
Tuesday, December 31, 2013

(humor) The NSA is coming to town

Year-end humor for everyone: 'The NSA is coming to town', a spoof of the Christmas classic.

NSA Christmas song video

Happy New Year everyone!!!!

2014 is year 5 for BSidesAustin, Mar 20-21

#InfoSec #HackerHurricane

Tuesday, November 19, 2013

Austin ISSA Malware Discovery training a HUGE success

Last Friday we held a Malware Discovery training "From Joe to Pro, how to discover malware in your environment" for the local Austin ISSA chapter.

For an all-day event it went by quickly from my perspective as the trainer, and the feedback was GREAT! We received so many great comments that we will be holding another training event on March 19th, just before BSides Austin 2014.

In addition, we have been asked to hold the training in Dallas on Jan 31st for our local NAISG, ISSA and InfraGard folks and other invited guests.

What made the training really cool was the lab infrastructure that was graciously sponsored by Rackspace! These bad boys made the training smooth and the exercises fast! How fast, you ask? Well, while developing the labs we were using an Amazon AWS Windows 2008 R2 server, and the Hash_Master scans took roughly 21 mins on the AWS server. On the sponsored Rackspace servers it took.. wait for it....... 5 mins! Yup, five whole mins to scan the entire disk. Since we had to do this 3 times, it was an impressive improvement.

Here is the screenshot of our configuration from the Virginia region.

So cloud providers are not created equal and Rackspace has my appreciation for their performance, ease of use and all around awesomeness!

So if you are in Dallas Jan 31st, sign up for the training and come see how to discover malware like a Pro!

For more information, visit our Training page at:

Malware Discovery Training page

#InfoSec #HackerHurricane #malware

Friday, November 8, 2013

Like natives, InfoSec needs to become more hunters, less gatherers

Today we are faced with an ever increasing threat of advanced malware and the attacks associated with it. Compliance has created a gathering mentality in Information Security and it is no longer adequate to defend our tribe.

We must move more towards a hunter's mentality and seek out the bad stuff in order to protect our tribe. We must detect and respond to the threats and seek them out, because they are sneaky prey looking to take your goods while you gather data, stats, reports and check compliance reports for auditors.

Be an InfoSec Hunter and less a gatherer.

#InfoSec #HackerHurricane

Friday, November 1, 2013

(O) E&Y Poll states 96% of organizations are not prepared for a Cyber attack.. Hmmmm

This is an article I have to render an opinion on as it is a great example of 'What the heck have you been working on all these years?'

The Ernst & Young article may be found here discussed on Naked Security:

65% of larger corps stated 'Financial' as a reason they are unprepared for a large Cyber event, as did 71% of small Orgs under $10 million. So let me get this straight: you have staff, you have bought many tools and, most likely since this is an E&Y poll, you follow some sort of compliance framework.

In Wendy Nather's talk at LasCon in Austin she discussed the results of a poll in which she asked industry experts to pick the technologies they would choose if starting from scratch for a 1000 person company... What did the list look like? I shouted out "PCI", and the next slide said... PCI.

I was even bold enough to state that I didn't need all that technology to practice "real security," that myself and another qualified InfoSec pro could do it with a few tools, if exploited properly. Of course someone pointed out that I would never pass an audit, and he is correct. As a former State of Texas InfoSec resource I understand compliance all too well, and after years at HP dealing with SOX, PCI, HIPAA, ISO and others, I understand all too well how compliance is a time-sucking resource pig that does not achieve what we really need to secure our companies and nation.

So why are so many not prepared for a cyber attack?  In doing many presentations I ask the following question, "How many are confident their environment is malware free, or once you find malware that the system is malware free?"  How many hands do we get?  0-1 per Preso!

Why is InfoSec so broken, or lack confidence?  I blame compliance.  I have stated compliance does not equal security as too often it is achieved by an auditor saying "Check, you pass".   There is no real evaluation of how you are actually doing at security defense.  Many say get Penetration Testing regularly to test your defenses.  I say "Phooey" to that as well, it proves little that your defenses are good enough.

Most Pen Testers I know will find a way in or fool a person to 'Click on That'; just look at Trustwave's report on hacking a reporter who asked them to and knew they were coming! There is merit in Pen Testing, but I feel most people, say 96%, will fail the Pen Test. Why? Because of the way we currently think about Information Security: that compliance frameworks like implementing PCI will make you secure enough. But people, almost everyone, are getting popped, and they have some basic security framework in place.

"Real Security" is a dirty in the trenches kind of work.  HackerHuntress stated people didn't like Blue Team jobs because it is "hard" and I said "No it's not"...  We talked some and agreed in the end it is management and lack of trained staff that can do what I and others I know that are complete defenders can do.  Maybe we just don't know how, or lack confidence to defend all that is good.

We don't need to train the users and create and give more Employee Awareness as the E&Y article indicates.  We need to teach 'Real Security' to the in the trenches blue team defenders that are employed at many, if not most companies.  We need to teach them how to actually detect and respond to any size Cyber event and do so at the speed of business so that they may move on and you can get back to defending your network.  And the policy statement... Really?  Did E&Y not read that employees will disregard company policies where BYOD was involved?  We already know they surf non-business related sites on work systems because they can.  What makes anyone think policies will prevent anything?  They are guides on how to do things, or how a person will be reprimanded if caught.  Policies are regularly broken and the Internet has become an entitlement to most employees these days... Take it away and see what happens, I dare you!

This is why I do presentations on malware and logging, and why I challenge people at talks: to inject some thinking, to get people thinking, 'Is there another way?' Thawt Leadership, I think it's called ;-) I share what I know about logging and malware at local ISSA half-day and all-day events, and I do presentations at many Cons, all to educate and share the love and a new way of thinking.

Most people I talk with do not have the basic Windows auditing tweaked to actually record the events needed to detect a Cyber Attack of any kind. If they do, they have not refined their audit rules and are not alerting via email on real actionable events. They also do not monitor well known locations for malware or suspicious changes to a Windows system, nor send that to the logs. Example: how many of you have enabled the Advanced Auditing Security 'create files' property for one or more Windows directories (Windows, System32, Drivers, WBEM), so that a new file (not a file replaced by Windows Update, but a new file like malware) is recorded and sent to you via email by your logging solution? Implement and refine this feature alone and you are well underway to detecting a small to large Cyber Attack! Don't leave out actually enabling the Windows Audit Policy, as it (Yay Microsoft) is off by default, and record success of privileged items and others of course.

Logging is HUGE to being prepared for a Cyber event of any size.  It can detect behavior of a Malwarian or Bad Actor reaching beyond a compromised system.  It can also allow defenders to report on who did what, where and when, but not why unless you ask them.  If you also monitor key locations across your Windows systems for file additions or changes you can detect odd files, which if happening from one system to many is also suspicious and can be alerted via email if you have a solution that can do this like BigFix, Tanium or others.

We also have to give up on spending tonnage of $$$$ on protecting the endpoint.  It WILL get popped if you allow users to surf the InterWebbings without strict controls.  Bad sites serving up malware are all over and the majority are on legitimate websites.  No, FireEye will not prevent all this threat, what about Thumb Drives?  Or users on their company laptops surfing outside the company when not protected by your proxy solution like FireEye?  The endpoint WILL get popped and InfoSec really needs to move more towards Detect and Respond to this threat in their budgets and focus less on prevention to move forward.  Start thinking like hackers and be a detective, not a preventive InfoSec program as it will serve you well and prepare you for any size Cyber event.

So I leave you with this to consider...

1.  What is 'Real Security' to you?
2.  Do you have a robust logging solution in place?
3.  Do you alert to the items I stated above?
4.  Have you attended a local BSides event to interact with the people in the know?
5.  Do you believe you have the people that can learn these tricks and skillz?

Or do you just believe compliance will get us there?

Let me know your thawts at the next Con.

#InfoSec #Logging #Malware

Monday, July 8, 2013

(I) Cyber-Ark Threat survey says 51% of companies think they are currently compromised

Here is another report by a security tools company that has some interesting data. 'Cyber-Ark's Global Threat Landscape Survey - June 2013'.

51% of companies think they have or had an active compromise going on... Hmmm

Later in the report it states a rather high number of companies can detect 'attacks' in minutes or hours. An important distinction here is an attack is NOT a compromise. The question should have been "How long would it take you to detect a compromise?"

There is a significant difference between 'attack detection' and 'compromise detection'. Your goal should be minutes and hours to detect a compromise as detecting attacks is almost worthless with the sheer quantity of noise we all receive from the Internet. The recent Verizon DBIR and Trustwave reports clearly show an average of 210 days to detect a compromise and the notification of compromise usually comes from outside the company! In addition less than 5% of companies could detect a compromise in hours or days. These reports are believable, not sure Cyber-Ark asked the right questions.

Companies that create these reports need to ask the right questions to help those that participate get real actionable information. Not 'Wooo Hooo, I can detect an attack fast', when in fact they clearly cannot detect the more important compromise.

The fact that 51% indicated they are or have been compromised again points towards Detect and Respond as where your InfoSec efforts should focus, NOT prevention, as clearly prevention techniques like buying security tools are NOT enough.

Cyber-Ark Advanced Threat Survey


Thursday, June 6, 2013

(I) Calling for a "Malware Reporting Standard"

So what is a "Malware Reporting Standard"?  In short, a consistent way to report data and information about malware, usable by everyone, for use by any tool.  The bits of malware information that all of us Information Technology and Infosec professionals need to enter or import into our myriad of security solutions or scripts that we may use.

Why is this an issue? Have you ever read virus descriptions from Sophos, Securelist/Kaspersky, McAfee and others and tried to glean some data to enter into a security tool or search script? Have you read the Mandiant APT1 report with the IOCs (MD5s) listed in the Appendix document, the Kaspersky Red October report with the MD5s listed, or even the Kaspersky WinNTI report, which lacked any Indicators Of Compromise (IOC)?

So what do we need?  What we need is for all the vendors and malware researchers to provide and report data about malware in a concise format that makes it easy to identify and consume the valuable details littered throughout the above mentioned reports and virus descriptions.

For many security solutions, the following information is needed to create an analysis we use to detect any anomalies;

  • Filename
  • Path found
  • File extension
  • MD5/SHA1
  • Any Digital Signature info
  • Dates
  • Registry entries for Windows systems

A security professional does not necessarily need all the details to perform or set up an analysis. The path or location the file was found in and the extension of the file are fantastic information for setting up an analysis for anything odd. For example: look for anything in location \XYZ with the extension .ABC that was found in the last 24 hours, give me the SHA1 or MD5 of the file, and maybe compare it to the MD5 or SHA1 of the known bad IOCs (if necessary). This is a better method, as now automated scans can look for a few files and compare them to an IOC list (if necessary) versus checking every file on the system against the IOC MD5 list, which is growing daily and will soon, if not already, be out of control and unusable.

I am well aware that there is unique malware tracked by Anti-Virus companies (no alert triggered to the user) that is purposefully kept secret. Whatever the reason it is not surfaced to the end user (legal, law enforcement, or specific requests by customers not wanting any details of an identified malware released while investigations are ongoing), we do not get to see these details that can help protect us; we are denied! There is no reason AV companies cannot add certain minimum bits and still keep the details secret. AV companies can just add the following as a minimum to a monthly or quarterly report/list for the secret "Shhh, don't alert" malware items:

  • Location/path malware was found
  • File extension of the malware
  • Anything else in the Malware Reporting Standard

As a part of implementing a "Malware Management Framework" (which we recommend everyone start adopting), the review of malware reports, virus descriptions and any malware analysis details is a fundamental part of the "Malware Management Framework" process. Looking for the items mentioned above within the last 24 hours using a tool like IBM Endpoint Manager (formerly BigFix) or Tanium would allow you to detect even the "Shhh, don't alert" malware items as suspicious or unknown files and investigate them. If you used the "Malware Management Framework" approach, malware that dropped additional .OCX files in System32 would be obvious, as there are normally only 5 or 6 .OCX files in C:\Windows\System32, as was seen in Gauss. All you would need to do is set up your analysis tools and/or scripts to look for this condition in the last 24 hours and alert you, for example.
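As an added example (not the blog's Hash_Master or its BigFix/Tanium analyses), here is the "last 24 hours" sweep described above in Python: it looks only at watched locations and extensions, hashes just those recent files, compares them to an IOC list, and checks the .OCX count in a System32-like directory against a baseline. The watched extensions, the baseline of 6, the IOC hash and the sample file tree are all constructed for the example.

```python
"""Added example: a 'last 24 hours' malware sweep in the spirit of the
Malware Management Framework. Not the blog's own tooling; all paths,
hashes and the .ocx baseline below are constructed sample data."""
import hashlib
import os
import tempfile
import time

# Watched extensions (assumption; tune to your own analysis)
WATCH_EXTENSIONS = {".ocx", ".dll", ".exe", ".sys"}
WINDOW_SECONDS = 24 * 60 * 60

# Constructed IOC list: the MD5 of the sample content "dropper" used below
IOC_MD5 = {hashlib.md5(b"dropper").hexdigest()}


def recent_files(root, extensions, window=WINDOW_SECONDS, now=None):
    """Yield paths under root with a watched extension whose modification
    time falls inside the window (24 hours by default)."""
    now = time.time() if now is None else now
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            if now - os.path.getmtime(path) <= window:
                yield path


def hash_file(path):
    """Return (md5, sha1) of one file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, ioc_md5=IOC_MD5, now=None):
    """Hash only the recent, watched files and flag IOC matches.
    Returns a list of (path, md5, sha1, matched_ioc) tuples; every entry
    is worth a look, an IOC match just confirms it."""
    results = []
    for path in recent_files(root, WATCH_EXTENSIONS, now=now):
        md5, sha1 = hash_file(path)
        results.append((path, md5, sha1, md5 in ioc_md5))
    return results


def ocx_count_alert(system32_dir, baseline=6):
    """Gauss-style check: more .ocx files than the baseline is suspicious.
    Returns (count, alert)."""
    count = sum(1 for n in os.listdir(system32_dir) if n.lower().endswith(".ocx"))
    return count, count > baseline


def build_sample_tree():
    """Constructed sample tree: six old baseline .ocx files, one old .dll,
    one fresh .ocx matching the IOC and one fresh .txt that is ignored."""
    root = tempfile.mkdtemp(prefix="mmf_sample_")
    sys32 = os.path.join(root, "System32")
    os.makedirs(sys32)
    old = time.time() - 10 * WINDOW_SECONDS  # well outside the window
    for i in range(6):
        path = os.path.join(sys32, "base%d.ocx" % i)
        with open(path, "wb") as fh:
            fh.write(b"baseline")
        os.utime(path, (old, old))
    path = os.path.join(sys32, "legit.dll")
    with open(path, "wb") as fh:
        fh.write(b"legit")
    os.utime(path, (old, old))
    with open(os.path.join(sys32, "new.ocx"), "wb") as fh:
        fh.write(b"dropper")
    with open(os.path.join(sys32, "notes.txt"), "wb") as fh:
        fh.write(b"not watched")
    return root, sys32


if __name__ == "__main__":
    root, sys32 = build_sample_tree()
    for path, md5, sha1, hit in sweep(root):
        print(("IOC MATCH " if hit else "new file  ") + path, md5, sha1)
    print("ocx count, alert:", ocx_count_alert(sys32))
```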

Far too often, IOCs provided by many of the sources mentioned above only provide information based on what is fed into their respective tool(s): Mandiant's APT1 report with MD5 hashes to be fed into MIR, just like the JIB reports that Homeland Security/FBI/InfraGard provide. I can't use this data in my malware detection tools. Any and all malware researchers and vendors need to provide the industry more information! I don't feel it is necessary to scan every file on a system to match how many MD5s? It is not practical with 110 million pieces of new malware detected in 2012 and growing! This is no longer a practical approach. 60 million already by May 2013, more than all of 2011!

The "Collective Intelligent Framework" (CIF) project is a step in the right direction, but we need to take the feeds and schema used by CIF, OpenIOC and others and standardize it.  A researcher or AV company can collect all or even parts of the bits of malware, but it must report it in a standardized manner.  Also provide the data in two formats, not just the XML to be consumed or imported by a tool, but also in CSV format like CIF supports.  Maybe each vendor can provide the same info in readable reports like we see with AV descriptions as well for easy consumption.  For AV companies, please add the data in your descriptions that match the "Malware Reporting Standard" in a consistent and obvious way to make it easy for us to consume and use. 

Aren't we just letting the malefactors, ne'er-do-wellers and malwarians know where and what we are looking for? Absolutely! If we can squeeze them into a smaller and smaller target, we win, they lose. Malware authors will have to spend more time on their warez to avoid detection. This is a good thing if we can change their behavior and reduce hiding spots.

Something needs to change, something MUST change if we are to get ahead of malware and improve our investigation, detection and response capabilities.  Support the CIF schema as the start of a Malware Reporting Standard!

Read the CIF feed config and schema here:

We will support reporting any malware bits in the format discussed, so should you!

Monday, May 13, 2013

(F) Truly secure banking from the Onion at Chase Bank's expense

If only we could do this kind of banking. But actually you CAN! Boot a PC with a Linux distro of your choice. Every time you finish banking, rebooting will wipe out the session and anything you might have contracted. Use a USB thumb drive with a read-only switch to allow customization. A CD is best being read-only.

If you prefer Windows, then use Virtual Box and create a small Win7 VM to run Quicken, download your data or just do online banking. Be sure to store your Quicken files on a network drive so when you revert your VM snapshot you don't lose your Quicken data.

And of course use the longest most complex password your bank allows and change it yearly if not quarterly!

This is about as secure as you can get without doing any online banking.

The Onion on Chase online banking - FUNNY

#InfoSec #SecureOnlineBanking

Thursday, April 25, 2013

(F) Funny Ellen segment on password management

Clearly this is how NOT to manage passwords, but grandma and grandpa might have actually bought this solution from a late night Infomercial.

Thanks Ellen for the spoof!

Link to Ellen show clip on password management

Use LastPass! As I have stated before, the easiest way to manage passwords across all your computers and smart devices. Free Two-Factor Auth too!!!

LastPass website

#InfoSec #Ellen

Tuesday, April 23, 2013

(I) Time to dump AV as Endpoint Protection? Not yet

I read an article by Robert Lemos on Dark Reading and thought, 'He missed some points'. So I emailed him and shared, now I'm sharing here too.

I think many things about Anti-Virus or Anti-Malware solutions, mostly that they suck at detecting anything new or unique. Sophos states 70% of malware is unique to one company and 80% to ten or less. But they are good for the 20% of malware that is not unique like BlackHole and other wide spread malware. AV is also good for the older lingering pestware, cracks, keygens and other undesirable known applications.

So is AV dead as Endpoint Protection? Not by a long shot. I would recommend to anyone asking me, don't go spending a ton of $$$ on an AV solution, or replace one vendor with another, maybe consider a free version, or cheaper solution. Unless of course you are already using a product like McAfee EPO where you have multiple solutions integrated into one console like database, data loss prevention, encryption, etc. But I sure wouldn't spend much to maintain AV.

If you really want to maximize the security bang for your buck, consider detection solutions like BigFix or Tanium that can do analysis that you craft to look for new files in WBEM for example where malware likes to inject. Or tweak Tripwire to send email alerts on changes to the WBEM directory. You will need agents deployed on every client you want to manage, but this is no different from AV.

What about Log Management? I mean real log management with alerting on nefarious behavior like 'net use', 'cscript', PsExec, RDP, successful logins, etc., and emailing your admins when their accounts are used successfully, so logging is actually useful. Don't forget to enable the proper logging on your Windows systems (advanced logging) and proper logs and auditing on Unix systems. Yes, you will need storage, but the data you can alert on with a log management solution or SIEM solution is going to do more with your security budget than AV $$$$.
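The alerting described here, and the "create files" auditing of Windows, System32, Drivers and WBEM from the November 1st post, as one added example (not the blog's own tooling): a small rule pass over Windows Security events that flags new files dropped into watched directories (event 4663 object-access audits), suspicious commands (event 4688), and RDP or admin logons (event 4624). The events are constructed sample records in a simplified 'key=value | key=value' form, not real Event Log exports; the watched paths, admin account names and servicing-process allowlist are assumptions to tune for your environment.

```python
"""Added example: alert rules over constructed Windows Security events.
Requires the Windows Audit Policy (File System, Process Creation, Logon)
and a 'Create files' SACL on the watched directories to be enabled first,
otherwise the events never exist. Record format and lists are assumptions."""

# Watched directories and extensions for new-file alerts (assumed lists)
WATCHED_DIRS = (r"c:\windows\system32\wbem", r"c:\windows\system32\drivers",
                r"c:\windows\system32", r"c:\windows")
WATCHED_EXT = (".dll", ".exe", ".sys", ".ocx")
# Processes that legitimately replace files there (Windows Update servicing)
SERVICING_ALLOWLIST = ("trustedinstaller.exe", "tiworker.exe")
SUSPICIOUS_CMDS = ("net use", "cscript", "psexec")
ADMIN_ACCOUNTS = {"admin.jdoe", "administrator"}
WRITE_DATA = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit in the 4663 AccessMask

# Constructed sample events (simplified form, not real Event Log output)
SAMPLE_EVENTS = [
    "EventID=4663 | ObjectName=C:\\Windows\\System32\\wbem\\evil.dll | AccessMask=0x2"
    " | ProcessName=C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe | SubjectUserName=bob",
    "EventID=4663 | ObjectName=C:\\Windows\\System32\\kernel32.dll | AccessMask=0x2"
    " | ProcessName=C:\\Windows\\servicing\\TrustedInstaller.exe | SubjectUserName=SYSTEM",
    "EventID=4663 | ObjectName=C:\\Windows\\System32\\kernel32.dll | AccessMask=0x80"
    " | ProcessName=C:\\Windows\\explorer.exe | SubjectUserName=bob",
    "EventID=4688 | NewProcessName=C:\\Windows\\System32\\cmd.exe"
    " | CommandLine=cmd /c net use \\\\fileserver\\c$ | SubjectUserName=bob",
    "EventID=4688 | NewProcessName=C:\\Windows\\System32\\notepad.exe"
    " | CommandLine=notepad.exe | SubjectUserName=bob",
    "EventID=4624 | TargetUserName=bob | LogonType=10 | IpAddress=10.0.0.5",
    "EventID=4624 | TargetUserName=admin.jdoe | LogonType=3 | IpAddress=10.0.0.9",
    "EventID=4624 | TargetUserName=alice | LogonType=2 | IpAddress=-",
]


def parse_event(line):
    """Turn 'k=v | k=v' into a dict; values keep their internal spaces."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def in_watched_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in WATCHED_DIRS) and p.endswith(WATCHED_EXT)


def rule_new_file(ev):
    """4663 with a write/add-file access on a watched path, not from servicing."""
    if ev.get("EventID") != "4663":
        return None
    if not int(ev.get("AccessMask", "0"), 16) & WRITE_DATA:
        return None  # read access only, not a create/write
    if not in_watched_dir(ev.get("ObjectName", "")):
        return None
    proc = ev.get("ProcessName", "").lower().rsplit("\\", 1)[-1]
    if proc in SERVICING_ALLOWLIST:
        return None  # Windows Update replacing a file, not a new drop
    return "new/modified file in watched dir: %s by %s (%s)" % (
        ev["ObjectName"], ev.get("SubjectUserName"), proc)


def rule_suspicious_command(ev):
    """4688 whose command line contains one of the watched tools."""
    if ev.get("EventID") != "4688":
        return None
    cmd = ev.get("CommandLine", "").lower()
    hits = [c for c in SUSPICIOUS_CMDS if c in cmd]
    if not hits:
        return None
    return "suspicious command %s by %s: %s" % (
        hits, ev.get("SubjectUserName"), ev.get("CommandLine"))


def rule_logon(ev):
    """4624: any RDP (type 10) logon, or any successful admin-account logon."""
    if ev.get("EventID") != "4624":
        return None
    user = ev.get("TargetUserName", "")
    if ev.get("LogonType") == "10":
        return "RDP logon by %s from %s" % (user, ev.get("IpAddress"))
    if user.lower() in ADMIN_ACCOUNTS:
        return "admin account %s logged on (type %s) from %s" % (
            user, ev.get("LogonType"), ev.get("IpAddress"))
    return None


RULES = (rule_new_file, rule_suspicious_command, rule_logon)


def run_rules(lines):
    """Return the alert strings in event order; wire this to your mailer/SIEM."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print("ALERT:", alert)
```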

Just read the Verizon DBIR and Trustwave reports and look at the 'Time to Detection after Compromise' figures... If you are not in the 'within an hour' region, you are doing it wrong. This is also referred to as Mean Time to Detection (MTTD). A dumb term, as the mean time should not be what is calculated: you are only as good as your maximum time to detection, and the mean is irrelevant.

Spend your security budget on detection items, as "Prevention is DEAD" (you read me right) as a reliable way to protect your ASSets. Just accept you will get p0wned and work towards a detect, respond and eradicate mentality as Time Based Security suggests. Refine and improve your detection so that you are in the minutes and hours column and laughing at how fast you caught and stopped the malefactors the next day.

And NEVER trust your default security tools installations, they will fail you! Test, test and test again using attack scenarios and a Pen Test if needed to prove they do what you expect and paid for. Implement a "Malware Management Framework" and you CAN get a leg up on the ne’er-do-wellers.

Robert Lemos Dark Reading article on Dumping AV


(I) Funny video blog on Log Management

Take a look at this video blog on log management... It sums it up.

Video Blog on Log Management

#InfoSec #LogManagement

Wednesday, April 10, 2013

(I) We are all doing it wrong, well you are according to the stats

At this year's BSides Austin, Ian and I discussed a new method for malware analysis and detection. In the presentation was a slide, drawn from the Verizon 2012 DBIR report and Trustwave's 2012 report, indicating that the industry is STOOPID slow at detecting a compromise, as the following images show.
Verizon 2012 DBIR report

Trustwave's 2013 Global Security Report

HP sent me an email with the following tag line.

I don't know where HP got 416 days, as Verizon and Trustwave both indicate around 200+ days. Nevertheless these numbers are proof InfoSec and the security vendors selling us defenses are failing us all. Or is it us using the tools?

In the presentation Ian and I showed red boxes around the two images above indicating that we can detect a compromise within hours or less, not weeks, months or longer. A 180 degree change from the report findings. Why? Because we tweak our security tools to do more. We do not rely on default installations of security tools and expect them to work. We heavily use the analysis feature of BigFix (Fracking AWESOME BTW) to watch areas on the systems that have been and are regularly used by malware. We also have a methodology known as the "Malware Analysis Framework" that we use to keep up and defend our networks, and analyze what we find.

For 2013 I give you the following challenge, and be honest about it too: where do you sit on the Verizon and Trustwave Detection of a Compromise timeline? Here is the challenge: do a 180 turnaround as we have done and place your organization in the minutes to hours detection and containment area that is currently at 0%-5% according to the two reports, or worse, HP's number of 416 days.

It can be done! If you need help, I guess we are available to do some simple consulting to help you figure it out, but you CAN do it !!!


Monday, April 1, 2013

National “Take Your Computer to Work” Day


Today marks the inaugural “Take Your Computer to Work Day”. First conceived by security researchers Michael Gough and Ian Robertson (the Thoughtful Hackers), this day has exploded in popularity and has now become a world-wide national phenomenon.

Says Mr. Robertson of its introduction, “We always hear stories of how much productivity people gain by using their own mobile phones and tablets at work – by some studies, as much as 110%. We thought, wow, that is so smart and has absolutely no downsides. The next logical extension of that is to offer all our workers to bring in any of their computers, so we did.”

“The results were absolutely astonishing”, said Mr. Gough. “We were seeing user productivity up at least 0.5 times with Commodore 64’s alone. Our database searches got faster with home-built white-box servers, and our janitorial staff was able to clean the restrooms twice as fast thanks to their TRS-80’s.”

The duo said that they had to share their results with others. “We really can’t take full credit for this. We’re just building on the success of others.”

What’s next up for this duo? “We seem to have a lot of malware recently, so we’re working to figure out what that’s all about.”


Thursday, March 28, 2013

(C) BSides Austin a HUGE success and spawns additional effort - Hackers in Uganda

Two years ago I hounded the director of CODE 2600 to let the BSides Texas events (DFW, Austin & San Antonio) show his movie at our awesome Cons. He agreed, and the rest is history as they say.

At the BSides DFW post Con reception I had a discussion with Jeremy on the efforts of Johnny Long and Hackers for Charity and thought it would make a good documentary. Our own HFC supporter and Austinite @Spridel11 (Justin Brown) was in attendance and I introduced the two and they talked.

A short 4 months later at BSides Austin's CODE 2600 movie showing, also the following day during the Con, Jeremy made the following announcement. Roughly stated:

'We are pleased to announce Zerchak Films and 'Hackers for Charity' have officially launched 'Hackers in Uganda' KickStarter to raise $15,000 to help fund a documentary of the impact and efforts of Hackers for Charity on the people and country of Uganda.'

I am proud to have been a part of this and look forward to seeing what comes out of this endeavor. We need films like CODE 2600 and 'Hackers in Uganda' in order for people to truly understand the Information Security and Hacker communities and the good we do.

Hackers are not bad, just curious, and we help people just like anyone else. We are the good of our community and help to find flaws in systems before the criminal element does, we are the good guys and gals of the Information Technology community.

So PLEASE support the Kickstarter "Hackers in Uganda" effort and let's make this movie and a difference. There is lots of good stuff you can get as a part of your donation, so take a look.

Hackers in Uganda website

Hackers for Charity website

CODE 2600 website

#InfoSec #HFC #HackersinUganda

Wednesday, March 27, 2013

(W) Amazon leaking data found by one Thoughtful Hacker in July 2012

Recent press by Rapid7 on Amazon S3 Buckets leaking data was first shared with me by my partner Ian. In June/July of last year he was working on a side project and shared some disturbing findings with me.

I wanted to share his findings, as Rapid7 missed something. Here are his comments to me.

"OK, here are some additional details that I didn't see touched upon. I've been keeping this one quiet within the community, but since Rapid7 broke it, might as well...

Back in June of last year I was working with an Amazon EC2 instance and something caught my eye. I made a mental note to come back and check it out. I did later and found a whopper.

In EC2 you can create additional S3 drives. When you go through that process, you can select a "public" image to use. Just by scrolling through the list, some of these looked like they shouldn't have been public. I later came back and started examining them manually. The first one I tried was pretty significant. Let's just say it was a company that has a fondness for a type of dog and the color red. 'Nuff said. There were tons of email addresses, SSH keys, and so forth all over this.

So I went to work writing a utility for scraping called so I could pull out and analyze more of this stuff and see what the common thread was. As you found, there is lots of stuff exposed on there that shouldn't be.

Now, here's where it gets really interesting.

I found that most, but NOT ALL, of the "public" drives were configured as "public". That is, there was a clear subset that were NOT marked as being public. And I found a really easy way of seeing this in the Amazon portal. Here's how it works. If you go to the S3 side of the house and go to the option where you can see all public images in a list, take a copy of that list. Now, go to where you would create a new drive and attach an image. Take a copy of that, and compare. Back in July through probably September, if you did this you would have a discrepancy -- you could attach to more drives that weren't yours than you could see on the public list. And, these were the most, let's say, juicy.

I let some folks know and made attempts to contact others. At some point, sometime around or after September, it seems those "extra" drives disappeared from view and things went back to normal.

Although clearly people still are leaking data. But I suspect, but have no hard proof, that there was something else wrong in the cloud."

Ian and I got side-tracked with malware work, but planned to get back to it. Since Rapid7 released the info, it only seemed right to release this info.

Got leaky storage?
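As an added, defender-side example (not Ian's scraping utility, which the post does not publish), here is an audit of your own AWS account for the two exposures described above: EBS snapshots anyone can create a volume from, and S3 buckets readable by the AllUsers group. The boto3 calls named in the code are real; the clients are injected so the check runs against the constructed fake responses below without credentials, and the snapshot IDs and bucket names are made up.

```python
"""Added example: find publicly exposed EBS snapshots and S3 buckets in
your own account. Not the blog's or Rapid7's code; the FakeEC2/FakeS3
responses are constructed samples shaped like boto3's return values."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def public_snapshots(ec2):
    """Snapshot IDs owned by this account whose createVolumePermission
    includes the 'all' group, i.e. anyone can attach a copy as a volume.
    For large accounts use ec2.get_paginator('describe_snapshots')."""
    exposed = []
    for snap in ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"]:
        attr = ec2.describe_snapshot_attribute(
            SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
        if any(p.get("Group") == "all" for p in attr["CreateVolumePermissions"]):
            exposed.append(snap["SnapshotId"])
    return exposed


def public_buckets(s3):
    """(bucket, permission) pairs whose ACL grants anything to AllUsers."""
    exposed = []
    for bucket in s3.list_buckets()["Buckets"]:
        acl = s3.get_bucket_acl(Bucket=bucket["Name"])
        for grant in acl["Grants"]:
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
                exposed.append((bucket["Name"], grant["Permission"]))
                break
    return exposed


def audit(ec2, s3):
    """Run both checks; an empty result for each is what you want to see."""
    return {"snapshots": public_snapshots(ec2), "buckets": public_buckets(s3)}


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') with two sample snapshots."""

    def describe_snapshots(self, OwnerIds):
        return {"Snapshots": [{"SnapshotId": "snap-0a1b2c3d4e5f60001"},
                              {"SnapshotId": "snap-0a1b2c3d4e5f60002"}]}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        perms = {"snap-0a1b2c3d4e5f60001": [{"Group": "all"}],          # public
                 "snap-0a1b2c3d4e5f60002": [{"UserId": "123456789012"}]}  # one account
        return {"CreateVolumePermissions": perms[SnapshotId]}


class FakeS3:
    """Constructed stand-in for boto3.client('s3') with two sample buckets."""

    def list_buckets(self):
        return {"Buckets": [{"Name": "example-corp-backups"},
                            {"Name": "example-corp-www"}]}

    def get_bucket_acl(self, Bucket):
        grants = {
            "example-corp-backups": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc"},
                                      "Permission": "FULL_CONTROL"}],
            "example-corp-www": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                  "Permission": "READ"}],
        }
        return {"Grants": grants[Bucket]}


if __name__ == "__main__":
    # Against a real account: import boto3; audit(boto3.client("ec2"), boto3.client("s3"))
    print(audit(FakeEC2(), FakeS3()))
```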

Rapid 7 article on data leaking S3 buckets

#InfoSec #Amazon

Tuesday, February 5, 2013

(I) Safer Internet Day? Who knew

Ever wonder what to tell your kids about Internet safety? Do you know yourself? I would say the BEST thing you can teach them, and yourself, is to use a Password Manager, since passwords SUCK in general and even more so for children. Unique passwords per website is KEY! So let's start them off with a high bar and start with Password Management with apps like LastPass or Password Safe with a YubiKey, because it works and is secure and easy.

Sophos article on 10 things Kids should know and do

#InfoSec #SaferInternetDay #Passwords

(I) Everyone should understand how Cyber crime works

This is a decent overview of how Cyber (drink) crime happens. You can apply this to anything the nefarious ne'er-do-wellers want to steal.

How to Rob a Bank - Cyber style

#InfoSec #CyberCrime

Enough said!

#InfoSec #ClickOnCrap

Friday, January 25, 2013

(W) Browser Plug-Ins act as Malware launchers

Ever wonder about plug-ins that are forced on you, I mean included in the install of Java, Adobe or many other applications that annoy us asking "Do you want this toolbar which has NOTHING to do with the application you're installing, possibly installed without you knowing it cuz i'm sneaky?"

This particular Adware/Malware uses the Ask, Bing, Weather and other browser plug-ins to launch additional files to do nefarious things. These seemingly helpful utilities actually add risk by allowing an easy exploit entry point: a modified, crafted support .DLL that points to additional malware files, infecting your system, adding a backdoor or worse.

Similar to DLL injection, just dropping additional files could totally P0wn your system. Just avoid miscellaneous plug-ins you don't need and refuse them when installing ANY software offering an unrelated plug-in and PLEASE tell the vendors "I won't use your damn product (cough cough Java, Adobe) if you continue to do this". I've had enough and NOT going to take it anymore!!!!

SecureList Evaluation of AdWare/Malware Win32.Gamevance.hfti

#InfoSec #BadPlugIns

Thursday, January 24, 2013

(I) Hackin9 Magazines launches FREE Monthly Online Mag

Proud sponsor of BSidesAustin, Hackin9 Magazine announced today that it is offering a FREE monthly InfoSec online magazine.

Check it out and sign up!

Sign up for the Magazine

Hackin9 website

#InfoSec #Hackin9

Tuesday, January 22, 2013

(I) Feb 1st - Change your password day - Gizmodo (snicker)

Hmmm a 'National Change your Password Day', would that really work?

First off, it's not your password that's bad, it's what you do with it, it's YOUR BEHAVIOR!!!!

If you have a crappy password aka short < 8 characters and use it everywhere, then changing it won't do you any good, it will still be a crappy password.

Now a 'National Manage your Credentials Day' makes more sense. Really, October is Cyber Security Awareness month, but let's go with it... If you resolved to improve your credential management, meaning the whole process of managing your usernames, passwords, accounts, the sites you use, etc., then that would make sense.

We need to actually start managing our credentials before changing a password will really make a difference. How many of us in IT or InfoSec have a SmartPhone and use 2-factor Auth like the Google Authenticator app or a YubiKey? It's low I'm sure ;-(

Start by using a Password vault like LastPass or Password Safe (with YubiKey or Google Auth), capture all the sites and credentials you use and start managing them. Then if some site you use gets popped (and it will) you can change your password quickly to a good long random password and be safer than you are now.
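What "managing your credentials" looks like in practice, as an added example that is not from the blog or from any of the vaults named above: a small inventory check over a constructed credential list that flags reused and short (< 8 character) passwords, shows which sites must be rotated when one of them gets popped, and generates a long random replacement the way a vault's generator does. The site names and passwords are made up for the demonstration.

```python
"""Credential-inventory check and replacement-password generation.
Added example; the vault entries below are constructed, not real."""
import math
import secrets
import string
from collections import defaultdict

# Constructed sample inventory, in the spirit of what a password vault holds.
SAMPLE_VAULT = [
    {"site": "mail.example.com", "user": "alice", "password": "Summer2012"},
    {"site": "bank.example.com", "user": "alice", "password": "Summer2012"},
    {"site": "forum.example.org", "user": "alice77", "password": "alice"},
    {"site": "shop.example.net", "user": "alice", "password": "xK9#vQ2!pL7mZ4wR"},
]

MIN_LENGTH = 8  # the post's "short < 8 characters" threshold
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def find_reused_passwords(vault):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_short_passwords(vault, min_length=MIN_LENGTH):
    """Return the sites whose password is shorter than min_length."""
    return [e["site"] for e in vault if len(e["password"]) < min_length]


def sites_to_rotate_after_breach(vault, breached_site):
    """If breached_site is popped, every site sharing its password must be
    changed as well: this is the blast radius of a reused password."""
    breached = {e["password"] for e in vault if e["site"] == breached_site}
    return sorted(e["site"] for e in vault if e["password"] in breached)


def generate_password(length=20):
    """Long random password drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    print("too short:", find_short_passwords(SAMPLE_VAULT))
    print("rotate if mail.example.com is popped:",
          sites_to_rotate_after_breach(SAMPLE_VAULT, "mail.example.com"))
    print("replacement:", generate_password(), "(%.0f bits)" % entropy_bits(20))
```

A real vault export would replace SAMPLE_VAULT; the checks themselves do not change. The entropy figure is only valid when the password is generated uniformly at random, which is exactly why the vault's generator, not a human, should pick it.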

I guess Gizmodo didn't learn from being popped themselves.

Gizmodo article

#InfoSec #Passwords

Monday, January 21, 2013

(I) So what do we do about Java?

With the latest Java scare, and yet another vulnerability announced right after Java 7 release 11, what do we do about Java?


No really - NOTHING!!!!

The Feds say remove it, articles say the Feds say to remove it... So when did a vulnerability in software require us to stop using it? We would have stopped using Windows years ago, but we can't. You can uninstall the runtime Java on your system (if you can), but it is built into browsers and the Internet.

Could you really remove Java? Have you ever visited a city, county, state, federal or local government website? Java is everywhere, can you really remove it? Apple solved it by flipping a switch that disables it across all Apple Macs.. How cool is that!?

Seriously though, the only thing that you need to do is CHANGE YOUR BEHAVIOR!

Oracle in release 10 allows you to disable Java directly in your browser. But I don't do this... In many a post I have recommended NotScript for Chrome and NoScript for FireFox. If you stop using IE and start using Chrome and FireFox with the add-ons to block Java and JavaScript (which has nothing to do with Java, FYI) except when you know you need it and trust (in theory) the site, then you really do not need to do a darned thing other than change your behavior.

These Java exploits aren't going away and will come in email attachments and drive-by surfing. If you block ads with AdBlock+, use Web of Trust (WOT) when you search the InterWebbings to avoid known bad sites, and run NoScript and NotScript, then you don't have to do anything except pay attention.

If you are an enterprise admin, then deploy the add-ons and train your users and of course 'Don't Click on That!'


Tuesday, January 1, 2013

(I) 2012 in review - Cybercrime and Malware

Another year has passed us by and we saw more Cybercrime and the discovery of malware that went undetected for years... WTF?

What did 2012 teach us? (More importantly will we and management learn from it?). Will history of 2012 repeat itself? You betcha!

Cybercrime is here to stay, passwords suck and advanced malware can't be detected by any Anti-Malware, I mean any and all.. For YEARS!!!

We need a new way to detect malware once it strikes so that we may respond to the threat. Stopping our reliance on Anti-Malware would be a start; it's just one of many security tools you have to reduce risk. Stop thinking you can prevent malware, you can't! Convert your mentality and processes to look for malware regularly, with new tools, like the Sniper Forensics Toolkit.

I read a recent SC Magazine article on how malware has made it to POS systems. Duh! They're Windows based with a browser, what do you think would happen? Give employees a browser to the Internet and they will infect your systems in no time flat.

SC Magazine article on Malware on POS systems

So I set out to find a Windows based POS system with a browser... It didn't take me but my first restaurant to find one. Seriously, it was open to employees to surf the web on the system that takes our credit cards and our orders. Why oh why would you do this, POS company? And yes, I played with it... Just needed a little Social Engineering.

Windows based POS has a new meaning... Piece Of Sh!t

I am sure the Sniper Forensics Toolkit would work GREAT for these types of turn-key Windows based POS systems since we should have a gold image (the vendor) that we can baseline to run a scan against and then compare it to systems in the field, easy.

Have a speciality type of system you want to know for certain is malware free? Let me know.

2012 showed us malware is a significant concern since it can go years undetected if a little thought and engineering goes behind it. Isn't that ANY and ALL Cybercrime and advanced malware that I talk about and Brian Krebs blogs about? Yes it is and it IS far more common than you ever thought!!!

Good Luck in 2013!!!

V3 article on the year of security

The Sniper Forensics Toolkit

#InfoSec #malware #sniperforensicstoolkit

(W) Proof Anti-Malware is not enough - Flame, Duqu, Stuxnet

I have always said that if you rely on Anti-Virus/Anti-Malware as your sole defense against the nefarious ne'er-do-wellers of the InterWebbings you will get p0wned! Most home users may have AV, hopefully have their local operating system firewall enabled, and have a DSL/Cable router with firewall capabilities, but is that enough?

We have learned over the past year, from the analysis of the Flame, Duqu and Stuxnet malware, that they went undetected for so long by Anti-Malware software, Intrusion Protection Solutions and other security solutions because those all use signature based analysis.

The moral? We can only detect what we know about, and all these solutions are designed to monitor what we know, not what we don't know. This is why user behavior is so important when it comes to browsing the InterWebbings.
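The moral above (a signature only catches what we have already seen) and the gold-image baseline idea from the 2012 review post (and the modified support .DLL from the browser plug-in post) can be shown side by side. This is an added example, not the Sniper Forensics Toolkit's or Hash_Master's own code: it builds a constructed "gold image" and a constructed field POS system in temp directories, runs a hash-signature lookup and a baseline comparison over the field system, and shows that the signature database misses a never-seen variant and a tampered DLL while the baseline flags both.

```python
"""Gold-image baseline scan versus signature lookup.
Added example, not the Sniper Forensics Toolkit's or Hash_Master's code;
file names, contents and the 'known bad' hash below are constructed."""
import hashlib
import os
import tempfile

# A one-entry "signature database": the hash of a sample we have seen before
# (constructed). Anything we have never seen is invisible to it.
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropped payload, variant A").hexdigest()}


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every regular file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def compare_to_baseline(baseline, field):
    """Diff a field system's hashes against the gold image: anything added,
    changed or removed is a deviation to investigate, known-bad or not."""
    return {
        "added": sorted(p for p in field if p not in baseline),
        "modified": sorted(p for p in field if p in baseline and field[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in field),
    }


def signature_hits(field, known_bad):
    """What a hash-signature scanner reports: exact matches only."""
    return sorted(p for p, h in field.items() if h in known_bad)


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def build_sample_images():
    """Construct a gold image and a field POS system in temp directories.
    The field system has a tampered support DLL and a dropped file whose
    hash is NOT in the signature database (a never-seen 'variant B')."""
    gold = tempfile.mkdtemp(prefix="gold_")
    field = tempfile.mkdtemp(prefix="field_")
    image_files = {
        "Program Files/POS/pos.exe": b"POS application v1 (constructed)",
        "Program Files/POS/support.dll": b"vendor support dll (constructed)",
        "Windows/System32/msxml3.dll": b"msxml (constructed)",
    }
    for root in (gold, field):
        for rel, data in image_files.items():
            _write(root, rel, data)
    _write(field, "Program Files/POS/support.dll",
           b"vendor support dll (constructed) + loader stub")
    _write(field, "Users/Public/update.tmp", b"dropped payload, variant B")
    return gold, field


def scan_field_system(gold, field):
    """Run both approaches over the field system and return the findings."""
    baseline, current = hash_tree(gold), hash_tree(field)
    return {
        "signature_hits": signature_hits(current, KNOWN_BAD_HASHES),
        "baseline_deviations": compare_to_baseline(baseline, current),
    }


if __name__ == "__main__":
    gold_dir, field_dir = build_sample_images()
    report = scan_field_system(gold_dir, field_dir)
    print("signature scanner found:", report["signature_hits"])
    print("baseline comparison found:", report["baseline_deviations"])
```

On a real turn-key system the gold image comes from the vendor build and the field tree is the deployed box; the comparison is the same. The baseline approach produces investigation leads, not verdicts, so legitimate patches show up as "modified" too and must be reconciled against change records.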

Only YOU can prevent Forest Fires... I mean Malware, by your behavior. Use Extensions for Chrome and Plugins for FireFox to block unwanted scripting on sites you might just visit or 'drive by' as we say. Using Web of Trust (WOT) will give you an indication of links that may be bad in Google searches and on websites. NotScript and NoScript prevent auto loading of scripting and allow you to enable only the sites and content you actually need versus seeing all of it all the time. Using AdBlock blocks those often malware distributing ads.

Browsers are also getting better at blocking tracking, so utilize these features and avoid using Internet Explorer to browse, as it is a great browser to catch malware from. Proof is the latest MS XML 0-Day that is currently out for all versions of IE.

Build your environment to protect users from themselves and make a more secure browser with extensions or plugins required for all users and get used to having them and using them all the time!

Oh yeah... It goes without saying... DON'T CLICK ON THAT... Dot com

Safe browsing in 2013