Posts

Showing posts from January, 2020

Schneier - Friday Squid Blogging: The Pterosaur Ate Squid

New research : " Pterosaurs ate soft-bodied cephalopods (Coleiodea) ." News article . As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here . from Schneier on Security https://www.schneier.com/blog/archives/2020/01/friday_squid_bl_714.html

Krebs - Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

Image
On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below). The courthouse in Dallas County, Iowa. Image: Wikipedia. Gary DeMercurio , 43 of Seattle, and  Justin Wynn , 29 of Naples, Fla., are both professional penetration testers employed by Coalfire Labs , a security firm based in Westminster, Colo. Iowa’s State Court Administration had hired the company to test the security of its judicial buildings. Under the terms of their contract  (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide fals...

SANS - Issue #9 - Volume XXII - SANS Newsbites - January 31st, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/9

Schneier - NSA Security Awareness Posters

Image
From a FOIA request, over a hundred old NSA security awareness posters . Here are the BBC's favorites . Here are Motherboard's favorites . I have a related personal story. Back in 1993, during the first Crypto Wars, I and a handful of other academic cryptographers visited the NSA for some meeting or another. These sorts of security awareness posters were everywhere, but there was one I especially liked -- and I asked for a copy. I have no idea who, but someone at the NSA mailed it to me. It's currently framed and on my wall. I'll bet that the NSA didn't get permission from Jay Ward Productions. Tell me your favorite in the comments. from Schneier on Security https://www.schneier.com/blog/archives/2020/01/nsa_security_aw.html

Schneier - U.S. Department of Interior Grounding All Drones

The Department of Interior is grounding all non-emergency drones due to security concerns: The order comes amid a spate of warnings and bans at multiple government agencies, including the Department of Defense, about possible vulnerabilities in Chinese-made drone systems that could be allowing Beijing to conduct espionage. The Army banned the use of Chinese-made DJI drones three years ago following warnings from the Navy about "highly vulnerable" drone systems. One memo drafted by the Navy & Marine Corps Small Tactical Unmanned Aircraft Systems Program Manager has warned "images, video and flight records could be uploaded to unsecured servers in other countries via live streaming." The Navy has also warned adversaries may view video and metadata from drone systems even though the air vehicle is encrypted. The Department of Homeland Security previously warned the private sector their data may be pilfered off if they use commercial drone systems made in ...

Schneier - Collating Hacked Data Sets

Two Harvard undergraduates completed a project where they went out on the Dark Web and found a bunch of stolen datasets. Then they correlated all the information , and then combined it with additional, publicly available information. No surprise: the result was much more detailed and personal. "What we were able to do is alarming because we can now find vulnerabilities in people's online presence very quickly," Metropolitansky said. "For instance, if I can aggregate all the leaked credentials associated with you in one place, then I can see the passwords and usernames that you use over and over again." Of the 96,000 passwords contained in the dataset the students used, only 26,000 were unique. "We also showed that a cyber criminal doesn't have to have a specific victim in mind. They can now search for victims who meet a certain set of criteria," Metropolitansky said. For example, in less than 10 seconds she produced a dataset with more than 1,...

Krebs - Sprint Exposed Customer Support Site to Web

Image
Fresh on the heels of a disclosure that Microsoft Corp.  leaked internal customer support data to the Internet, mobile provider Sprint has addressed a mix-up in which posts to a private customer support community were exposed to the Web. KrebsOnSecurity recently contacted Sprint to let the company know that an internal customer support forum called “Social Care” was being indexed by search engines, and that several months worth of postings about customer complaints and other issues were viewable without authentication to anyone with a Web browser. A redacted screen shot of one Sprint customer support thread exposed to the Web. A Sprint spokesperson responded that the forum was indeed intended to be a private section of its support community, but that an error caused the section to become public. “These conversations include minimal customer information and are used for frontline reps to escalate issues to managers,” said Lisa Belot , Sprint’s communications manager. A revie...

SBS CyberSecurity - Hacker Hour: What to Look For in Your Next IT Audit or IT Exam

Join SBS as we reflect back on the some of the most impactful and valuable audit findings of 2019, and discuss what you can be looking for in your next IT audit or exam. from SBS CyberSecurity https://sbscyber.com/resources/hacker-hour-what-to-look-for-in-your-next-it-audit-or-it-exam

Black Hills InfoSec - Dumping Firmware With the CH341a Programmer

Rick Wisser // Note: This blog will also be a lab for any of the upcoming Wild West Hackin’ Fest Conferences. During a recent engagement, I came across an issue. The issue I encountered was that the SPI chip I was trying to dump the firmware off of was a 1.8v chip. This would not […] The post Dumping Firmware With the CH341a Programmer appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/dumping-firmware-with-the-ch341a-programmer/

Recorded Future - Protecting the Hospitality Sector With Security Intelligence

The hospitality sector has always been a popular target for cyberattacks. For the past decade, hardly a month has gone by without a hotel, airline, or other hospitality breach to remember it by. In the last year alone, two huge breaches stand out — Marriott and British Airways — both of which were among the largest data breaches in history. In Marriott’s case, around 500 million guest records were compromised. The infected system — a legacy booking system belonging to the Starwood hotel chain, which was acquired by Marriott in 2016 — had been compromised for four years before it was finally detected in late 2018. When the dust settled, the breach had cost Marriott $28 million. That’s nothing compared to the British Airways breach, which also exposed around 500 million passenger records and saw the company fined an incredible $229 million . The Stats Behind Hospitality Threats Many industries have one or two “mega breaches” to point to, but few have quite such a history of cyberat...

Schneier - Customer Tracking at Ralphs Grocery Store

To comply with California's new data privacy law, companies that collect information on consumers and users are forced to be more transparent about it. Sometimes the results are creepy. Here's an article about Ralphs, a California supermarket chain owned by Kroger: ...the form proceeds to state that, as part of signing up for a rewards card, Ralphs "may collect" information such as "your level of education, type of employment, information about your health and information about insurance coverage you might carry." It says Ralphs may pry into "financial and payment information like your bank account, credit and debit card numbers, and your credit history." Wait, it gets even better. Ralphs says it's gathering "behavioral information" such as "your purchase and transaction histories" and "geolocation data," which could mean the specific Ralphs aisles you browse or could mean the places you go when not shopping ...

FBI - Sentence in BEC Scheme

A leader of a business email compromise ring that stole more than $120 million from two American companies is spending time behind bars. Learn how to protect yourself from this growing crime. from Cyber Crimes Stories https://www.fbi.gov/news/stories/ringleader-of-business-email-compromise-scheme-sentenced-012820

SANS - Issue #8 - Volume XXII - SANS Newsbites - January 28th, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/8

SBS CyberSecurity - {GSB Webinar} FDIC, OCC Release Joint Warning of Increased Cybersecurity Risk

Recording available. This webinar will break down the recent FDIC and OCC guidance warning financial institutions against the likelihood of increased cyberattack activity targeting US businesses, particularly the financial sector. from SBS CyberSecurity https://sbscyber.com/resources/gsb-webinar-fdic-occ-release-joint-warning-of-increased-cybersecurity-risk

Krebs - Wawa Breach May Have Compromised More Than 30 Million Payment Cards

Image
In late December 2019, fuel and convenience store chain Wawa Inc.  said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach. On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states. The fraud bazaar Joker’s Stash on Monday began selling some 30 million stolen payment card accounts that experts say have been tied back to a breach at Wawa in 2019. Two sources that work closely with financial institutions nationwide tell KrebsOnSecur...

SBS CyberSecurity - IT Strategic Planning: Meaningful Exercise or Check Mark on Compliance?

To ensure the IT Strategic Plan is valuable, executive management must take an active role in its development and maintenance. Whether or not your IT Strategic Plan acts as your north start or is done to simply check the box is up to you. from SBS CyberSecurity https://sbscyber.com/resources/it-strategic-planning-meaningful-exercise-or-check-mark-on-compliance

TrustedSec - SIGINT to Synthesis

Image
Not too long ago, I was at a hardware store and I came across some lights that I wanted to play with because I had a feeling they could be fun for Halloween and make for a decent blog post. Before I purchased the lights, I looked at their online manual and checked to see if they were compliant with Part 15 of the Federal Communications Commission (FCC) rules. This notice is an indication that the lights use radio frequencies to communicate rather than infrared signals. Since these lights use a simple remote and not a mobile application, it was a relatively safe bet that the signal would not use a complicated modulation. Figure 1 – Target Device Figure 2 – Manual Confirms Part 15 FCC Compliance Since the device is FCC-compliant, I popped open the package and looked at the back of the remote for its FCC ID. Figure 3 – FCC ID From Remote In the United States, whenever a device transmits radio frequencies, it has to undergo a series of tests before it can be sold, and the result...

Schneier - Google Receives Geofence Warrants

Sometimes it's hard to tell the corporate surveillance operations from the government ones: Google reportedly has a database called Sensorvault in which it stores location data for millions of devices going back almost a decade. The article is about geofence warrants , where the police go to companies like Google and ask for information about every device in a particular geographic area at a particular time. In 2013, we learned from Edward Snowden that the NSA does this worldwide. Its program is called CO-TRAVELLER . The NSA claims it stopped doing that in 2014 -- probably just stopped doing it in the US -- but why should it bother when the government can just get the data from Google. Both the New York Times and EFF have written about Sensorvault. from Schneier on Security https://www.schneier.com/blog/archives/2020/01/google_receives.html

Recorded Future - More Than Just SOAR: How to Automate Security With Intelligence

Why work harder when you can work smarter? It’s a question many threat actors are asking themselves as they embrace automation to scale efforts and unleash a new wave of attacks — from password stuffing to software bot attacks and extortion. With the ability to multiply and spread rapidly, these automated attacks put even the best protected companies at risk. Staying one step ahead of them requires more time and resources than ever before, and organizations are feeling the pain. Automated Intelligence Versus Automated Threats The most effective way to combat automation is by taking a similar approach — fighting automation with automation . Recognizing this, some organizations already use security orchestration, automation, and response (SOAR) technology to streamline repeatable incident response tasks. Many of these early adopters use SOAR to augment existing SIEM systems and empower their security teams to drive down their mean time to detection (MTTD) and mean time to response (MT...

Krebs - Russian Cybercrime Boss Burkov Pleads Guilty

Image
Aleksei Burkov , an ultra-connected Russian hacker once described as “an asset of supreme importance” to Moscow, has pleaded guilty in a U.S. court to running a site that sold stolen payment card data and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks. Aleksei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Andrei Shirokov / Tass via Getty Images. Burkov, 29, admitted to running CardPlanet , a site that sold more than 150,000 stolen credit card accounts, and to being the founder and administrator of DirectConnection — a closely guarded underground community that attracted some of the world’s most-wanted Russian hackers. He pleaded guilty last week in a Virginia court to access device fraud and conspiracy to commit computer intrusion, identity theft, wire fraud and money laundering. As KrebsOnSecurity noted in a November 2019 profile of Burkov’s hacker nickname ‘k0pa,’ “a dee...

Schneier - Modern Mass Surveillance: Identify, Correlate, Discriminate

Communities across the United States are starting to ban facial recognition technologies. In May of last year, San Francisco banned facial recognition; the neighboring city of Oakland soon followed, as did Somerville and Brookline in Massachusetts (a statewide ban may follow). In December, San Diego suspended a facial recognition program in advance of a new statewide law, which declared it illegal, coming into effect. Forty major music festivals pledged not to use the technology, and activists are calling for a nationwide ban. Many Democratic presidential candidates support at least a partial ban on the technology. These efforts are well-intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we're in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructur...

Black Hills InfoSec - What You Should Actually Learn From a Pentest Report

Dakota Nelson // Unknown Unknowns: So you’ve been pentested. Congrats! It might not feel like it, but this will eventually leave you more confident about your security, not less. The real question is – why might it not feel like it? Pentest findings can be broken down many ways, of course – the obvious one […] The post What You Should Actually Learn From a Pentest Report appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/what-you-should-actually-learn-from-a-pentest-report/

Recorded Future - Teachers, Trainers, and Educators

Our guest this week is Jeremy Blackthorne, president of the Boston Cybernetics Institute . They provide a variety of cybersecurity services, and our conversation focuses on their unique approach to training, specifically for members of the U.S. military. Jeremy served in the U.S. Marine Corps, and we explore the advantages that provides when approaching both training and operational security issues. We’ll get his take on threat intelligence , as well. This podcast was produced in partnership with the CyberWire . The post Teachers, Trainers, and Educators appeared first on Recorded Future . from Recorded Future https://www.recordedfuture.com/podcast-episode-143/

Schneier - Smartphone Election in Washington State

This year : King County voters will be able to use their name and birthdate to log in to a Web portal through the Internet browser on their phones, says Bryan Finney, the CEO of Democracy Live, the Seattle-based voting company providing the technology. Once voters have completed their ballots, they must verify their submissions and then submit a signature on the touch screen of their device. Finney says election officials in Washington are adept at signature verification because the state votes entirely by mail. That will be the way people are caught if they log in to the system under false pretenses and try to vote as someone else. The King County elections office plans to print out the ballots submitted electronically by voters whose signatures match and count the papers alongside the votes submitted through traditional routes. While advocates say this creates an auditable paper trail, many security experts say that because the ballots cross the Internet before they are printed...

Schneier - Friday Squid Blogging: More on the Giant Squid's DNA

Following on from last week's post , here's more information on sequencing the DNA of the giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here . from Schneier on Security https://www.schneier.com/blog/archives/2020/01/friday_squid_bl_713.html

SANS - Issue #7 - Volume XXII - SANS Newsbites - January 24th, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/7

Krebs - Does Your Domain Have a Registry Lock?

Image
If you’re running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company’s domain name and doing whatever they wish with it. Even so, most major Web site owners aren’t taking full advantage of the security tools available to protect their domains from being hijacked. Here’s the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers. On December 23, 2019, unknown attackers began contacting customer support people at OpenProvider , a popular domain name registrar based in The Netherlands. The scammers told the customer representatives they had just purchased from the original owner the domain  e-hawk.net — which is part of a service that helps Web sites detect and block fraud — and that they were having trouble transferring the domain from OpenProvider to a different registrar. The real owner of e-hawk.net is Raymond Dijkxhoorn , a securit...