across the globe create backups of their files. These backups are supposed to offer a measure of assurance that their files are safe and easily recovered if needed. But that’s not entirely true.
In fact, depending on how you’ve configured the device, your backups are freely available on-line to anyone who knows what they’re looking for.
Google ‘Dorking’, as mentioned above in the Da’esh story, is an easy way not only to gather data on users but also to gain access to their data and systems. In the case of the story at CSO it was easy to Google with certain terms and strings to locate users’ systems that were insecure and on-line. Many of these systems were in fact routers that had been turned on with default settings or mistakenly configured incorrectly.
This is an object lesson for everyone, and you all should consider this not only as a personal security issue but also a corporate one. Imagine if you will that you have an IT person who is bringing work home, or worse still, has configured a router or a NAS device to share in this way to the Internet. This is actually a scenario that was discovered and offered up a compromise of the company’s whole infrastructure.
Many of the cases just involve personal information. However, there have been cases like the one cited above as well as cleared individuals sharing out FOUO/NOFORN/CONFIDENTIAL information as well so this is certainly not only a personal issue. Please consider talking to your employees about these types of data breaches at home that could lead to breaches at your company as well.
Superfish! Lenovo Pre-Installed Malware
Does your Lenovo computer have Superfish VisualDiscovery adware (a.k.a. spyware) installed? It’s possible if you purchased a Lenovo PC any time in September of 2014 and thereafter.
This Superfish software intercepts the Lenovo user’s traffic so that the user sees ads displayed that reflect their browsing habits. The problem with this targeted advertising scheme is that it comes with a vulnerability that makes it easy for hackers to attack.
Superfish enables targeted advertising by installing what’s called a trusted root CA certificate.
These threat intelligence reports have covered the idea of ‘Supply Chain Tampering’ in the past, but this one should set bells off for anyone buying a computer from any vendor. According to Lenovo, the alleged adware with its trusted CA was nothing to worry about. However, it was proven out that this adware/malware could be used by others to compromise the systems entirely.
Though Lenovo considered this form of advertising, with its inside access to and routing of traffic, legal and OK, it is in fact not. Just as Sony considered adding a RAT (remote access tool) to their DVDs in the past and were called on it, this is wholly inappropriate and in fact degrades the security of whole organizations as well as of individuals who may purchase their hardware.
Now that this is out in the open, if you have these systems within your network you should remove the adware/trojan, as well as inform any home users that might be in your work-at-home or bring-your-own-computer offering to remove it too. If it is left in place today, after all the reporting on it, a compromise is likely because exploit code is already in the wild.
To remove SuperFish go here
Kilim Facebook Worm Hooks with Sexy Pics
Security experts have warned of a new Facebook worm using adult content as a lure to trick desktop users into downloading malware.
The authors behind this version of the Kilim worm have “gone to great lengths to anonymize themselves” and circumvent browser protections, Malwarebytes senior security researcher, Jérôme Segura, wrote in a blog post.
If they click on what appears to be a video file promising to show “sex photos of teen girls,” victims are redirected via two ow.ly links – first to an Amazon Web Services page and then a malicious site, videomasars.healthcare, which apparently checks their computer.
One of the more common techniques in malware delivery and phishing attacks is the promise of sexual content. That this is being leveraged on Facebook only makes it more effective, because of Facebook’s prevalence on the net. Additionally, the use of obfuscated shortened links like bit.ly and ow.ly is common as well and should be filtered if possible in your environment to disallow these attacks.
As organizations, you should have some form of web filtering in place, but oftentimes these slip up and let such content through. Please keep up with the filtering and leverage systems like BlueCoat and Websense as a front line tool against these types of attacks.
The Hanjuan Exploit Kit and Malvertising
Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.
Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com that the issue has been resolved.
Malvertising (from “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
Another name for this type of attack could be ‘drive by’ as well, but the point here is that nothing is safe. Ads on sites can in fact be the infection points for systems that are looking at the page, and this is a risk to all environments.
Whether it be an iframe attack or a click through to a malicious domain, these types of attacks are myriad on-line and should be a concern for all security departments in corporations. What can be done though? It is a hard thing to keep up with and to prevent users from clicking or just visiting legitimate sites that may be compromised temporarily.
The best thing that you can do is have the measures in place (Websense/BlueCoat/Barracuda etc.) to monitor the online traffic of your users and get alerts on sites that may be compromised. It is then your job to locate the users who may have gone to these sites and scan their systems for compromise. Having a program (RSS feeds etc.) to keep up with these types of attacks will also help your security team to detect and deter these attacks from happening.
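The two tasks just described for the Kilim lure and for malvertising (flag shortened links such as the ow.ly/bit.ly redirects, and find the users who reached a known-bad domain so their machines can be scanned) can be done over proxy logs. The following is an added example, not code from the original report or from any of the vendors it names; the log lines are constructed in a generic `timestamp user ip method url status` layout, and the only indicator in the list is the videomasars.healthcare domain quoted in the Kilim story.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp user client_ip method url status
LOG_LINES = [
    "2015-03-24T10:01:02Z alice 10.0.0.11 GET http://news.example.invalid/story 200",
    "2015-03-24T10:01:05Z alice 10.0.0.11 GET http://ow.ly/abc123 301",
    "2015-03-24T10:01:06Z alice 10.0.0.11 GET http://videomasars.healthcare/check 200",
    "2015-03-24T10:03:40Z bob 10.0.0.12 GET http://bit.ly/xyz789 301",
    "2015-03-24T10:05:00Z carol 10.0.0.13 GET https://intranet.corp.invalid/home 200",
]

# Shortener domains named in the report; extend with your own list.
SHORTENERS = {"bit.ly", "ow.ly"}
# Indicator list: the malicious landing domain from the Kilim story.
IOC_DOMAINS = {"videomasars.healthcare"}
# A shortener hit followed by an IoC hit within this window is treated as
# one redirect chain rather than two unrelated events.
CHAIN_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, ip, method, url, status = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "method": method,
        "url": url,
        "host": (urlparse(url).hostname or "").lower(),
        "status": int(status),
    }


def triage(lines, shorteners=SHORTENERS, iocs=IOC_DOMAINS):
    """Return shortener hits, users whose hosts need a scan, and any
    shortener -> IoC redirect chains seen per user in time order."""
    events = sorted((parse_line(l) for l in lines),
                    key=lambda e: (e["user"], e["time"]))
    shortener_hits, users_to_scan, chains = [], [], []
    last_short = {}  # user -> most recent shortener event
    for e in events:
        if e["host"] in shorteners:
            shortener_hits.append((e["user"], e["url"]))
            last_short[e["user"]] = e
        if e["host"] in iocs:
            if e["user"] not in users_to_scan:
                users_to_scan.append(e["user"])
            prev = last_short.get(e["user"])
            if prev and e["time"] - prev["time"] <= CHAIN_WINDOW:
                chains.append((e["user"], prev["url"], e["url"]))
    return {
        "shortener_hits": shortener_hits,
        "users_to_scan": users_to_scan,
        "redirect_chains": chains,
    }


if __name__ == "__main__":
    for key, value in triage(LOG_LINES).items():
        print(key, value)
```

Run against the constructed lines, alice is the only user to scan, both alice and bob touched a shortener, and alice's ow.ly hit one second before the landing domain is reported as a redirect chain, which is the sequence the Kilim write-up describes. Feed it your real proxy export and your own indicator list instead of the two constants.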
Android Malware Risk to Almost 50 percent of all Devices
Millions of Android devices have been found vulnerable to cyber attack following a security flaw allowing malware to replace legitimate apps, hacker Zhi Xu has found.
Almost half of Android phones may be affected, with the flaw allowing dangerous malicious apps to be downloaded without the user’s knowledge, collecting personal data from the infected device.
As mobile computing becomes more prevalent and operating systems like Android take more market share, your employees and you are at more risk to compromise. In the case of this malicious application installation it has been shown that nearly fifty percent of all phones are vulnerable.
With the advent of ‘Bring your own device’ and just general use of these phones, tablets, and devices the risk for compromise has increased geometrically. It is important that your security programs include keeping up on vulnerabilities to these devices as well as being aware of the intricacies involved in private individuals devices, their use, and where the security rubber meets the privacy road.
A compromise of a device not only means that the end user’s data is at risk but also the corporations as well as their network infrastructure.
New variants of malware come and go with depressing regularity, but some have capabilities that offer more cause for concern than others.
The latest piece of scary software comes from researchers at security company Doctor Web who have uncovered a new Trojan dubbed BackDoor.Yebot that’s capable of carrying out a wide range of destructive actions on an infected machine.
It’s spread via another piece of malware, Trojan.Siggen6.31836. When launched on the target machine, this injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending a request to the remote server it then downloads and decrypts BackDoor.Yebot and transfers control to it. Some features of Trojan.Siggen6.31836 are encrypted (and can be decrypted only while it’s being executed). It also incorporates mechanisms to verify the virtual machine in a target system and bypass User Account Control.
Multiple vector infection malware is more common today. Once the code has been allowed on the system it will infect many .dll files or others that are common to the operating system as a means to stay entrenched on the system. This is called ‘persistence’ and is the status quo. It is also important to note that these types of malware then in turn call out to command and control systems to gather more malware for that same persistence should the primary infection be detected and removed.
In the case of this particular malware it is important to understand the multiplicity of infections, the many means it then creates to exfil your data out of your domain, and the rapidity with which this can happen. What this means is that by the time an infection is detected, it has already had ample time to export your data to the adversaries.
Please note that this is not part of some exotic malware campaign by a nation state actor, this is in fact crimeware!
Bitcoin blockchain exploitation could allow for malware spreading
Bitcoin’s blockchain can do more than store transactions, according to new research from Kaspersky that demonstrates the way in which the cryptocurrency’s ledger can be used to store malware control mechanisms or provide access to illicit content.
As with anything on the Internet and in computing, the technology can be turned against you. In this case the blockchain, the ledger that Bitcoin (a crypto currency) uses to track its transactions, can itself be used to carry data that infects or controls systems. This likely will not be a big deal for many companies as yet because Bitcoin is still not in use widely by corporations.
However, it is important to note that any users of the currency might fall prey to these attacks and those persons may work for you and use systems that not only connect to their daily lives but also your network as well.
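Kaspersky's point is that a transaction output can carry arbitrary bytes, and the standard place for that is an OP_RETURN output whose script is the opcode followed by one data push. The following is an added example, not code from the report or from Kaspersky: a parser for that script layout so a monitoring script can pull out and triage embedded payloads. The three outputs are constructed (one ordinary pay-to-pubkey-hash output, one short text push, one 80-byte binary push); fetching real transactions is left to whatever node or API you use.

```python
# Bitcoin script opcodes used by standard data-carrier outputs.
OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x6A, 0x4C, 0x4D, 0x4E


def extract_op_return(script: bytes):
    """Return the payload of an OP_RETURN <push> output, or None when the
    script is anything else (P2PKH, P2SH, ...) or the push is malformed."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""  # bare OP_RETURN with no data
    op = script[1]
    if 1 <= op <= 0x4B:                       # direct push of 1..75 bytes
        n, start = op, 2
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        n, start = script[2], 3
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        n, start = int.from_bytes(script[2:4], "little"), 4
    elif op == OP_PUSHDATA4 and len(script) >= 6:
        n, start = int.from_bytes(script[2:6], "little"), 6
    else:
        return None
    payload = script[start:start + n]
    return payload if len(payload) == n else None  # truncated push -> None


def looks_like_text(payload: bytes) -> bool:
    """Printable-ASCII heuristic: text payloads (URLs, hostnames, commands)
    are the ones worth a human look first."""
    return bool(payload) and all(32 <= b < 127 for b in payload)


def scan_outputs(outputs):
    """outputs: list of (value_in_satoshi, scriptPubKey bytes).
    Returns one finding per data-carrying output."""
    findings = []
    for idx, (_value, script) in enumerate(outputs):
        data = extract_op_return(script)
        if data is None:
            continue
        findings.append({
            "vout": idx,
            "size": len(data),
            "printable": looks_like_text(data),
            "payload": data,
        })
    return findings


# Constructed sample outputs (not from any real transaction).
SAMPLE_OUTPUTS = [
    (50000, bytes.fromhex("76a914" + "00" * 20 + "88ac")),  # P2PKH: no data
    (0, b"\x6a" + bytes([11]) + b"hello world"),            # direct push
    (0, b"\x6a\x4c" + bytes([80]) + bytes(range(80))),       # PUSHDATA1, binary
]

if __name__ == "__main__":
    for f in scan_outputs(SAMPLE_OUTPUTS):
        print(f["vout"], f["size"], f["printable"], f["payload"][:16])
```

The parser deliberately returns None for a push whose declared length runs past the end of the script, so a malformed output is reported as "not a data carrier" rather than yielding a partial payload that could mislead an analyst.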
A local user can run a program that repeatedly accesses a row of memory to cause bits in adjacent rows to flip. This can be exploited to execute arbitrary code on the target system with kernel-level privileges.
This is a local exploit that can cause a flipping of bits in certain brands of DDR3 RAM. This then would result in compromising kernel level processes on the system attacked.
We have shown two ways in which the DRAM rowhammer problem can be exploited to escalate privileges. History has shown that issues that are thought to be “only” reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to.
This is a problem for various brands of laptops and desktops that use the specific RAM mentioned in the article. Please consider looking at the systems in your environment and what RAM they use, to ensure that you are not at a higher risk through mono-cultures in hardware.
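The inventory step the paragraph recommends can be scripted from SMBIOS data: on Linux, `dmidecode -t 17` (DMI type 17 is "Memory Device") lists every DIMM slot with its type, size and manufacturer. The following is an added example, not code from the report or from the rowhammer researchers; the dmidecode output it parses is constructed, with vendor names and part numbers that are placeholders, and the "monoculture" figure is simply the share of DDR3 modules that come from the single most common vendor.

```python
import re
from collections import Counter

# Constructed `dmidecode -t 17` output (vendor/part strings are placeholders).
DMI_OUTPUT = """\
# dmidecode 2.12
SMBIOS 2.7 present.

Handle 0x003E, DMI type 16, 23 bytes
Physical Memory Array
\tLocation: System Board Or Motherboard
\tNumber Of Devices: 4

Handle 0x0040, DMI type 17, 34 bytes
Memory Device
\tArray Handle: 0x003E
\tSize: 4096 MB
\tForm Factor: SODIMM
\tLocator: ChannelA-DIMM0
\tType: DDR3
\tSpeed: 1600 MHz
\tManufacturer: ExampleMem
\tPart Number: EX4G1600

Handle 0x0041, DMI type 17, 34 bytes
Memory Device
\tArray Handle: 0x003E
\tSize: No Module Installed
\tForm Factor: SODIMM
\tLocator: ChannelA-DIMM1
\tType: Unknown
\tManufacturer: Not Specified

Handle 0x0042, DMI type 17, 34 bytes
Memory Device
\tArray Handle: 0x003E
\tSize: 4096 MB
\tLocator: ChannelB-DIMM0
\tType: DDR3
\tSpeed: 1600 MHz
\tManufacturer: ExampleMem
\tPart Number: EX4G1600

Handle 0x0043, DMI type 17, 34 bytes
Memory Device
\tArray Handle: 0x003E
\tSize: 8192 MB
\tLocator: ChannelB-DIMM1
\tType: DDR3
\tSpeed: 1333 MHz
\tManufacturer: OtherVendor
\tPart Number: OV8G1333
"""


def parse_memory_devices(text):
    """Return one dict of 'Key: value' fields per 'Memory Device' block."""
    devices, current = [], None
    for line in text.splitlines():
        if line.startswith("Handle "):       # a new DMI structure begins
            if current is not None:
                devices.append(current)
            current = None
        elif line.strip() == "Memory Device":
            current = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    if current is not None:
        devices.append(current)
    return devices


def size_mb(device):
    """Module size in MB; 0 for empty slots ('No Module Installed')."""
    m = re.match(r"(\d+)\s*(MB|GB)", device.get("Size", ""))
    if not m:
        return 0
    n, unit = int(m.group(1)), m.group(2)
    return n * 1024 if unit == "GB" else n


def populated(devices):
    return [d for d in devices if size_mb(d) > 0]


def ddr3_exposure(devices):
    """Summarise the DDR3 modules present and how concentrated they are on
    one vendor, the monoculture figure the report asks you to look at."""
    mods = [d for d in populated(devices) if d.get("Type") == "DDR3"]
    vendors = Counter(d.get("Manufacturer", "Unknown") for d in mods)
    top_share = max(vendors.values()) / len(mods) if mods else 0.0
    return {
        "ddr3_modules": len(mods),
        "ddr3_mb": sum(size_mb(d) for d in mods),
        "manufacturers": vendors,
        "top_vendor_share": top_share,
    }


if __name__ == "__main__":
    print(ddr3_exposure(parse_memory_devices(DMI_OUTPUT)))
```

Collect the dmidecode output from each host with whatever agent or SSH loop you already have and concatenate it; the parser does not care how many hosts are in one file, so the vendor counter then gives you the fleet-wide picture.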
FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.
As stated above in this report, the FREAK vulnerability is just one of a few that have come out over the last year. This section will rely more on the technical aspects of the vulnerability, but the statement above must be repeated:
The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses expect to see more attacks on this fundamental protocol which could compromise your whole environment.
This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once this has been broken by making a session insecure, an attacker can then steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.
Please click the links above to the CVE and the technical specs for this vulnerability and remediate in your networks.
Security Advisory Feeds
Newsnow offers an aggregation of security advisories that is very helpful if you do not already have an RSS feed aggregated.
The importance of advisories and news sources to a security program cannot be overstressed. If you do not already aggregate security RSS feeds you should start to look toward doing so.
Websense XSS Vuln
Users of Websense Data Security that are reviewing DLP incidents can be attacked via cross site scripting. This issue can be exploited using a specially crafted email, or by sending a specially crafted HTTP request through the Websense proxy. The attacker-supplied code can perform a wide variety of attacks, such as stealing session tokens, login credentials, performing arbitrary actions as victims, or logging victims’ keystrokes.
Websense is a very common web filtering and DLP solution for mid-sized companies. This vulnerability could lead to compromise of your internal networks as well as all the data within the DLP/Websense system. If you are running Websense with a DLP (Data Loss Prevention) module, please go to the following link and update your console:
This issue is resolved in TRITON APX Version 8.0. More information about the fix can be found at the following location:
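The bug class above is worth seeing in code: a console that shows incident details taken from an intercepted email or request is rendering attacker-controlled strings. The Python below is an added example (not Websense's code): a constructed incident record rendered first the unsafe way and then with output encoding plus a URL scheme check, and a small parser that shows which tags a browser would actually see in each case.

```python
"""Rendering attacker-controlled DLP incident fields: unsafe vs hardened.

Constructed example: the incident record and the table-row template are made up
and are not Websense's code. The 'subject' and 'url' fields stand for content
taken from the intercepted email or HTTP request, i.e. attacker-controlled.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

INCIDENT = {
    "id": 4711,
    "policy": "PCI - card numbers",
    "subject": "Quarterly figures <script>alert(document.cookie)</script>",
    "url": 'http://example.invalid/upload?f="><img src=x onerror=alert(1)>',
}


def render_unsafe(incident):
    """Vulnerable pattern: untrusted fields concatenated straight into HTML."""
    return ('<tr><td>{id}</td><td>{policy}</td><td>{subject}</td>'
            '<td><a href="{url}">link</a></td></tr>').format(**incident)


def safe_href(url):
    """Only plain web URLs may become links; javascript:, data: etc. are neutralised."""
    return url if urlsplit(url).scheme in ("http", "https") else "#"


def render_escaped(incident):
    """Hardened: every untrusted value is HTML-escaped for the context it lands in,
    and the link target is additionally scheme-checked, because escaping alone
    does not stop a javascript: URL inside href."""
    esc = lambda v: html.escape(str(v), quote=True)
    return ('<tr><td>{id}</td><td>{policy}</td><td>{subject}</td>'
            '<td><a href="{url}">link</a></td></tr>').format(
                id=esc(incident["id"]), policy=esc(incident["policy"]),
                subject=esc(incident["subject"]), url=esc(safe_href(incident["url"])))


class TagCollector(HTMLParser):
    """Records every start tag, i.e. the tags a browser would really parse."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe  :", tags_in(render_unsafe(INCIDENT)))
    print("escaped :", tags_in(render_escaped(INCIDENT)))
```

The unsafe rendering yields `script` and `img` tags the template never wrote; the escaped one yields only the template's own `tr`, `td` and `a`. Note the two separate controls: `html.escape` for text and attribute context, and `safe_href` for the URL context, since a `javascript:` link survives escaping untouched.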
<enter your own data here from IDS/SIEM/AV/LOG CORRELATION> for your own organization and report on what you are seeing on your network.
WORD FORMAT: HERE
Recently there was a spate of defacements by Team System DZ that has been making the rounds in the mainstream media. These defacements by Poti-SaDZ or Poti Sad Darky and his derpy bandito boyz using daesh symbols and poorly written rhetoric are nothing to write home about yet the media spins their skiddie exploits into media gold. Well I am here to set the record straight with you all. Poti, or Ahmed Saoudi is just a derpy kid in Algeria with nothing better to do than deface sites with others tools. He, and they, are just looking for the lowest of low hanging fruit to garner some attention for themselves. In fact, Poti here has some poor OPSEC as do many of his derpy little pals as you can see below.
In the first picture there you see his folders as he is running a tutorial on uber lee7 h4x0ring in winderz. The second picture is one of more than a few where he fails to engage his proxy and the handy little task bar there on the browser gives his home IP address(es), 126.96.36.199 and 188.8.131.52 respectively over time. Poti in fact logs in to the Team System DZ Facebook account without a proxy a couple of times and is likely unable to easily get on there because of issues with proxies, since ya know Zucky don’t play privacy.
Anyway, the IP space is for the following in Algeria:
IP address: 184.108.40.206
inetnum: 220.127.116.11 – 18.104.22.168
descr: region chlef
status: ASSIGNED PA
source: AFRINIC # Filtered
parent: 22.214.171.124 – 126.96.36.199
person: Security Departement
source: AFRINIC # Filtered
Poti-Sadz aka PoTi SaD DaRkY
youtube.com/user/ahmedsaoudik/playlists … ahmedsaoudik
There are a lot of Ahmed Saoudis in the Skype phone book as well but only a couple list Algeria as his location and one of them has 1992 attached to the name. So, 2015 – 1992 = 23 which would be a prime age range for this kind of stupid kid activity no?
Give em a shout and see! Look, what I am saying here is that in looking at these guys I would have to say that they are not the daesh A-Team of hacking. I would also say that perhaps they could be behind the last derpy Googling of some military names and posting a hitlist online thing. That there was also something that the media went nova on and in reality “no va” is really more appropriate.
HOLY WTF PEOPLE! CUT THIS SHIT OUT!
Anywho, I just thought I would dump this little OSINT OPSEC FAILTACULAR on you all.
Enjoy the lulz…
So you all know me, I had to go and download CSI Cyber just to see. I mean, I couldn’t resist because I am a masochist and I knew that this would be a terrible show so I had to see it! Well I am happy to report that none of you were wrong, this is in fact one of the worst shows on television and it’s not just because it is all about the OMG CYBER! There are a whole host of issues with this show and I just wanted to share with you all my personal review. So strap yourselves in, put on your sturdiest CYBER HELMET, and prepare for a heaping helping of WTF.
The show starts off with the kidnapping of a baby and some nonsense about voices coming from a nanny cam. The case comes across the lead investigator’s email and she immediately goes to her boss and says that any criminal action that includes electronics makes it a CYBER CRIME! No, really, she says this and thus a plot line is born! The feebs then take over the case and use shiny bags to take away laptops and phones. They use what they call “Faraday Bags” and have the nifty graphic above to show signals bouncing off the bag PEW PEW PEW! (eat your hearts out Norse!)
It was in this moment that the plot’s sub-sub-plot of CYBER PSYCHIATRY comes into play. The main character (Avery Ryan) is loosely based on the “creator/SME” of the show, Mary Aiken, one of the loopiest people I have looked at online. She claims she is a “Cyber Psychiatrist”, whatever the fuck that is. Let me just set you all straight, there is no such thing as a “Cyber Psychiatrist”. There are Psychiatrists who maybe deal with technology issues and psychology and psychiatry but there is no cognitive DSM V sub-speciality that I am aware of. In short, she is making shit up as she goes. I may go into a full rant on this later on, but sweet jeebus she is as much a Cyber Psychiatrist as the Scorpion Crew is an elite red team in reality ok?
Next let’s talk tech because I know you all want to! CYBER CYBER CYBER! Blinky lights and holodecks for everyone! This show does not let us down in this area either. There is so much shiny blinky light material that if you are epileptic you should really consider watching it with shades. The highlights of all this is the above image from the uberl337 hax0r showing that malware always shows up as RED TEXT on ADA and more often than not actually calls itself MALWORM! As I was morning drunk tweeting watching this farce I managed to start a bit of a dialogue with some who complained that they did not get all of our attitudes about the tech being right at all because it’s TV FOR FUCKS SAKE! Well, Ian, yes, yes it is and really we should not really worry ourselves about this in reality. I guess some of us all care too much or live it too closely. In my case I don’t really care beyond the possibility that this shit will bleed into our real lives as dumbasses think that this is all reality from watching entertainment TV. I will once again point to the CSI Effect and just say I hope this kind of shit does not happen in the court room because of shit like this is all.
OMG CYBER ATOMIC SOMETHING SOMETHING!
At the end of the day I just have to report that this show is sucktastic. The acting is wooden, the dialogue is horrendous, and the subject matter is wholly unbelievable. Well, unbelievable for someone who actually works in psychiatry, technology, hacking, acting, cinematography, etc. This is the turdliest of unflushable turds that CBS has grunted out of its collective anus in a while.
For my part I LOVED the original CSI because it was new and it was fun. I used to sit watching it with a REAL SCIENTIST who cringed as much as we all do about the OMG CYBER today, so it is not just our group of peers that have issues with the Hollywood-ization of their careers. Though I knew that the tech was not accurately portrayed, it made no difference because it was fun and the chemistry/writing worked. As soon as Grissom left though, so did I. It has been pathetic to watch CBS continue to flail the dead corpse of CSI through the David (flip sunglasses down the nose) Caruso years to the Cheers OMG MY HAIR GREW BACK INTO A POMPADOUR Ted Danson travesty.
No more please.
Please FUCKING STOP!
*hangs head.. CSI CYBER!*
Welcome to CBS TV where we make shitty SHITTIER!
Global Threat Intelligence Report
In February an astonishing array of news came out concerning information security and vulnerabilities. One such piece of news concerned supply chain tampering by Lenovo with “Superfish”, adware that compromised the SSL sessions of every user whose machine was purchased from the company. In other areas we discovered that our personal routers were being attacked by phishing emails containing the default passwords for the routers, passwords that people commonly forget to change. It would seem that nothing is safe, either because people leave the defaults in place as the way they operate, or because companies are weakening security on their products to make more money by tracking users and selling data to advertisers.
This report will cover the news highlights and give you a more nuanced portrait of their importance globally to you personally as well as at a corporate level for information security. Use this report as a primer to understanding the security picture as it is today and to help in confronting the security issues within your organization.
Think your BYOD program is secure? Perhaps you might want to think again about that as you consider this article. Applications for iOS and Android have been cloned and malware inserted into them for download by unsuspecting users. All the attackers need to do is trick the end users into installing the new application with malware in it by sending them an email with a link to their fake site.
As more and more corporations move toward the singularity and use BYOD as their primary way of conducting business (phones, tablets, and phablets) these concerns should be more pressing. Given that the BYOD now allows personal devices to access corporate networks and assets, if the user then infects their device with malware that steals data such as keystrokes, then your corporate network is now at risk of compromise.
If you have a BYOD program and do not have a robust way to manage what the users can download and install, then you are more likely to have a compromise of your domain. If, however, you have BYOD mandates and policies that require phones with separate profiles, you might be on a better footing in that the end user’s corporate profile should be completely locked down and unable to install anything without approval. This is a hard needle to thread and must be considered today as we see more of these types of attacks being leveraged in the wild against corporate BYOD programs.
Once again we find ourselves facing another SSL attack that may leave our private communications at risk. This one has been an issue for many years and only now is being talked about as something adversaries may be using. As with others, this attack uses the fact that many systems still allow backward compatibility to reduce the encryption levels to one that can be cracked by an attacker.
While this attack is being patched, it is important to note that since Shellshock and POODLE adversaries have been working on variations on a theme, attempting to find old or unthought-of exploits to leverage in attacks today. It is important to keep up with these various vulnerabilities as they are reported, so as to respond to them as soon as possible once they have been announced.
It is recommended that all SSL systems be set to disallow backward compatibility if there is a newer, more secure version. If you are forced to use backward compatibility, you should ensure that a risk assessment is carried out and the risk signed off at a corporate level, to cover you should an incident occur from one of these known exploits.
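Both the FREAK section above and the backward-compatibility paragraphs here come down to the same question: what does the server still offer? The Python below is an added example (not from this report or any vendor) that audits a TLS configuration expressed as a protocol list and OpenSSL-style cipher names, flagging obsolete protocol versions, export-grade suites of the kind FREAK exploits, other weak suites, and client-controlled cipher ordering. The two configurations, "legacy-web" and "hardened-web", are constructed for the demonstration; the weak/export markers are OpenSSL naming conventions.

```python
"""Audit TLS server settings for the downgrade weaknesses described above.

Constructed example: the two configurations below are illustrative, not taken
from any real server. Cipher names follow OpenSSL's naming convention.
"""
from dataclasses import dataclass
from typing import List

# Protocol versions that should never be offered; clients that still need them
# are exactly the "backward compatibility" the report warns about.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}

# OpenSSL names of export-grade suites start with EXP (512-bit RSA / 40-bit
# symmetric keys). Accepting one of these is what FREAK exploits.
EXPORT_PREFIX = "EXP"

# Substrings marking suites that are broken or unauthenticated for other reasons
# (anonymous DH, RC4, single DES, MD5 MACs, null encryption).
WEAK_MARKERS = ("NULL", "RC4", "RC2", "DES-CBC-", "MD5", "ADH", "AECDH")


@dataclass
class TlsConfig:
    name: str
    protocols: List[str]
    ciphers: List[str]
    prefer_server_ciphers: bool = True


def classify_cipher(cipher: str) -> str:
    """Return 'export', 'weak' or 'ok' for one OpenSSL cipher name."""
    if cipher.startswith(EXPORT_PREFIX):
        return "export"
    if any(marker in cipher for marker in WEAK_MARKERS):
        return "weak"
    return "ok"


def audit(cfg: TlsConfig) -> List[str]:
    """Return a list of findings; an empty list means no downgrade exposure was found."""
    findings = []
    for proto in cfg.protocols:
        if proto in OBSOLETE_PROTOCOLS:
            findings.append(f"obsolete protocol enabled: {proto}")
    for cipher in cfg.ciphers:
        verdict = classify_cipher(cipher)
        if verdict == "export":
            findings.append(f"export-grade cipher enabled (FREAK class): {cipher}")
        elif verdict == "weak":
            findings.append(f"weak cipher enabled: {cipher}")
    if not cfg.prefer_server_ciphers:
        findings.append("client controls cipher order; weakest enabled suite is reachable")
    return findings


# Constructed sample: a server that "keeps backward compatibility".
LEGACY = TlsConfig(
    name="legacy-web",
    protocols=["SSLv3", "TLSv1", "TLSv1.2"],
    ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-MD5",
             "EXP-RC4-MD5", "EXP-DES-CBC-SHA"],
    prefer_server_ciphers=False,
)

# The same server with the backward-compatibility options removed.
HARDENED = TlsConfig(
    name="hardened-web",
    protocols=["TLSv1.2"],
    ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
             "DHE-RSA-AES128-GCM-SHA256"],
    prefer_server_ciphers=True,
)

if __name__ == "__main__":
    for cfg in (LEGACY, HARDENED):
        print(cfg.name)
        for line in audit(cfg) or ["no findings"]:
            print("  -", line)
```

The legacy configuration produces five findings and the hardened one none. The "export" check is deliberately separate from the generic "weak" list because it maps to a specific, named attack (FREAK), which is the kind of traceability a risk sign-off at the corporate level needs.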
Common technologies abound today and one of the most popular is the COTS (Common Off The Shelf) router for internet access. In the case of D-Link, one of the more common brands in use today, there are multiple vulnerabilities that could lead to compromise of home or even corporate networks. The current vulnerability allows a remote attacker to gain “root” or administrative access to the routers.
So how could these COTS routers be a threat to your corporate network? Consider a home user who is VPN’d into your network from behind one of these vulnerable routers. If their router is compromised, then potentially so is all the traffic and every system they own at home. If that home user has their system online and not on the VPN, their system could be scanned and compromised remotely. If the endpoint has been compromised, so too is your network, VPN or not, so this is a real threat to your corporate environment as well.
Additionally, should your environment by any chance have any of these devices connected to your networks, then you too may be vulnerable directly through attacks on those routers. Consider too any company you may be connected to (again via VPN, for instance) that may be a mom-and-pop shop with one of these routers in use. This could be leveraged by an enterprising adversary to gain access to your network as well.
It is recommended that all corporations consider these vulnerabilities whether or not they think they have these devices on premises. All it takes is one connection from an insecure network elsewhere that has rights on yours to make your life miserable.
NAS (Network Accessible Storage) is common not only in corporate networks but also home networks. As such these devices need to be securely configured and access restricted to internal networks only unless you absolutely know what you are doing. In the case of the Seagate NAS, this vulnerability is like many of the others out there and Seagate has yet to update their firmware months after the fact. This leaves all of these devices unprotected on networks and on the internet in some unfortunate cases.
Think that your corporate network doesn’t have a problem because the NAS is behind the firewall? That is not truly the case either: an attacker who has already compromised a host internally can reach these devices, and if they are vulnerable to these types of attacks you could lose in the end. It is recommended that you seek to determine if you have these in your environment and patch as soon as possible.
Alternatively, consider the end user out there who works for you. Do you have a strong policy and practice of not allowing those users to store corporate data anywhere other than your network? Consider the end user who buys one of these and puts it on their home network and shares it accidentally with the world. Think that is not probable? Then go to Shodan and look for these devices, or better yet use Google to search for them. They are out there and they are open.
Patch Tuesday in February was huge, with a total of 56 vulnerabilities being fixed in Microsoft products. A majority of the patches were for Internet Explorer, a core piece of the Windows system and the one most attacked by adversaries seeking to exploit users’ systems.
This particular patch cycle was of note because the previous cycle had not patched IE and this one seems to have been an aggregate of earlier patches that were held back. As the number of patches is so high for one piece of the Microsoft system, it can be inferred just how much attention is paid to attacks on the IE browser.
It is recommended that every enterprise undertake a strong, process-driven function around patching in your environment. Specifically, enterprises should take care to patch high value target systems at the least and all systems at the most. Given that there are mitigating factors that may leave an organization no choice but to not patch a system because it would break business, those systems should be signed off on for risk and, as a compensating measure, watched more closely to ensure that they are not compromised.
Earlier this report covered default passwords on routers in the home. It seems that this issue has risen again as malware/malcode disguised in spam has been seen in the wild with the ability to log into routers with insecure default passwords. This type of attack is not new but it is once again being leveraged by particular actors today in the wild.
This in and of itself should be a wakeup call for any users who have not changed their default passwords and logins for COTS routers. As also mentioned before in this report, this is something that all enterprises should be concerned about with regard to users who work from home and have access to your internal networks.
It is recommended that all organizations look at these vulnerabilities as affecting not only home users but also those networks that they may interface with every day for work. As such, it is in every company’s interest to follow these things and to educate their users not only about corporate networks and assets but also about the BYOD devices and networks that interconnect them.
Increasingly, carders and other adversaries are attacking corporations by targeting the end users with malware delivered by phishing campaigns. Many of these exploits are directly targeted at gaining access to credit card data, bank account data, and PII that would allow them to create new identities and open credit lines.
The adversaries are, however, getting cleverer and more targeted today, and with knowledge of their targets they are attacking from the top down. Phishing campaigns aimed at executives gain access to their accounts and machines, which are then used to trick employees into making funds transfers from the company accounts.
It is recommended that organizations keep awareness at a high level not only for regular employees but also specifically, the executives. Executives are the prime targets for much of the malware and phishing campaigns in these types of attacks and all too often, the executives and their minions are less aware than they should be about phishing and how to spot it.
Additionally, it is good policy to have some means of empowering employees to question the process of such transactions if they feel that something is amiss. Oftentimes the adversaries are counting on the social and psychological norms of the corporate pecking order to get an employee to simply react and carry out transactions like these.
As the tempo of attacks speeds up and more groups of adversaries start working together, the likelihood of follow-on attacks using news items like the Anthem breach is high. In the case of Anthem, phishing emails started immediately after the incident made it into the news. Emails began to be sent from newly registered domains set up by a whole other sector of adversaries.
The Anthem breach, for all intents and purposes, seems to have been the work of nation state actors, and as such the data that they stole will not be, and has not yet been seen to be, for sale on the darknet or other places where this data is sold. This means that the criminals who do carry out this type of attack for money are seeking to capitalize on the backs of the APT by phishing already worried clients of Anthem.
It is recommended that organizations keep up with this type of activity as well as the breach itself. Targeted phishing emails are not just going to end users home addresses. These phishing emails and new waves of malware have been seen in corporate email systems as well. Awareness is key and as such talking directly to employees about these types of attacks will not only benefit them but hopefully stop incursions into your network as well.
The Anthem breach, while unfortunate, should be an object lesson for all corporations today. The scope of the breach and the attacks that were carried out to steal the information and keep access to the networks at Anthem should be studied by anyone who has a network and data they want to protect. In the case of Anthem though, it is becoming clearer that not only was it nation state actors but also that they had access to Anthem’s networks for a considerable amount of time before discovery.
As information becomes more available the likelihood will be that the initial incursion came from a phishing campaign using crafted domains (we11point.com etc) to get users to click on links and install malware on their machines. This is a common tactic and something that every organization has problems with as users are being manipulated by actors who understand human nature.
Watch the Anthem story and consider how your networks could or could not use telemetry to determine undue traffic to known bad actor sites as well as anomalous traffic. In the case of Anthem, it was a sysadmin who first noticed that their account was being used on a system that they had never logged into, and that started the incident there. Every org is vulnerable to these tactics and it is in the interest of every company to learn from others’ mistakes as well as the modus operandi of the actors involved.
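The two signals just described, crafted lookalike domains such as we11point.com and an account turning up on a host it has never used, are both cheap to check from logs you probably already collect. The Python below is an added example (not Anthem's tooling or anything from the report): a lookalike-domain check that normalises digit-for-letter swaps and then measures edit distance against a protected-brand list, and a first-seen (user, host) logon check that learns from a baseline window and reports new pairs after it. The proxy and authentication log lines, users, hosts and brand list are all constructed.

```python
"""Two cheap telemetry checks for the intrusion pattern described above.

Constructed example, not Anthem's tooling: the log lines, users, hosts, the
brand list and the domains below are made up. Only 'we11point' mirrors the
style of lookalike the report names.
"""

# Digit-for-letter swaps commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
PROTECTED_BRANDS = ["wellpoint", "anthem"]   # constructed list of names to watch

# Constructed proxy and authentication logs (timestamp, then key=value fields).
PROXY_LOG = """\
2015-02-05T09:12:01 user=jdoe host=ws-041 dst=portal.wellpoint.com
2015-02-05T09:13:44 user=jdoe host=ws-041 dst=mail.we11point.com
2015-02-06T11:02:10 user=asmith host=ws-102 dst=anthen.com
2015-02-06T11:05:00 user=asmith host=ws-102 dst=cdn.example.com
"""
AUTH_LOG = """\
2015-02-01 user=sysadmin host=db-01 result=success
2015-02-02 user=sysadmin host=db-02 result=success
2015-02-03 user=jdoe host=ws-041 result=success
2015-02-20 user=sysadmin host=db-01 result=success
2015-02-21 user=sysadmin host=hr-share-07 result=failure
2015-02-21 user=sysadmin host=hr-share-07 result=success
"""


def parse_line(line):
    """'<ts> k=v k=v ...' -> dict with 'ts' plus the key/value fields."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """'mail.we11point.com' -> 'we11point' (naive: second-to-last label)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain, brands=PROTECTED_BRANDS, max_distance=1):
    """Return the brand a domain imitates, or None for genuine or unrelated names."""
    label = registrable_label(domain)
    if label in brands:
        return None                      # the genuine name itself
    normalised = label.translate(HOMOGLYPHS)
    for brand in brands:
        if edit_distance(normalised, brand) <= max_distance:
            return brand
    return None


def lookalike_alerts(log_text):
    """(user, destination, imitated brand) for every proxy hit on a lookalike domain."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        brand = lookalike_of(rec["dst"])
        if brand:
            alerts.append((rec["user"], rec["dst"], brand))
    return alerts


def first_seen_logons(log_text, baseline_end):
    """Learn (user, host) pairs from successful logons dated up to baseline_end
    (ISO dates, so string comparison orders them); report pairs first seen later."""
    seen, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("result") != "success":
            continue
        pair = (rec["user"], rec["host"])
        if pair in seen:
            continue
        seen.add(pair)
        if rec["ts"] > baseline_end:
            alerts.append((rec["user"], rec["host"], rec["ts"]))
    return alerts


if __name__ == "__main__":
    print(lookalike_alerts(PROXY_LOG))
    print(first_seen_logons(AUTH_LOG, "2015-02-15"))
```

On the sample data the proxy check flags `mail.we11point.com` (homoglyph swap) and `anthen.com` (one character off), and the logon check flags only `sysadmin` on `hr-share-07`, exactly the "account on a box it never used" observation that started the Anthem investigation. Tune `max_distance` and the baseline window to your own environment; both checks are meant to be cheap first-pass filters, not a replacement for proper correlation.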
Superfish, a simple piece of adware installed on every system that Lenovo sold in the last couple of years, has upended the public’s trust in their products. This particular malware was designed to perform a man in the middle attack against SSL traffic and route the user to specific ads, which would then pay Lenovo on the back end. This however backfired on them once the malware was discovered.
While Lenovo claimed that the adware was harmless it was shown that in fact this piece of software could be easily subverted to break into machines by setting up man in the middle exploits and getting users to log into things with their credentials as well as downloading malware. This is unacceptable and an object lesson in supply chain trust.
If one cannot trust the supply chain (e.g. laptops from Lenovo without malware pre-loaded) how can one trust that the systems they are buying for their companies are secure? This issue should be something that all companies consider when not only purchasing new equipment but also those systems or appliances they may buy grey market online. Can you trust the systems have not been tampered with?
Today the selling of “Threat Intelligence” is all the rage, but really how useful is much of what is being sold today? So far the focus of many seems to be on “who” carried out the attacks but not so much on the how. While the who can be important in many ways, it is the least of your worries when dealing with an incident and this needs to be a key focus for companies.
By engaging companies that sell threat intelligence a company can in fact gain a better foothold on protecting their networks and data. However, all too many companies are not prepared to really use the data that these threat intelligence firms provide because they do not have enough insight into their own networks to start. As such it is key to know your own capabilities and work with threat intelligence firms to set up feeds and methods that will help your company detect and deter as well as proactively mitigate ongoing campaigns.
It is recommended that when you look into threat intelligence feeds, you first undertake a serious introspective look at your environment, its maturity, and its capabilities to truly leverage the data that you are buying, and not just have a feed as a check box in an auditor’s notebook.
Document for download and dissemination HERE
A Cosmic War
A recent article in The Atlantic has staked the claim that daesh is a millenarian cult bent on bringing the apocalypse upon the world. The article uses recent materials from Dabiq (the daesh propaganda magazine) and cites interviews with the likes of Anjem Choudary to back its case that not only is the group Muslim (well that is a given right?) but also that they are battling to re-create the Caliphate to bring the end times upon us all. A great battle with Shaytan (شيطان), and even Jesus, will ensue and in the end the Caliphate will win and all kufr will be destroyed.
After reading the article in its entirety I just had to sit back and wonder at the oversimplification that had just been perpetrated on us all by this reporter. I think he frankly went to the George Bush school of Islamic Comprehension, but I had to go back and read through all the issues of Dabiq to confirm or deny what the author was saying. Five issues of Dabiq later, I am still of the opinion that the article is off the mark where this is all concerned. I also believe that once again it is another classic case of a reporter writing about things without deep knowledge of them but yet speaking on them as if he had it. Here are some salient facts that the Atlantic failed to talk about in this article:
- Hadiths Versus Qur’an: Much of what daesh uses as exhortations and rationalizations for their actions comes from the Hadiths (prophetic traditions), which basically are a grouping of sayings written long after the prophet was gone. So much of what is there is subject to doubt because it is based on memory or just made up whole cloth as companion pieces to reinforce certain ideals. This of course is also coming from religion, and all religions have their books which were written a long time after the people involved had passed on. So the use of these texts, even further separated from the original oral traditions that finally got written down, is reason enough to doubt their validity.
- The Caliphate and Millenarian Prophecy: daesh seems to have become interested in the millenarian slant on their battle with the kufr of the world and apostasy in general only recently. In looking at their propaganda over the arc of their arrival and dominance it can be seen that this is a new feature. Specifically you can see this arc over the 5 issues of Dabiq magazine. This rhetoric over a cosmic war and the use of the eschatology concerning Rome, the Crusades, and the great battle with Shaytan (إبليس) frankly is only being leveraged now to give their base a boost, as well as being a well thought out propaganda tool. The daesh want to recruit and they, unlike AQ/AQAP and Inspire, found the right mix that has seemed, in tandem with their actual taking of lands and creating a so called “caliphate”, to make all the difference in getting recruits to come to the new Afghanistan. This melange of things, rhetoric, tales of epic battles, use of ultra violent means, and the propaganda generated from it is what daesh is about and what they are using; I do not think the core necessarily believe all that they are putting out there. I have yet to see Al Baghdadi speak on these things at all.
- The Language of Crusades and Rome: Another bone I have to pick here is that the claptrap of using Rome and the Crusades ignores that they post-date the prophet by quite a long time. You can see that daesh is carefully cultivating a look and feel using key words and ideals that resonate with people concerning the wound that is the Crusades. Honestly, this is just a hot button use of terminology and imagery that Bush only exacerbated when he said “This crusade, this war on terrorism is going to take a while.” I remember face-palming when he said this on live air. Now the daesh and their acolytes use this all the time as a rallying call evoking images of Salahuddin but removing any of his more temperate decisions or commands concerning the greater war on the lands of the ummah.
- Propaganda Wars and Recruitment: The article fails to take into account that nothing daesh says should be taken at face value. The reporter goes on to talk to a few true believers (aka the deluded) in Britain and elsewhere but, as you can see, they are not in Syria are they? They are propaganda mouth pieces only and the fact of the matter is that all of what we have seen has been carefully created propaganda by the media wing Al Hayat. When reporters talk about daesh and all of what has been going on of late they always remark on the professional quality of the videos and other media being put out. Well, there you have it, it is propaganda and if you just believe that this is all that daesh is about, well, you have been fooled. This is all a means to an end to intimidate as well as recruit.
- Politics, Power, and Money: No matter how much the daesh clothe their movement in the millenarian trappings that you see in Dabiq, this is not just about a cosmic war. This is about power and politics as well as money. The daesh are now trying to mint coins as well as raking in huge amounts from the oil fields that they have taken in Iraq. No doubt if the caliphate ever really normalizes you will see Baghdadi and his core living well somewhere, not in fact frugally with the people.
- The Apostasy of daesh and Islamism: Finally, the daesh are the most apocryphal and apostatic group out there today. The use of the hadiths to rationalize their brutality is just a means to an end for control over the people. Fear of violence clothed in snippets of hadiths is apostasy in itself. They have carried out atrocities that Salahuddin would be shamed by never mind the prophet and if they TRULY believed in the teachings of the various books, then they would not be doing these things. So when the arguments start over Islamism/Jihadism and their book being the source of all the ills of the world much of it can be blamed on this one dimensional reporting in the Atlantic.
Once You Name A Thing You Have Power Over It
I guess in the end this Atlantic article serves the purpose of the US and others who don’t have the wherewithal to take the time to understand Islam, the region, and its history, by giving them an understandable bogey man. After all, in looking at the US government’s answers to daesh thus far, I for one can see this simplification being of use to them. It has been hard to troll the daesh, as we have seen with the “Think again turn away” program by (@CEP), and a nuanced approach is, well, nuanced. Don’t get me wrong, this whole thing is as complex as it gets, but if daesh wants to simplify it all to gather recruits with their cosmic war propaganda, well then turnabout is fair play right? So go ahead CEP, use this and troll the living daylights out of it.
Sadly though, I fear they won’t do this...
However, everyone should know that this is not just some epic battle of good and evil. Satan and Jesus. This is not a millenarian cult in the least bit at its core and to think so is just stupid. I hope at least that this article does not cause even more troubles with Islamophobia amongst the uninitiated and stir more hate. Frankly, as I have said on Twitter recently; “If you want to paint daesh as an apocalyptic cult you may as well also paint Christianity as well. I mean, they are the ones who wrote revelation right?” It’s not the book but those who use the book for their own agenda. In the case of daesh, they aren’t even using the book, they are just winging it.