Information Security News
Serial hacker Samy Kamkar has released all the hardware and software specifications that hobbyists need to build an aerial drone that seeks out other drones in the air, hacks them, and turns them into soldiers in a growing army of unmanned vehicles under the attacker's control.
Dubbed SkyJack, the contraption uses a radio-controlled Parrot AR.Drone quadcopter carrying a Raspberry Pi circuit board, a small battery, and two wireless transmitters. The devices run a combination of custom software and off-the-shelf applications that seek out wireless signals of nearby Parrot drones, hijack the wireless connections used to control them, and commandeer the victims' flight-control and camera systems. SkyJack will also run on land-based Linux devices and hack drones within radio range.
by Casey Johnston
The company E2V has developed a prototype device that uses a radio-frequency pulse to shut down a car’s engine at range, according to a report from the BBC. While the range of the device is fairly short, it worked on a handful of cars and motorbikes and could also potentially be used on boats.
The product, named the RF Safe-stop, works by sending an RF pulse to a car at up to 50 meters (164 feet) away. The pulse “confuses” the car’s electronic systems, which the BBC said made the “dashboard warning lights and dial [behave] erratically.” The engine then stalls, and the car comes to a stop. How safely and quickly the vehicle would stop depends on the vehicle, and this technique would not work on older vehicles.
Engineer Magazine suggests the RF Safe-stop could be used for stopping vehicles that are suspected of being car bombs. Likewise, the Safe-stop could cut police chases short or be installed in a fixed area to prevent cars from entering. The Association of Chief Police Officers, speaking to the BBC, said that it would be a safer alternative to stopping two-wheeled vehicles than shooting out their tires. E2V does not specify how narrowly the Safe-stop can be targeted.
SANS Announces Results Of Its 2013 Mobile Security Policy And Management ...
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security ...
I recently had a migration from one internet uplink to another to do for a client. As with many organizations, they have about 40% of their workforce at head office, and 60% (and sometimes more) of their workforce operating remotely, so taking the Firewall and especially the VPN services offline is a very big deal. There is no good time to take things down given that their sales force has people in just about every time zone, there are just times that are "less bad" than others.
Anyway, we settled on a weeknight, starting at around 6pm EST after their shipping was completed. As in most projects of this type, we finally got most of the "important" users off the network by about 7:30 and were ready to start.
On logging into their firewall, I did (as I always do) a quick check of the real-time logs, just because you never know what you'll see. Imagine my surprise when I saw that it was still pretty busy, and the traffic being logged was mostly this:
So what is that? Their internal workstation network is 192.168.122.0/24, a nice respectable RFC1918 address range. However, we're seeing lots of outbound requests for 192.168.1.0/24, which I would expect to see more on home networks. Now I could understand a simple, persistent series of requests to a single 192.168.1.x address, perhaps a home printer that is a user's default, or a home DLNA server, but this looks a whole lot like reconnaissance, doesn't it? It's a sweep of the entire 192.168.1.0 network, using ICMP. Looking deeper at the packets, as you'd expect these are echo requests (Type 0, code 0), otherwise known as plain old "ping".
So, what's so interesting about this you ask?
My answer would be that recon of a network that's the default subnet for many home routers is always suspect in an enterprise. In fact, recon of any type in an enterprise network should be considered suspect. People connect to what they need to do their jobs; network sweeps are almost always an indicator of compromise, either malware looking for something else to infect or an attacker looking for their next foothold. Happily, if the network being scanned isn't in the internal routing table and isn't black-holed internally, it usually shows up in the firewall logs.
In this case, it was malware looking for UPnP devices (printers, cameras, TVs, but especially home firewalls), which Johannes wrote up in January ( https://isc.sans.edu/diary/Exposed+UPNP+Devices/15040 ). Even though it's what you might consider "old", it sees sustained use ( https://isc.sans.edu/port.html?port=1900 ) in malware and continued success, mostly because almost nobody patches or fixes their home routers.
It could also just as easily have been malware looking for default home router credentials or one of the home router backdoor vulnerabilities (which Manuel wrote up here: https://isc.sans.edu/diary/Old+D-Link+routers+with+coded+backdoor/16802 ).
It was just lucky that I caught this activity on film; the network was so quiet that the malware activity just popped up without my looking for it. It's funny that when you have a quiet network, sometimes all that's left is the malware and attack traffic.
Of course, when we did a reverse lookup on the workstation IP, it was their HR manager. You know, the HR manager who insisted that we remove the internet filters from their account so they could be active on social media? No risk at all having malware on that station!
But hopefully, this illustrates why looking at your logs should be part of your day-to-day work to secure your organization. And not just glancing at the logs scrolling by on your firewall: review the text logs that you store on disk, because that's where you'll find those "gold" log entries. Make friends with the grep or findstr commands and do some mining for malware; it'll be the most productive time you spend most days! Heck, just looking at a directory of your logs by day is often enough: if yesterday's logs were 10 times the size you normally see, that's often an IOC (Indicator of Compromise) all on its own. Relying simply on tools to alert you to problems and not looking at your logs is passing up the easiest and earliest detection of problems you'll ever get. As we say over and over: "there's gold in them thar logs!"
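The two checks the diary describes, as an added example that is not the author's tooling: a pass over stored firewall logs that flags a source pinging many hosts in an RFC1918 /24 that is not in the internal routing table (here assumed to be only 192.168.122.0/24, from the diary), and the "yesterday's log is 10 times the usual size" directory check. The log line format and sample lines are constructed, so the regex needs adapting to your own firewall's syslog.

```python
"""Spot ICMP sweeps of non-routed RFC1918 space in stored firewall logs.
Added example for the diary above, not the author's tooling; the log format is
constructed, so adapt LINE_RE to your firewall's syslog."""
import ipaddress
import re
from collections import defaultdict
from statistics import median

# The client's routed workstation range from the diary; any other RFC1918
# destination is assumed to be outside the internal routing table.
INTERNAL_NETS = [ipaddress.ip_network("192.168.122.0/24")]
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
                     r"(?: type=(?P<type>\d+) code=(?P<code>\d+))?")

# Constructed sample: one workstation walking 192.168.1.0/24 with echo
# requests, plus two benign lines (HTTPS out, and a single ping to the usual
# address of a home printer). Not a capture from the original post.
SAMPLE_LOG = [
    f"2013-12-03T19:31:0{i % 10} fw1 deny icmp src=192.168.122.57 "
    f"dst=192.168.1.{i} type=8 code=0" for i in range(1, 41)
] + [
    "2013-12-03T19:31:05 fw1 allow tcp src=192.168.122.20 dst=198.51.100.10 dport=443",
    "2013-12-03T19:31:06 fw1 deny icmp src=192.168.122.20 dst=192.168.1.10 type=8 code=0",
]

def find_icmp_sweeps(lines, threshold=16):
    """Return [(src, '/24', host_count)] for sources that sent echo requests
    (ICMP type 8, code 0 per RFC 792) to at least `threshold` distinct hosts
    in one private /24 that is not in INTERNAL_NETS."""
    hosts = defaultdict(set)                     # (src, /24) -> distinct dsts
    for line in lines:
        m = LINE_RE.search(line)
        if not m or (m["type"], m["code"]) != ("8", "0"):
            continue                             # not an echo request
        dst = ipaddress.ip_address(m["dst"])
        if not dst.is_private or any(dst in n for n in INTERNAL_NETS):
            continue                             # routed internally or not RFC1918
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        hosts[(m["src"], str(net))].add(dst)
    return sorted((src, net, len(d)) for (src, net), d in hosts.items()
                  if len(d) >= threshold)

def oversized_days(size_by_day, ratio=10):
    """The 'yesterday's log is 10x the usual size' IOC from the diary: days
    whose log size is >= ratio times the median of the other days."""
    if len(size_by_day) < 2:
        return []
    return sorted(day for day, size in size_by_day.items() if size >=
                  ratio * median(s for d, s in size_by_day.items() if d != day))
```

On the constructed sample, `find_icmp_sweeps(SAMPLE_LOG)` reports only 192.168.122.57 (40 hosts in 192.168.1.0/24); the single ping from 192.168.122.20 stays below the threshold, which is the home-printer case the diary says is not worth chasing.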
Even reviewing the logs of your home network can give you valuable information ( https://isc.sans.edu/diary/Collecting+Logs+from+Security+Devices+at+Home/14614 ). You'll find the same indicators of compromise or attack in home logs as at work, and if nothing else, it's good practice for reviewing logs from enterprise gear: home gear and enterprise gear all log the same things, if they're configured correctly, that is...
By the way, did you catch the other problem that our captures showed? Yes, the NTP server that the firewall was synced to had been retired, so the date and time on the firewall were completely out of whack. If you've ever tried to correlate logs from multiple systems, perhaps to get a complete picture of how a compromise happened or what it did after it got its toehold, you'll appreciate just how big a deal syncing your clocks is.
If you've found malware with plain old text logs as a primary source or using a log analysis tool, please let us know using our comment form!
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Response: Beware the Nascent Cyber Insurance Market
US public companies are more forthcoming with details regarding their cybersecurity risk profiles – and more transparency regarding cyber-risk and cyber-attacks is expected to drive greater adoption of cyber-insurance as a means of demonstrating better ...
Posted by InfoSec News on Dec 03: http://online.wsj.com/news/articles/SB10001424052702304854804579234091720329338
Posted by InfoSec News on Dec 03: http://www.suntimes.com/news/metro/24065183-418/city-cps-students-health-data-accidentally-posted-online.html
Posted by InfoSec News on Dec 03: http://www.theaustralian.com.au/technology/government-data-found-on-memory-sticks/story-e6frgakx-1226773129880
Posted by InfoSec News on Dec 03: http://arstechnica.com/security/2013/12/scientist-developed-malware-covertly-jumps-air-gaps-using-inaudible-sound/
Posted by InfoSec News on Dec 03: http://www.newstatesman.com/future-proof/2013/12/theres-%C2%A360m-bitcoin-heist-going-down-right-now-and-you-can-watch-real-time
Posted by InfoSec News on Dec 03: Forwarded from: Vic Vandal <vvandal (at) well.com>
Posted by InfoSec News on Dec 03: http://www.deccanchronicle.com/131130/news-current-affairs/article/india-not-equipped-tackle-cyber-attacks-experts