Hacking & Security

What’s Your Security Maturity Level?

Krebs on Security - 27 April, 2015 - 06:06

Not long ago, I was working on a speech and found myself trying to come up with a phrase that encapsulates the difference between organizations that really make cybersecurity a part of their culture and those that merely pay it lip service and do the bare minimum (think ‘15 pieces of flair‘). When the phrase “security maturity” came to mind, I thought for sure I’d conceived of an original idea and catchy phrase.

It turns out this is already a thing. And a really notable thing at that. The graphic below, produced last year by the Enterprise Strategy Group, does a nice job of explaining why some companies just don’t get it when it comes to taking effective measures to manage cyber risks and threats.

Very often, experience is the best teacher here: Data breaches have a funny way of forcing organizations — kicking and screaming — from one vertical column to another in the Security Maturity matrix. Much depends on whether the security professionals in the breached organization have a plan (ideally, in advance of the breach) and the clout for capitalizing on the brief post-breach executive attention on security to ask for changes and resources that can assist the organization in learning from its mistakes and growing.

But the Security Maturity matrix doesn’t just show how things are broken: It also provides a basic roadmap for organizations that wish to change that culture. Perhaps unsurprisingly, entities that are able to manage that transition typically have a leadership that is invested in and interested in making security a core priority. The real trick is engineering ways to influence the leadership, with or without the fleeting momentum offered by a breach.

At last week’s RSA Security Conference in San Francisco, I had a chance to meet up with Demetrios “Laz” Lazarikos, the former chief information security officer at Sears. Now founder of the security consultancy blue-lava.net, Laz spends a great deal of time trying to impress upon his clients the need to take the security maturity model seriously. Here’s his sliding scale, which measures maturity in terms of preparedness and expectations.

Source: Blue Lava

I like Laz’s models because they’re customized to every organization, breaking down each business unit into its own security maturity score. The abbreviations in the graphic below — SDLC and PMO — stand for “security development life cycle” and “project management office,” respectively. Dark red boxes (marked with a “1”) indicate areas where the organization’s business unit needs the most work.

Source: Blue Lava Consulting

Laz’s security maturity hierarchy includes five levels:

  • Level 1 – Information Security processes are unorganized, and may be unstructured. Success is likely to depend on individual efforts and is not considered to be repeatable or scalable. This is because processes would not be sufficiently defined and documented to allow them to be replicated.
  • Level 2 – Information Security efforts are at a repeatable level where basic project management techniques are established and successes can be repeated. This is due to processes being established, defined, and documented.
  • Level 3 – Information Security efforts have greater attention to documentation, standardization, and maintenance support.
  • Level 4 – At this level, an organization monitors and controls its own Information Security processes through data collection and analysis.
  • Level 5 – This is an optimizing level where Information Security processes are constantly being improved through monitoring feedback from existing processes and introducing new processes to better serve the organization’s particular needs.

Where does your organization fit in these models? Are they a useful way to get a handle on security and increase maturity within your organization? Has your employer recently moved from one security maturity level to another? If so, tell us what you think prompted that shift. Sound off on these or any other thoughts on this subject in the comments below, please.

Category: Hacking & Security

Report: Unclassified e-mails from Obama to staff read by Russian hackers

Ars Technica - 26 April, 2015 - 19:55

On Saturday the New York Times reported that “senior American officials briefed on the investigation” confirmed a hack of the White House’s unclassified network last year. The breach "was far more intrusive and worrisome than has been publicly acknowledged,” officials said, telling the Times that the perpetrators were likely Russians with ties to the government, if not with direct backing from Russia.

The White House’s classified network, on which message traffic from President Obama’s Blackberry is kept, was not breached, but e-mails he sent to the unclassified network from that device (as well as e-mails sent from that network to him) were obtained.

The Times noted that many senior staffers have two computers in their offices: "one operating on a highly secure classified network and another connected to the outside world for unclassified communications.” The most highly secure material shared between "the White House, the State Department, the Pentagon, and intelligence communities" is kept on a system called Joint Worldwide Intelligence Communications System (JWICS), which was not breached. JWICS also gives access to the front-end for XKeyscore, a system that collects, manages, and processes the massive amounts of data collected by the NSA.



Google Glass 2.0 Coming Soon, says Italian Luxottica Eyewear Company

The Hacker News - 26 April, 2015 - 08:31
The details of the next version of Google Glass have been revealed - the search engine giant is planning to launch Google Glass 2.0 soon. Massimo Vian, the chief executive officer of Italian eyewear company Luxottica, said his company is working with Google engineers on not just one, but two new versions of Google's Internet-connected eyewear device. Luxottica is better known for its

That's SHUTTING down your PC, not SHOOTING it down! 60 Sec Security [VIDEO]

Sophos Naked Security - 26 April, 2015 - 00:39
Ever felt like shooting your PC? This guy did it! (And more news in our weekly one-minute security video.)

Critical SSL Vulnerability Leaves 25,000 iOS Apps Vulnerable to Hackers

The Hacker News - 25 April, 2015 - 14:36
A critical vulnerability residing in AFNetworking could allow an attacker to cripple the HTTPS protection of 25,000 iOS apps available in Apple's App Store via man-in-the-middle (MITM) attacks. AFNetworking is a popular open-source code library that lets developers drop networking capabilities into their iOS and OS X products. But it fails to check the domain name for which the SSL

Tor-Based Dark Web Email Service Targeted by Government Spies

The Hacker News - 25 April, 2015 - 11:26
The administrator of the popular Darknet email service SIGAINT is warning its users that the service has become the target of a suspected law enforcement agency that tried to compromise it. About a week ago, SIGAINT was targeted by an attacker who tried to hack the service using nearly 70 bad Tor exit nodes, one of the service's administrators informed its users via the

Wi-Fi security software chokes on network names, opens potential hole for hackers

Sophos Naked Security - 24 April, 2015 - 22:15
The Wi-Fi security software "wpa_supplicant," found in Android amongst many other places, has a potentially hackable security hole...

Hackers Could Crash Trains by Hacking Rail Traffic System

The Hacker News - 24 April, 2015 - 21:39
After reaching new heights in cyber attacks by targeting SCADA systems, hackers are now looking to crash trains. This isn't only speculation; it could actually happen. A new hi-tech railway signalling system being tested in the United Kingdom could potentially be hacked by cyber criminals to cause oncoming trains to crash into one another at the highest speeds, an Internet security

Google Provides Detailed Analysis of GitHub Attack Traffic

Threatpost - 24 April, 2015 - 19:46
The high-profile DDoS attack against GitHub that went on for several days last month was the end result of an operation that included several phases and extensive testing and optimization by the attackers. Researchers at Google analyzed the attack traffic over several weeks and found that the attackers used both Javascript replacement and HTML injections. […]

CVE-2015-0359 (Flash up to 17.0.0.134) and Exploit Kits

Malware don't need Coffee - 24 April, 2015 - 19:28

As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched in the latest version of Flash Player (17.0.0.169).

Angler EK :
2015-04-17

Angler EK successfully exploiting CVE-2015-0359
2015-04-24
Flash sample from this pass : ff7685252e2a353b10543df90214f1a948a554947323b07078c18e9f6a810373
Fiddler sent to VT

"Standalone" Neutrino-ish :
2015-04-27
Thanks to Malwarebytes Anti-Exploit team for referer
Thanks to Timo Hirvonen for CVE identification

Same CVE as Angler used in "Standalone" mode - 2015-04-27
IE11 - Win7 Flash 17.0.0.134

Traffic source : adxpansion on porn website
Sample (Viagra/Cialis badvert) : c14c1130796167bbe0172dda86adec4ff3dcc34a81451f285795b81c2abd4983
Fiddler : sent on VT

This drops a JS file in %temp% or %temp%\low that does the RC4 decryption and calls wscript to execute it.

In another case, badvert : 403cba4b81d235b5b53912c4b68995c7 (you can see the RC4 key used)

http://pastebin.com/raw.php?i=6qdTEBnj
Note the 6-minute sleep :)

Dropped malware : You can get them here.
Tofsee maybe : a29acacfc2b5e44cdbfb769ce9cf9ccf
Trapwot fake av (defender pro 2015) : 37cd5cb1ebabcb921fe20341c2a63fc4
Undefined : 2e297279f7d919e4e67464af91fb6516

Drops in %temp%
One more :

Neutrino-ish malvert 2015-04-30
cf :  https://twitter.com/BelchSpeak/status/593803410207612928
Fiddler sent to VT (password : malware)

Those drops were so "Neutrino-ish" that I decided to take a look at Neutrino under the same conditions, and guess what:

Neutrino :
2015-04-27
Thanks to Timo Hirvonen for CVE identification
Same CVE as Angler used in "Standalone" mode - 2015-04-27
IE11 - Win7 Flash 17.0.0.134
Sample : d7a44f7794f8f0ba972c41d30d1e47d3232b32b45292ac9c9c9d8d338814f3d3
Fiddler sent to VT

Nuclear Pack :
2015-04-28
Thanks to TrendMicro for confirming CVE was the same as the one used in Angler EK

Nuclear Pack successfully exploiting Flash 17.0.0.134 inside IE11 on Windows 7 to push Kelihos Loader (suba002)
2015-04-28
NB: some Nuclear Pack instances are still only firing CVE-2015-0335.
Sample : 6eca6686bf2450d6251add82f5f5681e6c542575acf350f21efede628c6be6fe
Fiddler sent to VT

RIG :
2015-04-30
Thanks @TimoHirvonen for CVE confirmation.
RIG now

Sample was : a345a866f64fb61e482ead7e3b3979542381b579c6065ffd7e93bc23faefdd4c
Fiddler sent to VT

To those wondering why I do not give a direct link to an exploit patched less than one month ago, look at these stats shared by a user on underground:
RIG stats (mostly BR) shared by a user underground

Magnitude :
2015-04-02

Magnitude successfully exploiting CVE-2015-0359 to push Cryptowall and Zemot
2015-05-02
Sample in that pass : 85e0f358c80e9013be2358e4ee11d90885d74f5b32d4cef710b76e0245631b26
Fiddler sent to VT

Fiesta:
2015-05-03
Logo Courtesy of Fox-IT
Fiesta firing CVE-2015-0359 (more like the real one according to @TimoHirvonen)
2015-05-03
Sample in that pass : a78f2cd9233523141fc29960831947ad9f993e08680f2db10facf2ed93a7e94e
Fiddler sent to VT
Read more :
Latest Flash Exploit in Angler EK Might Not Really Be CVE-2015-0359 - 2015-04-22 - Peter Pi - TrendMicro
Angler EK Exploiting Adobe Flash CVE-2015-0359 with CFG Bypass - 2015-04-18 - Dan Caselden and Sai Omkar Vashisht - FireEye

Critical HTTPS bug may open 25,000 iOS apps to eavesdropping attacks

Ars Technica - 24 April, 2015 - 19:00

At least 25,000 iOS apps available in Apple's App Store contain a critical vulnerability that may completely cripple HTTPS protections designed to prevent man-in-the-middle attacks that steal or modify sensitive data, security researchers warned.

As was the case with a separate HTTPS vulnerability reported earlier this week that affected 1,500 iOS apps, the bug resides in AFNetworking, an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that's trivial for hackers to monitor or modify, even when it's protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).

"The result is an attacker with any valid certificate can eavesdrop on or modify an SSL session initiated by an app with this flawed library," Nate Lawson, the founder of security analytics startup SourceDNA, told Ars. "The flaw is that the domain name is not checked in the cert, even though the cert is checked to be sure it was issued by a valid CA. For example, I can pretend to be 'microsoft.com' just by presenting a valid cert for 'sourcedna.com.'"
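The check AFNetworking skipped, as described in this article and in the Hacker News item above, is hostname verification: the chain may be valid while the name in the certificate is the wrong one. This is an added example, not AFNetworking or SourceDNA code; the "chain trusted" flag stands in for the CA check and the SAN lists are constructed, not taken from real certificates.

```python
"""Hostname verification next to the chain-only check the article describes.
Added example; constructed SAN lists, no real certificates involved."""
import ipaddress


def _dns_name_match(pattern, host):
    """RFC 6125 style match of one SAN dNSName pattern against a host.
    A wildcard is honoured only as the entire left-most label, never
    across a dot, and never for patterns as short as '*.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(san_dns_names, host):
    """True when any SAN dNSName entry covers the host the client meant."""
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal needs an iPAddress SAN, not a dNSName
    except ValueError:
        pass
    return any(_dns_name_match(p, host) for p in san_dns_names)


def verify_peer_vulnerable(chain_trusted, san_dns_names, expected_host):
    """The flawed pattern: only 'was it issued by a trusted CA?' is asked."""
    return chain_trusted


def verify_peer_fixed(chain_trusted, san_dns_names, expected_host):
    """The corrected pattern: trusted chain AND the name the app dialled."""
    return chain_trusted and hostname_matches(san_dns_names, expected_host)


# Constructed scenario from the quote: a valid certificate for sourcedna.com
# is presented to an app that intended to reach microsoft.com.
PRESENTED_SANS = ["sourcedna.com", "*.sourcedna.com"]
```

With the vulnerable check, the sourcedna.com certificate is accepted for microsoft.com; with the fixed check it is accepted only for the names it actually carries.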



A Javascript-based DDoS Attack as seen by Safe Browsing

Google Security Blog - 24 April, 2015 - 18:38
Posted by Niels Provos, Distinguished Engineer, Security Team

To protect users from malicious content, Safe Browsing’s infrastructure analyzes web pages with web browsers running in virtual machines. This allows us to determine if a page contains malicious content, such as Javascript meant to exploit user machines. While machine learning algorithms select which web pages to inspect, we analyze millions of web pages every day and achieve good coverage of the web in general.

In the middle of March, several sources reported a large Distributed Denial-of-Service attack against the censorship monitoring organization GreatFire. Researchers have extensively analyzed this DoS attack and found it novel because it was conducted by a network operator that intercepted benign web content to inject malicious Javascript. In this particular case, Javascript and HTML resources hosted on baidu.com were replaced with Javascript that would repeatedly request resources from the attacked domains.

While Safe Browsing does not observe traffic at the network level, it affords good visibility at the HTTP protocol level. As such our infrastructure picked up this attack, too. Using Safe Browsing data, we can provide a more complete timeline of the attack and shed light on what injections occurred when.

For this blog post, we analyzed data from March 1st to April 15th 2015. Safe Browsing first noticed injected content against baidu.com domains on March 3rd, 2015. The last time we observed injections during our measurement period was on April 7th, 2015. This is visible in the graph below, which plots the number of injections over time as a percentage of all injections observed:

We noticed that the attack was carried out in multiple phases. The first phase appeared to be a testing stage and was conducted from March 3rd to March 6th. The initial test target was 114.113.156.119:56789 and the number of requests was artificially limited. From March 4th to March 6th, the request limitations were removed.

The next phase was conducted between March 10th and 13th and targeted the following IP address at first: 203.90.242.126. Passive DNS places hosts under the sinajs.cn domain at this IP address. On March 13th, the attack was extended to include d1gztyvw1gvkdq.cloudfront.net. At first, requests were made over HTTP and then upgraded to use HTTPS. On March 14th, the attack started for real and targeted d3rkfw22xppori.cloudfront.net both via HTTP as well as HTTPS. Attacks against this specific host were carried out until March 17th.

On March 18th, the number of hosts under attack was increased to include the following: d117ucqx7my6vj.cloudfront.net, d14qqseh1jha6e.cloudfront.net, d18yee9du95yb4.cloudfront.net, d19r410x06nzy6.cloudfront.net, d1blw6ybvy6vm2.cloudfront.net. This is also the first time we find truncated injections in which the Javascript is cut off and non-functional. At some point during this phase of the attack, the cloudfront hosts started serving 302 redirects to greatfire.org as well as other domains. Substitution of Javascript ceased completely on March 20th but injections into HTML pages continued. Whereas Javascript replacement breaks the functionality of the original content, injection into HTML does not. Here HTML is modified to include both a reference to the original content as well as the attack Javascript as shown below:

<html>
<head>
<meta name="referrer" content="never"/>
<title> </title>
</head>
<body>
      <iframe src="http://pan.baidu.com/s/1i3[...]?t=Zmh4cXpXJApHIDFMcjZa" style="position:absolute; left:0; top:0; height:100%; width:100%; border:0px;" scrolling="yes"></iframe>
</body>
<script type="text/javascript">
[... regular attack Javascript ...]
</script>
</html>

In this technique, the web browser fetches the same HTML page twice but due to the presence of the query parameter t, no injection happens on the second request. The attacked domains also changed and now consisted of: dyzem5oho3umy.cloudfront.net, d25wg9b8djob8m.cloudfront.net and d28d0hakfq6b4n.cloudfront.net. About 10 hours after this new phase started, we see 302 redirects to a different domain served from the targeted servers.
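The self-framing pattern just described (referrer suppressed, a full-page iframe loading the page's own URL with an extra query parameter, an inline script after the body) is distinctive enough to recognise in a fetched response. This is an added example, not Safe Browsing code; the page URL and both HTML samples are constructed, and the script body is a harmless placeholder.

```python
"""Flag an HTML response that frames its own URL with a cache-busting
parameter and appends an inline script. Added example; inputs constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _Collector(HTMLParser):
    """Collect the referrer meta, iframe sources and inline script text."""

    def __init__(self):
        super().__init__()
        self.referrer_never = False
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "referrer" and a.get("content") == "never":
            self.referrer_never = True
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "script" and not a.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)


def self_framing_injection(page_url, html):
    """Return findings when the page frames itself, else None.

    A match needs an iframe whose scheme, host and path equal the page's own
    URL but which carries a query parameter the page request lacked (so the
    second fetch is served clean), plus at least one inline script."""
    p = _Collector()
    p.feed(html)
    p.close()
    page = urlsplit(page_url)
    page_params = set(parse_qs(page.query))
    for src in p.iframes:
        f = urlsplit(src)
        if (f.scheme, f.netloc, f.path) != (page.scheme, page.netloc, page.path):
            continue
        extra = set(parse_qs(f.query)) - page_params
        if extra and p.scripts:
            return {
                "iframe": src,
                "cache_busting_params": sorted(extra),
                "referrer_never": p.referrer_never,
                "inline_script_bytes": sum(len(s) for s in p.scripts),
            }
    return None


# Constructed samples: a page mimicking the injected layout, and a clean page.
PAGE_URL = "http://share.example.invalid/s/abc123"
INJECTED = (
    '<html><head><meta name="referrer" content="never"/><title> </title></head>'
    '<body><iframe src="http://share.example.invalid/s/abc123?t=Zmh4cXpX" '
    'style="position:absolute; left:0; top:0; height:100%; width:100%; border:0px;" '
    'scrolling="yes"></iframe></body>'
    '<script type="text/javascript">/* placeholder for injected script */</script></html>'
)
CLEAN = (
    '<html><head><title>Share</title></head><body><p>Hello</p>'
    '<script type="text/javascript">var page = 1;</script></body></html>'
)
```

Run against the second, parameterised fetch (the URL already carrying t), the function returns None, matching the blog's observation that no injection happens on that request.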

The attack against the cloudfront hosts stops on March 25th. Instead, resources hosted on github.com were now under attack. The first new target was github.com/greatfire/wiki/wiki/nyt/ and was quickly followed by github.com/greatfire/ as well as github.com/greatfire/wiki/wiki/dw/.

On March 26th, a packed and obfuscated attack Javascript replaced the plain version and started targeting the following resources: github.com/greatfire/ and github.com/cn-nytimes/. Here we also observed some truncated injections. The attack against github seems to have stopped on April 7th, 2015 and marks the last time we saw injections during our measurement period.

From the beginning of March until the attacks stopped in April, we saw 19 unique Javascript replacement payloads as represented by their MD5 sum in the pie chart below.

For the HTML injections, the payloads were unique due to the injected URL so we are not showing their respective MD5 sums. However, the injected Javascript was very similar to the payloads referenced above.

Our systems saw injected content on the following eight baidu.com domains and corresponding IP addresses:

  • cbjs.baidu.com (123.125.65.120)
  • eclick.baidu.com (123.125.115.164)
  • hm.baidu.com (61.135.185.140)
  • pos.baidu.com (115.239.210.141)
  • cpro.baidu.com (115.239.211.17)
  • bdimg.share.baidu.com (211.90.25.48)
  • pan.baidu.com (180.149.132.99)
  • wapbaike.baidu.com (123.125.114.15)

The sizes of the injected Javascript payloads ranged from 995 to 1325 bytes.

We hope this report helps to round out the overall facts known about this attack. It also demonstrates that collectively there is a lot of visibility into what happens on the web. At the HTTP level seen by Safe Browsing, we cannot confidently attribute this attack to anyone. However, it makes it clear that hiding such attacks from detailed analysis after the fact is difficult.

Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication. Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic. Another hope is that the external visibility of this attack will serve as a deterrent in the future.

FTC sanctions phone location tracking company for not allowing customer opt-out

Sophos Naked Security - 24 April, 2015 - 18:13
Nomi has been ordered to tidy up its business practices as part of a settlement with the FTC over its tracking of retail customers' smartphones.

Nigerian accused of hacking bank computer to steal $340 million

Sophos Naked Security - 24 April, 2015 - 17:40
If this had been a physical heist it would have been well up among the largest ever - a Nigerian man has been charged with hacking into a bank server and siphoning out more than N68 billion (over $340 million).

Op-Ed: In defense of Tor routers

Ars Technica - 24 April, 2015 - 15:31

A recent Ars Technica Op-Ed post by Nicholas Weaver took a harsh view on Tor routers, calling their basic premise flawed. We acknowledge that Tor routers are not a privacy silver bullet; we’ve been vocal about the need for people to use privacy add-ons with their web browsers. But I feel Weaver's article was one-sided and overstated the case against Tor routers; many of the arguments he made against them could be applied to VPNs as well.

Some of Weaver's points of contention were:

  • If you want protection from your ISP, you should use a VPN;
  • A personal VPN hosted on Amazon EC2 is a reasonable choice;
  • VPN providers offer “better performance and equal privacy”;
  • Many Tor exit nodes are malicious (implying that some VPN providers aren’t);
  • Browser fingerprinting can break the anonymity of Tor without the Tor Browser Bundle; and
  • Tor router makers are money-grabbing scumbags.

I'll address each of these in turn; some of them are good points, others not as much. I may be biased because we make a Tor router, and I think we’ve made a pretty good device. But I’ve tried to be as fair as I can here and acknowledge the limits of Tor routers.



Interview: Jason Dover, Director of Product Line Management at KEMP Technologies

InfoSec Institute Resources - 24 April, 2015 - 14:15

Jason Dover is Director of Product Line Management at KEMP Technologies, a Microsoft MCP, VMware VTSP and VMware VSP. He’s a subject matter expert on messaging technologies and application delivery with a background in the design and implementation of Enterprise Unified Communication and Directory Solutions.  Prior to joining KEMP, Dover worked in the Finance industry and provided consultative Messaging and Directory […]

The post Interview: Jason Dover, Director of Product Line Management at KEMP Technologies appeared first on InfoSec Institute.


HTML5 Security: Local Storage

InfoSec Institute Resources - 24 April, 2015 - 14:00

In a previous article of mine, I discussed Cross Domain Messaging in HTML5. This article walks you through another feature, called local storage, and its security.

Local Storage

Local storage is one of the new features added in HTML5. It was first introduced in Mozilla 1.5 and eventually embraced by the HTML5 specification. We can […]

The post HTML5 Security: Local Storage appeared first on InfoSec Institute.


How to secure your baby monitor

Sophos Naked Security - 24 April, 2015 - 13:17
Two more families say they've had baby monitors turned into nursery-room eavesdropping bugs. Here's how to button up your baby's security, camera, Wi-Fi, router and all.

Cisco releases first transparency report, showing literally nothing to hide

Sophos Naked Security - 24 April, 2015 - 12:48
Networking supergiant Cisco has become the latest big firm to release a transparency report, detailing its approach to dealing with requests for information from governments and police forces.

Documents stolen from Sony Pictures are published on WikiLeaks

Novinky.cz - security - 24 April, 2015 - 12:01
Sony Pictures' problems with the leak of sensitive data are escalating. Julian Assange, editor-in-chief of WikiLeaks, has concluded that the stolen data offer a useful insight into how corporations operate and decided that it is in the public interest to publish them.