
Saturday, February 21, 2015

SIM Card Maker Hacked by NSA, Billions of Keys Stolen

The Intercept has an extraordinary story: the NSA and/or GCHQ hacked into the Dutch SIM card manufacturer Gemalto, stealing the encryption keys for billions of cell phones. People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards.
"We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can."
I think this is one of the most important Snowden stories we've read.

Common Password "Mustang" Is in 16th Position

This is what happens when a PR person gets hold of information he really doesn't understand.
"Mustang" is the 16th most common password on the Internet according to a recent study by SplashData, besting both "superman" in 21st place and "batman" in 24th.
Mustang is the only car to appear in the top 25 most common Internet passwords.
That's not bad. If you're a PR person, that's good.
Here are a few suggestions for strengthening your "mustang" password:
  • Add numbers to your password (favorite Mustang model year, year you bought your Mustang or year you sold the car)
  • Incorporate Mustang option codes, paint codes, engine codes or digits from your VIN
  • Create acronyms for modifications made to your Mustang (FRSC, for Ford Racing SuperCharger, for example)
  • Include your favorite driving road or road trip destination
Keep in mind that using the same password on all websites is not recommended; a password manager can help keep multiple Mustang-related passwords organized and easy to access.
At least they didn't sue users for copyright infringement.
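To see how little Ford's advice buys, here is an added example (not from Schneier's post or from Ford's material) that enumerates the candidate space those rules imply and checks a password against it, the way a targeted wordlist attack would. The year range, separators and option codes are constructed guesses; an attacker who read the same press release would make the same ones:

```python
import itertools
import string

# Constructed inputs an attacker who read the same press release would use.
BASES = ["mustang", "Mustang", "MUSTANG"]
SEPARATORS = ["", "_", "-", "!"]
MODEL_YEARS = [str(y) for y in range(1964, 2016)]     # first model year to the current one
SHORT_YEARS = [y[2:] for y in MODEL_YEARS]            # "64" .. "15"
CODES = ["GT", "GT500", "5.0", "302", "351", "FRSC", "SVT", "Boss", "Mach1"]  # assumed option/engine codes

def mustang_candidates():
    """Every password the press release's rules can produce from these inputs."""
    found = set()
    suffixes = MODEL_YEARS + SHORT_YEARS + CODES
    for base, sep in itertools.product(BASES, SEPARATORS):
        for extra in suffixes:
            found.add(f"{base}{sep}{extra}")   # mustang + year / code
            found.add(f"{extra}{sep}{base}")   # year / code + mustang
    return found

def is_guessable(password, candidates=None):
    """True if a targeted wordlist built from the advice contains the password."""
    return password in (candidates or mustang_candidates())

def random_space(length, alphabet=string.ascii_letters + string.digits):
    """Number of equally likely passwords of the given length from a random generator."""
    return len(alphabet) ** length

if __name__ == "__main__":
    wordlist = mustang_candidates()
    print(len(wordlist), "candidates")
    for pw in ("Mustang1967", "GT500mustang", "mustang!5.0", "correct horse battery staple"):
        print(f"{pw!r:35} guessable={is_guessable(pw, wordlist)}")
    print("a random 10-character password space is", random_space(10) // len(wordlist), "times larger")
```

The whole "strengthened" space is a few thousand strings, which any cracking tool tries in well under a second; a password manager generating random 10-character passwords gives a space roughly fourteen orders of magnitude larger.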

Lenovo Shipped Malware By Default

It's not just national intelligence agencies that break your HTTPS security through man-in-the-middle attacks. Corporations do it, too. For the past few months, Lenovo PCs have shipped with an adware app called Superfish that man-in-the-middles TLS connections: it installs its own root certificate in the Windows trust store and re-signs every site's certificate with it, so the browser shows no warning.
Here's how it works, and here's how to get rid of it.
And you should get rid of it, not merely because it's nasty adware. It's a security risk. The Superfish root certificate and its private key are identical on every affected machine, and the password protecting that key has been cracked -- here it is -- so anyone with it can forge a certificate for any site and perform the same man-in-the-middle attack on your traffic.
Since the story broke, Lenovo has gone from completely misunderstanding the problem to turning off the app and now removing it from its computers. Note that uninstalling the application alone is not enough: the root certificate stays in the trust store until it is removed separately.
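A practical check, added here and not taken from Lenovo or the linked write-ups: list the root certificates the local TLS stack trusts and flag self-signed ones whose subject names a known interception product. The Python ssl module's get_ca_certs() returns the loaded roots as dictionaries; the sample entries below are constructed in that shape, and the Superfish subject string and the marker list are assumptions for illustration:

```python
import ssl

# Constructed sample in the shape SSLContext.get_ca_certs() returns: a list of
# dicts whose 'subject' and 'issuer' are tuples of RDNs, each RDN a tuple of
# (attribute, value) pairs. The Superfish entry is an assumption for illustration.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root CA"),)),
     "issuer": ((("countryName", "US"),),
                (("organizationName", "DigiCert Inc"),),
                (("commonName", "DigiCert Global Root CA"),))},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("countryName", "US"),),
                (("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),))},
]

# Substrings that identify known interception roots (assumed list; extend as needed).
ROGUE_MARKERS = ("superfish", "komodia")

def rdn_value(name, attribute):
    """Pull one attribute (e.g. commonName) out of a get_ca_certs() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return ""

def find_rogue_roots(certs, markers=ROGUE_MARKERS):
    """Self-signed roots whose subject matches a marker; returns their common names."""
    hits = []
    for cert in certs:
        subject = cert.get("subject", ())
        if subject != cert.get("issuer", ()):
            continue                               # not self-signed, so not a root
        label = f"{rdn_value(subject, 'organizationName')} {rdn_value(subject, 'commonName')}"
        if any(marker in label.lower() for marker in markers):
            hits.append(rdn_value(subject, "commonName") or label.strip())
    return hits

def scan_system_store():
    """Load the platform trust store (the Windows ROOT store on Windows) and scan it."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return find_rogue_roots(ctx.get_ca_certs())

if __name__ == "__main__":
    print("sample store:", find_rogue_roots(SAMPLE_STORE))
    print("this machine:", scan_system_store() or "nothing matched")
```

Two caveats: on Linux, roots that OpenSSL loads lazily from a hashed directory may not appear in get_ca_certs(), and a name match only catches roots you already know about. The stronger check is to diff the installed roots against a known-good bundle and investigate anything extra.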

Saturday, February 7, 2015

Facebook Will Soon Be Able To ID You In Any Photo

Appear in a photo taken at a protest march, a gay bar, or an abortion clinic, and your friends might recognize you. But a machine probably won't — at least for now. Unless a computer has been tasked to look for you, has trained on dozens of photos of your face, and has high-quality images to examine, your anonymity is safe. Nor is it yet possible for a computer to scour the Internet and find you in random, uncaptioned photos. But within the walled garden of Facebook, which contains by far the largest collection of personal photographs in the world, the technology for doing all that is beginning to blossom.

How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars

BMW recently fixed a security hole in its ConnectedDrive software, which left 2.2 million cars open to remote attacks. Security expert Dieter Spaar reverse engineered the system and found some serious flaws [note: if you'd prefer English to German, try this translation], including the same symmetric keys being used in all vehicles, messages between the car and the BMW backend being sent unencrypted, and the outdated DES cipher being used where encryption was applied at all.

Utah Cyberattacks, Up To 300 Million Per Day, May Be Aimed At NSA Facility

Five years ago, Utah government computer systems faced 25,000 to 30,000 attempted cyberattacks every day. At the time, Utah Public Safety Commissioner Keith Squires thought that was massive. "But this last year we have had spikes of over 300 million attacks against the state databases" each day: a 10,000-fold increase. Why? Squires says it is probably because Utah is home to the new, secretive National Security Agency computer center, and hackers believe they can somehow get to it through state computer systems. "I really do believe it was all the attention drawn to the NSA facility. In the cyberworld, that's a big deal," Squires told a legislative budget committee Tuesday. "I watched as those increases jumped so much over the last few years. And talking to counterparts in other states, they weren't seeing that amount of increase like we were."

NSA Depends On Hackers For Information

In the latest article based on the Snowden documents, the Intercept is reporting that the NSA and GCHQ are piggy-backing on the work of hackers:
In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. "Hackers are stealing the emails of some of our [targets] ... [by] collecting the hackers' 'take,' we ... get access to the emails themselves," reads one top secret 2010 National Security Agency document.

GPG Funding Depends On One Guy

Werner Koch, who has been maintaining the GPG e-mail encryption program since 1997, is going broke and considering quitting.
Updates to the article say that, because of the article, he has received substantial contributions to continue.

Tracking The Ongoing Bitcoin Scams

Interesting paper: "There's No Free Lunch, Even Using Bitcoin: Tracking the Popularity and Profits of Virtual Currency Scams," by Marie Vasek and Tyler Moore.
Abstract: We present the first empirical analysis of Bitcoin-based scams: operations established with fraudulent intent. By amalgamating reports gathered by voluntary vigilantes and tracked in online forums, we identify 192 scams and categorize them into four groups: Ponzi schemes, mining scams, scam wallets and fraudulent exchanges. In 21% of the cases, we also found the associated Bitcoin addresses, which enables us to track payments into and out of the scams. We find that at least $11 million has been contributed to the scams from 13,000 distinct victims. Furthermore, we present evidence that the most successful scams depend on large contributions from a very small number of victims. Finally, we discuss ways in which the scams could be countered.
News article.

Embedding a Code in a Pop Song

In Colombia:
The team began experimenting with Morse code using various percussion instruments and a keyboard. They learned that operators skilled in Morse code can often read the signals at a rate of 40 words per minute, but played that fast, the beat would sound like a European dance track. "We discovered the magic number was 20," says Portela. "You can fit approximately 20 Morse code words into a piece of music the length of a chorus, and it sounds okay."

Portela says they played with the Morse code using Reason software, which gives each audio channel or instrument its own dedicated track. With a separate visual lane for certain elements, it was possible to match the code to the beat of the song -- and, crucially, blend it in.
Hiding the Morse code took weeks, with constant back-and-forth with Col. Espejo and the military to make sure their men could understand the message. "It was difficult because Morse code is not a musical beat. Sometimes it was too obvious," says Portela. "Other times the code was not understood. And we had to hide it three times in the song to make sure the message was received."
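An added example, not the production team's code, of the arithmetic behind the "magic number": standard Morse timing (the word PARIS is 50 dit units including its trailing gap, so one dit is 1.2 / wpm seconds) encodes a message, computes how long it plays at a given speed, how many standard words fit in a chorus, and how many dits land inside one musical beat. The message and tempo are constructed for illustration:

```python
# Added example: Morse timing arithmetic. The message used below is constructed
# for illustration, not the text hidden in the actual song.
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}

# Standard timing: dit = 1 unit, dah = 3, gap inside a letter = 1,
# gap between letters = 3, gap between words = 7. PARIS plus its trailing
# word gap is 50 units, which is what "words per minute" is measured against.
UNITS_PER_STANDARD_WORD = 50

def encode(text):
    """Return the message as a list of words, each a list of Morse codes."""
    words = []
    for word in text.upper().split():
        codes = []
        for ch in word:
            if ch not in MORSE:
                raise ValueError(f"no Morse code for {ch!r}")
            codes.append(MORSE[ch])
        words.append(codes)
    return words

def duration_units(text):
    """Total length of the message in dit units, gaps included."""
    units = 0
    for wi, codes in enumerate(encode(text)):
        if wi:
            units += 7                      # gap between words
        for ci, code in enumerate(codes):
            if ci:
                units += 3                  # gap between letters
            units += sum(1 if s == "." else 3 for s in code) + (len(code) - 1)
    return units

def dit_seconds(wpm):
    return 60.0 / (wpm * UNITS_PER_STANDARD_WORD)   # the usual 1.2 / wpm

def duration_seconds(text, wpm):
    return duration_units(text) * dit_seconds(wpm)

def words_per_chorus(chorus_seconds, wpm):
    """How many standard words fit in a chorus of the given length."""
    return int(chorus_seconds * wpm / 60)

def dits_per_beat(wpm, bpm):
    """Dits that fall inside one beat; the more there are, the less it sounds like music."""
    return (60.0 / bpm) / dit_seconds(wpm)

if __name__ == "__main__":
    msg = "THREE RESCUED KEEP HOPE"        # constructed sample message
    for wpm in (20, 40):
        print(wpm, "wpm:", round(duration_seconds(msg, wpm), 2), "s,",
              round(dits_per_beat(wpm, 120), 1), "dits per beat at 120 bpm,",
              words_per_chorus(60, wpm), "words in a 60 s chorus")
```

At 20 wpm a dit is 60 ms and a standard word takes three seconds, so a one-minute chorus holds 20 words; at 40 wpm the dit shrinks to 30 ms, more than 16 pulses per beat at 120 bpm, which is why the faster rate stopped sounding like a rhythm.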

Tuesday, February 3, 2015

IT Audit Operational Risk & Unease

Don’t die of shock here, but audit committees are still overworked and unsure how to handle new risks confronting Corporate America.

So says the 2015 edition of the KPMG Audit Committee Survey, whose findings sound strikingly similar to the 2014 report one year ago. Audit committees are confident in the support they get from compliance officers about financial reporting and regulatory risks, very confident in their own abilities to digest all that information, and lost in the woods with cyber-security.

Let’s start with the good news on financial reporting. On all major tasks within that broad category—assessing adequacy of financial controls, evaluating the external auditor, reviewing financial filings, and the like—a large percentage of audit committee members said they spend the right amount of time on those issues, and don’t expect to need more time on them in 2015. Almost all survey respondents (98 percent) rate their oversight of financial reporting and disclosure issues as either “highly effective” or “generally effective.”

All that fits. Nobody relishes the joy of Sarbanes-Oxley compliance, but like it or not, SOX has instilled a discipline and attention to financial control over the last 10 years. These high marks on financial reporting are essentially unchanged from last year, and they’re likely to stay high in the future. SOX compliance is a lot like going to the gym: you feel awful the first time you do it, but over time you gain strength and get healthy. The same thing is happening here.

Now, on to the bad news—because lots of it falls squarely onto the compliance officer’s shoulders.

Boards are a lot less confident about their oversight of operational risks, cyber-security, and the overall pace of technology change; they want to spend more time on all those issues in 2015. Only 36 percent rated their relationship with the chief compliance officer as “excellent,” although another 24 percent rated it as “good but issues arise periodically” and only 10 percent said it needs improvement. Forty percent say the job is getting increasingly difficult to manage given the time they have; 8 percent say they already don’t have enough time to fulfill their role.

All that fits, too. All those points of data feed into one master problem: that operational risks are growing too complicated. Compliance officers struggle to impose controls over them, and audit committees struggle to understand how all those operational risks affect a company’s ability to act strategically.

Cyber-security is an easy example. Fifty-five percent of audit committee members want to spend more time on that issue in 2015, and 41 percent say the quality of information they receive about cyber-security risks needs improvement. No surprise there, right?

Look more closely at other, related questions. At the same time so many audit committee members worry about cyber-security, even more survey respondents (61 percent) said they want to spend more time on internal controls for operational risk, and 50 percent want to spend more time understanding the pace of technology change.

All these concerns are one and the same. Rapid technology change (say, storing customer data in the cloud) short-circuits your operational controls (keeping customer data under the company's watchful eye), which then causes a cyber-security risk (your data gets stolen from the cloud provider). Or to put it another way, technology is changing faster than a compliance officer's ability to build controls, policies, and procedures around it. Hence you face more risks, and almost all of those risks involve the security of your data.

Building a system of effective internal control over operational risk clearly is in the chief compliance officer’s realm of responsibility. It requires someone who knows the regulatory requirements and the business risks that face your company, and how to create policies and procedures to address them. That’s what a chief compliance officer does. And with close help from the internal audit team, you then test those policies and procedures to be sure they work to keep operational risks in check.

That's all at a theoretical level, however; in practice, operational risks are so diverse, and so fluid, that building adequate internal controls for them is incredibly difficult. All financial reports follow the same basic structure, so financial reporting risks are generally similar from one company to the next. Operational risks differ from one company to the next, and regulators only care that you do comply with their regulations, not how you achieve compliance.

Which all means that internal control for operational risks is going to be a long, hard slog, with plenty of improvisation and trial-and-error along the way. No wonder audit committees want more time to consider them. 

This post originally appeared in the Feb. 2 edition of Compliance Week.

Set Up Your Own Security Operations Centre

What Is a SOC?

A SOC can be defined as the combination of the following components:

• Management system
• Analyst systems
• Contextual information
• Incident response

Why Do You Need a SOC?

A central location to collect information on threats:
• External Threats
• Internal Threats
• User activity
• Loss of systems and personal or sensitive data
• Provide evidence in investigations

Keeping your organization running by maintaining:
• Health of your network and systems

Aren't a Firewall, IDS and AV Enough?

A firewall is a known quantity to attackers: it protects your systems, not your users.

Anti-virus lags behind new threats: it matches files against signatures, not traffic patterns.

An IDS alerts on an event but doesn't provide context. The context has to come from:

  • System logs
  • Proxy logs
  • DNS logs
  • Information from other people

(Figure: a single IDS on a switch)

(Figure: multiple IDS sensors on a switch)

Activities that help you discover the criteria for custom IDS rules:

  • Test by creating rules on the IDS
  • Test configuration changes
  • A test sensor can also serve as a backup
  • Use malware samples to test the system
  • Try known attack procedures

How to Analyze a Suspected Malware Incident

Step 1: Collect the input from the IDS
Step 2: Look at the network capture
Step 3: Look at the firewall log
Step 4: Look at the proxy logs
Step 5: Look at the AV logs
Step 6: Look at the system logs
Step 7: Talk to the user to fill in the detail
Step 8: Take action (incident response)
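An added example, not from the original page, of Steps 1 through 6 as code: given an IDS alert, pull the DNS, proxy, firewall, AV and system log lines that mention the alerting host within a few minutes of the alert into one timeline, then check which other hosts contacted the same destination (the scoping question Step 8 depends on). The log formats and every line below are constructed sample data; real logs need their own parsers:

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not real logs: one workstation (10.0.5.23) resolves a
# name, downloads a zip through the proxy, starts a new process, fails AV
# quarantine, and then beacons out; the IDS fires on the beacon.
IDS_ALERT = ("2015-02-03T09:14:05 snort [1:2000001:1] possible C2 beacon "
             "10.0.5.23:49211 -> 203.0.113.7:443")

LOGS = {
    "dns": [
        "2015-02-03T09:10:02 query 10.0.5.23 update-cdn.example.net A 203.0.113.7",
        "2015-02-03T09:10:40 query 10.0.5.88 intranet.corp.example A 10.0.1.10",
    ],
    "proxy": [
        "2015-02-03T08:30:00 10.0.5.23 GET http://www.example.com/ 200 text/html 8000",
        "2015-02-03T09:10:03 10.0.5.23 GET http://update-cdn.example.net/inv.zip 200 application/zip 45120",
    ],
    "firewall": [
        "2015-02-03T09:13:58 ALLOW TCP 10.0.5.23:49211 203.0.113.7:443",
        "2015-02-03T09:14:30 DENY TCP 10.0.5.23:49300 198.51.100.9:6667",
        "2015-02-03T09:15:02 ALLOW TCP 10.0.5.41:50133 203.0.113.7:443",
    ],
    "av": [
        "2015-02-03T09:12:10 host=ws-0523 ip=10.0.5.23 detection=Trojan.Generic "
        "file=C:\\Users\\j\\Downloads\\inv.zip action=quarantine_failed",
    ],
    "system": [
        "2015-02-03T09:11:20 ws-0523 10.0.5.23 new process C:\\Users\\j\\AppData\\Local\\Temp\\inv.exe",
    ],
}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(rf"^(\S+) .*?({IP}):(\d+) -> ({IP}):(\d+)$")
FLOW_RE = re.compile(rf"({IP}):\d+ ({IP}):\d+")

def parse_alert(line):
    """Step 1: timestamp, source and destination out of the IDS alert."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert format")
    ts, src, _sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)}

def mentions(ip, line):
    """True if the line contains ip as a whole address (10.0.5.23, not 10.0.5.230)."""
    return re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line) is not None

def correlate(alert, logs, window_minutes=5):
    """Steps 2-6: every log line about the alerting host near the alert time, in order."""
    window = timedelta(minutes=window_minutes)
    timeline = []
    for source, lines in logs.items():
        for line in lines:
            ts = datetime.fromisoformat(line.split(" ", 1)[0])
            if abs(ts - alert["ts"]) <= window and mentions(alert["src"], line):
                timeline.append((ts, source, line))
    return sorted(timeline)

def other_hosts_talking_to(logs, dst_ip, exclude):
    """Scope check: which other internal hosts reached the same destination?"""
    hosts = set()
    for line in logs.get("firewall", []):
        m = FLOW_RE.search(line)
        if m and m.group(2) == dst_ip and m.group(1) != exclude:
            hosts.add(m.group(1))
    return hosts

def triage(alert_line, logs):
    alert = parse_alert(alert_line)
    timeline = correlate(alert, logs)
    return {
        "host": alert["src"],
        "timeline": timeline,
        "sources": sorted({source for _, source, _ in timeline}),
        "other_hosts": other_hosts_talking_to(logs, alert["dst"], alert["src"]),
    }

if __name__ == "__main__":
    result = triage(IDS_ALERT, LOGS)
    for ts, source, line in result["timeline"]:
        print(ts.time(), f"{source:8}", line.split(" ", 1)[1])
    print("also contacted the destination:", result["other_hosts"] or "nobody")
```

The timeline is what the bare IDS alert lacks: the download that preceded the beacon, the process that ran, and the failed quarantine. The scope check turns up a second host that reached the same destination, which is the kind of finding that changes Step 8 from "reimage one machine" to "contain two".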

90 Percent Increase in Global DDoS Attacks Observed From Q3 to Q4

In the final quarter of 2014, enterprises around the globe were targeted with an influx of distributed denial-of-service (DDoS) attacks, which topped even experts' expectations for the period – a season typically rife with such attacks.

According to Akamai Technologies' Q4 2014 State of the Internet Security Report (PDF) released Thursday, 90 percent more DDoS attacks against companies were observed in the last quarter of the year compared to Q3 2014, and 57 percent more than in Q4 2013, the report said.

The global report noted that the U.S., followed by China, Germany and Mexico, were among the top 10 source countries for DDoS attacks last quarter. 

During the period, Akamai mitigated nine attacks that exceeded 100 Gbps, the report added. The verticals targeted with the highest-bandwidth DDoS attacks were the media and gaming industries, with the latter being hit with the last four “mega-attacks,” exceeding 100 Gbps, of the year.

John Summers, vice president of Akamai's Security Business, said in an interview that the firm "always sees a big increase [in attacks] around the Christmas season," but they were "more pronounced than any of us anticipated" that quarter.

The report also noted that the gaming industry received 35 percent of all DDoS attacks in Q4, which was “driven by a surge in attack activity at the end of December.” 

“Gaming remained the most targeted industry since Q2 2014 and experienced a 2 percent increase this quarter. In Q4, attacks were fueled by malicious actors seeking to gain media attention or notoriety from peer groups, damage reputations and cause disruptions in gaming services. Some of the largest console gaming networks were openly and extensively attacked in December 2014, when more players were likely to be affected. Another trend was the holding of networks hostage, where the owners were asked to pay a small ransom to stop a DDoS attack,” the report said. 

Akamai also highlighted a DDoS attack vector in the report, called "XMAS-DDoS," which was launched by a hacking group claiming to be Lizard Squad, and stood as the only TCP (Transmission Control Protocol) attack that surpassed 100 Gbps in Q4. The attack uses a "Christmas tree" packet, a TCP segment with an unusual combination of flags lit up at once, hence the name "XMAS-DDoS."

The report noted that “Some of the aspects that make this attack unique also make it less effective. For example, some of the TCP flag combinations do not even render a response from the target.”

Despite this finding, the XMAS-DDoS vector was used in one of the nine "mega-attacks" Akamai observed that quarter.

“Regardless, the attack achieved its goal by generating high traffic volumes and high packet rates…This is enough traffic to hinder or completely clog most corporate infrastructures – and it highlights the ongoing development of DDoS tools,” the report said.
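An added example, not from the Akamai report: a minimal parser that reads the flags byte out of a raw TCP header, classifies Christmas-tree and other flag combinations that never occur in a legitimate session, and counts abnormal packets per source so a flood stands out from a stray scan. The packets are constructed with struct rather than captured, and the threshold is an assumption; as the report notes, some of these combinations draw no reply from the target, which is exactly why their only purpose is volume:

```python
import struct
from collections import Counter

# TCP flag bits as they appear in byte 13 of the header (RFC 793 plus the ECN bits).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
XMAS = FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"]

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Pack a minimal 20-byte TCP header (constructed test data; checksum left zero)."""
    data_offset = 5 << 4                      # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)

def tcp_flags(header):
    """Return the set of flag names set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    flags = struct.unpack("!HHIIBB", header[:14])[5]
    return {name for name, bit in FLAG_BITS.items() if flags & bit}

def classify(flags):
    """Label a flag combination; anything but 'normal' does not occur in a real session."""
    if flags >= {"FIN", "PSH", "URG"}:
        return "xmas"                         # Christmas tree: the lights are on
    if not flags:
        return "null"                         # no flags at all
    if "SYN" in flags and flags & {"FIN", "RST"}:
        return "invalid"                      # SYN combined with FIN or RST
    return "normal"

def suspicious_sources(packets, threshold=3):
    """Sources that sent at least `threshold` abnormal-flag packets."""
    abnormal = Counter(src for src, header in packets
                       if classify(tcp_flags(header)) != "normal")
    return {src for src, n in abnormal.items() if n >= threshold}

# Constructed sample traffic: one source floods Christmas-tree packets,
# another sends an ordinary handshake and a single stray null packet.
SAMPLE_PACKETS = (
    [("198.51.100.5", build_tcp_header(40000 + i, 80, XMAS)) for i in range(5)]
    + [("192.0.2.1", build_tcp_header(51000, 80, FLAG_BITS["SYN"])),
       ("192.0.2.1", build_tcp_header(51000, 80, FLAG_BITS["ACK"])),
       ("192.0.2.1", build_tcp_header(51001, 80, 0))]
)

if __name__ == "__main__":
    for src, header in SAMPLE_PACKETS[:1] + SAMPLE_PACKETS[5:]:
        print(src, sorted(tcp_flags(header)), classify(tcp_flags(header)))
    print("flood sources:", suspicious_sources(SAMPLE_PACKETS))
```

The same byte-13 check is what a firewall or IDS rule for "illegal flag combinations" reduces to; the per-source count is what separates a port scanner sending one Christmas-tree probe from a flood sending millions.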

How to overcome the daily challenges of a security team

The constantly evolving cyber threat landscape is resulting in new challenges and approaches for today’s security analyst teams.

In the past, companies looked at the importance of hiring talented and experienced CISOs to lead the establishment of security and incident-response teams. Now, emerging threats posed by advanced cybercriminals and the possible damage of a sophisticated rogue insider are changing that trend as companies move beyond traditional security methods and adopt new strategies such as profiling user behavior and leveraging big data analytics. As a result, more companies are shifting towards understanding the importance of hiring diverse teams of talented individuals to develop and then implement these new methods and technologies to secure the cyber front.

With that in mind, the institutionalization of in-house security and incident response as a distinct profession has created three major challenges for large enterprises:

1. Regulations – The fact that attacks are becoming more common has created a beast. Companies nationwide are constantly learning from each other's mistakes and are forming an ever-extending list of internal regulations aimed at preventing yesterday's attacks. While no company wants to be the next Target, or to discover the next Ed Snowden, strict security regulations demand growing attention from the exact people who are supposed to always be on the highest alert.

2. Routine – Sets of regulations are usually accompanied by a strict response protocol and create every analyst's nightmare. Endless sheets of potential cases and responses are carefully drafted to make sure no analyst will miss a crucial step when dealing with an incoming alert. While no two incidents are the same, one of the toughest challenges analysts face is to keep treating every alert like it's their first. Eventually, and usually in the later hours of the day, routine becomes a key factor.

3. Abundance – Data sources and analytical tools are flooding security teams these days. The ability to correlate events from every part of the company's network has become a top priority. Instead of looking where attackers and rogue insiders may be doing their harm, we often flood ourselves with information that has the dangerous potential of making us look away from where threats are most often found.

So how does a security team go about prioritizing different possible risk factors? While there are no simple answers, a small shift in approach is in many cases the first step in the right direction. We offer these suggestions to struggling and successful security teams alike:

1. Gain visibility – Security services are now sold in bundles, separately, and sometimes even two for the price of one. One thing you can be sure of is that new technologies and services now come in great packaging, bright colors, big buttons and cleaner interfaces. Security teams should look for tools that provide immediate value and surface the events that usually go undetected. In an era of stealthier attackers and rogue insiders, better visibility is the first key to mitigating today's threats.

2. Beware of false positives – With security practices becoming stricter and more protocol-bound, new technologies and services hold the biggest promise of freeing security analysts from day-to-day routine. Beware of services that promise to reduce handling time but hide a high false-positive rate. Look not only for the most efficient platform, but for the one that delivers the better end result.

Sunday, February 1, 2015

Ransomware: The Cost of a Life

Last week, the information security community was saddened to learn of Joseph Edwards, a 17-year-old secondary school student who committed suicide after his computer became infected with ransomware.
Edwards' computer was infected by Reveton (or "Police Ransomware"), a common type of malware that locks a victim's computer, claims that the victim is in trouble with law enforcement authorities for having looked at illegal websites, and demands a fine in order to stop the police from investigating them.
In this case, Edwards was a grade-A student with Autism, a neurodevelopmental disorder that, in his mother’s opinion, may have prevented him from understanding both the illegitimacy of the scam, as well as the implications of his subsequent actions.
Even so, this tragedy is not lost on information security professionals.
In observance of International Data Privacy Day, which occurred on January 28, Tripwire would like to honor Joseph Edwards’ memory by providing a detailed guide on ransomware, including what it is, how it works, steps users can take if they find themselves victims of ransomware, and what measures people can take to protect their computers against it.

Ransomware: A Bitcoin (Or Two) for Your Files

Ransomware is a type of malware that cybercriminals use to extort money from their victims. This type of malware activates when a user clicks on a phishing link or opens a suspicious email attachment (usually a “.zip” file), triggering the ransomware program to install on a user’s computer.
Security experts generally agree that there are two different types of ransomware. The first, known as "WinLocker," is the less harmful of the two. WinLocker locks the computer screen and demands that the user pay a ransom fee in order to have access restored.
There are many strains of ransomware that replicate WinLocker's method of attack. For instance, "MBR ransomware" overwrites the master boot record of the computer's hard drive. This interrupts the normal boot process, and the attackers display a ransom demand in its place.
Notwithstanding the disruptions they may cause to normal computer functions, WinLocker and MBR ransomware are not too different from "scareware," malware that tries to frighten users into purchasing licenses for usually ineffective rogue anti-virus software.
The second type of ransomware, however, is by far more serious than WinLocker. Instead of locking computer screens or interrupting a computer's boot process, crypto-ransomware, which began with CryptoLocker back in the fall of 2013, encrypts the user's personal files (documents such as ".doc" and ".xls" files, among many other types). The attackers then demand that the users pay a ransom (usually between $200 and $3,000, payable in Bitcoin) in exchange for the decryption key to their files.
But it is more sinister than that. CryptoLocker uses asymmetric encryption, a form of encryption that involves both a public and a private key. The malware fetches a public key from the attacker's server and uses it to lock the user's files (in practice, to wrap the per-file symmetric keys that do the encrypting), whereas the matching private key is needed for decryption. That private key never leaves the attacker's server, which means that without it, or a backup, users have little hope of recovering their files.
In an effort to heighten the psychological effects of infection, attackers oftentimes use hyperbolic language in their ransom demands to accuse their victims of illegal behavior, including accessing child pornography websites or accessing sensitive law enforcement documents. They also commonly include a date and time after which the decryption keys for the victim’s files will expire, thereby heightening the urgency of payment.
The consequences of infection for the user therefore vary. If infected by WinLocker or MBR ransomware, the user will likely experience only a minor loss in productivity as they take the time to remove the malware from their computer. However, users whose files are encrypted by CryptoLocker could lose years and years of work. In a case like Edwards', a victim who does not understand the true extent of the scam might even decide to take their own life.
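An added example, not from the Tripwire article: a scan that flags documents that no longer look like documents, either because their file header no longer matches the format their extension claims or because their content has the near-uniform byte distribution of ciphertext. That is the observable effect of the encryption described above, and it is one of the few signals a machine can act on before the ransom note appears. The magic-byte table, extension lists and entropy threshold are assumptions, and the sample files are built in a temporary directory; already-compressed formats (.docx, .jpg, .png) are judged by header only, because compressed data is high-entropy by nature:

```python
import math
import os
import tempfile
from collections import Counter

# File-header signatures for formats a document folder typically holds.
# Assumed table, not exhaustive. Compressed formats are judged by header only.
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {".doc": OLE, ".xls": OLE, ".ppt": OLE, ".pdf": b"%PDF",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG"}
PLAIN_TEXT = {".txt", ".csv", ".rtf", ".xml"}       # no fixed header; judged by entropy
ENTROPY_THRESHOLD = 7.5                            # bits per byte; assumed cut-off

def shannon_entropy(data):
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name, head, threshold=ENTROPY_THRESHOLD):
    """Does the start of this file contradict what its extension says it is?"""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    if ext in PLAIN_TEXT:
        return len(head) >= 256 and shannon_entropy(head) > threshold
    return False                                   # not a watched type

def scan_directory(root):
    """Return the watched files under root that no longer look like their type."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(65536)
            if head and looks_encrypted(name, head):
                flagged.append(name)
    return sorted(flagged)

def build_sample_tree():
    """Constructed sample files: two intact documents and two overwritten with random bytes."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    samples = {
        "report.doc": OLE + b"Quarterly report. Revenue grew modestly. " * 200,
        "notes.txt": b"Meeting notes: discussed the backup rotation schedule.\n" * 100,
        "budget.xls": os.urandom(8192),            # stands in for an encrypted file
        "photo.jpg": os.urandom(8192),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print("suspect files:", scan_directory(build_sample_tree()))
```

Run periodically over a file share, or wired to a file-system watcher, a handful of hits in a minute from one user's folders is the signal to pull that machine off the network; it is a trigger for investigation, not a verdict, since a legitimately encrypted archive will trip it too.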

Ransomware – How to Remove It From Your Computer

Removing ransomware from your computer depends on the infection type and severity. If the ransomware has merely locked your web browser (a "browser locker"), you can navigate to your computer's applications and force quit the browser. When the browser restarts, it will ask whether you would like to restore your previous session. Make sure you click "No" to avoid re-loading the ransomware page into your browser.
Unfortunately, most strains of ransomware are not so easily expunged. This leaves users with two options. If they are computer savvy, they can remove the malware's files and its persistence entries (registry run keys, scheduled tasks) by hand. For all other users, it is recommended that they run an on-demand malware scanner, such as Malwarebytes.
In some instances, the ransomware may not permit an on-demand scanner to run. If this occurs, users should either boot an offline malware scanner, such as USB-based anti-virus software, or restore their computer to a previous state using either System Restore (Windows) or Recovery Mode (Mac).
For the most extreme cases, users can also conduct a full factory reset of their computers, which will eradicate all system modifications, including user data and any lingering strains of ransomware.
Under no circumstances should users ever pay a ransom. Attackers leverage locked screens and encrypted personal files to extort money, nothing more. Once they have received payment, they are under no obligation to restore users' computers to their normal functionality. Additionally, attackers have used the payment and "decryptor" delivery process itself to drop Trojans, keyloggers, and other malicious software. With this in mind, users should focus first and foremost on removing the ransomware infection from their computers.

Safeguards Against Ransomware

Given the damaging effects of ransomware, it is imperative that users take a series of precautions to protect themselves against infection. These include the following:
  • Install and regularly update real-time anti-virus software: As opposed to on-demand malware scanners, anti-virus software constantly searches a user’s computer for malware. These solutions are therefore the first line of defense in users’ fight against ransomware.
  • Use cyber security common sense: Security awareness goes a long way in preventing malware infections. Acknowledging this, users should not open any attachments from suspicious emails and should learn how to spot a phishing email.
  • Load an update whenever it becomes available: Updates to web browsers and other applications often contain security patches for known vulnerabilities. By installing each update, users thus close a flaw that attackers could otherwise exploit to load ransomware onto their computers.
  • Back up your files often: CryptoLocker derives its power from holding the keys to a user's files. However, if a user has current backups of their data, they can focus on removing the ransomware from their computer without worrying about losing their files. As a result, users should frequently back up any information they cannot afford to lose. Keep at least one copy offline or otherwise not writable from the infected machine: crypto-ransomware also encrypts attached drives and mapped network shares, and a backup it can reach is a backup it will encrypt.

Data Protection and the User

Ransomware operators use fear and intimidation to get what they want, often leaving users with a feeling of helplessness when their computers' normal functions are interrupted. But the effectiveness of any ransomware strain depends on how each user responds and what defensive measures they have in place. By following the steps above, not only can users successfully remove ransomware from their computers, but they can also protect themselves and their data from ever being infected in the first place.