Tweets worth mentioning July 31, 2014

Exploring Information Security: What is cryptography

JustinTroutman

In the fourth edition of the Exploring Information Security (EIS) podcast, I talk to the smooth sounding Justin Troutman a cryptographer from North Carolina about what cryptography is.

Justin is a security and privacy research currently working on a project titled, "Mackerel: A Progressive School of Cryptographic Thought." You can find him on Twitter (@JustinTroutman) discussing ways in which crypto can be made easier for the masses. Be sure to check out his website for more information.

In the interview Justin talks about

  • What cryptography is
  • Why everyone should care about cryptography
  • What some of it's applications are
  • How someone would get started in cryptography and what are some of the skills needed

Leave feedback and topic suggestions in the comment section below.

InfoSec links July 29, 2014

Banks: Card Breach at Goodwill Industries - Brian Krebs - Krebs on Security

Who steals from Goodwill? Honestly.

What's the worst thing you can say to a sysadmin? - Naked Security - Sophos

I had no idea there was such a thing as SysAdmin day, let alone that it’s been going on for the past 15 years.

The Barnaby Jack Few Knew: Celebrated Hacker Saw Spotlight as 'Necessary Evil' - Jordan Robertson - Bloomberg

A profile on Barnaby Jack whom I’ve heard only good things about.

InfoSec Links July 28, 2014

Here's How Easy It Could Be for Hackers to Control Your Hotel Room - Kim Zetter - Wired

The attack surface for hotels will increase as more electronic amenities are added to rooms. Security should be kept in mind from both the hotel side and the guest side.

How Thieves Can Hack and Disable Your Home Alarm System - Kim Zetter - Wired

It looks like some home security companies have some work to do in the security arena. Codes are being transmitted in a way that allows someone with the right equipment to capture your home alarm system code and they don’t necessarily need to be standing in front of your house. I like the idea of rotating numbers similar to what you get with two-factor authentication.

The App I Used to Break Into My Neighbor's Home - Andy Greenberg - Wired

This is scary. And even more scary is the fact that the company who designed an app to make keys with a picture seems to downplay some of the concerns surrounding that technique.

AddThis, the White House, and Privacy Badger

White House Website Includes Unique Non-Cookie Tracker, Conflicts With Privacy Policy - Peter Eckersley - Electronic Frontier Foundation

The company AddThis has been playing around with a replacement for cookies. The idea is that each computer handles browser traffic slightly different, so give it a pen and paper and let it draw a visualization of what that looks like. A cool idea, but it essentially means AddThis is fingerprinting all computers for tracking purposes. Not a good thing for privacy and apparently the White House dot gov is one of many sites running this new fangled voodoo from AddThis. There is a way to mitigate this though and it comes in the way of EFF’s recently released browser extension, Privacy Badger.

The extension is easy install. Simply, go to this site and click on the link for your browser. Accept the installation of the extension. Once the extension has been installed a badger icon will appear in the top right corner of the browser and a page will open explaining what the different indicators mean.

  • Green means you’re not being tracked.
  • Yellow means the site is tracking you, but on a whitelist. The cookie in question may be needed to view the page properly.
  • Red means the content has been disallowed.

Clicking on the extension icon will open up a panel with the list of domains that are being either blocked or allowed. You can change setting for the domain by sliding the bar left or right.

The extension is really easy to install and use and improves your privacy while surfing the internet. I’ve been using it for a little while now and I haven’t noticed any significant performance issues. I have noticed that I am no longer creeped out by ads that display service or equipment from email conversations with other people.

Another extension I highly recommend is NoScript for Firefox. According to Bruce Schneier, it appears that extension will block most of this stuff as well. NoScript requires a little more involvement, as it blocks everything by default and you have to decide what to allow, but it is one of the easiest things you can do to improve your own personal security as you browse the internet.

If you have anything further to add or other suggestions for safe browsing, leave a comment below.

 

InfoSec links July 24, 2014

"Severe" password manager attacks steal digital keys and data en masse - Dan Goodin - ars technica

I’ve never liked the idea of putting my passwords in the cloud and that’s essentially what you’re doing with these web based password managers. The fact that research has determined them to be vulnerable does not sway me to put my passwords online.

Automobile Industry Accelerates Into Security - Kelly Jackson Higgins - Dark Reading

Automobile security is about to become a major thing. Unlike a computer, if a car is hacked it could mean life or death for someone. I’ve read several articles recently that give encouraging signs that some automobile makers are taking car security seriously.

Security Firm Manages To Access Deleted Data On Used Android Devices - Red Orbit

iPhone users carry on. According to this article, old Android phones do not exactly wipe the drive when a reset to factory defaults is initiated. Apparently, all that does is delete or erase the index file, so the phone can’t find the old data. Forensic tools on the other hand are very capable of finding the old data. Great if you realize you need something; not so great if you don’t need anything. The workaround is to enable encryption on the device, then do a factory reset. Encrypting the drive will make it so that when the index file is deleted the data becomes unreadable because the encryption key is lost.

Public infosec links July 21, 2014

How to remove your house from Google Street View - Graham Cluley - welivesecurity

Google is mapping the world, which does come with privacy concerns. However, there is a way for someone to request that their home be blurred on Google Maps street view.

The Rise of Thin, Mini and Insert Skimmers - Brian Krebs - Krebs on Security

There are devices that can be attached to an ATM that can grab your credit card information and pin number. The stuff is meant to look like it’s part of the ATM. If you can wiggle something loose at an ATM it’s probably not meant to be there. Look for anything that appears to be out of place on an ATM.

Beware Keyloggers at Hotel Business Centers - Brian Krebs - Krebs on Security

Malware on a public machine is not all that surprising. Using a public computer for personal accounts is never a good idea. I would recommend avoiding public computers all together, but if you must I would be very careful what information you access on that machine.

InfoSec links July 18, 2014

It Is Idiotic To Hand Out Your Twitter Password to Prove Passwords Are Dead - Kashmir Hill - Forbes

How a journalist distributed denial-of-service (DDoS) his account in one easy step. He tweeted out his Twitter password with two-factor authentication on. He wanted to prove that two-factor authentication was a fantastic security measure. To my knowledge no one has gotten into his Twitter account yet, however, he has had to switch phone numbers.

Project Zero - A Team of Star-Hackers Hired by Google to Protect the Internet - Mohit Kumar - The Hacker News

I can’t help but get a little giddy about this. Sounds very Avengers like and a new way to think about information security. I have on my board at work “Hunt Teams,” which is an idea I heard on a podcast. The team essentially tries to prove that the organization hasn’t been hacked yet.

Meet Google's Security Princess - Clare Malone - Elle

A wonderful read on Google’s Security Princess (her title choice) Parisa Tabriz. She’s the hacker hired by Google to break into Google. The article talks about her background and rise to a security manager of 30 people at Google. It’s Friday, take about 15 minutes through this article. You won’t be disappointed.

Infosec links July 16, 2014

2014: The Year Extortion Went Mainstream - Brian Krebs - Krebs on Security

Extortion has been around for a while, but it looks like it might be the hot new strategy for online criminals to make money. The idea is that you get a letter in the mail requesting that you pay the extortionists in bitcoins or have your business or person languished online via negative publicity. Of course there’s also the good ol crypto locker malware that encrypts your hard drive and holds all your data hostage until you pay. Fun times.

The 5 Biggest Cybersecurity Myths, Debunked - Peter W. Singer and Allan Friedman - WIRED

Interesting list about the five cyber security myths:

  • Cybersecurity is unlike any challenge we have faced
  • Every day we face "millions of cyber attacks"
  • This is a technology problem
  • The best (cyber) defense is a good (cyber) offense
  • "Hackers" are the biggest thread to the internet today

You may not agree with all of them, but they should at least make you think about several issues involving information security.

The State of Metric Based Security - Gavin Millard - Infographic

Metrics are something I’ve always wanted to get into. This infographic doesn’t discuss how to do metrics, but instead looks at who is doing metrics and to what effect. Good read if you want to see how companies are viewing metrics within information security. I’m planning on having a future podcast about the topic.

Pro Photoshop Tip: History States

Make sure your History States are set to 1000 when working in Photoshop. To set your History States:

Edit -> Preferences -> Performance

On the Performance tab should be a History & Cache section. Set History States to 1000. Mine was at 20, which meant Photoshop would only save my last 20 changes. I quickly and easily filled that up with stamp, dodge and various other changes that didn't allow me to go back very far when I royally screwed up the graphic I was working on. It all worked out as I was working in layers and could just replace the layer I was working on with the original.

Bonus Pro Photosho Tip: Always work in layers

InfoSec links July 15, 2014

Pandemiya Emerges As New Malware Alternative To Zeus-Based Variants - Fraud Report - EMC/RSA

This is a breakdown on some new malware called Pandemiya. It’s being offered as an alternative to the widely popular Zeus trojan. The price tag is between $1500-$2000.  

Crooks Seek Revival of 'Gameover Zeus' Botnet - Brian Krebs - Krebs on Security

The previously dead Gameover Zeus botnet is apparently making a comeback. After the initial takedown, the owners of the botnet laid low for a while. Now it appears they’re trying to bring it back. The old botnet is still in lockdown, so this appears to be an effort to rebuild the botnet from the ground up.

Glenn Beck's The Blaze Site Serving Malicious Ads - Pat Belcher - invincea

My care meter for politics:

don’t care |-|---------------------| care

Glenn Beck can be a bit of a hot topic, but it’s his site I want to focus on, The Blaze. It’s been discovered that his site, via advertising, is serving up malware to people that visit the site. The site is not compromised, it’s the ad services that are running on his site. Ad services do not vet the people who submit ads, which makes it easy for nefarious folk to submit ads with malware attached to them. The Blaze, according to the article, is ranked the number two political site on the web, thus making it a target for these kinds of ads. If you see an ad that is of interest you, I would suggest doing a google search instead of clicking the ad.

Exploring information security: new podcast art

I completely whiffed on a link post this morning. I had a good, but dumb weekend (if that makes sense). One of the things I managed to accomplish this weekend was putting together some podcast art, with the help of some friends (Ryan, Adam, Win and Hope, thank you!).

EIS_PodcastArt.jpg

Now I just need to get the RSS feed together and the podcast will be ready to be submitted to a podcast directory near you.

Feedback is certainly welcome.

Infosec links July 11, 2014

Kaspersky Lab uncovers new Android and iOS spying tools - Ian Barker - betanews

A company called Hacking Team has developed a trojan that can spy on both Android and iOS devices. It’s delivered via spear phishing and malware that gets the trojan installed when the phone is synced with an infected computer. Most of the functions appear to be for surveillance purposes. I wonder who would want to purchase such a thing.

More on Hacking Team's Government Spying Software - Bruce Schneier - Schneier on Securit

Well ethical governments of course. At least that’s who Hacking Team claims they sell the trojan to. What’s the criteria for an ethical government?

  • Must be nice to citizens
  • Must feed the hungry
  • Must provide hugs
  • Must not surv$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

The Ex-Google Hacker Taking on the World's Spy Agencies - Andy Greenberg - WIRED

Really interesting profile on Marquis-Boire who used to work for Google as a security researcher, but now works for First Look Media. His job, to keep journalists who handle sensitive information, e.g. Gleen Greenwald, safe.

InfoSec links July 10, 2014

Facebook manipulates 700k users' newsfeeds in secrete study prompting backlash - ABC News Australia

Apparently, Facebook has been manipulating people’s timelines in the interest of SCIENCE! What’s interesting to me is that most of the people I talked to about this, really didn’t have a problem with it. Facebook’s terms of service is certainly going to cover their ass in this instance, but I don’t know that I like the fact that they’re playing with people’s timelines to gauge and emotional reaction. I deleted my Facebook account several months ago, but my wife and several family members and friends are on the site. I’d hate to find out that they’re all pissed off because Facebook is experimenting on them.

How Google Map Hackers Can Destroy a Business at Will - Kevin Poulsen - WIRED

Small businesses beware. Your competition could potentially change information on Google that could impact your business. I would highly suggest managing, or getting someone to manage, your online presence.

Enterprise Social Cyber Attack Inforgraphic - ZeroFox

This is an interesting infographic on how attackers are leveraging social media to phish or get someone to install malware.

Update Adobe Flash

“Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al. - Dan Goodin - ars technica

Update Adobe Flash. A new technique has been discovered that would allow an attacker access to a user’s credentials for certain sites. The vulnerability seems to revolve around JSONP. Which if you work at an organization that utilizes this type of coding in your websites you might want to have your website developers take a look at this blog post, explaining the technique.

Exploring information security: What is a Chief Information Security Officer

In the third edition of the Exploring Information Security (EIS) podcast my infosec cohort Adam Twitty and I talk to the Wh1t3 Rabbit, Rafal Los, about what exactly a Chief Information Security Officer, otherwise known as CISO, is.

Rafal Los presenting at BSides Nashville

Rafal Los presenting at BSides Nashville

Rafal Los (@Wh1t3Rabbit) is the Director of Solutions Research at Accuvant. He produces the Down The Security Rabbithole podcast and writes the Following the Wh1t3 Rabbit security blog. On several occasions he's tackled the CISO role within an organization on both his podcast and blog.  I would highly recommend both if you're in the infosec field or looking to get into it.

In the interview Rafal talks about:

  • What a CISO is
  • What role does a CISO fill in an organization
  • Who skills are needed to be an effective CISO
  • The different types of CISOs

Leave feedback and topic suggestions in the comment section.

InfoSec scam links July 9, 2014

Phishy Steam Guard File Steals SSFN - Christopher Boyd - Malwarebytes Unpacked

If you buy stuff from another user on the Steam store be very aware of who you are buying from. Also, if they ask you to install something, don’t do it.

"Tracy Morgan Is Dead" Fake Video in Circulation - Christopher Boyd - Malwarebytes Unpacked

Scammers aren’t just waiting for big news to happen; they’re starting to make their own news in an effort to get you install malware. As the article says, stick to high reputable news sources for stories like these.

Heroes of the Storm Beta Keygen: A Wizard Did It - Christopher Boyd - Malwarebytes Unpacked

Getting into beta is a wonderful feeling. I’ve been lucky enough to get into a few beta programs for games that had yet to be released. Heroes of the Storm is another highly anticipated game that has started a beta program. You can sign up on their official site. Any other site claiming to have keys is likely a scam.

How to capture traffic from a mobile app

when I switched to the iPhone 5s several weeks ago, I knew I wanted to keep my old Android phone to play around with for infosec purposes. A couple weeks I finally got an opportunity to do exactly that. We had an app that we needed to find out where information input into the app was being sent. The original idea was simple: setup a wireless network for just the device to connect to and wireshark the traffic. I had another idea though: run some sort of PCAP capture app from the device to collect the outgoing traffic.

The Method

  1. Download WiFinspect from Google Play

  2. Root the phone

  3. Run the capture

  4. Export the capture from the phone

Download WiFinspect from Google Play

There are several apps out there that do PCAP capture as well as other “security” type of functions. I decided on WiFinspect because the app is part of a dissertation at the University of Birmingham. The app requires root access to run the PCAP capture and a few other functions. To do that you have to root the Android device. Which is essentially the same thing as jailbreaking an iPhone.

Root the phone

I’m not going to go through the whole process step-by-step because I found a video that does a great job of that. These are the instructions for a HTC 3D Evo, if you have another phone a simple Google search should get you your own instructions:

Run the capture

Open WiFinspect. Next click ‘Network Sniffer’ then Start Sniffing. At this point you can close the app and go to the application and start poking around in it.

Once you’re done go back to the WiFinspect and select ‘Stop Sniffing.’

 

Retrieve the capture

I was using my old HTC 3D Evo, so all I had to do was simply plug the device up to my computer and select the option to use it as a disk drive. I then opened Windows Explorer and navigated to the Removable Disk drive that appeared under Computer. In there the WiFinspect app had created a folder ‘Wi-Fi Probe’ and in there was the PCAP I needed to analyze. Just drag and drop that PCAP onto the computer you’ll be using Wireshark.