Front Line Sentinel

Practical Tips to Improve Network Security with What You Already Have: Part 2 of 2

2013-06-08T10:59:00.003-04:00

In our first blog on improving network security with what you already have, we examined some tips around logging for certain types of alerts as well as tips to detect bad guys in the network. But we saved the best for last: the IPS and firewall.

As you might have noticed from the first blog, I started this discussion with alerting for extrusion attacks at the node level and went through the network, which brings us to the perimeter. If the data goes out beyond this point you’re officially screwed! Being notified that someone’s in your network and attempting to push data out of you network sucks, but successfully getting data out of your network sucks even more! Here are a few things to review in your IPS or firewall in attempts to stop or alert on this malicious activity.

One way of alerting on sensitive material, like merger and acquisitions info, is to look for keywords on the data itself. I’ve seen people hide certain phrases or words in documents while creating an IPS rule to search for these keywords. This isn’t a failsafe method, but it can help.

Review the signatures on your IPS to make sure they’re reviewing protocols for exfiltration. A few of the protocols to review are DNS and SMTP, which will allow information leakage out of by adding or padding the protocols packets with additional information. This is a sneaky way to walk right past an IPS.

Read the rest of my article here: http://blog.algosec.com/2013/06/tips-to-improve-network-security-part-2-of-2.html

Spear Phishing: Who's Getting Caught?

2013-05-27T10:52:00.002-04:00

[Via: Firmex: Virtual Data Rooms]

Image courtesy of Firmex

Securing big data: Architecture tips for building security within

2013-05-25T13:26:00.003-04:00

Since “big data” is a hot topic these days, there’s no question an increasing number of enterprise infosec teams are going to be asked about the security-related ramifications of big data projects. There are many issues to look into, but here are a few tips for making big data security efforts more secure during architecture and implementation phases:

Create data controls as close to the data as possible, since much of this data isn’t “owned” by the security team. The risk of having big data traversing your network is that you have large amounts of confidential data – such as credit card data, Social Security numbers, personally identifiable information (PII), etc. -- that’s residing in new places and being used in new ways. Also, you’re usually not going to see terabytes of data siphoned from an organization, but the search for patterns to find the content in these databases is something to be concerned about. Keep the security as close to the data as possible and don’t rely on firewalls, IPS, DLP or other systems to protect the data.
Verify that sensitive fields are indeed protected by using encryption so when the data is analyzed, manipulated or sent to other areas of the organization, you’re limiting risk of exposure. All sensitive information needs to be encrypted once you have control over it.
After you’ve made the move to encrypt data, the next logical step is to concern yourself with key management. There are a few new ways to perform key management, including creating keys on an as-needed basis so you don’t have to store them.

Read the rest of my article here: http://searchsecurity.techtarget.com/answer/Securing-big-data-Architecture-tips-for-building-security-in

What Java's installer should really say (Funny)

2013-05-24T19:08:00.001-04:00

How to build C-level support for the benefits of penetration testing

2013-05-24T18:57:00.001-04:00

Performing an external penetration test is extremely valuable. At the same time, it can also be difficult to develop C-level support when talking up the benefits of penetration testing -- especially if the company hasn’t experienced a public breach.

However, before trying to cross that chasm, it’s important to determine what type of external penetration test you’d like to have performed. For example, if you’re at an e-commerce company, I would favor a Web application assessment over a network assessment. If you’re at a public company or under some type of regulation, like Sarbanes-Oxley (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), you’ll most likely be able to leverage these regulations to get a penetration test against your infrastructure in order to meet compliance requirements. I’ve seen many security-related budget items pass simply because an auditor told the company it needed the items to stay compliant. Pen tests are expensive, but are done by professionals in the field and are considered a third-party view.

If you’re not at a public company and do not have a regulator pushing you to perform these assessments, you’ll most likely have to default to research, awareness, and a good presentation to upper management. With spending tight in IT departments, most executives are not going to open the corporate purse until they can see hard numbers on the return on investment (ROI). This can be difficult to calculate, so you’ll need to brush up on your risk management terminology. Certain areas to look into include:

Exposure Factor: The percent of loss that occurs if a breach were realized on a system.
Single Loss Expectancy (SLE): The amount of money that is assigned to one event. This is calculated by multiplying the Exposure Factor by the assets value in dollars.
Annualized Rate of Occurrence (ARO): The estimated number of times the event or breach could occur on the asset.
Annualized Loss Expectancy (ALE): The sum of the overall dollar value of the SLE multiplied by the ARO.

This might seem like quite a bit of work, but it’s a good way to get a better idea of what you need to do to help protect your company’s network and show the executives your view in dollars and cents. If you want to give the executives a more eye-opening number, let them know it would cost the company an average of $194 per record lost as a result of a breach. Considering most breaches involve thousands of lost records, the numbers add up quickly.

Another way to help convince the executives is to show them similar attacks that have happened in the past, potentially to similar companies, and the reputational and financial damage each company incurred.

Read the rest of my article here: http://searchsecurity.techtarget.com/answer/How-to-build-C-level-support-for-the-benefits-of-penetration-testing

"Interview with a Blackhat" by Whitehat Security

2013-05-23T22:33:00.001-04:00

This past week Whitehat Security, the leader in web application vulnerability assessment, released a series of interview's their Director of Product Management (Richard Hansen) held with a self professed blackhat. In this three part series Richard Hansen and his blackhat interviewee helps us get into the mind of the underground.

I found these interviews a fascinating insight into the psychology of the blackhat. Why they do what they do, how they feel about fraud, the tools of the underground trade, what security methods work and what doesn't.

Please do yourself a favor and read the following three part series from Whitehat Security:

Part 1

Part 2

Part 3

Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2

2013-05-21T17:06:00.002-04:00

I think we as security experts need to stop focusing on who or what will attack us and start acting like we’re already owned. If we just started thinking in terms of “I’m already compromised” the security and monitoring of your network and systems would improve drastically. The initial fear of security experts was of being hacked or compromised, but in reality this is happening everyday while you’re on the clock. If you’ve ever had malware infect a workstation you’ve been breached. This is just a small example, but it’s true. There are two types of security professionals:

Those that know they’ve been breached.
Those who’ve been breached, but don’t know it.

With this being said, we need to start focusing on extrusion detection (coined by Richard Bejtlich, @taosecurity) as well as intrusion detection. We speak about security in layers a lot and this is just another way to detect threats. The problem is that often we immediately jump to shiny new objects out there such as Data Loss Prevention (DLP), Next-Generation Firewalls, SIEM, etc. to get the job done. While these are all helpful tools that can certainly improve your ability to monitor for the exfiltration of nefarious traffic, there are things you can do immediately to improve your security posture.

Log for Certain Alerts
There are certain alerts on your domain or network that you know right off the bat are bad news. These alerts should be caught and notified on right away. There are many tools that will do this for you, like SIEM, but you still need to know what you’re looking for. If you don’t currently have a SIEM, you can setup similar alerts to warn you of malicious behavior. Here some examples:

Setup an alert every time the “Domain Admin Group” has a change made to it. If you’re a smaller company there should be a darn good reason this group’s just experienced a change. One of the things a bad guy want’s is complete control, and if he’s already gotten this far it may be too late, but it might give you the time needed to shut things down and save your data from leaving.

Setup fake accounts that you think hackers will try and access. An example of this is an account named “administrator” in Active Directory. I’m assuming and hoping that you’ve already renamed the original one. On this account you can set the lockout threshold really low and alert every time someone logs into it improperly. In this example if a bad guys looking for low hanging fruit he’s going to tip you off right away.

Read the rest of the article, including other tips, here at Algosec: http://blog.algosec.com/2013/05/tips-to-improve-network-security.html

Network perimeter security: How to audit remote access services

2013-05-21T17:00:00.005-04:00

There are a few ways to audit your domain for Internet-facing remote access services. If you’re looking to audit your network perimeter with free tools, then something like Nmap would be the way to go. Do your research before firing away at your perimeter with a port scanner, though; you don’t want to inadvertently create a denial of service by pummeling the network with port scans (obviously make sure you have permission from your superiors as well). Also, when using Nmap, make sure you fingerprint the open ports you find on the network to determine what’s running behind them. Using the Nmap –sV command on a port will often times show you the application listening on the port. This comes in handy when someone is running software on a non-standard port to exit your firewall.

Another tool that’s recommended when looking to audit remote access services is Nessus. There are multiple plug-ins available that can scan your port and determine if you are running particular remote access services. However, unlike Nmap, Nessus will let you know if a particular vulnerability will allow remote access into your organization unintentionally. This tool looks for vulnerabilities, whereas Nmap gives you hard facts as to what’s listening in your environment. There are many other tools that could be used, but these two are common and come at no charge.

Another way to prevent rogue services from listening on your network is by locking down what’s allowed to leave your organization. Many people still don’t perform egress filtering on their firewalls; this is a common way to prevent botnets, misconfigurations and malicious insiders from allowing remote connections into your network. Also, filtering traffic leaving the network with an IPS or next-gen firewall (NGFW) will enable you to inspect the allowed firewall traffic for malicious use. Many times, attackers take advantage of normally open ports, such as port 80, port 443, etc., to transmit data out of your network without you noticing.

Read the rest of the article here: http://searchsecurity.techtarget.com/answer/Network-perimeter-security-How-to-audit-remote-access-services

How Facebook Updates Would Look in Real Life [Funny]

2013-05-13T08:43:00.003-04:00

If we all thought of privacy like this we'd be a little more cautious on social media sites. Very funny.

Two-Factor Authentication for Social Media Sites

2013-05-12T00:09:00.000-04:00

Over the past couple weeks there's been a lot of talk about social media accounts being compromised and the legal aspects of a company having their accounts owned. I for one don't think there needs to be regulation on how companies secure their social media accounts. Increased regulation doesn't assume better security. Ever.

With that being said, I think we need to start looking at how easy it is for an attacker to compromise social media credentials (Key loggers, malware, XSS, phishing, etc.). I read a stat today which said, if you've had a social media account longer than 5 years there's a 50% chance you've had your credentials compromised. That's a pretty scary statistic.

One way to limit the risk of social media accounts being compromised is by using two-factor authentication. Two-factor authentication takes both something you know (your password) and something you have (a token of some sort) and applies both of them to your login. So if an attacker is able to easily steal your credentials it's unlikely that they'll have your token. These tokens can be generated by many systems, but in the case of social media we're going to use the free Google Authenticator app.

Google Authenticator is a free download that uses the Time-based One Time Password (TOTP) that allows you to generate codes/tokens from the Google app and input them into variety of sites that use the protocol for a second factor of authentication. A few sites/software that Google Authenticator can be used for are Dropbox.com, Facebook.com, Google Apps, Wordpress, Microsoft, etc. the list goes one. This isn't a silver-bullet when it comes to securing logins, but it does limit the risk that both the password and the token will be stolen.

After seeing the mini-market crash with the Associated Press's (AP) Twitter account compromise I started thinking about ways to secure social media accounts in an enterprise and was reminded that this technology could be placed on multiple sites (like Facebook), but that Twitter was still behind the eight-ball on this feature. I'm sure the $136 million dollar market crash might have pushed this Twitter feature to the top of QA's list.

So if you're using social media in anyway, especially from a corporate standpoint, I would highly recommend setting up two factor authentication with Google Authenticator (details can be found here), unless you're using Twitter. Which in that case you'll have to wait with the rest of us.

8 charged in $45 million cybertheft bank heist

2013-05-09T17:49:00.000-04:00

In one of the largest bank robberies every committed, all without ski masks, weapons and thugs, there has been 8 people charged in the $45 million cyber heist that crossed the global and startled the financial sector.

Read more about this coordinated cyber robbery here:

NSA's Manual on Hacking the Internet

2013-05-09T10:24:00.000-04:00

So it seems that the NSA has literally wrote the book on how to perform reconnaissance on the internet. You can read their little 643 page book called “Untangling the Web: A Guide to Internet Research” and see the steps the government uses to search the web. There are some very interesting methods they focus on when using Google, nothing new, but still enlightening.

Download the book here.

iFrame drive-by attack demo [Anatomy of Attack online]

2013-05-05T16:43:00.001-04:00

Great educational video, by Sophos, on how iFrames are being used for attack. These types of attacks have exploded in popularity over the past couple months. In Microsoft's Security Intelligence Report, released a few weeks ago, they mention iFrame drive-by attacks as the following:

Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12.

Take a look at this video and become more aware of this growing threat vector.

Basic Use of Maltego for Network Intelligence Gathering

2013-05-03T22:38:00.000-04:00

The PR Implications Of Cyber Security

2013-05-01T09:05:00.001-04:00

Here's a great new article by SteamFeed on the unforeseen consequences of a security breach. Jayme Soulati gives sound advice on how to prepare and manage a breach from a PR perspective.

Here are a few suggestions (read the entire blog post here):

Tips to Insulate Before A PR Crisis

1. A crisis communications plan has always been a necessity for companies. When was the last time it was dusted off and reviewed for cyber security?

2. PR needs to be involved during corporate crisis at all times; a company in crisis needs outward-thinking experts who put the customer top of mind.

3. While strategists are monitoring the situation moment to moment, the PR team needs to be preparing statements for media and customers in parallel.

4. Twice a year, the entire marketing team along with IT should meet for a dry run to determine the chain of events should a cyber attack occur in a company. In this case, “cyber attack” can also include the swiping of credit information and personal data; if it’s electronic information, then it’s a breach of cyber security.

5. Annually, meet with the C-suite to review the cyber crisis plan and ensure everyone is on board and ready to hit send when and if a crisis occurs.

VPN troubleshooting: Isolating VPN session timeout issues

2013-04-29T21:09:00.002-04:00

Depending on the vendor your company uses, the location from which you’re trying to establish a VPN connection, and other factors, a user could come up with a hundred different possible issues with authenticating to a VPN. Here are some areas to look at first regarding the stability of a VPN connection.

One of the first things to do when troubleshooting a VPN session timeout or lockout issues is to determine the user’s location. It’s important because if a user can always connect while he or she is at home, but can never connect on an open Wi-Fi connection at the local coffee house, that should enable isolation of the issue quickly. This is one of the simplest forms of VPN troubleshooting, but can save a lot of time during the process.

Another way to start determining the root cause of the VPN issue is to ask the user to connect to the VPN both on the WLAN and the wired LAN. The majority of VPN connections these days are connected wirelessly. In the past, I’ve noticed certain vendor agents are less tolerant of network loss due to the poor strength of a Wi-Fi connection, which could result in VPN stability issues. If a user is able to connect via the wired LAN without any issues, but has an issue periodically with the WLAN, start troubleshooting the agent logs and the origin of the logon attempts with an eye toward wireless-related issues.

There’s also the issue of timeout periods for users. I’ve seen many default values around timeouts, such as idle connections after 10 minutes, and a max session at 60 minutes with a reminder of five minutes before timeout. This might not suit all users, so these values could be reworked to fit the needs of the company and user population. This could be an issue where the defaults are too low for what the user needs the session for; this is especially true in SSL VPNs.

When using IPSec, verify the connection settings of your phase 1 and phase 2 rekey policies. The phase 1 policy will be able to go down without an issue and rekey, but if your phase 1 and phase 2 timers go down at the same time, there’s the potential for a timeout or longer connection time.

Read the rest of my article for searchsecurity.techtarget.com here.

Response to Huffington Post - Fines for Hacked Social Media Accounts

2013-04-27T12:54:00.001-04:00

The Huffington Post recently released an article calling for companies to face fines for having their social media accounts compromised. The Associate Press recently had their Twitter account compromised and caused a small dip in the market after tweeting, "Two Explosions in the White House and Barack Obama is injured".

In the wake of a brief stock market crash caused by hackers sending out a false tweet from the Associated Press' Twitter account, companies who fail to secure their social media accounts from hackers should face fines, one federal regulator told The Huffington Post.

What makes them and Bart Chilton, a commissioner with the Commodity Futures Trading Commission, think adding more regulation is going to fix anything. Haven't they learned that regulations and compliance don't equate security? All this does is allow them vengeance to look for lost money because Wall Street and stock brokers are all trying to be the first to make a trade in a cut-throat community.

Chilton said he asked the agency's lawyers to review whether a company whose Twitter account gets hacked is violating a law that bars it from "providing misleading information or recklessly allowing information to come out."

Before Mr. Chilton starts making blanket statements about how to fix the cyber community he should getter a better understanding of how these compromises actually work. With Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks, as well as a plethora of other attacks, makes the stealing of social media credentials something easily obtained by a persistent attacker.

Before we start trying to fix a broken system with more fines and regulations, let's look at the cause of the issue to begin with. Wall Street and Stock brokers shouldn't take everything they read on the internet as gospel. In this digital age with all the advances of trading in the stock market, if a simple tweet can bring down our economy we have more to worry about than hackers.

Modern security management strategy requires security separation of duties

2013-04-24T22:00:00.003-04:00

Over the past few years, information security has become a top-level concern to enterprise senior management. Many organizations by now have created information security departments to secure themselves from the threats they’re facing, but in today’s environment, it’s no longer enough. Hence the reasons why a paradigm shift is needed regarding the ways security departments are being structured. No longer should one department manage security from cradle to grave.

Having two departments share the information security burden is an ideology that’s starting to gain traction; especially in the financial sector due to regulatory mandates like the Sarbanes-Oxley Act (SOX) and Gramm-Leach Bliley Act (GLBA). The idea of having separate roles for those monitoring security incidents and those implementing and acting on security incidents is a shift in thinking. Most security departments are configured as a one-stop security shop, handling everything from strategy, policy, configuration and remediation, but this is broad swath of duties and responsibilities can be lost or purposely overlooked.

As an example, in most enterprises the engineer making a firewall change is also the one reviewing the firewall metrics for unauthorized changes. What if the firewall administrator wanted to hide something? How would anyone ever find out? This is where the separation of duties comes in to focus on the responsibilities of tasks within security. Creating an information security team in this structure allows for dedicated resources performing security from an operation and monitoring standpoint. This paradigm encourages a focused approach to each group and allows for the resources to have dedicated responsibilities. This means the security operations staff is busy with engineering and incidents and the monitoring group is looking for breaches.

To that end, a better model is one in which engineers in an IT operations group would make configuration changes, and then information security analysts in the information security monitoring and management group would monitor the environment, analyze key data and make recommendations on changes and updates. Let’s review each group’s duties in detail.

The operation group would be responsible for the implementation of new security technology and its day-to-day use. Its main focus would be responding to security incidents and hardening systems on an operational level, as well as the remediation of security events and managing technology that helps secure the company proactively. This team should also have rights to investigate issues on equipment, verify configurations are setup properly, and assist with the overall security lifecycle of the infrastructure. This team would manage the configuration and implementation of the network and systems, while managing devices that help protect the perimeter and internal proactively. Some technologies that would fall under the auspices of this group are firewalls, IPS, NAC, WAF, etc.

The monitoring group, on the other hand, should be the security watchers. This group’s main function would be to look for security incidents and vulnerabilities. This group should actively monitor the infrastructure for potential issues and escalate them to the IT operations group as incidents. This team should have read-only permissions to many systems, but shouldn't have the rights to make changes. Its job should be to review the infrastructure, identify potential incidents and alert those with the permissions to take action on them. This team’s main concerns would be the review of the network for breaches, either externally or internally. Technologies that may be housed in this department would include those that support the mission of monitoring and security oversight, such as SIEM, DLP, identity management, vulnerability management, and the like.

With the implementation of a security separation of duties involving two distinct groups managing an enterprise’s information security posture, there may be a feeling of overlap. Both teams will have some access to the majority of the systems housed in each other’s department, but one department will be responsible for certain actions of the tool.

An example of such technology sharing would involve the use of the SIEM. The monitoring group would want to use it to proactively search for and identify potential security incidents, while the operations team might use its logs to research an incident. Both would have access to the tool, but use it for different purposes. Having one team searching for and alerting on events would allow the other to focus on hardening and implementing better security. When the security incident management lifecycle is left solely to one group, issues can easily be overlooked and hence gaps in a security program can result. Having the two teams work in tandem and reporting to different branches of the organization allows for the strongest security posture in an organization. Both groups keep the other honest, and work together to secure the network.

Read the rest of my article at SearchSecurity.com here

Falling for a Phishing Attack (This is fun)

2013-04-23T19:51:00.000-04:00

Okay, so I recently received a phishing e-mail to my home address and wanted to see what happen if I followed it down the rabbit hole. This is always a fun exercise, because you never know what you're going to find or where you'll end up. Many times it leads to a Blackhole exploit kit or malicious iFrame, but this particular phishing e-mail was purely looking for personal information. A classic phishing example.

So here's the body of the phishing e-mail in all of it's glory. Not bad if you think about it, but it still has the tell tale signs of a phishing attack (the generic salutation, grammar, formatting errors, etc.). One area that I thought was amusing in this phishing e-mail is the reference to William Sheley. Mr. Sheley actually exists and does work for Chase as an SVP (thank you Linkedin). All-in-all this is a decently produced and researched phishing attempt, except for one thing. They attached an HTML document they want you to download and fill out (because all banks send you attachments like this). Ummm......No.

So okay, let's play the game. I have a virtual machine (VM) setup running Deep Freeze to purposely infect and play with these type of threats. Once you reboot the VM everything's installed back to original configuration using some sort of black magic. The software works freaking great and I highly recommended it.

The first thing I do is forward the phishing e-mail to a Gmail account I created to store phishing e-mails. Some people collect baseball cards, I collect phishing e-mails. Right off the bat Google notices there's some foul play going on and throws me this alert. Despite having a lack of privacy with Gmail, they're pretty darn good at catching spam/phishing.

Now for the fun part. After I open the HTML document I can see what they're trying to do. This is a simple way of collecting information from unsuspecting victims. Before opening the HTML file on my VM running Deep Freeze, I uploaded the HTML file to www.virustotal.com to verify that it didn't have a malicious reputation and started an instance of Wireshark to collect all the network traffic. Once the fake HTML form was up and all the inputs filled out, with fake data of course, I was able to review the packet capture to see where they were sending my faithfully entered credentials. Another interesting note about this form was that it was coded for user input validation on the fields. When I tried to enter "Shut Up" on the ATM/Debit or Credit Card Number it gave me an error that only numbers were allowed. Well, that was helpful.

As soon as I entered all the data in the appropriate fashion I submitted it like an unsuspecting user and was promptly directed to the real Chase home page below. This is done to make you think you actually completed something for their site and give you a false sense of security.

Now for the funner (is this a word) part!! Let's see exactly where all my "sensitive" information was being sent. I stopped my Wireshark capture and took a look at where this HTML form was forwarding to. Looking at the capture it becomes clear quite quickly what was going on. As soon as you submit the HTML form there's a DNS request looking for the "A" record of www.SITE-WILL-REMAIN-NAMELESS.com and a POST to /web/dmUserPlugin/js/complete.php. It turns out that all my very sensitive information was being sent in the clear to this compromised site.

Now wasn't that fun?! In my next post I'm going to infect my VM with a Blackhole Exploit Kit and show you some of the nasty things it does.

2013 Verizon Data Breach Investigation Report Released

2013-04-23T11:20:00.000-04:00

This year's DBIR combines the expertise of 19 organizations from around the globe. Discover stats that might surprise you—from the percentage of espionage-related attacks to the astonishing length of time it often takes to spot a security breach.

Download the report here.

Review of the Reddit DDoS Attack

2013-04-22T17:53:00.004-04:00

As many of you already know the popular social media site, Reddit.com, was under a massive DDoS attack starting Friday night. There's a great review of the attack and how Reddit is mitigating it by techcrunch.com which can be found here.

A few interesting things I found about this attack are that the system admins created a board in Reddit to help explain the attack and outages. In their communications they gave their users an alert that a DDoS was underway against their site and that they were receiving traffic that was "orders of magnitude larger" then normal. I found this honesty via their Reddit boards and twitter feed an excellent way to communicate to their users during an attack.

One of the other area's I found very interesting (since I' recently blogged about DDoS mitigation techniques) was that even though they were using Akamai as a CDN they were still vulnerable. I can't emphasis this enough, just because you have a CDN in place doesn't give you a bullet proof vest. The CDN has to be routing/caching the traffic back to the origin IP address that it's hosting. If they're not hosting or caching for a domain name they'll have to go back to the origin to find the data. Also, if they want to hit you via an IP address, say at your front-end-router, CDN's have very little if any protection here. Having the ability to route over to a DDoS mitigation vendor via BGP on a slash /24 network is the best bet during an attack. CDN's are an excellent layer, but aren't enough for a skilled or persistent attacker.

Here's part of thread occurring with the system admin "Alienth" and a user about the attack and Akamai.

Top 10 Security Breaches

2013-04-22T10:00:00.003-04:00

Check out the below image from Firmex on a review of their "Top 10 Security Breaches". Pretty cool.

[Via: Firmex: Virtual Data Rooms]

Embed it on your own site using the following code:

Presented by Firmex Virtual Data Rooms

Download PDF version here

Bruce Schneier on the Boston Bombings

2013-04-21T09:20:00.003-04:00

Truer words have never been spoke.

"We don't have to be scared, and we're not powerless. We actually have all the power here, and there's one thing we can do to render terrorism ineffective: Refuse to be terrorized. "

Read the rest of his article here.

Spear phishing examples: How to stop phishing from compromising users

2013-04-20T20:42:00.003-04:00

In the recent upsurge of high-profile attacks, spear phishing has been the tool of choice for hackers to compromise an organization.

Spear phishing is the targeting of specific companies or individuals, using hand-crafted messages meant to trick them into divulging personal or confidential data for unauthorized use. Malicious hackers know people are the weakest link, and that, even if a company has a $10 million security budget, it only takes one user’s mistake to compromise its defenses.

Spear phishing is a far more focused approach than normal phishing. Instead of a mass email sent to a wide swath of people, spear phishing focuses on one particular user or organization. Emails or messages sent under this guise generally employ specific, carefully researched details about the person or company in order to seem authentic. These are targeted attempts that have been maliciously crafted for a purpose: Usually, to gain specific corporate IP or personal information. This tip will offer advice on how to stop phishing and spear phishing attacks from tricking corporate users.

Phishing attacks have risen 12% (.pdf) year after year for the past few years, according to Internet Identity, with spear phishing leading the charge. And, as with the recent Epsilon email breach, it's not just that such an attack can yield customer emails and names, or organizational information for attackers, it's that spear phishers probably already have plans for what they are going to do with the data they compromise. Having a list of names, companies and email addresses can allow attackers to harvest a bounty of stolen data from victims whose information has already been breached, because attackers are able to use this info to craft more sophisticated attacks. The data that was breached in the Epslion attack was significant, but the additional data that could be stolen using this data may be even more noteworthy.

Let's review a few spear phishing examples:

Example 1 - John Smith is a senior chemical engineer working on a high-profile project for a cutting-edge pharmaceutical company. John receives an email purportedly from his college asking him if he’d like to participate in an alumni panel as a guest speaker. The email references an attachment with more details on the event and an attachment to fax back to the alumni office. John clicks the attachment and nothing happens; John Smith has been speared.

An attacker using a spear phishing campaign to compromise an organization is going to do his homework. In this case, all he might have used the Internet to find out where John Smith went to college and crafted a fake letter head with the department head's name on it (information also freely available on the Web). The payload here is the malicious software installed in the attachment. Once John Smith clicked the attachment, his workstation was compromised with malicious software.

A security awareness program should include training to safeguard against these types of attacks. Users should be taught that they should use company email for corporate use only, thus limiting some of the potential ways users’ email addresses would get out onto the Internet. Users should also be taught not to open attachments from sources that they’re not familiar with. In this case, John Smith trusted the sender because he had a previous experience with the school, leading him to believe it was safe. A social networking policy should be considered to hide or limit the information that employees can show on their LinkedIn page. Social networking sites are an excellent tool for spear phishers to use against victims. Limiting what your employees show on social networking sites about the organization will assist in your security posture. Lastly, spam gateways should be configured to block any executable coming into the network via mail by default.

Example 2 – Jane Doe receives an email from her bank, which we’ll call BigBank.com, telling her that she’s been selected to receive double frequent flyer miles on her credit card for the next three months. The email includes a link to fill out a form at https://bigbanks.com to complete the newly offered frequent flyer program. Jane makes sure the link is SSL protected and proceeds to fill out the form with all her personal information. After she’s done, a window pops up saying her profile been updated successfully. Jane Doe has been speared.

Spear phishing emails are frequently used to drive traffic to malicious websites, but it’s getting increasingly difficult for the average user to decipher what’s authentic. In this example, the legitimate website of Jane Doe’s bank is https://bigbank.com, but the phishing email had a link to https://bigbanks.com. Just adding an “s” to the domain creates a similar domain name that the user might not notice is different from the actual domain of his or her bank. Many users now look to see if sites are SSL encrypted and, in this case, it is, directly to the malicious site. Jane Doe added all her personal information into a site that had the look and feel of her normal banking experience, including a false sense of security in the SSL protection. Many users operate under the false impression that an SSL link is inherently secure.

Once again, security awareness training needs to evolve as the attacks evolve. A few years ago users were being taught that if a website URL used HTTPS, then they were safe. The bad guys know this and use this misconception to their advantage. Educating your employees or customers takes more than a one-time course; it needs to be done constantly via training, company newsletters and face-to-face so as attacks change, training and avoidance tactics evolve as well. There has to be expectations from the company on what being secure is as well. In this example, the “Big Bank” should let its customers know it would never ask for personal information from them via email, and to report it if found.

As illustrated by the examples above, spear phishing is a more focused attack method than generic phishing. Generic phishing is purely a numbers game: The more people who receive an email, the more likely it is one of them will click on the infected link. With generic phishing, many of today's filtering technologies will block suspicious-looking inbound email and phishing sites, mainly because they’ve been seen so frequently.

Read the rest of Searchsecurity.com article here.

Microsoft Security Intelligence Report (SIRv 14)

2013-04-18T22:02:00.000-04:00

Yesterday, Microsoft released volume 14 of its Security Intelligence Report (SIRv14) which includes new threat intelligence from over a billion systems worldwide. One of the most interesting threat trends to surface in the enterprise environment was the decline in network worms and rise of web-based attacks. The report found:

· The proportion of Conficker and Autorun threats reported by enterprise computers each decreased by 37% from 2011 to 2H12.

· In the second half of 2012, 7 out of the top 10 threats affecting enterprises were associated with malicious or compromised websites.

· Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12.

· One specific iFrame redirection family called IframeRef, increased fivefold in the fourth quarter of 2012 to become the number one malicious technique encountered by enterprises worldwide.

· IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012.

The report also takes a close look at the dangers of not using up-to-date antivirus software in an article titled “Measuring the Benefits of Real-time Security Software.” New research showed that, on average, computers without AV protection were five and a half times more likely to be infected. The study also found that 2.5 out of 10, or an estimated 270 million computers worldwide were not protected by up-to-date antivirus software. With the report’s release they are reminding customers of the importance antivirus software can provide in protecting systems. For more information, check out this blog post.

Of course these are just some of the more interesting threat trends I thought might be of interest. The full Security Intelligence Report, volume 14, is available for free and can be downloaded here.