InfoSec links October 20, 2014

Finding a Video Poker Bug Made These Guys Rich -- Then Vegas Made Them Pay - Kevin Poulsen - WIRED

Williams could see that Kane was wielding none of the array of cheating devices that casinos had confiscated from grifters over the years. He wasn't jamming a light wand in the machine's hopper or zapping the Game King with an electro­magnetic pulse. He was simply pressing the buttons. But he was winning far too much, too fast, to be relying on luck alone.

Signed Malware = Expensive "Oops" for HP - Brian Krebs - Krebs on Security

Earlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.

Everything you need to know about the POODLE SSL bug - Troy Hunt - troyhunt.com

Which brings us to POODLE. Whilst I doubt we’ll see the same mass hysteria as we did last month, it is (and will continue) hitting the news and like the other two biggies this year, it’s serious enough to warrant attention and obscure enough to result in wild speculation and a general misunderstanding of the underlying risk. Let me share what I know based on the questions I’m hearing.

InfoSec links October 15, 2014

WPScan Vulnerability Database A New Wordpress Security Resource - Michael Mimoso - Threatpost

It’s not unlikely that a developer may be at a loss as to the security of a particular plug-in, or the disclosure of a devastating flaw in the core WordPress code that could expose a website to attack. During last weekend’s BruCon in Belgium, U.K.-based security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities that he hopes becomes an indispensable resource for pen-testers, administrators and WordPress developers.

The Criminal Indictment That Could Finally Hit Spyware Makers Hard - Kim Zetter - WIRED

The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online until the government succeeded to temporarily close the Virginia-based site (.pdf) that hosted the stolen data.

Developers of hacked Snapchat web app says "Snappening" claims are hoax - Sean Gallagher - ars technica

Posters to 4Chan’s /b/ forum continue to pore over the contents of thousands of images taken by users of the Snapchat messaging service that were recently leaked from a third-party website. Meanwhile, the developer behind that site, SnapSaved.com, used a Facebook post to say it was hacked because of a misconfigured Apache server. The statement also gets into the extent of the breach, while playing down reports that personal information from the users involved was also taken.

InfoSec links October 14, 2014

Signature Systems Breach Expands - Brian Krebs - Krebs on Security

Signature Systems Inc., the point-of-sale vendor blamed for a credit and debit card breach involving some 216 Jimmy John’s sandwich shop locations, now says the breach also may have jeopardized customer card numbers at nearly 100 other independent restaurants across the country that use its products.

Dairy Queen Confirms Breach at 395 Stores - Brian Krebs - Krebs on Security

In a statement issued Oct. 9, Dairy Queen listed nearly 400 DQ locations and one Orange Julius location that were found to be infected with the widely-reported Backoff malware that is targeting retailers across the country.

Snapchat Can't Stop the Parasite Apps That Screw Its Users - Andy Greenberg - WIRED

In a statement, Snapchat puts the blame on third party applications like Snapsaved.com that use its API to allow Snapchatters to save its disappearing messages on their devices, or worse yet, on a remote server. “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,” a Snapchat spokesperson writes in a statement. “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”

Soundscapes: baseball, a walk to work, and trains

Last December I bought my self a Zoom H4n, a portable recording device. I primarily wanted it so that I could record podcast episodes on the go. What I've found, though, is that it's great for collecting sound for soundscapes.

I made this while I was at Spring Training in March.

I have several more minutes of sound than what is presented hear. I wanted to keep the track relatively short while still getting in all the interesting sounds I wanted, so it is an edited soundscape, though, I would be very impressed if you could tell where all the cuts are.

A few weeks ago I made another soundscape as part of a project for my sound design class.

That's my walk into work. This is unedited.

Finally, this is one from my MART 110 class at the University of South Carolina a few semesters ago.

We were supposed to create a soundscape that attempted to elicit some emotion from the listener. The basis for this was from the movie The Shining which has some pretty killer sound work. The one scene that kept sticking in my head while working on this project was when Wendy was pushing the cart through the hotel. That scene reminded me of trains, so I decided to find some train sounds that I could edit together.

Subway sounds are some of the most unsettling eerie sounds and those are the sounds i eventually settled on.

I have audio for two more soundscapes that I plan to release. One is from a class final and the other is from a baseball game that had a heckler.

InfoSec links October 7, 2014

Fileless Infections from Exploit Kit: An Overview - Jéróme Segura - Malwarebytes Unpacked

Unique patterns, packets that match the size of binaries on disk, all make things easier for the good guys to detect and block malicious activity. But the reality is this was just an adaptive phase when the bad guys did not need to spend any extra effort and still got what they wanted: high numbers of infections.

How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks - Kim Zetter - Wired

Viruses and worms have each had their day in the spotlight. Remote-access Trojans, which allow a hacker to open and maintain a secret backdoor on infected systems, have had their reign as well. These days, though, point-of-sale RAM scrapers are what’s making the news.

The Unpatchable Malware That Infects USBs Is Now on the Loose - Andy Greenberg - WIRED

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

Twitter: Star Wars, bugs called bash, and cartoons

WIRED infosec links October 3, 2014

Google and Apple Won't Unlock Your Phone, But a Court Can Make You Do It - Andy Greenberg - WIRED

Silicon Valley’s smartphone snitching has come to an end. Apple and Google have promised that the latest versions of their mobile operating systems make it impossible for them to unlock encrypted phones, even when compelled to do so by the government. But if the Department of Justice can’t demand that its corporate friends unlock your phone, it may have another option: Politely asking that you unlock it yourself, and letting you rot in a cell until you do.

MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code - Kim Zetter - WIRED

The mining tool, known as Tidbit, was developed in late 2013 by Rubin and his classmates for the Node Knockout hackathon—only Rubin is identified on the subpoena but his three classmates are identified on the hackathon web site as Oliver Song, Kevin King and Carolyn Zhang. The now defunct tool was designed to offer web site visitors an alternative way to support the sites they visited by using their computers to mine Bitcoins for them in exchange for having online ads removed.

Kevin Mitnick, Once the World's Most Wanted Hacker, Is Now Selling Zero-Day Exploits - Andy Greenberg - WIRED

Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.

Another round of Shellshock Bash bug links October 2, 2014

Here's some of the latest news on the Shellshock Bash bug:

The anatomy of a Shellshock attack in the wild - Troy Hunt - troyhunt.com

It’s probably a bit early to speculate about the true cost of Shellshock, but what I can do – and in a very objective fashion – is decompose a typical Bash bug attack. I can do this because I had one hit my logs just a couple of days ago.

Shellshock fixes beget another round of patches as attacks mount - Sean Gallagher - ars technica

At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash’s security (dubbed “Shellshock”) have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system.

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 - Andrew Cunningham - ars technica

Shellshock, in essence, allows attackers to issue commands to systems via malformed environment variables. In the case of Web servers, it can allow attackers to gain full control of the system. Exploits of the bug have already been spotted in the wild, and end users and server administrators are all encouraged to patch their systems as soon as possible.

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole - Sean Gallagher - ars technica

In other words, “Shellshock” may be partially patched, but it’s still highly dangerous on systems that might use bash to pass information to the operating system or to launch other software. And it may take a significant change to fix the code.

Things to know: Jimmy John's and Home Depot breach

I meant to write something up on this last week, but someone found a bug in bash that set my world on fire. I've asked several friends and family if they've heard about the Jimmy John's and/or Home Depot breach and the response has been less than encouraging. So here's the low done on the two breaches.

Home Depot

56 million debit and credit card numbers were stolen between April and September of this year:

Home Depot: 56M Cards Impacted, Malware Contained - Brian Krebs - Krebs on Security

It looks like the breach impacted all Home Depot stores in the US and Canada. If the numbers seem quite low for a four-to-five month breach it's because the self-checkout terminals seem to be the ones that got owned. Either way, if you shopped at Home Depot between April and September, get a new card issued from their bank. They'll be sure to send the bill to Home Depot, so don't let them talk you out of a new card. And oh hey look! Home Depot is offering free identity protection for 12 months. Be sure to sign up for that, but realize that "protection" won't stop nefarious people from using your identity for their own gain.

Official Statement

Jimmy John's

216 stores were found to have been affected by this event and Jimmy John's has been kind enough to provide a search tool for the stores that were owned.

Affected Stores & Dates

Two stores were affected in South Carolina, one of which I've gone to in the last year. Luckily I haven't been there in the last three months. Bullet dodged. The tool is easy to use, just input a store number, city, state, address or date. Using a state's two-letter code should limit the results enough to help you identify if you've been affected by this particular breach. Full details can be found below on the incident.

Data Security Incident

Protect yourself

These are only two of the many breaches that have occurred this year. Goodwill has gotten popped as well as several other smaller and local businesses. Here are some tips for protecting yourself from identity theft that could occur from breaches like these:

Check bank statements regularly. It's ridiculously easy to do and should only take 10-15 minutes. I would recommend trying to check bank statements at least once a week. With online banking it shouldn't take more than 10-15 minutes to pop in and check what's been purchased on all your cards.

Also, I would highly recommend using credit cards instead of debit cards. It's a lot easier to replace a credit card than it is a debit card.

Finally, I would recommend cash, but then you have to worry about skimmers on ATM machines, so I won't. =P

Happy shopping!

Shellshock Bash bug impressions

There's been some discussion both at work and on Twitter on whether or not the bash bug is worse than Heartbleed. Bottom line is that it doesn't matter. Both bugs have a severity of 10 out of 10, which make them serious business for everyone involve in information security. For the record, I do think Bash is a little more complicated than Heartbleed, but has the potential to be much more dangerous.

Unlike Heartbleed, which just scrapped information as it goes by on a system using OpenSSL. The Bash bug needs some form of initial bash access. Bash for the uninitiated is essentially a command prompt within Linux, Unix and Mac systems. Common Gateway Interface (CGI) functionality seems to be enough for the bug to be exploitable. The good news is that not all websites utilize CGI; unfortunately, it appears that about half the websites on the internet do, mostly webservers running Apache. For a more in-depth technical look at the Shellshock Bash bug I would highly recommend Troy Hunt's post.

More bad news

The Bash bug isn't just limited to webservers though. It could also affect anything that connects to the internet, which would include your router and any home appliances that can be accessed from an app or the internet. Once the exploit is executed, the attacker essentially has the access to do whatever he wants on the device and it's already being exploited in the wild.

What can be done?

Test everything: IT departments should be testing any device that uses Linux, Unix, and Mac as part of its structure. This includes appliances, firewalls, routers, switches, printers, websites, phones, etc. Bash use is so widespread that ever organization is going to have something vulnerable that will need to be patched. Devices that are available to the internet are of particular concern and should be tested first. 

Pay attention to network traffic logs: signatures should be available for Intrusion Prevention/Detection Systems (IPS/IDS). Watch for incoming and outgoing alerts and pay attention to anything abnormal in the logs. Anything abnormal should be investigated.

Patch everything: vendors should be working on patches and once available should be applied to systems at a reasonable time. Systems available on the internet should be patched as soon as possible. Systems available internally should be patched next with the most critical systems first. After patches are applied the system needs to be tested for the bash bug. The easiest way I've seen is opening up a console and typing in this command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

At home equipment: routers are likely to be the biggest problem. ISP owned routers should be patched by the ISP. Personally owned routers will need to be patched by the owner. It's usually quiet easy to do; but not easily remember to do. For my home router I have to login to the router. Go to the firmware version and click the update button.

Browsing the internets: this is a good time as any to start utilizing safe browsing techniques on the internet. This bug is going to allow attackers to change content on vulnerable web servers, which could include adding malware to that content. This could put anyone who browses to the website at risk of downloading that malware content. Here are two tips for safe web browsing:

  1. Make sure your system is fully patched. That includes: operating system updates, java, adobe flash player, etc. A program that can help with this is Secunia. It's free and does most of the updating for you
  2. Use FireFox to browse the internet. It is free and there's a wonderful add-on that can be installed called NoScript that protects a computer from cross-site scripting (XSS) and Clickjacking attacks. It will require some work to use initially.

We'll get through this

This is a very serious bug and it's easy to get overwhelmed and/or paranoid, but we will get through it. The more I've researched and tested for the bug the more comfortable I've become with it. That doesn't mean I'm worrying less or more at ease, but it does mean that I think we can get a handle on it get the issue fixed. Well fixed for those that want to put the time and effort into getting the bug fixed. 

 

 

Blackhat trailer numero uno

Yes, this is in fact a movie about a hacker.

I'm not sure if it's going to be a hacking movie, but Thor...excuse me Chris Hemsworth is a hacker that has been put away by the US government for 15 years. He's released to help the US government hunt down another hacker attacking US infrastructure.

On top of being a, "genius hacker and coder from MIT" he also apparently kicks ass like Thor and can handle a gun, at least in the trailer. It will be interesting to see if the hacker role will play a significant role or a side roll to this movie. The term blackhat, for those who don't know, is used to denote hackers who are of a criminal nature. Or they use their "powers" for self gain. The hope is that the studio using the title "Blackhat" for one of its movies about hackers would ensure that there is at least some relevancy to its correct usage. But Hollywood can be Hollywood sometimes.

It looks like an interesting movie, though.

Micheal Mann is one of the main players behind the scenes of this movie with director, screenplay, story and producer credit. Some of the other movies he's known for include: Heat; Public Enemies; The Insider; and The Last of the Mohicans (IMDB). The dude has been nominated for an Oscar four times. If you browse his IMDB page you'll get an idea of what kind of movie this is likely to be. Of the movies I've seen he's been involved in: Hancock; Miami Vice; and Ali. All solid movies in my opinion.

Will this be a true hacker movie? Unlikely, but nothing will be if Hollywood is involved.

Will this be an entertaining movie about hackers? There's a very good chance.

Movie expected release date: January 16, 2015.

Useful Shellshock Bash bug links September 29, 2014

Bash Vulnerability Part 6: YABU - Yet Another Bash Update - Doug Burks - Security Onion

If you run Snort this might be of interest to you.

Shellshock in the Wild - Micheal Lin, James Bennett, and David Bianco - FireEye

FireEye has been keeping an eye (pun intended) on Shellshock activity and has a list of how the exploit is being used.

 

Shellshock Bash bug links September 25, 2014

Bug in Bash shell creates big security hole on anything with *nix in it - Sean Gallagher - ars technica

Good starting point for understanding what the bash bug aka Shellshock is. To test your Linx, Unix, or Mac based equipment type this into the command line:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get the world "vulnerable" as a response then your machine is affected by this bug.

Everything you need to know about the Shellshock Bash bug - Troy Hunt - troyhunt.com

A longer, more in-depth look at the bug sweeping the internet. I would highly recommend reading this if you work in an IT department.

The Thanks-Rob Worm to Come - Richard Stiennon - securitycurrent

It appears someone has begun utilizing the bug to create a worm that downloads malware.

AWS users fret over downtime ahead of Amazon's massive EC2 reboot - Liam Tung - ZDNet

Shellshock isn't mentioned as a reason for the reboot, but a "critical security flaw" is and likely means that Amazon's Web Services are affected by this bug.

 

 

InfoSec links September 24, 2014

Data Breach Victims or Enablers? - Bill Brenner - Liquid Matrix

Companies that suffer a breach — Home Depot and Target have been among this year’s biggest poster children — are victims. They don’t set out to put their customers’ data in danger and they probably thought they were practicing all due diligence until they discovered the intrusions. But they probably also mistook their compliance check lists for real security and failed to turn security into a company-wide mindset, and that makes them enablers for the hackers who beat them.

Home Depot ignored security warnings for years employees say - Sean Gallagher - ars technica

Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

Massive Malvertising Network is 9 Times Bigger Than Originally Thought: Cisco - Brian Prince - Security Week

"The “Kyle and Stan” network is a highly sophisticated malvertising network," blogged Armin Pelkmann, threat researcher with Cisco. "It leverages the enormous reach of well placed malicious advertisements on very well known websites in order to potentially reach millions of users. The goal is to infect Windows and Mac users alike with spyware, adware, and browser hijackers."

Productivity vs. Burnout

I recently read an article that talked about the amount of time you should work every day.

One of the findings from a study done on people working is that the people with the most productivity are the ones that work for 52 minutes and then take a 17 minute break. Now, these aren't people that sit at their desk and surf Facebook or Twitter or the internet during their break; these are people who get up and get away for a break or read a book for their break. Another point of the article is that we only have so much psychological energy each day.

I've been thinking about the article the last day and trying to put into perspective my own work habits. I think that breaks are important, but 17 minutes is only an average and I think some people are going to be more productive with a five minute break and some are going to work better after a 30 minute break. We're all different. I also think that we can condition ourselves to be more productive with less of the break.

What constitutes work? Is something you're passionate about constituted as work? I think that can play a factor as well. I've had a full day of work and then had two college classes. One of which was a Spanish course. I only had about a 15 minute break at lunch, as the other 45 minutes were spent on Spanish homework. Yet, here I am writing a post for my site, because I forgot to do it last night. But this doesn't feel like work. Some people might view maintaining a website as work, but not me. I enjoy this. It makes me feel like I'm being productive and not just sitting around on my ass.

Last year I was putting out two to three articles a week on The Crawfish Boxes (TCB). At times it felt like work, but for the most part I enjoyed what I was doing. This season I've taken a step back. Partly because of some of the things that transpired with the Astros; partly because I wanted to focus on advancing my career in information security; and partly because I was burned out. One post a week of 300-500 words is a lot work. I was doing three of those, plus two weekly podcasts, a breaking news podcast and eventually I spun up a monthly podcast and bi-weekly podcast. It was a lot of work, but came to me easy, because I enjoyed it. Still I burned myself out and I've been having some trouble refocusing my productivity towards information security.

I want be as productive for the infosec community as I was for TCB, but I also don't want to burn myself out. Burnout seems to be a small issue within the infosec community and I already feel it at my day job. I think there's a balance to be struck; I just need to find it.

Monday morning links September 22, 2014

For Sale Soon: The World's First Google Glass Detector - Andy Greenberg - Wired

“Basically it’s a wireless defense shield for your home or place of work,” says Oliver. “The intent is to counter a growing and tangibly troubling emergence of wirelessly capable devices that are used and abused for surveillance and voyeurism.”

"Hobbes and Bacon" is a "Calvin and Hobbes" tribute that takes place 26 years later - Free Republic

This was posted two years ago and is just simply awesome. If you read Calvin and Hobbes growing up you'll really enjoy this.