Articles & Presentations

Wednesday, June 29, 2011

Best InfoSec quote ever... On people plugging in USB devices they found

Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: "There's no device known to mankind that will prevent people from being idiots."

#InfoSec #USB

Sunday, June 26, 2011

(I) Ever wonder if your email address is in any of the well known hacks of recent past?

With all these website hacks going on, ever wonder if your email is inside one of these stolen databases? If your email account is inside one of these databases there is one thing for sure that you must do... CHANGE YOUR PASSWORDS everywhere you use it, and make it different for each website.

Behold... @dagrz created a website where you can look up your email address to see if it is in one of the recently hacked databases. You can also see which databases were used in this lookup under 'Sources'. I can see this type of service having a business model where you could subscribe and be alerted if your email or account information ends up in one of these hacked databases... Very kewl idea...

@dagrz website 'ShouldIChangeMyPassword'
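
The kind of lookup that @dagrz's site offers, as an added example that is not the site's code: a small breach index keyed by hashed email address, queried the privacy-preserving way. The client sends only the first five hex characters of the SHA-1 of the address and compares the returned suffixes locally, so the service never learns the full address being checked. The breach sources and addresses are constructed sample data, and the function names are this example's own.

```python
import hashlib

# Constructed sample data: addresses found in (fictitious) leaked databases, keyed
# by the name the service would show under 'Sources'. Not real breach data.
BREACH_SOURCES = {
    "sample-dump-A (constructed)": ["alice@example.com", "carol@example.net"],
    "sample-dump-B (constructed)": ["Alice@Example.com", "dave@example.org"],
}

PREFIX_LEN = 5  # hex chars the client reveals; 16^5 is about a million buckets


def email_hash(email):
    """Normalise the address (trim, lower-case) and hash it; hashing is what lets
    the service keep an index without holding every address in the clear."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


def build_index(sources):
    """Service side: prefix -> {suffix -> [source names]}."""
    index = {}
    for source, emails in sources.items():
        for email in emails:
            digest = email_hash(email)
            bucket = index.setdefault(digest[:PREFIX_LEN], {})
            bucket.setdefault(digest[PREFIX_LEN:], []).append(source)
    return index


def range_query(index, prefix):
    """Service side: return the whole bucket for a prefix. The service sees only
    the prefix, never the full hash or the address."""
    return index.get(prefix.upper(), {})


def client_lookup(index, email):
    """Client side: hash locally, ask for the bucket, compare suffixes at home.
    Returns the sorted list of sources the address appears in ([] if none)."""
    digest = email_hash(email)
    bucket = range_query(index, digest[:PREFIX_LEN])
    return sorted(bucket.get(digest[PREFIX_LEN:], []))


if __name__ == "__main__":
    idx = build_index(BREACH_SOURCES)
    for addr in ("alice@example.com", "nobody@example.com"):
        hits = client_lookup(idx, addr)
        print(addr, "->", hits or "not found; still use a unique password per site")
```

A hit means the password used on that site is burned everywhere it was reused; a miss only means the address is not in the sources this index happens to hold.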

#InfoSec

Thursday, June 16, 2011

(W) (I) Why you need different passwords on each website

I have blogged before on using a unique password for each website and why you need to do this, as it is no longer an option, it is a requirement to keep your data, dollars and dignity safe. I referred to the Gawker breach in the last blog, but now, the folks that brought you the Sony breaches and several others, LulzSec, has posted the usernames and passwords for roughly 64,000 credentials. MediaFire was kind enough to take down the look-up as it 'violated' their policy... gee I wonder why.

So what is everyone doing?  Trying the credentials of course... on Facebook, Twitter, eBay, PayPal, GMail, Yahoo, Hotmail, etc. etc. etc...

The problem is that people, you the reader, my friends, family and everyone you know, tend (almost always) to use the same username and/or email address and the same password on most or all of the websites they use. This means if I, or anyone else, get a set of credentials from say, Gawker, Sony and now LulzSec and try these credentials on many of the popular websites... most likely the success rate will be high... VERY high.

So do yourself a favor and look into a password management tool that will remember your websites, usernames and passwords for each site you frequent, and use the tool to generate a random and unique password for every website you use. So when the next credential breach occurs, you only need to worry about changing one password versus the 10-20 that you might have.

I REALLY hope your banking, financial and health related passwords are nothing alike for your sake!

LastPass (my fav), RoboForm, SuperGenPass and others are all solutions that will help you generate a uniquely different password for each website and remember them, so you don't have to worry about keeping 20 different passwords in your head.
Gizmodo article on Lulz account and password leak

Wednesday, June 15, 2011

Information Security thawt leader... Thoughts

With all the breaches we have been reading about it must make us InfoSec professionals really think and worry if we can really secure our environments any longer.

Today we must take a posture that it is not a matter of if, but when we will have our systems compromised. IMF, Sony, Sony, Sony, Sony.., Gawker, Citibank, IMF, the Senate, and many others have had breaches that have made the press. What about the ones that have not? Or worse, don't know yet...

APT... A dumb term, since all threats are generally advanced and you will never break in unless you are persistent, so it is nothing more than a Targeted Attack (TA), so can we call it what it is? You have been targeted and are under attack, by a serious pro.

If the ne'er-do-wellers are, ahem... persistent, they will get in if the time your defenses hold does not meet or exceed the time it takes you to detect and respond, as you might recall from Time Based Security, which Winn has touted for years. Yes, we have to migrate to the ability to detect attacks, or, for those who feel log management is just a pain in the ass, to respond to, eradicate and recover from incidents quickly and swiftly.

Understand what to protect: do you have data on workstations? Why? Can you re-image a system within 30 mins? Why not? If we can minimize the systems we must protect, we can detect and respond much faster.

Recently the computer of a person I know got malware and the tech scanned and cleaned, scanned and cleaned, and two days later she was still down. I told her to just re-image the system, it would be faster than trying to scan and clean, not to mention if you are a local Windows administrator the malware can embed itself and be missed by all the Anti-Virus engines. Well, her system was in need of an upgrade, so they upgraded her with a new PC... A week later she was functioning again... As an administrator... Gee, that malware won't happen again, it's Windows 7, minus some data that was local that needs to be salvaged.

What can we learn from this typical IT scenario? Well, re-imaging is far faster than getting an IT person to scan today's huge hard drives with all the bloatware installed and signatures the AV must crank through on older hardware that is sloooow. Recovery would have been faster too. We as InfoSec pros need to convince our IT staff to do better fingerprinting of systems and make re-imaging a priority, so when something nefarious occurs, we re-image the system and move on, which is far faster and easier than trying to figure out what was infected, when and where. You can always image a system if you want to do in-depth forensics after the fact.

Why do we need to re-image? For starters it guarantees your workstation is malware free. Re-imaging also helps your IT staff refine their build and recovery process, good for DR and good for Time Based Security. Re-imaging also takes away the discussion of everyone saying "What do you want me to do with this PC Mr. Security Dude"... By getting IT focused on keeping business going, us InfoSec pros can focus on other issues, like protecting the systems where the data lives, the servers.

I know, you are asking why user systems get infected... Well, I think that is obvious... URLs in emails and surfing the Internet, it is simple really. Management can't get to the point of restricting all users all the time, the InterWebbings have become an entitlement to employees these days, and besides, malware comes from legitimate websites and you can't block all websites.

Servers can be re-imaged as well; Virtual Machines provide snapshots after you build a system or upgrade, so when something suspicious happens, IT can revert back to a snapshot. If you fingerprint your systems, something you REALLY should do, recording the services/daemons, app versions, etc. that are loaded on a system, then you can reload an OS, restore a tape or disk image and point it to the data and other app servers.

If the data and users can be easily pointed to, because developers created modular code that allows you flexibility (I know, slap me), then in theory you could re-image and recover fairly quickly. Great practice for DR too... Refine, refine, refine... Cleaning some rootkits and malware will probably take longer than a re-image, or at least your re-imaging should be faster than performing an investigation, analysis and forensics... Get business back up and running and ask questions later, or analyze the snapshots or disk images later. Do I really need to say patch and harden in the process?

If Sony had done this, then the PlayStation network could have been restored, but the hackers clearly ruined the environment beyond repair.. Not a good thing and clearly shows poor processes and a terrible state of DR.

Where DR practices are a thing of our predecessors, re-imaging or rebuilding a system and the process to do so needs to be refined to be as fast as possible to allow us InfoSec pros, and our IT staff the ability to quickly recover and minimize the impact of being p0wned by the true hacking pros.
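
Fingerprinting a system, as the post describes it, means recording which services/daemons, versions, listening ports and privileged accounts a clean build has, so that a drifted box can be spotted and re-imaged instead of scanned and cleaned. The comparison step, as an added example that is not from the post: the baseline and the later "current" inventory are both constructed, and the field names are this example's own; in practice you feed it whatever your inventory script collects right after the build.

```python
import hashlib
import json

# Constructed baseline captured right after a clean build.
BASELINE = {
    "services": {"sshd": "OpenSSH_5.8", "httpd": "2.2.17", "ntpd": "4.2.6"},
    "listening_ports": [22, 80, 123],
    "admin_users": ["root", "ops"],
}

# Constructed inventory taken from the same host later: an extra daemon, an extra
# listening port and an extra privileged account appeared, and httpd changed version.
CURRENT = {
    "services": {"sshd": "OpenSSH_5.8", "httpd": "2.2.19", "ntpd": "4.2.6", "telnetd": "0.17"},
    "listening_ports": [22, 23, 80, 123],
    "admin_users": ["root", "ops", "svc_tmp"],
}


def fingerprint(inventory):
    """One stable digest per inventory: canonical JSON so key order alone can
    never produce a false 'changed' verdict."""
    canonical = json.dumps(inventory, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def drift(baseline, current):
    """List every difference that matters; an empty list means the box still
    matches its build fingerprint."""
    findings = []
    for name, version in sorted(current["services"].items()):
        if name not in baseline["services"]:
            findings.append(f"new service: {name} {version}")
        elif baseline["services"][name] != version:
            findings.append(f"version changed: {name} {baseline['services'][name]} -> {version}")
    for name in sorted(set(baseline["services"]) - set(current["services"])):
        findings.append(f"service missing: {name}")
    for port in sorted(set(current["listening_ports"]) - set(baseline["listening_ports"])):
        findings.append(f"new listening port: {port}")
    for user in sorted(set(current["admin_users"]) - set(baseline["admin_users"])):
        findings.append(f"new admin user: {user}")
    return findings


def verdict(baseline, current):
    """The decision the post argues for: match the fingerprint, or re-image."""
    if fingerprint(baseline) == fingerprint(current):
        return "matches baseline"
    return "drifted: re-image (" + "; ".join(drift(baseline, current)) + ")"


if __name__ == "__main__":
    print(verdict(BASELINE, CURRENT))
```

A version change is not always an attack: patching changes versions too, which is why the baseline has to be re-taken after each approved patch cycle, otherwise every patched host looks drifted.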

Segmentation is another thing that seems to have gone by the wayside... What the heck are we doing allowing everyone to see everything? It sure makes hackers' jobs a cakewalk. Users only need to see the systems they use, that's it, not every other workstation, telco system, backup system, admin system, management system and server they will never access....

It is time to create bubbles of services, lock those bubbles down to only the services and ports needed, grant access to only those user systems that need it, and block all egress for ports and IPs that are not needed. Monitor this and you will know when something nefarious is occurring: 'new port detected', 'Disallowed IP attempted', hmm, that's odd.
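
The monitoring half of that, as an added example that is not from the post: each "bubble" is a user subnet plus the exact (server, port) pairs it needs, and every flow that falls outside it raises one of the two alerts the post names, or a third for a source address that belongs to no bubble at all. The bubbles and the key=value firewall log lines are constructed; a real deployment would parse whatever format your firewall writes.

```python
import ipaddress
import re

# Constructed service "bubbles": a user subnet, the (server, port) pairs it needs,
# and nothing else. Anything not listed is what the post says to block and alert on.
BUBBLES = {
    "finance-users": {
        "subnet": ipaddress.ip_network("10.20.0.0/24"),
        "allowed": {("10.50.0.10", 443), ("10.50.0.11", 1433)},
    },
    "engineering-users": {
        "subnet": ipaddress.ip_network("10.30.0.0/24"),
        "allowed": {("10.50.0.20", 22), ("10.50.0.20", 443)},
    },
}

# Constructed firewall log lines in a made-up key=value format.
SAMPLE_LOG = """\
2011-06-15T09:00:01 src=10.20.0.15 dst=10.50.0.10 dport=443 proto=tcp
2011-06-15T09:00:02 src=10.20.0.15 dst=10.50.0.10 dport=22 proto=tcp
2011-06-15T09:00:03 src=10.20.0.15 dst=203.0.113.9 dport=443 proto=tcp
2011-06-15T09:00:04 src=10.30.0.7 dst=10.50.0.20 dport=22 proto=tcp
2011-06-15T09:00:05 src=10.99.0.3 dst=10.50.0.10 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def bubble_for(src_ip):
    """Which bubble a source address belongs to, or None if it is unmapped."""
    for name, spec in BUBBLES.items():
        if src_ip in spec["subnet"]:
            return name
    return None


def check_line(line):
    """Return an alert string for a flow the bubble policy does not allow, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a flow record
    src, dst, dport = ipaddress.ip_address(m["src"]), m["dst"], int(m["dport"])
    name = bubble_for(src)
    if name is None:
        return f"{m['ts']} unmapped source {src} -> {dst}:{dport}"
    allowed = BUBBLES[name]["allowed"]
    if (dst, dport) in allowed:
        return None
    # Tell apart the two conditions the post names: a known server on a port the
    # bubble never uses, versus an address outside the bubble altogether.
    if any(dst == host for host, _ in allowed):
        return f"{m['ts']} [{name}] new port detected: {src} -> {dst}:{dport}"
    return f"{m['ts']} [{name}] disallowed IP attempted: {src} -> {dst}:{dport}"


def scan(log_text):
    """Alerts for every line in a log blob, in order."""
    return [a for a in (check_line(line) for line in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The policy is an allow-list, so the first week of running it is mostly discovering flows nobody documented; tighten the bubbles from the alerts rather than widening them until the alerts stop.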

We need to do more with less these days and these two items don't cost hard $$$ and can be accomplished with existing staff and some dedication.

#InfoSec

Monday, June 13, 2011

(W) OK Mobile users with passwords... DON'T use these passwords

Do you have password protection enabled on your iPhone or Android? If not, you should, but be careful NOT to use these Top 10 most-used passwords. Also note what they are and why they are bad: patterns, obvious choices and just plain stupid easy...

If you set a password, make it a good one to give you time to erase the device remotely if you lose your smart device.
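
The families the post calls out (patterns, obvious choices, plain-easy picks) can be checked by rule rather than only by list, which matters because a top-10 list misses the eleventh-most-common choice. An added example, not from the post or from Amitay's research: the common-passcode set here is a constructed stand-in (load the real list from the link), and the keypad-line set and rule names are this example's own.

```python
# Constructed stand-in for "the Top 10"; the real list is at the link in the post.
COMMON_PINS = {"0000", "1234", "1111", "2222", "1212", "5555"}

# Straight lines on a phone keypad: rows, columns, diagonals, and the middle
# column extended with the 0 key.
KEYPAD_LINES = {"123", "456", "789", "147", "258", "369", "2580", "159", "357"}


def pin_weakness(pin, common=COMMON_PINS, current_year=2011):
    """Return why a numeric passcode is weak, or None if no rule fires.
    Structural rules run first; the list is last, so the reason reported is the
    one most useful for explaining the problem to a user."""
    if not pin.isdigit() or len(pin) < 4:
        return "not at least four digits"
    if len(set(pin)) == 1:
        return "repeated digit"
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {-1}:
        return "sequential digits"
    if len(pin) % 2 == 0 and pin == pin[:2] * (len(pin) // 2):
        return "repeated pair"
    if pin in KEYPAD_LINES or pin[::-1] in KEYPAD_LINES:
        return "keypad straight line"
    if len(pin) == 4 and 1900 <= int(pin) <= current_year:
        return "looks like a year"
    if pin in common:
        return "on the common-passcode list"
    return None


if __name__ == "__main__":
    for candidate in ("1111", "1234", "2580", "1212", "1984", "7391"):
        print(candidate, "->", pin_weakness(candidate) or "no rule fired")
```

"No rule fired" is not "strong": a four-digit passcode has only 10,000 possibilities, which is why the post's real point is a passcode good enough to buy time for a remote wipe.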

Kudos to Daniel Amitay for this research!

Top 10 iPhone passwords

#InfoSec #DanielAmitay

Tuesday, June 7, 2011

(I) Great App to evaluate your passwords - Steve Gibson does it again

InfoSec legend Steve Gibson of Gibson Research (GRC), author of the SpinRite hard disk utility and TWiT Security Now podcaster, has created a password evaluation web application called Haystack.

What you do is enter your password(s) (hopefully you have more than one password) to see how long it would take a hacker to crack your password.

Haystack covers both a hacker attempting online brute force against a website login, say your Gmail or Facebook login, and the cluster f€#* at Sony and Gawker where the entire password file was taken and cracked offline, or with serious hacking power. Steve shows you how long it would take a hacker to get into your account(s) in each case.

You will be shocked at how fast today's hacking techniques can guess and crack passwords, but what is AWESOME about Steve's App is that it shows how adding a few dashes '-' or dots '.' for example, or any other characters, turns a weak password into a great one.

So check it out as this is a New TOP 10 utility for computer users and InfoSec pros to understand how to create a better password.
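
The arithmetic behind the padding trick, as an added example modelled on the search-space idea rather than taken from GRC's page: the alphabet is the sum of the character classes the password uses, the search space is every string of that alphabet up to the password's length, and the time to exhaust it is that space divided by a guess rate. The three guess rates are this example's assumptions for the scenarios the post contrasts, not figures from the Haystack page.

```python
import string

# Alphabet size is the sum of the classes present (33 symbols = punctuation plus space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}

# Assumed guess rates (guesses per second) for the scenarios the post contrasts:
# throttled online login attempts, an offline attack on a stolen password file,
# and a large cracking array. Example assumptions, not GRC's figures.
GUESS_RATES = {
    "online login attack": 1_000,
    "offline fast attack": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}


def alphabet_size(password):
    """Size of the character set an attacker has to assume, from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digits"]
    if any(c in string.punctuation or c == " " for c in password):
        size += CLASS_SIZES["symbols"]
    return size


def search_space(password):
    """Every string of the same alphabet up to and including this length: what an
    exhaustive search must cover in the worst case."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def time_to_exhaust(password):
    """Seconds to exhaust the search space at each assumed rate."""
    space = search_space(password)
    return {scenario: space / rate for scenario, rate in GUESS_RATES.items()}


def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # The padding point from the post: a short word padded with dots outgrows a
    # shorter, fully random password, because length dominates alphabet size.
    for pw in ("password", "D0g" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9"):
        print(repr(pw), f"alphabet={alphabet_size(pw)}", f"space={search_space(pw):.3e}")
        for scenario, secs in time_to_exhaust(pw).items():
            print(f"   {scenario}: {human(secs)}")
```

The model assumes the attacker is doing an exhaustive search; a dictionary attack finds "password" instantly regardless of what the arithmetic says, so padding only helps a password that is not already on a word list.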

GRC Haystack Application

#InfoSec #GRC #SGGRC #Haystack

(W) Warning BitTorrent users and Parents - Hurt Locker could cost you $1500

If you or your children use BitTorrent to download files and movies.. Beware!!!!

If you have children and don't know if your kids are using BitTorrent, you best find out and block the application.

Children and Teens use BitTorrent to download bootleg versions of movies, software, games and countless other Copyrighted materials, and YOU need to find out if this is going on in your home. If so, stop or block it. Voltage is asking for subpoenas to ISPs for the IP addresses of users that downloaded their movies from known Torrent sites...

The makers of the blockbuster Best Picture 'Hurt Locker' are suing thousands of BitTorrent users for illegally downloading the movie. Currently 24,000 people are involved in the lawsuit with roughly 5000 in the first wave for $1500 each!!!

For Geeks... Look for or block ports 6881 to 6889. For parents, search the kids and family computer and delete BitTorrent software and use a Security Suite or Norton Online Family or OpenDNS to control family access.

Not to mention, lock down your Home Wireless network so your teenage neighbors don't use your network to break the law.

Article on BitTorrent lawsuit

#InfoSec #BitTorrent

Monday, June 6, 2011

(U) Microsoft releases MS Standalone System Sweeper

Microsoft has just released a bootable malware detection tool with which you create two bootable media (USB or CD/DVD), one for 32-bit and another for 64-bit systems. You boot these CDs or thumb drives and they will scan your system for known malware, viruses, root-kits, etc.

Why is this good? To get a good idea of whether you are infected, you should not trust your own system, which could be compromised; the results of local scans could then be tampered with or affected by the malware, which malware authors are masters of, BTW.

You should first start from a known clean system and this is where the bootable CDs/USB come into play. Being a CD, it can't be written to once burned and thus gives you a clean look at a system that is behaving oddly.

I like these bootable media options better than using your installed AV or Malware protection to scan for malware since the bootable devices you created hopefully were created from known clean machines.

MS also lets you build a USB thumb drive device as well. You will need the latest IMAPI2 drivers loaded for the CD or USB creation to work, or you can create an ISO and burn it with your favorite burning software.

Of course if your system is acting oddly, you can just do what I usually recommend... Format your drive and reinstall Windows... Now you know you are clean. Of course follow my Top 10 items to do when rebuilding from my 'Don't Click on That', presentation.

Download MS System Sweeper from here

#InfoSec #DontClickOnThat

Friday, June 3, 2011

Hacker Hurricane discovers Credit Union iPhone and Android app flaw

Part 1 of 2

I recently discovered that my Credit Union iPhone and Android application contains what I feel is a typical bonehead developer design flaw. Yes, smartphones can quickly become vulnerable by inadequate security requirements and poor developers not using a good Information Security professional to review the design, requirements and completed project.

Unfortunately this flaw is not unique among smartphone applications. I am sure, like most companies trying to capitalize on the smartphone market, they probably outsourced the application to what they thought was a company that advertised they would develop a 'secure' application.

Not knowing anything about the developers or the team at RBFCU that led the effort, I can only assume what they decided were the minimum security requirements, one for sure that should have been on their list, clearly was not and thus this article and my communications with the Credit Union.

This flaw had me digging into my iPhone application directory (iTunes\iTunes Media\Mobile Applications) expanding the package (ipa) looking for what the application stored in the clear versus hashing. I easily found my email address in the clear, not part of the login, but still, why store this in the application package if it doesn't use it? hmmm.

What I was looking for was my account number that I found the developers store on the device in an improper way, yes IMHO. Even after you uninstall the application it is stored. And yes, even after you sync up with your PC you would think the account number would be deleted. What was worse is after I deleted everything and recently had to restore my iPhone did I find the app still knew my account number? WTF I deleted the application????
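
A way to check your own app package the way the post describes (expanding the .ipa, which is a zip archive, and looking for values stored in the clear), as an added example that is neither the author's method nor the credit union's code. The package is constructed in memory with sample values so it runs offline; to audit an app you own, pass `scan_package` the bytes of the real .ipa from the Mobile Applications folder, together with your own email and account number as the known values to look for.

```python
import io
import re
import zipfile

# Constructed stand-in for an .ipa (a zip archive with a Payload/ folder). The plist
# holds an address and an account-number-looking value in the clear; both are
# sample values, not real data.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>userEmail</key><string>member@example.com</string>
  <key>accountNumber</key><string>0012345678</string>
  <key>rememberMe</key><true/>
</dict></plist>"""


def build_sample_ipa():
    """Assemble the constructed package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/BankApp.app/Info.plist", b'<plist version="1.0"><dict/></plist>')
        z.writestr("Payload/BankApp.app/Settings.plist", SAMPLE_PLIST)
        z.writestr("Payload/BankApp.app/icon.png", b"\x89PNG\r\n\x1a\n" + bytes(32))
    return buf.getvalue()


# Generic patterns worth flagging in any member of the archive. Binary members can
# produce false positives; hits are leads to confirm by hand, not verdicts.
PATTERNS = {
    "email address": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "account-number-like digits": re.compile(rb"(?<![0-9])[0-9]{8,12}(?![0-9])"),
}


def scan_package(ipa_bytes, known_values=()):
    """Return {archive member: [(label, match), ...]} for every member holding a
    pattern hit or one of your own known values (your email, your account number)
    in the clear. An empty dict means nothing was found."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            hits = []
            for label, rx in PATTERNS.items():
                hits.extend((label, m.decode("ascii", "replace")) for m in rx.findall(data))
            for value in known_values:
                if value.encode("utf-8") in data:
                    hits.append(("known value stored in clear", value))
            if hits:
                findings[name] = hits
    return findings


if __name__ == "__main__":
    report = scan_package(build_sample_ipa(), known_values=("0012345678",))
    for member, hits in report.items():
        print(member)
        for label, match in hits:
            print(f"   {label}: {match}")
```

A clean result on the .ipa says nothing about the device itself: the post's account number survived uninstall and restore, so the same known-value search belongs on a device backup as well, which is exactly where requirement 2 says credentials should never be.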

To borrow a phrase my local InfoSec pro over at The Denim Group uses... 'SmartPhone, Dumb Apps'. Dan couldn't have been more on target with that phrase, and lucky him, he has the domain name too... 'Dot Com'.

We want our SmartPhones to be smart, but developers and/or the companies outsourcing development of these applications need to understand some basic secure smartphone application development requirements and good smartphone secure development.

1. Give me a choice to remember the key account or login information. For a bank or credit union it is the account number; for the IRS it is your SSN. (Really, IRS, you want me to save my SSN on my smart... err, dumb phone? Really? No, REALLY??) If my login is generic like my email, that might be fine, but really... ask the user what they want to do. And if I have to tell you this also applies to the password, your developers should be fired, quite frankly.

2. When developing an application, do not back up the credentials as a part of the application payload. When developers do this our credentials are now in two places, and as a security dude, the fewer places the credentials are stored the better. Not backing up credentials also takes away the need to back them up in a secure way, where many are stored in the clear or in a potentially insecure way. Storing a backup of smartphone credentials makes it easy for a compromised PC or Mac to give up smartphone credentials, which most of the time are the same credentials you use on your PC or Mac.

3. If an application is uninstalled or deleted, for crying out loud delete the credentials... all of them... If you don't back them up, then deleting the app from your phone should be all a user needs to do, as many of us don't sync all that often. There is just no reason to store the credentials for any application that is not regularly accessed. Apps like LastPass, Keeper, Password Safe, etc. are where we should be keeping login credentials to critical items like our Internet presence logins and passwords.

4. Users need help from themselves. Yes, I know you want to make the app easy to use for the user of the device, but most of us can remember our login if it is not our email address... If you feel the need, then make a recommendation for the user to download a free password store like Keeper to store the unique username/account and password. Really, it is pretty easy and just a habit the user should learn and know for applications like financial, health and anything the user feels is something they really want to protect.

To be continued...

Dan's Smartphone dumb app Blog

#InfoSec #RBFCU #iPhone #App