Thursday, July 30, 2015

Planned Parenthood Attacked by Hacktivists

According to the news, Planned Parenthood has been breached and suffered multiple DDoS attacks against their website. An attacker going by the name "E" is supposedly in control of a large cache of internal data after breaching the internal network of Planned Parenthood.

Going to the site's homepage currently shows that they're still dealing with the aftereffects of the DDoS attacks. As of right now we're being told Planned Parenthood is keeping its site down and working on ways to mitigate future attacks. It was also mentioned that they're working with a third party cyber-security firm for assistance.

Below is what's currently displayed on their homepage:

China Hacking: Can't stop, won't stop

China's really hacking the crap out of anything they can get their hands on right now. Despite discussions to work with other countries on the issue of nation state hacking, it seems that these were all just lies and sweet talk. I'm not saying America or other countries aren't doing something similar, but China is continually gathering data on manufacturing and sensitive personal data for their own use. A few articles came out today referencing their involvement in the following hacks (which was always assumed): OPM, Anthem, United Airlines, etc.

You can view the articles here and here.

Wednesday, July 29, 2015

Google's letting you bring your own encryption keys

Google recently announced they'll be allowing customers to bring their own encryption keys to Google Compute Engine (their IaaS offering). This essentially prevents Google from knowing what's stored in the public cloud, since they can't read the data stored at rest. It also allows them to show that they're playing in the Edward Snowden era and prove to customers that encryption and privacy do matter. At least that's what they're trying to show.

Now before we start lavishing Google with praise, let's remember that this isn't anything new. Both Amazon and Microsoft have this capability, but use third party vendors to store keys in an HSM (like SafeNet) to accomplish the task. From what I've read about the product it seems Google's made their own method to store the keys. This slightly concerns me, but we'll see what comes out over the next couple weeks and as the product matures.

Either way, this is a big move towards privacy.

Network Deception Using Decoys

I wrote this article a few months back in regards to why network deception is a technique that security folk should start using more. It's something relatively inexpensive, or free if you go completely open source, that could save your butt. It still seems to be somewhat passé when I speak to people about it, but I've noticed some up-and-coming security vendors using these techniques as services, so I'm encouraged that this will someday be a staple of security monitoring and operations.

If the bad guys can use deception while compromising your network, why not turn the tables on them and use similar techniques to alert you to their presence? This has been going on forever in physical warfare and it should be no different in fighting adversaries in the digital world.

You can check out the article here.

Tuesday, July 28, 2015

Dell Aiming Security Services at SMB Market

As a small to medium business you need the ability to manage assets and software on your workstations and servers. The war on malware is happening on the desktops and it's one of the single most important areas that needs to be addressed as an SMB. The issue quickly becomes one of having the proper resources to manage these workstations, and it often falls back to a "best effort" on a good day. To properly update applications, patch operating systems and push out new versions of third party software you need a system that's going to work for you. You need to work smarter, not harder.

Almost every day we hear of another company being hacked because they were hit by malware, or exploited due to a vulnerable application. The majority of the time this happens due to out of date software or operating systems that are being neglected in SMB companies. This is mostly due to the sheer workload it takes to keep them up to date. Just as we keep hearing of new companies being compromised, there's a comparable stream of vulnerability alerts being issued by software vendors. It seems that every week Microsoft, Adobe or Java are releasing some type of out-of-band or critical security patch that needs to be applied to your workstations/servers before it's exploited by an attacker.

The question quickly becomes: "How do you keep up?" For all those server administrators using Microsoft WSUS to patch your workstations/servers, I applaud you, but you're only covering half the threats with that mentality. What you need is the ability to cover third party software too, like Java, Adobe, Flash, etc. These are the ones getting attacked frequently in the wild, because they deal with browsers most of the time and are normally the gateway to malware if running an old version. You need something that's going to patch both, and that's not something you're going to get out of the box with WSUS. Hence the Kace K1000 systems management appliance.

There are many uses for the K1000, but one of the best use cases is patching all systems by determining what software is running on the workstations/servers and alerting on which ones are needed to meet your security policy or corporate compliance. Understanding what patches need to be applied to systems gives you a better view into the risk of your environment and assists with securing holes that might be exploited otherwise. There are also compliance reports that can be run to help verify that systems which require compliance are being upheld to a certain standard.

By using the K1000, your administrators will be able to set patch policy from both an operating system and a third party patch point of view. Once these policies have been created, an administrator can quickly push out patches to secure your environment and be freed to continue working on other projects. This not only assists with securing your organization, but it frees up resources.

I've personally used Dell for many security solutions, this being one of them, and they always continue to impress. One of the best security companies out there in my opinion. Here's a link to some other services they perform. I'd seriously consider them for forensics and incident response too.

Friday, July 24, 2015

Cars getting hacked. Bad code can kill.

Over the past week we've seen security researchers completely take control of a Jeep Cherokee while sitting in the comfort of their own home via the cellular network. Some of the things they were able to commandeer on the moving vehicle were: the brakes, steering wheel, speedometer, music, windshield wipers, door locks, etc. Pretty much they had complete control of the car while the reporter, who was driving the car, flew down the highway at 70mph at their mercy. You can watch the video here.

Shortly afterwards Chrysler recalled over 1.4 million cars that were vulnerable to this exploit by sending the affected owners a software upgrade via USB drive in the mail. That's right, they pretty much sneaker-netted the software patch via the post office. The owners of these recalled cars now need to upload the fix from the USB into a port on the dashboard.

There is so much wrong here and it's very concerning. Here are just a few issues:
  • Every automotive vendor is pushing to have their features deployed to production as fast as possible and isn't worried about security. Once again we're seeing the same problem plague developers and their code. If you're not going to learn how to create secure code in this day and age, do us all a favor and pick a different profession.
  • If two researchers were able to do this on a small budget, what could a nation state, criminal gang or terrorist accomplish? Imagine a gang that's able to control your cars and airplanes with nefarious intent. This is not good; we're not talking about your Facebook account getting hijacked here. People's lives are at risk with this exploit.
  • I'm still not for them presenting these types of vulnerabilities at Black Hat. Yes, they need to be fixed, but when people's lives are at stake, releasing the code, even just a little bit, is all those with malicious intent need for a jump start. Creating videos like this is fine, because you got the results you were looking for, but releasing it to the public is not the most responsible way to go about it.

Bad code can kill. We need to be careful.

Glenn Greenwald - Why Privacy Matters

This isn't a new talk, but it's still super relevant today.