Friday, April 11, 2014

OpenSSL is bleeding and the world is panicking

A nasty OpenSSL bug has set the security community on fire.

Bruce Schneier considers this vulnerability "catastrophic"!


Tuesday, March 25, 2014

Outlook 0day caused by Word

0day in M$ Word in the wild, affecting Outlook:

Because Word is the default viewer in Outlook, simply viewing the email, without even clicking any attachment, can compromise the system.


Thursday, February 27, 2014

CISSP CPE8: Rapid7 webinar: Vulnerabilities, Dissected: The Past, Present & How to Prepare for their Future

Length 01:00:00

Vulnerability: a configuration issue OR programming error that can be exploited.

Why should we care? Because vulnerabilities put the things that we value at risk.

4 categories of vulnerabilities: 
1.    remote code execution
2.    elevation of privilege
3.    information disclosure
4.    DoS

Past: attacker going after company
Present: attacker going after individual (stealing ID & credit card info)

CVE, run by MITRE, is the standard for describing vulnerabilities.

Vulnerability risk impact:
1.    Vulnerability category (remote execution > elevation of privilege > info disclosure > DoS)
2.    Ease of exploitation
3.    Location of asset
4.    Importance of asset

Attacker motives & techniques:
1.    Discover/recon
2.    Probing of system/network
3.    Passive engagement
4.    Active engagement
5.    Post exploitation
Chaining vulnerabilities together:
Exploiting one vulnerability in order to exploit other vulnerabilities.
Low-severity vulnerabilities matter.

Example: leaking credentials
Get trivial data as a foothold -> gain limited access -> elevation of privilege
An exploit is the attack that takes advantage of the vulnerability.

The Near future of Vulnerabilities:
-    Windows XP EOL
-    Mobile & cloud platform
-    Directly attacking payment system
-    Cyber-warfare: asymmetrical battleground/APT engaged in economic espionage

Tips to prepare for the future:
1.    Know your environment
2.    Keep systems up to date
3.    Use mitigation techniques


Wednesday, February 12, 2014

CISSP CPE8: Rapid7 webinar: The Anatomy of Deception Based Attacks: How to Secure Against Today’s Major Threat

Length 01:00:00

They are discussing a new product/service that they are designing.. very interesting.

Getting in by stealing someone's identity and pretending to be them... any credential will do to evade detection and to keep access for a long period of time.

Common deception-based attacks:
Convincing drive-by
Malicious USB distribution
Use of compromised passwords (ex: Adobe breach)
Malicious mobile app
Pass the hash
Fake ad drive-by

In the news: MS employee account compromised by the Syrian Electronic Army.

Dropbox spear-phishing campaign deploying a new Zeus trojan variant.
RSA SecurID breach via spear-phishing attack.

Accessing through wifi
Russia: iron chip supply chain was compromised.
Malicious USB cellphone charger

Compromised credentials
In South Carolina almost all taxpayers had their credentials stolen (IRS).

Most apps from top banks are insecure.
Very difficult to discover.

Yahoo drive-by ads: the ads themselves are legitimate.
Often there is no signature / exploit.

Deception-based attacks are very hard to detect.
Tools for detection and investigation:

Effortless discovery of user behavior
Detection of deception
Incident investigation

Many tools today are asset-focused, not user-focused.

Suspicious network access
Domain admins
Mobile device
Cloud services
User phishing risk
Monitor riskiest users

You want to know if an employee who is about to leave is dropping lots of data to Dropbox...

Service accounts: non-expiring accounts

Domain admin activity

Smart detection of deception:

Account leaked in a massive data breach
Network ingress from multiple locations
Elevated admin privileges
Authentication from disabled accounts
Re-enabling of disabled accounts
Remote access with service accounts
Traffic from TOR nodes or known proxy servers
Addition of an unusual number of mobile devices

Users involved in a mega breach

A lot of people use the same password across different services.

Alert if the same user accesses the network from different locations within a short period of time.

Example: the Adobe breach.
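Two of the detections listed above (authentication from a disabled account, and the same user entering the network from different locations within a short window) run over constructed auth log lines, as an added example that is not part of the webinar or Rapid7's product; the CSV log format, the one-hour window and the disabled-account set are assumptions made for the example.

```python
# Added example, not the product's code: two deception detections over
# constructed authentication log lines (timestamp,user,source_location,result).
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2014-02-12T08:00:00,alice,NYC,success
2014-02-12T08:20:00,alice,Moscow,success
2014-02-12T09:00:00,bob,London,success
2014-02-12T17:30:00,bob,London,success
2014-02-12T10:00:00,svc_backup,Chicago,success
2014-02-12T10:05:00,carol,NYC,success
"""

# Constructed directory state: accounts marked disabled in AD/LDAP.
DISABLED_ACCOUNTS = {"carol"}

WINDOW = timedelta(hours=1)  # assumed meaning of "short period of time"


def parse_log(text):
    """Parse the CSV lines into (timestamp, user, location, result), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, location, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, location, result))
    return sorted(events)


def detect(events, disabled=DISABLED_ACCOUNTS, window=WINDOW):
    """Return (rule, user, detail) alerts for the two deception rules."""
    alerts = []
    last_seen = {}  # user -> (timestamp, location) of the previous success
    for ts, user, location, result in events:
        if result != "success":
            continue
        if user in disabled:
            alerts.append(("auth_from_disabled_account", user, location))
        prev = last_seen.get(user)
        # Same user, different location, within the window: multi-location ingress.
        if prev and prev[1] != location and ts - prev[0] <= window:
            alerts.append(("multi_location_ingress", user, f"{prev[1]} -> {location}"))
        last_seen[user] = (ts, location)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```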

Fast incident investigation
-    Cut investigation time
-    Immediate context to close incident faster than ever
-    Connect users to assets
-    Prove user responsibility
-    Complete picture of user actions
-    Minimize the need to look into various systems

IP correlation

How user behavior is discovered:

Most log data (FW, proxy, LDAP, AD, auth services); it just pulls the relevant info.

It scales for big organizations, 20 to 50K.

What software needs to be installed on the client side?

2 parts:
a.    Very small software that needs to be installed (can be installed in VMware); it collects all the logs.
It is not a SIEM.
Most customers use a SIEM for compliance reasons...

Pricing model..

Yearly, per active user.


Saturday, January 11, 2014

CPE: McAfee AudioParasitic: Episode 76: holiday malwares

Length 00:25:28
Christmas season malware: you better watch out, Santa is bringing it.
Christmas is the favorite time to distribute malware.

Top 12 scams of Christmas:
1.       Charity phishing scam
2.       Fake invoice to confirm delivery
3.       Fake social networking email request
4.       Malicious holiday e-card
5.       Discounted luxury jewelry on malicious sites
6.       Online identity theft
7.       Christmas carol lyrics / ringtones
8.       Job-related email scam
9.       Online auction site scam
10.   Password-stealing scam: malware/email/spam campaign
11.   Email banking scam, because of the increased shopping
12.   Ransomware scam


CPE: McAfee AudioParasitic: Episode 75: M$ patch tuesday

Length 00:07:02
6 bulletins
15 vulnerabilities
Most critical: all code execution vulnerabilities
MS09-063: web service
MS09-064: license logging server
MS09-065: font parsing vulnerability <- nasty one
Kernel vulnerability exploited through GDI
MS09-067: 6 Excel CVEs: code execution vulnerabilities



CPE: McAfee AudioParasitic: Episode 74: New Mac protection product.

Length 00:17:33
Mac protection
Mac has a lot less malware.
These are DNS-changer Poppers.

Popper alone is not a good reason to have Mac protection.

The Popper family is written by a group that has a lot of experience in Windows malware, and they are professional.

Ed Medcalf from McAfee sales/marketing:
McAfee is one of the first vendors to provide Mac protection:
-          Application control
-          Anti-spyware
Managed by centralized ePO

The Mac market is growing: 4.5 years ago Mac share was 3.5%, now 8%.

Mac is becoming an interesting target.

Mac can be a vector: malware may be dormant on a Mac but cause problems on M$.

Highlights: traditional AV, anti-spyware, desktop FW, application protection
+ deployed and managed using centralized ePO <- compliance.
