The SANS guys have developed a pretty impressive holiday-themed hacking challenge. Speaking as someone who creates crisis management table-top exercise scenarios as part of my job, I'm always impressed by the level of effort and details that goes into creating these challenges.
Even if you don't have the type of skills required to participate in a challenge like this, you can still benefit from it by using it as a chance to get inside the mind of an attacker and think like "they" think.
Then, continue in that mindset and turn your attention to your own organization's network. How would you attack it if you were inclined to - what would you target?
Your own security program will benefit if you start to think like this.
Friday, December 7, 2012
Friday, October 5, 2012
Hakin9 magazine exposed by security researchers
Speaking as someone who has recently received multiple requests from hakin9 to contribute articles to their magazine, I found this article on The Register very entertaining.
I received a request from hakin9 (at the time I hadn't heard of their website or magazine) asking for an article on achieving the CISSP certification. I was interested and replied asking for more detail on what they were looking for. They responded but I was busy and never wrote anything for them.
Then a week or so later I received another request asking me to contribute an article about SNORT, but it seemed to me that whoever had written the request didn't really understand what SNORT was - which I thought was odd, and I forgot all about it until someone sent me the article above. Enjoy!
Monday, October 1, 2012
Hooking the big one?
A sensitive computer network belonging to the US government has been compromised in a targeted spear-phishing attack - as reported by Bill Gertz on the Washington Free Beacon's web site.
Additional write up on CNET News.
Both stories say that China was behind the attack, but this brings to my mind the problem of attack attribution in this kind of situation. The only evidence the articles cite is that the attackers "used servers located in China". How easy is it to rent hosting space in a Chinese data center and attack the US, in order to make it look like the Chinese are behind it? I'm not sure. Wouldn't Chinese state-sponsored hackers use a third-party country to avoid attracting attention? Or maybe that's what they want us to think?
Labels:
China,
phishing,
Social engineering,
spear phishing,
US Government
Wednesday, September 19, 2012
Virgin Mobile: a case study on how not to implement password authentication
This article caught my eye today. Virgin Mobile shows everyone all the places you can go wrong when implementing website password authentication.
The good side of this story? I am planning to use this as a case study when discussing web app authentication with our software developers. Not much comfort if you're a VM customer though.
Labels:
awareness,
passwords,
Virgin Mobile,
web application security
Tuesday, August 7, 2012
Social Engineering, or "Why I hate so-called Security Questions"
You may have already read the story of a Wired reporter, Mat Honan, whose online accounts were hacked by an attacker who used social engineering tricks, wiped the data from his phone and his laptop, and took over his and his employer's Twitter accounts to broadcast homophobic and racist messages on his behalf.
Here's the original story that recounts all of the security failings by Mat himself, by Apple, Amazon and Google in detail.
Here are articles about changes that Amazon and Apple are making to their customer care procedures in the wake of this attack,
and here's a good article which gives a lot of good advice on how to avoid being hit by the same or similar fate.
A lot of the advice in the article has been preached by security professionals like me for years. This story is a great illustration of why I think reliance on "security questions" by businesses as a way of establishing the identity of an individual is totally ridiculous in 2012. By "security questions" I mean the type of questions a business asks you, like what town you grew up in, your mother's maiden name, or what year you were born, etc. The ones they think will really let them be 100% sure it's really you they're talking to. The problem is, anyone can find the answers to these questions about you on Facebook, or by searching other public information sources.
The only way that "security questions" can actually work as an effective identification mechanism is if you use intentionally false and random answers that only you could ever know (and you keep a record of them).
For example, if you set up an account and are asked for your mother's maiden name - why not answer "geranium", "roulette", or "haddock" (assuming none of those are correct answers for you). Make a note of the answer you've given to this organization, and in future even someone who can google your entire family tree will never find the correct answer in any kind of online public record. You'll be able to supply the correct answer, because you made a note of the answer you gave when creating the account. You did remember to do that, right?
In the case of Mat Honan, unfortunately customer service staff gave attackers access to his online account EVEN THOUGH the attackers could not answer the security questions required. So, obviously the method I outlined above will not help you in this case. Check out the third article in the list for other helpful advice that would have helped Mat, and can help you avoid sharing his fate.
Do you have any suggestions of other advice that would have helped? Leave a comment below.
[Updated Aug 8 2012 to add a link to story about Amazon's changes to their procedures after this attack.]
Labels:
amazon,
Apple,
awareness,
google,
passwords,
security questions,
Social engineering
Friday, August 3, 2012
The CloudFlare breach - and what it means for organizations
In July an attack on a content delivery company, CloudFlare, exploited weaknesses in the two-factor authentication systems Google provides to protect personal and business accounts.
Google issued an update to correct a flaw in the process used to recover passwords which allowed the attack to take place, and the CEO of CloudFlare, Matthew Prince, wrote an extensive blog entry about the attack, their investigation, and advice to organizations on protecting themselves from the same attack.
The attack highlighted the need for organizations using software-as-a-service email providers to review the "lost password" procedures for their administrator accounts on those services, and to ensure that all contact methods they use to receive messages about password resets are secure and cannot be redirected or accessed without their knowledge.
Friday, July 13, 2012
Another day, another round of password breaches...
Today it's accounts at the website of surf clothing company Billabong, and the online forums of technology firm NVIDIA, that are affected. More info here from Threatpost.com.
Thursday, July 12, 2012
Yahoo passwords breach
News broke today of a breach of almost 450,000 passwords from a service belonging to yahoo.com.
Initial analysis of the leaked passwords appears to show they were stored in plain text, and that they were stolen using a SQL injection attack.
Yahoo said that the passwords were from an old, out of date file, and that only 5% were valid accounts. Whether they were current or out of date, and how many were valid yahoo accounts, doesn't matter. Storing user passwords in an unencrypted form puts the owners of those accounts at risk. Period. Although best practice says that you use different passwords for each service you use, we all know that some people use the same password for every single website in their life.
All yahoo.com users should change their password on yahoo itself and on all other sites where they use the same password.
Wednesday, June 13, 2012
Malicious e-mails: new and improved!
"The payment you sent"
"Please confirm your LinkedIn password"
"Your bill is now available"
"Your paypal.com transaction"
Recently I've received a number of e-mails about services I use and subscribe to; some of the subject lines are shown above. The e-mails look very genuine, and they are normally telling me about a problem with my account and urging me to click the "Login" button as soon as possible to resolve the issue. If my personal experience is anything to go by, recently these scam e-mails are looking more and more like the real thing. They are designed to look as "official" as possible and they are solely designed to prompt you to log in to your account at PayPal, or your bank, or your mobile phone company, or LinkedIn - I've received examples purporting to be from all of these companies in the last week or so.
Of course, when you click the "log in to my account" link from the scam e-mail, you're not actually going to the real site but to a site created by the attacker which looks identical (apart from the address in the URL bar, which will NOT be the address of the site you think you are logging into, but something which looks almost the same).
After you've logged in to the fake website, the attackers will take a copy of your log-in details. They can then either use the username and password they now know to log you in to the real site and redirect you to it (so you'll never know what just happened) or they can show you a page which says the site is "down for maintenance, please try later" - again, you might not suspect that your details have just been stolen. After that, the attackers can do whatever they like to your account. For example, they can transfer money to their own account, and you'll probably have a hard time proving that it wasn't you.
If you have any suspicions about an email you receive, never click on the link inside the e-mail. Instead, go to the account it relates to by typing the address into the browser yourself. That way you know you're going where you think you're going.
What do you think? Have you noticed the "quality" of these types of email improving recently? Let me know in the comments.
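The "looks almost the same" trick above can be checked mechanically: pull every link out of an e-mail and compare where it really points against the domains the claimed sender actually uses. This is an added example, not code from the original post; the sample e-mail body, the `LEGIT_DOMAINS` list and the confusable-character table are constructed for the illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample e-mail body (not a real message): the link text promises
# one destination, the href points somewhere else, as the post describes.
SAMPLE_EMAIL_HTML = """
<p>There is a problem with your paypal.com transaction. Please log in now.</p>
<a href="http://paypal.com.account-verify.example/login">Log in to my account</a>
<a href="https://www.paypa1.com/signin">Review the transaction</a>
<a href="https://www.paypal.com/help">Help centre</a>
<a href="https://www.example.org/unsubscribe">Unsubscribe</a>
"""

# Domains the claimed sender really uses. Assumed for the example; a mail
# gateway would keep such a list for each brand it protects.
LEGIT_DOMAINS = {"paypal.com"}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
# Characters commonly swapped to make a hostname look almost the same.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def normalize(host: str) -> str:
    """Fold visually similar characters so 'paypa1' compares equal to 'paypal'."""
    return host.lower().translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    """Last two labels ('www.paypal.com' -> 'paypal.com'). Enough for this
    example; production code should consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_used_as_subdomain(host: str, legit: str) -> bool:
    """True if the legitimate name appears as a run of labels inside a longer host."""
    h, l = host.lower().split("."), legit.split(".")
    return any(h[i:i + len(l)] == l for i in range(len(h) - len(l) + 1))


def classify_host(host: str, legit_domains=LEGIT_DOMAINS) -> str:
    """Verdict for one hostname: legit, brand-as-subdomain, lookalike or unrelated."""
    domain = registrable_domain(host)
    if domain in legit_domains:
        return "legit"
    for legit in legit_domains:
        if brand_used_as_subdomain(host, legit):
            return "brand-as-subdomain"   # e.g. paypal.com.account-verify.example
        if normalize(domain) == normalize(legit):
            return "lookalike"            # e.g. paypa1.com
    return "unrelated"


def classify_links(html: str, legit_domains=LEGIT_DOMAINS):
    """Return [(url, verdict)] for every href found in an e-mail body."""
    results = []
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host, legit_domains)))
    return results


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:20} {url}")
```

Anything other than "legit" is a reason to follow the post's advice and type the site address into the browser yourself instead of clicking.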
Monday, May 21, 2012
Security mindset
Interesting article about the mindset of security practitioners - thanks to Bruce Schneier for highlighting this one.
Labels:
awareness,
vulnerability,
web application security
Tuesday, May 15, 2012
Surveillance cameras
A report from Wired's excellent Threat Level blog on research into the security of cameras used for CCTV, surveillance and security purposes. It seems many of them are by default enabled to allow access from the internet, and also by default use weak, well-known passwords. That's a bad combination.
Labels:
CCTV,
passwords,
surveillance,
web application security
Password questions
A report from CNET about the compromise of thousands of Twitter account credentials (the exact number of accounts compromised seems to be disputed, but appears to be over 20,000).
If your account is affected you should've already been notified and should follow the instructions. If you're not directly affected, now might be a good time to revisit your password for Twitter and other online services and ask yourself some questions:
1. Am I using the same password for multiple services?
2. Could someone who knows me (or who can find me online) easily guess the password I'm using?
3. Is the password strong (letters, numbers and ideally special characters)?
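The three questions above can be asked of a whole set of saved logins at once. This is an added example, not code from the original post; the vault contents and the list of personal facts are constructed for the illustration, and the 12-character minimum is an assumption of the example rather than something the post states.

```python
import re
from collections import defaultdict

# Constructed sample: one person's saved logins (not real credentials) and the
# personal facts an acquaintance or a quick web search would turn up.
VAULT = {
    "twitter": "Summer2012!",
    "webmail": "Summer2012!",
    "forum":   "summer2012",
    "bank":    "Rex1984",
    "shop":    "T7#kq9!Lm2vZ",
}
PERSONAL_FACTS = ["Rex", "1984", "New York"]  # pet's name, birth year, home town


def reused(vault):
    """Question 1: groups of services sharing a password. Compared case-insensitively
    and ignoring trailing punctuation, so 'summer2012' and 'Summer2012!' count as one."""
    groups = defaultdict(list)
    for service, pw in vault.items():
        groups[pw.lower().rstrip("!@#$%^&*.?")].append(service)
    return [sorted(v) for v in groups.values() if len(v) > 1]


def guessable(password, facts):
    """Question 2: personal facts that appear inside the password."""
    return [f for f in facts if f.lower().replace(" ", "") in password.lower()]


def strength_issues(password):
    """Question 3: letters, numbers, special characters and a sensible length."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        issues.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        issues.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        issues.append("no special character")
    return issues


def audit(vault, facts):
    """Return {service: [findings]}; an empty list means the password passed all three."""
    findings = {service: [] for service in vault}
    for group in reused(vault):
        for service in group:
            others = ", ".join(s for s in group if s != service)
            findings[service].append(f"same password as {others}")
    for service, pw in vault.items():
        for fact in guessable(pw, facts):
            findings[service].append(f"contains personal detail '{fact}'")
        findings[service].extend(strength_issues(pw))
    return findings


if __name__ == "__main__":
    for service, problems in audit(VAULT, PERSONAL_FACTS).items():
        print(f"{service:8} {'; '.join(problems) or 'OK'}")
```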
Tuesday, May 1, 2012
Backdoor in industrial control system
With all of the recent focus on SCADA vulnerabilities and critical infrastructure protection, how does something like this happen?? RuggedCom appears to have been totally dismissive of the fundamental vulnerability reported to them.
RuggedCom was bought by Siemens in March 2012.
Monday, April 30, 2012
Hacktivism survey
Bit9 released the results of a survey of IT Professionals which showed that hacktivism is now seen as the biggest security threat. 61% of those surveyed believe that their organization will be targeted by hacktivist groups like Anonymous.
As a side note, Imperva's analysis of the results notes that while 61% are concerned about hacktivism, only 4% were concerned about SQL injection - which happens to be one of the most prevalent web app vulnerabilities on the internet, one of the main avenues for hackers to extract data and number 1 in the OWASP Top 10.
Labels:
Anonymous,
Hacktivism,
OWASP Top Ten,
SQL Injection
Friday, April 20, 2012
Fake Instagram app for Android
To demonstrate the fact that malware authors use whatever is currently popular to trick people into downloading their software, here's a report from Threatpost about a malicious version of the Instagram Android app which also sends premium-rate text messages in the background.
Location:
New York, NY, USA
Friday, April 13, 2012
Panda Security hacked by Anonymous
Panda Security was hacked by the Anonymous group in retaliation for allegedly working with law enforcement to investigate Anonymous members, something that Panda staff deny.
Story from ZDNet Australia via the Verizon Business Security blog
Labels:
Anonymous,
Panda Security,
web application security
Library of Congress website compromised
The Library of Congress website was compromised by a group known as BlitzSec - report from threatpost.com. The password tables were taken and some of the passwords were decrypted, revealing some particularly weak password policies in place. A user account named "test" had a password of "testing", for example.
Monday, April 9, 2012
Zero-Day Java Flaw for Apple
Last week Apple released two updates to Java for Mac OS X to fix multiple security issues that have been exploited by the Flashback trojan. Good write-up on Krebs On Security.
If you think that the reason Apple's OS hasn't been a target for malware writers is because it's "better" and "more secure", think again. Malware writers target whichever platform is the biggest; witness the rise in mobile-targeted malware that's happened alongside the huge rise in smartphones as proof of that.
Wednesday, April 4, 2012
"Instaspam"
Love the title of Symantec Security Response team's latest blog post - "Instaspam: Instagram Users Receive Gift Card Spam | Symantec Connect Community" - about spam targeted at Instagram users.
It's also related to an earlier post of theirs which I read about spammers moving to new social media sites like Pinterest.
Passwords
Good post from The Economist online about the challenges of creating and using strong passwords.
31% of all web traffic ...