BuzzSec

The Sea Hunting Autonomous Reconnaissance Drone (SHARD) swims like a squid and can explode on command. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here . from Schneier on Security https://www.schneier.com/blog/archives/2019/11/friday_squid_bl_705.html

Interesting research: " TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents ": Abstract: : Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time. In this work, we show that these training-time vulnerabilities extend to deep reinforcement learning (DRL) agents and can be exploited by an adversary with access to the training process. In particular, we focus on Trojan attacks that augment the function of reinforcement learning policies with hidden behaviors. We demonstrate that such attacks can be implemented through minuscule data poisoning (as little as 0.025% of the training data) and in-band reward modification that does not affect the reward on normal inputs. The policies learned with our proposed attack approach perform imperceptibly similar to benign policies but deteriorate drastically when the Trojan is triggered in both targeted and untargeted settings. Furth

When shopping online during the holiday season—or any time of year—always be wary of deals that seem too good to be true, and do your part to avoid becoming a scammer’s next victim. from Cyber Crimes Stories https://www.fbi.gov/news/stories/avoid-holiday-shopping-scams-112719

The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it. The devil is in the details, of course, but this is a welcome development. The DHS is seeking public feedback . from Schneier on Security https://www.schneier.com/blog/archives/2019/11/dhs_mandates_fe.html

Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain. Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application. “I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. “The only thing that was real was the mayor’s name.” The email from this source

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxi/93

Brian King // Recon-ng had a major update in June 2019, from 4.9.6 to 5.0.0. This post is meant to help with the adjustment by providing a cheat sheet for common commands and mapping of some old syntax to the new syntax. If you’re at all like me, you’ll assume that what you know from […] The post What’s Changed in Recon-ng 5.x appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/whats-changed-in-recon-ng-5x/

It wasn’t so long ago that large manufacturers had relatively little to worry about as far as cybersecurity was concerned. After all, their primary resources were huge industrial machines, which typically weren’t “smart” enough to connect to anything more complicated than a power grid. Oh, how things have changed … These days, manufacturing organizations have some of the most complex network environments around. The industrial IoT/OT revolution has enabled huge efficiency gains and new business models galore — but it has also created hundreds (even thousands) of new entry points for cybercriminals. Let’s take a closer look at cyber threats facing the manufacturing industry, and how organizations with complex IoT/OT environments can use threat intelligence to secure against cyber threats . The $10 Million Per Year Problem Verizon’s 2019 Data Breach Investigations Report (DBIR) identifies privilege misuse as the top threat vector for manufacturers, with most cases following a succe

On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the midwest and eastern United States. An advertisement on the cybercrime store Joker’s Stash for a new batch of ~4 million credit/debit cards stolen from four different restaurant chains across the midwest and eastern United States. Two financial industry sources who track payment card fraud and asked to remain anonymous for this story said the four million cards were taken in breaches recently disclosed by restaurant chains Krystal , Moe’s , McAlister’s Deli and Schlotzsky’s . Krystal announced a card breach last month. The other three restaurants are all part of the same parent company and disclosed breaches in August 2019. K

Recording available. This webinar will give you a good starting point at understanding the new areas of focus and how to navigate the first 49 pages of expectations. from SBS CyberSecurity https://sbscyber.com/resources/gsb-webinar-new-ffiec-business-continuity-guidance

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxi/92

Tiny hidden spy cameras are a common sight at ATMs that have been tampered with by crooks who specialize in retrofitting the machines with card skimmers. But until this past week I’d never heard of hidden cameras being used at gas pumps in tandem with Bluetooth-based card skimming devices. Apparently, I’m not alone. “I believe this is the first time I’ve seen a camera on a gas pump with a Bluetooth card skimmer,” said Detective Matt Jogodka of the Las Vegas Police Department, referring to the compromised fuel pump pictured below. The fake panel (horizontal) above the “This Sale” display obscures a tiny hidden camera angled toward the gas pump’s PIN pad. It may be difficult to tell from the angle of the photograph above, but the horizontal bar across the top of the machine (just above the “This Sale $” indicator) contains a hidden pinhole camera angled so as to record debit card users entering their PIN. Here’s a look at the fake panel removed from the compromised pump: A fron

If you are of a certain age — an age where you may have spent a good bit of your time online using Myspace — you may recall an incident with the Samy worm , which in 2005 spread through Myspace so quickly and uncontrollably that they had to temporarily shut the service down to regain control. It was, by all accounts, a prank that got out of hand, but the authorities were not amused, and Samy Kamkar , who wrote the worm, was eventually sentenced to probation, community service, and a hefty fine. Since then, Samy Kamkar has set his sights on security research, with a specific focus on open source software. We caught up with Samy at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C., where he was delivering one of the keynote presentations. This podcast was produced in partnership with the CyberWire . The post From Infamous Myspace Wormer to Open Source Advocate appeared first on Recorded Future . from Recorded Future https://www.recordedfuture.com/podcast-episod

A ransomware outbreak has besieged a Wisconsin based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States. The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients. Milwaukee, Wisc. based Virtual Care Provider Inc. (VCPI) provides IT consulting, Internet access, data storage and security services to some 110 nursing homes and acute-care facilities in 45 states. All told, VCPI is responsible for maintaining approximately 80,000 computers and servers that assist those facilities. At around 1:30 a.m. CT on Nov. 17, unknown attackers launched a ransomware strain known as Ryuk inside VCPI’s networks, encrypting all data the company hosts for its clients and demanding a whopping $14 million ransom in exchang

"Squid Pro Quo" T-shirt . As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here . from Schneier on Security https://www.schneier.com/blog/archives/2019/11/friday_squid_bl_704.html

The NSA has released a security advisory warning of the dangers of TLS inspection: Transport Layer Security Inspection (TLSI), also known as TLS break and inspect, is a security process that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network. Introducing this capability into an enterprise enhances visibility within boundary security products, but introduces new risks. These risks, while not inconsequential, do have mitigations. [...] The primary risk involved with TLSI's embedded CA is the potential abuse of the CA to issue unauthorized certificates trusted by the TLS clients. Abuse of a trusted CA can allow an adversary to sign malicious code to bypass host IDS/IPSs or to deploy malicious services that impersonate legitimate enterprise services to the hosts. [...] A further risk of introducing TLSI is that an adversary can focus their exploitation efforts on a single device

As an attacker, I frequently leverage LSASecrets to escalate privileges within the context of an ongoing compromise. Generally, the attack path is something like this: Gain Initial Foothold > Escalate to Limited User > Dump LSASecrets on Systems Where Credentials are Administrator A pretty slick way to identify targets to dump LSASecrets on is to query Active Directory for systems where Service Principal Names (SPNs) are set. There are many ways to do this, but I like LDAPPER , or if I have Bloodhound data, that can be used as well. LDAPPER Query for SPNs BloodHound Query for SPNs You are looking for instances where systems you have Administrator access to are also systems with an SPN set. This is because on those types of systems, it is likely that the account set up as a service is also running as a service, which means the credentials are stored in the registry (LSASecrets) and available in plaintext. There are several methods for extracting these, and while I will n

Editor’s Note : Over the next few weeks, we’ll be sharing excerpts from the newly released second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at the first chapter, “What Is Threat Intelligence?” To read the full chapter, download your free copy of the handbook. You may have heard threat intelligence discussed at a conference or trade show. Perhaps you were informed by a consultant that threat intelligence provides external context for security decisions. Maybe you read a report about state-sponsored attacks and want to know how to protect your business. You have probably noticed that in many organizations, from multinational enterprises to midmarket companies, information security teams are racing to add threat intel­ligence to their security programs . However, you may also have heard some misconceptions: that threat intelligence is just data feeds and PDF reports, is simply a research service

Long article on the manipulation of GPS in Shanghai. It seems not to be some Chinese military program, but ships who are stealing sand. The Shanghai "crop circles," which somehow spoof each vessel to a different false location, are something new. "I'm still puzzled by this," says Humphreys. "I can't get it to work out in the math. It's an interesting mystery." It's also a mystery that raises the possibility of potentially deadly accidents. "Captains and pilots have become very dependent on GPS, because it has been historically very reliable," says Humphreys. "If it claims to be working, they rely on it and don't double-check it all that much." On June 5 this year, the Run 5678 , a river cargo ship, tried to overtake a smaller craft on the Huangpu, about five miles south of the Bund. The Run avoided the small ship but plowed right into the New Glory (Chinese name: Tong Yang Jingrui), a freighter heading north.

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxi/91

Major Booklet Restructuring As you may have already seen, the FFIEC pushed out a press release informing the public of the new Business Continuity Management (BCM) Booklet on November 14, 2019. Major updates to FFIEC booklets usually lead to many questions regarding what was changed, potential new requirements, or even if your current Business Continuity Plan has fallen out of compliance from the new release. Don’t worry – we’ve got you covered. We’ll dig into all of the important changes to the FFIEC Business Continuity Management Booklet and answer your burning questions.   Digging into the Changes At first glance, you might notice that the booklet looks very different. From the table of contents to the appendices, the Business Continuity Management (BCM) Booklet has undergone a pretty significant restructuring. While the change can be overwhelming, upon closer inspection, you will notice the original foundation and requirements for creating a Business Continuity Plan are still there

As your ecosystem of third parties, contractors, and partners grows in size and complexity, you’ve likely embraced new ways to manage third-party risk. Many organizations have adopted governance, risk, and compliance (GRC) technology to consolidate risk information from internal and external sources and better understand their third-party risk landscape. However, even with these tools in place, it can be difficult to maintain the relevant, real-time data required to feed these systems. We’ve expanded our integration portfolio with ServiceNow to bridge this gap and help expedite security and risk teams’ decision-making processes. This enhanced integration, available now in the ServiceNow App Store , provides security teams with a true measure of risk by delivering context in real time so intelligence stays relevant and integrates seamlessly with ServiceNow. In this blog, we’ll take a look at three important use cases supported by Recorded Future’s ServiceNow Third-Party Risk Managem

A 21-year-old Illinois man was sentenced last week to 13 months in prison for running multiple DDoS-for-hire services that launched millions of attacks over several years. This individual’s sentencing comes more than five years after KrebsOnSecurity interviewed both the defendant and his father and urged the latter to take a more active interest in his son’s online activities. A screenshot of databooter[.]com, circa 2017. Image: Cisco Talos. The jail time was handed down to Sergiy P. Usatyuk of Orland Park, Ill., who pleaded guilty in February to one count of conspiracy to cause damage to Internet-connected computers and owning, administering and supporting illegal “booter” or “stresser” services designed to knock Web sites offline, including exostress[.]in , quezstresser[.]com , betabooter[.]com , databooter[.]com , instabooter[.]com , polystress[.]com and zstress[.]net . According to the U.S. Justice Department, in just the first 13 months of the 27-month long conspiracy, Usa