Monday, November 21, 2011

Here's my latest article in Search Security Magazine


Over the past few years, information security has become a top-level concern to enterprise senior management. Many organizations by now have created information security departments to secure themselves from the threats they’re facing, but in today’s environment, it’s no longer enough. Hence the reasons why a paradigm shift is needed regarding the ways security departments are being structured. No longer should one department manage security from cradle to grave.

Take a look here for the rest.

http://searchsecurity.techtarget.com/tip/Modern-security-management-strategy-requires-security-separation-of-duties

Saturday, November 19, 2011

Testing the Waters (Illinois Water System Hacked!!)

There is reason to believe that an Illinois water system has been compromised, and the source of the attack has been traced back to a computer in Russia (no surprise). Supposedly, the intruders burned out a pump by utilizing access to stolen credentials that gave them access to there SCADA software.

Its widely known that critical infrastructure in America is severely insecure. There's been a call from many security professionals over the past decade to tighten security on these systems, and protect our infrastructure. With highly sophisticated malware being created to attack SCADA equipment, like Stuxnet and Duqu, its only a matter of time before these hacks start taking place more frequently.

Its seems like the hackers were only "testing the water", sorry about the pun, with what they could do with their access. What if they wanted to do something more malicious to these systems besides breaking them? The water supply would reach thousands if not millions of people. What if they hit the power grid, and turned off power to parts of the country? These things, as unbelievable as they may seem, are what we're facing now.

The government is downplaying what happened here in Illinois, but they need to start securing their systems before innocent people die. This isn't a trojan thats going to steal your banking credentials. These hacks have the capability to stop a town and or state, and potentially harm the citizens living in them.

The time to act it now.

Saturday, November 5, 2011

Anonymous vs. Mexico's Zetas Cartel: This One's Real

Anonymous seems to have met their match: The Zeta Cartel, or have they?

Over the past week anonymous has been threatening to release a list of "servants",(journalists, taxi drivers, government workers, etc.) that are on the payroll for the Zeta cartel. This is in response to the Mexican's kidnapping an anonymous member earlier in the week. The Zeta cartel is one of the most infamous and powerful cartels in Mexico, are extremely violent, and not shy about bloodshed.

Anonymous has demanded the kidnapped member be released, or they'd dump the classified information they have on the cartels "servants". As of this morning its been noted that the kidnapped member has been freed, but they threatened if anonymous leaked any information on their "servants" they'll kill the members family and 10 people for every name released.

This is where it gets real. Anonymous is an internet group and debated heavily on on the release of this data. This isn't law enforcement or governments getting involved, its random people in a chat forum. If they were to dump a couple hundred names on the internet thousands of people could have died. Its one thing to setup a sit-in at parks (#occupy), but getting started in a gang war is over their heads.

Both of these groups don't like being told what to do, but its evident the cartel dosen't want their servants exposed, and anonymous were slightly concerned with a real backlash. Their response to this event was much more real than a DDOS or web attack, and I think they eventually realized that.

Anonymous, for the sake of human life drop this one.

Thursday, October 27, 2011

Wednesday, October 19, 2011

Stuxnet's Little Brother


Researchers at F-Secure and Symantec have reportedly found a Stuxnetesque Trojan affecting industrial and manufacturing systems in Europe. The trojan uses similar methods of stealth by using a legitimate driver signed with a valid digital certificate from Taiwan. Again.

They’re calling this Trojan “Duqu” and from what we’re hearing, it’s the precursor to future Stuxnetesque attacks. This particular Trojan seems to only watch what’s occurring on the infected systems. It doesn’t seem to change anything on the devices or send commands to destroy the industrial equipment like Stuxnet. Duqu seems to be the part of Stuxnet that was missing; the data gathering piece. It’s still early, but Duqu seems to be the intelligence gathering module for future attacks. Using data that’s siphoned out of these companies on potentially how systems work, and who’s using what, is a valuable part of creating the next Stuxnet version. The trojan also supposedly uses custom protocols to communicate to its command-and-control server. Duqu doesn’t have had a payload and doesn't seem to have a way of replicating itself. I’m very interested in seeing how it was initially installed; I’m guessing spear phishing here.

Despite this trojan opening a window into how Stuxnext might have been developed, it opens up a few others?

First, the authors of Stuxnet haven’t been dormant. This software was created after Stuxnet was initially found and they’ve obviously been busy. They don’t seemed phased by the celebrity of Stuxnet and rightfully so. People still don’t know who created it so why be concerned with continuing. If this is a nation-state, which I’m pretty sure it is, the funding and the mission are still there. I think by the mere exception of it not being installed in America is a good factor that the USA has something to do with it.

Secondly, the authors are getting ready for another strike. If this is an information gathering tool that’s used to create Stuxnet 2.0, than it’s only a matter of time before they attack again. The industrial sector needs to be aware of what’s going on and ways to protect themselves from these types of attacks.

Thirdly, why is this being focused only in Europe? I think we all know why Iran was targeted, but what's so special about these locations in Europe? What's the motive here?

Lastly, it was reported that the trojan was using custom protocols to communicate to the CC server. This is something we’re starting to see a lot of now. The authors of their code are not only creating custom malware, but they’re communicating the data back over custom protocols that they've created. This adds yet another layer of obfuscation to an already mysterious trojan.

Tuesday, October 4, 2011

Here's my latest article in SCMagazine on Hacktivism


Here's my latest article on Hacktivism, and if we'll able to stop it.

You can read the article to find my opinion, but leave me some comments to let me know yours.

http://www.scmagazineus.com/can-we-stop-hacktivism/article/213559/

Wednesday, September 14, 2011

Sunday, July 17, 2011

Stop Malware Before It Strikes!!

With the ever increasing threat of mass malware being installed on your PC how can we protect ourselves from being susceptible from attack? When people think of protection against malware they normally think of anti-virus/anti-spyware software. The problem with anti-virus software is twofold: First it’s a very reactive approach that waits for an attack to happen before reacting, and secondly its detection rate on malware is exponentially getting lower.

In order for malware to be installed on a system there normally needs to be a vulnerability open to allow the malicious software access. So if we know where we’re vulnerable we could potentially stop the bulk of malware from being installed in the first place. The majority of threats being exploited from the internet are surprisingly not on the operating system level, but at the application/plug-in level.

So now that we know what the problem is how do we proactively stop malware from being exploited on our system? Two companies are offering free tools that can scan your workstations for installed application/plug-ins that are vulnerable to known threats, and link you to the patches needed for remediation.

These two companies are Secunia and Qualys, and the links to their free software is below. These free tools allow you to take a proactive approach to fighting malware by fixing the unpatched exploits mass malware is using to infect the majority of systems today.

http://secunia.com/vulnerability_scanning/personal/

https://browsercheck.qualys.com/

This is by no means an end all be all way to stop malware from being installed, but it sure helps. Proactively using these tools coupled with anti-virus will give you the best protection from being infected by malware.

Saturday, May 14, 2011

Privacy? What's that? Can I have some?

With the latest privacy debacle involving Google and Apple phones sending out the location of WI-FI hotspots near users, it makes us notice that the line between privacy is now completely blurred. Have we the consumer allowed our privacy to be taken or has it been stolen from us by greedy companies? The answer to that is a two-edged sword.

We the consumer are constantly looking for the newest, shiniest, most trendiest toy, whether it be software or hardware, and this has allowed vendors to take privileges in a way that they might not have taken if we weren't so hungry for it.

I agree that companies should be made much more transparent on the way they operate, but in the long run does the average user actually care? Both these companies said that they had no plans on the using the data besides for location services at this time. At this time? What does that mean? When will they be using it and what for?

These companies realize that we the consumer have short term memories, especially when we see what cool things their new toys can do. We have to look long term here and make them accountable for what they're doing, otherwise we'll continue to give our privacy away zombies looking for the next big thing.

Just because they're not using the data right now in an inappropriate way, this also depends on your definition of inappropriate, we should as the consumer know when our information is being siphoned from our pockets. Having the ability to opt-in to programs like this would be a way to at least notify the consumer of their intentions.

I hope we see some major changes in this process in the near future.

Tuesday, May 10, 2011

Defense In Depth: The Onion Approach


Here's a link to my latest article. Hope you like it.

http://enterpriseitsecuritymag.com/defense-in-depth-the-onion-approach/

Phones Required To Receive Emergency Alerts From President

The President and other local emergency crews will now have the ability to broadcast alerts to your cell phone if you're within a certain area in NYC. These alerts are designed for emergency response to disasters or potential terrorist activity in the area. This was in direct response to the Osama Bin Laden killing, and possible revenge attacks to New York.

Part of me doesn't like having the government being able spam citizens with text messages, but another part of me saw the damage of 9/11 personally. I can see where this would be useful, but I'm still concerned that the government, if given an inch, will take a mile.

I'm also concerned about what this mobile phone "chip" is and what it will be able to track. If anyone has any information on this please let me know.


http://newyork.cbslocal.com/2011/05/10/national-emergency-alert-system-set-to-launch-in-nyc/

Thursday, May 5, 2011

Enterpriseitsecuritymag.com just launched

I would like to announce that the May issue of Enterprise IT Security is finally out and ready to download!
You will be able to read a lot of interesting articles written by professionals.

We also encourage you to take part in the contest prepared in cooperation with Nordic Information Security Group AB.

Visit the website at http://enterpriseitsecuritymag.com

For more information concerning the contest please contact:
kinga.polynczuk@software.com.pl
lukasz.koska@software.com.pl

Enjoy reading!

Saturday, April 23, 2011

Kaspersky's Son Kidnapped

Eugene Kaspersky the founder of "Kaspersky Labs" a leading anti-virus provider, has had his son kidnapped in Moscow over the weekend. Is this kidnapping due to Eugene Kaspersky's wealth? Or a message being sent by the cyber-criminals in Russia? 


http://www.heraldsun.com.au/news/breaking-news/it-tycoons-son-kidnapped-in-moscow/story-e6frf7jx-1226043129087

Saturday, March 5, 2011

Mobile Malware on Android Growing

Everyone saw this coming and its the major reasons I won't get an Android phone right now. Its my opinion that Google needs to vet their apps before being placed on their Market. Otherwise we're going to start seeing commercials with the Mac Guy vs. Android Robot on which one's more secure.


http://www.darkreading.com/security-services/167801101/security/attacks-breaches/229300070/50-android-market-apps-found-harboring-malware.html

Wednesday, February 2, 2011

News Sites Creating WikiLeakish Services

Many major news organizations are looking to adopt the Wikileaks model of "digital dropbox" within the next couple months. The New York Times is looking to create its own leak page to mimic that of the popular wikileaks.ch. Instead of taking it from a third party, why not have the material delivered directly to your site? Doesn't take much to setup either.


Here's a good link referencing it too:


http://www.internetevolution.com/author.asp?section_id=1047&doc_id=203625

Tuesday, February 1, 2011

DHS Spending $40 Million on Cyber Security Research

This is a step in the right direction for the Department of Homeland Security. Seems that with all the recent cyber attacks against the United States government they're starting to open their eye's a little bit. I found this news encouraging.


https://threatpost.com/en_us/blogs/dhs-40m-research-next-big-thing-cyber-security-012811

How I Got My ATM Card Skimmed


On Sunday June 27th, 2010 at around 2:00pm I took out $200 dollars from my local branch ATM.  Little did I know that this ATM had been compromised and was fashioned with an ATM skimmer. The compromised ATM was within the bank and wasn’t your normal outdoor ATM unit. After using the ATM, my card information and pin number were successfully stolen and I was completely unaware of the theft. I left the ATM with my $200 dollars without thinking twice.
Monday June 28th, 2010 at around 6:00pm I received a call from my bank’s fraud department asking if I had made 2 withdrawals in Manhattan within the past 24 hours for a total of $600 dollars. I told the analyst on the phone that I hadn’t been in Manhattan that weekend, and to please put a hold on my card. The analyst then explained to me that my card had been compromised and that they were cancelling the card. She explained to me that I would have to go down to a local branch and receive a new one. At this point she started the process of refunding my account and gave me a case and telephone number to follow up with in the morning.
Tuesday June 29th, 2010 at around 10:00am I called the number the fraud analyst gave me and spoke with the fraud department again. I explained what happened and they refunded me the money that was stolen. They then asked me a few questions on what I was doing that weekend and if I’d like to press charges or file a police report if needed; I told them that I would. After getting off the phone I went directly to my local branch to get a new debt card, not knowing that this was the site of the compromised ATM. When I arrived I spoke with the bank manager and told her what had happened. She asked me if I had used their ATM over the weekend, and after I told her I did she told me to take a seat in the lobby with a few other people that also had their cards compromised. I was the 7th user that morning that they were dealing with regarding their compromised ATM. She explained to me that they found the skimmer earlier and had removed it from the ATM. I went through the process of creating a new card and pin number on-site at the branch.
Monday January 17th, 2011 I received a letter in the mail from the U.S Department of Justice regarding the 5 defendants, all of Romanian decent, that were in custody regarding my case. This was the first correspondence regarding this case since the day I received my new debt card. The document showed the 5 names of the defendants that were in custody and gave me a case number, court docket number, a victim ID number and a pin. Also on the document were a website www.notify.usdoj.gov and the phone number of the Victim Witness Coordinator. Here you could use the victim ID and pin number to get details regarding court dates, arrests and charges.
After calling the number I was able to determine that only two of the defendants were still in custody with no scheduled court dates assigned to them. The charges being brought against them were as follows: 2 counts of Bank fraud, 1 count of Fraud Related Activity: Identification Documents, and 2 counts of Fraud Related Activity: Access Device. They were arrested on October 27th, 2010, exactly four months after skimming my card. 
A few things I learned from this experience are  never trust an ATM or device that you have to insert your card and pin number into. Cyber thieves are making such slick devices now that you won't even notice the skimmers. Many times criminals have replaced hardware or implanted devices into ATMs or gas pumps, some with cellular technology included (http://www.frontlinesentinel.com/2011/01/ultimate-post-about-atm-skimmers.html). This doesn't leave the consumer a chance, so don't be embarrassed. Also it seems like the banks are getting much more aggressive about catching the bad guys, which is a good thing, but the bad guys always seem to be one step ahead. For now.

Saturday, January 29, 2011

Egypts Internet Goes Dark, Shuts Down Cellphone Service

In Egypt, where there's an anti-government movement due to corruption, a failing economy and lack of freedoms, citizens have taken to the streets in protest.

Due to the continuous uprising of people protesting, Egypt has taken the country off-line. As of Thursday night at 10:12pm local time, all 4 major ISPs in the country "went dark" within a 13 minute time frame. There is no communication inbound or outbound from the country except for a few government sites and their stock exchange. The Egyptian government also asked mobile operators to go offline, leaving the local telephone carriers as the only form of communication in the country.

In the past countries have blocked sites like youtube, twitter and facebook to try and contain the protests that were occurring in their countries. In the Egyptian case they didn't block by domain name, but instead removed access completely to the internet. I'd be very interested to see the financial loss that's occurring to business due to having no internet presence. This means no e-mail, ftp, or http traffic going into or out of the country. How are international businesses supposed to operate if they can't communicate? Egypt is hurting themselves financially by trying to cover up whats going on in their country. Egypt is also a major hub between Africa and the middle east and its likely that by pulling themselves off the internet, they've distrusted connections to other countries. This wasn't thought out properly.

I don't see what they're trying to prove here? Everyone in the world knows that they're rioting, and they think that by pulling the plug they'll fool everyone into believing that every things okay? Didn't they learn from the Iranian elections?

Lastly, with all the talk about the Obama administration wanting to create an "Internet Kill Switch" in America, the Egyptian case scares me even more. Is this why they want to create the American kill switch? The Obama administration wants it in place to protect the government and critical infrastructure, right. The Egyptians obviously didn't have one in place because there was a time gap between each ISP going down. Due to the infrastructure in America and the number of ISPs it would be incredibly difficult to shut us off the internet like the Egyptians, but creating this "Kill Switch" to have us removed is terrifying.

Thursday, January 27, 2011

The Ultimate Post About ATM Skimmers

This is by far the most exhaustive post I've ever read on ATM skimmers. Brian Krebs has one of the most popular security blogs on the internet, and with posts like these its no wonder why.

I would highly suggest reading this article(s) and learning about all the methods hackers use to compromise your ATM card. Fascinating.


http://krebsonsecurity.com/all-about-skimmers/

Facebook enhancing security with HTTPS

Facebook announced that it will be rolling out the ability to use HTTPS for communication between your browser and their servers. This coming one day after facebook founder, Mark Zuckerberg's, facebook profile was compromised.

Previously facebook would secure you credentials after authenticating, but would than pass all other traffic over the Internet unencrypted. Using simple tools like firesheep (http://codebutler.com/firesheep), allows hackers to gain access to sites sending data over in clear-text after the initial encrypted credentials were secured. Many other sites need follow facebooks lead and jump on the SSL band wagon (twitter.com, gmail.com, flickr.com, etc..)

Facebook said that over the next couple weeks everyone will have the ability to activate HTTPS for their profile. As big a step as this is for one of the largest sites on the internet, the end goal should be to not only have voluntary HTTPS access, but to have a completely secure browsing experience. They need to work out some bugs (pages loading slower, apps not working, etc), but the vision should be to have end-to-end encryption during the entire session.

People are putting their entire lives on Facebook and the least they could do is make sure its secure.

Tuesday, January 25, 2011

The Government Wants To Control The Internet

The government is obviously making a big push towards gaining more control over the internet. I'm not sure how this is going to play out for our benefit, but I can see both sides of the coin. The major issue I have is giving the government any more power. Here are a few things that are currently going on now with cybersecurity and the United States government.

Internet Kill Switch
http://www.cbsnews.com/8301-501465_162-20029302-501465.html

At first glance this is absolutely terrifying. Giving this much power to the government over a private company is outright scary. This is still in its early phases of legislation, but I can see some good with the government monitoring the infrastructure of national critical systems (Nuclear plants, Dams, etc.), but giving them the power to cut them off from the world seems a little intense. I think improved regulations, monitoring, and vulnerability assessment/remediation against these sites would be better than a kill switch. At least here they're taking a proactive approach. Plus the ISP could always cut them off if needed in a real disaster. I think we need more details as to what classifies a company under this law and under what conditions would they be "switched off".

This was a scary line:
A company that objects to being subject to the emergency regulations is permitted to appeal to DHS secretary Janet Napolitano. But her decision is final and courts are explicitly prohibited from reviewing it. 

Broader Wire Tapping
http://www.engadget.com/2010/09/28/u-s-officials-push-for-broader-internet-wiretapping-regulations/

This one annoys me the most. In efforts to catch bad guys the government wants to have the ability to listen in on anything they want over the internet, including Skype. This is a serious breach in privacy to the majority of America. I don't know why we keep thinking the bad guys are stupid? Once they allow us to tap into these areas they'll start using something else or putting encryption against their communication; we still won't catch them and we'll be the ones being tapped.

Internet Identity Management
http://www.businessweek.com/news/2011-01-07/internet-identity-system-said-readied-by-obama-administration.html

The issues I have with this are who is going to run it, why are they creating a single point of failure and why are they making a push for this? I don't think this is going to stop cyber crime in the least. If anything, once a hacker gets your credentials for one site he has it for all others. I'm not sure I by into this yet for home use.

“This is going to cause a huge shift in consumer use of the Internet,” said John Clippinger, co-director of the Law Lab at Harvard.  WOW!! You're a director at Harvard and you don't think people use the internet enough for commerce?

The new system will probably hasten the death of traditional passwords, Clippinger said. Instead, users may rely on devices such as smartcards with embedded chips, tokens that generate random codes or biometric devices. I hate to break it to you, but if you're putting in a random code its still a password.

"Do Not Track" Option Coming To A Browser Near You

Chrome, Mozilla and IE are all working on their version of an opt-out of personalized advertising. 

http://www.scmagazineus.com/google-mozilla-announce-new-do-not-track-features/article/194872/?DCMP=EMC-SCUS_Newswire

Handheld Devices Become Targets For Hackers

Handheld devices are swiftly becoming a new target for many hackers. Due to the large number of vulnerabilities and the sheer number of handheld devices in the wild, its no wonder that we've seen a huge jump in malicious apps for handheld devices.


The Cisco 2010 Annual Security Report (PDF) cited progress by Microsoft and other software vendors to improve security by providing updates, alerting users to potential flaws and making patches available to users. The progress on the desktop is going to force cybercriminals to shift their activities to mobile platforms, which often times have similar vulnerabilities, said Henry Stern, a CSIRT security engineer at Cisco Systems Inc. Apple, with the popularity of its iPhone and iPad and Android, with dozens of different smartphones are the likely targets, according to the report.

Friday, January 14, 2011

Google Pays Bounty For Chrome Bugs

Here's a proactive and ingenious way to rid your software of bugs. Now what happens when these people start selling the bugs to the bad guys for 10x the cost?


http://www.networkworld.com/news/2011/011311-google-pays-record-bounty-for.html

Saturday, January 8, 2011

The Building Cyber Threat Of Mobile Phones

As mobile phone users continue to grow exponentially every year, the threat of malicious intent involving smart phones increases as well. With the emergence of Google's Android OS appearing on multiple vendor phones, its only a matter of time before there's a major breach involving a major smart phone distributor.

Over the past year there's been multiple instances of malicious apps being downloaded from the Android Market onto a users phone, using simple social engineering tactics (I.E New Angry Bird Levels, Twilight app, etc.) that are all designed for information stealing, service theft or botnet creation. Some of these apps have the potential to steal information such as contacts, send out SMS texts, make phone calls and determine your location via the built-in GPS. These apps could theoretically be installed from any vendor store, but its more likely to be installed on an Android OS since they don't vet their apps as throughly, if at all before being placed on their "Market".   http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200946

Most major vendors like Apple and Google have something called a "Kill Switch", that will allow the app to be removed globally across all phones that have it installed. Once an app has been determined to have breached
the vendors policy they'll push the button and have it killed. Its not sure if the users will have the money reimbursed for the purchase of the app after its been killed. http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=211200988

Certain banking apps have also been compromised with "Man-in-the-browser" like attacks that end up stealing banking credentials that give attackers access to your banking credentials and account information. http://threatpost.com/en_us/blogs/zeus-variant-targets-mobile-online-banking-apps-092710

Right now there are a few vendors that are creating anti-virus for phones, but I don't think this is the road we should take considering that anti-virus isn't working now for PCs. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security

All mobile phone users should not only password protect their phones, but they should encrypt the data that's stored on it. Both of these are simple settings that can be enabled on the majority of phones. This and using caution when downloading applications will prevent malicious activity on your phone for now.

Saturday, January 1, 2011

Shadowserver Foundation Taking It To The Bad Guys

The Shadowsesrver foundation is a volunteer-run organization that's collecting data on the dark side of the internet and assisting with hunting down the bad guys.

By working with ISP's and utilizing honeypots and other methods, they're able to glean an enormous amount of useful data that's making a difference in the fight against cybercrime.

Check them out: http://www.shadowserver.org/wiki/