Information Security News
by Robert Lemos
A group of cyber spies targeted the North Atlantic Treaty Organization (NATO), Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year, in some cases using a previously unknown flaw in Windows systems to infiltrate targets, according to a research report released on Tuesday.
Dubbed "Sandworm" by iSIGHT Partners, the security consultancy that discovered the zero-day attack, the campaign is suspected to be Russian in origin based on technical details, the malware tools used, and the chosen targets, which also included government agencies in Europe and academics in the United States. If confirmed, the attack is an uncommon look into Russia's cyber-espionage capabilities.
"We can confirm that NATO was hit; we know from several sources that multiple organizations in the Ukraine were targeted," said John Hultquist, senior manager of cyber-espionage threat intelligence for iSIGHT. "We have seen them using Ukrainian infrastructure as part of their attacks."
Popular online locker service Dropbox appears to have been hacked. A series of posts have been made to Pastebin purporting to contain login credentials for hundreds of Dropbox accounts, with the poster claiming that altogether 6,937,081 account credentials have been compromised.
Reddit users who have tested some of the leaked credentials have confirmed that at least some of them work. Dropbox seems to have bulk reset all the accounts listed in the Pastebin postings, though thus far other accounts do not appear to have had their passwords reset.
The hackers claim that they will release more username/password pairs if they receive donations to their bitcoin address.
JPMorgan to double infosec spending to $570m after hack
US investment bank JPMorgan will double its spending in cyber security following a data breach which affected approximately 84 million account holders. Speaking at the Institute of International Finance conference in Washington late on Friday, JPMorgan ...
Whitelisting has its place in your company's antimalware arsenal
After some false starts, I found answers at the InfoSec Institute website, in particular, Top 10 Common Misconceptions About Application Whitelisting. This paper was written by John Fox, a 20-year veteran in software development and director of ...
Posters to 4Chan’s /b/ forum continue to pore over the contents of thousands of images taken by users of the Snapchat messaging service that were recently leaked from a third-party website. Meanwhile, the developer behind that site, SnapSaved.com, used a Facebook post to say it was hacked because of a misconfigured Apache server. The statement also gets into the extent of the breach, while playing down reports that personal information from the users involved was also taken.
“I sincerely apologize on behalf of SnapSaved.com,” the developer’s spokesperson wrote. “We did not wish to cause Snapchat or their users harm, we only wished to provide a unique service.”
SnapSaved’s developer said there was no substance to claims by some 4Chan posters that a searchable database of the images stolen from the service’s server was being developed. “The recent rumors about the snappening are a hoax,” the developer wrote. “The hacker does not have sufficient information to live up to his claims of creating a searchable database.” The developer also said that the service actively “tried to cleanse the database of inappropriate images as often as possible…SnapSaved has always tried to fight child pornography, [and] we have even gone as far as reporting some of our users to the Swedish and Norwegian authorities.”
by Robert Lemos
The U.S. National Security Agency has worked with companies to weaken encryption products at the same time it infiltrated firms to gain access to sensitive systems, according to a purportedly leaked classified document outlined in an article on The Intercept.
The document, allegedly leaked by former NSA contractor Edward Snowden, appears to be a highly classified summary intended for a very small group of vetted national security officials according to details included in The Intercept article, which was published this weekend. The document outlines six programs at the core of the NSA's mission, collected under the name Sentry Eagle.
The Intercept claims the document states "The facts contained in [the Sentry Eagle] program constitute a combination of the greatest number of highly sensitive facts related to NSA/CSS’s overall cryptologic mission."
[This is a guest diary published on behalf of Chris Sanders]
Hunting for evil in network traffic depends on the analyst's ability to locate patterns and variances in oceans of data. This can be an overwhelming task and relies on fundamental knowledge of what is considered normal on your network as well as your experience-based intuition. These dark waters are navigated by finding glimmers of light and following them where they lead you by carefully investigating all of the data sources and intelligence in your reach. While hunting the adversary in this manner can yield treasure, following some of these distant lights can also land you on the rocks.
One scenario that often puts analysts in murky waters occurs when they chase patterns of network traffic occurring over clearly visible intervals. This periodic activity often gets associated with beaconing, where analysts perceive the timing of the communication to mean that it may be the result of malicious code installed on a friendly system.
As an example, consider the flow records shown here:
Figure 1
If you look at the timestamps for each of these records, you will see that each communication sequence occurs almost exactly one minute from the previous. Along with this, the other characteristics of the communication appear to be similar. A consistent amount of data is being transferred from an internal host 172.16.16.137 to an external host 126.96.36.199 each time.
So, what's going on here? Less experienced analysts might jump to the conclusion that the friendly device is compromised and that it is beaconing back out to some sort of attacker-controlled command and control infrastructure. In reality, it doesn't.
Figure 2
As analysts, we are taught to identify patterns and home in on those as potential signs of compromise. While this isn't an entirely faulty concept, it should also be used with discretion. With dynamic content so prevalent on the modern Internet, it is incredibly common to encounter scenarios where devices communicate periodically. This includes platforms such as web-based e-mail clients, social networking websites, chat clients, and more.
Ultimately, all network traffic is good unless you can prove it's bad. If you do need to dig in further in scenarios like this, try to make the best use of your time by looking for information you can use to immediately eliminate the potential that the traffic is malicious. This might include some basic research about the potentially hostile host, as we did here, immediately pivoting to full PCAP data to view the content of the traffic when possible, or simply examining the friendly host to determine which process is responsible for the connection(s). The ability to be selective about what you choose to investigate and to quickly eliminate likely false positives is the sign of a mature analyst. The next time you are hunting through data looking for evil, be wary when your eyes are drawn towards beaconing.
Blogs: http://www.chrissanders.org
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
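The "looks like a beacon" judgement the diary describes can be made explicit: the regularity of inter-flow intervals and of byte counts is what draws the eye, and it is exactly what a web-mail or chat client's polling also produces. The following is an added example, not code from the diary or from SANS; the flow records are constructed, reusing the diary's internal and external addresses, and the score deliberately reports regularity only, leaving the verdict to host research and process attribution.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out).
# First group mimics Figure 1: one flow per minute, near-constant size.
# Second group is ordinary browsing from the same host: irregular.
FLOWS = [
    ("2014-10-14 09:00:02", "172.16.16.137", "126.96.36.199", 443, 1180),
    ("2014-10-14 09:01:02", "172.16.16.137", "126.96.36.199", 443, 1184),
    ("2014-10-14 09:02:03", "172.16.16.137", "126.96.36.199", 443, 1180),
    ("2014-10-14 09:03:02", "172.16.16.137", "126.96.36.199", 443, 1182),
    ("2014-10-14 09:04:02", "172.16.16.137", "126.96.36.199", 443, 1180),
    ("2014-10-14 09:00:40", "172.16.16.137", "203.0.113.10", 80, 52000),
    ("2014-10-14 09:02:55", "172.16.16.137", "203.0.113.10", 80, 900),
    ("2014-10-14 09:03:10", "172.16.16.137", "203.0.113.10", 80, 17300),
    ("2014-10-14 09:04:30", "172.16.16.137", "203.0.113.10", 80, 4100),
]

def periodicity_scores(flows, min_flows=4):
    """Return {(src, dst, port): (mean_gap_s, gap_cv, size_cv)}.

    CV is the coefficient of variation (stdev / mean). Low CV for both
    the gaps and the sizes is what makes traffic look periodic; it says
    nothing about intent, which is the diary's point.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_pair[(src, dst, port)].append((t, nbytes))
    scores = {}
    for key, recs in by_pair.items():
        if len(recs) < min_flows:          # too few flows to judge regularity
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        scores[key] = (mean(gaps), pstdev(gaps) / mean(gaps),
                       pstdev(sizes) / mean(sizes))
    return scores

def periodic_candidates(flows, max_cv=0.1):
    """Pairs regular in both timing and size: a triage queue, not a verdict."""
    return sorted(k for k, (_, gcv, scv) in periodicity_scores(flows).items()
                  if gcv <= max_cv and scv <= max_cv)

if __name__ == "__main__":
    for key, (gap, gcv, scv) in periodicity_scores(FLOWS).items():
        print(key, f"mean gap {gap:.1f}s  gap CV {gcv:.3f}  size CV {scv:.3f}")
    print("candidates to research (host reputation, owning process):",
          periodic_candidates(FLOWS))
```

The candidate list is where the diary's advice applies next: look up the external host, pivot to PCAP, or find the process on 172.16.16.137 that owns the connection before calling it a beacon.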
Leading Enterprise Organizations Have Established a Dedicated Network Security
As part of its data analysis, ESG builds a scoring system it uses to segment enterprise organizations into three groups (based upon their infosec skills, resources, and practices): Advanced organizations (approximately 20% of the total survey ...