(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

THE DEFENDER’S DILEMMA: CISOs and Execs to the right of me… APTs and Hackers to the left… Here I am stuck in the middle with you.



The Defender’s Dilemma:

This week I came across a tweet from @violetblue about an article she wrote for ZDNet on a RAND study that had recently been published: “The Defender’s Dilemma: Charting a Course Toward Cyber Security”. The report ostensibly showed that the end game for information security is the one predicted by 99.9999 percent of the information security workers in the world today. Simply put, there is no winning the game and you should really just listen to the WOPR and not play at all. How about a nice game of chess?


All kidding aside though, many in the game know that there is no winning the cyber war. All you can do is perhaps win battles. Endless battles. The war will never end unless by some miracle someone uses the Nash Equilibrium Theorem to bring all the game players to the table and stop the game with wins all around. I somehow doubt that this will happen, just as much as I doubt that the same model can be used against Da’esh but that is a story for another day.

What this report is telling us, though, is pretty much common knowledge within the community, and I have to wonder just how many execs, who come out of this report not too well as to their cognizance of the issues, will actually, you know, read the report in the first place. It would seem that this report’s 169 pages are another echo within the INFOSEC echo chamber that once again the executives will not see, hear, or understand because there are too many words to read. Honestly RAND, after you say all these things, do you really even expect them to read the executive summary and understand it all?

Sampling Problems and Conclusions:

Eh.. Still, even if someone like me were to try to synthesize this report into a comestible for the exec set, I would still have to deal with the fact that I dislike your sampling data and some of your conclusions up to and including your heuristic model ten years into the cyber future. Honestly, what the ever living fuck RAND? Let me start with your sampling of CISO’s out there in the wide wide cyber world.

As a result of interviewing 18 CISOs, we drew three sets of conclusions: those we expected, those that confirmed our suppositions, and those that came as surprises.

Eighteen CISOs? EIGHTEEN? Holy what the bad statistics Batman! How do you even think you can conclude much of anything from such a small sample of the pool out there, RAND? I read that and I literally felt like I had just re-heard one of those old ads where “Nine out of ten dentists approve!” What bullshit is this? Ok, let’s forget the whole thing about sampling and statistics, ya know, math, and just go with the logic here of talking to only 18 guys. How do you know that these guys aren’t idiots? How engaged are these people? How efficacious is their leadership? I mean all of these things matter when you are asking people for their considered opinions for some kind of study! This number reminded me of a quote from “Back To School” with the late Rodney Dangerfield.

Thornton Melon: [in college bookstore] Hey, you guys get everything you need?

Jason Melon: Oh, yeah, we got it.

Thornton Melon: Good… Hey! What’s with the used books?

Jason Melon: Well, what’s wrong with used books?

Thornton Melon: They’ve already been read!

Jason Melon: Yeah, and they already been UNDER-LINED, too. Get it?

Thornton Melon: That’s the problem. The last guy who under-lined them, he could have been a maniac! Hey, get these guys some new books. Huh? Get some new books, will ya?

The sample is important kids and RAND just screwed the pooch on that one. Which brings me to another interlude they had in the report that shows you just how important this is.

[Screenshot from the report]

WHAAAAAAAAAT? What kind of CISO doesn’t even know where the firewalls are?

Oh.. Wait… What am I thinking? I mean how many CISOs are or were actual practitioners with real world technical experience out there, huh? Now that would be a statistic that is rather important to the comprehension of the issue in the first place, right? Evidently RAND doesn’t think that this is an important data point in this study though. So yeah, we have “CISO’s GONE WILD” here as well as some seemingly tuned-in responses from the whopping sample of 18 respondents that finished an average of 15 out of 20 questions on their questionnaire. With these stats these guys may as well be Ponemon for fuck’s sake!


In the executive summary they lay out their conclusions from this study and, surprisingly, I agree with many of them, but from long experience in the field, not from 18 CISOs answering nearly twenty questions. Most of these are really just common sense and logical conclusions, and there was no need for a survey, however poorly constructed, to get to the answers. However, there are some gems in there.

The conclusions we expected were as follows:

•Security postures are highly specific to company type, size, etc., and there often are not good solutions for smaller businesses.

•The importance of intellectual property varies with the individual firms’ missions.

•Cybersecurity is a hard sell, especially to chief executives.

….Yes, yes it is.

•Although CISOs generally lack a way to know whether they are spending enough on cybersecurity, they split between those who think spending is sufficient and those who feel more is needed.

….. So 50/50? Uhhh Clue please?

•Air-gapping, wherein networks are electronically isolated from the Internet, can be a useful option. (In a softer form, it is compatible with tunneling through the Internet but otherwise not interacting with it).

……. NO. WAY. How long have we been saying this?

•Responding to the desire of employees to bring their own devices (BYOD) and connect them to the network creates growing

…… WORST fucking idea EVER.

•CISOs feel that attackers have the upper hand, and will continue to have it.

…… Well duh, they do. It’s asymmetric warfare you idiots!

The conclusions that confirmed our suspicions were these:

•Customers look to extant tools for solutions even though they do not necessarily know what they need and are certain no magic wand exists.

……..But Mandiant and others are more than willing to sell you a “wand”

•When given more money for cybersecurity, a majority of CISOs choose human-centric solutions.

……..What? Where? WHO?!?! FO FUCK SAKES SHOW ME! Oh yeah.. 18 CISOs. DERP.

•CISOs want information on the motives and methods of specific attackers, but there is no consensus on how such information could be used.

….What have I been saying? They want it, but really it’s USELESS. Hear that, TI firms?

•Current cyberinsurance offerings are often seen as more hassle than benefit, useful in only specific scenarios, and providing little

…..But they are all the rage in making sure your ass is covered.

•The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm.

….Yes, well they have not met Dave Aitel or any of the other boys who cry CYBER PEARL HARBOR!

•CISOs lack a clear vision on incentives

… Um not being fired?

•Information-sharing tends to live within a web of trust.

….And next to the land of the unicorns with gumdrop kids

•CISOs tend to be optimistic about the cloud, but, apart from those who sell cloud services, most are willing to be only cautious fast followers.

…CLOUD IS THE NEW CYBER VIAGRA! But it isn’t the CISO’s choice; remember that CEO guy?

•CISOs are likely to assign lower priority to security-as-a-service

…Well, yeah, I mean you wanna outsource everything and have nothing to control?

•CISOs, in general, are not ready to concentrate their purchases from a single vendor (but also are not sure that heterogeneity is the best solution, either).

…Meh, I have seen a lot of eggs in one place lately.

The conclusions that came as surprises were the following:

•A cyberattack’s effect on reputation (rather than more-direct costs) is the biggest cause of concern for CISOs. The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data are at risk.

…Ummm yeah, if you have no CUSTOMERS then you don’t have REVENUE, right? WTF.

•In general, loss estimation processes are not particularly compre-

… Loss estimation of future events.. Say heard of the Cat in box paradox?

•The ability to understand and articulate an organization’s risk arising from network penetrations in a standard and consistent manner does not exist and will not exist for a long time.

…Uhh what? WTF? If you are pwn3d and your shit stolen you are fucked. Simple.

God.. What a wankery waste of time having to read all that drivel. It gets worse though as they philosophize on future events with heuristics. WOOOOOO! Now that’s a read! I had to extra coffee up for that nonsense. Look, if you want to study this shit great, but unless you have a solution to the problem why waste my time? Oh, and yeah, I will be the only one reading it all because I have taken a poll of my own that shows EXECS DON’T FUCKING READ THIS SHIT NOR MUCH ELSE THAT SECURITY PUTS OUT!

Just sayin.

I have linked the document above so go ahead if you like pain and read the whole 169 pages. I did and look how well adjusted I am!


Written by Krypt3ia

2015/06/12 at 15:11

Posted in Infopocalypse, Infosec

May 2015 Global Threat Intelligence Report


GLOBAL Threat Intelligence Report – May 2015




1. Executive Summary

In the month of May 2015 we saw the advent of “stunt hacking”, with the claims of one researcher being able to hack a plane’s engines while in flight. While this event was the talk of all the media, the real point of the thing was that nothing is secure: not planes, not trains, not automobiles, and certainly not your networks.

The common factor here is that security is an ongoing process that never stops. It is not a static thing and must be perpetually worked on, to hopefully prevent a breach or, more than likely, to detect one that is or has happened and to react to it properly. The following document covers some of the events in the security sphere that took place in May, commented on to give direction as to their importance in the scheme of things.

Please use this document as a means to an end to enlighten yourselves on the current threatscape out there and as a guide to a process with which you can grow your own practice to a maturity where this information cycle becomes your own.

2. Global Threats

2.1 Tiversa accused of hacking clients to extort them:

When you hire a firm to take care of your cybersecurity, you’re hiring a team of experts whom you assume you can trust. But one such firm allegedly used the trust of its clients to straight-up extort them with made-up “data breaches.”

CNN Money gives us a rundown on Tiversa, a still-operating cybersecurity company that offers up digital security services to other companies. According to a whistleblower who worked there and is now testifying in federal court, Tiversa was running a very simple and clever scam.

Analysis:

The importance of this story cannot be overstated today, in a world where security is often checked by hiring an outside firm to test it. In the case of Tiversa, the extreme is that they were extorting companies with false data or, worse, hacking firms and then extorting them into buying their services.

It is important not only to vet the companies you are doing business with but also to have security functions within the org that can vet the data being presented. If there are any questions about the findings, they should be called out and researched to ensure their validity, in case the companies offering these services are not doing their due diligence.

It is also important for the executive management to understand the importance of the findings presented in these types of assessments as well as the differences between a vulnerability scan and a penetration test. All too often this key difference is not apparent to the C-Suite.

2.2 What’s the difference between a vulnerability scan, penetration test and a risk analysis?:

You’ve just deployed an ecommerce site for your small business or developed the next hot iPhone MMORPG. Now what?

Don’t get hacked!

An often overlooked, but very important process in the development of any Internet-facing service is testing it for vulnerabilities, knowing if those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.

Analysis:

The difference between a vulnerability scan and a penetration test is a key point for any organization to understand in order to secure itself effectively. The above article does a fair job of describing the differences and is a must read for any C-suite or middle manager who has a security function. In turn, this information should be imparted to those in charge so that they comprehend the differences and the need for both to secure a company.

Even today, after years of having these types of assessments available, you will often find companies selling what they call ‘penetration tests’ when in fact they are not testing by exploitation at all. On the flip side of this coin, many companies shopping for these services are much more comfortable with just a vulnerability scan, without actually exploiting their networks, due to the FUD (fear, uncertainty, and doubt) that surrounds such activities.

If your org is only having vulnerability scans run and not having penetration tests carried out as a real-world test of the security of the org, you are only setting yourselves up for an eventual compromise and the fallout that comes with it. Both of these functions are integral to the hygiene of any security program.

2.3 Criminals stealing money via Starbucks App:

Starbucks (SBUX) on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.

The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.

That’s how criminals are siphoning money away from victims. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over — and repeat the process every time the original card reloads.

Analysis:

Starbucks, like many other companies today, allows for the connection of bank accounts to honor cards that can be used to pay for services and that give the user perks when they use them. As smartphones physically replace the honor cards, we create a new vector for attacks against the user.

In this case the users’ passwords to the Starbucks application and system may have been weak, but this does not discount other types of attacks against the mobile phones and against applications like the Starbucks app itself. In either case, the attack can allow connected cards and bank accounts to be siphoned off rapidly.

It is important to understand that this story can apply to you personally as well as, perhaps, organizationally if you issue honor cards or deal with them. Honor cards attached to bank accounts can be hacked, and the personal data as well as the banking data can be stolen.

Additionally, companies should be aware of these situations when applications may have been compromised on users’ phones that also hold corporate data. If an application is compromised, just how much access does it have to the phone’s operating system and thus the user’s data?

2.4 1.1 Million customer records lost to hack on CareFirst:

For CareFirst BlueCross BlueShield, the road to hell was paved with good intentions. Recently, while making security upgrades, the company discovered that it had actually already been breached—in June 2014.

1.1 million current and former customers were affected by the hack, and CareFirst has 3.4 million current customers. The company, which offers coverage in Washington D.C., Virginia, and Maryland, says that hackers compromised one of its databases and may have had access to user names, member IDs, legal names, birthdays, and email addresses. Medical records, credit card numbers, and social security numbers weren’t affected.

Analysis:

While this attack has the hallmarks of potentially being nation-state instigated, it is important to note that even with a security program in place, compromises may be missed if the adversary is skilled. On average, according to Mandiant, most orgs are compromised for up to about a year before they are informed by someone else that they have been breached, and this is an important statistic to be mindful of.

It is not clear from the story just how well the CareFirst security program runs, nor is it possible for every security team to catch everything, but it does show that without indicators of compromise it can be difficult to spot when a company has been hacked and when data is leaving the network. Thus it is important to consistently strive to have a firm grasp on your network, its traffic, and any possible anomalies that may in fact be indications that you have been compromised and data is being stolen.

Organizations should have mitigations in place such as IDS/IPS as well as robust logging and correlation in tandem with a SIEM product to watch the traffic in and specifically out of the domain to detect and potentially stop an incursion in process.

2.5 Stop using painfully obvious security answers:

We all love pizza, but that doesn’t mean you should be using it as a way to keep your data safe online.

In a new research paper, Google staffers found that those pesky security questions which are often used to help users recover passwords are one of the worst ways to protect online accounts. The company studied hundreds of millions of actual question-and-answer combos used by real Google users, and discovered people often choose obvious answers that are easy to remember — but also easy for hackers to guess.

For example, an attacker would have a 20% chance of guessing an English speaker’s answer to the question, “What is your favorite food?” by guessing “pizza” on the first try.

Analysis:

This article may be aimed at end users, but it should also be aimed squarely at companies that use these types of questions as a means of authentication for their paying clients. These questions and their easy answers are not a feasible security layer today and could lead to compromise not only of end user systems but also of corporate networks if they are not using more robust authentication techniques.

This article concludes that it should be taken even further, to disallow the questions from being asked at all, as they are too easy to guess from the start. This is a correct assessment of these kinds of questions. If you or anyone else is using a household pet’s name or a child’s birth date as a password, you are already behind the security 8 ball, because these are easily obtainable bits of information on the internet today for adversaries to find.

A two-factor authentication system is a better way to secure your network today; this usually consists of a user ID, a PIN, and a password. As these systems are more costly, many organizations try to avoid them, but they are the best way we have today of securing a network that is accessed by end users remotely.

3. Malware &amp; Crimeware

3.1 Hackers sneak malware into job applications:

Hackers are slipping malware into resumes submitted through the job posting website to infect businesses, security researchers have found.

Attackers are browsing open positions and attaching malicious documents disguised with the name “resume.doc” or “cv.doc” to applications, according to the Sunnyvale, Calif.-based security company Proofpoint. The attack sends malware directly to hiring managers and interviewers because CareerBuilder automatically emails job-poster notifications and attachments with resumes when candidates submit applications.

Analysis:

With the rise in phishing and the attendant rise in awareness on the part of corporations and their employees, the tactics needed to evolve to keep working. While phishing exploits still work pretty well on average, this pivot to sending resumes pre-loaded with malware to specific targets was only a matter of time.

The upshot of this article and this analysis is that even with AV, malware often makes it through the defenses and is activated by internal users. When this happens you may have started the dominoes falling on a larger compromise of the whole network through one infected doc file or PDF.

Companies should take the extra step of having sandbox technology on top of AV/spam systems that can be used to open documents and test them for malware before they are introduced into the common network environment. As seen with the attack on Target, criminal elements (i.e. Russian carders) are now using tactics similar to those of advanced persistent threats, and anyone who handles PII/PCI/HIPAA or any other kind of data that can be sold is a target.

3.2 Mumblehard turns WordPress sites into spambots:

The Mumblehard malware is turning Linux and BSD servers into spam-spewing zombies.

Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace.

Mumblehard is made up of two different components. The first component is a generic backdoor that requests commands from its command and control server. The second component is a “full-featured spammer daemon” process, which is launched via a command received via the backdoor.

Analysis:

Not all hacking attempts are used to compromise networks and not all malware is used to steal data. In the case of Mumblehard, the malware was created and used to turn your system into a slave to be used as a means of making money via spam. This type of attack may seem more of a nuisance, but it really is a problem, especially if the compromise could lead to further compromise of your network down the line.

As WordPress sites have had a track record of vulnerabilities in the past, it is important that if you have WordPress in your environment you keep up with patches and alerts concerning the application security of your sites. Anyone who has WordPress as a working part of their infrastructure, especially if it is internet facing, should be on the distribution lists for patching that WordPress puts out, and it should be a regular part of the patch cycle.
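The egress monitoring called for here and in the CareFirst analysis above, as an added example that is not part of the original report: a small detector over constructed firewall flow records (the log format, addresses, mail-relay list and per-host baselines are all assumptions) that flags hosts sending mail directly to the Internet, the Mumblehard spam-daemon pattern, and hosts whose outbound volume jumps far above their baseline, the kind of data-leaving-the-network signal a SIEM should raise.

```python
"""Egress-focused detection over constructed firewall flow logs.

Two rules: (1) a host that is not an approved mail relay talking SMTP to the Internet
(spam daemon on a compromised server), (2) a host whose outbound bytes exceed its
baseline by a large factor (data leaving the network). Constructed data only.
"""
import re
from collections import defaultdict

# Assumed log shape for this example; real firewall and NetFlow exports differ.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)
SMTP_PORTS = {25, 465, 587}
MAIL_RELAYS = {"10.0.1.25"}   # only hosts allowed to speak SMTP outbound (assumed)
VOLUME_RATIO = 10             # alert when egress exceeds 10x the host's baseline

# Constructed baseline: typical outbound bytes per host over the same window length.
BASELINE_BYTES = {
    "10.0.1.25": 5_000_000,
    "10.0.2.15": 200_000,
    "10.0.3.40": 800_000,
    "10.0.3.41": 800_000,
}

# Constructed sample log: a web server (10.0.2.15) suddenly mailing three external
# servers, and a workstation (10.0.3.40) pushing 9.5 MB out over HTTPS.
SAMPLE_LOG = """\
2015-05-12T03:14:01Z src=10.0.1.25 dst=198.51.100.7 dport=25 bytes_out=48000
2015-05-12T03:14:05Z src=10.0.2.15 dst=203.0.113.9 dport=25 bytes_out=2100
2015-05-12T03:14:06Z src=10.0.2.15 dst=203.0.113.10 dport=25 bytes_out=2200
2015-05-12T03:14:07Z src=10.0.2.15 dst=203.0.113.11 dport=25 bytes_out=2050
2015-05-12T03:15:00Z src=10.0.3.40 dst=192.0.2.55 dport=443 bytes_out=9500000
2015-05-12T03:16:30Z src=10.0.3.41 dst=192.0.2.80 dport=443 bytes_out=120000
garbage line that should be skipped
"""


def _is_internal(ip: str) -> bool:
    """Assumed address plan: everything in 10.0.0.0/8 is inside the perimeter."""
    return ip.startswith("10.")


def parse_flows(text: str) -> list:
    """Parse flow lines into dicts; lines that do not match the expected shape are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m is None:
            continue
        flows.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                      "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return flows


def detect(flows: list, baseline: dict) -> list:
    """Apply the two egress rules and return a list of alert dicts."""
    alerts = []
    egress = defaultdict(int)        # src -> total outbound bytes
    smtp_dsts = defaultdict(set)     # src -> external mail servers contacted
    for f in flows:
        if _is_internal(f["dst"]):   # only traffic leaving the network matters here
            continue
        egress[f["src"]] += f["bytes"]
        if f["dport"] in SMTP_PORTS and f["src"] not in MAIL_RELAYS:
            smtp_dsts[f["src"]].add(f["dst"])
    for src, dsts in sorted(smtp_dsts.items()):
        alerts.append({"host": src, "rule": "direct-smtp",
                       "detail": f"{len(dsts)} external mail servers contacted"})
    for src, total in sorted(egress.items()):
        base = baseline.get(src)
        if base is None:
            alerts.append({"host": src, "rule": "no-baseline",
                           "detail": f"{total} bytes out, host not in baseline"})
        elif total > VOLUME_RATIO * base:
            alerts.append({"host": src, "rule": "egress-spike",
                           "detail": f"{total} bytes out vs baseline {base}"})
    return alerts


def run_detection() -> list:
    """Convenience wrapper: parse the constructed log and run both rules."""
    return detect(parse_flows(SAMPLE_LOG), BASELINE_BYTES)


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['host']:10} {a['rule']:13} {a['detail']}")
```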

3.3 The return of macro malware:

Macro malware, that tried-and-true document-borne attack vector, is back. Over the past few months, Microsoft has seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

The majority of the macro-malware attacks have taken place in the United States and United Kingdom.

Macro malware gets into your PC as a spam email attachment. The user opens the document, enables the macro, thinking that the document needs it to function properly—unknowingly enabling the macro malware to run.

Success of course requires the email recipient to fall for a social engineering technique and open the attachment.

Analysis:

Within the realm of malware and phishing attacks, this old malware attack has recently come back to the fore with a vengeance. Relying heavily on the social engineering portion to get the user to open the email first and then to turn on macro support has been partially successful in many instances.

Once opened, the macro contacts a download site and installs other tools on the compromised system, thus finishing the attack cycle. In many cases these phishing attacks and the files attached are not being caught by AV applications and are thus passed to end users for them to open.

It is important that your organization have a good grasp on awareness of phishing/social engineering attacks and the different means an attacker will use to get an end user to compromise their system and let the adversary in. If you are not carrying out awareness on an ongoing and repeated basis, it is highly likely that an end user will be the arbiter of a compromise at your org.
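A gateway-side check of the kind the resume-attachment analysis and this macro-malware analysis both call for, added here as an example and not part of the original report or of any vendor product: it decides whether an inbound Office attachment carries a VBA project, or lies about its format, before a hiring manager ever sees it. The samples are constructed in memory, and the quarantine policy, file names and sample contents are assumptions.

```python
"""Triage inbound Office attachments for embedded VBA and format lies.

Legacy .doc/.xls files are OLE compound files; .docx/.docm are zip containers (OOXML).
A VBA project shows up as named streams in the former and as word/vbaProject.bin plus a
"macroEnabled" content type in the latter. Constructed samples only; no real malware.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # zip local file header
# Compound-file directory names are stored as UTF-16LE, so encode the markers the same way.
OLE_VBA_MARKERS = [m.encode("utf-16-le") for m in ("_VBA_PROJECT", "VBA_PROJECT_CUR")]
EXPECTED_CONTAINER = {"doc": "ole", "xls": "ole", "docx": "ooxml", "docm": "ooxml", "xlsm": "ooxml"}


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: real container type, macro presence, and why."""
    verdict = {"name": filename, "container": "other", "has_macros": False, "reasons": []}

    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole"
        for marker in OLE_VBA_MARKERS:
            if marker in data:
                verdict["has_macros"] = True
                verdict["reasons"].append("OLE stream " + marker.decode("utf-16-le"))
    elif data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        except zipfile.BadZipFile:
            verdict["reasons"].append("corrupt zip container")
            return verdict
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            verdict["has_macros"] = True
            verdict["reasons"].append("vbaProject.bin part present")
        if b"macroEnabled" in ctypes:
            verdict["has_macros"] = True
            verdict["reasons"].append("macro-enabled content type declared")
    else:
        verdict["reasons"].append("not an Office container")

    # A ".docx" that is really an OLE file (or a text file named ".doc") is a classic lure
    # and deserves a human look even when no macro was found.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXPECTED_CONTAINER and EXPECTED_CONTAINER[ext] != verdict["container"]:
        verdict["reasons"].append(f"extension .{ext} does not match {verdict['container']} content")
    return verdict


def should_quarantine(verdict: dict) -> bool:
    """Assumed gateway policy: hold anything with macros or a container mismatch."""
    return verdict["has_macros"] or any("does not match" in r for r in verdict["reasons"])


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML zip in memory from {part_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed attachments standing in for what a job board might forward."""
    clean_ct = (b'<Types><Override PartName="/word/document.xml" ContentType="application/'
                b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
    macro_ct = (b'<Types><Override PartName="/word/document.xml" ContentType="application/'
                b'vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
    return {
        "cv.docx": _ooxml({"[Content_Types].xml": clean_ct, "word/document.xml": b"<w:document/>"}),
        # Macro-enabled content saved under a harmless-looking .docx name.
        "resume.docx": _ooxml({"[Content_Types].xml": macro_ct,
                               "word/document.xml": b"<w:document/>",
                               "word/vbaProject.bin": b"\x01\x02constructed"}),
        # Legacy .doc: OLE header, padding, then a VBA project directory entry name.
        "resume.doc": OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64,
        # Plain text renamed to .doc: a mismatch worth holding for a human.
        "cv.doc": b"Just a plain text CV, not an Office file at all.\n",
    }


def triage(samples: dict) -> dict:
    """Run every sample through the classifier and return {name: quarantine?}."""
    return {name: should_quarantine(classify_attachment(name, data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        v = classify_attachment(name, data)
        print(f"{name:12} macros={v['has_macros']!s:5} hold={should_quarantine(v)!s:5} {v['reasons']}")
```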

3.4 New ‘Rombertik’ malware destroys master boot record if analysis function detected:

While detection scanning malware is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware.

Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device’s master boot record (MBR), researchers wrote in a blog post.

This malware spreads through spam and phishing messages sent to possible victims.

Analysis:

While the Rombertik malware has made a splash in the news this month, it is not necessarily novel in that it has an MBR (Master Boot Record) deletion routine within it. This type of attack has been around for nearly eighteen years; however, the triggering of this piece of the malware is interesting.

As counter-detection methods go, though, this is an extreme case and as such may not end up being all that common in the long run. However, the fact that this malware had it, and that it was a purchased piece of malware being used by an individual and not a nation state, is important to note.

(please see attribution article below for context of last statement)

Clearly the bar is being lowered on malware and phishing attacks, and organizations should be cognizant of this fact. It does not take a nation state with resources and human assets to carry out an attack on a company that could possibly shut it down, with malware such as this on the wrong computers.

3.5 Malware hidden in TechNet:

In an ironic twist, Microsoft’s TechNet Web site has been used by Chinese hackers to hide malware commands. TechNet is a digital security and support site for IT professionals. Security firm FireEye Threat Intelligence discovered the activity working in collaboration with the Microsoft Threat Intelligence Center.

According to a report by FireEye titled “Hiding in Plain Site: FireEye and Microsoft Discover New Obfuscation Tactic,” the activity was the handiwork of Chinese hacker group APT17. The group, also known as Deputy Dog, has been actively attacking organizations including U.S. government entities, defense industry companies, law and IT firms, NGOs, and mining companies, since at least 2013.

Analysis:

While this article shows that the nation-state hackers had been using Microsoft’s own TechNet site as a means of command and control, it is important to understand that this can happen with any site. Small changes within code can be used to trigger malware to carry out actions, and they can also be the arbiter of a drive-by attack on users’ systems.

Given that the bar to entry is being lowered as code can be bought and more savvy adversaries (both nation-state and criminal) are getting in on the game, organizations should pay more attention to telemetry. As mentioned earlier in this document, the use of technologies to monitor traffic and its destinations should be a key part of any security program today.

4. Advisories

4.1 [SECURITY] [DSA 3250-1] wordpress security update:

Multiple security issues have been discovered in WordPress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.

Analysis:

These attacks are key to much of the kinds of attacks mentioned throughout this report. It is important to keep up with the patching for any WordPress site in your DMZ, and these sites should be monitored for activities that may show indicators of compromise.

In the case of this advisory, the attacks could also be the first step in an internal compromise of the back end and as such could lead to a major breach.

4.2 Apple Safari Multiple WebKit Bugs Let Remote Users Execute Arbitrary Code, Access Files, and Spoof Interface Elements:

Multiple vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user’s system. A remote user can obtain potentially sensitive information on the target system. A remote user can spoof user interface elements.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in WebKit and execute arbitrary code on the target system [CVE-2015-1152, CVE-2015-1153, CVE-2015-1154]. The code will run with the privileges of the target user.


Analysis:

While Mac and OSX have a history of seeming to be less prone to vulnerabilities, the reality is that OSX, like any system that is popular, will be attacked to gain access to people’s systems. In the case of this vulnerability, the main browser (Safari) is the weak point and may lead to drive-by attacks on users’ systems.

It is important that any org with a complement of Mac systems also be up to date on the patches and vulnerabilities for this platform, and not consider it more secure because of the perceptions that Mac would like people to have about its products.

4.3 Microsoft Silverlight Permission Error Lets Local and Remote Users Gain Elevated Privileges:

A local or remote user can obtain elevated privileges on the target system.

Silverlight does not properly allow applications intended to run at a low integrity level (e.g., very limited permissions) to be executed at a medium integrity level (e.g., permissions of the current user) or a higher integrity level.

A remote user can create a specially crafted Silverlight application that, when executed by the target user, will execute arbitrary code on the target system with the privileges of the target user instead of with limited privileges.

Analysis:

While Silverlight is defunct today, it is still used by many organizations. This vulnerability may be mitigated by end users not having escalated privileges on the attacked system. However, there are still places where people have administrative privileges on systems, and there this type of attack can cause root compromise of the system.

It is important to be aware of the use of Silverlight in your organization and to understand the vulnerability matrix, that is, where a compromise of this kind might lead within the org.

4.4 Apache Cordova vulnerability leaves Android apps wide open to hackers:

Security Researchers at Trend Micro have discovered a “major” vulnerability in the Apache Cordova app framework that leaves one in 20 Android apps open to hackers.

Apache Cordova, which is used in 5.6 percent of Android applications, is a toolkit of APIs used by mobile app developers to access native device functions, including cameras and accelerometer, from JavaScript.

Analysis:

While this 5.6 percent figure may seem small, this is an important vulnerability, as are many others, if you are using Android systems within your BYOD program. Without the right mitigations (sandbox/separate identities/systems) on a phone today, you could potentially compromise a network as well as a smartphone.

Application hacks could lead to compromise of the OS itself as well as any applications you may have (i.e. touchdown and others) on the phone that facilitate access to your internal network or mail systems.

Logjam Vulnerability: 5 Key Issues:

While the “Logjam” vulnerability raises serious concerns, there’s no need to rush related patches into place, according to several information security experts.

These pros have been helping organizations understand how best to react to the announcement this week that a team of computer scientists have discovered a 20-year-old flaw in Transport Layer Security (see Massive ‘Logjam’ Flaw Discovered). And given the age of the flaw and absence – so far – of publicly documented exploits, experts say organizations do not need to rush related fixes into place.

Analysis:

With the advent of vulnerabilities that seem to arrive with their own marketing campaigns, it is as important as ever to understand the vulnerability as well as its actual risk. In the case of Logjam there was a lot of media attention, but the reality is that it is not the end of the world.

The weakness is twenty years old and no public exploitation has been documented, which lowers the urgency but does not remove the risk: the researchers showed that a 512-bit export Diffie-Hellman group can be broken after a one-time precomputation, and a server is exposed only if it still offers DHE_EXPORT cipher suites or negotiates small Diffie-Hellman groups. It is important to patch for it and, with or without this vulnerability, to manage encryption configuration as a standard practice: disable export cipher suites and use 2048-bit or larger Diffie-Hellman groups, or ECDHE.

  1. Directed Threat Data & Metrics

Analysis:

TITLE:


Word doc for you to download and edit for your own use is here

Written by Krypt3ia

2015/06/01 at 19:02

Global Threat Intelligence Report April 2015

with 2 comments


  1. Executive Summary

In the month of April the world saw much of the same tricks and hacks against companies, governments, and people, carried out by the usual suspects. Needless to say, the fact of the matter is that today if you are online you are likely to be phished, hacked, infected with malware, or socially engineered. There are ways to try to keep these things from happening to you, but in the aggregate you have to realize that everyone will get hacked and you will lose data. Realizing it is one thing; acting on it is quite another.

The following threat intelligence report is meant as a notional guide to what has happened within the last month in the way of new hacks and exploits, and to point to the areas of the CIA triad where you can bolster your security awareness. By seeing what has been happening, perhaps you and your organization can use the insights in this document to seek remedies for the security vulnerabilities you have.

  1. Global Threats

Social Media & Reputation Management In Danger from Easy Hacks

Lately there has been a spate of attacks on Twitter and other social media accounts that has raised the bar on schadenfreude for the month. Whether the issue stems from poor password security within platforms like Twitter or from a persistent and creative group of adversaries, the outcome has been noticed.


The incident linked above is only one of a multitude of recent attacks on Twitter and other social media accounts. The use of these attacks against companies is usually aimed at embarrassing the entity being attacked. A secondary risk is that the compromise usually stems from weak passwords and, most of all, password re-use, so the same credential may open more sensitive systems.

A tertiary effect is reputational loss from the hacks on these accounts. Often the accounts are then used to spread propaganda, or simply to shame the company with the fact that it was very publicly hacked, and in some cases they become the channel for spreading data stolen from that same company. Consider this whenever such accounts are created and maintained. Ensure that the passwords are not re-used, that the systems used to access the accounts are secured and not themselves of a sensitive nature, that the platform's two-factor authentication is enabled where it is offered, and that good password hygiene is followed at all times, including changing those passwords at regular intervals.

Passwords… Yeah, OPSEC Much?

It is bad enough when your TV station gets hacked and used as a platform for propaganda. It is quite another thing when your own broadcast then shows the station's passwords on screen. This is the case of the French TV station hacked by the Cyber Caliphate in April. This is what is called an OPSEC failure in the world of information security.


The hack of TV5 Monde in April took its channels off the air, and within a day a news segment filmed inside the station showed passwords for its accounts written on notes visible in the background. Whether or not those particular credentials were the initial entry point, anyone who watched the segment, or heard online that the passwords were in the video, could have read them, the Cyber Caliphate, a group loosely aligned with Daesh (ISIL), included. It is not known to what level the hackers had gained access to the network before they were shut down, but it is assumed that they had gotten inside deep enough to cause havoc. The station shut itself down to remediate the issues, but not before the Caliphate made it known that it had been hacked.

The fundamental issue here is that no one, not the videographers, not the technical staff, nor whatever security people TV5 Monde may have, stopped this from happening in the first place. It is a complete lack of security awareness about passwords and their placement on screens or other media, in a segment or online, that is stunning in this case. Note this story and take pains to ensure that you are not the next company to lose control of its networks due to simple security failures like weak passwords or their exposure in public media.

The Dangers of Insider Threats

The hack of the lottery by an insider is a classic signpost for anyone in information security. The aphorism in this business goes something like this: “The insider threat is the biggest threat,” and this is absolutely true.


In the case of the great lottery job of 2015, the insider tried as best he could to pull off the job of the century. He almost made it but lost in the end because of the logistics of claiming the prize. It seems that the insider could not find someone to claim the winnings right away and waited nearly a year before trying to collect the prize.

The object lesson here is that this attacker worked for more than a year on his plan and bided his time to collect the winnings. The insider subverted not only air-gapped computers, with a self-destructing rootkit, but also the camera systems that watched the room in which they reside. This should be a lesson for everyone running a security program. Remember the mantra: “The insider threat is the biggest one.” How does one stop insider threats? Well, that is the problem, isn’t it? Consider looking into this issue at your company and assess what steps you can take to mitigate some of these attacks.

Average Time To Intervene In A Phishing Attack: One Minute Twenty Seconds:

Phishing… What can you say about phishing that hasn’t already been said? Well, you could conduct a study and determine just how long you have, as a security body, to stop one from succeeding. That window seems to be one minute and twenty seconds today.


Phishing, and more to the point spear phishing, are tactics that rely heavily on the end user and the psychology of the human animal. Given that you have a window of just over a minute to intervene between a user and a clickable link, a loaded file, or some other method of exploiting the end user's system, one can see the immensity of the issue.

There are many means of stopping these attacks before they reach the user, such as email sandboxing, malware detection, and content analysis in spam filtering. However, the human being at the start of the attack chain will always find a way to subvert those systems and get the lure to the end user. This is why it is exceedingly important to understand the human psyche and to use that understanding to train users in what phishing and spear phishing are.

As the primary attack vector in most compromises today, it is the duty of every security organization to educate its users in a fashion that gives them real knowledge and not just rote memorization. Understanding the attacks and thinking like an attacker is probably the best deterrent. As a security organization, please consider this story and work on education programs as well as self-phishing exercises against your own end users to inculcate awareness. Technology alone cannot solve this problem and will only let the cycle continue.
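Part of that follow-up is technical triage of the lures that do get through. The following is an added example, not part of the original report: a small Python check that applies three of the tells phishing training teaches to a message, namely a display name that carries a different address from the real sender, a Reply-To pointing elsewhere, and link text that disagrees with the link target, plus a crude lookalike-domain test against the organisation's real domain. The two messages and the domain example-corp.com are constructed for the example; the lookalike test is a heuristic (it matches on the first label of the trusted domain) and will miss homoglyph domains.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real captures). The first is a lure: the
# display name carries a trusted-looking address, the real sender and Reply-To
# use lookalike domains, and the link text disagrees with the link target.
LURE = """\
From: "IT Helpdesk <helpdesk@example-corp.com>" <alerts@mail-example-corp.co>
Reply-To: support@example-corp-login.co
To: staff@example-corp.com
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires in 24 hours. Reset it at
<a href="http://example-corp-login.co/reset">https://sso.example-corp.com/reset</a></p>
</body></html>
"""

CLEAN = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.example-corp.com/maint">intranet.example-corp.com/maint</a></p></body></html>
"""

TRUSTED_DOMAIN = "example-corp.com"   # assumption: the organisation's real mail domain
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
URLISH_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(text):
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _is_lookalike(domain, trusted):
    """True when a domain imitates the trusted one without being it or a subdomain of it."""
    if domain == trusted or domain.endswith("." + trusted):
        return False
    return trusted.split(".")[0] in domain


def check_message(raw, trusted=TRUSTED_DOMAIN):
    """Return a list of (code, detail) findings for one RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    shown = ADDR_RE.search(name)            # an address hidden in the display name
    if shown and _domain(shown.group(0)) != from_dom:
        findings.append(("DISPLAY_NAME_MISMATCH", f"{shown.group(0)} shown, sent by {from_addr}"))
    if _is_lookalike(from_dom, trusted):
        findings.append(("LOOKALIKE_SENDER", from_dom))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply_to}"))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if href and URLISH_RE.match(text) and _host(text) != _host(href):
            findings.append(("LINK_TEXT_MISMATCH", f"shows {_host(text)}, goes to {_host(href)}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_message(LURE):
        print(f"{code}: {detail}")
```

Run it over a mailbox export and the findings become the material for the next awareness session: real lures that real users received, annotated with exactly which tell gave them away.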

A Majority of Incidents Are Aided By The End Users:

As you just read above, it seems that the end user is the primary target today for attacks on organizations. Phishing emails, social engineering exploits, and poor user security hygiene more often than not lead to greater company compromise today.

In an era when the moat, castle, and portcullis (the firewall) are not the arbiters of stopping attacks, one must remember that Troy fell to the Greeks by way of a Trojan horse. It amazes me that even today people still fall prey to the notion that because they have some security technology like a firewall they are good to go.

What this story should give you as a takeaway, in tandem with the previous story on phishing, is that the end user is the key to 95% of the security threats we face today. Yet many still believe that a technological solution alone is the way to go and that education for end users is pointless. The fact of the matter is that it is quite the opposite: more orgs should come to understand the human animal’s psychology, lead users to better security choices, and educate them to make those choices.

If your org does not have a robust program of iterative security education for end users, you are doing a disservice to the company and to the end users. You will, in the end, lose your battle much more quickly and have larger compromises if you are not carrying out continuing security education.

Default Passwords; A Security Threat

Insanity: doing the same thing over and over again and expecting different results.

~ commonly attributed to Albert Einstein

Default passwords on secure systems. This is an oxymoron yet it happens all of the time in networks and organizations. How is it that systems are placed on networks or facing the internet with these same defaults left in their original states?


Once again the human psyche seems to be at work in our security failures and foibles. All too often default passwords or default configurations are the cause of compromises that lead to great loss of data and reputation. Are these just oversights by overtaxed network admins? Or is there a lack of comprehension on the part of the workers and management within the security milieu?

As a security organization you should, by default (ha ha), be seeking out these defaults with vulnerability scanners and credential checks against your own systems, so that others cannot use them to get into your networks. This is the lowest of low-hanging fruit and yet it keeps happening.

RyanAir Hacked and Five Million Dollars Stolen Electronically:

Attacks on banking systems, as well as other payment systems, are becoming more prevalent as well as more creative. In the case of the Ryanair compromise, the attackers knew their target and its ways very well indeed to carry out this hack and transfer of 5 million dollars.

This case is of specific interest because of the way the adversary used the daily operations of the company to transfer large sums of cash without raising a red flag internally. Like many companies, Ryanair had a set of accounts and practices that could be leveraged by an astute attacker to make off with funds without raising an eyebrow. In this case it was the accounts used to pay for re-fuelling the planes.

Since the cost of fuel fluctuates, these were the perfect accounts because they routinely carried high-value transactions with some regularity. In many companies you will also find such accounts and practices that attackers could leverage to make off with money transfers that would not be noticed. As an organization you should identify these high-value accounts and put means in place to track them more assiduously: baseline what normal looks like for each supplier and beneficiary account, and hold any payment that breaks the pattern for a second approver.
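As an added example, not from the original report: a small Python review of an outgoing payment batch against a historical baseline. The ledger is constructed, the supplier names and account identifiers are invented placeholders, and the three rules (new supplier, new beneficiary account for a known supplier, amount beyond three standard deviations of that supplier's history) are the ones a finance control would start with; they are not a description of what happened at Ryanair.

```python
from statistics import mean, pstdev

# Constructed ledger (not Ryanair's data): eight routine fuel payments to one
# known supplier account form the baseline.
HISTORY = [
    {"id": n, "supplier": "JetFuel Co", "account": "GB11FUEL0001", "amount": amt}
    for n, amt in enumerate(
        [395_000, 402_000, 410_000, 388_000, 415_000, 399_000, 405_000, 391_000], 1)
]

# Constructed batch awaiting release: one routine payment, one to a new
# account under the same supplier name, one with an outsized amount, and one
# to a supplier never paid before.
BATCH = [
    {"id": 9, "supplier": "JetFuel Co", "account": "GB11FUEL0001", "amount": 412_000},
    {"id": 10, "supplier": "JetFuel Co", "account": "CN99NEWACCT42", "amount": 420_000},
    {"id": 11, "supplier": "JetFuel Co", "account": "GB11FUEL0001", "amount": 2_900_000},
    {"id": 12, "supplier": "Ramp Services Ltd", "account": "IE55RAMP0007", "amount": 150_000},
]


def build_profile(history):
    """Per supplier: the accounts paid before and the amounts paid."""
    profile = {}
    for tx in history:
        entry = profile.setdefault(tx["supplier"], {"accounts": set(), "amounts": []})
        entry["accounts"].add(tx["account"])
        entry["amounts"].append(tx["amount"])
    return profile


def amount_ceiling(amounts, z=3.0, flat_ratio=1.5):
    """Largest amount still treated as routine for this supplier."""
    mu, sigma = mean(amounts), pstdev(amounts)
    # A perfectly flat history has sigma 0; allow 1.5x the usual amount then.
    return mu + z * sigma if sigma > 0 else mu * flat_ratio


def review_batch(batch, profile, z=3.0):
    """Return [(tx id, reason), ...]; a payment that trips no rule is absent."""
    flagged = []
    for tx in batch:
        known = profile.get(tx["supplier"])
        if known is None:
            flagged.append((tx["id"], "new-supplier"))
            continue
        if tx["account"] not in known["accounts"]:
            flagged.append((tx["id"], "new-account-for-known-supplier"))
        if tx["amount"] > amount_ceiling(known["amounts"], z):
            flagged.append((tx["id"], "amount-outlier"))
    return flagged


if __name__ == "__main__":
    for tx_id, reason in review_batch(BATCH, build_profile(HISTORY)):
        print(f"hold payment {tx_id}: {reason}")
```

The new-account rule is the one that matters most: a change of beneficiary details on an established supplier is the classic signature of invoice and payment fraud, and it is invisible to an amount-only check because the fraudulent transfer is deliberately sized to look routine.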

What’s Your Security Maturity Level?

Brian Krebs raises a very important question when considering your security posture at a corporate level. In this piece he asks it through a poll that was taken and data that show how orgs tend to fail as security bodies. The maturity level of the company correlates directly with the level of risk the company faces, since adversaries leverage the lack of maturity to effect their goals.

One of the primary tenets of INFOSEC is that unless the security organization has buy-in from the top and a clear channel to communicate, it will fail in its job. This is much of the point of the article and the data Mr. Krebs is pointing to. Every organization should consider the data within this article, question what its organizational structure is, and seek to better it if it is not already functioning at a high level.

How does your org function? Can you get buy in from the CEO down? If not, you are not likely to be successful.

  1. Malware & Crimeware

False Positives Sink Antivirus Ratings

Antivirus is problematic to start with. All too often it is seen as a panacea by executives, but the reality is that it is an imperfect system and must be used as one element of a layered approach to mitigating attacks. With the prevalence of false positives we can see how this one factor alone can lead to rating hits as well as a sense of crying wolf.

The fact that AV has so many false positives, as well as issues with signatures being out of date or missing, often makes the system a flawed one at best. Orgs should be looking less at detection ratings than at the overall efficacy of the products themselves and at their balanced use within a layered approach.

Overall, orgs should look at their AV choices and implementations to determine where gaps exist in the efficacy of the programs, technically and logically. Those gaps should then be closed with other means to stop-gap the areas of concern. A single AV solution is futile as a means of protecting your organization today.

New Malware Spreads Through Advertising Channels:

Malware campaigns spread via advertising channels are a stroke of genius for the adversaries. The prevalence of advertisements on sites, and the ability to spread malware through them, lets the attacks progress geometrically.

An uptick in this activity has been seen in many channels and should be considered a clear and present danger. Once the malware channels have been created by taking over the links to advertisements in sites and feeds, the drive-by potential increases geometrically. Depending on the malware variants and the adversaries, we could see quite an uptick in directed attacks.

A curated malware campaign could conceivably be used to go after particular targets through the types of ads used as the transmission point. Say you were able to go after luxury item ads and inject malware into those who view them. The return on investment for the adversaries could be huge. As well, given the prevalence of ads in every corner of the page today, one imagines that this vector will become the go-to method in the near future.

Banking Malware Now Using More Exotic Evasion Tactics:

The crimeware creators are taking cues from the advanced persistent threat crowd and building in features that will allow for not only greater compromise but longer periods of entrenchment in the victim networks. These factors will make crimeware the new APT and the APT seem like old hat.


As time has passed we have seen the crimeware creators become more adept at integrating the tools and techniques of the advanced persistent threat set. In the case of this report we can see directly how the criminals have taken up the mantle of APT, using advanced techniques to keep persistence on the networks they are attacking.

As the technology gets more complex, so too will the capability needed to detect and deter the attacks. In recent samples, malware of a more pedestrian nature, delivered by lower-end phishing, has been built to be network aware as well as sandbox aware. These escalations in technique will require organizations to catch up and to run operations that can detect, reverse, and report on these attacks as their frequency and complexity rise. Orgs should invest in people and technologies to deal with these threats appropriately.


  1. Vulnerabilities

CISCO ASA Bug Allows Arbitrary Commands and DoS

Several vulnerabilities were reported in Cisco ASA. A remote user can cause denial of service conditions on the target system. A remote user can execute arbitrary commands on the target system.


A remote user on the local network can send specially crafted UDP packets to the target failover device via the failover interface to trigger a flaw in the failover IPSec feature and execute arbitrary configuration commands on the target device [CVE-2015-0675]. This can be exploited to take full control of the active and standby failover units.

This is another good example of a core system being attacked with code that could allow for greater compromise of a network. Note that the command execution flaw is reachable from the local network via the failover interface, so keeping failover links on an isolated segment limits who can reach it. Please ensure that your org is tracking these core systems and their vendor feeds for vulnerabilities and patches that should be applied or investigated.

Windows HTTP Protocol Stack (‘HTTP.sys’) Parsing Error Allows Arbitrary Code

A vulnerability was reported in Windows ‘HTTP.sys’. A remote user can execute arbitrary code on the target system.


A remote user can send a specially crafted HTTP request to trigger a parsing flaw in the HTTP protocol stack (HTTP.sys) and execute arbitrary code on the target system. The code will run with System privileges.

This is another flaw in a common core component of the internet. As mentioned before, it seems that attackers now go after core systems and protocols for larger effect. Such vulnerabilities should be considered a clear and present danger and be patched as soon as practicable; HTTP.sys is the kernel-mode HTTP driver behind IIS, so the exposure is every Windows host with IIS, or any other HTTP.sys listener, reachable from untrusted networks.
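The bug described here is the April 2015 HTTP.sys bulletin, MS15-034 (CVE-2015-1635); neither identifier appears in the original, and what follows is an added example rather than anything from the report. The trigger was an HTTP Range header with an enormous upper bound, the widely published check sent Range: bytes=0-18446744073709551615, and Microsoft's stopgap before patching was to disable IIS kernel caching. The Python below applies that as detection logic over constructed requests, flagging the known 2^64-1 bound and, more generally, any range bound larger than anything the server could plausibly serve (the 4 GiB ceiling is an assumption to adjust per deployment). It could be run over a proxy or IIS access log with the Range header logged; it sends nothing.

```python
KNOWN_TRIGGER = 2**64 - 1   # upper bound used by the published MS15-034 probe
MAX_PLAUSIBLE = 2**32 - 1   # assumption: nothing this server serves exceeds 4 GiB

# Constructed requests, not captured traffic: a routine partial download,
# the published probe, no Range at all, and an absurd but non-trigger bound.
SAMPLES = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-1023\r\n\r\n",
    "GET /iis-85.png HTTP/1.1\r\nHost: www.example.com\r\n"
    "Range: bytes=0-18446744073709551615\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /big.iso HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=18-5000000000,0-10\r\n\r\n",
]


def parse_headers(raw):
    """Split a raw request into (request line, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def range_bounds(value):
    """'bytes=a-b,c-' -> [(a, b), (c, None)]; ValueError on anything else."""
    unit, sep, spec = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit")
    bounds = []
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")
        if not sep:
            raise ValueError("not a byte range")
        bounds.append((int(lo) if lo else None, int(hi) if hi else None))
    return bounds


def assess(raw):
    """Verdict for one request: suspicious if a Range bound cannot be genuine."""
    request_line, headers = parse_headers(raw)
    verdict = {"request": request_line, "suspicious": False, "reason": None}
    if "range" not in headers:
        return verdict
    try:
        bounds = range_bounds(headers["range"])
    except ValueError:
        return {**verdict, "suspicious": True, "reason": "malformed Range header"}
    for bound in (b for pair in bounds for b in pair if b is not None):
        if bound == KNOWN_TRIGGER:
            return {**verdict, "suspicious": True,
                    "reason": "Range bound 2^64-1: known HTTP.sys trigger"}
        if bound > MAX_PLAUSIBLE:
            verdict.update(suspicious=True,
                           reason=f"Range bound {bound} exceeds any served object")
    return verdict


def scan(samples):
    """Request lines of every sample judged suspicious."""
    return [v["request"] for v in map(assess, samples) if v["suspicious"]]


if __name__ == "__main__":
    for line in scan(SAMPLES):
        print("suspicious:", line)
```

The oversized-bound rule is the generalisation worth keeping after patching: a Range bound that exceeds anything the server could serve is either a scanner or a bug hunt, whichever product is behind the listener.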

Microsoft Security Bulletin April 2015

In April’s Patch Tuesday there were 27 vulnerabilities patched, ranging in severity from critical on down.

As with all vendors, Microsoft produces patches in response to reported vulnerabilities in its operating systems and software. It is important that all orgs set aside time on a monthly basis to follow up on the Microsoft security patches released on the second Tuesday of each month.

Microsoft, being what it is, is a bit of a monoculture in many networks, and as such the compromise of one system will likely mean the compromise of the greater network because of trusts within the domain as well as weaknesses in the operating systems.

Please ensure that your organization’s security group is involved in the patch cycle, taking part in the decisions about patching vulnerabilities according to their criticality in your own environment.

Word Document to download and edit for your org HERE

Written by Krypt3ia

2015/05/04 at 21:58

Advanced Persistent Failure: The Malaise of INFOSEC

with one comment

[Screenshot: Brian Krebs’ article “What’s Your Security Maturity Level?”]

An INFOSEC Maturity Differential Diagnosis:

Advanced Persistent Failure (APF *tm*) is a term that I coined today in my Twitter feed that I have yet to trademark before Rob Graham (@erratarob) gets around to it.

Advanced Persistent Failure: “The inability of human beings and their collectives to learn from security incidents, data, polls, and any other lessons learned that would normally cause changes to be made. Instead, the cognitive dissonance wins out and they believe nothing is ever wrong, they are safe, and unicorn devices will prevent their data from being stolen.”

What brought it to mind today was the article pictured above by Brian Krebs, which asks “What is your org’s security maturity?” I find it interesting that the guy who is out there on the net, the one person you “don’t want to hear from” of late, because if he’s calling it’s because your data is out on the net and he knows about it, is actually asking a question that many others have asked in the past. I don’t think any of them, myself included, ever got traction with the hoi polloi because we aren’t all famous or ‘rock stars’ in the industry. Still, even with someone like Brian asking the question, I don’t think the message will get through the static of all the sales pitches and self-absorbed thought processes out there in the corporate world to make one whit of difference.

Full report here

[Screenshot: the security maturity chart from the report]

What I mean to say is that even with someone like Brian asking the question, the companies, and the people that comprise them, likely will not navel gaze enough to make the changes recommended by such posts and their supporting data. Now you may consider me a jaded bastard or a pessimist, which I am both, but I want you all to take in the reality of the situation. How many orgs do you know of that have been on the right path security-wise from the start? How many of those orgs only began to change after an intrusion that caused a great deal of damage and FUD? Seriously, take a look at the chart above and compare it to your own org. Now ask yourself honestly these important questions;

  1. If I am in a reactive org, can I change the org to not be?
  2. If I am compliance driven the motivation has already been given yet I am still unable to secure things.. Why?
  3. If my executive chain does not get it now how can I change this?

Now these questions may be daunting for the average security worker but then consider a CISO or director asking these questions too. Do you honestly think that even if they sent this article to the executive set that they would even bother? Why would they? Do your execs get security at all? I am sure some of you out there are like “yeah they get it, my org rocks!” to which I say “Good for you! Liar.” It is my opinion, after a long time in this business as a consultant, that orgs in general are fucked up and not clued in on security as the rule. Doubt this? Just look at all the big compromises and advanced persistent failure we have seen over the last few years. How about this though, just consider the reports recently about POS machines with default passwords that have not been changed in 20 years.

How bout them apples? We all know that default passwords are bad and they should be changed as a rule but no one is doing that. Why do we persistently fail at doing the simple things? Perhaps it is because humans are just bad at determining long term risk? Perhaps none of us is as bad as all of us when it comes to making security decisions? Or maybe it is just because there is no real imperative on the part of companies to really care because the financial and reputational losses are not that great today? Let me ask you this.. Do you think that the former CEO of (insert hacked company) is now living on the street in a cardboard box because they failed to care about the security at (insert hacked company) ?

Lemme give you a hint… No.

Clearly it is not an imperative, so by Brian asking the question it may get some air time, but really, how many orgs do you think are going to read that article and yell “BY JOVE HE’S RIGHT! WE MUST CHANGE THIS HENCEFORTH!”

Lemme give you a second hint… None of them.


Hell, even if Steve Ragan wrote a piece on this *hint hint* I still expect that the vast majority of the security people out there, even after forwarding that article to their directors and CISOs, would not be able to effect a change for the better security-wise. Why? Because once again, people don’t give a shit and they aren’t being forced to do anything about it. No, really, that is my opinion and I am going to stick to it. Nothing will change unless they are forced to be cognizant of the issues as well as responsible, really responsible, at the end of the day. So there is very little hope that your CISO will be magically reporting directly to your CEO. There is very little hope that your CISO will be working directly with the board of directors UNLESS maybe, if you are lucky, you have been hacked spectacularly and in the news. Those orgs that have made those changes after being hacked I feel are more unicorns than anything else. So yeah Steve, please write about this and have it drop into all the CISOs’ email boxes! It will be all hopey changey!! Secretly though I would hope you just link back to me about the APF of all of this, ya know, just as a cautionary tale and a buzzkill.

Face facts kids, we are well and truly shit out of luck here. I certainly don’t expect us as a species to change how we operate because some people in the media pointed out the realities of our collective fail. Sure, China is hacking the shit out of us. Iran is about to cyber nuke the lot of us and the Russkis are all up in our President’s emails, but will we change our SOP for security because of it? No, no we won’t; we will just continue to stumble along like we have been all along. Our predilection for Advanced Persistent Failure is like an addiction really. Security is hard! We can’t make those changes to passwords! I mean how will we rememberize them? Oh. My. God! Enlightenment, even the ‘brick’ that @Gattaca and others use out there, does not have the play or the sexy that a new blinky light APT stopper has on the RSA floor as hawked by booth… Babes? Men? Whatever the flavor of the day is now in our stupid industry of fail.

Prepare for the next fail tsunami kids. Nothing will change.


Written by Krypt3ia

2015/04/27 at 19:03

Posted in Infosec

THE SNOWMAN EFFECT: It’s all about the dick pics!

with 3 comments

Watch the video first… Yes, watch it again if you haven’t already, then read on…

Ok, so do you feel some horror and outrage even though you laughed your ass off? Yeah, me too. But after those feelings wear off I am just left with a sense of creeping dystopia and loathing. Honestly, this shit is just out of hand and no one is really capable or willing to deal with it, and this comedic bit by John Oliver hits the nail on the head. No matter what you think of Snowden, the point is that even after all of the data being released and all its portents shared, nothing substantive has happened. Sure, the world now knows, and the security community at least seems to be in a quandary over it all, but it seems the general populace cannot be bothered even to know who Snowden is or what he did. To quote myself here;


Ok ok ok, maybe the sampling was skewed in Times Square that day and the sample was small, but really, no one there had a real grasp of the leaks, never mind their import for their daily hyper-connected lives? I am still a little stymied to believe this to be the case but there you have it on HBO. So as the date approaches for the re-up of the Patriot Act, and specifically the most egregious of all the egregious shit in it, Section 215, we the people seem to be just abdicating our rights as citizens to say no to this. Even as we see more executive orders come out on hacking and the ‘cyber’ that seem at least notionally obtuse and open to interpretation, if not outright deliberately so to allow abuses, we are just gonna go back to collectively not caring about anything other than Kim Kardashian’s ass?

Oh.. Wait a minute here, I am forgetting about the dick pics!

Well obviously we have our priorities straight as a nation and a freedom loving people right? I mean FOR GOD’S SAKE YOU CAN TAKE MY PERSONAL CALLS AND CALL ME A TERRORIST BUT FUCK ME YOU CANNOT LOOK AT MY DICK PICS YOU SURVEILLANCE BASTARDS! Yeah, that is a bridge too far my friends! I suspect I will be seeing new ‘Don’t Tread On Me’ flags with a penis instead of a snake soon enough.


Ok, well then we have proven that we as a nation, as a people, do not comprehend the problem of pervasive surveillance enough to do anything about it UNLESS it is about our personal porn. I get it now. As no one but Oliver has made it about this I predict that section 215 will just get another pass. Meanwhile all our data collection will continue and the mass surveillance state will grow even further than it already has. This leaves me once again back at the stage of Neo Ludditism. Excuse me while I go to my 6’x12′ cabin in the woods and make my ‘packages’…




Written by Krypt3ia

2015/04/08 at 13:50

Posted in 1984

Global Threat Intelligence Report March 2015

with one comment


GLOBAL Threat Intelligence Report – March 2015

  1. Executive Summary

In the month of March there were several high-level vulnerabilities exposed, ranging from software flaws to the compromise of user security by supply chain tampering on the part of a maker of laptops and desktops. All of these instances show just how much the landscape changes month to month in the security of our systems and networks.

This report has been generated to give the end user an idea of what is happening in the security space, as well as insights into little-considered security issues that could lead to compromise of your network. From the macro to the micro, security issues can have great effect on corporations large and small. From the Target breach settlement of ten million dollars in reparations to its customers, to the FREAK vulnerability and the attacks on the core protocols that the internet is built on and secured with, these reports give you an idea of where to look and what to look for.

  1. Global Threats

Fully Patched Versions of Firefox, Chrome, and IE 11, & Safari hacked in PWN2OWN contest


Think that patching your browser on a regular basis is the only answer to your security problems? Then guess again. At the last Pwn2Own contest all of the major browsers fell to attacks even though they were fully patched.

What this result shows is that even when a system has been curated well and security patches applied, there can always be flaws in the code that lead to compromise. This is an important fact to remember and plan for in any environment dealing with on-line activities.

However, mitigations can be taken to help stem these types of attacks. Consider deploying EMET 5 (Microsoft’s exploit mitigation toolkit, which hardens process memory against the exploitation techniques these browser bugs rely on) or a host-based intrusion detection client that watches for the changes to the operating system that follow a browser being exploited. It is also a given that your company should have IDS/IPS/SIEM capabilities to detect traffic going to C&C servers from compromised systems and browsers.

The Largest Email Hack in History

The US Department of Justice announced today that it has charged three men for participating in what officials are calling “one of the largest reported data breaches in US history” and “the largest data breach of names and email addresses in the history of the Internet.”

According to allegations in the indictments, between February 2009 and June 2012, Viet Quoc Nguyen, 28, a citizen of Vietnam, allegedly hacked into at least eight email service providers (ESPs) throughout the United States and stole confidential information, including proprietary marketing data containing over one billion email addresses. Nguyen, along with Giang Hoang Vu, 25, also a citizen of Vietnam, then allegedly used the data to send “spam” to tens of millions of email recipients. The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011. ~USDOJ


The hacking of eight major email providers in this case shows just how important common information like our email addresses and content is to criminals. That this is the biggest and seemingly longest running of these scams also shows how long something like this can go on and how it has been corporatized, in a way.

The criminals created an enterprise in which they used their ill-gotten data to send spam and generate revenue from it. This is common today, but it is not usually predicated on hacking major email providers and stealing their inside data.

The FREAK Vulnerability and SSL

Just when you thought it was safe to use your computer again after last year’s Heartbleed, Shellshock and other computer bugs that threatened your security and just as I predicted in my column of Dec. 20, 2014, researchers have discovered yet another security flaw that threatens millions of Internet users.


The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses expect to see more attacks on this fundamental protocol which could compromise your whole environment.

This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once this has been broken by making a session insecure, an attacker can then steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.

Target Offers 10 Million Dollars in Breach Payments

Target has agreed to pay $10 million to settle a class-action lawsuit related to the company’s 2013 data breach.

Court documents show hacking victims could get as much as $10,000 apiece.


The Target hack was one of the first in recent times to make a lasting impression on the world. This attack showed not only how the adversaries used advanced and persistent means to gain and keep access to Target’s networks, but also how a company can be financially and reputationally compromised.

That Target is now offering money, rather than just credit monitoring, shows how much these attacks matter to a company’s bottom line as well as to its continued reputation. This round of settlements, however, has been criticised as low and not enough by many in the industry and among the public.

The upshot here is that the company has had to respond in this manner due to its own culpability: its security measures were not up to speed to catch the warning signs that were going off like klaxons in the night. It is important for all organizations to perform due diligence in this day and age of advanced adversaries, who may not be nation state sponsored.

One in Three Websites at Risk on the Net

Facebook. Paypal. ESPN. Google. Amazon. These are sites you probably visit all the time, sites you inherently trust. But a new report from Menlo Security released Tuesday says that trustworthy sites are not necessarily safer.

Menlo pulled out the top 1 million domains on the Web and reviewed them all for potential vulnerabilities. The results were startling. One in three fell into the category of “risky,” meaning that they had either already been compromised by hackers, or were running vulnerable software that leaves them open to attack.


A couple of factors could explain this assessment. The first is that there are simply so many vulnerabilities that they are hard to keep up with in an enterprise environment. The second is that the companies are either not performing their scans as regularly as they should, or have decided that the vulnerabilities are acceptable to them and written them off as accepted risk.

I am unsure of the reality here regarding these potential risks to all these sites on-line. Risk acceptance and determination of the level of risk are hard to scope out, as each environment makes that calculation (one hopes) for itself, so there are variations in levels of care. However, this article and the statistics therein show that, as a whole, we can understand how easily adversaries can exploit systems reachable on-line and why we keep seeing stories about large scale hacks on organizations.

ISIS Hit List and Information Warfare

At least three times in the last five months, U.S. military members have been urged to limit their social media activity in response to worries that ISIS-linked terrorists could track them down, in the U.S. or abroad.

The latest warning came this week, when a group calling itself the Islamic State Hacking Division posted personal information of about 100 service members, which defense officials said had been collected from social media sites.


While this story is about the war on terror and the on-line antics of a small cadre of Da’esh followers, it is also a cautionary tale. The information that was leaked on-line was not in fact hacked, but instead all available through Google searches. This is an important fact in the story to clarify but also sets the stage for the second important insight, of how much of our personal data is on-line.

A simple Google ‘Dork’ can deliver a huge amount of OSINT on a target today and the use of that data to then re-post it on a page like pastebin and call for assassinations shows the power of the net. Basically, this story is the story of asymmetric warfare and how easily it can be carried out online. Now imagine that it is not in fact a terrorist organization doing this but a disgruntled employee or client of a company doing this.

Every individual should consider how much data they put online and where they are putting it. From cyber bullying to outright death threats, we make it easy to ‘dox’ ourselves with our Tweets, Facebook postings, and emails.


On March 26, 2015, a very well-coordinated distributed denial of service (DDoS) attack was waged on GitHub, the heir apparent to the now-closing Google Code. GitHub characterized this as the largest DDoS in its history.

The Electronic Frontier Foundation (EFF) and security researchers Netresec name the Chinese government as the culprits of the attack, which lasted until March 31, 2015. Here’s an overview of why the cloud-based git repository host was targeted.


China and India have both recently blocked GitHub over content on the site that they evidently found threatening. In the case of China, it seems that GitHub may have just become another piece of fodder in the internet wars. The reality, though, is that no matter the political aegis, GitHub was taken down with a DDoS that relied on unencrypted sessions to Baidu being allowed.

The bigger story here, though, is that DDoS is incredibly hard to mitigate and everyone is vulnerable to it. As a means of political protest or just an attack to force a company into some kind of complicity, DDoS is not going anywhere. This is because our systems are inherently vulnerable to these attacks, and until such time as the code is adjusted to disallow them, they will happen regularly.

For more on DDoS go here

Your Private Data Available Through Anonymous Shares On-line

Our lives are digital now.

Everything we do on-line leaves a trail that leads directly to us; something privacy advocates are fighting to eliminate. However, we’re our own worst enemy when it comes to privacy, and personal cloud adoption has done nothing to help the situation.

Each day millions of people across the globe create backups of their files. These backups are supposed to offer a measure of assurance that their files are safe and easily recovered if needed. But that’s not entirely true.

In fact, depending on how you’ve configured the device, your backups are freely available on-line to anyone who knows what they’re looking for.


Google ‘Dorking’, as mentioned above in the Da’esh story, is an easy way not only to gather data on users but also to gain access to their data and systems. In the case of the story at CSO it was easy to Google with certain terms and strings to locate users’ systems that were insecure and on-line. Many of these systems were in fact routers that had been turned on with default settings or misconfigured.

This is an object lesson for everyone, and you should consider it not only a personal security issue but also a corporate one. Imagine, if you will, that you have an IT person who is bringing work home or, worse still, has configured a router or a NAS device to share in this way to the Internet. This is actually a scenario that was discovered and that offered up a compromise of the company’s whole infrastructure.

Many of the cases just involve personal information. However, there have been cases like the one cited above as well as cleared individuals sharing out FOUO/NOFORN/CONFIDENTIAL information as well so this is certainly not only a personal issue. Please consider talking to your employees about these types of data breaches at home that could lead to breaches at your company as well.

  2. Malware & Crimeware

Superfish! Lenovo Pre-Installed Malware

Does your Lenovo computer have Superfish VisualDiscovery adware (a.k.a. spyware) installed? It’s possible if you purchased a Lenovo PC any time in September of 2014 and thereafter.

This Superfish software intercepts the Lenovo user’s traffic so that the user sees ads displayed that reflect their browsing habits. The problem with this targeted advertising scheme is that it comes with a vulnerability that makes it easy for hackers to attack.

Superfish enables targeted advertising by installing what’s called a trusted root CA certificate.


These threat intelligence reports have covered the idea of ‘Supply Chain Tampering’ in the past, but this one should set bells off for anyone buying a computer from any vendor. According to Lenovo, the adware with its trusted CA was nothing to worry about. However, it was proven out that this adware/malware could be used by others to compromise the systems entirely.

Though Lenovo considered this form of advertising, with its inside access and traffic routing, legal and okay, it is in fact not. Just as Sony was called out for adding a RAT (remote access tool) to their DVDs in the past, this is wholly inappropriate and in fact degrades the security of whole organizations as well as of individuals who may purchase their hardware.

Now that this is out in the open, if you have these systems within your network you should remove the adware/trojan, and inform any home users in your work-at-home or bring-your-own-computer programs to remove it as well. If it is left as is today, after all the reporting on it, compromise is possible because exploit code is already in the wild.

To remove SuperFish go here

Kilim Facebook Worm Hooks with Sexy Pics

Security experts have warned of a new Facebook worm using adult content as a lure to trick desktop users into downloading malware.

The authors behind this version of the Kilim worm have “gone to great lengths to anonymize themselves” and circumvent browser protections, Malwarebytes senior security researcher, Jérôme Segura, wrote in a blog post.

If they click on what appears to be a video file promising to show “sex photos of teen girls,” victims are redirected via two links – first to an Amazon Web Services page and then a malicious site, which apparently checks their computer.


One of the more common techniques in malware delivery and phishing attacks is the promise of sexual content. That this is being leveraged in Facebook is only more effective because of Facebook’s prevalence on the net. Additionally, the use of obfuscated shortened links like and is common as well and should be filtered if possible in your environment to disallow these attacks.

As organizations, you should have some form of web filtering in place, but oftentimes these let such content slip through. Please keep up with the filtering and leverage systems like BlueCoat and Websense as a front line tool against these types of attacks.

The Hanjuan Exploit Kit and Malvertising

Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.

Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told that the issue has been resolved.


Malvertising (from “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

Another name for this type of attack could be ‘drive by’, but the point here is that nothing is safe. Ads on sites can in fact be the infection points for systems viewing the page, and this is a risk to all environments.

Whether it be an iframe attack or a click through to a malicious domain, these types of attacks are myriad on-line and should be a concern for all security departments in corporations. What can be done though? It is a hard thing to keep up with and to prevent users from clicking on or just visiting legitimate sites that may be temporarily compromised.

The best thing you can do is have the measures in place (Websense/BlueCoat/Barracuda etc.) to monitor the online traffic of your users and get alerts on sites that may be compromised. It is then your job to locate the users who may have gone to these sites and scan their systems for compromise. Having a program in place (RSS feeds etc.) to keep up with these types of attacks will also help your security team to detect and deter them.
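As an added illustration of the triage described in the paragraph above (and of the shortened-link filtering suggested in the Kilim story), here is example Python that is not from the original report or from any proxy vendor: it reads constructed Websense/BlueCoat-style proxy log lines, flags visits to a hypothetical watchlist of compromised and shortener domains, rebuilds the redirect chain from referers, and lists the internal hosts to scan. The log layout, domain names and watchlists are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Hypothetical watchlists (constructed for this example). In practice these come
# from the proxy's categorisation feed and the team's own intel sources.
COMPROMISED_DOMAINS = {"ads.malvert-example.invalid", "payload.kilim-example.invalid"}
SHORTENER_DOMAINS = {"bit.ly", "goo.gl", "t.co", "ow.ly"}

# Constructed proxy log lines in an assumed Websense/BlueCoat-like layout:
#   date time user src-ip action "url" "referer" status
SAMPLE_LOG = [
    '2015-03-24 09:14:02 jdoe 10.1.2.33 OBSERVED "https://www.facebook.com/" "" 200',
    '2015-03-24 09:14:09 jdoe 10.1.2.33 OBSERVED "http://bit.ly/abc123" "https://www.facebook.com/" 301',
    '2015-03-24 09:14:10 jdoe 10.1.2.33 OBSERVED "http://s3.amazonaws.com/landing-example/p.html" "http://bit.ly/abc123" 200',
    '2015-03-24 09:14:11 jdoe 10.1.2.33 OBSERVED "http://payload.kilim-example.invalid/video.exe" "http://s3.amazonaws.com/landing-example/p.html" 200',
    '2015-03-24 09:20:45 asmith 10.1.2.57 OBSERVED "http://news.example.com/story" "" 200',
    '2015-03-24 09:20:46 asmith 10.1.2.57 OBSERVED "http://ads.malvert-example.invalid/serve?id=9" "http://news.example.com/story" 200',
    '2015-03-24 09:31:00 bjones 10.1.2.80 BLOCKED "http://goo.gl/xyz" "https://www.facebook.com/" 403',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<src>\S+) (?P<action>\S+) '
    r'"(?P<url>[^"]*)" "(?P<referer>[^"]*)" (?P<status>\d{3})$'
)


def domain_of(url: str) -> str:
    host = urlparse(url).hostname
    return host.lower() if host else ""


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["domain"] = domain_of(e["url"])
    return e


def redirect_chain(events, hit):
    """Walk referers backwards (same user) to rebuild how the user reached `hit`."""
    by_url = {(e["user"], e["url"]): e for e in events}
    chain, cur = [hit["url"]], hit
    while cur["referer"] and (cur["user"], cur["referer"]) in by_url and len(chain) < 10:
        cur = by_url[(cur["user"], cur["referer"])]
        chain.insert(0, cur["url"])
    return chain


def triage(lines):
    """Flag watchlist hits; blocked shortener requests need no follow-up."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for e in events:
        if e["domain"] in COMPROMISED_DOMAINS:
            findings.append({"user": e["user"], "src": e["src"], "ts": e["ts"],
                             "reason": "visited compromised domain " + e["domain"],
                             "chain": redirect_chain(events, e)})
        elif e["domain"] in SHORTENER_DOMAINS and e["action"] != "BLOCKED":
            findings.append({"user": e["user"], "src": e["src"], "ts": e["ts"],
                             "reason": "followed shortened link via " + e["domain"],
                             "chain": [e["referer"], e["url"]]})
    return findings


def hosts_to_scan(findings):
    """Internal hosts that actually reached a compromised domain."""
    return sorted({f["src"] for f in findings if f["reason"].startswith("visited")})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["user"], f["src"], f["reason"])
        print("    chain:", " -> ".join(f["chain"]))
    print("hosts to scan:", hosts_to_scan(found))
```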

Android Malware Risk to Almost 50 percent of all Devices

Millions of Android devices have been found vulnerable to cyber attack following a security flaw allowing malware to replace legitimate apps, hacker Zhi Xu has found.

Almost half of Android phones may be affected, with the flaw allowing dangerous malicious apps to be downloaded without the user’s knowledge, collecting personal data from the infected device.


As mobile computing becomes more prevalent and operating systems like Android take more market share, your employees and you are at more risk to compromise. In the case of this malicious application installation it has been shown that nearly fifty percent of all phones are vulnerable.

With the advent of ‘Bring your own device’ and just the general use of these phones, tablets, and devices, the risk of compromise has increased geometrically. It is important that your security programs include keeping up on vulnerabilities in these devices, as well as being aware of the intricacies involved in private individuals’ devices, their use, and where the security rubber meets the privacy road.

A compromise of a device not only puts the end user’s data at risk but also the corporation’s, as well as its network infrastructure.


New variants of malware come and go with depressing regularity, but some have capabilities that offer more cause for concern than others.

The latest piece of scary software comes from researchers at security company Doctor Web who have uncovered a new Trojan dubbed BackDoor.Yebot that’s capable of carrying out a wide range of destructive actions on an infected machine.

It’s spread via another piece of malware, Trojan.Siggen6.31836. When launched on the target machine, this injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending a request to the remote server it then downloads and decrypts BackDoor.Yebot and transfers control to it. Some features of Trojan.Siggen6.31836 are encrypted (and can be decrypted only while it’s being executed). It also incorporates mechanisms to verify the virtual machine in a target system and bypass User Account Control.


Multiple vector infection malware is more common today. Once the code has been allowed on the system it will infect many .dll files or others that are common to the operating system as a means to stay entrenched on the system. This is called ‘persistence’ and is the status quo. It is also important to note that these types of malware then in turn call out to command and control systems to gather more malware for that same persistence should the primary infection be detected and removed.

In the case of this particular malware it is important to understand the multiplicity of infections, the many means it then creates to exfil your data out of your domain, and the rapidity with which this can happen. What this means is that by the time an infection is detected, it has already had ample time to export your data to the adversaries.

Please note that this is not part of some exotic malware campaign by a nation state actor, this is in fact crimeware!

Bitcoin blockchain exploitation could allow for malware spreading

Bitcoin’s blockchain can do more than store transactions, according to new research from Kaspersky that demonstrates the way in which the cryptocurrency’s ledger can be used to store malware control mechanisms or provide access to illicit content.


As with anything on the Internet and in computing, the technology can be turned against you. In this case it is the blockchain, the primary means by which Bitcoin (a crypto currency) tracks its amounts and use, that can be used to infect systems. This likely will not be a big deal for many companies as yet because Bitcoin is still not widely used by corporations.

However, it is important to note that any users of the currency might fall prey to these attacks and those persons may work for you and use systems that not only connect to their daily lives but also your network as well.

  3. Vulnerabilities


Description: A vulnerability was reported in some dynamic random-access memory (DRAM) devices. A local user can obtain elevated privileges on the target system.

A local user can run a program that repeatedly accesses a row of memory to cause bits in adjacent rows to flip. This can be exploited to execute arbitrary code on the target system with kernel-level privileges.


This is a local exploit that can cause a flipping of bits in certain brands of DDR3 RAM. This then would result in compromising kernel level processes on the system attacked.

Technical Report:

We have shown two ways in which the DRAM rowhammer problem can be exploited to escalate privileges. History has shown that issues that are thought to be “only” reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to.

This is a problem for various brands of laptops and desktops that use the specific RAM mentioned in the article. Please consider looking at the systems in your environment and what RAM they use to ensure that you are not at a higher risk through mono-cultures in hardware.


FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.


As stated above in this report, the FREAK vulnerability is just one of a few that have come out over the last year. This section will rely more on the technical aspects of the vulnerability, but the statement above must be repeated:

The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses expect to see more attacks on this fundamental protocol which could compromise your whole environment.

This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once this has been broken by making a session insecure, an attacker can then steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.

Please click the links above to the CVE and the technical specs for this vulnerability and remediate in your networks.
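To make the FREAK downgrade concrete from the defender’s side, here is an added Python example that is not part of this report or of the CVE advisory it cites: it parses a raw TLS ServerHello record, flags an export-grade suite, and applies the checks a correct client makes before continuing (reject a suite it never offered, and reject an ephemeral RSA key in a non-export suite, which is the condition the vulnerable clients mishandled). The ServerHello bytes are constructed for the example; the cipher suite IDs are the values registered in the TLS 1.0/1.1 RFCs.

```python
import struct

# Cipher suite IDs as registered by RFC 2246 / RFC 4346 (TLS 1.0 / 1.1).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    **RSA_EXPORT_SUITES,
}


def parse_server_hello(record: bytes) -> dict:
    """Pull the version and negotiated suite out of a raw TLS ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                               # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    pos = 35 + sid_len                                # cipher suite follows the session id
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite,
            "name": SUITE_NAMES.get(suite, "unknown")}


def audit_handshake(record: bytes, client_offered: set, temp_rsa_bits=None) -> dict:
    """Checks a non-vulnerable client applies before it continues the handshake.

    client_offered: the suites the client really put in its ClientHello.
    temp_rsa_bits:  modulus size of an RSA key carried in ServerKeyExchange, if any.
    """
    info = parse_server_hello(record)
    suite = info["cipher_suite"]
    export = suite in RSA_EXPORT_SUITES
    findings = []
    if export:
        findings.append("export-grade suite negotiated: " + RSA_EXPORT_SUITES[suite])
    if suite not in client_offered:
        findings.append("server selected 0x%04x, which the client never offered; "
                        "a conforming client aborts here" % suite)
    if temp_rsa_bits is not None:
        if not export:
            findings.append("ephemeral RSA key in ServerKeyExchange for a non-export "
                            "suite; correct clients reject this (FREAK clients accepted it)")
        if temp_rsa_bits <= 512:
            findings.append("%d-bit RSA key is within reach of factoring, so the "
                            "premaster secret can be recovered" % temp_rsa_bits)
    info.update(export_suite=export, offered=suite in client_offered,
                findings=findings, proceed=not findings)
    return info


def build_server_hello(suite: int, version: int = 0x0301) -> bytes:
    """Constructed ServerHello (TLS 1.0, zero random, empty session id) for testing."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    strong = {0x002F, 0x0035}
    for label, rec, bits in [("normal", build_server_hello(0x002F), None),
                             ("freak-style", build_server_hello(0x002F), 512),
                             ("downgraded", build_server_hello(0x0003), None)]:
        r = audit_handshake(rec, strong, bits)
        print(label, r["name"], "proceed=%s" % r["proceed"], r["findings"])
```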

Security Advisory Feeds

Newsnow offers an aggregation of security advisories that is very helpful if you do not already have an RSS feed aggregated.


The importance of advisories and news sources to a security program cannot be overstressed. If you do not already aggregate security RSS feeds you should start to look toward doing so.

Websense XSS Vuln

Users of Websense Data Security that are reviewing DLP incidents can be attacked via cross site scripting. This issue can be exploited using a specially crafted email, or by sending a specially crafted HTTP request through the Websense proxy. The attacker-supplied code can perform a wide variety of attacks, such as stealing session tokens, login credentials, performing arbitrary actions as victims, or logging victims’ keystrokes.


Websense is a very common solution for web filtering and DLP for mid sized companies. This current vulnerability could lead to compromise of your internal networks as well as all the data within the DLP/Websense system. If you are running Websense with a DLP (Data Loss Prevention) module please go to the following link and update your console:

This issue is resolved in TRITON APX Version 8.0. More information about the fix can be found at the following location:

  4. Directed Threats Data

<enter your own data here from IDS/SIEM/AV/LOG CORRELATION> for your own organization and report on what you are seeing on your network.








Written by Krypt3ia

2015/04/07 at 15:27

Much Ado About Nothing: Team System DZ and Defacements

with one comment

Screenshot from 2015-03-27 08:35:58

Recently there was a spate of defacements by Team System DZ that has been making the rounds in the mainstream media. These defacements by Poti-SaDZ or Poti Sad Darky and his derpy bandito boyz, using daesh symbols and poorly written rhetoric, are nothing to write home about, yet the media spins their skiddie exploits into media gold. Well, I am here to set the record straight with you all. Poti, or Ahmed Saoudi, is just a derpy kid in Algeria with nothing better to do than deface sites with others’ tools. He, and they, are just looking for the lowest of low hanging fruit to garner some attention for themselves. In fact, Poti here has some poor OPSEC, as do many of his derpy little pals, as you can see below.

Screenshot from 2015-03-27 08:48:59

Screenshot from 2015-03-27 08:06:26

In the first picture there you see his folders as he is running a tutorial on uber lee7 h4x0ring in winderz. The second picture is one of more than a few where he fails to engage his proxy, and the handy little task bar there on the browser gives his home IP address(es) and respectively over time. Poti in fact logs in to the Team System DZ Facebook account without a proxy a couple of times and is likely unable to easily get on there because of issues with proxies, since ya know Zucky don’t play privacy.

Anyway, the IP space is for the following in Algeria:

IP address:
inetnum: –
netname:        RegChlef
descr:          region chlef
country:        DZ
admin-c:        SD6-AFRINIC
tech-c:         SD6-AFRINIC
status:         ASSIGNED PA
mnt-by:         DJAWEB-MNT
source:         AFRINIC # Filtered
parent: –

person:         Security Departement
address:        Alger
phone:          +21321911224
fax-no:         +21321911208
nic-hdl:        SD6-AFRINIC
source:         AFRINIC # Filtered

Other Data:

Poti-Sadz aka PoTi SaD DaRkY … ahmedsaoudik

Skype: poti_sad-dz

There are a lot of Ahmed Saoudis in the Skype phone book as well, but only a couple list Algeria as the location and one of them has 1992 attached to the name. So, 2015 – 1992 = 23, which would be a prime age range for this kind of stupid kid activity, no?

Skype: ahmed.saoudi1992

Give em a shout and see! Look, what I am saying here is that in looking at these guys I would have to say that they are not the daesh A-Team of hacking. I would also say that perhaps they could be behind the last derpy Googling of some military names and posting a hitlist online thing. That there was also something that the media went nova on, and in reality “no va” is really more appropriate.


Anywho, I just thought I would dump this little OSINT OPSEC FAILTACULAR on you all.

Enjoy the lulz…


Written by Krypt3ia

2015/03/27 at 15:08

