ChannelLife NZ

Photo gallery: NZ infosec industry shines at iSanz awards
New Zealand's information security community turned out in force last week for the inaugural iSanz Awards honouring people and organisations who have set new standards for making the online space a safer and more secure place. And from dozens of ...
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


The next time a friend or family member asks you to install a gift-registry app, remember this: the app is almost certainly soaking up lots of your personal details. In the case of one such app from retailing giant Target, it's more than happy to make those details public. Witness the following:


According to researchers from security firm Avast, the database storing the names, e-mail addresses, home addresses, phone numbers, and wish lists of Target customers is available to anyone who figures out the app's publicly available programming interface. In a blog post published Tuesday, they wrote:

If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and e-mail addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!

To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

The JSON file we requested from Target’s API contained interesting data, like users’ names, e-mail addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. We did not store any personal information, but we did aggregate data from 5,000 inputs, enough for statistical analysis.

Officials for Target weren't immediately available for comment. This post will be updated if they respond later.
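The weakness the Avast researchers describe is a textbook insecure direct object reference: an endpoint that takes a predictable user ID, asks for no credential, and returns the whole record. The block below is an added illustration (not Target's API and not Avast's tooling) that models such an endpoint over constructed sample records beside a hardened version. The records, the token format (HMAC-tagged user id), the share-handle scheme and the list of "public" fields are all assumptions made for the demo.

```python
"""Unauthenticated, guessable-ID registry lookup (vulnerable) beside a hardened one.

Added illustration, not Target's API or Avast's tooling. The records are
constructed sample data; the token and share-handle formats are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed sample records. Sequential numeric IDs stand in for the
# "figure out how the user ID is generated" step in the Avast post.
_USERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid",
           "address": "1 Main St", "phone": "555-0100",
           "registry_type": "christmas", "items": ["suitcase"]},
    1002: {"name": "Bob Example", "email": "bob@example.invalid",
           "address": "2 Side St", "phone": "555-0101",
           "registry_type": "wedding", "items": ["toaster", "blender"]},
}


# ---- Vulnerable: no credential, guessable key, whole record returned ----------
def vulnerable_registry(user_id):
    """Returns the full record to any caller who can supply a valid user_id."""
    return _USERS.get(user_id)


def scrape(lookup, start, count):
    """Walk an ID range the way the researchers aggregated 5,000 records."""
    hits = []
    for uid in range(start, start + count):
        record = lookup(uid)
        if record is not None:
            hits.append(record)
    return hits


# ---- Hardened: token bound to the owner, data minimisation, opaque handles ----
_SERVER_KEY = secrets.token_bytes(32)                 # assumption: server-side only
_PUBLIC_FIELDS = ("name", "registry_type", "items")   # all a gift-giver needs
# Unguessable share handle per registry, used instead of the numeric user id.
_SHARE_HANDLES = {secrets.token_urlsafe(16): uid for uid in _USERS}


def issue_token(user_id):
    """'<user_id>.<hex HMAC>' issued after login; the tag binds token to subject."""
    tag = hmac.new(_SERVER_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def _subject_of(token):
    """Verified user id carried by the token, or None for a missing/forged token."""
    if not isinstance(token, str) or "." not in token:
        return None
    uid_str, tag = token.split(".", 1)
    expected = hmac.new(_SERVER_KEY, uid_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return int(uid_str)
    except ValueError:
        return None


def owner_registry(token, user_id):
    """Owner view: needs a valid token whose subject matches the requested id.

    'No token' and 'someone else's id' both yield None, so the endpoint is not
    an oracle for which ids exist.
    """
    if _subject_of(token) != user_id:
        return None
    return _USERS.get(user_id)


def share_handle_for(user_id):
    """The opaque handle a user hands to friends and family."""
    return next(h for h, uid in _SHARE_HANDLES.items() if uid == user_id)


def shared_registry(handle):
    """Gift-giver view: reachable only via the handle, and only the public fields."""
    uid = _SHARE_HANDLES.get(handle)
    if uid is None:
        return None
    return {k: _USERS[uid][k] for k in _PUBLIC_FIELDS}


def hardened_registry(user_id):
    """What the enumeration script sees against the hardened endpoint: nothing."""
    return owner_registry("", user_id)
```

Running `scrape(vulnerable_registry, 1000, 10)` recovers both records, e-mail addresses and all; the same walk through `hardened_registry` returns an empty list, and even a legitimate owner token for 1001 cannot read 1002. The point of the share handle is that the one thing a registry must support, a third party looking it up, is served through an unguessable identifier and a minimised field set rather than through the account's numeric id.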



And now for something completely different. Subtitle: Captain Obvious Applies Chaos Theory


This diary breaks a bit from our expected norms to discuss managing the possible outcomes that originate from a data breach and the resulting organization-wide SDL and security response process.

I'll incorporate chaos theory, specifically the butterfly effect, to illustrate methods security managers can use to reduce the likelihood of chaotic outcomes and increase that of orderly, successful ones.

Our imaginary company discussed herein is Pathos, an international mental health-oriented software-as-a-service (SaaS) provider. :-)

The scenario begins with a data breach suffered by Pathos.

Limited Secure Development Lifecycle (SDL) practices have been utilized at Pathos, and the service has just fallen victim to a damaging compromise. As such, management has introduced a set of new initiatives, among them additional SDL-related requirements and, as the third item on its list:

3) Implement a security incident management (IM) program to better respond when breaches occur.

When introducing new programs of this nature, particularly reactively rather than as proactive steps, whether the outcomes are chaotic or orderly depends entirely on the decisions made and actions taken by Pathos leadership.

Should Pathos management fail to provide clear and defined leadership as they introduce these new initiatives, and fail to plan for possible responses from the affected teams, the resulting chaos could have a lasting and profound organizational impact. Let's explore some guidelines for avoiding that chaos.

Chaos theory and the Butterfly Effect

Chaos theory treats organizations and businesses as complex, dynamic entities whose future performance cannot be determined simply by measuring past and present events and actions.

In a state of chaos, organizations behave in ways which are simultaneously both unpredictable (chaotic) and patterned (orderly). (i)

This premise can be further refined with an understanding of the butterfly effect. Associated with Edward Lorenz, it was first used to describe the chaotic nature of weather, which Lorenz studied with a simplified, deterministic nonlinear model of atmospheric convection rather than a statistical one. (ii)

More succinctly, the Butterfly Effect indicates that the slightest change in initial conditions can lead to extraordinarily different outcomes over time. Lorenz aptly entitled his 1972 talk on this phenomenon "Predictability: Does the Flap of a Butterfly's Wings in Brazil Set Off a Tornado in Texas?"

The statement "the slightest change in initial conditions can lead to extraordinarily different outcomes over time" is the basis of what we're exploring here.

The initiatives and possible outcomes

Consider that complex environments, such as our imaginary company Pathos (a dynamic environment with numerous interrelated teams), tend to encounter bifurcations, points of branching or forking into qualitatively new types of behavior. (iii) When amplified, these bifurcations can lead either to order or to chaos. (iv) Thus, as Pathos introduces additional SDL-related requirements and a security incident management program after a data breach in their complex environment, there will likely be issues over time. Seemingly minor variations in Pathos management's approach can result in a bifurcation, leading the organization in a potentially less-than-desirable direction.

As Pathos introduces these new initiatives there are two possible outcomes that depend directly on how Pathos management approaches the process.

The first possible outcome (chaotic) results from a lack of communication, transparency, and planning on Pathos management's part, and leads to organizational disarray, continued insecure code and applications, reduced productivity, delayed releases, and ultimately a loss of revenue. The security incident management program is not well implemented or supported, largely a paper tiger, and individual teams conduct response activities in silos without a unifying approach.

The second possible outcome (orderly), preceded by careful and thoughtful management planning coupled with a phased approach, leads to a much more linear, predictable response from the Pathos development and operations teams, and in turn to improved code and application quality, increased revenue, and unified incident management.

The prospect of chaos or disorder can be controlled by reducing the number of responses available to the involved parties concerning the proposed initiatives. Managing outcomes through well-developed initiatives with clear implementation plans makes adoption of the Pathos SDL and IM initiatives far more likely to succeed.

Chaotic outcome

In this scenario a quick, reactive decision by leadership to implement the SDL and IM policies included no prior discussion with Pathos development and operations staff, and no awareness campaign took place. The initiatives were simply implemented and immediately enforced by the staging and production deployment engineers as well as the security operations analysts. The development teams were caught completely unaware when attempting to release their next scheduled efforts to staging and production. The forensics and PR teams, still dealing with the initial breach, were not consulted regarding the incident management plan. The net result is a complete productivity freeze in which all schedules and plans, as well as all future release dates, require new, delayed timelines to allow for adherence to the new SDL. Additionally, what should have become a unified incident management program becomes a number of redundant processes, resulting in varied findings and a disjointed message in the press.

This lack of planning on Pathos management's part carries a number of consequences, the last of which is:

4. Further reduced application security, counter to the policy's intent.

Two things matter here: 1) the initial conditions that management's approach creates, and 2) the direct effect those initial conditions have on randomness in outcomes over time.

Remember that the Butterfly Effect indicates that the slightest change in initial conditions can lead to extraordinarily different outcomes over time, a characteristic of chaos as defined by Lorenz.

As a quick precursor, keep in mind that the Lorenz Butterfly Java applet used to generate the visualizations (Figures 1 and 2) relies on the fact that a mathematical function is a relation that uniquely associates members of one set with members of another set (v), and that the derivative of a function represents an infinitesimal change in the function with respect to one of its variables. (vi)

Simplifying this precursor to relate specifically back to Pathos management decisions, we can arbitrarily define possible development team responses to the SDL policy as variable X.

X=5 represents the possible development team responses given Pathos management's lack of planning as described under Chaotic outcome. Again, without a reasoned, gradual, accommodating approach to the introduction of the SDL policy, Pathos management creates a number of possible responses from the development teams (see Figure 1).

On the other hand, X=1 will represent the development team responses given the management policy implementation decision described in the orderly outcome above. Specifically, 1 is appropriate because, given an orderly, transparent, and organized management approach to implementing the SDL policy, the development teams are most likely to simply comply, resulting in little variation over time. We can assume that a well-conceived and planned approach to SDL policy implementation by Pathos management limits the possible responses from Pathos development teams to one of acceptance and understanding (X=1), resulting in one outcome (see Figure 2).

In Figure 1, using the Lorenz Model applet mentioned above, I first visualized X as 5. For each of the 5 mouse clicks (executed in as nearly the same position as possible, to represent nearly identical initial conditions) we see all particles following each other very closely for a while, but as time goes on the small difference between the paths of the particles increases until they are following completely unrelated paths. (vii)

Figure 1

Figure 2

In Figure 1, with more initial conditions representing more possible responses from the development or operations teams, the various unrelated outcomes soon became clearly evident. Simply put, increased variation in initial conditions leads to a propensity for chaos.

In Figure 2, with a single input (a single possible response from the development teams), there was no variation over time at all. This illustrates that reducing the number of initial conditions prevents chaotic outcomes.
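The divergence the applet shows in Figures 1 and 2 can be reproduced numerically without the applet. The block below is an added example of mine, not the Java applet the diary used (vii): it integrates Lorenz's equations (ii) with a fourth-order Runge-Kutta step, lets one point settle onto the attractor, then releases N particles whose starting x-coordinates differ by a tiny eps and tracks their largest pairwise separation. The parameters sigma=10, rho=28, beta=8/3 are Lorenz's classic values; the step size, perturbation size and run length are choices made for the demo.

```python
"""Sensitive dependence on initial conditions in the Lorenz system.

Added example, not the Java applet the diary used: N particles start a tiny
distance apart and their largest pairwise separation is tracked over time.
"""
import math

# Lorenz's classic parameter values; dt, eps and steps below are demo choices.
SIGMA, RHO, BETA = 10.0, 28.0, 8.0 / 3.0


def lorenz(state):
    """Right-hand side of the Lorenz equations: (dx/dt, dy/dt, dz/dt)."""
    x, y, z = state
    return (SIGMA * (y - x), x * (RHO - z) - y, x * y - BETA * z)


def rk4_step(state, dt):
    """One fourth-order Runge-Kutta step of size dt."""
    k1 = lorenz(state)
    k2 = lorenz(tuple(s + 0.5 * dt * k for s, k in zip(state, k1)))
    k3 = lorenz(tuple(s + 0.5 * dt * k for s, k in zip(state, k2)))
    k4 = lorenz(tuple(s + dt * k for s, k in zip(state, k3)))
    return tuple(s + dt / 6.0 * (a + 2 * b + 2 * c + d)
                 for s, a, b, c, d in zip(state, k1, k2, k3, k4))


def spread(particles):
    """Largest pairwise distance among the particles; 0.0 for a single particle."""
    best = 0.0
    for i in range(len(particles)):
        for j in range(i + 1, len(particles)):
            best = max(best, math.dist(particles[i], particles[j]))
    return best


def simulate(n_particles, eps=1e-7, dt=0.01, steps=4000, checkpoint=100, burn_in=1000):
    """Release n_particles with x-offsets 0, eps, 2*eps, ... on the attractor.

    Returns (spread after `checkpoint` steps, largest spread seen, final spread).
    The burn-in integrates a single point first so the particles start on the
    attractor rather than in the transient near the origin.
    """
    seed = (1.0, 1.0, 1.0)
    for _ in range(burn_in):
        seed = rk4_step(seed, dt)
    particles = [(seed[0] + k * eps, seed[1], seed[2]) for k in range(n_particles)]
    early = max_spread = 0.0
    for step in range(1, steps + 1):
        particles = [rk4_step(p, dt) for p in particles]
        current = spread(particles)
        max_spread = max(max_spread, current)
        if step == checkpoint:
            early = current
    return early, max_spread, spread(particles)


if __name__ == "__main__":
    # Figure 1 analogue: X=5 nearly identical starts; Figure 2 analogue: X=1.
    for n in (5, 1):
        early, peak, final = simulate(n)
        print(f"{n} particle(s): spread after 1 time unit {early:.2e}, "
              f"peak {peak:.1f}, final {final:.1f}")
```

With five particles the separation is still microscopic after one time unit and then grows until the particles are scattered across the attractor, which is the Figure 1 behaviour; with one particle there is nothing to diverge from and the spread stays at zero, which is Figure 2. The management analogy holds only loosely: the code shows that the number and closeness of starting conditions, not their average, decides whether outcomes stay predictable.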

Contemplate initial conditions in the context of management decisions to better control outcomes and you have clear visual evidence of why strong leadership under these circumstances matters so much for stronger information security.


It is reasonable to assume that organizations, and their leadership, would always prefer orderly outcomes as a result of their prescribed changes. Taking the additional time to plan policy and program implementation, including staff in discussions and planning, utilizing a phased awareness campaign, and allowing a clearly defined roadmap prior to implementation, will lead to successful, less chaotic outcomes.

Allowing development and operations teams to adjust their release schedules to accommodate newly required checkpoints, helps ensure that they are more likely to comply with the initiatives and achieve the intended goals.

Security management transparency and candor allow teams the opportunity to embrace new approaches and thus reduce chaos. Ultimately, the transparent approach to security management allows for more successful outcomes regardless of the initiative and scenario.

"Transparency is another critical attribute of management 2.0. If trust is the bedrock of competitive advantage, and I think it is, then transparency is the foundation for building trust." (viii)

@holisticinfosec


(i) http://www.stile.coventry.ac.uk/cbs/staff/beech/BOTM/Glossary.htm

(ii) Lorenz, E. N. (1963). Deterministic Nonperiodic Flow. J. Atmos. Sci. 20, 130-141.

(iii) Barrow, J.D. (1988). The world within the world. Oxford: Clarendon Press.

(iv) Briggs, J., Peat, F.D. (1989). Turbulent mirror: An illustrated guide to chaos theory and the science of wholeness. New York: Harper & Row.

(v) http://mathworld.wolfram.com/Function.html


(vii) http://www.exploratorium.edu/complexity/java/lorenz.html

(viii) Gary Hamel, 2010 HCL Global Meet, Management 2.0 presentation

LibreOffice Multiple Remote Code Execution and Information Disclosure Vulnerabilities
Cisco IOS XE Software CVE-2015-6359 Denial of Service Vulnerability
Adobe Flash Player CVE-2015-7645 Remote Code Execution Vulnerability
Adobe Flash Player CVE-2015-7648 Unspecified Remote Code Execution Vulnerability
[SECURITY] [DSA 3419-1] cups-filters security update
Microsoft Windows CVE-2015-6128 DLL Loading Remote Code Execution Vulnerability
Back to 28: Grub2 Authentication Bypass 0-Day [CVE-2015-8370]
[SECURITY] [DSA 3418-1] chromium-browser security update
[security bulletin] HPSBST03517 rev.1 - HP StoreOnce Backup systems, Remote Execution of Arbitrary Code with Privilege Elevation, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)


UK police said they have arrested a 21-year-old man in connection with the November breach of electronic toymaker VTech, a hack that exposed personal data of almost 12 million people, including gigabytes' worth of headshot photos and chat logs for millions of kids and parents.

The unnamed man was arrested in Bracknell, about 30 miles west of London, it was widely reported Tuesday by news outlets citing a statement released by police. He was detained on suspicion of two offenses under the Computer Misuse Act, including unauthorized access to a computer and causing a computer to enable unauthorized access to data. Police also seized electronic devices during the arrest. No more details were provided.

The breach ultimately exposed data for 11.6 million people, 6.4 million of whom were minors. Personal information for children included their names, gender and birthdates, while details for parents included mailing and e-mail addresses, security questions used for password resets, IP addresses, password data, and download histories. The trove also included headshots and logs of chats between parents and their children. The information was stored in a database for VTech's Learning Lodge app store, which is used by the company's electronic toys. Almost half the compromised accounts belonged to people in North America, VTech’s top market.


phpback v1.1 XSS vulnerability


As politicians and counter-terrorism officials search for lessons from the recent attacks in Paris and San Bernardino, California, senior officials have called for limits on technology that sends encrypted messages.

It's a debate that has recurred repeatedly for more than a decade. In the 1990s, the Clinton Administration pushed for key escrow, under which technology companies would store copies of their encryption keys with the government. That would have given the government a "backdoor" to allow law enforcement and intelligence agencies easy access to encrypted communications. The idea was dropped after sharp criticism from technologists and civil liberties advocates.

More recently, intelligence officials in Europe and the United States have asserted that encryption hampers their ability to detect plots and trace perpetrators. But many have questioned whether it would be practical or wise to allow governments widespread power to read encrypted messages.



Security researcher Chris Vickery has found and reported a massive security issue on the Web servers of MacKeeper, a piece of software often regarded as scareware. According to Krebs on Security, the databases of Kromtech, the company behind MacKeeper, were open to external connections and required no authentication whatsoever. The names, passwords, and other information of around 13 million users may have been exposed.

Kromtech has admitted the breach and put a statement on its website saying that "analysis of our data storage system shows only one individual gained access performed by the security researcher himself." It also states that customers' credit card details have never been at risk as they're processed by a third-party merchant.

"The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer's web admin account where they can manage subscriptions, support, and product licenses," Kromtech explained.

