Archive for February 25th, 2014

Social Engineering – Corporate Security breach in 20 minutes

This account illustrates how excellent acting skills and technological know-how can be combined into social engineering attack

QUOTE: How long would it take for an attacker to break into a business? Get on the corporate network as an authenticated user? If you think it would take a few days or even a few hours, you are way, way off.  Try 20 minutes.

It took David Jacoby, a senior security researcher with the Global Research and Analysis Team at Kaspersky Lab, three minutes to sneak into the building, four minutes to get network access, five minutes to get authenticated access to the network, and ten minutes to install a backdoor onto the corporate network. He was able to download and walk away with “gigabytes of data” from the company, he told attendees at last week’s Kaspersky Lab Security Analyst Summit. Jacoby was invited by a company come in and tests its defenses. As it turned out, he didn’t need any fancy hacks or zero-days to get through. It was all social engineering. “They spent so much money [on security], and I still got in,” Jacoby said.

Being Nice to Tailgaters – The company required employees to use a badge to enter and leave the building. Jacoby waited for other employees to go inside, and just hurried in after them. Most people want to be polite and will hold the door open if someone is going in at the same time—something most tailgaters take advantage of. Jacoby went a step further, in case the employee thought to ask to see the badge. He dressed up a bit to look a little managerial and held a cell phone up to his ear as if he was having a conversation with someone. As he was going through the door, he said, “I am right in the lobby. I will be up in a minute.”  No one will interrupt a phone call, and if you convey the impression that you are someone important heading off to meet someone important, most people won’t stop to question you, Jacoby said.

Next Step of Finding Connection – he went straight to the printer room, where there is invariably a network hub for the printer. He plugged his laptop into the hub and as easy as that, he was on the network. Getting on the network as a valid user took more talking than hacking. Jacoby found an employee sitting next door to the printer room and explained he was having trouble with the network. He asked if he could borrow the employee’s computer. When he sat down, the employee was still logged in, which meant he could do whatever he wanted on the network.  At this point, he installed a backdoor on the network, giving him full control. He no longer needed the employee’s computer or credentials.

Exploring Vulnerabilities – After getting access to the network, Jacoby found that the network was segmented incorrectly, so sensitive systems were easily accessible. He found outdated and vulnerable software. He also found 300 user accounts with passwords set to never expire. All these things made his job, as an attacker, much easier.  Think like an attacker. You will be surprised at just how vulnerable your organization may be.

RSAC 2014 – Patch Management improves security

Another informative talk in 2014 RSA conference

QUOTE: Are your PCs all configured for Automatic Update? If not, you’re risking more than just missing out on the latest version of Internet Explorer. At the RSA Conference, Simon Edwards, Technical Director of London-based Dennis Technology Labs, presented the results of a study showing that keeping Windows up to date seriously improves your security. Edwards noted that one obvious way to get even more protection is to patch significant third-party tools like Flash, Adobe, and Java. “If you kept those things up to date,” said Edwards, “the graph of improved protection in a patched system would be a lot higher. The bad guys specifically use toolkits that attack vulnerabilities in those third-party apps.” He noted that using a patch manager like Secunia Personal Software Inspector 3.0 can help.

Overall, 32 percent of the malware samples used in testing were neutralized by the simple act of fully updating the test systems. Those antivirus products with the lowest scores in the unpatched state naturally got the most benefit from patching. Does this mean you don’t need antivirus if you keep your system patched? Not at all! Think about the other 68 percent of malicious programs that were not stopped by patching. And if you want to know more, dig into the full report on the Dennis Labs website


RSAC – Lax Home security affects corporate security

Best security practices should begin at home, as there is valuable personal data at risk. As article notes, almost half of all users surveyed don’t use password protection on mobile devices and valuable data & services are at risk if stolen.  Likewise in corporate environment, even greater levels of safety are needed

QUOTE: What sort of personal data is stored on your laptop or mobile device? And just what do you do to secure that device? The encryption experts at WinMagic contracted with Harris Interactive to ask over 2,000 Americans those questions. The results may surprise you; if you’re an IT administrator, the results may horrify you. I met with WinMagic COO Mark Hickman and WinMagic Senior Director of Product Marketing Darren Leroux at the RSA Conference to discuss what they learned.

No Password? Big Problem –  “We commissioned the survey and got the results,” said Leroux. “There were just two questions: What kind of info is on your laptop? And what do you do to secure it? 71 percent responded that they secure their devices with antivirus and firewall. Only about 14 percent actually encrypt the device.” He went on to note that only 56 percent of respondents said that they password-protect their devices. “Think what they do on those devices,” said Leroux, “and imagine the damage a thief could do!”

Malware – RAM Scraping Point of Sales attacks in-depth

Bromium Labs shares in-depth analysis:

QUOTE: Back in 2009 several companies (including Visa and Verizon) published threat reports describing a new kind of malware – RAM scrapers (Verizon report, Visa report). These are malicious programs that search memory of point-of-sale (POS) systems for bank card information. After that a number of blog entries appeared, but neither of them (to our best knowledge) reveal the inner workings of RAM scrapers. Recently this issue has come back into the limelight with the recent Target breach. The exact details of the Target malware are still unknown but it is important to understand how RAM scrapers work and why they’re a big risk to the retail industry.  In this blog, we analyze several families of POS malware and investigate techniques and approaches deployed to scrape bank card information in the infected system’s volatile memory.

IE10 Exploit – Recommendation to promptly apply patches

Corporate & home users should patch expediently.  IE11 also offers improved protection & functionality.  It has been a solid browser in both home & corporate environments, as “compatibility view” option helps work around legacy site issues.

QUOTE: There’s never a dull moment in the security industry, just as we heard about the latest IE 0day; one of our field security engineers in the Americas stumbled upon a YouTube link that was hosting malware. The vulnerability is not in YouTube as such, but the ad-network seems to be the culprit in this case. We’re working with Google security team to get to the bottom of this, in the meantime some quick details about the infection below.


Classic drive-by download attack, infects the user by exploiting client software vulnerabilities.

– The ad network was discovered to be hosting the Styx exploit kit. This exploit kit was recently in the news for compromising at Well, the attackers seem to have upped their target this time by somehow getting into YouTube ads.

– The exploit leveraged in this was a Java exploit.

– The Trojan appears to be a Banking Trojan belonging to the Caphaw family.

– The outbound CnC went out to Europe in this infection, where the server is likely to be hosted. It uses a DGA (Domain Generation Algorithm) for CnC, we’re still digging into the various IP addresses leveraged.

RSAC – Risks related to Shortage of IT Security professionals

Corporate Security must  implement a blend of “technology” and “people” solutions, to safeguard information resources.  While the best technical defenses are always required, users are a vital part of the equation.  Otherwise, attackers will eventually learn enough to bypass physical, technical, or user based controls.  As evident in recent attacks, the highly advanced skills and methods of attackers can often defeat defenses in even major corporations.  Security requires a continuous improvement approach in attempts to be one step ahead of attackers.   A shortage of experienced IT experts is cited as a key corporate and even national risk.

QUOTE: Your castle is under attack, but nearly half of your defenders and over half of their commanders are missing in action. OK, there’s no castle, but in the war between business and the malware ecosystem, a vast number of defensive positions remain unfilled. At the RSA Conference, Art Gilliland, SVP and general manager, Enterprise Security Products for HP, explained just what HP is doing to fill this security gap.

Security Gap – “The bad guys are so effective because there’s a massive gap in the number of skilled IT security people,” said Gilliland. “We researched it, we looked at the job environment with Ponemon. 40 percent of essential IT security jobs go unfilled; it’s a huge gap. Trying to fight this well-financed adversary, well, if you don’t have the skills, you lose. We see that happening. “We’re putting our money where it matters,” said Gilliland. “We’ve allocated a quarter million dollars towards scholarships for women studying IT security. And we’re investing in the industry in general by helping universities develop a practical IT security curriculum

Information Security Professionals – Reading recommendations

PC Magazine shares beneficial resources for IT Security professionals

QUOTE: And now, the top five titles:

1. Cryptonomicon, by Neal Stephenson

2. Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power by David E Sanger

3. Kingpin: How One Hacker Took Over the Billion-Dollar Cyber-Crime Underground by Kevin Poulsen

4. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stollhave

5. We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency by Parmy Olson

EMET 4.1 – Researchers share recommendations for improvement

As EMET 5.0 will improve endpoint security protection, Bromium Labs shared in a responsible disclosure highly advanced techniques that could work around this protective agent.  The research report can be found in this thread:

QUOTE: We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit).  But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET?  And yes, we found ways to bypass all of the protections in EMET.  We provide our full technical whitepaper here: [Bypassing EMET 4.1].  We provided our research to Microsoft before speaking about these problems publically.  We also provided recommendations to upgrade the protections where possible.