InfoSec links July 24, 2014

"Severe" password manager attacks steal digital keys and data en masse - Dan Goodin - ars technica

I’ve never liked the idea of putting my passwords in the cloud and that’s essentially what you’re doing with these web based password managers. The fact that research has determined them to be vulnerable does not sway me to put my passwords online.

Automobile Industry Accelerates Into Security - Kelly Jackson Higgins - Dark Reading

Automobile security is about to become a major thing. Unlike a computer, if a car is hacked it could mean life or death for someone. I’ve read several articles recently that give encouraging signs that some automobile makers are taking car security seriously.

Security Firm Manages To Access Deleted Data On Used Android Devices - Red Orbit

iPhone users carry on. According to this article, old Android phones do not exactly wipe the drive when a reset to factory defaults is initiated. Apparently, all that does is delete or erase the index file, so the phone can’t find the old data. Forensic tools on the other hand are very capable of finding the old data. Great if you realize you need something; not so great if you don’t need anything. The workaround is to enable encryption on the device, then do a factory reset. Encrypting the drive will make it so that when the index file is deleted the data becomes unreadable because the encryption key is lost.

Public infosec links July 21, 2014

How to remove your house from Google Street View - Graham Cluley - welivesecurity

Google is mapping the world, which does come with privacy concerns. However, there is a way for someone to request that their home be blurred on Google Maps street view.

The Rise of Thin, Mini and Insert Skimmers - Brian Krebs - Krebs on Security

There are devices that can be attached to an ATM that can grab your credit card information and pin number. The stuff is meant to look like it’s part of the ATM. If you can wiggle something loose at an ATM it’s probably not meant to be there. Look for anything that appears to be out of place on an ATM.

Beware Keyloggers at Hotel Business Centers - Brian Krebs - Krebs on Security

Malware on a public machine is not all that surprising. Using a public computer for personal accounts is never a good idea. I would recommend avoiding public computers all together, but if you must I would be very careful what information you access on that machine.

InfoSec links July 18, 2014

It Is Idiotic To Hand Out Your Twitter Password to Prove Passwords Are Dead - Kashmir Hill - Forbes

How a journalist distributed denial-of-service (DDoS) his account in one easy step. He tweeted out his Twitter password with two-factor authentication on. He wanted to prove that two-factor authentication was a fantastic security measure. To my knowledge no one has gotten into his Twitter account yet, however, he has had to switch phone numbers.

Project Zero - A Team of Star-Hackers Hired by Google to Protect the Internet - Mohit Kumar - The Hacker News

I can’t help but get a little giddy about this. Sounds very Avengers like and a new way to think about information security. I have on my board at work “Hunt Teams,” which is an idea I heard on a podcast. The team essentially tries to prove that the organization hasn’t been hacked yet.

Meet Google's Security Princess - Clare Malone - Elle

A wonderful read on Google’s Security Princess (her title choice) Parisa Tabriz. She’s the hacker hired by Google to break into Google. The article talks about her background and rise to a security manager of 30 people at Google. It’s Friday, take about 15 minutes through this article. You won’t be disappointed.

Infosec links July 16, 2014

2014: The Year Extortion Went Mainstream - Brian Krebs - Krebs on Security

Extortion has been around for a while, but it looks like it might be the hot new strategy for online criminals to make money. The idea is that you get a letter in the mail requesting that you pay the extortionists in bitcoins or have your business or person languished online via negative publicity. Of course there’s also the good ol crypto locker malware that encrypts your hard drive and holds all your data hostage until you pay. Fun times.

The 5 Biggest Cybersecurity Myths, Debunked - Peter W. Singer and Allan Friedman - WIRED

Interesting list about the five cyber security myths:

  • Cybersecurity is unlike any challenge we have faced
  • Every day we face "millions of cyber attacks"
  • This is a technology problem
  • The best (cyber) defense is a good (cyber) offense
  • "Hackers" are the biggest thread to the internet today

You may not agree with all of them, but they should at least make you think about several issues involving information security.

The State of Metric Based Security - Gavin Millard - Infographic

Metrics are something I’ve always wanted to get into. This infographic doesn’t discuss how to do metrics, but instead looks at who is doing metrics and to what effect. Good read if you want to see how companies are viewing metrics within information security. I’m planning on having a future podcast about the topic.

Pro Photoshop Tip: History States

Make sure your History States are set to 1000 when working in Photoshop. To set your History States:

Edit -> Preferences -> Performance

On the Performance tab should be a History & Cache section. Set History States to 1000. Mine was at 20, which meant Photoshop would only save my last 20 changes. I quickly and easily filled that up with stamp, dodge and various other changes that didn't allow me to go back very far when I royally screwed up the graphic I was working on. It all worked out as I was working in layers and could just replace the layer I was working on with the original.

Bonus Pro Photosho Tip: Always work in layers

InfoSec links July 15, 2014

Pandemiya Emerges As New Malware Alternative To Zeus-Based Variants - Fraud Report - EMC/RSA

This is a breakdown on some new malware called Pandemiya. It’s being offered as an alternative to the widely popular Zeus trojan. The price tag is between $1500-$2000.  

Crooks Seek Revival of 'Gameover Zeus' Botnet - Brian Krebs - Krebs on Security

The previously dead Gameover Zeus botnet is apparently making a comeback. After the initial takedown, the owners of the botnet laid low for a while. Now it appears they’re trying to bring it back. The old botnet is still in lockdown, so this appears to be an effort to rebuild the botnet from the ground up.

Glenn Beck's The Blaze Site Serving Malicious Ads - Pat Belcher - invincea

My care meter for politics:

don’t care |-|---------------------| care

Glenn Beck can be a bit of a hot topic, but it’s his site I want to focus on, The Blaze. It’s been discovered that his site, via advertising, is serving up malware to people that visit the site. The site is not compromised, it’s the ad services that are running on his site. Ad services do not vet the people who submit ads, which makes it easy for nefarious folk to submit ads with malware attached to them. The Blaze, according to the article, is ranked the number two political site on the web, thus making it a target for these kinds of ads. If you see an ad that is of interest you, I would suggest doing a google search instead of clicking the ad.

Exploring information security: new podcast art

I completely whiffed on a link post this morning. I had a good, but dumb weekend (if that makes sense). One of the things I managed to accomplish this weekend was putting together some podcast art, with the help of some friends (Ryan, Adam, Win and Hope, thank you!).

EIS_PodcastArt.jpg

Now I just need to get the RSS feed together and the podcast will be ready to be submitted to a podcast directory near you.

Feedback is certainly welcome.

Infosec links July 11, 2014

Kaspersky Lab uncovers new Android and iOS spying tools - Ian Barker - betanews

A company called Hacking Team has developed a trojan that can spy on both Android and iOS devices. It’s delivered via spear phishing and malware that gets the trojan installed when the phone is synced with an infected computer. Most of the functions appear to be for surveillance purposes. I wonder who would want to purchase such a thing.

More on Hacking Team's Government Spying Software - Bruce Schneier - Schneier on Securit

Well ethical governments of course. At least that’s who Hacking Team claims they sell the trojan to. What’s the criteria for an ethical government?

  • Must be nice to citizens
  • Must feed the hungry
  • Must provide hugs
  • Must not surv$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

The Ex-Google Hacker Taking on the World's Spy Agencies - Andy Greenberg - WIRED

Really interesting profile on Marquis-Boire who used to work for Google as a security researcher, but now works for First Look Media. His job, to keep journalists who handle sensitive information, e.g. Gleen Greenwald, safe.

InfoSec links July 10, 2014

Facebook manipulates 700k users' newsfeeds in secrete study prompting backlash - ABC News Australia

Apparently, Facebook has been manipulating people’s timelines in the interest of SCIENCE! What’s interesting to me is that most of the people I talked to about this, really didn’t have a problem with it. Facebook’s terms of service is certainly going to cover their ass in this instance, but I don’t know that I like the fact that they’re playing with people’s timelines to gauge and emotional reaction. I deleted my Facebook account several months ago, but my wife and several family members and friends are on the site. I’d hate to find out that they’re all pissed off because Facebook is experimenting on them.

How Google Map Hackers Can Destroy a Business at Will - Kevin Poulsen - WIRED

Small businesses beware. Your competition could potentially change information on Google that could impact your business. I would highly suggest managing, or getting someone to manage, your online presence.

Enterprise Social Cyber Attack Inforgraphic - ZeroFox

This is an interesting infographic on how attackers are leveraging social media to phish or get someone to install malware.

Update Adobe Flash

“Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al. - Dan Goodin - ars technica

Update Adobe Flash. A new technique has been discovered that would allow an attacker access to a user’s credentials for certain sites. The vulnerability seems to revolve around JSONP. Which if you work at an organization that utilizes this type of coding in your websites you might want to have your website developers take a look at this blog post, explaining the technique.

Exploring information security: What is a Chief Information Security Officer

In the third edition of the Exploring Information Security (EIS) podcast my infosec cohort Adam Twitty and I talk to the Wh1t3 Rabbit, Rafal Los, about what exactly a Chief Information Security Officer, otherwise known as CISO, is.

Rafal Los presenting at BSides Nashville

Rafal Los presenting at BSides Nashville

Rafal Los (@Wh1t3Rabbit) is the Director of Solutions Research at Accuvant. He produces the Down The Security Rabbithole podcast and writes the Following the Wh1t3 Rabbit security blog. On several occasions he's tackled the CISO role within an organization on both his podcast and blog.  I would highly recommend both if you're in the infosec field or looking to get into it.

In the interview Rafal talks about:

  • What a CISO is
  • What role does a CISO fill in an organization
  • Who skills are needed to be an effective CISO
  • The different types of CISOs

Leave feedback and topic suggestions in the comment section.

InfoSec scam links July 9, 2014

Phishy Steam Guard File Steals SSFN - Christopher Boyd - Malwarebytes Unpacked

If you buy stuff from another user on the Steam store be very aware of who you are buying from. Also, if they ask you to install something, don’t do it.

"Tracy Morgan Is Dead" Fake Video in Circulation - Christopher Boyd - Malwarebytes Unpacked

Scammers aren’t just waiting for big news to happen; they’re starting to make their own news in an effort to get you install malware. As the article says, stick to high reputable news sources for stories like these.

Heroes of the Storm Beta Keygen: A Wizard Did It - Christopher Boyd - Malwarebytes Unpacked

Getting into beta is a wonderful feeling. I’ve been lucky enough to get into a few beta programs for games that had yet to be released. Heroes of the Storm is another highly anticipated game that has started a beta program. You can sign up on their official site. Any other site claiming to have keys is likely a scam.

How to capture traffic from a mobile app

when I switched to the iPhone 5s several weeks ago, I knew I wanted to keep my old Android phone to play around with for infosec purposes. A couple weeks I finally got an opportunity to do exactly that. We had an app that we needed to find out where information input into the app was being sent. The original idea was simple: setup a wireless network for just the device to connect to and wireshark the traffic. I had another idea though: run some sort of PCAP capture app from the device to collect the outgoing traffic.

The Method

  1. Download WiFinspect from Google Play

  2. Root the phone

  3. Run the capture

  4. Export the capture from the phone

Download WiFinspect from Google Play

There are several apps out there that do PCAP capture as well as other “security” type of functions. I decided on WiFinspect because the app is part of a dissertation at the University of Birmingham. The app requires root access to run the PCAP capture and a few other functions. To do that you have to root the Android device. Which is essentially the same thing as jailbreaking an iPhone.

Root the phone

I’m not going to go through the whole process step-by-step because I found a video that does a great job of that. These are the instructions for a HTC 3D Evo, if you have another phone a simple Google search should get you your own instructions:

Run the capture

Open WiFinspect. Next click ‘Network Sniffer’ then Start Sniffing. At this point you can close the app and go to the application and start poking around in it.

Once you’re done go back to the WiFinspect and select ‘Stop Sniffing.’

 

Retrieve the capture

I was using my old HTC 3D Evo, so all I had to do was simply plug the device up to my computer and select the option to use it as a disk drive. I then opened Windows Explorer and navigated to the Removable Disk drive that appeared under Computer. In there the WiFinspect app had created a folder ‘Wi-Fi Probe’ and in there was the PCAP I needed to analyze. Just drag and drop that PCAP onto the computer you’ll be using Wireshark.

Bruce Schneier infosec inception links July 8, 2014

Could Keith Alexander's Advice Possibly Be Worth $600K a Month? - Bruce Schneier - Schneier on Security

What does being the head of the National Security Agency (NSA) get you in retirement? A 600K asking price for security advice. And probably for good reason. Think of all the classified knowledge he has that could help an organization become secure.

NSA Targets the Privacy-Conscious for Surveillance - Bruce Schneier - Schneier on Security

If you use Tor, Tails or other privacy/anonymous types of sites and tools (or read BoingBoing), you’re likely being targeted for monitoring by the NSA.

NSA Employee Flees to Hong Kong -- You won't Believe What Happens Next - Bruce Schneier - Schneier on Security

Another batch of NSA documents have hit the media:

90% of the individuals eavesdropped on were not the targets of the surveillance.

What does the NSA do with the data once they’ve determined it’s unnecessary? Keep it.

Infosec scam links July 3, 2014

Duo Security Researchers Uncover Bypass of PayPal's Two-Factor Authentication - Zach Lanier - Duo Security

I love two-factor authentication. I turn it on just about everywhere that I can. It’s a real easy way to secure your online account. Well, unless it’s not implemented properly and that’s what it looks like PayPal did. Lot of technical details to dive into this one.

Google's Famous Security Guru Found An Embarrassing Hole In Microsoft's Products - Julie Bort - Business Insider

Microsofts nemesis, Tavis Ormandy, who works for Google found a vulnerability in their security software. The word skirmish is used in the article, which just makes this little battle between tech giants all the more juicy. Way better than Jersey Shore.

Redmond's EMET defense tool disabled by exploit torpedo - Darren Pauli - The Register

In other not-good news for Microsoft. It appears that some researchers have found a way to disable their Enhanced Mitigation Experience Toolkit. This doesn’t make the tool useless, but it does mean Microsoft has it’s work cut out for it strengthening the tool. Currently Tech Preview 5.0 is unaffected by this. Researchers are working on 5.0 and will have details regarding those attempts at Black Hat in Las Vegas in August.

Exploring information security: How to organize an infosec conference

In the second edition of the Exploring Information Podcast (EIS) my infosec cohort Adam Twitty and I talk to Ed Rojas about how to put together an information security conference.

EdRojasThinking

Ed Rojas (@EdgarR0jas) is a Master Consultant for HP Enterprise Security and the creator of Security Zone information security conference in Columbia and the organizer of the BSides Nashville security conference. I had the pleasure of attending BSides Nashville this year and got the opportunity to snap a few pictures. Ed was a very accommodating and passionate host for the event. 

In this interview Ed talks about:

  • The first step to organizing a security conference
  • The time and effort it requires
  • How to pick the right date
  • The biggest challenges putting together an event
  • Some of the mistakes that were made
  • Where to host the event

Leave feedback and topic suggestions in the comment section.

WiFi Infosec links July 2, 2014

Bad Guys are Watching You (via insecure Wi-Fi) - Stefan Tanase - Kaspersky Lab Daily

WiFi security is really bad. I would be wary of joining any WiFi network out in public. Especially if it says free, and even more so if you were heading to Sao Paulo for the World Cup. The gist of the article here is that WiFi networks have bad security and so do apps.

And the World Cup Security Centre's WiFi password is... - Graham Cluley - GrahamCluley.com

Dear organizations,

When you bring a photographer and a media person who is going to communicate to the public, please. PLEASE! Be very consciousness about what's around you.

Sincerly,

/Facepalm

"Free" Wi-Fi from Xfinity and AT&T also frees you to be hacked - Sean Gallagher - ars technica

What this world really needs is WiFi everywhere, because it's proven to be a secure way to communicate with the internet. Oh wait... This is a good article that goes into more technical detail and how you device can be pwned connecting to a public WiFi network.

Thoughts on the Houston Astros data breach

I have a good reason for not having my usual link post up this morning. Yesterday I found out that the Houston Astros, the team I root for on a daily basis, had a data breach. Some of the data taken, made it's way onto Anonbin, so last night I spend five hours putting together 1775 words on the data breach over at The Crawfish Boxes. When I was done, the motivation to write was almost completely gone for me.

Be sure to check my post over there, and be sure to check back tomorrow for my regularly scheduled link post AND a new episode of the Exploring Information Security Podcast.