Showing posts from October, 2020

SANS - Issue #86 - Volume XXII - SANS Newsbites - October 30th, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/86

Schneier - Friday Squid Blogging: Interview with a Squid Researcher

Interview with Mike Vecchione, Curator of Cephalopoda — now that’s a job title — at the Smithsonian Museum of National History. One reason they’re so interesting is they are intelligent invertebrates. Almost everything that we think of as being intelligent — parrots, dolphins, etc. — are vertebrates, so their brains are built on the same basic structure. Whereas cephalopod brains have evolved from a ring of nerves around the esophagus. It’s a form of intelligence that’s completely independent from ours. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. from Schneier on Security https://www.schneier.com/blog/archives/2020/10/friday-squid-blogging-interview-with-a-squid-researcher.html

Schneier - The Legal Risks of Security Research

Sunoo Park and Kendra Albert have published “A Researcher’s Guide to Some Legal Risks of Security Research.” From a summary: Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions (DMCA §1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law. Our Guide gives the most comprehensive presentation to date of this landscape of legal risks, with an eye to both legal and technical nuance. Aimed at researchers, the public, and technology lawyers alike, it aims both to provide pragmatic guidance to those navigating today’s uncertain legal landscape, and to provoke public debate towards future reform. Comprehensive, and well worth reading. from Schneier on Security https://www.schneier.com/blog/archives/2020/10/the-legal-risks-of-security-research.html

SBS CyberSecurity - Using Your IT Risk Assessment to Make Decisions

Your IT risk assessment is one of the most important pieces of a solid Information Security Program. A strong IT risk assessment helps in the development of strong policy as well as the improvement of an organization's security structure. However, not all IT risk assessments are equal. To get the most value from your IT risk assessment, which, in the end, allows you to make stronger security-minded decisions, there are some features that must be included. The way you lay out your assets, threats, and controls in your IT risk assessment is critical in not only identifying risk to the organization but identifying where that risk lies and what your organization should be doing about it.

Identifying Assets

To ensure IT assets, both internally and externally hosted, are included in your organization's risk mitigation strategy, you must include all of the IT assets you use in your IT risk assessment; not simply the assets that you maintain on the organization's netw

Schneier - Tracking Users on Waze

A security researcher discovered a vulnerability in Waze that breaks the anonymity of users: I found out that I can visit Waze from any web browser at waze.com/livemap so I decided to check how those driver icons are implemented. What I found is that I can ask Waze API for data on a location by sending my latitude and longitude coordinates. Besides the essential traffic information, Waze also sends me coordinates of other drivers who are nearby. What caught my eye was that identification numbers (ID) associated with the icons were not changing over time. I decided to track one driver and after some time she really appeared in a different place on the same road. The vulnerability has been fixed. More interesting is that the researcher was able to de-anonymize some of the Waze users, proving yet again that anonymity is hard when we’re all so different. from Schneier on Security https://www.schneier.com/blog/archives/2020/10/tracking-users-on-waze.html
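The failure the researcher describes is a join key: a nearby-drivers response that carries the same identifier for the same driver on every request lets an observer chain positions across polls. The following is an added example, not code from the Schneier post or the researcher's write-up, and it does not call Waze's real API. The endpoint, field names, driver positions and the "rotating identifier" fix are all constructed for illustration; the post only says the vulnerability was fixed, not how.

```python
from collections import defaultdict
import secrets

# Constructed ground truth: three drivers, one (lat, lon) per poll tick.
# The values are made up and only need to be distinct per driver.
DRIVERS = {
    101: [(59.3300, 18.0600), (59.3310, 18.0620), (59.3320, 18.0640)],
    102: [(59.3300, 18.0610), (59.3300, 18.0610), (59.3300, 18.0610)],
    103: [(59.3290, 18.0580), (59.3310, 18.0630), (59.3330, 18.0680)],
}


def nearby_drivers(tick, rotate_ids):
    """Hypothetical live-map response for one poll (not Waze's real API).

    rotate_ids=False mimics the reported behaviour: the same identifier is
    returned for the same driver on every poll. rotate_ids=True is the
    assumed hardened variant: a fresh random token per response, so rows
    from different polls cannot be joined on the identifier.
    """
    rows = []
    for real_id, path in DRIVERS.items():
        lat, lon = path[tick]
        shown_id = secrets.token_hex(8) if rotate_ids else str(real_id)
        rows.append({"id": shown_id, "lat": lat, "lon": lon})
    return rows


def poll(rotate_ids, ticks=3):
    """What an observer collects by polling the endpoint `ticks` times."""
    return [nearby_drivers(t, rotate_ids) for t in range(ticks)]


def build_tracks(polls):
    """Join all responses on the 'id' field: id -> ordered list of positions.

    With stable IDs this reconstructs each driver's path; with per-response
    IDs every row ends up in its own singleton track.
    """
    tracks = defaultdict(list)
    for rows in polls:
        for row in rows:
            tracks[row["id"]].append((row["lat"], row["lon"]))
    return dict(tracks)


def longest_track(polls):
    """Most positions the observer can chain to a single identifier."""
    return max(len(path) for path in build_tracks(polls).values())


if __name__ == "__main__":
    print("stable IDs  :", longest_track(poll(rotate_ids=False)), "positions chained")
    print("rotating IDs:", longest_track(poll(rotate_ids=True)), "position chained")
```

Rotating the identifier removes only the trivial join. An observer who polls frequently can still link rows by proximity between consecutive responses, so an endpoint like this also needs coarser positions, fewer returned drivers, or rate limiting before the anonymity claim holds.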

Recorded Future - Security Intelligence Handbook Chapter 1: Why Security Intelligence Matters

Editor’s Note: Over the next several weeks, we’re sharing excerpts from the third edition of our popular book, “The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk with Security Intelligence.” Here, we’re looking at chapter one, “What Is Security Intelligence?” To read the entire section, download your free copy of the handbook. Today, anyone with a desire to do harm — from your run-of-the-mill bad guys to nation-state attackers — has the ability to put your organization’s most sensitive data at risk simply by accessing underground marketplaces and easily purchasing off-the-shelf tools. These adversaries assume you’re at a disadvantage, hindered by legacy vulnerabilities, a lack of secure code development processes, explosive growth of connected devices, and a dispersed workforce that’s increasingly difficult to secure. By the time you see threat indicators on your network, it’s often too late — and you’re probably at least two steps behind your a

Krebs - FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

On Monday, Oct. 27, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” The agencies on the conference call, which included the U.S. Department of Health and Human Services (HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” The agencies said they were sharing the information “to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

SBS CyberSecurity - {Threat Advisory} Business Email Compromise

We are in the middle of business email compromise (BEC) season and there is a new tactic that is currently running rampant. from SBS CyberSecurity https://sbscyber.com/resources/threat-advisory-business-email-compromise

Krebs - Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems. The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually. Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security , KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercrimin

Recorded Future - How Unprecedented Intelligence Drives Stockholm Public Transportation’s Need for Speed

Key Takeaways

Stockholm Public Transportation (or Storstockholms Lokaltrafik in their local Swedish), the organization responsible for running all land- and sea-based public transport systems in Stockholm, Sweden, has adopted elite intelligence from Recorded Future to transform its vulnerability management approach and:

- Protect critical transportation infrastructure and keep citizens safe
- Close the vulnerability gap between detection and response
- Prioritize patching and boost productivity and availability by minimizing off-cycle patching

Connecting and Protecting a Major City

As transportation systems become increasingly connected and digitized, cyber threats are rising in parallel. While threat actors’ motivations vary, experts agree that attacks on these critical infrastructure systems are particularly concerning because, in addition to data loss, breaches may result in large-scale disruption or even physical damage. Serving more than 900,000 people each day, Stockholm Pu

Black Hills InfoSec - Machine-in-the-Middle (MitM) BLE Attack

Ray Felch // Introduction Continuing with my ongoing Smart Lock attack research (see blog Reverse Engineering a Smart Lock), I decided to move my focus to a different type of attack technique, namely a relay attack. The relay attack is a form of MitM attack, not to be confused with the more well-known replay attack.   […] The post Machine-in-the-Middle (MitM) BLE Attack appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/machine-in-the-middle-mitm-ble-attack/
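The distinction the post draws matters because the two attacks fail against different defenses. A replay attack resends a recorded answer, so a per-attempt nonce defeats it. A relay attack forwards the live challenge to the real key and its live answer back, so the cryptography checks out and only timing gives it away. The simulation below is an added example, not code from the Black Hills post and not a description of any particular smart lock; the HMAC challenge-response, the shared key, the round-trip timings and the optional round-trip bound are all constructed to show that difference.

```python
import hashlib
import hmac
import secrets

# Constructed demo key provisioned into both sides; not from any real lock.
SHARED_KEY = b"constructed-demo-key"


class Fob:
    """The legitimate key: answers any challenge with HMAC(key, nonce)."""

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(SHARED_KEY, nonce, hashlib.sha256).digest()


class Lock:
    """Issues a fresh nonce per attempt and verifies the fob's answer.

    max_rtt_ms is an optional round-trip bound (an assumption for this
    example, standing in for distance bounding): a relay adds latency that
    a fob standing next to the lock does not.
    """

    def __init__(self, max_rtt_ms=None):
        self.max_rtt_ms = max_rtt_ms
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, response: bytes, rtt_ms: float) -> bool:
        if self.nonce is None:
            return False
        expected = hmac.new(SHARED_KEY, self.nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self.nonce = None  # single use, whether or not the check passed
        if self.max_rtt_ms is not None and rtt_ms > self.max_rtt_ms:
            return False
        return ok


# Constructed timings (ms): fob next to the lock vs. relayed via two radios.
LOCAL_RTT_MS = 2
RELAY_LATENCY_MS = 40


def legitimate_unlock(lock: Lock, fob: Fob) -> bool:
    nonce = lock.challenge()
    return lock.verify(fob.respond(nonce), rtt_ms=LOCAL_RTT_MS)


def capture_response(lock: Lock, fob: Fob) -> bytes:
    """Attacker sniffs one genuine exchange and keeps the fob's answer."""
    nonce = lock.challenge()
    response = fob.respond(nonce)
    lock.verify(response, rtt_ms=LOCAL_RTT_MS)  # the real unlock happens
    return response


def replay_attack(lock: Lock, captured: bytes) -> bool:
    """Replay: send the old answer to a new challenge. Fails, the nonce changed."""
    lock.challenge()
    return lock.verify(captured, rtt_ms=LOCAL_RTT_MS)


def relay_attack(lock: Lock, fob: Fob) -> bool:
    """Relay (MitM): forward the live challenge to the distant fob and its
    live answer back to the lock. The MAC is correct; only the round trip
    is longer than a fob in hand could produce."""
    nonce = lock.challenge()
    response = fob.respond(nonce)  # the fob answers, unaware of the distance
    return lock.verify(response, rtt_ms=LOCAL_RTT_MS + RELAY_LATENCY_MS)


if __name__ == "__main__":
    fob, plain, bounded = Fob(), Lock(), Lock(max_rtt_ms=10)
    captured = capture_response(plain, fob)
    print("replay against plain lock :", replay_attack(plain, captured))
    print("relay  against plain lock :", relay_attack(plain, fob))
    print("relay  against bounded lock:", relay_attack(bounded, fob))
```

Against the plain lock the replay fails and the relay succeeds, which is the point of the post: a nonce alone does not stop a relay. The bounded lock rejects the relayed answer purely on timing; real distance bounding works at the radio layer with far tighter budgets than this millisecond toy, and BLE's connection intervals make it hard to retrofit.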

Schneier - The NSA is Refusing to Disclose its Policy on Backdooring Commercial Products

Senator Ron Wyden asked, and the NSA didn’t answer : The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others. These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications. The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines. […] The agency declined to say how it had updated its policies on obtaining specia

SANS - Issue #85 - Volume XXII - SANS Newsbites - October 27th, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/85

TrustedSec - The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime I see a tweet published by Benjamin Delpy (@gentilkiwi), the father of Mimikatz and Kekeo, I am quick to capture the contents into my workflow. However, one tweet in April 2019 about a little-documented feature within Mimikatz called NetSync caught me by surprise. What is also interesting is that in the thread of this tweet, Delpy referenced a previous tweet back in 2016. I tried looking at the wiki page on the Mimikatz GitHub for more information on NetSync, but I had no luck finding any information beyond the two tweets. I also came across Delpy’s 2017 BlueHat IL talk, but beyond these three resources much of what else I found was documented incorrectly or just said t

TrustedSec - The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2

This is a continuation of The Tale of the Lost, but not Forgotten, Undocumented NetSync (part 1) and in this section, we will look to answer:

What are Some Early Indicators to Detect NetSync at the Host-based Level?
What are Some Possible Controls to Deter NetSync?

In an accompanying blog post, Wes Lambert (@therealwlambert) steps through a packet capture (pcap) file to highlight what is happening on the “wire” during the execution of a NetSync attack. Through his network-based analysis, Wes extracts the Indicators of Compromise (IOCs) and crafts the corresponding detections.

2.1 What are Some Early Indicators to Detect NetSync at the Host-based Level?

2.1.1 Host-based Detection

2.1.1.1 Windows Event Logging – What is Needed?

Two (2) of the main Windows Event IDs (EVTX) needed to help detect this attack are 4624 (An Account Was Successfully Logged On) and 5145 (A Network Share Object Was Checked To See Whether Client Can be Granted Desired Access). Both logs need
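Neither event is useful on its own; the signal is in pairing them. One way to correlate 4624 and 5145 on the domain controller, as an added example and not TrustedSec's own detection logic: the sample events, the pairing rule (a network logon by a machine account followed within a few seconds by that same source IP opening the netlogon named pipe on IPC$), the time window, and the workstation-name mismatch flag are all assumptions made for this example. Field names follow the EventData fields of the two events; the values are constructed, not real logs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Keys follow the EventData field
# names of 4624 and 5145; every value here is made up for the example.
EVENTS = [
    {"EventID": 4624, "Time": "2020-10-27T10:00:01", "IpAddress": "10.0.0.50",
     "TargetUserName": "WS01$", "WorkstationName": "ATTACKER-PC", "LogonType": 3},
    {"EventID": 5145, "Time": "2020-10-27T10:00:02", "IpAddress": "10.0.0.50",
     "SubjectUserName": "WS01$", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "netlogon"},
    {"EventID": 4624, "Time": "2020-10-27T10:05:00", "IpAddress": "10.0.0.77",
     "TargetUserName": "alice", "WorkstationName": "WS07", "LogonType": 3},
    {"EventID": 5145, "Time": "2020-10-27T10:05:01", "IpAddress": "10.0.0.77",
     "SubjectUserName": "alice", "ShareName": "\\\\*\\Finance",
     "RelativeTargetName": "q3\\report.docx"},
    {"EventID": 4624, "Time": "2020-10-27T10:20:00", "IpAddress": "10.0.0.60",
     "TargetUserName": "WS02$", "WorkstationName": "WS02", "LogonType": 3},
    {"EventID": 5145, "Time": "2020-10-27T10:20:01", "IpAddress": "10.0.0.60",
     "SubjectUserName": "WS02$", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "netlogon"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _is_machine_network_logon(event):
    # 4624, LogonType 3 (network), account name ending in '$' (machine account)
    return (event["EventID"] == 4624 and event.get("LogonType") == 3
            and event.get("TargetUserName", "").endswith("$"))


def _is_netlogon_pipe_access(event):
    # 5145 against IPC$ where the relative target is the netlogon pipe
    return (event["EventID"] == 5145
            and event.get("ShareName", "").upper().endswith("IPC$")
            and event.get("RelativeTargetName", "").lower() == "netlogon")


def find_netsync_candidates(events, window_s=10):
    """Pair each machine-account network logon (4624) with a netlogon pipe
    access on IPC$ (5145) from the same source IP within window_s seconds.

    The pairing rule, the window and the workstation-name check are
    assumptions made for this example, not rules stated in the post.
    """
    logons = [e for e in events if _is_machine_network_logon(e)]
    pipes = [e for e in events if _is_netlogon_pipe_access(e)]
    hits = []
    for lg in logons:
        account = lg["TargetUserName"].rstrip("$").upper()
        for pe in pipes:
            if pe["IpAddress"] != lg["IpAddress"]:
                continue
            delta = _ts(pe) - _ts(lg)
            if not (timedelta(0) <= delta <= timedelta(seconds=window_s)):
                continue
            hits.append({
                "source": lg["IpAddress"],
                "account": lg["TargetUserName"],
                "logon_time": lg["Time"],
                "pipe_time": pe["Time"],
                # Machine account used from a host whose name does not match it.
                "workstation_mismatch": lg.get("WorkstationName", "").upper() != account,
            })
    return hits


def suspicious(events, window_s=10):
    """Only the pairs where the workstation name disagrees with the account."""
    return [h for h in find_netsync_candidates(events, window_s)
            if h["workstation_mismatch"]]


if __name__ == "__main__":
    for hit in find_netsync_candidates(EVENTS):
        print(hit)
```

The raw pair is noisy: every domain-joined host opens the netlogon pipe on its DC as part of normal secure-channel traffic, which is exactly what the WS02 pair in the sample looks like. The mismatch flag is what separates a machine account being used from somewhere it should not be, and a real deployment would baseline which source addresses normally present which machine accounts before alerting on it. Both events must actually be enabled in the audit policy (Logon and Detailed File Share auditing); 5145 in particular is off by default on most builds.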