InfoSec privacy links October 23, 2014

How to restore privacy - fix macosx

It appears that Apple's Spotlight app, which helps search for various items, on Max OS X Yosemite devices sends your search data to Apple. This website will show you how to disable the features that send this information. I went ahead and disabled everything, because I don't use Spotlight. For more information click here. To open Spotlight, simply swipe down on the home screen.

Bahraini Activists Hacked by Their Government Go After UK Spyware Maker - Kim Zetter - WIRED

Not long after the phantom Facebook messages, Ali discovered spyware on his computer—a powerful government surveillance tool called FinFisher made by the UK firm Gamma International. Human rights groups and technologists have long criticized Gamma International and the Italian firm Hacking Team for selling surveillance technology to repressive regimes, who use the tools to target political dissidents and human rights activists. Both companies say they sell their surveillance software only to law enforcement and intelligence agencies but that they won’t sell their software to every government. Gamma has, in fact, denied selling its tool to Bahrain, which has a long history of imprisoning and torturing political dissidents and human rights activists.

More Crypto Wars II - Bruce Schneier - Schneier on Security

I'm not sure why he believes he can have a technological means of access that somehow only works for people of the correct morality with the proper legal documents, but he seems to believe that's possible. As Jeffrey Vagle and Matt Blaze point out, there's no technical difference between Comey's "front door" and a "back door."

Google offers new two-factor authentication option

You Can Now Protect Your Google Accounts With a Physical Key - Eric Limer - GIZMODO

I've never had a problem with how Google's two-factor authentication works. There are two options, receive a text message with the two-factor code or install an app that syncs with the Google account. Both methods are fairly easy to use and add a significant amount of security to Google accounts. Now, though, it appears there is a third option, which includes hardware. The hardware will have to be purchased and then enabled for a Google account, but it makes it much easier to interact with a Google account via Chrome or Chrome OS.

I'm a little concerned at the fact that it's a hardware option, because it could be lost or stolen. I imagine that you can disassociate the device from the account if it's lost, but if it's used sparingly there could be a large period of time between the lost device and discovery. And if someone steals the device and happens to have the password to my account it seems like it would be much easier for them to get into my account with hardware that supposed to make it more convenient for me to login. Sure my phone can be lost or stolen, but I'll know about it pretty quickly and it does have a lock on it. And yes, my phone passcode could be cracked, but it is adding another barrier to someone getting into my account vs. a piece of hardware that's triggered by the push of a button. That's not to say that I think this option is bad; it's just that I don't find the current process all that annoying. Regardless, I think a third option is a good thing, because more options for security is a very good thing.

InfoSec links October 20, 2014

Finding a Video Poker Bug Made These Guys Rich -- Then Vegas Made Them Pay - Kevin Poulsen - WIRED

Williams could see that Kane was wielding none of the array of cheating devices that casinos had confiscated from grifters over the years. He wasn't jamming a light wand in the machine's hopper or zapping the Game King with an electro­magnetic pulse. He was simply pressing the buttons. But he was winning far too much, too fast, to be relying on luck alone.

Signed Malware = Expensive "Oops" for HP - Brian Krebs - Krebs on Security

Earlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.

Everything you need to know about the POODLE SSL bug - Troy Hunt - troyhunt.com

Which brings us to POODLE. Whilst I doubt we’ll see the same mass hysteria as we did last month, it is (and will continue) hitting the news and like the other two biggies this year, it’s serious enough to warrant attention and obscure enough to result in wild speculation and a general misunderstanding of the underlying risk. Let me share what I know based on the questions I’m hearing.

InfoSec links October 15, 2014

WPScan Vulnerability Database A New Wordpress Security Resource - Michael Mimoso - Threatpost

It’s not unlikely that a developer may be at a loss as to the security of a particular plug-in, or the disclosure of a devastating flaw in the core WordPress code that could expose a website to attack. During last weekend’s BruCon in Belgium, U.K.-based security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities that he hopes becomes an indispensable resource for pen-testers, administrators and WordPress developers.

The Criminal Indictment That Could Finally Hit Spyware Makers Hard - Kim Zetter - WIRED

The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online until the government succeeded to temporarily close the Virginia-based site (.pdf) that hosted the stolen data.

Developers of hacked Snapchat web app says "Snappening" claims are hoax - Sean Gallagher - ars technica

Posters to 4Chan’s /b/ forum continue to pore over the contents of thousands of images taken by users of the Snapchat messaging service that were recently leaked from a third-party website. Meanwhile, the developer behind that site, SnapSaved.com, used a Facebook post to say it was hacked because of a misconfigured Apache server. The statement also gets into the extent of the breach, while playing down reports that personal information from the users involved was also taken.

InfoSec links October 14, 2014

Signature Systems Breach Expands - Brian Krebs - Krebs on Security

Signature Systems Inc., the point-of-sale vendor blamed for a credit and debit card breach involving some 216 Jimmy John’s sandwich shop locations, now says the breach also may have jeopardized customer card numbers at nearly 100 other independent restaurants across the country that use its products.

Dairy Queen Confirms Breach at 395 Stores - Brian Krebs - Krebs on Security

In a statement issued Oct. 9, Dairy Queen listed nearly 400 DQ locations and one Orange Julius location that were found to be infected with the widely-reported Backoff malware that is targeting retailers across the country.

Snapchat Can't Stop the Parasite Apps That Screw Its Users - Andy Greenberg - WIRED

In a statement, Snapchat puts the blame on third party applications like Snapsaved.com that use its API to allow Snapchatters to save its disappearing messages on their devices, or worse yet, on a remote server. “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,” a Snapchat spokesperson writes in a statement. “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”

Soundscapes: baseball, a walk to work, and trains

Last December I bought my self a Zoom H4n, a portable recording device. I primarily wanted it so that I could record podcast episodes on the go. What I've found, though, is that it's great for collecting sound for soundscapes.

I made this while I was at Spring Training in March.

I have several more minutes of sound than what is presented hear. I wanted to keep the track relatively short while still getting in all the interesting sounds I wanted, so it is an edited soundscape, though, I would be very impressed if you could tell where all the cuts are.

A few weeks ago I made another soundscape as part of a project for my sound design class.

That's my walk into work. This is unedited.

Finally, this is one from my MART 110 class at the University of South Carolina a few semesters ago.

We were supposed to create a soundscape that attempted to elicit some emotion from the listener. The basis for this was from the movie The Shining which has some pretty killer sound work. The one scene that kept sticking in my head while working on this project was when Wendy was pushing the cart through the hotel. That scene reminded me of trains, so I decided to find some train sounds that I could edit together.

Subway sounds are some of the most unsettling eerie sounds and those are the sounds i eventually settled on.

I have audio for two more soundscapes that I plan to release. One is from a class final and the other is from a baseball game that had a heckler.

InfoSec links October 7, 2014

Fileless Infections from Exploit Kit: An Overview - Jéróme Segura - Malwarebytes Unpacked

Unique patterns, packets that match the size of binaries on disk, all make things easier for the good guys to detect and block malicious activity. But the reality is this was just an adaptive phase when the bad guys did not need to spend any extra effort and still got what they wanted: high numbers of infections.

How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks - Kim Zetter - Wired

Viruses and worms have each had their day in the spotlight. Remote-access Trojans, which allow a hacker to open and maintain a secret backdoor on infected systems, have had their reign as well. These days, though, point-of-sale RAM scrapers are what’s making the news.

The Unpatchable Malware That Infects USBs Is Now on the Loose - Andy Greenberg - WIRED

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

Twitter: Star Wars, bugs called bash, and cartoons

WIRED infosec links October 3, 2014

Google and Apple Won't Unlock Your Phone, But a Court Can Make You Do It - Andy Greenberg - WIRED

Silicon Valley’s smartphone snitching has come to an end. Apple and Google have promised that the latest versions of their mobile operating systems make it impossible for them to unlock encrypted phones, even when compelled to do so by the government. But if the Department of Justice can’t demand that its corporate friends unlock your phone, it may have another option: Politely asking that you unlock it yourself, and letting you rot in a cell until you do.

MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code - Kim Zetter - WIRED

The mining tool, known as Tidbit, was developed in late 2013 by Rubin and his classmates for the Node Knockout hackathon—only Rubin is identified on the subpoena but his three classmates are identified on the hackathon web site as Oliver Song, Kevin King and Carolyn Zhang. The now defunct tool was designed to offer web site visitors an alternative way to support the sites they visited by using their computers to mine Bitcoins for them in exchange for having online ads removed.

Kevin Mitnick, Once the World's Most Wanted Hacker, Is Now Selling Zero-Day Exploits - Andy Greenberg - WIRED

Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.

Another round of Shellshock Bash bug links October 2, 2014

Here's some of the latest news on the Shellshock Bash bug:

The anatomy of a Shellshock attack in the wild - Troy Hunt - troyhunt.com

It’s probably a bit early to speculate about the true cost of Shellshock, but what I can do – and in a very objective fashion – is decompose a typical Bash bug attack. I can do this because I had one hit my logs just a couple of days ago.

Shellshock fixes beget another round of patches as attacks mount - Sean Gallagher - ars technica

At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash’s security (dubbed “Shellshock”) have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system.

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 - Andrew Cunningham - ars technica

Shellshock, in essence, allows attackers to issue commands to systems via malformed environment variables. In the case of Web servers, it can allow attackers to gain full control of the system. Exploits of the bug have already been spotted in the wild, and end users and server administrators are all encouraged to patch their systems as soon as possible.

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole - Sean Gallagher - ars technica

In other words, “Shellshock” may be partially patched, but it’s still highly dangerous on systems that might use bash to pass information to the operating system or to launch other software. And it may take a significant change to fix the code.

Things to know: Jimmy John's and Home Depot breach

I meant to write something up on this last week, but someone found a bug in bash that set my world on fire. I've asked several friends and family if they've heard about the Jimmy John's and/or Home Depot breach and the response has been less than encouraging. So here's the low done on the two breaches.

Home Depot

56 million debit and credit card numbers were stolen between April and September of this year:

Home Depot: 56M Cards Impacted, Malware Contained - Brian Krebs - Krebs on Security

It looks like the breach impacted all Home Depot stores in the US and Canada. If the numbers seem quite low for a four-to-five month breach it's because the self-checkout terminals seem to be the ones that got owned. Either way, if you shopped at Home Depot between April and September, get a new card issued from their bank. They'll be sure to send the bill to Home Depot, so don't let them talk you out of a new card. And oh hey look! Home Depot is offering free identity protection for 12 months. Be sure to sign up for that, but realize that "protection" won't stop nefarious people from using your identity for their own gain.

Official Statement

Jimmy John's

216 stores were found to have been affected by this event and Jimmy John's has been kind enough to provide a search tool for the stores that were owned.

Affected Stores & Dates

Two stores were affected in South Carolina, one of which I've gone to in the last year. Luckily I haven't been there in the last three months. Bullet dodged. The tool is easy to use, just input a store number, city, state, address or date. Using a state's two-letter code should limit the results enough to help you identify if you've been affected by this particular breach. Full details can be found below on the incident.

Data Security Incident

Protect yourself

These are only two of the many breaches that have occurred this year. Goodwill has gotten popped as well as several other smaller and local businesses. Here are some tips for protecting yourself from identity theft that could occur from breaches like these:

Check bank statements regularly. It's ridiculously easy to do and should only take 10-15 minutes. I would recommend trying to check bank statements at least once a week. With online banking it shouldn't take more than 10-15 minutes to pop in and check what's been purchased on all your cards.

Also, I would highly recommend using credit cards instead of debit cards. It's a lot easier to replace a credit card than it is a debit card.

Finally, I would recommend cash, but then you have to worry about skimmers on ATM machines, so I won't. =P

Happy shopping!

Shellshock Bash bug impressions

There's been some discussion both at work and on Twitter on whether or not the bash bug is worse than Heartbleed. Bottom line is that it doesn't matter. Both bugs have a severity of 10 out of 10, which make them serious business for everyone involve in information security. For the record, I do think Bash is a little more complicated than Heartbleed, but has the potential to be much more dangerous.

Unlike Heartbleed, which just scrapped information as it goes by on a system using OpenSSL. The Bash bug needs some form of initial bash access. Bash for the uninitiated is essentially a command prompt within Linux, Unix and Mac systems. Common Gateway Interface (CGI) functionality seems to be enough for the bug to be exploitable. The good news is that not all websites utilize CGI; unfortunately, it appears that about half the websites on the internet do, mostly webservers running Apache. For a more in-depth technical look at the Shellshock Bash bug I would highly recommend Troy Hunt's post.

More bad news

The Bash bug isn't just limited to webservers though. It could also affect anything that connects to the internet, which would include your router and any home appliances that can be accessed from an app or the internet. Once the exploit is executed, the attacker essentially has the access to do whatever he wants on the device and it's already being exploited in the wild.

What can be done?

Test everything: IT departments should be testing any device that uses Linux, Unix, and Mac as part of its structure. This includes appliances, firewalls, routers, switches, printers, websites, phones, etc. Bash use is so widespread that ever organization is going to have something vulnerable that will need to be patched. Devices that are available to the internet are of particular concern and should be tested first. 

Pay attention to network traffic logs: signatures should be available for Intrusion Prevention/Detection Systems (IPS/IDS). Watch for incoming and outgoing alerts and pay attention to anything abnormal in the logs. Anything abnormal should be investigated.

Patch everything: vendors should be working on patches and once available should be applied to systems at a reasonable time. Systems available on the internet should be patched as soon as possible. Systems available internally should be patched next with the most critical systems first. After patches are applied the system needs to be tested for the bash bug. The easiest way I've seen is opening up a console and typing in this command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

At home equipment: routers are likely to be the biggest problem. ISP owned routers should be patched by the ISP. Personally owned routers will need to be patched by the owner. It's usually quiet easy to do; but not easily remember to do. For my home router I have to login to the router. Go to the firmware version and click the update button.

Browsing the internets: this is a good time as any to start utilizing safe browsing techniques on the internet. This bug is going to allow attackers to change content on vulnerable web servers, which could include adding malware to that content. This could put anyone who browses to the website at risk of downloading that malware content. Here are two tips for safe web browsing:

  1. Make sure your system is fully patched. That includes: operating system updates, java, adobe flash player, etc. A program that can help with this is Secunia. It's free and does most of the updating for you
  2. Use FireFox to browse the internet. It is free and there's a wonderful add-on that can be installed called NoScript that protects a computer from cross-site scripting (XSS) and Clickjacking attacks. It will require some work to use initially.

We'll get through this

This is a very serious bug and it's easy to get overwhelmed and/or paranoid, but we will get through it. The more I've researched and tested for the bug the more comfortable I've become with it. That doesn't mean I'm worrying less or more at ease, but it does mean that I think we can get a handle on it get the issue fixed. Well fixed for those that want to put the time and effort into getting the bug fixed. 

 

 

Blackhat trailer numero uno

Yes, this is in fact a movie about a hacker.

I'm not sure if it's going to be a hacking movie, but Thor...excuse me Chris Hemsworth is a hacker that has been put away by the US government for 15 years. He's released to help the US government hunt down another hacker attacking US infrastructure.

On top of being a, "genius hacker and coder from MIT" he also apparently kicks ass like Thor and can handle a gun, at least in the trailer. It will be interesting to see if the hacker role will play a significant role or a side roll to this movie. The term blackhat, for those who don't know, is used to denote hackers who are of a criminal nature. Or they use their "powers" for self gain. The hope is that the studio using the title "Blackhat" for one of its movies about hackers would ensure that there is at least some relevancy to its correct usage. But Hollywood can be Hollywood sometimes.

It looks like an interesting movie, though.

Micheal Mann is one of the main players behind the scenes of this movie with director, screenplay, story and producer credit. Some of the other movies he's known for include: Heat; Public Enemies; The Insider; and The Last of the Mohicans (IMDB). The dude has been nominated for an Oscar four times. If you browse his IMDB page you'll get an idea of what kind of movie this is likely to be. Of the movies I've seen he's been involved in: Hancock; Miami Vice; and Ali. All solid movies in my opinion.

Will this be a true hacker movie? Unlikely, but nothing will be if Hollywood is involved.

Will this be an entertaining movie about hackers? There's a very good chance.

Movie expected release date: January 16, 2015.

Useful Shellshock Bash bug links September 29, 2014

Bash Vulnerability Part 6: YABU - Yet Another Bash Update - Doug Burks - Security Onion

If you run Snort this might be of interest to you.

Shellshock in the Wild - Micheal Lin, James Bennett, and David Bianco - FireEye

FireEye has been keeping an eye (pun intended) on Shellshock activity and has a list of how the exploit is being used.

 

Shellshock Bash bug links September 25, 2014

Bug in Bash shell creates big security hole on anything with *nix in it - Sean Gallagher - ars technica

Good starting point for understanding what the bash bug aka Shellshock is. To test your Linx, Unix, or Mac based equipment type this into the command line:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get the world "vulnerable" as a response then your machine is affected by this bug.

Everything you need to know about the Shellshock Bash bug - Troy Hunt - troyhunt.com

A longer, more in-depth look at the bug sweeping the internet. I would highly recommend reading this if you work in an IT department.

The Thanks-Rob Worm to Come - Richard Stiennon - securitycurrent

It appears someone has begun utilizing the bug to create a worm that downloads malware.

AWS users fret over downtime ahead of Amazon's massive EC2 reboot - Liam Tung - ZDNet

Shellshock isn't mentioned as a reason for the reboot, but a "critical security flaw" is and likely means that Amazon's Web Services are affected by this bug.