Thursday, July 30, 2015

Planned Parenthood Attacked by Hacktivists

According to the news, Planned Parenthood has been breached and has suffered multiple DDoS attacks against its website. An attacker going by the name "E" is supposedly in control of a large cache of internal data after breaching Planned Parenthood's internal network.

Going to the site's homepage currently shows that they're still dealing with the aftereffects of the DDoS attacks. As of right now we're being told Planned Parenthood is keeping its site down and working on ways to mitigate future attacks. It was also mentioned that they're working with a third-party cyber-security firm for assistance.

Below is what's currently displayed on their homepage:

China Hacking: Can't stop, won't stop

China is really hacking the crap out of anything it can get its hands on right now. Despite discussions about working with other countries on the issue of nation-state hacking, it seems that these were all just lies and sweet talk. I'm not saying America or other countries aren't doing something similar, but China is continually gathering manufacturing data and sensitive personal data for its own use. A few articles came out today referencing its involvement in the following hacks (which was always assumed): OPM, Anthem, United Airlines, etc.

You can view the articles here and here.

Wednesday, July 29, 2015

Google's letting you bring your own encryption keys

Google recently announced that it will allow customers to bring their own encryption keys to Google Compute Engine (its IaaS offering). This essentially prevents Google from knowing what's stored in its public cloud, since it can't read the customer's data at rest. It also allows Google to show that it's playing in the Edward Snowden era and to prove to customers that encryption and privacy do matter. At least that's what they're trying to show.

Now, before we start lavishing Google with praise, let's remember that this isn't anything new. Both Amazon and Microsoft have this capability, but use third-party vendors to store the keys in an HSM (like SafeNet) to accomplish the task. From what I've read about the product, it seems Google has built its own method of storing the keys. This slightly concerns me, but we'll see what comes out over the next couple of weeks and as the product matures.

Either way, this is a big move towards privacy.

Network Deception Using Decoys

I wrote this article a few months back on why network deception is a technique that security folk should start using more. It's relatively inexpensive, or free if you go completely open source, and it could save your butt. It still seems to be somewhat passé when I speak to people about it, but I've noticed some up-and-coming security vendors offering these techniques as services, so I'm encouraged that this will someday be a staple of security monitoring and operations.

If the bad guys can use deception while compromising your network, why not turn the tables on them and use similar techniques to alert you to their presence? This has been going on forever in physical warfare, and it should be no different when fighting adversaries in the digital world.

You can check out the article here.

Tuesday, July 28, 2015

Dell Aiming Security Services at SMB Market

As a small to medium business you need the ability to manage the assets and software on your workstations and servers. The war on malware is happening on the desktops, and it's one of the single most important areas an SMB needs to address. The issue quickly becomes one of having the proper resources to manage these workstations, and it often falls back to a "best effort" on a good day. To properly update applications, patch operating systems and push out new versions of third-party software, you need a system that's going to work for you. You need to work smarter, not harder.

Almost every day we hear of another company being hacked because it was hit by malware or exploited through a vulnerable application. Most of the time this happens because of out-of-date software or neglected operating systems in SMB companies, and that is mostly due to the sheer workload it takes to keep them up to date. Just as we keep hearing of new companies being compromised, there's a comparable stream of vulnerability alerts being issued by software vendors. It seems that every week Microsoft, Adobe or Java is releasing some type of out-of-band or critical security patch that needs to be applied to your workstations and servers before it's exploited by an attacker.

The question quickly becomes: "How do you keep up?" For all those server administrators using Microsoft WSUS to patch your workstations and servers, I applaud you, but you're only covering half the threats with that mentality. What you need is the ability to cover third-party software too, like Java, Adobe, Flash, etc. These are the ones getting attacked frequently in the wild, because they deal with browsers most of the time and are normally the gateway to malware when an old version is running. You need something that's going to patch both, and that's not something you're going to get out of the box with WSUS. Hence the Dell KACE K1000 systems management appliance.

There are many uses for the K1000, but one of the best use cases is patching all systems by determining what software is running on the workstations and servers and alerting on which ones need attention to meet your security policy or corporate compliance. Understanding which patches need to be applied to systems gives you a better view of the risk in your environment and helps close holes that might otherwise be exploited. There are also compliance reports that can be run to help verify that systems required to meet a certain standard are being kept in compliance.

By using the K1000, your administrators will be able to set patch policy from both an operating-system and a third-party-patch point of view. Once these policies have been created, an administrator can quickly push out patches to secure your environment and be freed to continue working on other projects. This not only helps secure your organization, it frees up resources.

I've personally used Dell for many security solutions, this being one of them, and they continue to impress. One of the best security companies out there, in my opinion. Here's a link to some other services they perform. I'd seriously consider them for forensics and incident response too.

Friday, July 24, 2015

Cars getting hacked. Bad code can kill.

Over the past week we've seen security researchers completely take control of a Jeep Cherokee, via the cellular network, while sitting in the comfort of their own home. Some of the things they were able to commandeer on the moving vehicle were the brakes, steering wheel, speedometer, music, windshield wipers, door locks, etc. They had pretty much complete control of the car while the reporter driving it flew down the highway at 70 mph at their mercy. You can watch the video here.

Shortly afterwards, Chrysler recalled over 1.4 million cars that were vulnerable to this exploit by sending the affected owners a software upgrade on a USB drive in the mail. That's right, they pretty much sneaker-netted the software patch via the post office. The owners of these recalled cars now need to load the fix from the USB drive into a port on the dashboard.

There is so much wrong here, and it's very concerning. Here are just a few issues:
  • Every automotive vendor is pushing to have its features deployed to production as fast as possible and isn't worried about security. Once again we're seeing the same problem plague developers and their code. If you're not going to learn how to write secure code in this day and age, do us all a favor and pick a different profession.
  • If two researchers were able to do this on a small budget, what could a nation state, criminal gang or terrorist accomplish? Imagine a gang that's able to control your cars and airplanes with nefarious intent. This is not good; we're not talking about your Facebook account getting hijacked here. People's lives are at risk with this exploit.
  • I'm still not for them presenting these types of vulnerabilities at Black Hat. Yes, they need to be fixed, but when people's lives are at stake, releasing the code, even just a little bit, is all those with malicious intent need for a jump start. Creating videos like this is fine, because you got the results you were looking for, but releasing it to the public is not the most responsible way to go about it.

Bad code can kill. We need to be careful.

Glenn Greenwald - Why Privacy Matters

This isn't a new talk, but it's still super relevant today.

Urgent WordPress vulnerability... again.

Honestly, I've considered moving this blog away from Blogger, which it's hosted on, many times, but it's the constant WordPress vulnerabilities, like these, that always dissuade me from moving forward.

Maybe one day.

The Salvation of Incident Response

Wednesday, July 22, 2015

The Ashley Madison hack is a goldmine for criminals

There have been hundreds of articles written on the Ashley Madison hack this week, as I'm sure you've probably seen. If for some reason you haven't, this site offers users the opportunity to set up sexual affairs with other registered users in secret. Personal messages, profiles, email addresses and credit card numbers have been stolen and are being held for ransom, which is truly sensitive information if you're one of the millions of users, 37 million to be exact, looking to have an affair online and using the service to assist with cheating. The group that stole the information is demanding that the site and its affiliates be taken down or they'll release the cache of info.

No matter how you feel about the site itself (I personally think it's a despicable way to make money), there are some major ramifications at play here that aren't part of a normal data breach. The people responsible aren't using the credit cards or selling them, as far as we know, and are demanding that the site be taken down. This is a different response from what we normally see when large eCommerce sites have been compromised. At this point the attackers don't seem to be financially motivated, which makes them even more unpredictable.

There's also the prospect of very personal data being spewed across the internet, exposing these users' infidelity in very public ways. Once this happens there are a few things I can foresee:
  • Privacy lawsuits against Ashley Madison from the users who were told their personal information would be removed after their accounts were deleted. These records are going to show up in divorce courts for the next couple of years. This data was supposed to be private and has now been made public for the world to see. The divorce lawyers are going to love this.
  • Once this list makes its way onto the internet, the first thing someone's going to do is create a searchable database of credit card numbers, names, email addresses, etc. so people can check whether their partners were cheating on them. This will surely happen, and relationships will suffer because of this site. Not that these people wouldn't have had affairs without the site, but offering it as a service while being hacked is doubly wrong.
  • Blackmail will happen on a large scale. People will be found in the data dump and told that someone will rat them out to their spouse unless they pay up. This is bound to happen, and it could be worse if criminals start using this data to spur cyber espionage (e.g. someone at a pharmaceutical firm is found on the list and cyber criminals threaten to tell their spouse unless they start handing over trade secrets, etc.).

This site was about being secret and fooling around behind your partner's back. It turns out that's exactly what's happening to them now (oh, the irony). It also shows that if you have something private, no matter what it is, you can't trust a third party to hold your secrets. If sensitive information is being sent to a site you don't completely control, assume that it will be lost or breached. Make your digital decisions based on this risk approach.

Thursday, July 16, 2015

Steve Jobs' Thoughts on Flash

This morning I came across Steve Jobs' thoughts on why he despised Adobe Flash. This is widely documented, but given all the Flash bashing that's occurred over the past week I thought it was worth sharing. The man was an absolute visionary, and I wonder what he'd think of Flash now that vendors are finally starting to take action on what he started five years ago. Unless I'm mistaken, Steve Jobs and Apple were the first to take a stand against Flash by not allowing it to run on their mobile devices. We need more people with the stubbornness and forward thinking of Steve Jobs to take stands, like Mozilla did earlier in the week, even when at times it goes against a giant corporation or flies in the face of what's considered an industry standard. Many times change comes when one person takes a stand on a particular issue for the greater good. This is also commonly called leadership.

Here's a snippet from Steve Jobs' open letter about Adobe Flash. It was written over five years ago, and only now are people standing up to take action against Flash. In his open letter to Adobe he gives six reasons why Apple won't run Flash on mobile devices. His third reason for keeping Flash off Apple mobile devices is security; take a look at what he said:

Third, there’s reliability, security and performance.

Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know firsthand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash. 

With this open letter to Adobe on record, does it really take over five years for us to start acting? If you want to read the entire letter, and I recommend you do, you can find it here: https://www.apple.com/hotnews/thoughts-on-flash/

Wednesday, July 15, 2015

Opening Up Blog to Guest Posts

A few summers ago I opened up my blog to guest contributors, and some great content that might not otherwise have gone public came to light under these guest posts. With that being said, for the remainder of the summer, if you have a security article you'd like to post, research you'd like to share, news you'd like to break, etc., please contact me at matthewpascucci@protonmail.ch and we can discuss the details.

Look forward to working with you!!

Building Security into DevOps

I really think this is a huge idea. Any time you can take collaboration from other groups and wrap security around it, security wins. Having a seat at the table is what's really most important these days. There might not be a surge in productivity right away, but things like this take time to take hold, and before long you're being asked whether what's being rolled out is secure. This will bring many things past your desk that you wouldn't otherwise have noticed. Which is a good thing, right?

Take a look at the article I wrote for AlgoSec about the benefits security gains from being inserted into the DevOps cycle. Also, if you haven't read the book "The Phoenix Project", check it out.

Friday, July 10, 2015

Lessons Learned from the Hacking Team Hack

Over the past week we saw the dismantling of one of the most reviled companies on the internet: Hacking Team. I'm sure everyone's already read about their public shaming over the past couple of days, with their dirty laundry strewn across the internet in a neatly bundled BitTorrent file, but this incident leads me to think about a few other things regarding this week's Hacking Team revelations.
  • Based on these files, it really shows how security companies and security professionals aren't eating their own dog food. The code and emails released this past week show that we as security pros sometimes don't follow the basic rules we're supposedly preaching. This is a wake-up call for everyone.
  • Why aren't we all up in arms with the countries that are using this technology in the first place? Is it because it's easier to go after the little guy instead of taking on a nation state? Most likely. It's also sad that we've come to expect this from our governments now and that this is just the status quo. What's even more revolting is having these governments throw their hands up and act as if they had no part in this conspiracy. Is this really all they need to do to deflect the heat of this scandal and cry immunity? Seems like it.
  • I'd be very interested to see what VUPEN is doing internally to protect itself from a similar compromise. With these vulnerability-for-hire companies making a living off compromising others, it's more than ironic to watch their businesses crumble when they're the ones who get popped. I'm sure VUPEN and similar businesses have taken notice and are now battening down the hatches. They're the ones who now have to worry about becoming prey.
  • Obviously, incident response wasn't a strong suit of Hacking Team's. Blasting out what seemed like drunk tweets, purportedly DDoSing sites that hosted their juicy BitTorrent file, telling people the files were laced with malware and threatening jail time is not the way to react to a data breach. It's definitely not the way you want a company to react, but this was most likely due to embarrassment and pride. Either way, don't do what they did during a data breach.
  • Since Hacking Team was in possession of at least two zero-day vulnerabilities, the question must be asked: how do you protect these pesky exploits? If you're running a bug bounty like Google, Facebook, etc., how are you keeping these zero-day vulnerabilities safe and hidden once they're discovered? It's very interesting, but if someone were able to identify or compromise the systems where these companies house this data, they'd have a constant stream of zero-days flowing in for consumption. Not cool, my friend.

Companies that aid governments in suppressing their citizens, and that develop tools which have most likely led to countless captures, arrests or worse, receive no sympathy for what happened. We do need to learn from this, though, because every moment is a teachable moment, and understand that we need to protect our sensitive data better now. This is not optional, and we're seeing that companies, even bad ones like Hacking Team, could have averted this crisis (thankfully the news is out) if they had followed proper data protection techniques.