Friday, January 25, 2013

(W) Browser Plug-Ins act as Malware launchers




Ever wonder about plug-ins that are forced on you, I mean included in the install of Java, Adobe or many other applications that annoy us asking "Do you want this toolbar which has NOTHING to do with the application you're installing, possibly installed without you knowing it cuz i'm sneaky?"

This particular Adware/Malware uses the Ask, Bing, Weather and other browser plug-ins to launch additional files to do nefarious things. These seemingly helpful utilities actually add risk by providing an easy exploit entry point: a modified, crafted support .DLL that points to additional malware files infecting your system, adding a backdoor or worse.

Similar to DLL injection, just dropping additional files could totally P0wn your system. Just avoid miscellaneous plug-ins you don't need, refuse them when installing ANY software offering an unrelated plug-in, and PLEASE tell the vendors "I won't use your damn product (cough cough Java, Adobe) if you continue to do this". I've had enough and I'm NOT going to take it anymore!!!!

SecureList Evaluation of AdWare/Malware Win32.Gamevance.hfti

#InfoSec #BadPlugIns

Thursday, January 24, 2013

(I) Hackin9 Magazine launches FREE Monthly Online Mag




Proud sponsors of BSidesAustin, Hackin9 Magazine announced today they are offering a FREE monthly InfoSec online magazine.

Check it out and sign up!

Sign up for the Magazine

Hackin9 website

#InfoSec #Hackin9

Tuesday, January 22, 2013

(I) Feb 1st - Change your password day - Gizmodo (snicker)




Hmmm a 'National Change your Password Day', would that really work?

First off, it's not your password that's bad, it's what you do with it, it's YOUR BEHAVIOR!!!!

If you have a crappy password aka short < 8 characters and use it everywhere, then changing it won't do you any good, it will still be a crappy password.

Now a 'National Manage your Credential Day' makes more sense. Really, October is Cyber Security Awareness month, but let's go with it... If you resolved to improve your credential management, meaning the whole process of managing your usernames, passwords, accounts, sites you use, etc., then that would make sense.

We need to actually start managing our credentials before we change a password to really make a difference. How many of us in IT or InfoSec have a SmartPhone and use 2-factor Auth like The Google Authenticator App or a YubiKey? It's low I'm sure ;-(

Start by using a Password vault like LastPass or Password Safe (with YubiKey or Google Auth), capture all the sites and credentials you use and start managing them. Then if some site you use gets popped (and it will) you can change your passwords quickly with a good long random password and be safer than you are now.

I guess Gizmodo didn't learn from being popped themselves.

Gizmodo article

#InfoSec #Passwords

Monday, January 21, 2013

(I) So what do we do about Java?







With the latest scare with Java, and yet another vulnerability announced right after Java 7 release 11, what do we do about Java?

Nothing!

No really - NOTHING!!!!

The Feds say remove it, articles say the Feds say to remove it... So when did a vulnerability in software require us to stop using it? We would have stopped using Windows years ago, but we can't. You can uninstall the runtime Java on your system (if you can), but it is built into browsers and the Internet.

Could you really remove Java? Have you ever visited a city, county, state, federal or local government website? Java is everywhere, can you really remove it? Apple solved it by flipping a switch that disables it across all Apple Macs.. How cool is that!?

Seriously though, the only thing that you need to do is CHANGE YOUR BEHAVIOR!

Oracle in release 10 allows you to disable Java directly in your browser. But I don't do this... In many a post I have recommended NotScript for Chrome and NoScript for FireFox. If you stop using IE and start using Chrome and FireFox with the add-ons to block Java and JavaScript (which has nothing to do with Java FYI) except when you know you need it and trust (in theory) the site, then you really do not need to do a darned thing other than change your behavior.

These Java exploits aren't going away and will come in email attachments and drive-by surfing. If you block ads with AdBlock+, use Web of Trust (WOT) when you search the InterWebbings to avoid known bad sites, and run NoScript and NotScript, then you don't have to do anything except pay attention.

If you are an enterprise admin, then deploy the add-ons and train your users and of course 'Don't Click on That!'

#InfoSec

Tuesday, January 1, 2013

(I) 2012 in review - Cybercrime and Malware




Another year has passed us by and we saw more Cybercrime and the discovery of malware that went undetected for years... WTF?

What did 2012 teach us? (More importantly will we and management learn from it?). Will history of 2012 repeat itself? You betcha!

Cybercrime is here to stay, passwords suck and advanced malware can't be detected by any Anti-Malware, I mean any and all.. For YEARS!!!

We need a new way to detect malware once it strikes so that we may respond to the threat. Not relying solely on Anti-Malware would be a start; it's just one of many security tools you have to reduce risk. Stop thinking you can prevent malware, you can't! Convert your mentality and processes to look for malware regularly, with new tools, like the Sniper Forensics Toolkit.

I read a recent SC Magazine article on how malware has made it to POS systems. Duh! They're Windows based with a browser, what do you think would happen? Give employees a browser to the Internet and they will infect your systems in no time flat.

SC Magazine article on Malware on POS systems

So I set out to find a Windows based POS system with a browser... It didn't take me but my first restaurant to find one. Seriously, it was open to employees to surf the web on the system that takes our credit cards and our orders, why oh why would you do this, POS company? And yes, I played with it... Just needed a little Social Engineering.

Windows based POS has a new meaning... Piece Of Sh!t

I am sure the Sniper Forensics Toolkit would work GREAT for these types of turn-key Windows based POS systems since we should have a gold image (the vendor) that we can baseline to run a scan against and then compare it to systems in the field, easy.

Have a speciality type of system you want to know for certain is malware free? Let me know.

2012 showed us malware is a significant concern since it can go years undetected if a little thought and engineering goes behind it. Isn't that ANY and ALL Cybercrime and advanced malware that I talk about and Brian Krebs blogs about? Yes it is and it IS far more common than you ever thought!!!

Good Luck in 2013!!!

V3 article on the year of security




The Sniper Forensics Toolkit

#InfoSec #malware #sniperforensicstoolkit

(W) Proof Anti-Malware is not enough - Flame, Duqu, Stuxnet




I have always said if you rely on Anti-Virus/Anti-Malware as your sole defense against the nefarious ne'er-do-wellers of the InterWebbings you will get p0wned! Most home users may have AV, hopefully their local operating system firewall is also enabled and they have a DSL/Cable router with firewall capabilities, but is that enough?

We have learned over the past year from the analysis of Flamer, Duqu and Stuxnet that this malware went undetected for so long by Anti-Malware software, Intrusion Protection Solutions and other security solutions because they all use signature based analysis.

The moral? We only can detect what we know about and all these solutions are designed to monitor what we know, not what we don't know. This is why user behavior is so important when it comes to browsing the InterWebbings.




Only YOU can prevent Forest Fires... I mean Malware, by your behavior. Use Extensions for Chrome and Plugins for FireFox to block unwanted scripting on sites you might just visit or 'drive by' as we say. Using Web of Trust (WOT) will give you an indication of links that may be bad on Google searches and websites. NotScript and NoScript prevent auto loading of scripting and allow you to enable only the sites and content you actually need versus seeing all of it all the time. Using AdBlock blocks those often malware-distributing ads.

Browsers are also becoming more aware of blocking tracking as well, so utilize these features and avoid using Internet Explorer to browse as this is a great browser to catch malware from. Proof is the latest MS XML 0-Day that is currently out for all versions of IE.

Build your environment to protect users from themselves and make a more secure browser with extensions or plugins required for all users and get used to having them and using them all the time!

Oh yeah... It goes without saying... DON'T CLICK ON THAT... Dot com

Safe browsing in 2013

#InfoSec

Monday, November 12, 2012

(I) Sophos wins VB100 award for best Anti-Malware contest - Yeah right



I saw this article today on how Sophos Anti-Virus won the "Virus-Bulletin 100 title by detecting 100% of the viruses in Virus Bulletin's "in-the-wild" collection and not having any false alarms."
After I stopped laughing, since it was for Windows Server 2003.... Yes, it is 2012, 8 years later; but that's not the funny part.
I was just up in Dallas describing how malware we had been collecting had a whopping 3% detection rate on VirusTotal and that the industry generally accepts Anti-Malware is roughly 60% effective.
Then I saw this from Symantec...

8,000,000 users CAN be and are wrong... Detecting 25% more of 60%, or even better 25% more of our 3%, which equates to.. Wait for it... 3.75%, is still pathetic.
The reality is Anti-Malware does nothing for the real malware that is being targeted towards users and enterprises. The nefarious ne'er-do-wellers craft real malware to evade AV and even know what AV you are running as a part of their payload delivery.
We need a new way to detect malware and we happen to have the tool!
The Sniper Forensics Toolkit
Check it out
Article from Naked Security
Sorry Chet ;-)
#InfoSec #SniperForensicsToolkit

Thursday, September 20, 2012

(W)(I) WTF Microsoft.. really? I mean SERIOUSLY????




I was sitting next to Rafal Los at ConSec 2012 and he showed me the official statement from Microsoft on their latest IE 0-Day.


Microsoft's recommendation? Make sure you keep your Anti-Virus updated.

Seriously?

With ANY flaw like this one that affects all IE versions, the ONLY prudent action to take is DO NOT USE THAT BROWSER UNTIL IT IS FIXED!!!!

The proper response from Microsoft should be "Microsoft is working diligently on the issue and will push out an update as soon as one is available, in the meantime use an alternative browser like FireFox, Chrome or Safari."

Get real Microsoft.. Anti-Virus/Anti-Malware does NOTHING for a flaw in your browser design.

Stoooopid

#InfoSec #Microsoft

Tuesday, July 24, 2012

(W)(I)(E) Why any and all Security Tools WILL fail you




If you are one of the people that believes that implementing one or more security tools will prevent or help protect you from being hacked, think again. First off, an apology to all my colleagues that work for vendors, many of whom I respect, trust and admire.

IPS, IDS, File Integrity, Anti-Malware, Patching solutions, Logging solutions, VPNs, Vulnerability scanners, Pen Testing tools, Code scanners, Mobile Device Management, the list is endless.

All of us in Information Security budget serious dollars to buy all the fancy gizmos, widgets and InfoSec gadgets we are about to see at BlackHat, DefCon and BSides in Las Vegas this week. Not to mention the budget we ask for head count.

So why do security tools fail us? Because we fail at implementing them to the full extent of the tool's ability, and because the new owner/user/admin lacks knowledge of the tool and what it can and CAN'T do. Some tools just can't do what we want.. it's reality.

Most importantly it is the failure of the vendor or person implementing the solution to understand how to apply the "real world of the organization" to the product and tweak it if you will to the unique things the owner will need it for.

Ask the vendors you are considering purchasing a solution from, or more importantly the person that will be implementing your next security solution this question. "What security incident did you implement this tool for and what tweaks did you have to make over the default implementation to detect, deter, monitor and alert on the incident so a similar incident would not go undetected"? I think you will be shocked by the response.

I worked for HP for many years and implemented many products, and yet I was also guilty of the "it's an engagement, installed, working, doing stuff... I'm done, bill the client, next" mentality of a vendor and consultant. Some engagements went on long enough that we did some real good; most I left wondering what would happen with the solution or effort we put forth, would it last or was it just to pass compliance at that moment? cough cough.. PCI.. cough.. SOX... cough....

What is lacking in every single security tool is critical thinking and practical real world application of the tool to a real world incident or event specific to YOUR environment.

The default installation of a File Integrity solution will NOT catch a piece of malware being placed on your systems in many directories. Why? Because many directories like Windows and its sub-directories are noisy and would generate alerts up the wazoo, making the tool noisy and worthless to many. You may find it in the forensics folder, but how does one review hundreds or thousands of forensic folders? How can you tell a patch from malware when they are named the same? Where would a hacker place their Malware anyway? Windows? System32? SysWOW64? ProgramData? Local? LocalLow? Temp? bin? etc?

Have you tweaked your IPS and the alerts to detect real SA, Admin, root failures that differ from the pattern of an Administrator or does your solution just log it as an event? What about your logging solution? If you do not have a logging solution today, you should! In fact it should be the #1 item in your budget !!! Send your syslogs, Event logs and YES, even workstation logs to a central log server. If you have a log solution have you created reports and alerts to known conditions that are bad? Do you know what is normal behavior of administrators so you even know what is suspicious activity? If you are not a log management fan.. talk to me and I will change your mind, or at least make you think seriously about the subject.

Everyone has Anti-Malware, does it work? Sure it goes off for stuff it knows about, but what does it do for REAL PITA (Pain In The Ass) Malware, not the annoying crap that your users catch surfing and opening emails, but the 0-Day, Duqu, Stuxnet, Flame type malware that there are NO signatures for? Does it even have a feature/option to detect nefarious activity by a ne'er-do-weller? What I would ask an Anti-Malware vendor would totally vary from your questions.. trust me.

This is where head count and budget come into play. Do you have people that have experienced, lived through or recovered from one or more of the REAL PITA events that all of the above would have missed in a default installed configuration? If not... seek out and hire one or more of us to tweak your security tools to do everything they are capable of, which product training and the vendor that installed it unfortunately do not know enough about, nor can they. I left consulting 4 years ago to get more personal ownership and live in the trenches... boy what a learning experience that has been, but I am better for it for sure.

It is these truly experienced folks that were/are on the front lines that have critical thinking skills you want and are after.. they are the only thing that will keep your security tools from failing you when the poop hits the fan. They are not taboo because they were involved with the major incident at XYZ Corp... they are seasoned at a real world incident. If a candidate can convey what they learned and how they could help you improve your security posture, you have struck pay dirt and maybe your security tools won't suck any longer...

Assuming management will budget for the head count and cares ;-)

Find me at BSidesLV or DefCon to discuss.

#InfoSec

Friday, June 29, 2012

(I) Skype Supernodes are dead...Long live thousands of Linux servers hosted by M$




Yup, Microsoft updated Skype in May to do away with the Supernodes concept which had hijacked many a computer to relay Skype info.

Even more interesting is Microsoft is using LINUX servers to be the Supernode servers. Hosted in their many data centers around the world, yes Linux, not Windows.... Have no fear, I am sure Microsoft will port the code to the next version of Windows Server.. Just guessing...

The importance of this change means all those people who had their computer hijacked by the Skype Supernode formula and thus suffered performance issues can now fix and avoid the issue by upgrading Skype to the latest version.

In addition, corporate users and administrators can relax a bit knowing Supernodes will stop consuming computer CPU when Skype is installed and a machine meets the Skype Supernode criteria, and will not freak out us InfoSec folks seeing all this traffic on a user's system.

arsTechnica article on the new Skype Supernodes

#InfoSec #Skype

Thursday, June 7, 2012

(I) How you can mitigate the LinkedIn and e-not-so-Harmony breaches -LastPass





Be aware that hackers create scripts to use compromised credentials to attempt logging in to other websites, it is easy to do... Presidential candidate Mitt Romney had his Email account hacked and the hackers tried the same credentials on his Dropbox account and lo and behold they were the same... 2 birds with one stone... Popped and pwned... And WHY password reuse is a bad, VERY bad idea! This occurred with the Gawker hack as well in late 2010.

Use the LastPass LinkedIn tool to see if your account is within the hacked credentials:

LastPass LinkedIn hacked account tool website

While checking my own LastPass vault for any threat due to the LinkedIn breach, I stumbled upon 2 bugs that I worked with LastPass to verify, one due to FireFox ver 13 (don't upgrade), the other with their Security Challenge; but I also found a way to use LastPass to check and remediate your credentials when a cloud provider is breached.

First off I am assuming like most users that you indeed use the same 'name@email.com' username and 'password' for multiple websites. It goes without saying you should never use the same password for multiple websites since most usernames these days are your email address, but many people do, so we will roll with it for this example.

I was curious in my own LastPass vault of 170+ logins if I had any username/password combos that matched my LinkedIn credentials or if any were in fact duplicates...

I recalled the LastPass Security Challenge I have blogged about before (found here)

LastPass Security Challenge website

And recalled it showed you sites that had the same password grouped by similar password and it nicely shows you the username for each within a grouping.

So how do you use this to check and remediate?

First: Install and use LastPass of course
Second: Run the LastPass Security Challenge by either selecting the "LastPass icon-Tool-Security Check" or by using this URL:

Third: Once the Challenge completes, scroll down to the 'Sites with similar passwords' area, and there will probably be several since you reuse passwords, and you will see all sites with the same password grouped together (the password is NOT visible unless you select 'Show').

Review the list(s) to see if a username (your email) from a site (LinkedIn, eHarmony, Zappos, Gawker, etc.) that was compromised matches other sites where you are using the same password. If you are... Visit the site, change your password (use the LastPass unique generator) and update your vault!

You can quickly go through all similar credentials and change them to hopefully something unique so you don't have this issue in the future when another service you use gets popped, and they will, bet on it!

* NOTE: LastPass ignores case and spaces in the challenge evaluation so some passwords may be grouped as similar when they could be very different. They do this since some sites convert to one case and strip spaces.
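As an added example (not LastPass's code), here is the check from the steps above done over a constructed vault export, grouping sites by password with the case-and-space normalization the note describes and then flagging every login that shares a password and username with a breached provider; the export format, site names and credentials are all assumptions.

```python
"""Find password reuse across a credential vault the way the Security Challenge
groups 'Sites with similar passwords', then flag each site that shares a password
with an account at a breached provider. Added example; not LastPass code.
"""
from collections import defaultdict

# Constructed vault export (site, username, password); not real credentials.
# Feed in your own exported entries locally; never paste real ones into shared code.
VAULT = [
    {"site": "linkedin.com",  "username": "name@email.com",  "password": "Summer 2012"},
    {"site": "dropbox.com",   "username": "name@email.com",  "password": "summer2012"},
    {"site": "bank.example",  "username": "name@email.com",  "password": "SUMMER2012"},
    {"site": "eharmony.com",  "username": "name@email.com",  "password": "c0ffee!Mug"},
    {"site": "shop.example",  "username": "other@email.com", "password": "c0ffee!Mug"},
    {"site": "forum.example", "username": "name@email.com",  "password": "xK9#vQ2mL7pW"},
]

# Providers whose credential databases were taken (the post names these).
BREACHED_SITES = {"linkedin.com", "eharmony.com", "zappos.com", "gawker.com"}


def normalize(password):
    """Mirror the Security Challenge rule: ignore case and spaces, since some
    sites lower-case passwords and strip spaces before storing them."""
    return "".join(password.split()).lower()


def group_similar(vault):
    """Group entries by normalized password, like 'Sites with similar passwords'.
    Only groups with more than one entry count as reuse."""
    groups = defaultdict(list)
    for entry in vault:
        groups[normalize(entry["password"])].append(entry)
    return {k: v for k, v in groups.items() if len(v) > 1}


def sites_to_remediate(vault, breached_sites):
    """Sorted site names that share a password AND username with an account at a
    breached provider: the logins a credential-reuse script would hit first.
    The breached site itself is included because that password must change too."""
    flagged = set()
    for entries in group_similar(vault).values():
        breached_users = {e["username"] for e in entries if e["site"] in breached_sites}
        for e in entries:
            if e["username"] in breached_users:
                flagged.add(e["site"])
    return sorted(flagged)


def exact_reuse_only(vault):
    """Sites whose stored passwords are byte-for-byte identical. Compared with
    group_similar() this shows the note's caveat: 'Summer 2012' and 'SUMMER2012'
    land in one similar group but are not exact duplicates."""
    groups = defaultdict(list)
    for entry in vault:
        groups[entry["password"]].append(entry["site"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for entries in group_similar(VAULT).values():
        print("similar group:", ", ".join(e["site"] for e in entries))
    print("change these now:", sites_to_remediate(VAULT, BREACHED_SITES))
    print("exact duplicates:", exact_reuse_only(VAULT))
```

Run it against your own export only on a machine you trust, and delete the export afterwards; the point is to get the list of sites to visit and regenerate, not to keep a plaintext copy around.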

Again, LastPass rocks ! And allows you to quickly remediate any username/password issues you might have after a breach of a Cloud provider you might use!

Want to know if an email address you use has a known password from one of the many breaches? Check it using the following website:

Pwned List website

Put in your email(s) and see if it shows up.. If so, you have a LOT of passwords that need changing.

#InfoSec #LastPass

Wednesday, June 6, 2012

(W) Chase banking users beware !!!



I recently received the following email and informed my Brother-In-Law NOT to take action as banks like Chase would NEVER send a generic email with links that are cryptic... Or would they?


I had my Bro-In-Law go into a local Chase Bank Branch and ask the manager about it and verify it. Turns out the Bank manager also had never seen such an email.
It was a notification from the Adeptra fraud prevention service used by Chase informing my Bro-In-Law that his Debit account (yup.. debit) was used to purchase computer equipment in Honduras of all places, and to approve the purchase or report it as fraud.

Really Chase and Adeptra, I mean REALLY ??? WTF !

He did call Chase after my warning and indeed it was fraud and thus a victim of Card Skimming as Brian Krebs writes so much about. His debit card number was skimmed somewhere and thusly used for nefarious charges by Honduran ne'er-do-wellers. He cancelled his card and got a refund very quickly. Remember Debit unlike Credit Cards are linked directly to your Checking account! If you get skimmed you might have an issue paying your mortgage and car payment before your case is resolved and you only have a few days to detect the fraud or the bank might not believe you.

Banks should NEVER send this type of email with links or telephone numbers. Rather they should tell you to call or visit your local branch (a number you should know) and ask to be transferred to the Fraud department, no email, no telephone, just URGENT - CONTACT US!!!

There are lawsuits over Wire Transfer Fraud where affected bank users felt their bank communication methods conditioned them to click on links in emails. This IS and always WILL BE a very BAD practice. Financial and Health organizations should never do this in emails.

Remember these Tips when using your Debit/ATM card.

1. When you use your Debit Card on a device that is outdoors, a portable ATM, or in a bad part of town... bad things can happen.
2. Be careful when you use your Debit Card and NEVER let it leave your sight when used, preferably never let it leave your hand.
3. If you need cash.. Go to a WalMart or Grocery store and buy a pack of gum and get Cash Back. These units are less likely (not impossible) to be modified with skimmers.
4. Contact your financial institution if you ever get an email with links to verify it is REAL.

Brian Krebs BLOG on Skimmers

#InfoSec #Fraud #Skimming

(I) Funny video on what people think about Computer Security




I laughed my pASSword off watching this. Describe Computer Security in one word...

Hilarious... maybe not so much after the LinkedIn breach.

YouTube video on describing Computer Security

#InfoSec

(W) Warning - LinkedIn Hacked ! Change your password NOW




Well, yet another large Cloud service provider has fallen and 6.5 million usernames and passwords have been popped as we say.

If you use the email address and password for your LinkedIn account for other websites... you may be in for some compromised accounts in the near future... Change all web logins you have that are the same email and password as LinkedIn immediately !!!

Graham Cluley from Naked Security gave a nice summary of how to change your LinkedIn password:

Naked Security Blog on Changing LinkedIn password

Why is this a problem ?

Most users of Internet Cloud Services reuse the same password for multiple websites, if not most or all websites. In late 2010 Gawker was popped and their user credential database taken. Providers like Facebook, Twitter, Hotmail, Yahoo, Google, LinkedIn and others locked/reset the accounts of their users that were found in the Gawker breached data, because they know, like we do in InfoSec, that people reuse passwords across the InterWebbings, and these providers did not want a massive user account compromise to deal with, so the accounts were locked and/or passwords reset.

Time will tell if the LinkedIn breach results in the same account lockout across the net, it should as those of us with LinkedIn accounts, CLEARLY use all the InterWebbings has to offer.

Want to protect yourself from this type of breach? Use a password manager solution like LastPass. Let LastPass remember your logins and use the Password Generator LastPass offers to create ridiculously good passwords. You now need only remember your master password to gain access to your vault and thus all your logins... and don't forget to add Google Authenticator or YubiKey for 2 factor authentication to further protect your vault from nefarious ne'er-do-wellers. Both solutions are FREE !

LastPass website

More on the LinkedIn breach HERE

More details about the LinkedIn hashes

#InfoSec #LinkedIn #Breach

Thursday, May 24, 2012

(W) House Key in your Smartphone Yikes !!!!







Ever wish your smartphone could open the door to your house? I just watched Shark Tank and this was one of the products. A lock for your home that has the technology (via Bluetooth) when in close proximity can unlock your door when you press a button on the door lock.

We all love gadgets and using your iPhone, Droid or Crackberry to open your house seems like a cool idea.... Or is it?

First question... How many of you have your home address in your phone for a contact card to be used with Bump for example on the iPhone?

Second question... If I steal your phone will you be worried I can unlock your house?

Know this first before you answer... By looking at the lock on your front door, I know you have this type of lock because it has two buttons to lock and unlock the door.

Afraid yet?

Smartphone, DumbApps, as Dan Cornell says in one of his many entertaining InfoSec presentations. This application must send a command sequence via Bluetooth to your door lock in a secure manner... What if the developers don't consider that us Security researchers know how to sniff BT traffic? What if they use just a pin or code to open the lock? Or send it in the clear versus encrypting it, as that adds $$$ to the lock, which needs a processor and battery to decrypt it all in the lock. What if they forget to do this?

Afraid yet?

I reviewed a solution similar to this years ago for a large customer service entity looking to add features to their service to break into the home market. The solution is now available by Schlage at Home Depot. What I found with the first gen of this solution was that each code sent to each home over the service, in this case the Internet, was the same code for each house, so I was able to turn on and off the lights that were in the pilot users home... They were not happy this could be done and killed the project... Let's hope Schlage corrected the issues I found...

Now would you use UniKey?

The potential of what could go wrong with this solution is scary, VERY scary!

The reason keyless entry for cars works is that the ring of keys doesn't carry the license plate and location of the car if you were to find or steal the keys. Your smartphone has your home address in most cases, so you know exactly what the key belongs to and where the key fits or works.

Knowing all I would need to gain entry into your home is to steal your phone, or reverse engineer the solution, as we did with the Key Card exploit, there is not much you could do. Worse.. People leave their phones in their cars often to run into a store, go to a movie, hospital and various other businesses or situations like the beach, volleyball, softball, etc. where we leave our phones in our cars so we don't lose them.

And what about kids? How many have lost their phones?

I will be contacting them to share my thoughts and warn the sharks about their investment risk...

Stay tuned.

UniKey website

#InfoSec

Thursday, May 3, 2012

BSidesAustin is over, but BSidesDFW coming Nov 2012




Well, BSidesAustin 2012 is over and it was GREAT! We had 2 days of talks, presentations, discussions and panels. Lots was learned and even a gr33nh0rn elevated to beginner by winning the CTF Badge challenge.

As we collect speaker preso's, pictures and video we will post them on the BSidesTexas website so watch for them.

It was a blast and we look forward to 2013! Watch for announcements in the next few months!!!!

BSidesTexas website

#InfoSec

Thursday, March 22, 2012

(I) 5 more things you probably aren't doing... OK now 11




I just read Roger Grimes' latest InfoWorld Security Advisor blog entry and couldn't agree more with the "5 big security mistakes you're probably making" article. Here are a few more, and I expand on his 5.

1. Security mistake No. 1: Assuming that patching is good enough
2. Security mistake No. 2: Failing to understand what apps are running
3. Security mistake No. 3: Overlooking the anomalies
4. Security mistake No. 4: Neglecting to ride herd on password policy
5. Security mistake No. 5: Failing to educate users about the latest threats

I like where he went with this thread, many organizations still miss the basics, like basic training in the military or practice in sports, the basics must still be done, done well and done well always!

To expand on Roger's post...

1. Patching - Do you really even know what is installed and needs patching ? Start with priorities, if it's Internet facing or a user has Internet access, make these apps a priority to patch. More importantly, make an approved list of software so you can track what you have so you know what to patch, assuming you get or follow alerts and notifications. Can you say 'Google Alerts'...

2. What Apps are running - In the old days we called this baselining. When you build a system, dump what users and applications, services, daemons are on the system so you can compare it to the baseline list when you troubleshoot. Also keep track of which services, apps and daemons need credentials and where these creds are stored so #4 can be maintained. If your system is already deployed, then start with that and identify all the components and get a build document created. Then you have a chance to do #1. Same priority applies, Internet facing systems first and systems with users that access the Internet, high risk, etc.

3. Anomalies - You may be lean and mean in staffing, and unless you have a good forensic team, re-imaging systems with anomalies might be your best bet. You WILL get compromised at some point, so how fast you can recover, re-image or revert a VM snapshot is key.

4. Passwords - If you don't know where all your user repositories are, you can't enforce policy. Local accounts, services, daemons, apps that attach to other systems, etc. Learn where you have accounts, document them in a matrix and make those passwords long and complex if rotation is not an option or the risk is low, monitor for misuse of these service type accts, and please disable login if all they need is to authenticate. And NEVER use the default accounts, as these make great nefarious activity detectors.

5. Regular and ongoing education or exposure to real threats that users face needs to be enforced and reminded, often. When you get a good phishing email, print and post it in a public area, rotate them quarterly and fill up a 2x3 Poster Board with real examples. Discuss using Browser plug-ins to help protect users from themselves. Remind them how Microsoft says being an Admin is bad by posting the studies everyone puts out these days. This is real world info to remind people the Internet IS a scary thing to use with protection. Don't forget to post Brian Krebs' research on ATM skimmers and Credit Card fraud with images of the units and screen shots... These are powerful educators.



Now for my $.02 worth...

6. If you couldn't guess, administrative access is my next one. Remove it and do everything you can to get your users into the Standard User model, with VMs to run admin tasks or do development, or issue separate systems on a test/lab/Dev network that does not allow email clients or open surfing.

7. Implement re-imaging of user systems on a malware alert or every 2 years. This will accomplish a couple of things. One, it will curb user behavior of visiting sites with malware; they know where they were when the AV triggered. Two, it reduces the applications that developers and users install at any given time that they 'think' they need (see #6). Reducing your installed application list reduces patching requirements and software inventory lists. And we all know re-imaging is the only real way to clean an infected system. Create a process for when to re-image user systems. It applies to servers too, but only ones that have VM snapshots; develop DR for the others too. Remember.. You WILL get Pwned at some point.

8. Don't install Java, Adobe, browsers or mail clients on servers; if you must, use plug-ins and only allow security minded admins to use the browser to update the system. NO open surfing on servers, there is no reason. Instead surf on a workstation, download what you need, expand the archive so AV can do its thing and copy it over to the server. Yeah I know.. "iiiiiiitssss haaarrrrrd"...

9. Apply the same internal processes to cloud apps and servers. Studies have shown that the processes we follow for internal firewalls, for example, are not applied to cloud firewalls or security policies, leaving cloud systems open to hacking or exploitation attempts. Lack of process, I feel, is the #1 Cloud risk.

10. Prepare for the BIG ONE, it will happen to you at some point, so how fast can you recover? Or will you be like Stratfor, Sony, Zappos, Gawker, Amazon and Azure and suffer untold reputational damage. Prepare to recover as a part of BCP and DR and yes... Incident Response...DR/BCP lives!

11. And last but not least.. ENCRYPT your user credentials, laptops, desktops and removable drives so you don't end up like the people mentioned in #10.
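Tip #4 above asks for a matrix of service accounts, monitoring for their misuse, no interactive login where only authentication is needed, and default accounts left unused so that any activity on them is a detection. The following is an added example, not code from the post: a small check run over constructed logon events (CSV fields, account names and hosts are all made up; the logon type numbers are the real Windows values).

```python
# Added example (not from the blog post): detection logic for tip #4.
# Flags interactive or unexpected logons by service accounts and ANY use of
# a default account. The event format and all account names are constructed.
import csv
import io

# Constructed account matrix: service account -> where it lives and which
# logon types it legitimately uses (documented at build time, per tip #2).
SERVICE_ACCOUNTS = {
    "svc_backup": {"system": "backup01", "allowed_logon_types": {3, 5}},
    "svc_sql":    {"system": "db01",     "allowed_logon_types": {5}},
}
# Built-in accounts the post says never to use; any activity is a detection.
DEFAULT_ACCOUNTS = {"administrator", "guest"}
# Windows logon types (real values): 2 interactive, 3 network, 5 service, 10 RDP.
INTERACTIVE = {2, 10}

# Constructed sample of 4624 (success) / 4625 (failure) style events.
EVENTS = """\
time,event_id,account,logon_type,host
2012-03-01T08:00:01,4624,svc_backup,5,backup01
2012-03-01T08:05:13,4624,svc_backup,10,backup01
2012-03-01T08:07:44,4625,svc_sql,3,db01
2012-03-01T08:09:02,4624,guest,2,ws-42
2012-03-01T08:10:30,4624,jdoe,2,ws-42
"""

def check_logons(csv_text):
    """Return a list of (time, account, reason) alerts for the events given."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct, ltype = row["account"].lower(), int(row["logon_type"])
        if acct in DEFAULT_ACCOUNTS:
            alerts.append((row["time"], acct, "default account used"))
        elif acct in SERVICE_ACCOUNTS:
            allowed = SERVICE_ACCOUNTS[acct]["allowed_logon_types"]
            if ltype in INTERACTIVE:      # login should be disabled for these
                alerts.append((row["time"], acct, "interactive logon by service account"))
            elif ltype not in allowed:    # not how this account is documented
                alerts.append((row["time"], acct, f"unexpected logon type {ltype}"))
            if row["event_id"] == "4625": # failed auth on a service account
                alerts.append((row["time"], acct, "failed logon for service account"))
    return alerts

if __name__ == "__main__":
    for when, acct, reason in check_logons(EVENTS):
        print(f"{when} {acct}: {reason}")
```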

Roger Grimes Blog Post

#InfoSec #RogerGrimes

(I) Aussie police in Brisbane to War Drive and tell you to secure your WiFi




Yeah... The cops down-unduh will achieve what InfoSec and Geeks have been unable to do.. Tell you to secure your Home or business WiFi..

Good luck with that.

Register article on OZ WiFi cops

#InfoSec #WiFi




Friday, March 2, 2012

(I) Feds crack Colorado woman's password avoiding 5th Amendment fight




The Feds managed to finally crack the pass-phrase of a Colorado woman's laptop that contained potential evidence of her and her husband's involvement in real estate fraud.

For now this puts to rest, delays really, the battle over whether a person can be forced to give up their password to encrypted data that can, may or will lead to self incrimination.

For now, your 5th Amendment rights are intact and your encrypted info safe. Along with this week's 11th District Appeals court ruling that a user does NOT have to provide their TrueCrypt password, this seems to indicate we own our passwords and pass-phrases.

It should be pointed out that the use of poor passwords and pass-phrases WILL lead to discovery given enough time. I guess Ramona should have used a MUCH stronger and longer pass-phrase!


The Register article

#InfoSec #5thAmendment #Encryption

Thursday, February 9, 2012

(C) BSides Austin 2012 - April 12th & 13th

Year 3 of BSides Austin will be taking place in downtown Austin April 12th & 13th at the Hideout Theatre, 617 Congress. It's looking to continue the Eclectic, Weird and Quirky Information Security Con we have come to enjoy... Complete with 'Hackers on a Duck' and 'U can't shut us down Fire Marshall Talks' on Thursday evening with the After Party on Friday night down the street.

 

A FUN and educational time for all InfoSec, Nerds, Developers and geeks of any kind.

Security BSides Austin Wiki page

 

#InfoSec #BSidesTexas #BSidesAustin #SecurityBSides

 

Tuesday, January 24, 2012

(W) Ahhhhhhhhhh ! Your 5th Amendment personal password rights just died




Many of us have been watching the Colorado Court Case where a woman used encryption to protect files on her laptop. She was arrested for bank fraud and as a part of the investigation she refused to give up her password that would produce more evidence of her guilt - thus self-incrimination and a violation of her 5th Amendment rights...

US District Judge Robert Blackburn ruled against the defendant.

She is appealing the ruling...

I hope she wins !!! The authorities should build a case without this data or obtain it from a witness or whistleblower, not by being ordered!

Article on CO Judge ruling




#InfoSec #Password #5thAmendment

(I) Expanding on people's passwords - InformationWeek article




Kevin Casey of InformationWeek magazine wrote a bit on "9 Password Security Policies For SMBs" and though the 9 are mostly OK, I would add the following to each of the 9 password items mentioned:

1. Password complexity - Should or must be set by GPO or via the OS, Application and Database where available to force policy compliance

2. Password reuse - Can you say LastPass... but really, you can't force users to use unique passwords for each website, but for LastPass users, the LastPass password challenge web page helps to educate the user on the impact. Now you just need to test everyone in your organization once they use it to convince them to change the passwords to be unique wherever possible.

LastPass User Security Challenge

3. Change Passwords regularly - 30 days? uhh.. if you force a long complex (meaning 12 characters or more, all 4 char sets aA1!) password via GPO, OS, App or DB level... rotation is not necessary.. 90 days is plenty internally and two (2) times per year for Internet accessible Apps (Expense Watch, SalesForce and Marketo do this now). Logging and monitoring Internet facing systems further mitigates this risk, as hopefully failed and successful login attempts are being recorded with some alerting.

4. Email accounts - If your email is not tied to AD or some forced policy... Use 2-Factor authentication like Google Authenticator for Cloud based Email

5. Restrict App settings - Anything Internet facing should or must have strict password policies enforced or p0wnage will occur. For Mobile devices in the enterprise, use Mobile Device Management to enforce policy on iDevices, Droid and BBerrys.

6. Password wallet - LastPass again - Yeah !! - You CAN have different passwords for each login.. a GREAT thing. Remembers the URL, username and password of your Web based Apps. You can share logins too and create secure notes. Also sync to mobile devices. The only wallet you will ever want or need. Don't forget to use 2-Factor authentication with the FREE Google Authenticator app on your smart device or a YubiKey. I use both !

7. Device Locking - Who doesn't use a ScreenSaver? On all PCs and laptops enable a 5 minute screensaver... OK.. 10 mins at most. Autolock on handhelds and smartphones to 5 mins... seriously! Use GPO or the OS and App settings and a Mobile Device Manager for your phones and smart devices like BoxTone.

8. Jailbreak or rooted devices - I agree, block them from corporate use, too bad for you... get a personal device if you want to do this, but it is not acceptable for corporate devices - period!

9. Exit Apps - It has been shown that Web/Browser based apps that don't time out can be tab nabbed or hit with XSS from the user surfing on other sites, and thus have their session and cookie info stolen... Short timeouts for Web based user interfaces are a good thing... annoying to login, but a good thing. Don't save username or password info on Mobile Apps... and time them out to 15 mins. A pain I know, but if all I have to guess is your password... bummer for you. Browsers will sandbox this in the future. Look at the way HootSuite terminates your session for an example. I blogged about this app's session timeout here:

Session TimeOut Post

Just some education and things to ponder as you develop and administer your enterprise, SMB or even home systems.

InfoWeek article

#InfoSec #KevinCasey