Infosec Island Latest Articles
https://www.infosecisland.com

The Danger of Mixing Cyber Espionage with Cyber Warfare
https://www.infosecisland.com/blogview/23165-The-Danger-of-Mixing-Cyber-Espionage-with-Cyber-Warfare.html
Wed, 22 May 2013 23:43:09 -0500

Cyber espionage does not equate with cyber warfare. Espionage may be carried out by multiple actors for manifold reasons. It does not automatically relate to warfare and plays only a minor part in the vast realm of war. Therefore, equating the two is unjustifiable and potentially does more harm than good.

China has recently been accused of intense spying activity in cyberspace. It has been claimed that China uses cyber means to gain access to, for instance, military and technological secrets held by both foreign states and corporations. In this context, the rhetoric of cyberwar has also raised its head: it has been asked whether we are already at war with China.

A danger lies at the heart of cyberwar rhetoric. Declaring war, even cyberwar, always has serious consequences. Since war is acknowledged as the most severe threat to the survival and well-being of a society, war rhetoric easily creates and feeds an atmosphere of fear, provokes a rise in the alert level and launches the associated counter-measures. It may also lead to an intensified cyber arms race.

There are several good reasons to avoid the unnecessary militarisation of cyberspace and the mixing of cyber espionage with cyber warfare. Firstly, cyber espionage is an activity that multiple actors resort to in the name of security, business, politics or technology. There is nothing inherently military about it. Espionage is about finding out something that was meant to remain secret, and as such it may be carried out for many different motives.

Secondly, conducting an effective cyber espionage campaign may take years, and even then its results are uncertain. By the same token, engaging in a long-lasting yet uncertain cyberwar would hardly be wise policy, as the costs of warfare tend to come as an unpleasant surprise.

Thirdly, gaining information is not the prime motive for waging war. Instead, war is waged in order to re-engineer the opposing society to support one’s interests and values, that is, to prevent it from doing something or to persuade it to do something. This holds true for cyberwar as well.

The probability of a pure cyberwar in the near future is low. What we should be more aware of is the use of cyber means in conventional conflicts. Cyber espionage can be utilised in warfare for preparing for war, as part of intelligence efforts, and for preparing for peace. In addition, a long-lasting spying campaign that is eventually detected may lead to war if it is interpreted as justifying pre-emptive or preventive action.

Even if the concept of war has become vague and the line between war and peace is blurred, espionage should be understood as an activity of its own kind. For actions to qualify as war they should cause massive human loss and material damage; cyber espionage does not do this. For most people there is little to be gained from confusing cyber espionage with cyber warfare, yet the potential losses in the form of increasingly restricted freedom and a curtailed private sphere may be substantial.

Copyright 2010 Respective Author at Infosec Island
Improving Security by Failing Faster
https://www.infosecisland.com/blogview/23162-Improving-Security-by-Failing-Faster.html
Tue, 21 May 2013 00:30:00 -0500

Using failure to succeed

Unfortunately, life does not always work out the way we plan. Security is no different. Whether it’s servers that just won’t stay up, hackers who find (and exploit) that hidden application vulnerability or Mother Nature who wipes out your internet presence, you will eventually suffer an outage. The question is, what are you going to do about it?

Being excellent at anything in life, whether it’s sports, business or security, is not about getting it right all the time. It’s about discovering your failures fast and responding to them nimbly. In sports we do that by scrimmaging against opponents early and often so we can figure out how quickly they’ll see through our new plays. In business it’s by developing rapid prototypes of our business ideas and getting them in front of customers for feedback early on (see the Lean Start-up to learn more). So how do we do this in security?

The goal is not to avoid failure, but to fail faster

As security leaders, we are always tempted to engage in the intellectual exercise of creating a nice defense-in-depth strategy and calling it good. In that case, we're just looking to confirm that what we did previously was a good idea. What I'm suggesting here is that our goal should instead be to find ways to prove that our defenses are flawed.

The concept is not entirely new to us. Most organizations have a penetration testing and vulnerability scanning program, where we look for systems that are vulnerable to compromise. These are a great start, but all too often they produce a false sense of security rather than real assurance. We have system administrators focused on vanity metrics like the percentage of systems patched and the number of vulnerabilities fixed rather than proactively seeking out new ways to make their systems secure.

Below are three steps that will help you move from vulnerability management that merely looks good to vulnerability management that actually makes you secure.

Incentivize finding vulnerabilities. A well-known management truth is that you get what you incentivize. What do you base your promotions, raises and bonuses on? If it's rolling out new systems, system enhancements and just getting through audits, then that's exactly what your administrators will do. To create a culture that continuously improves security we must reward that behavior. If you tie spot bonuses, public acknowledgement, and even promotions to how effectively employees identify security vulnerabilities in your systems, you will be amazed at how quickly your employees become experts at finding them.

Learn from the chaos monkey. If your disaster recovery testing is performed annually, with everyone sitting in a conference room deciding together how to take down systems and move them, then you don't know how your organization will react during a real disaster. For years Netflix has run its Chaos Monkey against its systems. The Chaos Monkey is a utility that randomly turns off individual server instances. Just like a real disaster, there's no warning. This may be too extreme for your organization and your recovery time objectives (not everyone needs to be 100% available 24x7 like Netflix does), but the concept applies to all organizations. To find out how you'd handle a real disaster, find ways to subject your systems to conditions that mirror a real-life incident.

Understand better what failure looks like. While the majority of hacks are still preventable by relatively simple security controls (hat tip to the folks behind the Verizon Data Breach Investigations Report), I'm going to assume that you've already implemented the basics (check out the SANS Top 20 or, better yet, the Australian Top 4 if you haven't). The fact is, even the most comprehensive security programs have holes. Since we know we will always carry some residual risk of breach, our primary goal should not always be to add yet another preventive control. Instead, focus more on getting better at detecting when something has gone wrong.

There is a spectrum of options for accomplishing this, from a simple installation of a file integrity monitoring program to advanced correlation of system, application and network behaviors. The key is not in putting the perfect detection system in place; it's in finding a detection system you can afford, and then USING IT! If you regularly compromise your own systems in controlled exercises to see what real incidents look like, and ferociously tune out false positives, this tool can become an incredibly efficient means of finding out when you've been hacked and responding to the incident in minutes or hours instead of days, weeks or even months.
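As an added example (this is not code from the original post), here is a minimal file integrity monitor of the kind the low end of that spectrum consists of. It hashes every regular file under a directory into a baseline, re-scans later, reports added, removed and modified files, and drops paths matching ignore globs so expected churn such as log files does not page anyone: that ignore list is exactly the "tuning out false positives" step. The directory layout, file contents, the simulated compromise and the `var/log/*` ignore pattern are all constructed for the demonstration.

```python
"""Minimal file integrity monitor: baseline, re-scan, diff, and tune out
expected churn so the alerts that remain are worth an analyst's time.
Example code; the scenario in demo() is constructed, not a real incident."""
import fnmatch
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries aren't loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    os.walk is used so dotfiles (a favourite place to drop tools) are included."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_file() and not path.is_symlink():
                baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def diff_baseline(old: dict, new: dict, ignore: tuple = ()) -> dict:
    """Compare two scans. Paths matching an ignore glob are dropped so known
    churn (logs, spool files) doesn't drown the changes that matter."""
    def watched(rel: str) -> bool:
        return not any(fnmatch.fnmatch(rel, pat) for pat in ignore)

    old_paths = {p for p in old if watched(p)}
    new_paths = {p for p in new if watched(p)}
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate a compromise plus
    ordinary churn, and return the diff as an operator would see it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc.conf").write_text("PermitRootLogin no\n")
        (root / "var" / "log" / "auth.log").write_text("normal login\n")

        baseline = build_baseline(root)
        # In practice the baseline is stored off-host; an attacker with root
        # can otherwise rewrite it along with the binaries.
        baseline_json = json.dumps(baseline, sort_keys=True)

        # Simulated incident: trojaned binary, dropped hidden tool, config removed...
        (root / "bin" / "sshd").write_bytes(b"backdoored sshd binary")
        (root / "bin" / ".hidden_tool").write_bytes(b"dropper")
        (root / "etc.conf").unlink()
        # ...plus the ordinary churn that would page you hourly if not tuned out.
        with (root / "var" / "log" / "auth.log").open("a") as fh:
            fh.write("another login\n")

        current = build_baseline(root)
        return diff_baseline(json.loads(baseline_json), current, ignore=("var/log/*",))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the three buckets; the log append never appears because of the ignore glob, while the trojaned `bin/sshd`, the dropped `bin/.hidden_tool` and the deleted config do. Widening the ignore list is how false positives get tuned out, and every pattern added there is a conscious decision about what you are choosing not to see.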

Failure is not the enemy. Complacency, overconfidence and misaligned incentive packages are. This problem isn't rocket science, but it won't solve itself either. Start gradually and verify that you're making regular progress, and you can ensure that every vulnerability you discover will only make your organization more secure.

Cross-posted from Information Security from Robb Reck.

BYOD: Should It Be the Wave of the Future?
https://www.infosecisland.com/blogview/23164-BYOD-Should-It-Be-the-Wave-of-the-Future.html
Tue, 21 May 2013 00:02:00 -0500

Gartner recently forecast that by 2017, “Half of employers may impose a mandatory BYOD policy and require all employees to provide their own equipment, including laptops, tablets, and smartphones.”

Due to the widespread popularity of iPhones, iPads, and other smartphones and tablets, the phrase “Bring Your Own Device” to work has become a curse to IT Departments everywhere.

Individuals who are responsible for network infrastructure are increasingly spending their time on employees’ personal devices in order to facilitate employee productivity. This is clearly not the best use of IT professionals’ time or resources. So, why would a company impose a mandatory BYOD policy?

Consider these scenarios:

(1) A member of your sales team visits a prospect in the field and his/her laptop dies or malfunctions during a presentation. The salesperson looks unprofessional because family photos appear as the desktop screen on the salesperson’s personal laptop. Question: Does the salesperson take the laptop back to the store where he/she bought it, or does your IT Department drop everything to remotely attempt to fix the problem?

(2) A member of your marketing team attends a tradeshow and uses his/her smartphone with a business card application to capture leads, but the smartphone malfunctions or the app doesn’t work, and all leads appear to be lost. Question: If your marketing manager contacts your IT Department, will the IT team know how to retrieve the leads since the smartphone is not company-issued? The IT Department did not purchase or load the software, and in addition, may not be familiar with the smartphone model, so will they be able to walk the marketing manager through the retrieval process, or are all the leads gone for good?

(3) A member of your leadership team walks into the conference room to give a presentation to the key leaders of your company. The presentation is stored on the person’s tablet. But something goes miserably wrong, and the tablet doesn’t work correctly. Question: Does the leader call someone in your IT Department to come to the conference room to work on a tablet for the very first time? Top leaders don’t have time to waste sitting in the conference room while someone works on a device that they’ve never worked on before.

While BYOD may seem like a cost-effective solution, it simply cannot become a mandatory policy. Companies pay for desks, lights, copy machines, printers, etc., so when did technology disappear from that list? Just because some employees may think it's easier to use their own smartphones, tablets, or laptops for email, document creation, Internet research, etc., doesn't mean that companies should stop paying for equipment and instead require employees to use their own.

With the scenarios described above, IT Department personnel would be at a serious disadvantage in trying to resolve the issues. But if the equipment were company-issued, they would be much better prepared to resolve whatever technical glitches occurred because they would be trained on and familiar with the physical equipment, the network settings, the security settings, etc.

The bottom line is this: Do you want your employees to be prepared to do their jobs? BYOD will definitely interfere with their ability to do their jobs efficiently and correctly.

While there are many security issues relating to BYOD, one is most important. When employees use their personal devices for work, they don't always install malware protection on them. With both iOS and Android devices increasingly targeted by malware, a new attack vector has been opened to the enterprise. If not addressed properly, an infection can make the leap from personal email to corporate email and on to the network. BYOD may seem like a cost-saving solution, but in reality it's putting your data at risk, and that data is priceless.

Here's a link to the post featuring the Gartner Research:


Allan Pratt, an infosec strategist, represents the alignment of technology, marketing, and management. With an MBA degree and four CompTIA certs in computers, networks, servers, and security, Allan translates tech issues into everyday language that is easily understandable by all business units. Expertise includes installation and maintenance of all aspects of the PC and peripheral lifecycle and the planning and integration of end-to-end security solutions. Allan has taught the CompTIA A+ cert course and currently teaches the CompTIA Security+ cert course. Follow Allan on Twitter and on Facebook.

Cross-Posted from Tips4Tech

Trend Micro Discovers "SafeNet" - a New Targeted Espionage Operation Online
https://www.infosecisland.com/blogview/23163-Trend-Micro-Discovers-SafeNet-a-New-Targeted-Espionage-Operation-Online.html
Mon, 20 May 2013 13:39:42 -0500

Researchers at Trend Micro have discovered a new espionage campaign, called SafeNet, which has targeted more than 100 countries since it was established. The campaign itself is straightforward, using email as the means of gaining initial access, but it is notable for having remained undetected for so long.

While investigating SafeNet, Trend Micro's Nart Villeneuve wrote in a whitepaper that there were two attack campaigns, each targeting a specific set of organizations. In the first campaign, SafeNet snared 243 unique victims in eleven countries. The second campaign logged 11,563 victims in 116 countries.

These numbers are based on the IP data discovered on the Command and Control (C&C) servers used by the attackers, so the actual count may be smaller, Trend Micro noted. Nevertheless, India, the U.S., China, Pakistan, and the Philippines were the top five victim countries by IP data, followed by Russia, Brazil, Romania, and Saudi Arabia.

“While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear,” Villeneuve said in a blog post.

Based on the whitepaper, the collected data points to an attacker somewhere in Asia: on both C&C server logs, administrator access came from China, Hong Kong, and South Korea the majority of the time.

The malware used in the campaign was designed to steal data, but it could be quickly modified to offer additional functionality. The whitepaper supporting the SafeNet research reports that tools to extract saved passwords from Internet Explorer and Firefox, as well as Remote Desktop Protocol credentials, were discovered.

“Ongoing cyber-espionage campaigns have been successfully infiltrating targets worldwide, many of which have been active for years. However, the amount of public exposure, especially of noisier and larger campaigns, has been increasing,” the whitepaper concludes.

“Perhaps due to their success, these campaigns’ operators intensified their operations, causing them to be increasingly visible. But smaller campaigns are beginning to emerge; these use small clusters of C&C servers and new malware as well as attack fewer targets.”

Trend Micro, in the first release of its report, called this campaign SafeNet. Shortly after the research was released, the whitepaper was taken offline and the campaign was renamed to Safe, which it most certainly isn't.

As it turns out, it would seem that SafeNet, Inc., a data protection firm in Maryland, took offence to the name given to the espionage campaign. It is unfortunate that Trend Micro had to alter their research and add the disclaimer that “...there is no connection between this attack and SafeNet, Inc. ...”

It isn’t as if a serious practitioner within the world of InfoSec would have assumed the names were related. So the fact that such a warning was required is insulting.

A full copy of the modified report is available here.

Managing My Company's Security is a Nightmare
https://www.infosecisland.com/blogview/23161-Managing-My-Companys-Security-is-a-Nightmare-.html
Fri, 17 May 2013 04:01:07 -0500

If you are a head of corporate security, I am sure the words above will have run through your mind more than once. The majority of top-level executives are focused on targeted attacks (by far the most heavily covered malware stories; just take a look at the recent Twitter, Facebook, Apple or Microsoft attacks, for example). However, heads of corporate security know better than anybody what risks they face and what their priorities are:

- Neutralize attacks before they impact corporate productivity.

- Prevent data theft.

A major hurdle to achieving these two ‘simple’ objectives stems from evolutions in the way we interact with IT such as BYOD (“Bring Your Own Device”) and cloud computing. Both of these have brought about important changes in the way data is managed. IT Departments are very often one step behind users, and unfortunately in most cases there is no real control over all devices on the corporate network. Additionally, cloud storage applications allow users to store all kinds of data in the cloud without any real control from the IT Department, with all the inherent security issues involved.

Despite perimeter solutions still being a necessity, the corporate perimeter must now expand to include new devices (mainly smartphones and tablets) that also handle confidential corporate information. Also, it is worth remembering that these devices can become an entry point for intruders into the corporate network, so it will be necessary to control the devices as well as the information.

Add to this the fact that most infections and attacks take advantage of unpatched vulnerabilities for which security updates are already available, and you realize that patch management, along with applications that give full control and visibility of the network status, is essential for organizations.

These needs cannot be satisfied by so-called 'traditional' antivirus software; other, more advanced solutions are required. The latest trend in the computer security industry is that of Endpoint Protection Platforms, which provide a collection of security utilities including hardware and software audits, patch and vulnerability management, application control, etc. Traditional antivirus software is still necessary but not sufficient.

For heads of corporate security it is also very important that the network monitoring tool doesn't require new servers, VPN connections, etc. In this context, simple solutions where administrators install a lightweight agent on every managed device, allowing control through a Web browser regardless of whether the device is in the office or on the road, are gaining ground spectacularly. Mobility presents new challenges in IT risk management and troubleshooting, and the ability to access devices remotely will help organizations reduce costs and boost their productivity significantly.

About the Author: Luis Corrons is Technical Director of PandaLabs, Panda Security

Bridging the Cybersecurity Divide, Why Security Innovation Must Lead the Way
https://www.infosecisland.com/blogview/23157-Bridging-the-Cybersecurity-Divide-Why-Security-Innovation-Must-Lead-the-Way.html
Thu, 16 May 2013 11:58:12 -0500

Despite years of engineering, programming, reverse engineering, product development and a generous amount of FUD-driven marketing, the information security industry (loosely defined as representing the forces of good) lags far behind the innovation and sophistication of modern malware perpetrated by the forces of evil. Ultimately, the gap between good and evil has to narrow before we can lay claim to any real advancement in securing our most critical assets.

Since I founded Bayshore Networks, the focus on achieving innovation superiority has been paramount to our success in developing some of the most powerful next generation application firewalls to secure applications and other mission-critical assets at the network core. We've gained a solid following in what's called the 'Serious' security market: defense, critical infrastructure SCADA and industrial control system environments, and large enterprise networks. Our success, however, must be perpetual and continuous in order to keep proving our mettle and resilience in combating modern malware.

In early April, we announced the development and integration of a new and powerful security policy-expression language into all Bayshore firewall product lines. We call it Pallaton, meaning warrior according to Native American folklore, and a fitting descriptor for the ongoing war against modern malware perpetuation.

What makes Pallaton unique and powerful? It gives network and security administrators unparalleled control and protection of enterprise and SCADA applications down to the level of individual data elements and transactions. Pallaton is also easy to learn and use, and it seamlessly scales to express access-policy and behavioral constraints, from entire global networks down to individual applications.

Pallaton also offers extremely granular controls, enabling access to actual parts of protected data streams. Pallaton's dynamic XML editor enables customers to block traffic by IP address, geographic location, timing, and other sensitive controls. Beyond its control savvy, Pallaton is protocol-aware, spanning SCADA-specific to web application protocols.

But this piece is not about plugs; it’s about recognizing the role of corporate responsibility in delivering new innovation to market, and being cognizant of the need to never rest when engaged with adversaries who have clearly mastered the art of staying ahead of the game.

Mandiant’s February APT1 report was a groundbreaker, not just because it identified a physical location where a specific and powerful nucleus of APT attackers launch 24/7 assaults, but because they used their innovation, experience, research and talents to do government-level intelligence gathering and then let the world know about it.

We believe the private sector, and more specifically vendors of information security products and services, must have a dedicated focus on innovation in order to remain competitive and relevant. Information security buyers today remain invested in heavy enterprise risk management solutions to meet compliance obligations, but we are seeing a surge in CISOs we meet who are sounding the drumbeat for more investment in tools and technologies that don’t just perform, but outperform through solid innovation.

Pallaton is just a small piece of the overall puzzle and a great example of security innovation aimed at narrowing the malware sophistication gap. We at Bayshore innovate for all the expected reasons: to sell more products, to make a measurable difference and become a truly required technology our customers can depend on for the long term. Yet we go beyond the norm by embracing innovation as a company value and instilling a culture of innovation in the talented people we hire.

We look forward to seeing more security innovation that’s aimed at narrowing the technology divide and advancing us all one step closer to security nirvana.

About the Author: Francis Cianfrocca is the founder and CEO of New York City-based Bayshore Networks, Inc.

The Evolution of Industrial Control System Information Sharing
https://www.infosecisland.com/blogview/23156-The-Evolution-of-Industrial-Control-System-Information-Sharing.html
Thu, 16 May 2013 06:30:50 -0500

The Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, recently issued an advisory warning of an elevated risk of cyber-based attacks against companies that are tasked with administering systems that control elements of our nation’s critical infrastructure.

The alert, which was made available only to authorized entities, provided advice on mitigation techniques and prescribed specific measures that should be undertaken to avoid disruption to services such as power and water delivery. An accompanying document outlined key indicators of an attack and guidelines for monitoring and detection efforts.

The advisory is a good example of improved efforts to break down information silos between government agencies as well as improve the mechanisms to share threat information with the public sector, said Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC).

According to the organization, ICS-ISAC exists to bring together the private sector partners and stakeholders for the purpose of sharing knowledge about risks, threats and best practices across our shared critical infrastructure. The Center was created to provide the ICS community with a common platform where collaboration can be performed in an environment best suited to the needs of all involved parties.

“The ability to effectively share information has marked the progress of human social evolution since the dawn of time. In the Communication Age, the need to more efficiently share a growing volume of increasingly targeted information among expanding communities defines the challenges facing cultures,” Blask said in an interview.

“For those who are responsible for maintaining the security of information structures, there is no more pressing topic.”

On February 12th of this year, President Obama issued an Executive Order, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive 21 (PPD-21), both of which were designed to foster improvements in information sharing among government agencies as well as between government and the private sector.

“Both documents emphasize the need to improve information sharing as a fundamental component of improving national security. ICS-ISAC is working with its members to develop an open reference architecture for situational awareness, both in support of these initiatives and as part of performing its core mission,” said Blask.

The president made the decision to issue the Executive Order and Policy Directive after years of partisan bickering prevented any significant cybersecurity legislation from being passed. Networks used to control elements of the nation’s critical infrastructure tend to be legacy systems, and when designed did not take into account the advent of the Internet and the prospect that the systems would ever be exposed to compromise via the web.

Because these systems are so vulnerable, yet at the same time so critical to the functioning of the nation and of commerce, the need to better share intelligence on potential threats and active attacks is greater than ever. The good news is that we already have the mechanisms to deploy such systems for information sharing at our disposal, according to Blask.

“Today we stand with all of the components in our hands from which to construct effective realtime situational awareness of our shared infrastructure. The basic technical tools necessary to create situational awareness at facilities have been developed and available for more than a decade,” said Blask.

“Knowledge sharing structures such as STIX and TAXII have recently been released in 1.0 versions; IODEF has been in use for more than five years. The REN-ISAC CIF system has developed a mechanism in use today among academic institutions which is being used to provide active shared defenses around the clock. In the public and private sectors, in technical, policy and procedural areas, the basic building blocks required have already been created from which we can build shared security,” Blask continued.

The ICS-CERT advisories are just a drop in the bucket, but show a trend in the right direction. “The type of information and detail that [ICS-CERT] is now delivering in these intelligence reports to the community has dramatically improved in the last 18 months,” SANS’ Tim Conway told the Washington Post.

Conway will be joining Blask on Wednesday May 15th from 1-2:30 PM ET for the ICS-ISAC Monthly Public Briefing. The panel will also include Michael Murray from CERT/CC at Carnegie Mellon University and Marc Blackmer from Sourcefire in what will be the first of a series of panel discussions on the evolution of public-private information sharing.

The series will begin with an analysis of historical information sharing efforts and lead up to the development of the ICS-ISAC’s Realtime Knowledge Sharing Reference Architecture.

According to ICS-ISAC's press release on the panel discussions, they are “designed to benefit both the technical & non-technical attendee; the ICS-ISAC Public Briefing series takes a no-nonsense approach to addressing issues that cut across industry, sector, and job function. So whether you are hands-on ICS, an administrator, or a C-level decision-maker, you will find valuable information that you can take and implement to further secure your industrial control systems.”

Cross Posted from Tripwire's State of Security Blog

ATM Security (And Really Learning from the Past)
https://www.infosecisland.com/blogview/23152-ATM-Security-And-Really-Learning-from-the-Past.html
Tue, 14 May 2013 06:59:00 -0500

First, let me say that I'm not claiming there is no security model around ATM deployments. ATM security varies greatly depending on lots of factors. You have the hardware they run on and the underlying OS. Most run on PC-type hardware, and the OS varies from OS/2 (yes, there are still some out there running OS/2) to Windows (I have no proof, but I'd not be surprised to see a few still on NT, though mostly XP and Win7, with some CE-based) to various flavors of Linux. Then you have the vendor software (this includes old versions as well as various configuration variations and features). Then you have any additional software that may have been added by the FI (financial institution). This software may be from a third party or it may be written by the FI's own development team.

Then on top of all of this there are the “standard” things that affect security. Thankfully most ATMs are not internet connected, at least by design. Of course, this is where deployment mishaps can bite you. If they are on the same network as the rest of your systems, you are asking for problems. Just as with SCADA systems that are supposedly air-gapped, such security measures are only as effective as the monitoring and enforcement behind them. A rogue system plugged into the wrong (or right) port can suck all of the air out of a gap in a heartbeat.

You also need to think about how each machine is configured: the hardware configuration and settings, the OS settings, the security policies and other network policies applied to each system, and the additional agents it runs for management, security, and so on.

There are lots of other things that go into ATM security that can have a big impact on making it as secure as possible. I’m going to stop here because my intent was not to give a primer on ATM security; I don’t know enough to give more than the basics. If you want to talk true ATM security you need to go elsewhere.

What I did want to talk about is that the recent ATM heist of $45 million should never have happened. Why, you ask? Because this same basic attack took place a few years ago: RBS WorldPay was hit for $9 million using the same basic attack back in 2008. The attack wasn’t identical, but it was close enough in nature that the lessons learned should have resulted in security improvements and controls that would have stopped this attack, or at least alerted the banks to it much more quickly. What obviously didn’t happen was a true root cause analysis (RCA): not only finding the root cause, but learning from it and making changes. You also need to take what you learned from the RCA and ask how else this attack could have happened, or what else the attackers could have done using similar techniques.
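As an added example, not code from the original post: the kind of alerting control the paragraph above says was missing. What the two heists had in common, as publicly reported, was a coordinated cash-out in which a small set of card numbers was used for many withdrawals at many ATMs within a few hours; the post itself does not go into the mechanics. The record format, the per-card limits and the "campaign" threshold below are assumptions chosen for illustration; an issuer would take the real limits from the card product and its authorization system.

```python
"""
Velocity-based detection of a coordinated ATM cash-out.

Added example, not code from the original post. The record format,
the per-card limits and the campaign threshold are assumptions chosen
for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawal records (not real data):
# UTC time, tokenised card number, ATM id, city, amount in USD.
SAMPLE_LOG = """\
2013-05-01T20:01:12Z,card-0001,atm-NYC-011,New York,1500
2013-05-01T20:04:40Z,card-0001,atm-NYC-023,New York,1500
2013-05-01T20:09:05Z,card-0001,atm-NYC-057,New York,1500
2013-05-01T20:11:50Z,card-0001,atm-NYC-102,New York,1500
2013-05-01T20:14:31Z,card-0001,atm-NYC-118,New York,1500
2013-05-01T20:02:00Z,card-0002,atm-TYO-004,Tokyo,2000
2013-05-01T20:06:10Z,card-0002,atm-TYO-019,Tokyo,2000
2013-05-01T20:10:45Z,card-0002,atm-TYO-044,Tokyo,2000
2013-05-01T20:15:20Z,card-0002,atm-TYO-071,Tokyo,2000
2013-05-01T09:30:00Z,card-0003,atm-CHI-001,Chicago,200
2013-05-01T18:45:00Z,card-0003,atm-CHI-001,Chicago,100
"""

WINDOW = timedelta(hours=1)
MAX_WITHDRAWALS_PER_WINDOW = 3   # assumed per-card velocity limit
MAX_AMOUNT_PER_WINDOW = 3000     # assumed per-card amount limit (USD)
MIN_CARDS_FOR_CAMPAIGN = 2       # assumed: this many flagged cards at once = coordinated cash-out


def parse_log(text):
    """Parse CSV records into (time, card, atm, city, amount) tuples, oldest first."""
    records = []
    for line in text.strip().splitlines():
        ts, card, atm, city, amount = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), card, atm, city, int(amount)))
    records.sort()
    return records


def flag_cards(records):
    """Return {card: details} for each card that exceeds a velocity limit in some 1h window.

    Sliding window per card; the first offending window is reported.
    """
    by_card = defaultdict(list)
    for rec in records:
        by_card[rec[1]].append(rec)

    flagged = {}
    for card, recs in by_card.items():
        start = 0
        for end in range(len(recs)):
            # advance the window start until recs[start..end] span at most WINDOW
            while recs[end][0] - recs[start][0] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            count = len(window)
            total = sum(r[4] for r in window)
            if count > MAX_WITHDRAWALS_PER_WINDOW or total > MAX_AMOUNT_PER_WINDOW:
                flagged[card] = {
                    "count": count,
                    "total": total,
                    "distinct_atms": len({r[2] for r in window}),
                    "first": window[0][0],
                    "last": window[-1][0],
                }
                break
    return flagged


def campaign_alert(flagged):
    """True when MIN_CARDS_FOR_CAMPAIGN flagged cards started within WINDOW of each other.

    One card over its limit may be a single stolen card; many cards over
    their limits at the same time is the cash-out pattern and should page
    someone, not just decline the next withdrawal.
    """
    starts = sorted(d["first"] for d in flagged.values())
    for i in range(len(starts)):
        j = i
        while j < len(starts) and starts[j] - starts[i] <= WINDOW:
            j += 1
        if j - i >= MIN_CARDS_FOR_CAMPAIGN:
            return True
    return False


if __name__ == "__main__":
    flagged = flag_cards(parse_log(SAMPLE_LOG))
    for card, d in sorted(flagged.items()):
        print(card, d["count"], "withdrawals,", d["total"], "USD,", d["distinct_atms"], "ATMs")
    print("coordinated cash-out:", campaign_alert(flagged))
```

The per-card rule is the control the RCA of the 2008 incident should have produced; the campaign rule is the "what else could they have done" step the post asks for, since the same velocity spread over more cards slips under any per-card limit unless the cards are correlated in time.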

We focus so much on the problem that we often fail to find and fix the root cause, and if and when we do, we feel we have gone above and beyond and stop there. This is a problem. There is so much more that we can and should do to take our work and our program to the next level. We have to take what we learn and apply it, but we also have to see what else we can learn from it. Security researchers are good at this. The bad guys are too. They take what we learn and use it against us. We get all excited about finding and fixing the root cause, then we think it would make a great paper and conference talk. We make it all fun and pretty and show the world. Then the world takes it and slaps us in the face with it, because they were willing to learn more from it than we were.

This is one of the big jobs of security that is so often overlooked. Our job is to secure, but we also need to drive change within our program and within the way our business does security. Our industry is reactive by nature and we are striving to be more proactive; this is one way we can be. We have to go beyond asking what technology will make us proactive and ask what else we can learn from what we have already learned. Yes, this takes time and resources that many teams already lack. It also takes someone who is good at thinking this way. It won’t come easily to most of us, but it is a necessary skill that has to be developed and built into our programs. We can’t keep playing catch-up forever, because there comes a time when you get so far behind that you will never catch up, since catching up also involves cleanup, and that takes more and more time. If we spend just a little extra effort in our analysis we can make changes that have a positive impact with less resource consumption. Just as in software development it is easier and cheaper to prevent bugs than to fix them, it is easier and cheaper for us to prevent incidents than to fix them.

Cross Posted from Andy ITGuy

Complimentary IT Security Resources [May 13, 2013]
https://www.infosecisland.com/blogview/23151-Complimentary-IT-Security-Resources-May-13-2013.html
Mon, 13 May 2013 12:16:16 -0500

We are pleased to offer Infosec Island readers the following complimentary IT security resources for the week of May 13, 2013:

Weaponized Malware - A Clear and Present Danger - Originally intended for cyber-espionage and cyber-warfare, these sophisticated attacks are now available to any cyber-criminal. How can security pros protect their organizations from these emerging perils? [Download it Now]

Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks - Today's professional malware writers have gotten ahead of these trends by using advanced malware and other commercial malware techniques to defeat traditional endpoint defenses. [Download it Now]

Real World Protection and Remediation Report - AV-Test performed a comparative review of 7 enterprise endpoint security products to determine their real-world protection and remediation capabilities. The malware test used samples for real-world threats, false positives, and remediation. [Download it Now]

Endpoint Security: Anti-Virus Alone is Not Enough - For many organizations, endpoint security consists of anti-virus software and network security consists of a firewall. Aberdeen's research confirms - and quantifies - the prevailing wisdom that enterprise security based on anti-virus software alone is not enough. [Download it Now]

Best Practice Guide to Addressing Web 2.0 Risks - With the rise of user-generated content, social networks and readily available information offered by the Web 2.0-enabled workplace, users are more connected to people and ideas than ever before. This new level of connectivity also introduces significant risk. Organizations need to find the proper balance of risk vs. productivity through improved policy, controls and education of users. [Download it Now]

Virtualization Security Risks: How to Develop Your Strategic Approach - What virtualization software can accomplish is nearly limitless. But has your management methodology and software kept up? This whitepaper takes an in-depth look at virtualization technologies, security risks, and virtualization technology management models. [Download Now]

Endpoint Security Management Buyers Guide - This report by analyst firm Securosis is focused on helping you understand what features and functions are important in the four critical areas of patch management, configuration management, device control, and file integrity monitoring. [Download Now]

Is Your Enterprise Managing Certificates? Three Reasons It Should Be. - A new Aberdeen Group Market Report offers in-depth analysis of how attackers are targeting and successfully exploiting known vulnerabilities in the certificate infrastructure, and why most enterprises are not managing the associated risks. [Download Now]

Navigate The Future Of The Security Organization - Is your status among C-level colleagues slipping? Are your budgetary pitches falling flat? If you've answered "yes" to either of these questions, Forrester Research's report, Navigate the Future of the Security Organization, can help. [Download Now]

Aberdeen Research: Encryption, Without Tears - Like most enterprises, you've deployed encryption broadly to protect information and authenticate systems. In this report, analyst Derek Brink quantifies the costs and effects of three encryption-management strategies. [Download Now]

IT Pros Guide to Endpoint Protection: Top 5 Tips For Enabling A Self-Defending Endpoint - Stay on top of endpoint security by implementing these five tips that will help you prevent costly malware outbreaks and data breaches, even as the barrage of attacks intensifies. [Download Now]

The Busy IT Professional's Guide to Governance Risk and Compliance - Streamline your compliance efforts by implementing these five tips that will help you better tie together security deployments and processes, business goals and compliance activities. [Get it Now]

The Rising Threat of Corporate Cybercrime: Cybercriminal Motives and Methods - Compromising employee endpoints with malware has become the preferred method for attackers; a far simpler path into the corporate network than a direct network attack. Enterprises need to recognize and address this growing danger. [Download Now]

Test Report: Antivirus Effectiveness in VMware vSphere 5 Virtual Environments - Tolly benchmarked the performance of four top endpoint security vendors within VMware vSphere 5 virtual environments. [Get the free report]

Forrester Wave Report: Endpoint Security, Q1 2013

Proving Your Vulnerability Compliance: Patches, Configuration, Reports and More - Read this whitepaper to learn how to get everything on one page, to make patch management and configuration auditing consistent and automated so you can stop wasting money and time. [Download Now]

Steps Toward Weaponizing the Android Platform
https://www.infosecisland.com/blogview/23148-Steps-Toward-Weaponizing-the-Android-Platform.html
Mon, 13 May 2013 06:46:20 -0500

The mobile and tablet market has been flooded by millions upon millions of Android-based devices. I wonder if Ken Thompson or Dennis Ritchie ever imagined that their invention from nearly 44 years ago would influence the likes of the Linux kernel, Google, Apple, and beyond. We are now in a sea of Unix-like devices that fit easily in individuals' pockets, have multi-core processors, and can reach SCADA systems with a few keystrokes. It has never been a better time for pocket-sized penetration testing devices.

In this article I will cover ways to turn an Android-based device into a powerful pocket-sized penetration testing tool. If you're looking to do wireless sniffing or packet injection with your Android device, this article will be of little help. (If you are interested, see this, this, this, this, and this.) To do so, you need a specific Android device that supports USB OTG, with a custom ROM, and you'll most likely need an external USB wireless adapter. (Honestly, if you're looking for a device that can crack WEP keys without an external USB wireless adapter, I still highly recommend the Nokia N900.)

(NOTE: If you're strictly looking to do wireless sniffing, there is AndroidPCAP, which I have tested with my Nexus 7 and an RTL8187-based wireless USB adapter.)

Firstly, before going on to weaponize your Android device, please take the time to back up any vital information. Have a look at this. The reason is that you'll need to root your Android device, and depending on your device and the rooting method, rooting it and unlocking the bootloader can wipe the device.

Setting up a Kali Linux ARM chroot on your rooted Android-based device (you'll need about 6GB of free space)

1.) Install BusyBox
2.) Install Terminal Emulator
3.) I created a Kali Linux ARM IMG that one can easily mount and it can be downloaded here:
http://goo.gl/qmGle
https://archive.org/details/Kali.nogui.armel.zitstif.chroot.482013

kali.nogui.armel.zitstif.chroot.482013.7z

md5: d60c5a52bcea35834daecb860bd8a5c7
sha1: f62c2633d214de9edad1842c9209f443bcea385d

kali.img

MD5: be61799f8eb2d98ff8874daaf572a1d5
SHA-1: f9c6a820349530350bbb902d17ae6b4a5173937c

NOTE: This image gives you about 2GB of free space in the environment to play with so use with care.

4.) Extract the 7z file and make sure it produces a folder at the following location: /sdcard/kali
5.) In this folder you should have a shell script named 'kali' and the 'kali.img' image file.
6.) To mount the kali.img file as root do this: sh /sdcard/kali/kali
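Before step 4, and again on kali.img after extraction, check the download against the digests published above; a truncated or swapped image is the usual reason a chroot refuses to mount. The following is an added example, not code from the original post: the expected digests are the ones listed above, while the directory layout (/sdcard/kali) and the constructed sample file in demo() are assumptions for illustration.

```python
"""
Verify a downloaded Kali chroot archive and image against published hashes
before extracting or mounting it.

Added example, not code from the original post. The expected digests are
the ones published in the post; the directory layout and the constructed
sample file in demo() are assumptions for illustration.
"""
import hashlib
import os
import sys
import tempfile

# Digests published in the post, keyed by file name.
EXPECTED = {
    "kali.nogui.armel.zitstif.chroot.482013.7z": {
        "md5": "d60c5a52bcea35834daecb860bd8a5c7",
        "sha1": "f62c2633d214de9edad1842c9209f443bcea385d",
    },
    "kali.img": {
        "md5": "be61799f8eb2d98ff8874daaf572a1d5",
        "sha1": "f9c6a820349530350bbb902d17ae6b4a5173937c",
    },
}


def digests(path, chunk_size=1 << 20):
    """Compute MD5 and SHA-1 in a single pass (the image is gigabytes; read it once)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(path, expected):
    """Return (ok, mismatching_algorithms). Every published digest must match."""
    actual = digests(path)
    bad = [algo for algo, want in expected.items() if actual[algo] != want.lower()]
    return (not bad, bad)


def verify_download_dir(directory, expected=EXPECTED):
    """Check each expected file under directory; a missing file is a failure, not a skip."""
    results = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        results[name] = verify(path, want) if os.path.isfile(path) else (False, ["missing"])
    return results


def demo():
    """Run the checks on a constructed file so the logic can be exercised offline."""
    data = b"constructed sample, not the real Kali image\n" * 4096
    want = {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(data)
        good = verify(path, want)
        tampered = verify(path, dict(want, sha1="0" * 40))
        # sample.bin should pass; kali.img is not present and must be reported missing
        per_dir = verify_download_dir(d, {"sample.bin": want, "kali.img": want})
    return {"good": good, "tampered": tampered, "per_dir": per_dir}


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "/sdcard/kali"   # assumed location
    for name, (ok, bad) in verify_download_dir(directory).items():
        print(name, "OK" if ok else "FAILED: " + ", ".join(bad))
```

Run it from the Kali chroot or any machine with Python, pointing it at the directory holding the files. Matching MD5 and SHA-1 values tell you the bytes you have are the bytes the author published and that the transfer was intact; they do not tell you who built the image, since there is no signature, so they are only as trustworthy as the place you obtained the hashes from.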

Optional: If you want Terminal Emulator to open up and go directly to the chroot environment do as follows:
1.) Open up Terminal Emulator
2.) Go to preferences
3.) Tap on Initial Command
4.) Enter this: su -c "cd /sdcard/kali && sh kali"

Now if you tap on Terminal Emulator, you'll go directly to your Kali chroot environment. If you want to leave the environment and back to the Android command line, simply type exit.

Optional: If you want to access files under /sdcard/ from your Kali chroot environment, one way is to run an OpenSSH server on your Android device that listens on all interfaces. Then, inside the chroot, run mkdir /media/sdcard/ and connect to your SSH server on the loopback interface once so that its host key is stored. Then you can use a script like this in your chroot environment (or even edit your .bashrc file to run it automatically):

http://zitstif.no-ip.org/mountsdcard.py #You'll need to edit the username and password appropriately for your situation.

I should warn you that this Kali image is not set up with a window manager or really any GUI tools. In my humble opinion, you don't need a GUI to take advantage of Kali Linux. Using the terminal to access tools like nmap, netcat, w3af_console, sqlmap, xsser, and metasploit will be enough to get you started on a penetration test.

Once you're in the Kali Linux chroot environment, please do the following:

apt-get update && apt-get upgrade && msfupdate

In addition to setting up the Kali Linux chroot environment, here is a list of other tools, with a quick description of each, that I recommend you install:

2X Client - remote desktop client
AndFTP - FTP/SFTP client
androidVNC - VNC viewer client
AndSMB - Android Samba client
AnyTAG NFC Launcher - automate your phone by scanning NFC tags
CardTest - test your NFC-enabled credit cards
Checksum - basically a GUI front end for the md5sum and shasum tools
DNS Lookup - perform DNS and WHOIS lookups
Dolphin Browser - a browser that easily lets you change your User-Agent
DroidSQLi - automated MySQL injection tool
dSploit - Android network penetration suite
Electronic Pickpocket - wirelessly read NFC-enabled cards
Fast notepad - simple but useful notepad application
Find My Router's Password - the title explains it all (mostly default passwords)
Fing - very similar to the Look@LAN tool for Windows
Goomanager - see link for more information
Hacker's Keyboard - miss the easily accessible CTRL key? This app is for you
HashPass - translate text into hashes
Hex Editor - a very usable hex editor for Android
inSSIDer - wireless network scanner
Intercepter-NG - multi-function network tool: sniffer, cookie interceptor, ARP poisoner
Network Signal Info - basically a graphical tool for iwconfig
NFC Reader - used for reading various NFC technologies, including some keycards
NFC ReTAG - re-use/recycle write-protected NFC tags such as hotel key-cards, access badges, etc.
NFC TagInfo - another NFC reader
OpenVPN Connect - OpenVPN client
Orbot - Tor on Android
Packet Injection - poor man's GUI version of Scapy
ProxyDroid - use your SOCKS5 proxy with this application
Root Browser - great file manager for Android
Routerpwn - test how secure your router is
SandroProxy - kind of like WebScarab
Secret Letter - a poor man's steganography tool
SSHDroid - OpenSSH server for Android
SuperSU - manage which programs get root access
TeamViewer - remotely control Windows, OS X, and Linux-based systems
Terminal Emulator - no explanation needed
tPacketCapture - packet sniffer that doesn't require root
VirusTotal Uploader - test your malicious payloads
Voodoo OTA RootKeeper - maintain root access even after updates
WiFi File Transfer - access files on your phone from a web browser via an HTTP server
WifiFinder - simple wireless scanner
WiGLE WiFi Wardriving - wardriving/warwalking application

Of course this is probably not complete, but I believe this is a very good suite of tools to get one started. If you can think of any more tools or if you have any suggestions, please feel free to leave a comment below.

Cross-posted from zitstif.no-ip.org

http://zitstif.no-ip.org/?p=811

Mobile Security Processes Could Be Applied to Medical Devices: Bluebox
https://www.infosecisland.com/blogview/23147-Mobile-Security-Processes-Could-Be-Applied-to-Medical-Devices-Bluebox.html
Fri, 10 May 2013 00:15:00 -0500

Earlier this week, Adam Ely, COO and co-founder of mobile security startup Bluebox, commented on the security of medical devices. His comments focused on how the medical world is heading toward the adoption of mobile device technologies, and how mobile security measures could help protect patients and the devices they use.

Ely’s comments came via a PR pitch to Infosec Island’s sister publication, SecurityWeek, and were based on a DHS advisory written one year ago this month.

In the 2012 DHS alert, the agency warned that the expanded use of wireless technology on the enterprise network of medical facilities, along with the wireless utilization of medical devices, opens up both new opportunities and new vulnerabilities to patients and medical facilities.

The DHS warnings were echoed earlier this month by Mac McMillan, a former Department of Defense cyber-security analyst who is now the CEO of CynergisTek Security, in an interview with Government Health IT.

“More and more of our medical devices now communicate to the network, and more often than not they’re in a wireless network, as opposed to a direct connection. What that means is that our wireless networks need to be more secure than they’ve needed to be in the past...”

There are three main risks, McMillan explained, the first being patient safety. After that, there’s the integrity of the data itself, in terms of availability, and the integrity of the devices themselves, “...with respect to their susceptibility to compromise from other types of vectors, such as malware...”

Ely, in comments sent to SecurityWeek, disagrees with McMillan for the most part, noting that malware isn’t a big threat right now. However, his comments were based on the 2012 DHS advisory.

Before malware could become a threat, Ely added, attackers would have to write malware specifically targeted at these devices and organizations, or the devices would have to adopt standard platforms and software.

If standard platforms and software are adopted, then malware authors would be blindly attacking remotely accessible interfaces without knowing what they were, simply because they would be targeting the vulnerable software first and foremost.

“It stands to reason that the medical community would eventually adopt mobile device technologies, not only for convenience, but to meet the demands of their patients, who are accustomed to accessing data in all other areas of their lives (personal, work) on demand. It would also stand to reason that this adoption would increase vulnerability as mobile devices used in the medical field are in no way immune to the attacks faced by any consumer or corporate device,” Ely said in an email.

“Unfortunately, with the "always-on" nature of mobile devices and the rise in peer-to-peer communication, mobile data has quickly become a target. Previously, it had been hard to find these devices, but now that attackers have the ability to locate, attack, and compromise mobile devices they also have the ability to control an always-on mobile device — not only to steal the data, but also to use as a launch point for further attacks that may be difficult to track.”

With that said, Ely suggests a holistic approach to medical device protection. He encourages organizations to implement device-, application-, and data-centric controls, along with extending application security practices to mobile applications.

“Applying security across the entire mobile ecosystem, combined with secure development processes, will net the biggest risk reduction,” Ely concluded.

While it was written last year, the DHS advisory on risks to the healthcare and public health system is worth a read. The advisory is linked above, where it is hosted by PublicIntelligence.net.

The Emperor Is Naked!
https://www.infosecisland.com/blogview/23141-The-Emperor-Is-Naked.html
Thu, 09 May 2013 08:28:44 -0500

OMG THE DAM DATA!

Last week a report came out on Wired about how the ACE (Army Corps of Engineers) database was hacked by China and "sensitive" dam data was taken. By China; let that sink in for a bit, as there was no real attribution data in the story. Anyway, aside from the BOOGA BOOGA BOOGA headlines, I had to wonder just how hard it was for these "Chinese" hackers to get in and steal the all-important super secret DAM data. Given the nature of this type of site and the groups involved in generating, managing, and *cough* protecting it, I had a feeling that it would be rather easy to get the information without having to be uberleet. Sure enough, a quick Google Fu session showed me how easy it was to just bypass the login and password scheme as a proof of concept. You can see from the picture at the top of the page that you can just download what you like there (16 megs on dams alone) just by clicking a link on Google and then the link on the page that is not supposed to be served out without authentication.

*I feel so secure now*

So yeah, there you have it, and I still cannot understand how the media types paid no attention to my attempts to make them aware of this little factoid. See, here's the thing, kids: I didn't go any further. Nor did I download the 16 meg file because, well, no one else wants to be Aaron Swartz, right? I am sure they could even try to squash my nuts over this post alone, but hey, I am sick of the BS stories of China hacking us when in reality all one need do is GOOGLE the information. This is not to say that this information is the SAME information that was allegedly stolen by China, but it is a PROOF OF CONCEPT that the site, EVEN TODAY, is still insecure and leaking information without authentication!! (Yes, the above pic was taken today via a Tor node.) So, since I stopped there, one has to wonder: if you looked further and enumerated more of the site by directory walk, could you in fact get even more access?

Feel the derp burn...

OMG CHINA!

Meanwhile, back in the hallowed halls of Congress and the Pentagon, we have reports coming out in PDF that China is hacking our shit to gain a better "war footing" by taking such data as this story is all about. DAMS COULD BE BLOWN! WATER COULD LEAK! LIVES LOST! Yadda yadda yadda. If you were to take it seriously, then one would think that SECOPS demands this data be classified and protected per its classification. Obviously it wasn't, given the access you see above as well as the alleged password issue that the hack was allegedly predicated on in the Wired article. But I digress; I was meaning to talk about China. Yes, so the DOD puts out a report that subtly says the Chinese are no longer only looking to steal IP, but are now looking for ways to stalemate us in war.

*blink*

NO WAY! Like we aren't doing the same thing everywhere else as well? Derp! Look, it's only natural that they would be doing so and their doctrine says as much. Just go take a read of their doctrine on all things cybery and you will see that the domination of the infoscape is really important to them. We have only been paying attention for a little while now and we have catching up to do! Alas though, not all roads lead to China so really, I would love to see some attribution on this alleged hack on the dam data when one, once again, could just GOOGLE that shit up. As they say on the internets.. "Pictures or it didn't happen!"

OMG FAIL!

So here we are again. Our cybers are FAIL and the news media perpetuates more FAIL with their shallow articles on the problem. Maybe China stole some dam data. BIG WHOOP. The real story is that the site it came from, and the people watching it, are not paying attention to the cyberz. Their clue phone is broken! They do not know how to "Internet," and it is just another derpy hype cycle in the media that allows China to be blamed for our own stupidity. I swear somewhere there is a Chinese guy laughing like Chumley, rolling on the ground over this.

Smell our own fail kids... And weep.

Cross-posted from Krypt3ia

Related Reading: Military Database of U.S. Dams Compromised by Attackers

Infographic: Keeping Web Applications Safe
https://www.infosecisland.com/blogview/23146-Infographic-Keeping-Web-Applications-Safe.html
Thu, 09 May 2013 06:52:00 -0500

Continuing the security industry trend of publishing infographics, the folks at Enterprise Strategy Group on Thursday published an infographic that illustrates some of the challenges associated with web application security.

Data used to generate the infographic was based on a recent ESG survey of 200 IT and info security professionals at midmarket and enterprise organizations in North America, the company said.

According to the responses ESG received:

Web application volume is growing. One-quarter of organizations have more than 100 web applications in production today, and this number is expected to increase steadily over the next few years.

Organizations plan to increase their investments in application security testing tools. ESG uncovered organizations’ plans to increase web application security testing, with 78% planning to increase their investment and effort in static application security testing (SAST) and 58% planning to increase their investment and effort in dynamic application security testing (DAST) tools and services over the next 12-24 months.

Many organizations use Web Application Firewalls (WAFs) throughout their web application security testing. Advanced organizations are aggressively integrating DAST tools with WAFs. This is a leading indicator of an impending trend examined in detail in the ESG report.
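An added example of what "integrating DAST tools with WAFs" means mechanically, going beyond the one sentence above (this is not ESG's code, nor any scanner or WAF vendor's): read a scanner's findings and emit ModSecurity rules that virtually patch each vulnerable parameter until the application is fixed. The JSON export shape, the value_class field (supplied by the scanner or by a human triaging the finding), the rule id range starting at 900001 and the message format are assumptions. The ModSecurity directives and operators used (SecRule, chain, @beginsWith, @streq, @rx, @detectSQLi, @detectXSS) are real; the two libinjection-based operators need ModSecurity 2.8 or later.

```python
"""
Generate ModSecurity virtual-patch rules from DAST findings.

Added example, not ESG's or any vendor's code. The findings export is a
constructed JSON shape; the rule id range, value classes and message
format are assumptions. The ModSecurity directives and operators used
(SecRule, chain, @beginsWith, @streq, @rx, @detectSQLi, @detectXSS) are real.
"""
import json
import re

# Constructed DAST export: one finding per vulnerable parameter.
FINDINGS_JSON = """
[
  {"id": "F-1", "type": "sqli", "method": "GET", "path": "/products",
   "param": "id", "value_class": "integer", "evidence": "' OR 1=1--"},
  {"id": "F-2", "type": "xss", "method": "POST", "path": "/comments",
   "param": "body", "value_class": "text", "evidence": "<script>alert(1)</script>"},
  {"id": "F-3", "type": "info_leak", "method": "GET", "path": "/server-status",
   "param": null, "value_class": null, "evidence": "Apache Status"}
]
"""

RULE_ID_BASE = 900000   # assumed id range reserved for generated rules

# Prefer an allow-list on the parameter's expected shape: it blocks every
# injection variant, not just the payload the scanner happened to use.
ALLOW_LIST = {
    "integer": "!@rx ^[0-9]{1,10}$",
    "slug": "!@rx ^[A-Za-z0-9_-]{1,64}$",
}
# Fall back to libinjection-based detection for free-text parameters.
DENY_LIST = {
    "sqli": "@detectSQLi",
    "xss": "@detectXSS",
}


def operator_for(finding):
    """Pick the ModSecurity operator for a finding, or None if no parameter rule applies."""
    if not finding.get("param"):
        return None                      # e.g. an exposed path: needs a location rule, not this
    if finding.get("value_class") in ALLOW_LIST:
        return ALLOW_LIST[finding["value_class"]]
    return DENY_LIST.get(finding["type"])


def rule_for(finding, rule_id):
    """Render one chained SecRule: match path and method, then test the parameter."""
    op = operator_for(finding)
    if op is None:
        return None
    msg = "Virtual patch %s: %s in %s %s param %s" % (
        finding["id"], finding["type"], finding["method"], finding["path"], finding["param"])
    msg = re.sub(r"[^\w ./:-]", "", msg)   # keep quotes and commas out of the msg action
    return "\n".join([
        'SecRule REQUEST_URI "@beginsWith %s" "id:%d,phase:2,deny,status:403,log,msg:\'%s\',chain"'
        % (finding["path"], rule_id, msg),
        '    SecRule REQUEST_METHOD "@streq %s" "chain"' % finding["method"],
        '    SecRule ARGS:%s "%s" "t:none"' % (finding["param"], op),
    ])


def generate(findings_json, base_id=RULE_ID_BASE):
    """Return (rules, skipped_finding_ids). Skipped findings need a human, not a generated rule."""
    rules, skipped = [], []
    for i, finding in enumerate(json.loads(findings_json)):
        rule = rule_for(finding, base_id + i + 1)
        if rule is None:
            skipped.append(finding["id"])
        else:
            rules.append(rule)
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = generate(FINDINGS_JSON)
    print("\n\n".join(rules))
    print("\n# needs manual handling:", ", ".join(skipped))
```

The loop closes when the scanner is run again with the rules deployed and the finding no longer reproduces; a virtual patch is a stopgap that buys time, and the finding stays open until the application code is fixed. Findings without a parameter (F-3 above) are deliberately not turned into rules, because a blanket path block is a deployment decision, not something to generate blindly.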

 

Do You Have a Vendor Security Check List? You Should!
https://www.infosecisland.com/blogview/23127-Do-You-Have-a-Vendor-Security-Check-List-You-Should.html
Thu, 09 May 2013 06:13:02 -0500

So a vendor calls you and wants to sell you a new application that, they claim, will help your organization be more secure and increase productivity. Good thing you have that vendor security checklist, so you can see whether this new application and vendor conform to the security controls your organization has put in place. Wait… you don’t have a checklist or know what one is? Let me help you with that.

A security checklist is a list of security controls that a vendor or application must meet. These controls can range from how storage backups are to be done to password complexity requirements. Having a checklist helps you decide whether the application or vendor conforms to your company’s security requirements.

When reviewing the checklist and analyzing the vendor’s answers, if you see gaps or have questions, make sure you call the vendor and get your questions answered. Making sure that the vendor or application conforms to your company’s security controls is a must, and a vendor security review should really be done yearly, or at the very least every other year.

So this information is great you say, but how do I go about creating a security checklist?

Resources for creating a security checklist can be found on the National Vulnerability Database website as well as on the Computer Security Division’s pages on the NIST website.

Creating a vendor security checklist can be a difficult task, but with help from the websites above and a review of your company’s policies you should be able to create a list that will help you decide whether a vendor or application conforms to your company’s security requirements.

The Year of the Security Standard
https://www.infosecisland.com/blogview/23142-The-Year-of-the-Security-Standard.html
Thu, 09 May 2013 00:07:00 -0500

Often in the security field we hear the question asked, “Who’s watching the watchers?” It occurred to me recently that one might make a similar rhetorical quip about other aspects of our field – in particular, the question of “Who’s standardizing the standards?”

I wrote a piece last month, titled SANS Twenty Critical Controls as an Information Security Standard of Care. The article was inspired by several conversations I had been having with some lawyer types regarding how the legal system is starting to catch up with information security, and how the notion of a standard of care is becoming a major factor in evaluating an organization’s level of liability in a post-security event scenario.

There are dozens of standards that address issues of adequate information security, some of which are general and meant to be applied widely and some which are specific to a particular industry vertical. While compliance mandates have legal teeth of their own, to an extent it is still largely up in the air as to which of the standards the courts will turn to when determining if an organization was making good faith efforts to maintain a minimally acceptable security program.

In the article, I noted that the Twenty Critical Security Controls – also commonly known as the SANS 20 Critical Security Controls, the Center for Internet Security (CIS) 20 Critical Controls, and the Consensus Audit Guidelines (CAG) – may have emerged as a leading contender after the Cybersecurity Law Institute recently anointed it as the “de facto yardstick by which corporate security programs can be measured.”

A friend who happens to be the CSO for a large Fortune 500 company shot me a somewhat terse but friendly series of emails inquiring as to why – between my article and the series my associate Adam Montville is doing on the 20 Critical Controls – we as a company were so enamored with the SANS 20.

“You have a voice in the industry. People are listening. You and Tripwire have a responsibility to do the right thing,” they advised. “We need to think and then act. Not just blindly trust because it’s something that we think that we know, but have never truly verified.”

While I would not go so far as to say we as a company are wholly invested in the 20 CSC, we are in a unique position after our acquisition of nCircle to boldly assert that we are the leading network security provider with solutions to address the first four of the 20 CSC, a point which I relayed to my associate. After a series of impassioned exchanges, I asked if they would consent to a guest post or interview on the matter. As much as they wanted to, they could not due to extenuating circumstances, some of which I cannot go into here.

“Unfortunately, cybersecurity is a very sensitive issue for my public affairs team and we’re at the crossroads to possible regulation in many sectors, including mine, so I can speak with you, but not officially and you can’t directly quote me,” they said.

They did, however, consent to my using some of the exchange if attributed anonymously. Aside from the fact that the 20 CSC are mainly being promoted by a for-profit organization with a stake in their adoption, my friend’s main gripe is that the 20 CSC are merely technical controls and not holistic enough to address the issues facing organizations where information security is concerned.

“For many years, we have all come to know and trust the SANS Top 20 as a point of reference for good technical controls to address the security problem. A technology-only approach won’t really help in the long run,” they said. “We all know that security is a balance of People, Process, and (then) Technology.”

While that is absolutely true, this sentiment is coming from a professional who administers a program at a much more mature stage than most organizations. As I mentioned in the previous article, this set of standards was developed by the NSA at the request of the Defense Department in an effort to remediate the most common network vulnerabilities that accounted for the greatest number of attacks, which makes the 20 CSC the best place for an organization to start.

They then pointed out that the 20 CSC were not meant to be an all-encompassing standard, which is quite true. “It was never meant to be a standalone body of work. OWASP Top 10 works with it. So do PROCESS-oriented security frameworks such as FISMA, COBIT, and ISO 27001,” my CSO friend explained.

“ISO 27001 is doable by most if they took the same time to implement it as they would the CAG; it’s much more holistic, and truly internationally adopted. The governments of Germany, Japan, etc. have adopted ISO,” they continued.

And they are right, ISO has a tremendous presence internationally. So that got me wondering why the ISO standards have not gained more ground here in the U.S., and, given that they are more holistic in nature as my CSO pal pointed out, why it was that the 20 CSC seemed to be gaining ground over ISO with the American legal community.

I was out to dinner in London with some associates during the week of the Infosecurity Europe conference last month when I brought the topic up to Dan Houser, a well-known mover and shaker in the industry with a string of letters after his name as long as my arm, and who also happens to be a sitting member of the (ISC)2 Board of Directors.

I joked that 2013 had yet to be christened as “The Year of…” something, and suggested perhaps this is the year of the standard. Much to my surprise, Dan responded that I might be on to something – proving once again there is always a first time for anything.

Over several subsequent conversations, Dan and I tossed around the idea of doing a series of articles examining not only the various standards that have evolved over the last twenty years, but the entire process of standardization that the industry is going through, and will continue to go through for who knows how long.

Dan’s very apt observation was that it is akin to the process in other disciplines, and he pointed to the fact that the art of medicine is thousands of years old, but it was only one century ago that it actually became “standardized,” which plays directly into my original premise of defining an infosec “standard of care.”

We are not sure exactly where we will end up going with this series, and that is kind of the point. This is a young industry, and although the effort to set standards began almost on day one, there is still a lot of room for dialogue, consensus and disagreement – as illustrated by my to-remain-unnamed CSO friend.

Cross-Posted from Tripwire's State of Security Blog

Copyright 2010 Respective Author at Infosec Island
Three Reasons Why a One-Size-Fits-All Secure SDLC Solution Won’t Work
https://www.infosecisland.com/blogview/23140-Three-Reasons-Why-a-One-Size-Fits-All-Secure-SDLC-Solution-Wont-Work.html
Wed, 08 May 2013 11:26:44 -0500

When we ask security contacts at our enterprise clients “What software development methodology does your company use?” they usually pause for a moment and answer “everything.”

Individual development teams tend to adopt processes that work best for them. Heterogeneous development processes wreak havoc on plans for adopting enterprise-wide secure SDLC efforts. There are at least three reasons why development teams within the same company have different development styles:

  • Business needs: Large companies are often composed of units in different kinds of business. For example, a large media conglomerate could have Internet providers, movie studios, and a retail store division. The customers, employees and supply chain of each business unit also differ, often impacting the way software is developed or procured. Developers at the brokerage department of a bank might work at warp speed to get incremental improvements on trading times, whereas the retail group might be very careful about the pace of change.
  • Growth through acquisition: Many corporate acquisitions include the acquired company’s software and development teams. Each company likely had a different corporate culture that impacted the way their respective teams worked. For example, a small start-up software shop may value developer autonomy and lack of process while a larger software vendor may value risk management and accountability. The former may lean towards a self-organized team without formal project management while the latter may have a central Project Management Office (PMO).
  • Software type: Teams that ship software on embedded devices are often very careful about requirements analysis because the cost of shipping an update is sky-high. On the other hand, teams that build ecommerce web portals may deploy hundreds of changes every day and spend very little time in requirements planning.

Security practitioners should keep this in mind when designing a secure SDLC effort. Forcing a security process on development teams that doesn’t take into account the way they develop software is a recipe for disaster. A good goal for a secure SDLC is to minimize the impact on each team’s existing software development practice, which may mean investing more time up front to give development teams options on how to bake in security in a way that works for them.

Cross-posted from the SD Elements blog.
