Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches

External data breaches from groups like Anonymous and internal data leaks from insiders such as Edward Snowden have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are there security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?
Much of the questions and confusion has to do with executives not understanding where their critical assets are and how they need to be protected. Their sense of security is skewed by the fact that they’ve passed their compliance requirements causing them to think they are safe. For most companies, if they were truly targeted by a sophisticated and determined attacker, they would fail miserably.
Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration testing organizations from all different industries, companies are doing a great job of locking down there externally exposed assets, with the exception of Web servers. There are fewer devices exposed and even less ports open that could provide an avenue for attack.

via Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches.
Read the article for the details, but the four problem areas are:

  1. Asset management and putting in place proper protection mechanisms for those assets
  2. Not knowing or understanding the “principle of least privilege” (I’d also add “default deny”) and “need to know”
  3. Security training and awareness
  4. Shared credentials and password resuse

In my opinion items 1, 2, and 4 tie into my preference for dealing with security’s “low hanging fruit”, the basic tenets we all should do 100% of the time. Security awareness and training has value, but I think there’s too much focus on it. That focus takes time, money, and effort away from those security tenets I mentioned before.

ISC Diary | Tools for reviewing infected websites

At the ISC we had a report today from Greg about obfuscated Javascript on the site hxxp:// A little research revealed that this site has been infected in the past. Nothing extraordinary, just another run of the mill website infection.
What did strike me is how the nature of this research has changed in recent years. Not so long ago checking out a potentially infected website would have involved VMs or goat machines and a lot of patience and trial and error. Today there are so many sites that will do the basics for you. Greg sent us a link to URLQuery which displays a lot of information about a website including the fact that this one is infected.

via ISC Diary | Tools for reviewing infected websites.

200 years ago this weekend the British left Detroit for good |

Two hundred years ago this Sunday the British left Detroit for the last time.
The Detroit Historical Museum is celebrating the city’s final independence from the British this weekend with three events commemorating the British departure on Sept. 29, 1813.
The museum is releasing its new book, “Border Crossings: The Detroit River Region in the War of 1812,” to coincide with the celebration.

via 200 years ago this weekend the British left Detroit for good |

Cisco launches open-source tool for penetration testers | ZDNet

Cisco has opened up access to Kvasir, which helps penetration testers worldwide assess the security levels of computer systems at a glance.
In a blog post, Kurt Grutzmacher, solutions architect at Cisco’s Security Practice Advanced Services team, said that the tool was initially created for the Cisco Systems Advanced Services Security Posture Assessment (SPA) team to keep track of the tests and data collected by the firm’s penetration testers.
A pen test is a way to test a system’s security standard by simulating a cyberattack.
During typical assessments of network security, pen testers may analyze between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, and then they have to collect, sift through and document the results.

via Cisco launches open-source tool for penetration testers | ZDNet.

Now You See Me – H-worm by Houdini | FireEye Blog

H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.

via Now You See Me – H-worm by Houdini | FireEye Blog.

The Icefog APT: A Tale of Cloak and Three Daggers – Securelist

The world of Advanced Persistent Threats (APTs) is well known. Skilled adversaries compromising high-profile victims and stealthily exfiltrating valuable data over the course of many years. Such teams sometimes count tens or even hundreds of people, going through terabytes or even petabytes of exfiltrated data.
Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision.
Since 2011 we have been tracking a series of attacks that we link to a threat actor called ‘Icefog’. We believe this is a relatively small group of attackers that are going after the supply chain — targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. This Icefog campaigns rely on custom-made cyber-espionage tools for Microsoft Windows and Apple Mac OS X. The attackers directly control the infected machines during the attacks; in addition to Icefog, we noticed them using other malicious tools and backdoors for lateral movement and data exfiltration.

via The Icefog APT: A Tale of Cloak and Three Daggers – Securelist.

A good password can still trump sketchy security | ZDNet

WatchGuard has been caught doing what a lot of first-timers to access control have done — simply hashing passwords as a means of implementing security — but perhaps all isn’t that bad in the world.
Information security researcher Jérôme Nokin, who runs a blog on all the fun things you can do over IP, found that WatchGuard’s firewall appliances are taking a bit of a shortcut when it comes to storing passwords.
It’s the typical mistake of recognising that storing plain text passwords is a big no-no, but not going any further than simply hashing the password. In WatchGuard’s case, it had been performing an NTLM hash of the password and that’s it.
Some might recognise NTLM as being part of Microsoft’s old security protocol suite that, these days, is no longer recommended by Redmond because it is so outdated. As Nokin also learned, an NTLM hash is simply the password converted to Unicode, then MD4 applied to it.

via A good password can still trump sketchy security | ZDNet.

Why A Hardware Root Of Trust Matters For Mobile — Dark Reading

As the IT industry grapples with the security implications of mobile devices, some experts believe one of the most important first steps it can take is to stop getting caught up in irrelevancies.
“We are lost in a conversation of mobile versus PC or phones versus tablets or whatever else, but that’s not what’s important,” says Steven Sprague, CEO of Wave Systems, explaining that the really important piece is, “How are we going to manage multiple tenant trusted devices, and what are the basic foundation principles for that? Then you’ve got to stick to your guns. I don’t care if they have the slickest marketing program under the sun — we’ve got to continue putting on our glasses and calling out when the emperor has no clothes.”

via Why A Hardware Root Of Trust Matters For Mobile — Dark Reading.

Data-stealing botnets found in major data brokers’ servers | Naked Security

A “small but very potent” botnet run by an identity theft service has tentacles reaching into computers at some of the country’s largest consumer and business data aggregators, security journalist Brian Krebs has revealed following a seven-month investigation.
The service, which sells the Social Security numbers, birth records, credit and background reports of millions of US residents, has for the past two years run at ssndob[dot]ms (Krebs calls it simply SSNDOB, and I’ll follow suit).
SSNDOB markets itself on underground cybercrime forums as “a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident”, Krebs writes, charging from 50 cents to $2.50 per record and from $5 to $15 for credit and background checks.
The transactions are carried out mostly via largely unregulated and anonymous virtual currencies, including Bitcoin and WebMoney.

via Data-stealing botnets found in major data brokers’ servers | Naked Security.

22 Hours: Average Time It Takes Malware Distributors To Exploit News

Cybercriminals continue to respond with lightning speed when they see an opportunity to exploit a national or global news story to spread malware. In fact, the Research Team of Eleven, leading German e-mail security provider, now sees instances of criminals inventing “breaking news” that appears to relate to high-profile current events.
The Eleven Research Team continually analyzes malicious campaigns that exploit breaking news using the CNN name and other prominent news outlets to lure email recipients to malicious sites. The average time between an actual news event and its exploitation hovered around 22 hours during the last three months.
On Friday, September 6, malware distributors invented fake news designed to take advantage of public interest in the possibility of a U.S. airstrike against Syria. The emails used the subject line, “The United States Began Bombing,” and were crafted to appear as a legitimate CNN news alert. It is an example of the cybercriminal community harnessing the interest and anxiousness about current events to increase the success of their malicious campaigns.

via 22 Hours: Average Time It Takes Malware Distributors To Exploit News.