Cisco launches open-source tool for penetration testers | ZDNet

Cisco has opened up access to Kvasir, which helps penetration testers worldwide assess the security levels of computer systems at a glance.

In a blog post, Kurt Grutzmacher, solutions architect at Cisco’s Security Practice Advanced Services team, said that the tool was initially created for the Cisco Systems Advanced Services Security Posture Assessment (SPA) team to keep track of the tests and data collected by the firm’s penetration testers.

A pen test is a way to test a system’s security standard by simulating a cyberattack.

During typical assessments of network security, pen testers may analyze between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, and then they have to collect, sift through and document the results.

via Cisco launches open-source tool for penetration testers | ZDNet.

Now You See Me – H-worm by Houdini | FireEye Blog

H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.

via Now You See Me – H-worm by Houdini | FireEye Blog.

The Icefog APT: A Tale of Cloak and Three Daggers – Securelist

The world of Advanced Persistent Threats (APTs) is well known. Skilled adversaries compromising high-profile victims and stealthily exfiltrating valuable data over the course of many years. Such teams sometimes count tens or even hundreds of people, going through terabytes or even petabytes of exfiltrated data.

Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision.

Since 2011 we have been tracking a series of attacks that we link to a threat actor called ‘Icefog’. We believe this is a relatively small group of attackers that are going after the supply chain — targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. These Icefog campaigns rely on custom-made cyber-espionage tools for Microsoft Windows and Apple Mac OS X. The attackers directly control the infected machines during the attacks; in addition to Icefog, we noticed them using other malicious tools and backdoors for lateral movement and data exfiltration.

via The Icefog APT: A Tale of Cloak and Three Daggers – Securelist.

A good password can still trump sketchy security | ZDNet

WatchGuard has been caught doing what a lot of first-timers to access control have done — simply hashing passwords as a means of implementing security — but perhaps all isn’t that bad in the world.

Information security researcher Jérôme Nokin, who runs a blog on all the fun things you can do over IP, found that WatchGuard’s firewall appliances are taking a bit of a shortcut when it comes to storing passwords.

It’s the typical mistake of recognising that storing plain text passwords is a big no-no, but not going any further than simply hashing the password. In WatchGuard’s case, it had been performing an NTLM hash of the password and that’s it.

Some might recognise NTLM as being part of Microsoft’s old security protocol suite that, these days, is no longer recommended by Redmond because it is so outdated. As Nokin also learned, an NTLM hash is simply the password converted to Unicode, then MD4 applied to it.

via A good password can still trump sketchy security | ZDNet.

Why A Hardware Root Of Trust Matters For Mobile — Dark Reading

As the IT industry grapples with the security implications of mobile devices, some experts believe one of the most important first steps it can take is to stop getting caught up in irrelevancies.

“We are lost in a conversation of mobile versus PC or phones versus tablets or whatever else, but that’s not what’s important,” says Steven Sprague, CEO of Wave Systems, explaining that the really important piece is, “How are we going to manage multiple tenant trusted devices, and what are the basic foundation principles for that? Then you’ve got to stick to your guns. I don’t care if they have the slickest marketing program under the sun — we’ve got to continue putting on our glasses and calling out when the emperor has no clothes.”

via Why A Hardware Root Of Trust Matters For Mobile — Dark Reading.

Data-stealing botnets found in major data brokers’ servers | Naked Security

A “small but very potent” botnet run by an identity theft service has tentacles reaching into computers at some of the country’s largest consumer and business data aggregators, security journalist Brian Krebs has revealed following a seven-month investigation.

The service, which sells the Social Security numbers, birth records, credit and background reports of millions of US residents, has for the past two years run at ssndob[dot]ms (Krebs calls it simply SSNDOB, and I’ll follow suit).

SSNDOB markets itself on underground cybercrime forums as “a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident”, Krebs writes, charging from 50 cents to $2.50 per record and from $5 to $15 for credit and background checks.

The transactions are carried out mostly via largely unregulated and anonymous virtual currencies, including Bitcoin and WebMoney.

via Data-stealing botnets found in major data brokers’ servers | Naked Security.

22 Hours: Average Time It Takes Malware Distributors To Exploit News

Cybercriminals continue to respond with lightning speed when they see an opportunity to exploit a national or global news story to spread malware. In fact, the Research Team of Eleven, leading German e-mail security provider, now sees instances of criminals inventing “breaking news” that appears to relate to high-profile current events.

The Eleven Research Team continually analyzes malicious campaigns that exploit breaking news using the CNN name and other prominent news outlets to lure email recipients to malicious sites. The average time between an actual news event and its exploitation hovered around 22 hours during the last three months.

On Friday, September 6, malware distributors invented fake news designed to take advantage of public interest in the possibility of a U.S. airstrike against Syria. The emails used the subject line, “The United States Began Bombing,” and were crafted to appear as a legitimate CNN news alert. It is an example of the cybercriminal community harnessing the interest and anxiousness about current events to increase the success of their malicious campaigns.

via 22 Hours: Average Time It Takes Malware Distributors To Exploit News.