Go Hack Yourself

Today’s online criminals are sophisticated and out for financial gain, not bragging rights. Targeted, multipronged intrusions draw on a range of techniques and tools, including exploitable vulnerabilities, inside information, and sheer persistence.  Could your systems stand up to these sophisticated threats?  For many enterprises, the best way to find out is to attack yourself first, or hire somebody to do so.  A good penetration test may spot security vulnerabilities before attackers do.

Our standard security product lineup focuses on the Internet as the attack vector, but that’s not the only way in.  A determined attacker can break in by gaining the cooperation of an insider or even through physical access to buildings.  To really test your defenses, you need to attempt penetration via all of these methods.

This InformationWeek article explores penetration testing: some of the commonly exploited avenues into an organization, the upsides and downsides of outsourcing, and dealing with trust when choosing a pen-tester.  After all, you are authorizing them to probe and penetrate your defenses.  It would be reassuring to know that they are not just going to turn around and sell this intelligence to someone else…

InformationWeek

Canadian Base Under Attack in Afghanistan

The main Canadian military base in Afghanistan came under attack Saturday after insurgents fired rockets and mortars before quickly launching a ground attack.  The attack at the Kandahar airfield base occurred at about 8 p.m. local time as militants tried unsuccessfully to breach the northern perimeter.  A small number of people were injured and are being treated for their injuries.  This is the third major assault on NATO’s military hubs in Afghanistan in six days.

I hope all the troops overseas and at home remain secure, and my prayers are with you.  Come home safely.

CP24

Secure Your Home for Vacation

Our homes are both an asset and a form of protection for our other assets.  They have both a real (property) and a personal (nostalgic) value.  Securing our homes is often more difficult than it should be, especially when we go on vacation!  We want to make sure that our house can be converted into a fortress for our belongings, a safe haven for any family members staying behind, and a refuge for us to return to.  To do this, we need to understand security, and all of the controls that we can use to secure our home.  This guide aims to be that course of action in the form of advice and a checklist.

ISECOM

Prepare For Breach Notification Rules

Don’t wait until your organization experiences an information breach to figure out a detailed game plan for how to react to an incident.  That’s the urgent message from three security experts.  Breach notification legislation is coming, and it’s coming to a Province and State near you…

  • Be sure to understand what constitutes a breach under the rule and what kinds of incidents must be reported.
  • Make widespread use of encryption. That’s because the rule contains a safe harbor exempting organizations from reporting breaches of encrypted data.
  • Work closely with business associates, such as software companies, billing services and banks, to make sure they’re prepared to comply with the rule, which requires them to promptly report breaches to covered entities, such as hospitals and clinics.

HealthcareInfoSec

$6m Game Code Stolen At Tech Show

Justin May of Boston appeared in court today charged with trying to download the code of an unreleased video game at the PAX East 2010 tech convention.  Justin was attending the event in Boston where he allegedly used his laptop to hack into an Xbox 360 Test Kit that was demonstrating the game Breach.  The game, due out this summer and worth an estimated $US6m, was being shown at the convention by Atomic Games, a subset of Destineer.

“Breach, and our Hydrogen game engine, are the result of millions of dollars of investment and years of hard work.  It would have been very harmful if Breach had been posted on the internet months before its planned release,” said Peter Tamte, President of Atomic Games.

Carders.cc Hacked

Score one for the good guys!  A German online crime forum was hacked and the underground dealings of its criminal denizens exposed.  The hackers snagged the database containing what appears to be all the private correspondence of the forum members, and posted it to the web.  The hackers also posted information on the IP addresses forum members used when they signed up for membership, noting that most of the administrators and moderators on the site didn’t use a proxy to access it.  They also posted usernames, e-mail addresses and some cracked passwords of members, who number 5,000.  The data was posted to the RapidShare file-trading site.

Carders.cc was hacked through a poorly secured web server, according to the attackers, who disclosed their method and reason for hacking the forum in an e-zine they published with one of the data files:

“Carders is a marketplace full of everything that is illegal and bad.  Carding, fraud, drugs, weapons and tons of kiddies.  They used to be only a small forum, but after we erased 1337-crew they got more power.  The rats left the sinking ship.  The voices told us to own them since carders is our fault and we had to fix our flaw.  So we did.”

Read More http://www.wired.com/threatlevel/2010/05/carderscc/#ixzz0ocBWBNjr

Facebook Friend Deletion Flaw

Facebook has had its share of problems again lately.  Last week it was a fast-moving worm, this week it’s a bug that allows someone to delete all of a user’s friends without permission.  The flaw was reported Wednesday, but could still be exploited over 48 hours later.  Proof-of-concept code is now publicly available.  “A malicious hacker could combine an exploit for this bug with spam or even a self-copying worm code to wreak havoc on the social network,” IDG says.

The cross-site request forgery (CSRF) bug that makes this possible is the same one reported earlier that exposed user birthdays and other sensitive data even when they were designated private.  Facebook representatives said engineers had closed the hole, but that turned out to be premature.  The flaw could still be exploited to control the site’s “like” feature, a button users click to endorse ads and other types of content.

TheRegister

SANS Digital Forensics & Incident Response Summit, DC July 8-9

One of the biggest events of the year for digital forensics practitioners and incident responders is coming up.  The SANS Digital Forensics and Incident Response Summit takes place in Washington, DC on July 8th and 9th, 2010.  Judging by the reviews from last year, if you have an interest in digital forensics or incident response this is a must-attend event.

More info is available over at the SANS Forensics Blog.

Even if you can’t make it, or you need to be convinced of the value, you can always check out the presentations from the 2008 and 2009 versions of the summit.

Malware Watch: Bogus Facebook apps, Amazon orders, and Adobe updates

Dancho Danchev has an article up detailing a handful of new campaigns to spread the nasty Zeus Trojan via email using “Adobe Security Update” as a theme, a fake Amazon orders scam, an adult-content-themed “Watch Video” campaign, and an overview of the “sexiest video ever” rogue application campaign, spreading across Facebook.  These clowns REALLY want to hook into your bank account and celebrate the coming of summer on your nickel.  Be aware, and don’t let them at a penny!

ZiffDavis

What is this APT Thing, Anyway?

The term APT has been tossed about in various forums and associated with security, hacking, terrorism, state sponsored attacks, botnets, advanced malware, next generation malware, etc.  The net result is that the term means quite different things to different people.  Gunter Ollmann, VP of Research at Damballa, talks about the futility of defining what an Advanced Persistent Threat is, and is not.

I subscribe to the simplified definition as:  A malicious software threat of sufficient engineering and limited, targeted deployment so as to defeat signature based scanners.  It is advanced in that it is tactically made to target an individual, business, or organization.  It is persistent in that its strategically contained distribution and reduced potential for noise generation allow it to remain covertly deployed.

Damballa Blog