October, 2014

now browsing by month


Hacking Now Every American’s Worst Nightmare

Source: Jewish Business News & Statista

According to stats gathered by Statista, Hacking is now every American’s worst nightmare. Honestly, I’m a little shocked by this statistic, not because I don’t think hacking is way to prevalent in our world, but because I thought people/American’s cared about many other things, as opposed to hacking.

An important thing to remember, for companies out there, you have to do more than PCI compliance. There are vulnerability scans and penetration testing that you need to do, to ensure, or the more correct term would be to minimize risk.
Infographic: Hacking Has Become Every American's Worst Nightmare | Statista

You will find more statistics at Statista

RSS Feeds – Wow! I am old school

Not sure if all the new kids out these days are using RSS feeds, but I still am; and I love them.

Figured I would share out an opml of the rss feeds that I read regularly.

Here is my current opml file, I use in my RSS news reader (currently using RSSOwl and Liferea)

Average company now compromised every four days, with no end to the cybercrime wave in sight

Source: ZDNet

A scary new statistic out about why it is important to maintain security within your organization. Please contact us to help you ensure that your company isn’t being actively attacked, and to secure not only your exterior, but your internal systems as well.

Here is a short quote from the article:

In a rapidly shifting attack landscape against the backdrop of a hackers’ black market worth billions, if you wait to pentest — you lose.

Still, unless required by law, too many companies and organizations only do a penetration test when they have to.

Often, it’s because they need to comply with regulations or they’ve been told they need to prove they’re secure, in which case it’s a checklist security audit by the numbers.

Most unfortunately, too many only do a penetration test after they’ve been scorched: When hackers have successfully gotten in, executed a payload, and made off with valuable IP, records, customer PII, and cost the company more than it probably knows or can calculate.

Don’t worry about getting hacked. Worry about getting socially engineered.

Source: Washington Post

So, first and foremost; I think this article is a little bit deceptive. Yes, social engineering IS in fact, the #1 way companies get popped. However, certain technical, security, and education controls can be put in place to help mitigate the factors of social engineering. For instance, if I give a “bad guy” my username and password, that could be rendered nearly useless if I require 2-factor authentication, on some sort of keyfob, or device.

Read more at Washington Post:

We commonly refer to these incidents as “hacks,” as if someone commandeered the victim’s computer and pulled things from it without her knowledge. And in some cases, that is indeed what happened. But frequently, and surprisingly, the opposite is also true: Users freely give up their information, or their friends’ information, to total strangers. They just don’t realize those strangers mean harm until it’s far too late.

5 Killer Tricks to Get the Most Out of Wireshark

Source: HowToGeek

Here are 5 excellent tricks, to get more out of Wireshark, when you’re using it to examine traffic you see traversing your network. These are 5 excellent tips, but there are a lot of more we recommend. We have taken the course from Wireshark University, and highly recommend it to anyone.

Network Name Resolution

While capturing packets, you might be annoyed that Wireshark only displays IP addresses. You can convert the IP addresses to domain names yourself, but that isn’t too convenient.

Start Capturing Automatically

You can create a special shortcut using Wirshark’s command-line arguments if you want to start capturing packets without delay. You’ll need to know the number of the network interface you want to use, based on the order Wireshark displays the interfaces.

Capturing Traffic From Remote Computers

Wireshark captures traffic from your system’s local interfaces by default, but this isn’t always the location you want to capture from. For example, you may want to capture traffic from a router, server, or another computer in a different location on the network. This is where Wireshark’s remote capture feature comes in. This feature is only available on Windows at the moment — Wireshark’s official documentation recommends that Linux users use an SSH tunnel.

Wireshark in a Terminal (TShark)

If you don’t have a graphical interface on your system, you can use Wireshark from a terminal with the TShark command.

Creating Firewall ACL Rules

If you’re a network administrator in charge of a firewall and you’re using Wireshark to poke around, you may want to take action based on the traffic you see — perhaps to block some suspicious traffic. Wireshark’s Firewall ACL Rules tool generates the commands you’ll need to create firewall rules on your firewall.

Hacker Myths Debunked

Source: TripWire

Interesting article discussing the culture, and/or the lies about the stereo-typical “hacker”. I remember, reading a book in high school (can’t find the title now), that mentioned stuff about your average hacker, and how the stereotypes back in pre-2000 were that they are fat, and have cats, and attempted to disprove those stereotypes.

Quote from TripWire:

 Myth #1: Hackers Are Maladjusted Young People Who Live In Their Mothers’ Basements

We all know this one quite well. Some of the most dangerous hackers—the myth goes—wear black T-shirts, have long hair and are under 30 years of age.


Myth #2: Hacking Is A “Boys Only” Club

Hacking may be a predominantly male activity but that doesn’t mean that there aren’t female hackers out there.


Myth #3: All Hackers Are Masters of Their Craft

The way we paint hackers today elevates them to a level of unmatched technical prowess. Using this platform of expertise, they compromise any system they want with ease, regardless of whatever security protocols may be in place.


Myth #4: All Hacking Is Bad

The notion that all hackers intend to cause harm is one of the biggest hacking myths today.

The threat intelligence problem

Source: FierceITSecurity

There are a bunch more problems with threat intelligence, that aren’t discussed in this article. I also highly recommend watching the following video from DEF CON 22, Alex Pinto and Kyle Maxwell’s: Measuring the IQ of your Threat Intelligence feeds (paper here). This discusses the problem of the threat intelligence feeds, from multiple different companies, and the fact that they share very little commonalities with one another. So, in order to get a full scope of coverage from a threat intelligence network, one must subscribe to several feeds, that have a very high cost.

Quoted from FierceITSecurity:

Here are five problems with threat intelligence products (and this also serves as a great warning sign checklist for any other new technology products that are being sold to you at RSA as the ‘next big thing’):

1.    It offers malware analysis, even though the massively expensive undertaking helps nobody but the threat intelligence company, as it resells that information to other customers;
2.    You can replace “indications of compromise” in any supplied literature with “AV signatures” without any change in how the product really works;
3.    It is sold on a per-host basis–just like AV!;
4.    Your company gets the same anomaly model as every other company; and
5.    After installing a “lightweight” agent, the CISO gets no additional real situational awareness other than where an incident occurred. Ask yourself if you can quickly and easily tell your board that you know every executable that has been run across your enterprise today. If not, you’re not buying the situational awareness you need in the modern world. And if you are, you don’t need indicators of compromise to make your enterprise more secure–you just need to look at the data!

You can read more on this article at FierceITSecurity

SSL 3.0 – Poodle Attack

Source: OpenSSL

It may be time to retire SSL v3.0. Seems like a new bug has taken shape. More research will be going on shortly.

The POODLE Attack
To work with legacy servers, many TLS clients implement a downgrade dance: in a first
handshake attempt, offer the highest protocol version supported by the client; if this
handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper
protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say,
TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers.
So if an attacker that controls the network between the client and the server interferes with
any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.

Computer Scientist – Grace Hopper

I saw this post on Rear Admiral Grace Hopper on Wired, and thought I would share.

If you aren’t familiar with who Grace Hopper is, I suggest you follow the links above, that link to her Wikipedia page. She was a remarkable woman that was an extreme positive for women in computer science, let alone, all of computer science alone.

Heck, Hopper is one of the most important people in the history technology, period. Working with early computers like the Harvard Mark I and the UNIVAC, she eventually created the first compiler for turning human readable programming language code into something a machine can understand. She popularized the notion of the computer “bug.” And she helped spawn a language, Cobol, the would lay the groundwork for all other languages over the years—and is still used to today.

Dave Shackleford’s rant against Security Conferences – Rethinking the Security “Con”

Source:  DaveShackleford.com

Dave Shackleford, who is a very respected security consultant; who I personally respect a lot; recently had a “rant” against security conferences, that he posted on his website (see source above).

See the contents of the first couple of paragraphs of his post:

I realized a while back that I had lost the zeal to attend security conferences. I’ve been attending security conferences for a long damn time, as many of you have too. DEF CON, RSA, Shmoo, a whole $HIATLOAD of B-Sides, SANS of course, etc. Lots of smaller ones here and there, too (logistics have prevented me from getting to Derby yet, which makes me a little sad). The number of security conferences being held is off the chart. If you take a look at SECore, you’ll see just how many conferences are going on anywhere in the world at one point or another.

I think it’s gotten out of hand, honestly. Not because security cons are a bad thing, truth be told. Because we’re saying the same damn thing at all of them. The themes are the same, it’s a lot of the same people talking, the talks sometimes even say the exact same thing in different language. I can hear the criticism now. “Shack, that’s bullshit. We learn things at cons.” Mmmm hmmm. Sure you do. You hear what people say, you may find it fascinating, but very rarely will it make an impact on what you do day-to-day. Especially the heaping quantities of “Internet of Things” flaws and “sky is falling” talks about how doomed we all are when our thermostat becomes sentient, remotely takes over our cars, and we all die. Get a grip. It’s interesting, but we have major problems today, they’re a lot damn simpler than any of that “forward looking research”, and we’re still sucking ass at the basic stuff.

If you can’t lock down your desktops, what the hell are you doing listening to someone talk about malware reversing and shellcode? If you can’t detect a freaking port scan, let alone a DNS C2 channel, why are you waiting hours in line to hear a talk about hijacking car internals? I am a true believer in lifelong learning, so learning something just for the sake of learning is A-OK with me, I get it. But cons aren’t really helping us accomplish anything, unless they are straight-up training cons. And I don’t mean training your livers, since most cons involve staggering quantities of alcohol. . .


I agree almost completely with most of the statements Dave makes here; however, I have a couple comments/disagreements with a couple of the points he brings up.

I for instance, have a hard time connecting with people in the information security realm. While there are some great local security groups, they meet, maybe monthly, but often times, meetings get canceled. Also, like many others I have my family. Often times, I find it easier to go out of town, to attend a conference, where my wife can prepare the time with my son, and where she doesn’t always try and interfere with the time I spend with these people. For that instance, I almost think it is easier to travel out of town, rather than go to a meeting that is 1 hour away.

I would consider myself maybe 75% blue team, and 25% red team, type experience and work experience, etc. . . So, I don’t consider myself a 100% pen-tester; and most of my work experience I look back to my experience as a defender (ala Blue team). I find it an important detail to understand what both the attacker and defender are doing, and how to “fix” problems that may occur.

I also think that it is somewhat important to discuss where we are failing. If I discuss where I/my organization is failing, maybe others have been in a similar situation and have overcome that certain challenge. Not a complete waste of time, but maybe there is something that can help me. It is nice to understand the threat landscape, and see where organizations are getting hit, and how they are getting hit; and developing a way to overcome those challenges.

Anyways, check out more at Dave Shackleford’s blog.

More about Dave: