Category: May 2019

Tuesday, May 7th, 2019

A bug in Mirai code allows crashing C2 servers

DuckDuckGo proposes “Do-Not-Track Act of 2019” to require sites to respect DNT browser setting

‘Matrix’-Themed Ransomware Variant Spreads

Transcript:

[00:00:00] Welcome to Security on the Bayou. It is Tuesday, May 7th, 2019. Hope everybody had a wonderful weekend.

All right, let's kick things off here. First off, from Security Affairs, by Pierluigi Paganini: a bug in Mirai code allows crashing C2 servers. So as you may know, the Mirai botnet is out there and it's taking over IoT devices like crazy. It's hard to go anywhere and not hear about Mirai now when it comes to botnets. So it's prevalent. It's across the world, but apparently it has a bug which, according to this article, the bad guys have known about for a while, and they actually use this to take down a rival botnet, which is fairly interesting. So essentially what this bug is, is that the C2 server crashes when someone tries to connect to it using a username sequence of 1,025-plus characters. So this happens because the function within the code sets the byte limit at 1024. So if you do a thousand and twenty-five, it will crash the server. So, you know, that in and of itself is neat, right. But what this article goes on to talk about is why isn't somebody just running a script to constantly check to see if these C2 servers are up. I know Bad Packets tracks these things. Why isn't somebody just pinging them, seeing if they're up, and then if they are, you take them down? Well, unfortunately, that would be illegal. But I would say, well, what they're doing is illegal as well. Right. So, you know, two can play this game. Why not just go get a bulletproof server, spin up this script, and start pounding these things and taking them down? I'm not going to do that. I've got enough to do in my life, but I'm not saying... you know, I'm not saying it's a bad idea. So you can go check that article out; it's really quick and easy. There's a link to the GitHub, although if you don't know, the Mirai sources are out there. Just go search for it on Google; I'm sure it's been forked a thousand times. It's pretty neat to read through the source code on the GitHub repos.
There's a list of usernames and passwords, so a fun project you can do that's not illegal: if you've got a web server, you can pull that list in and see if anybody... see what the hits are; there are some unique usernames that are being used. So a little project for you if you've got a web server running, whether on AWS or something like that. All right.

Next, from Security Boulevard: DuckDuckGo proposes the Do-Not-Track Act of 2019 to require sites to respect the DNT browser setting. So for those that don't know, Do Not Track is essentially a way of telling the website that, no, I don't want you to track my activity across the browser, across the site that I'm on; you're not allowed to do that. Some browsers have this, but it doesn't necessarily mean the sites are going to respect those wishes. So this act would do two things. No third-party tracking by default, which means that websites wouldn't be allowed to use hidden trackers anymore on the sites that you visit. So on average, when you go to a site there are, you know, 15 or 20 different trackers running in the background that are collecting data, whether it be Facebook, Twitter, Instagram, all the social medias, or even in-house trackers. One way to sort of combat that right now, that I use personally, is called Ghostery. So it'll tell you, for instance... actually, let's do this on Security Boulevard right now. There are 12 trackers. I see Google. I see Disqus, HubSpot Forms, Google Tag, HubSpot, Gravatar, AddToAny, Twitter button, Twitter syndication. So I mean, and that's a security website. Imagine, you know, a bad website and how many trackers are out there. So you can use something like that to currently protect yourself from this to an extent. The next part of this would be no first-party tracking outside what the user expects. They gave a great example of this; I'm just gonna read it right here. For example, if you use WhatsApp, its parent company Facebook wouldn't be able to use your data from WhatsApp in unrelated situations like for advertising on Instagram, also owned by Facebook. As another example, if you go to a weather site, it could give you the local forecast but not share or sell your location history.
So this is an extremely common practice, and this is one of the reasons that these companies go and buy all this stuff up. Facebook went and bought WhatsApp because it has a massive user base. Right. And that just feeds right into its advertising. So that's a separate conversation, but you've got to be on the lookout for this stuff. Understand where the software you're using comes from and how it's connected. For, you know, most folks that have used WhatsApp in the past have now shifted away from WhatsApp for this exact reason. If you've created an Instagram account lately, you'll know that it asks you to use your Facebook account or associate your Facebook account. So know what you're using when you use things on the internet. Don't talk to strangers either.

Next. This is your sort of funny of the day. This one is from Dark Reading, one of my favorite websites. Kelly Jackson Higgins writes: 'Matrix'-Themed Ransomware Variant Spreads. So this is... it's called MegaCortex. At this point I think, can we just call it standard ransomware? But this isn't standard; it's just ransomware. The ransom note is read in the voice of Laurence Fishburne's character Morpheus from The Matrix, which, you know, I want to hear that; it'd be pretty funny. I'm gonna go track that down. Maybe I'll find it; I'll play it for you guys. So what it is, instead of asking for Bitcoin, Ethereum, whatever it is they're asking for these days for monetary value, it is asking for consultation on how to improve your company's cybersecurity, and a promise that taking the attackers up on that will guarantee they won't attack you again. I'm calling bullshit on that right away. So this is something that Sophos found. Apparently whoever these people are that are doing this, they conducted 47 attacks in a 48-hour period, so clearly they're trying to make money; they're just trying to do it in a different way. I hope to God that this isn't some security consulting firm out there trying to drum up business, because this is the fastest way to go out of business. So, interesting read; there's some details in here about what makes it different. They're using domain controllers, and they're snagging credentials off the domain controllers to do a lot of this, and then they also see this being dropped by Emotet. So if you have Emotet, you should already be cleaning them, but here's another reason to do that. All right, folks, that's it. That is our day today. It is what it was today. It is Tuesday, May 7th, 2019; this is Security on the Bayou. Everybody have a wonderful day. We'll talk again tomorrow.

Friday, May 3rd, 2019

McAfee Survey Finds IT at Cybersecurity Fault Most

President Trump Signs EO to Bolster Federal Digital Security Workforce

A MYSTERIOUS HACKER GROUP IS ON A SUPPLY CHAIN HIJACKING SPREE

Transcript:

[00:00:00] Hello folks, it is Friday, May 3rd, 2019, and here is today's security news first.

[00:00:06] Let's start with securityboulevard.com, from Michael Vizard. The title is "McAfee Survey Finds IT at Cybersecurity Fault Most." First things first, that headline: terrible. I clicked it because it said McAfee, and it intrigued me to try to figure out what the hell he's talking about. So here it is. This week McAfee published a survey they conducted of 700 professionals working in organizations with over 1,000 employees, entitled Grand Theft Data II. All right, if you've been in the industry long enough you know what these reports are going to boil down to, right. They're going to try and sell you something at the end of the day. But what I want to bring up, what is interesting about this report, is something that hasn't come up before but is probably 100 percent spot on: the report finds 52 percent of respondents claim IT is at fault when a data leakage event occurs, versus twenty-nine percent who say business operations. So essentially what they're saying, all these IT professionals, is that more often than not it's the IT professional's fault and it's not the user, which is common in this industry; it's extremely common to try and blame the user for our issues, right. One of the reasons that this number is higher is that there is more opportunity for an IT professional to mess something up. All it takes is one misconfigured server. Right. And then there you go. You may have a back door open and boom, daily. Right. So this, you know, this directly speaks to what you hear all the time: people, process, technology, right. For sort of, you know, the people part of the thing, we know what we've got to do there. It's all about training and building these people up to make sure they have the right skill sets. But if they don't have the right processes in place to help them, then, you know, they're screwed. All right. So I think that's it here.
You know, this article goes on to talk about CASB and EDR tools, all of which are things that McAfee would love to sell you. Let's move on from there.

[00:02:06] Speaking of people, process and technology, the next one, a big one, coming to the White House today. This is from tripwire.com, although you could find this probably anywhere; it's on CNN, Fox News, all over the place. "President Trump Signs EO to Bolster Federal Digital Security Workforce." This one by David Bisson. So President Trump is signing an executive order on America's cybersecurity workforce. So they realize that there is a skills gap within the cybersecurity workforce, whether it be in the federal government or even in the public sector, so they're doing a few things. Obviously, this is more about the federal government. They are going to develop a digital security rotational program within 90 days. This program's purpose is to enable federal IT and digital security practitioners to receive temporary assignments in the Department of Homeland Security and vice versa, thereby facilitating the exchange of knowledge, training and experiences. So this is something that gets talked about in good practice all the time within a security organization: that you should be rotating people around. Nine times out of ten it never happens. So this is the White House making that happen for these folks. So I mean this, in my opinion, nothing but good can come from this. Ninety days to create that program and make it a sustainable program seems a bit far-fetched, but, you know, more power to them; see if they can get it done. If done correctly, this can do a lot of good for the federal cybersecurity workforce. And this is not just... which is pretty interesting.
I'm curious to see where this goes. It's called the President's Cup Cybersecurity Competition, which is going to be not just for government employees, but also it sounds like they're going to let third-party contractors that are in the cybersecurity space compete in this as well. So they're talking about, you know, cash prizes, days off, which, if you've never been in the military or the federal government, that's a thing; they award you with a day, you know, a week off or whatever. I'd rather have the cash, personally. And then another thing they're doing, which is not listed in this article but, as you know, I saw in another one I read, was that they're also going to start doing some programs where they're going to award elementary and junior high teachers for their accomplishments in cybersecurity education, which I think is great; start them young, right. I mean, this industry is new enough now that this quote-unquote cybersecurity, for most of the people that are in their prime, if you will, this is stuff that came about when they were late in high school or college, right. It didn't necessarily exist at that time. And those that have been around for quite a while, they started out as IT folks. They were not cybersecurity, quote unquote, people. So I think this is good stuff. I really hope this works out. I'm rooting for it; should be good. We'll see what happens.

[00:05:00] Next. This is a long article, and I'll give you a quick recap of it, some things I pulled out that I thought were interesting, but go read this; this is sort of an exposé. This is from wired.com: "A Mysterious Hacker Group Is on a Supply Chain Hijacking Spree," by Andy Greenberg. Yeah, I guess they're mysterious, but you're gonna know the name, either known as Barium, ShadowHammer, ShadowPad, or Wicked Panda. So that right there, Wicked Panda, should give you an idea of where these folks are based. So these are the folks that will be blamed for hijacking the software update stuff from ASUS and then also this CCleaner tool issue. And so one of their attacks, their tactic here, is sort of a spray-and-pray tactic, which harkens back to the Russian submarine force back in the day, where they didn't necessarily aim; they just shot as much as they could to hope to hit something and take something else out. Right. So that's sort of what's going on here with their attacks: they're just spraying it everywhere, collecting the data, seeing what they have that looks interesting, and then going after that. So it's, I mean, it's a tactic that has worked in the past in many different things, not just cybersecurity, submarine warfare as well. And then in the article, they interviewed some folks, and, you know, they claim that if they were to try and deploy ransomware, sort of like NotPetya, yeah, it would be even more destructive around the world. So I don't necessarily disagree; I'd like to dig into that a bit more before I really get into some of this. Those are the three articles for the day.

[00:06:41] One last thing, a quick update. The other day we talked about the ICS security stuff with California and Utah. Well, apparently some more information has come out. It's still a little fuzzy here, but there was a denial of service attack, but no service was disrupted. No, no service or production was disrupted. So why that report was filed, we're still kind of unsure, I guess; within the organizations in these states, everybody's pointing fingers, saying hey, we didn't do it. Did you guys do it? Who filed this thing; where did it come from? So there's some question as to what happened here, but it appears that there was a denial of service and there was no disruption to service or production. So I think all's well that ends well, and on that one there is clearly some process and procedure issue that they've got to figure out there. All right folks, thank you. It is Friday, May 3rd, and this is Security on the Bayou. Everybody have a wonderful weekend. We will talk again on Monday.

Thursday, May 2nd, 2019

Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again

Putin Signs Controversial Internet Law

We dunno what’s worse: Hackers ransacked Citrix for FIVE months, or that Equifax was picked to help mop up the mess

Transcript:

[00:00:00] Good morning folks, it is Thursday, May 2nd, 2019, and here's today's security news.

[00:00:05] First things first, from SecurityWeek by AFP: "Putin Signs Controversial Internet Law." So today Putin signed this sovereign internet bill into law in Russia, which would essentially do a few things. One of those is it creates a central point of entrance and exit out of the country for the country's Internet traffic. A lot of criticism of this bill comes from its vagueness in the way it was written. A lot of people are trying to claim that this will create an avenue to censor the voice and opinion of the folks on the Internet in Russia. I don't necessarily disagree, and I don't think this is one of those where we have to see how it plays out. This is pretty well bad off for everybody involved. You know, I try not to get too deep into the privacy stuff on this thing, as it's a security podcast, but it's sort of part of the deal. So for this one, I'm going to steer away from the privacy aspect of this, and I want to try to sort of ask a few questions about the security aspect of this. One of those being: if there is a central point of entrance and exit for all internet traffic coming from Russia... Now, attribution is already really hard, especially for the regular non-government agencies. So this, my assumption is, will make it extremely difficult, because now they can control more heavily what they can and will mask in and out of that country. So, you know, common tactics of hopping VPNs or different boxes upon boxes around the world, that's common, I think. Obviously, they use it. Everybody uses it. I think that having this central point of entrance and exit is gonna make it extremely difficult for there to be any further additional attribution for anything Russian related. You know, this comes on the heels of last year when the federal government essentially said that Russia meddled in the elections and it was their fault.
So this feels like a response to that, in such that they say, well, you figured out who it was; well, good luck finding out next time. So we'll keep an eye on this; we'll see what happens. You know, this reminds me a lot of when net neutrality was repealed the first time; all these companies said, oh well, we'll never actually, you know, use these stipulations that are in here; we're still for the consumer. This feels a lot like that, right. We know that eventually, at some point, they're going to use this for the wrong reasons. OK, let's stop on that; let's move on.

[00:02:40] Next, from The Register, by Iain Thomson in San Francisco: "Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it's Cisco again." So Cisco issued a fix yesterday for their 9000 Series Nexus switches. Excuse me: Cisco Nexus 9000 Series Application Centric Infrastructure mode switch software; that is a mouthful. Anyway, a piece of software on one of their switches. There was a backdoor into it, and it was caused by, let me get this right, a default SSH key pair hardcoded into the software. So, understandably, people make mistakes. That's a pretty big mistake. We talked about default passwords yesterday and the IoT law that's coming out of the UK. Clearly, anything default is bad, because once you get it on one of them, you've got access to everything. So they are... now it's patched. You know, this is an interesting article because the author immediately turned it right into the Huawei stuff, so he got back to the point, but I know there's clearly another incentive here in this article. But nonetheless, Cisco patched a vulnerability due to SSH key management not being up to par; they're doing me wrong. That is not easy. That is... it's not a hard problem to solve. There's plenty of solutions for it. It's a hard problem to continue to solve, and to get developers and train people to do things the right way.

Next, from The Register, by Iain Thomson, still in San Francisco: "We dunno what's worse: Hackers ransacked Citrix for FIVE months, or that Equifax was picked to help mop up the mess." So yesterday we talked about the Citrix breach and how their employees' information was stolen, while more and more is coming out about this: six terabytes of data were pulled out. They suspect that some of that was not just employee data but was also intellectual property, you know, any business documents, sort of like crown jewels sort of stuff. But here's the deal: so, as you guys know, we've all had our accounts taken over, identity issues. So when this happens there's always free credit monitoring offered for the employees or the users, whoever it may be. Well, in this case, Citrix has chosen to go with Equifax, which is just dripping with irony considering everything that happened with Equifax not even two years ago at this point. And so my question is, there are three of these credit reporting agencies; there's plenty of other consumer credit reporting agencies out there, companies, third-party companies that do this. You had to pick Equifax? You couldn't just go with one of the other two? That's... you had to pick Equifax. Something stinks here, from my perspective. All right. I know I got my rant on today. Thank you for listening. I appreciate it. I hope you get as upset about this stuff as I do, because it just motivates me to go out there and change things. Today is Thursday, May 2nd. This is Security on the Bayou. Thank you for listening; everybody have a wonderful day.

Wednesday, May 1st, 2019

Phone and laptop searches at US border ‘quadruple’

Plan to secure internet of things with new law

A ‘Cyber Event’ Disrupted the Power Grid in California and Wyoming, But Don’t Panic Just Yet

Hackers went undetected in Citrix’s internal network for six months

Transcript:

[00:00:00] Hello folks, it is Wednesday, May 1st, 2019, and here's today's security news.

First, from BBC News: "Phone and laptop searches at US border 'quadruple'." That's a lot; quadrupling, that's four times, that's a lot. In 2018 there were 33,295 searches at the border. So this is all coming out because the EFF and the ACLU have filed a lawsuit alleging that these are warrantless and unconstitutional searches. So this is what I would call a pretty big deal in the privacy world. One of the things that we know is that when you go through the border there's a lot of things that can happen to you physically and to your stuff, right. I don't think anybody likes having their cell phone touched, or their laptop. It sucks, right. It's no fun. You know, I don't have anything to hide, but the last thing I want is somebody else going through my stuff. So obviously there is a spot for this in quote-unquote protecting the country, and it's needed at certain points. But how far is too far? I really think that's what the crux of the issue is here. So, an interesting article here from the BBC. I'll try and keep up with it; it seems like it's in its infancy. But I'll see if I can't keep track of it and give you guys some updates on it. Next.

Also from the BBC: in the UK they have proposed a piece of legislation to regulate IoT manufacturers. The title of that article is "Plan to secure internet of things with new law." So I don't know the full process of, you know, law in the UK, or something becoming a law. But I do like the basis of this. It's a start. It's not perfect, but it will get where we need to go. It's three things they want to implement. First, every IoT device comes with a unique password by default. So no more default passwords of "default" or "password" or "Password" with a capital P. Right. That's one of the big issues we see in the hacking of all these routers: every Linksys device out there has the same default password, right. Well, not necessarily IoT, but you get the point, right. No more default passwords. Second, state clearly for how long security updates would be made available. This is great. This means you're not going to buy a product and then it's going to go out of warranty, or no more support after a year. Right. What does that timeline look like? In the enterprise world this helps big time with scheduling tech refreshes. Right. We don't want to buy a product that's going to not be supported in two years if we can get the same thing for the same price for five years, so on and so forth. Third one: offering a public point of contact to whom any cybersecurity vulnerabilities may be disclosed. This is also big, because a lot of these smaller companies don't have that out there available. So now if a researcher finds a vulnerability, it just doesn't go and float in the wind on Reddit or Twitter, right. They can go report these things in proper fashion so that they can be fixed. These all seem like no-brainers, but apparently they're not, because they're going to have to enact a law in the UK to fix some of these things. Hopefully this moves across the pond. We'll see. Time will tell.

Next, from Motherboard: "A 'Cyber Event' Disrupted the Power Grid in California and Wyoming, But Don't Panic Just Yet." So the Department of Energy has a program called the OE-417; it's the electric emergency and disturbance report. So these electric providers are required to report any time that they have an emergency or a disturbance. So this was listed in one of those. And there's really no detail at all; it just says a cyber event in California, Kern County; Los Angeles County; Utah, Salt Lake County; Wyoming, Converse County. So something happened in those three counties. We're not really sure; a cyber event that causes interruption of electrical system operations. So the key here is that there wasn't an interruption. But what... while this is all good, well, they reported it. What I find the most interesting thing about this article is my new discovery that OE-417 is a thing and everybody has access to it. So in this article, go click on the link and you'll see there is a link to the Department of Energy's OE-417 forms and submissions page, which, any time one of these is filed, you can go and look at. So it's just an interesting item to add to your toolbox of knowledge, right. If you have a question or you think something may have happened, well, here you go. Here you go look. Now there is some stuff around what they... it's some gray area about what they will and won't report. Obviously, if it's, you know, the critical infrastructure and it's super important to the plant and, you know, it's a vulnerability, it's probably not going to be on here. But in any case, it's some visibility into what goes on. So this is a good thing.

Last but not least, from TechCrunch and Zack Whittaker: "Hackers went undetected in Citrix's internal network for six months." All right. Nobody freak out. It was Citrix's internal network, nothing to do with their products. So as bad as this may sound, it's just another breach. The employees' information was stolen at this point. This is run-of-the-mill, every day. This caught my eye because it's Citrix. This is not just some random little company. This is Citrix. I would be hard pressed to find an enterprise in this country that does not have some form of a Citrix product. So even the people we think are the most secure and that we can trust the most in the products we use all the time, even they are vulnerable to bad things happening. It's just part of the world we live in this day. All right folks. That's it for today, Wednesday, April 1st. Everybody have a wonderful day.