Information Security News
Posted by InfoSec News on Apr 28: http://www.nextgov.com/defense/2015/04/heres-how-you-hack-drone/111229/
Posted by InfoSec News on Apr 28: http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html
Posted by InfoSec News on Apr 28: http://www.telegraph.co.uk/news/worldnews/europe/estonia/11564163/Estonia-recruits-volunteer-army-of-cyber-warriors.html
Posted by InfoSec News on Apr 28: http://www.eweek.com/security/rsa-hammers-home-fact-that-hackers-are-winning.html
Posted by InfoSec News on Apr 28: http://motherboard.vice.com/read/the-operators
Infosec's human face
Program Chairman Hugh Thompson closed the RSA Conference with a focus on the human side of information security. It's easy, as information security professionals, to get caught up in the seemingly endless cycle of threats, critical flaws and technical ...
166816 (Z66816): A post-RSA Conference recap
On healthcare data security, not all security pros see unique challenges
Takeaways from RSA 2015: The stars of the show
Encryption and key management at heart of great infosec say Thales
We spoke with Richard Moulds, the vice president of product strategy at Thales e-Security, at the recent RSA Conference held in San Francisco about the role of encryption in a number of different security issues. “Everyone thinks encryption is a single ...
An Enduring Adversary
This diary entry documents a criminal group using the Fiesta exploit kit (EK) to infect Windows computers. I previously wrote a guest diary about this group on 2014-12-26 and provided some updated information on my personal blog. I first noticed this group in 2013, and it's likely been active well before then.
The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain. I'm calling this group the BizCN gate actor because all its gate domains are registered through Chinese registrar www.bizcn.com, and they all reside on a single IP address. The registrant data is privacy-protected through Wuxi Yilian LLC.
Earlier this month, the BizCN gate actor changed its gate IP to 126.96.36.199. We're currently seeing the gate lead to Fiesta EK on 188.8.131.52. Below is a flow chart for
[image]
Traffic From an Infected Host
The following image shows traffic from 184.108.40.206 (the gate) that occurred on 2015-04-26.
[image]
Within the past week or so, Fiesta EK has modified its URL structure. Now you'll find dashes and underscores in the URLs (something that wasn't
[image]
A pcap of this traffic at is available at: http://www.malware-traffic-analysis.net/2015/04/26/2015-04-26-Fiesta-EK-traffic.pcap
The malware payload on the infected host copied itself to a directory under the user's AppData\Local folder. It also
[image]
A copy of the malware payload is available at: [link not preserved]
Below is an image from Sguil on Security Onion for EmergingThreats and ETPRO snort events caused by the infection.
[image]
Indicators of Compromise (IOCs)
Passive DNS on 220.127.116.11 shows at least 100 domains registered through www.bizcn.com hosted on this IP address. Each domain is paired with a compromised website. Below is a list of the gate domains and their associated compromised websites I've found so far this month:
(Read: gate on 18.104.22.168 - compromised website)
How can you determine if your clients saw traffic associated with this actor? Organizations with web proxy logs can search for 22.214.171.124 to see the HTTP requests. Those HTTP headers should include a referer line with the compromised website. Many of these compromised websites use vBulletin.
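As an added defender-side example (not part of the diary), here is a small Python script that applies the proxy-log check above to NCSA combined-format lines from a forward proxy: it keeps requests whose destination is the gate IP or one of the gate domains and groups them by the referring site, i.e. the compromised website. The gate IP, gate domains and log lines are constructed placeholders; substitute the values from the diary entry.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed placeholders: substitute the gate IP and domains from the diary entry.
GATE_IP = "203.0.113.45"                                 # RFC 5737 documentation address
GATE_DOMAINS = {"gate-one.example", "gate-two.example"}  # placeholder gate domains

# NCSA combined format as written by a forward proxy: the request line carries the
# absolute URL, and the referer field names the page that linked to it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_gate_request(rec, gate_ip=GATE_IP, gate_domains=GATE_DOMAINS):
    """True when the request went to the gate, whether the proxy logged an IP or a domain."""
    host = (urlsplit(rec["url"]).hostname or "").lower()
    return host == gate_ip or host in gate_domains

def find_gate_traffic(lines, gate_ip=GATE_IP, gate_domains=GATE_DOMAINS):
    """Group gate requests by referring site; hits with no referer go under "(no referer)"."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_gate_request(rec, gate_ip, gate_domains):
            continue
        referer = rec["referer"] if rec["referer"] not in ("", "-") else ""
        site = urlsplit(referer).hostname or "(no referer)"
        hits[site].append({"client": rec["client"], "time": rec["ts"],
                           "gate": urlsplit(rec["url"]).hostname,
                           "status": int(rec["status"])})
    return dict(hits)

# Constructed sample lines: one gate hit by domain, one by IP, two unrelated requests.
SAMPLE_LOG = """\
10.1.2.30 - - [26/Apr/2015:14:03:09 -0500] "GET http://forum.example.org/showthread.php?t=42 HTTP/1.1" 200 18311 "-" "Mozilla/5.0"
10.1.2.30 - - [26/Apr/2015:14:03:11 -0500] "GET http://gate-one.example/index.php HTTP/1.1" 404 287 "http://forum.example.org/showthread.php?t=42" "Mozilla/5.0"
10.1.2.77 - - [26/Apr/2015:15:20:45 -0500] "GET http://203.0.113.45/ HTTP/1.1" 302 0 "http://blog.example.net/post/7" "Mozilla/5.0"
10.1.2.31 - - [26/Apr/2015:16:00:00 -0500] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
```

Running `find_gate_traffic(SAMPLE_LOG.splitlines())` returns the two referring sites with the clients that were sent to the gate from each; a 404 on the gate request is expected and still counts as a hit.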
Researchers may have a hard time generating infection traffic from compromised websites associated with this actor. Most often, HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all. Other times, the HTTP GET request for the Fiesta EK landing page doesn't return anything. It's tough to get a full infection chain when you're trying to do it on purpose.
The BizCN gate actor occasionally changes the IP address for these gate domains. Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again.
Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes.
More than seven months after being flagged as vulnerable, more than a dozen Android apps collectively downloaded at least 350 million times still contain fatal HTTPS flaws that cause them to leak passwords, phone numbers, and other highly sensitive user data, student researchers at City College of San Francisco found.
The vulnerable apps include OKCupid Dating, Dish Anywhere, ASTRO File Manager with Cloud, CityShop – for Craigslist, and PicsArt Photo Studio, which collectively have commanded from 170 million to 670 million downloads, according to official Google Play figures. Most of the titles have been updated regularly, but they continue to contain a game-over vulnerability that fails to detect fraudulent transport layer security (TLS) certificates, according to a blog post published Sunday by Sam Bowne, a security researcher who teaches a class on the ethical hacking of mobile devices at the City College of San Francisco. They likely are a tiny fraction of the Android apps that suffer the same flaw.
All 15 of the apps called out by Bowne's class were first flagged as unsafe in a September blog post from the CERT Division of the Software Engineering Institute. In the September post, researcher Will Dormann said CERT was contacting developers of all 23,668 apps found to be vulnerable. Bowne's class didn't have the resources to check all of the apps on the list, so it's likely many more also remain unfixed. Bowne assigned this class project after independently discovering that all text transmitted by Snap Secure could be decrypted by anyone presenting the app with a fraudulent TLS certificate.
Update: About two hours after this post went live, WordPress released a critical security update that fixes the 0day vulnerability described below.
The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.
Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appear by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The most serious of the two vulnerabilities is in WordPress version 4.2 because as of press time there is no patch.
I've been asked a few times this year ($dayjob) to discuss and review incident handling practices with some of our clients. This topic seems to have come up to the surface again, and with some breaches getting main-stream coverage, it only makes sense. Taking a look at some of our past posts here on the ISC, I was pleasantly greeted with a long history on this topic (see list below).
Those who have not seen it yet should read the 2015 Verizon Data Breach Report (DBIR). A couple of notes on the DBIR (very brief, as it seems everyone is reviewing it): we are getting better. The entry on page 5 that is called out stuck with me: "In 70% of the attacks where we know the motive for the attack, there's a secondary victim." Some homework: go read page 5!
The second takeaway from the DBIR tells me that we can prevent quite a bit. Remember, where prevention stops, incident handling starts. If you jump to page 15, a big lesson that you'd THINK we had learned by now is PATCH: "99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published."
In my travels it has been observed that more companies are starting to negotiate contracts with outside incident management firms proactively. This is a great sign; one area of weakness I am still noting is internal incident handling skills. We should still have some staff that at least understand the process (thinking evidence handling here). These staffers should act as both liaison to contract staff and a source of guidance to management.
Most, if not all, companies that I have visited have solid policies and standards in place, and a surprising number also include marketing and public relations. It seems we are getting a little better here. Note: have a list of those who are cleared to speak to any media; your average journalist will eat an engineer alive. Know when to say "I cannot comment on that."
The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich Link: http://amzn.com/1593275099
Posted by InfoSec News on Apr 27: http://www.nytimes.com/2015/04/26/us/russian-hackers-read-obamas-unclassified-emails-officials-say.html
Posted by InfoSec News on Apr 27: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11563746/NSA-veteran-chief-fears-crippling-cyber-attack-on-Western-energy-infrastructure.html
Posted by InfoSec News on Apr 27: http://www.zdnet.com/article/bill-introduced-forcing-mandatory-disclosure-of-data-breaches-but-at-the-expense-of-hackers/
Posted by InfoSec News on Apr 27: http://www.technologyreview.com/view/537001/security-experts-hack-teleoperated-surgical-robot/
Posted by InfoSec News on Apr 27: http://www.tampabay.com/news/courts/criminal/stolen-centcom-computers-found-on-ebay/2226424