www.nextgov.com/cybersecurity/2015/11/secret-dhs-audit-could-prove-governmentwide-network-surveillance-isnt-really-governmentwide/124018/ By Aliya Sternstein Nextgov.com November 25, 2015 A secret federal audit substantiates a Senate committee’s concerns about underuse of a governmentwide cyberthreat surveillance tool, the panel’s chairman says. The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered both ridicule and praise following a hack of 21.5 million records on national security employees and their relatives. The scanning tool failed to block the attack, on an Office of Personnel network, because it can only detect malicious activity that people have seen before. At OPM, the attackers, believed to be well-resourced Chinese cyber sleuths, used malware that security researchers and U.S. spies had never witnessed. Still, EINSTEIN came in handy, according to U.S. officials, after the OPM malware was identified through other monitoring tools. The Department of Homeland Security loaded EINSTEIN with the “indicators” of the attack pattern so it could scan for matching footprints on other government networks. […]
http://www.wired.com/2015/08/ava-human-vulnerability-scanner-finds-your-weakest-security-link/ By Klint Finley Business Wired.com 08.11.15 TRICKING PEOPLE INTO bypassing security measures, revealing passwords, and disclosing confidential information is called “social engineering” in the computer security business. It’s a huge problem, and it’s one Laura Bell, founder of the New Zealand security consultancy SafeStack, was contemplating while home on maternity leave two years ago. Although many companies have mandatory security trainings, she realized there’s no real way of knowing whether such training is effective until it’s too late. What her clients really needed, she decided, was a way to identifying the employees most vulnerable to social engineering attacks. There wasn’t anything like that available at the time, so working in half-hour increments as her daughter slept, she created AVA, a free open-source tool for what Bell calls human vulnerability scanning. But not everyone is happy with the results. “Some people have said I should go to prison for releasing this,” Bell says. First, a hypothetical example of social engineering at work. Imagine you’re a junior help desk technician at a large company. You’re low on the corporate ladder, and constantly worried about keeping your job. One night you get a text from a number you don’t recognize. “It’s Ted,” the message reads. “I need my password reset immediately. Lots of money riding on this deal.” […]
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t Mary Ann Davidson Blog By User701213-Oracle Aug 10, 2015 I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, we’ve been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me). Writing mysteries is a lot more fun than the other type of writing I’ve been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it.
http://www.wired.com/2015/02/hacker-claims-feds-hit-44-felonies-refused-fbi-spy/ By Andy Greenberg Threat Level Wired.com 02.18.15 A year ago, the Department of Justice threatened to put Fidel Salinas in prison for the rest of his life for hacking crimes. But before the federal government brought those charges against him, Salinas now says, it tried a different tactic: recruiting him. A Southern District of Texas judge sentenced Salinas earlier this month to six months in prison and a $10,600 fine after he pleaded guilty to a misdemeanor count of computer fraud and abuse. The charge stemmed from his repeatedly scanning the local Hidalgo County website for vulnerabilities in early 2012. But just months before he took that plea, the 28-year-old with ties to the hacktivist group Anonymous instead faced 44 felony hacking and cyberstalking charges, all of which were later dismissed. And now that his case is over, Salinas is willing to say why he believes he faced that overwhelming list of empty charges. As he tells it, two FBI agents asked him to hack targets on the bureau’s behalf, and he refused. Over the course of a six-hour FBI interrogation in May, 2013, months after his arrest, Salinas says two agents from the FBI’s Southern District of Texas office asked him to use his skills to gather information on Mexican drug cartels and local government figures accepting bribes from drug traffickers. “They asked me to gather information on elected officials, cartel members, anyone I could get data from that would help them out,” Salinas told WIRED in a phone interview before his sentencing. “I told them no.” “Fundamentally this represents the FBI trying to recruit by indictment,” says Salinas’ lawyer Tor Ekeland, who took the case pro bono last year. “The message was clear: If he had agreed to help them, they would have dropped the charges in a second.” […]
http://www.thesecuritysetup.com/home/2014/10/1/hd-moore [Interesting website I found while following someone else who was profiled earlier, Uri with @redteamsblog, the idea here is ‘what setup do folks in security use to attack, defend, build, break, hack, crack, secure, etc.’ which should make for some interesting reading. – WK] H D Moore OCTOBER 1, 2014 Who are you, and what do you do? My name is H D Moore (since the day I was born, it doesn’t stand for anything). I am a security researcher and the chief research officer for Rapid7. Some folks may be familiar with my work on Metasploit, but these days I also spend a lot of time scanning the internet as part of Project Sonar. My servers send friendly greetings to your servers at least once a week. Howdy! What hardware & operating systems do you use? Lots. My normal workload involves crunching a billion records at a time, running a dozen different operating systems, and still handling corporate stuff via Outlook and PowerPoint. As of 2009, I finally made the switch to Windows as my primary OS after being a die-hard Linux user since 1995. That doesn’t mean that I use Windows itself all that much, but I find it to be a useful environment to run virtual machines and access the rest of my hardware with SSH and X11. The tipping point was the need to quickly respond to corporate email and edit Office documents without using a dedicated virtual machine or mangling the contents in the process. The second benefit to using Windows is on the laptop front; Suspend, resume, and full hardware support don’t involve weeks of tuning just to have a portable machine. Finally, I tend to play a lot of video games as well, which work best on overspecced Windows hardware. All that said, Windows as productivity platform isn’t great, and almost all of my real work occurs in web browsers (Chrome), virtual machines (VMWare for Intel/AMD64 and QEmu for RISC), and SSH-forwarded XFCE4 tabbed-terminals. The laptop I currently use started life as a banged up ASUS ROG G750 (17″) bought as the display model from a Best Buy. The drives, video card, and memory were swapped out bringing the total specs up to 32Gb RAM, a 512Gb SSD boot disk, a 1Tb backup disk, and a GeForce GTX 770 GPU. This runs the most loathed operating system of all, Windows 8.1 (Update 1) Enterprise, but it has a huge screen, was relatively cheap, and can run my development virtual machines without falling over. It also runs Borderlands2 and Skyrim at maximum settings, critical features for any mobile system. Given that the total cost was under $1,500, it is a great machine for working on the road and blocking automatic weapons fire (as its weighs about 20 Lbs with accessories). I carry this beast around in a converted ammunition bag, sans the grenade pouches. […]
http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/ By Kashmir Hill Forbes Staff 8/13/2014 There are technologists who specialize in “scanning the Internet.” They are like a search team making its way through a neighborhood, but instead of checking the knob of every door, they check Internet entrances to online devices to see which ones are open. These people have been screaming for some time that there is a lot of stuff exposed on the Internet that shouldn’t be: medical devices, power plants, surveillance cameras, street lights, home monitoring systems, and on and on. But incredibly, their message doesn’t seem to get through, because their scans keep on picking up new devices. While talking about the issue at hacker conference Defcon on Sunday, security engineer Paul McMillan sent his winged monkey scanners out looking for computers that have remote access software on them, but no password. In just that short hour, the results came pouring in: thousands of computers on port 5900 using a program called VNC for remote access. The total number is likely over 30,000. Those using the program failed to password-protect it, meaning anyone who comes looking can see what they’re doing, and manipulate their computers. McMillan set a scanner to take a screenshot of every exposed computer it came across. I went through the screens captured Sunday and saw people checking Facebook, playing video games, watching Ender’s Game, reading Reddit, Skyping, reviewing surveillance cameras, shopping on Amazon, reading email, editing price lists and bills, and, of course, watching porn. I saw access screens for pharmacies, point of sale systems, power companies, gas stations, tech and media companies, a cattle-tracking company, and hundreds of cabs in Korea. This isn’t just about watching people use their computers; the fact that the scanner got in means anyone could manipulate the devices, changing the power company’s settings, pausing the porn stream, going through a company’s records, or reviewing the prescriptions for a pharmacy’s patients. There is no need for hackers to go to great lengths to compromise these computers; their owners have built in backdoors with no locks. “It’s like leaving your computer open, unlocked and ready to rock in a crowded bus terminal and walking away,” says security engineer Dan Tentler, who presented with McMillan. Increasingly, everything is connected to the Internet, and unfortunately, people don’t always know how to connect their things securely. “It’s important to remember that this scan only scratches the very surface of the problem,” says McMillan. “We can’t legally scan for default passwords, but I’m certain if we did, the results would be orders of magnitude worse.” […]
http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/ By Dan Goodin Ars Technica May 5, 2014 Commercial antivirus pioneer Symantec has finally admitted publicly what critics have been saying for years: the growing inability of the scanning software to detect the majority of malware attacks makes it “dead” and “doomed to failure,” according to a published report. Over the past two reported quarters, Symantec has watched revenue fall, and sales are expected to flag again in the most recent period when the company releases financial results later this week, an article published Monday by The Wall Street Journal reported. The declines come as Juniper Networks, FireEye, and other companies have rolled out products and services that take a decidedly different approach to securing computers and networks. Rather than scan for files that are categorized as malicious, these newer techniques aim to detect, minimize, and contain the damage that attackers can do in the event that they penetrate a customer’s defenses. Citing Symantec Senior President Brian Dye, the WSJ said: […]