As noted before, like in this post, I am a huge fan of RSS feeds, but I also love instructional videos, demo videos, and other similar stuff.
I’ve been toying with the idea of doing video tutorials of attacking vulnerable distributions, like those found on VulnHub, and documenting the process that I go through. Maybe some other things, like various CTF challenges, as well. I’m trying to get an idea of how people would react to seeing such videos posted here or on YouTube.
If you have any opinions on this, please shoot me an email and let me know whether you think I should do some videos discussing vulnerabilities.
Interesting article stating that the OPM breach could have an impact for the next 40 years.
I’m just going to say, after some conversations I’ve had with some people over this past weekend, I think the breach could last a whole lot longer than 40 years. In fact, I would go so far as to say that the damage caused by the breach will never be repaired. Think of the long-lasting impact this will have on family members of those affected by the breach. If someone was able to pull up all the information on, say, your Grandpa, and was able to give you any and all information you could ever want to know about him, wouldn’t that affect your trust in that person, and wouldn’t you be slightly more likely to release other information to him, seeing that he already has a bunch of information? From an intelligence-gathering perspective, the amount of information contained in the SF-86 form is crazy; there is so much information in the SF-86 that it literally took me 3 days to fill out that form.
From the article at FedScoop:
The theft of background investigation data on millions of federal employees and contractors has created a massive threat to U.S. national security that will last for decades and cost billions of dollars to monitor, current and former intelligence officials said.
The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency’s background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.
But while the focus continues to be on OPM’s efforts to fix vulnerabilities in the system used to manage background investigation data, known as Electronic Questionnaires for Investigations Processing (e-QIP), as well as the 30-day cybersecurity sprint ordered by the Office of Management and Budget, intelligence experts say there is little the agency can do to reverse the damage that has already been done.
Source: Courier Press
As a follow-up to a previous article written earlier today.
Shocked to hear more details about the hack that occurred; OK, not really. As I suspected, the attack came in from a phishing campaign.
Source: Healthcare IT News
I don’t usually do this, but I’ll start off this post with a quote from Healthcare IT News:
Think healthcare is not a target for cyberattacks? Think again. Following a pattern of increasing attack frequency, one Indiana-based hospital is the newest target, after hackers swiped the personal data of thousands.
So, if you look past the sensationalism in this article, you know, the “Think healthcare is not a target for cyberattacks” portion, it really makes you wonder about the state of security in the healthcare industry. Why is the healthcare industry being struck again and again?
Having come from that field of work, I know the answer; in fact, I can 99% guarantee you that I know the cause of the recent hacking of St. Mary’s Medical Center. Not because I have insider knowledge of the incident that occurred, but because I know the industry, I know where the weaknesses are, and I know that nobody is doing anything to combat these problems.
I’m not a betting man, but I would be willing to take a wager that I know exactly what happened with this incident. Here we go:
Hackers/crackers/attackers probably got St. Mary’s Medical Center on their radar from another hacked hospital or healthcare organization, probably by scouring email from the attacked organization. I would wager that St. Mary’s did nothing to provoke the attack.
Once the attackers got St. Mary’s Medical Center’s domain name, and maybe a doctor’s or staff member’s name and email address, a little bit of simple recon occurred, scouring for more doctors’ and administrators’ names and email addresses. A little bit of scouting probably also occurred on the website, with the bad guys looking for VPN services, remote email, or something similar that they could log into with the proper credentials.
Once a decent list of names and emails was collected, that is when the phishing attempts began. Maybe a phishing email about how to reset your password, or a phishing email offering a raise for which you need to enter your email information. They don’t need many submissions; they only need a couple, and with those they can leverage more and more information.
Once they have working credentials for a user or two, the attacker is then able to leverage an attack into the infrastructure by sending out emails as a “trusted source”, requesting that users visit a page to dish up their credentials, which leads to an avalanche effect where they are able to gain more and more credentials.
The next revelation will be a little bit shocking to most, but the Personal Health Information (PHI) data that was stolen was most likely a “secondary” target of the breach. From my experience, I have seen that attackers are motivated by more substantial, quicker, and easier ways of getting money than selling PHI data. I believe the primary goal of the attackers was to see if they could access the doctors’ HR files and modify the doctors’ direct deposit information to a known bank account, where the attackers could take the money and run. PHI will provide some potential money for the attackers; however, the primary source could come from the doctors’ paychecks.
So, there you have it. That is my guess as to what occurred at St. Mary’s. We may see in the upcoming months what really happened, but that is my bet.
The only other option is that St. Mary’s could hire some big-name company to help them assess the damage, and they could flip it around to say it was a nation-state actor who was trying to get their hands on super-secret formularies for a new breakthrough cure-all drug that St. Mary’s, a 585-bed hospital, is producing; but in the end, we all know that would be a lie.
Like so many other people, I woke up yesterday morning to find myself reading another breach notification (see: here), only to find news about the Anthem hack.
This time, it was a letter from Anthem, notifying me that my health information may have been compromised. Also, in reading the letter, I saw that Mandiant and the FBI had been retained for the purpose of investigating the breach.
I usually come to the same conclusion every time I hear certain things together. When I hear about a breach affecting a HIPAA agency, I usually start thinking about a phishing/spear-phishing campaign that occurred, which usually results in someone giving up the details of their account/VPN, followed by the immediate breach and the scouring of their website for information and data.
The other thing I always think of, when Mandiant comes rushing to the scene, is the immediate blame on a state-run actor. Of course, China, whose population is 1.35B, is going to find the SSNs of impacted customers useful; oh wait, what value is there in the SSNs of people from a foreign land? Or better yet, the joke I make about the hack of CHS. Again, the problem I see is: what is the value of an SSN to a foreign country? Some claims went on to say they were after formularies associated with drugs and medicine, which several news agencies ran with. But consider this: hospitals don’t have the same sort of pharmaceutical horsepower that huge drug manufacturers have; I would go so far as to say that they aren’t even comparable.
So once again, I will ask, what value does an SSN have to a nation-state?
UPDATE: First posts about this being a state-sponsored attack are now emerging.
More details are being released regarding North Korea and the breach that occurred at Sony.
What is now being reported is that the NSA has had access to North Korea’s computers (read: hacked them) since 2010. Some are now reporting that the hack at Sony was in retaliation for the hacking that the NSA had done against North Korea.
I’m still very hesitant to call the Sony breach a hack perpetrated by North Korea, even with the additional evidence/details about the NSA being inside North Korea’s computers.
From the article:
As it turns out, the U.S. had some inside information. According to reports from Der Spiegel and The New York Times, the U.S. knew that North Korea hacked Sony because the U.S. had hacked North Korea.
The National Security Agency (NSA), in fact, has had access to North Korean networks and computers since 2010, the Times said. Officials wanted to keep tabs on the country’s nuclear program, its high-ranking officials, and any plans to attack South Korea, according to a document published by Der Spiegel.
North Korea did attack South Korea in 2013, crippling several of the nation’s leading financial and media organizations. At one point, however, the hackers revealed their IP addresses – the same IP addresses that popped up again in the Sony hack.
Another day, another company, and another breach.
The latest news is the supposed breach at Chick-Fil-A. I happen to know that the wife and I are frequent customers of Chick-Fil-A, partly for their pretty good food, but for their kids’ play area as well. We go to Chick-Fil-A probably several times a week (this is important, I promise).
We are heading into week two (at least) after a supposed breach which compromised customer credit cards. We are now looking at another breach where customers’ cards were compromised; the company will pay a minimal amount for each of the customers affected (if they can even reasonably determine the customers affected). Chick-Fil-A will be yet another company that gets off extremely light in this; their company won’t be impacted negatively (at least beyond a couple of weeks, or a quarter at the absolute most). Banks and consumers will be the ones left footing the bill for the cost of this breach. The big question I’m going to ask you (and myself): will this affect my family’s patronage of Chick-Fil-A? From my wife’s perspective, I can definitely tell you that it will have absolutely no consequences on her spending habits at Chick-Fil-A.
So, you may be asking yourself, what is your point...
My point is that Chick-Fil-A/Target/Home Depot and countless other companies are going to get their slap on the wrist, pay their minimal fines, and continue day-to-day business without any sort of consequences after losing all our credit card/payment information.
Until regulating bodies, and probably a combination of them, like PCI, banks, OCR (for HIPAA violations), the FTC, and other organizations, start holding companies responsible for the breaches that occur, they will keep occurring, and the consumer will be the one getting hit.
From the article:
Fast food restaurant chain Chick-Fil-A says it’s working with law enforcement, the payment industry, and security firms to determine whether reports of suspicious activity with payment cards used at some of its restaurants were due to a data breach.
“Chick-Fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants,” the company said in a statement. “We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so.”
Following up on the recent breach at Sony: this article states that 2014 was labelled “The Year of the Breach”. The other thing this article points out is that you don’t have to be a mega-corporation to get breached; you can be a small business, you can be a small start-up, it doesn’t matter. You can be targeted, and your company may or may not contain information that is valued by the attacker.
Security experts are now saying there are only two types of companies left in the U.S.: Those that have been hacked, and those that don’t yet know they’ve been hacked. And although cybersecurity is being forced to the forefront of national consciousness, we still are not seeing the urgency needed to make a difference.
There is no more time to wait on the issue of cybersecurity. Government agencies and corporations alike must become both educated and absolutely determined to stop cybercrime now. Neither can afford mediocre approaches to security and customers (whether citizens, in the case of government; or paying clients, in the case of corporations) must demand better. Organizations must have the right plans and the right technologies in place to deal with the threats we’ve seen do so much damage in 2014, and the threats we know are on the way in 2015.
It is important to keep your guard up, maintain safe systems, and keep your organization secure. Remember that 556 Forensics can assist you in keeping you and your organization safe.
First, I want to point out that I’m loving all the info that Krypt3ia is throwing out there.
There have been many battles brewing on the internet, IRC, and Twitter about what is going on and how the U.S. is attributing the Sony hack to North Korea. From everything I have read, it has been based on circumstantial evidence, primarily from the piece that says the U.S. has determined that this is directly linked to North Korea because a) the vulnerability was developed in the Korean language, and b) it uses the same malware that was attributed to 2 or 3 other breaches that were also from “North Korea”. I’m not necessarily doubting that the other attacks came from North Korea, but what I want to point out is that these attacks and vulnerabilities have ways of making themselves known to other people, other groups, and other countries; that doesn’t 100% tie attribution to North Korea.
From Krypt3ia’s blog:
Well here we are… It’s the beginning of the cyber wars my friends. POTUS came out on stage and said that we would have a “proportionate response” to the hacking of Sony and that in fact the US believes that it was in fact Kim Jong Un who was behind this whole thing. Yup, time to muster the cyber troops and attack their infrastructure!
Anyway, all credit goes to Krypt3ia for the analysis he has performed on this, and I definitely think you should check out his blog.
I agree that everyone jumping on the bandwagon saying that N. Korea is behind this hack is wrong. This is the way I feel about a fair number of security ramblings coming from Mandiant/FireEye, Norse, and the rest of the huge companies out there. I think some of their information can be wrong. I also agree with the statements made at Krypt3ia that we are now at “cyber-war” with North Korea. It feels like another Cold War race, with a lot more countries involved.
However, the really scary part is that foreign influences have now proved that they can hold the United States (and companies within the US) at bay with attacks on their computer infrastructure.
From the article:
Everyone seems to be eager to pin the blame for the Sony hack on North Korea. However, I think it’s unlikely. Here’s why:
1. The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in “Konglish”, i.e. it reads to me like an English speaker pretending to be bad at writing English.
2. The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden. This is one of the key things that has made communication with North Korean refugees difficult. I would find the presence of Chinese far more plausible. See here – http://www.nytimes.com/2006/08/30/world/asia/30iht-dialect.2644361.html?_r=0
This change in language is also most pronounced when it comes to special words, such as technical terms. That’s possibly because in South Korea, many of these terms are “borrowed” from other languages, including English. For example, the Korean word for “Helicopter” is: 헬리콥터 or hellikobteo. The North Koreans, on the other hand, use a literal translation of “vehicle that goes straight up after takeoff”. This is because such borrowed words are discouraged, if not outright forbidden, in North Korea – http://pinyin.info/news/2005/ban-loan-words-says-north-korea/
Let’s not forget also that it is *trivial* to change the language/locale of a computer before compiling code on it.