Hackin9

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Spiderlabs published an interesting article on this the other day. http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html

The list has now appeared on pastebin and is being sold for 0.05 bitcoins (last time I checked they had made about $600 so far).

If you haven't already, you may want to start looking at the strong authentication options for some of these services.

Mark H

 

 
One of our readers received a "Microsoft Support" call, finally. It was too funny not to put up. Happy Friday.
 
"Finally(!), I got one of those unsolicited telephone calls from the "Windows Service Centre".
Caller-ID information showed 'unavailable'.
 
The first caller identified himself as 'Dadge Miller' (or something like that).
He said he was calling from Microsoft headquarters in California.
I said that I thought that their headquarters was in Redmond, Washington.
He said that Microsoft has offices worldwide.
OK, I'll buy that. :-)
 
He said that Microsoft has detected computer-viruses on my computer.
After helping me find the Windows key on my keyboard, he said "press Windows key and R key at the same time".
Then, enter 'eventvwr' and click OK.
When 'Event Viewer' opened, he had me click the 'Application' tab, and said that all the "errors" and "warnings" represented computer-viruses.
OK, I'll buy that. :-)
He had me minimize the window, and back to Windows-R.
Then, enter: www.support.me and click OK.
That launched Internet Explorer, redirecting to: https://secure.logmeinrescue.com/Customer/Code.aspx
He had me enter '702814' and click 'Start Download' and then 'Run'.
Instead, I clicked 'Save' for file: 'Support-LogMeInRescue.exe'.
At this point, I said that my anti-virus software had flagged the download as "unsafe" and that it had deleted the download.
He believed me.  :-)
He passed the telephone call to "Randy Roberts", his supervisor, with a Bangladeshi accent ?!
Then, enter: www.support.me and click OK.
That launched Internet Explorer, redirecting to: https://secure.logmeinrescue.com/Customer/Code.aspx
He had me enter '352632' and click 'Start Download' and then 'Run'.
Again, I said that my anti-virus software had flagged the download.
Then, after a pause, he asked me if there was a Walmart nearby.
 
He offered me two levels of "support" -- one year for 149 dollars (currency not specified) or lifetime for 249 dollars.
I chose the "lifetime" support.   :-)
He told me to go to Walmart, and say that I want to make a Moneygram Money Transfer, citing a "personal" reason.
Recipient name: Tapan Saha (over a dozen people by this name on LINKEDIN ! Lots on Facebook, too!)
Address: Nagaripur
City: Takerhat
Country: Bangladesh.
He said that Microsoft has contracted with this provider in Bangladesh.
He said that the fee will be $299 -- $249 plus $50 for a technician to come to my home to fix my computer, if they cannot fix it over the telephone.
Nice bit of "up-selling".  :-)
 
I said that it would take me some time to get to Walmart, purchase the MoneyGram, and return home.
So, he agreed with my request to call at 1 PM local (70 minutes from the time we talked).
I have an appointment downtown at 1 PM -- guaranteed not to be home at that time!
He said that Walmart will charge me $10 for the MoneyGram.
He confirmed my telephone-number, and gave me his: 727-498-0049,
and told me to ask for "Randy Roberts" if I called him.
 
They told me to turn my computer off before I went to Walmart.
 
While I was out, at my lunch-date, my voice-mail recorded 6 messages -- all "empty" -- two from "unavailable", two from a non-long-distance number, and two from Cincinnati (Ohio).
Obviously, they were spoofing the caller-ID information, repeatedly trying to contact me.
 
M
 

High CISO employment rates means shortage for security industry
IDG News Service
Infosec management is a seller's market; those who are qualified don't have to look too hard for work. What is good for the individual is not good for industry, however. The downside is that it is tough for enterprises to hire qualified IT security ...

 
Microsoft will ship 11 security updates next week to patch critical vulnerabilities in Windows, Internet Explorer, Office and Exchange, including one meant to stymie active attacks the company confirmed last month.
 
At a wine bar in San Francisco on Wednesday, Broadcom Chairman and CTO Henry Samueli delivered some sobering news: Moore's Law isn't making chips cheaper anymore.
 
The core wars between x86 chip makers hit a lull a couple of years ago as processors were deemed to deliver enough performance, but Intel's plans to release a 15-core processor could change that.
 

CSA Congress 2013: CSA and SAFECode Issue Guidance for Developing ...
Infosecurity Magazine
“The greatest threat [to applications] is the lack of education awareness among developers when it comes to the tools that are available”, Howie concluded. “Developers are not necessarily aware of what they should be doing. You can trace a lot of ...

 
Is Amazon's 60 Minutes revelation serious, or just a publicity ploy?
 
More powerful processors will allow smartphone vendors to turn their high-end models into gaming consoles, but slower growth will also force them to focus more on improving their less expensive products next year.
 
The U.S. House of Representatives has passed a bill meant to discourage so-called patent trolls from filing multiple infringement lawsuits or demanding licensing deals over the objections of some groups representing small inventors.
 
Explosive revelations in the past six months about the U.S. government's massive cyber-spying activities have spooked individuals, rankled politicians and enraged privacy watchdogs, but top IT executives aren't panicking -- yet.
 

Website aggregates compromised accounts from several data breaches
TechTarget
Massive data breaches have become a common occurrence in the infosec world, and with consumers often using the same credentials across several websites and services, victims are left struggling to keep track of which accounts have been exposed and ...

 

JPMorgan Chase has warned 465,000 holders of prepaid cash cards that their personal information may have been obtained by hackers who breached the bank's network security in July, according to a report published Thursday.

JPMorgan issued the cards on behalf of corporations and government agencies, which in turn used them to pay employees and issue tax refunds, unemployment compensation, and other benefits, Reuters reported. In September, bank officials discovered an attack on Web servers used by its www.ucard.chase.com site and reported it to law enforcement authorities. In the months since, bank officials have investigated exactly which accounts were involved and what pieces of information were exposed.

Wednesday's warning came after investigators were unable to rule out the possibility that some card holders' personal data may have been accessed. The bank usually keeps customers' personal information encrypted, but during the course of the breach, data belonging to notified customers temporarily appeared in plaintext in log files, Reuters said. The notified card holders account for about two percent of the roughly 25 million UCard users.

 
At a conference as big and boisterous as Dreamforce, you hear a relentless stream of ideas. Some are good, but most are bad. At Dreamforce 2013, there was only one idea that really mattered: Whether smartphones are the future client for enterprise apps.
 
Sen. Edward Markey (D-MA) this week asked automakers what they're doing to protect vehicles from wireless hacking threats and privacy intrusions.
 
Oracle has fully integrated the long-awaited Linux DTrace debugging tool into the latest release of its Linux distribution, potentially allowing administrators and developers to pinpoint the cause of thorny performance issues with more accuracy.
 
GE Healthcare CTO Nevin Zimmermann talks with IDG Enterprise Chief Content Officer John Gallant about mobile, cloud, big data and more. Zimmermann also discusses how his team is evolving and why CIOs must embrace technology changes.
 
Xamarin has integrated the sneak peek version of Google's GDK, or Glass Development Kit, into its cross-platform development tools, allowing C# developers to create apps for Google Glass.
 
The U.S. government has a huge image problem worldwide as it promotes Internet freedom on one hand and conducts mass surveillance on the other, potentially creating major problems for U.S. technology companies, a former official with President Barack Obama's administration said Thursday.
 
The growing popularity of 10 Gigabit and 40 Gigabit Ethernet in data centers helped propel the entire Ethernet switch market during the third quarter, according to IDC.
 

What attributes are necessary to have success in the CISO role?
TechTarget
This support can only be earned by building relationships with each member of the executive team and establishing your expertise in both business and infosec matters. A CISO's greatest asset in building these relationships will be in listening to the ...

 

Dec OUCH! is out - "Securing Your New Tablet". Download & share with family/friends. www.securingthehuman.org/ouch

 
China Mobile, the world's largest mobile carrier, has finally inked a deal with Apple to sell the iPhone, according to a report by the Wall Street Journal.
 
LinuxSecurity.com: Charlie Somerville discovered that Ruby incorrectly handled floating point number conversion. If an application using Ruby accepted untrusted input strings and converted them to floating point numbers, an attacker able to provide such input could cause the application to crash or, [More...]
 
LinuxSecurity.com: Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
 
Toyota and wireless charging start-up WiTricity announced an IP licensing agreement today, an indicator that future plug-in hybrid and all-electric Prius cars could soon cut their charging cords.
 
The price of bitcoins may be soaring, but China isn't too thrilled with the virtual currency. On Thursday, the nation moved to regulate use of bitcoins, stating that its financial institutions could not deal in the virtual currency.
 
Twitter and Deutsche Telekom have joined forces to develop software for Android.
 
The U.S. National Security Agency is collecting location data daily from tens of millions of cellphones around the world, the Washington Post reported Wednesday.
 
Microsoft moved to reassure business and government customers worldwide that it is committed to informing them of legal orders related to their data, and will fight in court any 'gag order' that prevents it from sharing such information with customers.
 
Hewlett-Packard took back its server crown from IBM last quarter as the overall market contracted and Taiwanese vendors made big gains selling directly to Internet giants like Google and Facebook, IDC reported Wednesday.
 
Acer wanted to make the Aspire Z3-600 all-in-one PC easy to move around, so it integrated a battery into the computer.
 
A man was shot and killed in San Francisco this week after he tried to sell his PlayStation 4 on Craigslist, highlighting the potential dangers of selling goods to strangers online.
 
A Silicon Valley startup has developed a surveillance robot that it says can cut crime by half, but its appearance on streets would be sure to prompt more debate about technology and privacy.
 
German police have arrested two persons they accuse of hacking computers and using them to generate bitcoins police valued at more than $954,000. A third suspect was not taken into custody, police said.
 
 
Last week the PCI Security Standards Council released the next versions of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS), version 3.0. The standards are updated on a three year cycle and are valid from the date of release. The previous version can still be used for certification until 31 December 2014, giving companies plenty of time to adjust to the new requirements.
 
The changes are mostly clarifications of the current requirements. A few have been combined and moved, but there really are no earth-shattering changes.
 
Unlike ISO 27001, there is a document of changes for each of the standards. These are available on the council's web site (www.pcisecuritystandards.org). One of the more visible changes is that the standard now provides, for each requirement, a guidance statement that explains why the requirement is important. In early 2014 the reporting requirements should be available, which will provide insight into what documentation and evidence needs to be available when facing an assessment.
 
Mark H - Shearwater
 
ISO 27001:2013 - Information Security Management Systems was released in September and slipped into use relatively quietly. The standard replaces ISO 27001:2005. The overall intent of the standard remains the same and, when you peel back the changes, most of the old standard remains. There are, however, enough changes that some effort may be required to address them.
 
One of the main changes is the format: instead of the 8 sections plus the annex in the previous standard, there are now 10 sections and the Annex. This new format is the Annex SL format, which is what will be used in all ISO management system standards going forward. Yes, standards have been standardised. One of the cheeky changes is that the Normative references and the Terms and definitions have been removed from the standard and are published separately (so yes, you have to buy those). The new sections are:
  • 0 Introduction - exactly what it says
  • 1 Scope - states what the standard is about
  • 2 Normative references - no longer included in the standard but a separate purchase :-(
  • 3 Terms and definitions - ditto
  • 4 Context of the organisation - The old section 4 risk assessment component, now more aligned with ISO 31000  
  • 5 Leadership - This refers to the old standard's management responsibility requirement
  • 6 Planning - More risk management and preventative and corrective processes
  • 7 Support - Management support
  • 8 Operation - the implement and operate section of the old standard
  • 9 Performance evaluation - Monitoring, audit and management review
  • 10 Improvement - Continuous Improvement
So still the same elements, but moved about a bit, so you will end up having to make changes in your documentation. The main thing that has gone from the standard is the plan-do-check-act cycle, but when you read between the lines it is still there. You are still expected to plan the controls to be implemented, implement them, and measure and update as needed, just like the old one.
 
The Annex still links through to the ISO 27002 document and reduces the number of controls from 133 down to 114. A few have been removed and some have been combined. The number of domains has been increased to 14:
  • 5 Information security policies
  • 6 Organisation of information security 
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security 
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management 
  • 17 Information security aspects of business continuity management 
  • 18 Compliance
These are all pretty self-explanatory.
 
With regard to the documentation and evidence you need to keep in order to be compliant, there are no significant changes. The main addition for most organisations will be the documentation requirements for Performance evaluation: the organisation will need to determine what needs to be measured and what evidence needs to be kept. As many organisations are weak in this area, that will be the biggest change for many.
 
You will have to check with your certifying body, but most of you will have between 12 and 24 months to implement the changes and certify to the new standard.
 
Happy updating
Mark H -   Shearwater
 

Posted by InfoSec News on Dec 05

http://www.computerworld.com/s/article/9244515/NSA_spy_scandal_prompts_China_push_to_favor_local_tech_vendors

By Michael Kan
IDG News Service
December 4, 2013

While China's demand for electronics continues to soar, the tech services
market may be shrinking for U.S. enterprise vendors. Security concerns
over U.S. secret surveillance are giving the Chinese government and local
companies more reason to trust domestic vendors, according to...
 

Posted by InfoSec News on Dec 05

http://www.networkworld.com/news/2013/120413-open-source-georgia-tech-276573.html

By Jon Gold
Network World
December 04, 2013

An academic exercise by a security researcher blossomed into a live-fire
infosec emergency last month, after a major vulnerability was found in a
central U.S. government healthcare database system.

Georgia Tech graduate student Doug Mackey didn’t set out to fix a
potentially disastrous issue in a major government...
 

Posted by InfoSec News on Dec 05

http://genevalunch.com/2013/11/28/geneva-high-court-stolen-bank-data-usable-correction/

By Ellen Wallace
Geneva Lunch
November 28, 2013

GENEVA, SWITZERLAND -- Bank data stolen by HSBC ex-employee Hervé Falciani
may be used as evidence in a court, the Geneva cour de cassation has
ruled. The court is the canton’s high court whose job is not to review the
details of cases but rather to verify the interpretation of the law.

In the Falciani...
 

Posted by InfoSec News on Dec 05

http://www.koreaherald.com/view.php?ud=20131204000803

By Park Han-na
The Korea Herald
2013-12-04

North Korea is aggressively beefing up its cyber warfare capabilities by
adding child prodigies to its 3,000-strong special hacker unit targeting
South Korea and its allies, an expert said Tuesday, citing the testimonies
of North Korean defectors.

Pyongyang regularly screens math and science prodigies to train them to be
cyber experts through...
 