
Security On The Bayou

Monday, May 20th, 2019

Sophos tells users to roll back Microsoft’s Patch Tuesday run if they want PC to boot

Slack Bug Allows Remote File Hijacking, Malware Injection

TeamViewer Confirms It Was Hacked in 2016


Hello, friends, it is Monday, May 20th, 2019, and here’s today’s security news. First off, from The Register in the UK: Sophos tells users to roll back Microsoft’s Patch Tuesday run if they want their PC to boot. This is written by Gareth Corfield. So Sophos has released a statement that says, hey, if you’re using our product and you want to use your computer, you have to roll back the Microsoft patches. That seems like a bad idea if you ask me. So not just, like, one patch; all of the patches, the full Patch Tuesday kit, they want you to roll it back. And to top things off, when asked if they had a plan, or what’s going to happen, how are they going to update, what’s going on, they said: Sophos is working diligently on determining the issue and will provide ongoing customer guidance. Not “we will have an update for you in a week,” or “give us three days,” just “hey, we’re working on it.” So if this was any other regular Patch Tuesday for Microsoft I wouldn’t be too concerned with it. But this was a pretty big deal; we talked about this, that one of the vulnerabilities is wormable, just like they used in WannaCry, WannaCrypt, whatever you want to call it. So it’s a pretty big deal and it affects everything all the way down to Windows XP. They even released patches for Windows XP. So this isn’t just some run-of-the-mill, all right, remote code vulnerability. This is a pretty big deal. So, interesting; I hope Sophos fixes this quickly. It’s been a bad couple of weeks in general for every provider, with everything that happened with McAfee and Trend and Symantec last week with their source code, and now this with Sophos. It’s tough to be a vendor right now.

All right. Next, from threatpost.com: Slack bug allows remote file hijacking, malware injection. So a researcher from Tenable, David Wells... I apologize, this article is written by Tara Seals. A researcher from Tenable named David Wells discovered a bug in Slack desktop version 3 2 3 7 4, Windows only, that essentially allows an attacker to post a link into a Slack channel that is used to download a document; essentially, in that protocol, it allows them to change the destination of where that file is located to a local SMB share, therefore downloading something other than intended. So somebody could put in a link to a Google Doc and all of a sudden that link now turns into an SMB file share, and you’ve downloaded a good piece of malware. So there it is: remote exploitation, both authenticated and unauthenticated users, malware and more. I mean, it goes into detail here. And as you know, Slack is pretty large. So this is mitigated currently by upgrading to the next version, three top to zero. So I highly... I mean, this has obviously already been fixed. So go upgrade your Slack client on Windows if you’re using it. Interesting that we don’t see a ton of Slack stuff. So next, from SecurityWeek by Eduard Kovacs: TeamViewer confirms it was hacked in 2016.

This should not come as a surprise, with as many issues as TeamViewer has had over the years. One more thing for them. So apparently they were targeted in 2016 by a piece of Chinese malware, we’ll just call it that for now. Or let me rephrase that: a piece of malware that is commonly used by the Chinese. They go on to talk about how they did their full, you know, they did the research, they did the forensics and everything, and nothing was stolen. So the direct quote: “Independent experts conducted a thorough investigation using all IT forensic resources available and found no evidence that the security of our users or their IT systems was affected in any way.” Yeah, I take those with a grain of salt, right. I know there are a lot of good forensics people out there, everywhere you go. I just, sometimes you just wonder, right, are there things that you didn’t see? There probably are. So we’ll take that statement with a grain of salt. Once again: TeamViewer confirms it was hacked in 2016. All right, folks, that’s it for Monday, May 20th, 2019. Everybody have a wonderful week. Hey, it’s a three-day weekend for those in the United States coming up, so just finish strong, right, and if you’re taking off Friday, whew boy, a four-day weekend, so everybody finish strong. Have a good week and we’ll talk tomorrow.

Thursday, May 16th, 2019


‘GozNym’ Banking Malware Gang Dismantled by International Law Enforcement

Russian government sites leak passport and personal data for 2.25 million users


Welcome to Security on the Bayou. It is Thursday, May 16th, 2019. And here’s today’s security news and why it matters to you.

First off, big news of the day. This article is on Wired; one thing in this article, you could Google it and find it almost anywhere, probably even on your local news: Google replaces Titan security key over a Bluetooth flaw. This is written by Lily Hay Newman. Essentially there is a flaw in the Titan key with the BLE that could allow an actor to intercept and relay signals, including credentials. So while there is a flaw, or a misconfiguration, in this piece of hardware, in reality this attack would be extremely difficult to pull off. You’re going to have to be within 30 feet of someone using a key. You’re also gonna have to already know their username and password. But if you have both those things and you’re able to pull this off, you can get access to the user’s machine and their account locally. So it is dangerous. The fact that you could do this, you know, increases the danger associated with this account, or with this attack. And, you know, one of the things they point out in this article is that those people that are using this type of thing are probably extremely security conscious and really, really worried about this. So, a good part on Google: they’re going to replace it with a new version that does not have this issue; it’s going to have a three on the back. I take it back: anything with T1 or T2 on the back, they will replace. So if you’ve got one, go get it replaced. And also, good for you for using something like this.

Next, from The Hacker News by Mohit Kumar: GozNym, G-o-z-N-y-m, banking malware gang dismantled by international law enforcement. So this was a multinational group from Bulgaria, Germany, Georgia, Moldova, Ukraine, the United States, Eurojust and Europol. They were able to bring down this big banking malware Trojan group, cybercrime network, whatever you want to call it, a bunch of bad guys with the malware stealing money. They’re responsible for stealing nearly a hundred million dollars from 41,000 victims across the globe. Anytime I see one of these I get excited. This is good stuff. I mean, any cooperation between multiple countries, multiple law enforcement agencies, this is just good for the world in general, for people. You know, it’s one less thing you have to worry about; there’s already enough going on in this world that you have to worry about, your money getting stolen; the last thing you want is your money stolen while you’re on the Internet. So they were able to get these guys. One of them has green hair, which is interesting, sort of fitting; the other one’s wearing a black beanie. I mean, if there are hackers, these are them, right. Proof: super hackers, one of them’s got some [unintelligible], it’s perfect. It fits the profile exactly; how they didn’t catch him earlier, I don’t know.

Next, from ZDNet: Russian government sites leaked passport and personal... let me try again. Russian government sites leak passport and personal data for 2.5 million users. Written by Catalin Cimpanu for Zero Day. So this is an interesting article. This researcher found that he was able to collect PII, is what I would call it, for Russian folks: employees, government employees, citizens and high-ranking politicians, from all these different sites that have passport information or a SNILS, which is the equivalent to a Social Security number here in the United States. So he did the responsible thing. He found all this, he wrote it up and reported it to the Russian government, and the Russian government said no, it’s all good, it’s supposed to be public information. And then he went to the press. And now they’ve gotten a hold of the story, obviously. So it’s interesting: a couple of times they’ve come back and said no, no, no, it’s all good, this is supposed to be out there. Which makes you wonder what the Russian government is, you know, defining PII as. In my mind, if the U.S. government said no, everybody can have your passport information and your Social Security number, it’s OK, we would lose our collective minds. So I don’t, you know, I don’t know if this is just a misstatement by the Russian government or if somebody really just doesn’t know what’s going on over there. So they were notified eight months ago. So plenty of time to fix it. I think, you know, this guy did his due diligence, right. He, you know, he alerted all the right people and they chose to do nothing about it. So that is your security news for the day. This is Security on the Bayou and it is Thursday, May 16th, 2019. Everybody have a wonderful day; we’ll talk tomorrow.

Wednesday, May 15th, 2019

Baltimore Ransomware Attack Takes Strange Twist

UPDATE NOW! Critical, remote, ‘wormable’ Windows vulnerability

Israeli TV’s Eurovision webcast hijacked by hackers. Hamas blamed


Hello, friends, welcome to Security on the Bayou. It is Wednesday, May 15th, 2019, and here’s your security news for the day.

First things first, from Sophos’ Naked Security blog. You know this is one of my favorites. Title is: Update now! Critical, remote, ‘wormable’ Windows vulnerability. So normally I would just skip right over Patch Tuesday because it’s everywhere all the time. It’s not even Patch Tuesday anymore; what do we even call it anymore, Windows Update day? I don’t know. Anyways, this is written by Mark Stockley. And the reason I’m calling this out today is because there is a vulnerability in the Remote Desktop Services that is wormable. So the reason this is important is because wormable essentially means that it can spread throughout the network. This is the same type of thing that happened with WannaCry, the ransomware. So this is actually a pretty big vulnerability; they’re all big, right, but this one has a large impact across the environment. This isn’t something that will just cause you a single remote code execution in a browser or something like that, an isolated incident. This could potentially affect the entire network of your enterprise. So if you haven’t patched yet, go ahead, go through the cycle. I know for most large enterprises it’s not a day-of thing, right; you get a good test and it’s going to be a month to a quarter. But this is one of those that you want to put a high priority on and push through change control probably as quick as you can: get it tested, get it out in the next week or so, protect your network.

All right. Next. This is also [unintelligible]; ransomware is everywhere. Maybe I’m seeing it, maybe I’m obsessed with it, I don’t know. But we’re going to keep talking about it. So if you didn’t hear last week, Baltimore, the City of Baltimore, had a ransomware attack. And normally I would just gloss over it, move on, right, because it’s just another city with another ransomware attack. Well, this one gets a little bit more interesting today because on the old tweet box somebody posted a tweet that essentially is dark pictures of documents that would have been from the city. So not only is there ransomware here, but it appears that there was a fairly large data breach. So this is significant because the hacker is asking for about 76,000 dollars and they’re saying that after 10 days they will no longer pass them the decryption keys. So after 10 days, theoretically, all these systems could get wiped out. Which is interesting. So they have 10 days. You know, my guess would be that if they don’t get paid they’re going to wipe all the systems and they’re probably going to dump all these documents. Now, if you have nothing to be afraid of... well, that’s not the right mentality. This is just not good in general for the City of Baltimore. So one of the things when I was reading this article is, like, we know where all this is happening, but how many other cities or municipalities or counties or whatever? And so actually in this article this person, she read my mind, Kelly Jackson Higgins, she read my mind and listed all of the other places it happened. So it’s one of 22 state and local government entities so far in 2019. So I’ll read them off: Washington, Pennsylvania; Amarillo, Texas; Cleveland airport, Cleveland, Ohio, I guess the city center; Augusta, Maine; Stuart, Florida; Imperial County, California; Garfield County, Utah; Greenville, North Carolina; Albany, New York; Jackson County, Georgia; the school system of Taos, New Mexico; Del Rio, Texas; Atlanta, Georgia; and Leominster, Massachusetts, just to name a few. So it’s happening, it’s out there, and that’s all just in 2019, and it’s only May. So these are going to keep going up. I imagine that you’ll probably see, there’s a lot of cities, right. They’re going to keep going after these guys, especially if you’re unpatched.

All right. Next, from Graham Cluley, which is a great blog. Well, my favorite... I’ve probably said his name wrong, right, I don’t know if that’s right or not. Anyway: Israeli TV’s Eurovision webcast hijacked by hackers, Hamas blamed. So I’m not going to dig into this too much; I just find it interesting. This is like something you’d see on Mr. Robot, right: they took over the broadcast in Israel and played their own message. What that message is, let’s see here. Oh, it was essentially a... it’s a warning symbol that says: risk of missile attack, please take shelter. Israel is not safe, you will see. So, you know, taking advantage of the fear in people; so interesting that they would do this. I mean, that continues to escalate over there with everything going on. Not that it’s ever going to de-escalate anytime soon, I’m afraid. All right. So that is Wednesday, May 15th, 2019. Everybody have a good week; it is Wednesday, we’re almost to the weekend; keep pushing forward, get those patches out, get rid of the ransomware already, what are we doing. All right, everybody have a good week. We’ll talk tomorrow.

Tuesday, May 14th, 2019

Update WhatsApp now! One call could give spies access to your phone

Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw.

FBI Detects New Surveillance Malware Linked to North Korea’s Lazarus Group


[00:00:00] Hello, folks. Welcome to Security on the Bayou. It is Wednesday... Wednesday. It’s not Wednesday. It’s Tuesday, May 14th, 2019, and here’s the security news and why it matters to you.

So if you’ve been living under a rock this morning you may not know that WhatsApp has a fairly severe vulnerability. Essentially what happens here is there’s a vulnerability in the VoIP stack that allows somebody to call your phone via that number, right, via WhatsApp, and get remote code execution. There’s a buffer overflow vulnerability here. So I’m not going to dig too much into what a buffer overflow is, but go look it up. Essentially they’re able to call you, create a buffer overflow and run remote code. That’s bad. That means they can essentially own your phone, and what’s been happening is they’ve been using this to install malware on phones. So if you have WhatsApp on your phone, go update it. So, you know what, actually, at this point, you might as well just uninstall WhatsApp. I’m going to do bad radio right now; I’m going to go to my phone. I’m going to find WhatsApp. Where you at, WhatsApp? You can tell how often I use it; it’s updating, so I can’t even actually delete it. But as soon as I’m done with this I’m gonna delete WhatsApp. I’m done. I’m over it. I’ll move. I’ve already moved, pretty much, to Signal anyways. I am done with WhatsApp. I recommend you do the same thing. If you listened a couple of weeks ago, we talked about how Facebook is integrating WhatsApp into the Messenger platform. It’s just going to get worse, folks. Get rid of it. Be done with it. Move on. It’s my official recommendation. This article is everywhere; the one I’m looking at is from Naked Security. This one’s written by Mark Stockley. But anywhere you go, just Google WhatsApp today, you’re going to find it. All right.

Next, from bitdefender.com: FBI detects new surveillance malware linked to North Korea’s Lazarus Group. So, if you may remember, last month or so there was some malware called HOPLIGHT which targeted critical infrastructure. So we’re talking power generation, high-tech manufacturing, the lights, the water, anything that is critical to the operations of the country and your daily life. It was called HOPLIGHT. It was going after critical infrastructure. There’s a new one in and it’s called ELECTRICFISH, a surveillance weapon. So essentially what this does is allow them to create a tunnel on the machine and run a proxy so they can actually trade data. And, I assume, push additional malware, persistent malware, to the endpoint. This is also not good. I mean, if this is targeting critical infrastructure, that’s never good. But, you know, we’re starting to see this more and more and more, and all those ICS/SCADA guys out there are yelling right now, saying, Chris, it’s been going on forever. Yes, I know, but now it’s more in the limelight. People are starting to see it more and more; we talked a few weeks ago about the issue that happened [unintelligible], while not a nation-state, but it’s becoming more and more prevalent across the country and the world. It’s not going to stop. It’s not going to slow down. There’s a reason critical infrastructure protection is in place at a government level.

All right, next. This one is from... if you don’t follow Bad Packets on Twitter, I highly recommend it. They release these really cool reports about the Mirai botnet, about how many new machines are seen every once in a while. It’s pretty cool. But at the end of the day, they are all about IoT botnets, network abuse, an emerging threat. So they do a lot of scanning and monitoring. And this one is entitled: over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw. So you’re thinking to yourself, what do you mean, what is going on here? We all know that IoT devices, routers, are vulnerable, right. Yes. But this is a bit different. This is a little bit easier than what you may be thinking of. So the steps are actually in here; this is pretty simple, and I recommend, if you have a Linksys router, give this a shot. It’s pretty simple. You put the public IP address in the web browser, you go and you open your... hit F12, if you’re on, like, Chrome or something like that, to get to the developer console; you go to the network tab, you look for a JNAP and you open it, and it starts to leak out information such as MAC address, device name and operating system. So that’s how you would do it in the GUI fashion, right. But then they’ve also got on here a one-liner that is pretty simple. I mean, it’s shorter than a tweet. It’s not long at all: an X-JNAP-Action header, the URL, and then that’s it. So now you’re able to grab the MAC address, device name and operating system of all the devices that are on that network, and we’re not talking about just one or two, right. We’re talking about the whole thing. So the whole internal home network, which is not necessarily in and of itself bad, right. Well, this is bad, right. This isn’t something that they can use directly to own your system or own your network, but what it does is it enables them to do some recon on what’s on your network before they go after it. So they can more tailor their attacks, as opposed to just, like, a spray-and-pray method on the network of trying everything and anything. Now they know that you are running Windows 7, right. Let’s go find the easiest vulnerability I can for Windows 7 and start there. So once again, make sure your firmware is up to date. They’re calling it ShadowHammer. Let’s see, is there a [unintelligible] that did it? Are there other ones? The specific models are listed here too. There’s maybe 35 or so. Where are they located? Here we go, here’s a list of names. The United States has 11,000. Where’s the issue? Is there good news? Oh, I didn’t know this. Over half the vulnerable Linksys Smart Wi-Fi routers currently have automatic firmware updates enabled. That’s good. So if they push a new update you’ll be fixed. So go check and make sure that your router is up to date. Hopefully there’s a new firmware for it. Hopefully that fixes it; if not, just pray. There’s not a lot you can do. This is where we start to rely on the vendors, right. All right, folks, I think that does it. It is Tuesday, May 15th, 2019. This has been Security on the Bayou.

Friday, May 10th, 2019

U.S. charges Chinese national in hacks of Anthem, other businesses

Two crypto-mining groups are fighting a turf war over unsecured Linux servers

Bumper Crop of New Briefings Added for Black Hat USA


[00:00:06] All right, first things first, from Reuters, by Diana Childs how, editing by Susan Thomas and Peter Cooney. So I don’t know why they needed two editors; it’s, like, four paragraphs. The U.S. charges Chinese national in hacks of Anthem and other businesses. So a federal grand jury charged a Chinese national in a 2014 hacking campaign that affected large U.S. businesses, including Anthem. So we all remember Anthem was a pretty big breach. It was right on the tail of a lot of large breaches, so it got a lot of attention; a lot of PII, obviously not great. So this, they call it an extremely sophisticated hacking group, stole nearly 80 million people’s worth of data from Anthem. So, obviously, quite a bit. It included birthdays, names, Social Security numbers, street address, email address, employment information including income data. So a Chinese national has been charged. I don’t see anything in here about this person being extradited. We know how that goes. It’ll probably never happen. This is a shot across the bow, but attribution is tough. More power to these people for being motivated to do this. It’s a good thing.

[00:01:17] From ZDNet by Catalin Cimpanu: two crypto-mining groups are fighting a turf war over unsecured Linux servers. So there are two large crypto-mining groups out there called Pacha and Rocke. I’m probably pronouncing both of those wrong, but currently they both have developed their own malware, which is not necessarily anything new. You know, bad guys do that. That’s what they do. That’s why they’re bad guys. But they’re using this malware in order to mine Monero on the end. So, and obviously they’re going back and forth with each other, so one guy, you know, they pop a box and they rip the other person’s malware off, and it just keeps going back and forth, back and forth, to gain, quote unquote, market share, which is interesting. I mean, everything has a market share, right. So one of the interesting things here is they’re mostly going after cloud-based services due to the amount of resources that those machines have. Makes perfect sense, right. I mean, imagine if you could pop a box that could scale automatically based on load, right. I mean, it probably wouldn’t last long, but that’d be an interesting one. So some interesting notes in here: one of the newest ways they are getting into these boxes is with the Atlassian Confluence Server vulnerabilities that got released in March. So apparently they’re using three separate ones to really do this, and this Rocke group has an advantage because their malware is more superior, because it has the ability to uninstall cloud-based security products, which is interesting; so it can go on a box and, as root, remove the AV. And it’s also removing the competitor’s malware. So, let’s see, there was one other thing in here. Oh, there: exploit portfolio, systems that they’re going after: Jenkins, Confluence, Apache Struts, JBoss and others. So those are all... we know all of those systems have a lot of vulnerabilities. So if you have them, protect them; make sure they’re good to go. Hopefully none of those systems are... at least your Confluence, I don’t know why it would be Internet-facing. But anyways, here we go, next. And this one is pretty light, but it is almost hacker summer camp time, which means hopefully you’ve got all your papers submitted. Black Hat has announced 50-plus new briefings today. This article comes from Dark Reading; obviously, Black Hat, Dark Reading. Can’t believe they announced it on Dark Reading. It’s called: bumper crop of new briefings added for Black Hat USA, written by Black Hat staff. So they highlight a few of these big ones. Here’s what they’ve got on here. Trust and Transformation: The Post-Breach Journey, so you’re gonna learn about the Home Depot and Equifax breaches, which are, you know, those are big breaches, so that’ll be an interesting one. And the next, Inside the Apple T2, which is the inner workings of the Apple T2 security chip, so if you’re into hardware hacking and that kind of stuff, that’ll be a good one for you. And then next, Bruce Schneier. That’s pretty big. He’s gonna have a talk called Information Security in the Public Interest. I would highly recommend, if you’re going to be at Black Hat, go see this. I don’t know how often he speaks; this is the first time I’ve heard of him speaking in public, at least at something like this. So go check him out, a very smart guy. Don’t be surprised if half of what he says goes straight over your head; it does for a lot of people. Even the smartest people in this industry have a hard time grasping all the concepts he can put out in one small piece of time. Very smart guy. So that’s it for today. Nice easy day; it’s a wet day here in Houston. I hope everybody has a wonderful weekend and we’ll talk on Monday.

Thursday, May 9th, 2019

Breach Incidents on Record Pace for 2019

C-level executives increasingly and proactively targeted by social breaches

IT Specialist Convicted on Cyber Hacking Charges Sentenced


[00:00:00] Good morning, friends. It is Thursday, May 9th, 2019, and this is Security on the Bayou. Hope everybody’s having a wonderful week; two more days, you’re almost done, get there; it’s going to be a beautiful weekend, hopefully, wherever you are. All right.

First up, from securityboulevard.com by Ericka Chickowski: breach incidents on record pace for 2019. So this is an interesting report. And this is again one of those articles that you’re going to find multiple people reporting on throughout the industry and all over the news, right. So in quarter one of 2019 there were 1,903 data compromise incidents exposing more than 1.9 billion records. Obviously this sounds like a lot, because it is a lot. Let’s compare it to last year, 2018: the volume of reported breach incidents was up 56 percent in one quarter, and exposed records were up by nearly 30 percent. That’s a huge jump year over year. That’s, I mean, that’s really, really... 56 percent and 30 percent anywhere else, if percentages jump like that, usually you’re getting rich, right. Not here; this is bad news, it’s gone backwards. And some more perspective on this. Usually, between 2009 and 2016, the average records exposed in one quarter was right around 100 million to 200 million. So in 2015 there was a larger number. 2015, I don’t remember exactly what was breached then, but I’ll look that up for you guys. So there, I mean, there’s been a huge increase; you go from 100 million to 200 million and then you go to a billion in less than two years. That’s significant. That’s quite a bit. This just goes to show you it’s not stopping. It’s not slowing down. People are continuing to get breached. So you’ve got to do your part, right, protect yourself. So I don’t want this to be a scare tactic. You know, you shouldn’t be scared by some of this stuff. This is just information you can use to go make things better. Right. Put this in your tool belt and move along.

Next, from helpnetsecurity.com; the title of the article: C-level executives increasingly and proactively targeted by social breaches. Normally this is not something I would have included. I mean, this is sort of a no-brainer: C-level executives are getting phished, whaled, vished, whatever you want to call it, pretty consistently over time, over forever, right. It’s just something that’s going to continue to happen, surely because of the amount of access to information they have. But here we go. This again came from the Verizon DBIR; we’ll start to see more and more stuff. People will start digging in this and pulling out little nuggets here and there, so I’m not going to read one of these every day, hopefully, but for a while you’re going to be hearing about this stuff. So senior executives are 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in previous years. So once again this is big because of the increase year over year: 12 times and nine times more likely than they were last year. That’s significant. Once again, that’s significant, so there are things you have to be focusing on, right. You know, you don’t need to go buy all these fancy technical solutions, right, and the security tools and DLP and CASBs; I mean, eventually, in order to mature your organization, you should, right. But at the end of the day, one of the biggest things is your IT hygiene, right. What are your helpdesk processes to investigate phishing? What are you patching? How are you filtering emails? Real basic sort of business operations items, right. So IT hygiene; it always comes back to IT hygiene. Right. Do the small things right to build upon and build your organization up, right. You can’t have a good... you can’t build a big house if you ain’t got a good foundation; create a good foundation for your house. Next.

I like this one. If you’re ever on Reddit, or just out in the world, you know people always talk about what would you do if you got fired from this job. You know, people that really hate their job always end up, you know, “I’m going to delete everything, I’m going to take everything down, I’m gonna hack this,” right; “I’m going to write a script that’s going to blow up the machine,” right, I’ve heard that one before. Here it is, from SecurityWeek via the Associated Press: IT specialist convicted on cyber hacking charges is sentenced. You may or may not remember this, but there’s a gentleman named Edward Soybel. He was convicted by a federal jury in December on 12 counts of computer hacking. The 35-year-old Soybel of Chicago acted after the industrial supply company fired him in 2016 for, quote unquote, unprofessional conduct and punctuality issues. So he was late and he was an asshole, so essentially he got fired and he decided, well, if that’s the case, I’m going to take down everything I can. Guess what: still illegal. Now he’s in jail for three years. So there you go. Don’t do it. It’s pretty simple, right. One of the principles of life: don’t be an asshole and you’ll be OK. All right, folks, I hope you learned something today. Put something in your tool belt and take it back to work with you. Everybody have a wonderful Thursday; it is May 9th, 2019; this is Security on the Bayou.

Wednesday, May 8th, 2019

LulZSec and Anonymous Ita hackers published sensitive data from 30,000 Roman lawyers

CIA camps out in anonymized Tor network

Highlights from the Verizon DBIR 2019


[00:00:00] Welcome, friends. It is Wednesday, May 8th, 2019, and here’s today’s security news.

[00:00:07] First things first, let’s start with this from Security Affairs by Pierluigi Paganini, who I think wrote an article yesterday, if I remember correctly. This one is entitled: LulzSec and Anonymous Ita hackers published sensitive data from 30,000 Roman lawyers. So Ita here standing for Italian. So they were able to collect the data of 30,000 different lawyers over there, all with personal information and evidence of access to PEC accounts, which is the certified email account; so it sounds like all of the lawyers in Italy are given a certified email account, which sort of makes sense, for audit purposes and, you know, regulatory stuff. So keep that going. It appears that maybe the actual target of this was the mayor of Rome, Virginia Raggi, who is a member of this group. So I originally, when I first saw this headline, I assumed they were, you know, they were on the warpath for maybe the Catholic Church, but it appears not. I’m going to do some more research on this, but the reason that they did this is: “we want to remember our friends arrested a few years ago and make them understand that we are Anonymous, we are legion.” So I don’t know who our friends are from a few years ago; I’ll look around, but it’s an interesting hack from LulzSec, who, you know, we hear stuff from occasionally, LulzSec slash Anonymous; you know, pretty much the same thing at this point. But this is probably one of their larger hacks in quite some time, so it appears they’re back. Maybe they’ve reorganized a little bit, or just maybe some new motivation; that’s probably the correct answer there. Next. Yep.

 [00:02:03] So this one’s fun, from ZDNet by Charlie Osborne, and this is one of those articles where this just happens to be the link I found; it’s going to be everywhere, it’s all over the place. The title of the article is CIA camps out in anonymized Tor network. So the CIA has spun up their own onion version of the CIA’s Web site at really-long-address dot onion. So it’s a mirror image of the standard Web site. But the CIA says that creating this version meets the agency’s intelligence collection mission by being secure, anonymous and untraceable. If you believe any of those last three words, I’ve got some beachfront land in a desert to sell you. Secure, anonymous and untraceable, and CIA, and onion, all in one sentence. I just have a hard time believing this. I don’t even believe that their intentions are pure here. I think there’s something going on here, and there has to be. It’s the CIA. That’s what they do. They try to make you believe that everything is hunky-dory, and in the background they’re actually doing something nefarious. Let’s call it nefarious. So you best believe I’m going to go check this thing out. It’s curious, right? I want to go see it, and then I’ll just burn my laptop. I don’t know. I’ll probably do this in a virtual machine; that’s what I’ll end up doing. Even though it’s probably not going to matter. So, an interesting article from ZDNet about the CIA’s new Tor Web site.

 [00:03:42] Next, from The State of Security on Tripwire by Tim Erlin, highlights from the Verizon DBIR 2019. So I’m not going to read this whole article, but for those that don’t know, Verizon year over year releases a report called the Data Breach Investigations Report. It’s sort of an industry standard at this point. I look forward to it pretty much every year. Do I? I don’t know. It’s usually a pain in the ass, but I like reading it every year because there’s usually some good findings in there. Essentially what it is, they send these surveys out to people across the industry that work in security all the time, and they let them know sort of what happened in their world that year. So for instance, let’s see, let me pick one of the things out of here, the grid. There were six hundred and eighty-four information incidents related to denial of service. So don’t forget what this thing is. This graph, this matrix I guess it would be, that they built; there’s a specific name for it, but it’s interesting because it breaks down incidents and breaches by pattern, action and assets. So in that same one, the information incidents had 684 denials of service, seven hundred ninety-six were classified as hacking, 874 were servers. So, you know, there are different categories in here; like under asset you have user development, server, person, network, media, kiosk slash terminal. So in that report they define all this stuff. There are always usually some interesting things that come out. Apparently, here we go, this is right off the top, so I will give you a little bit of it: health care has the most problems with miscellaneous errors, a departure from most other sectors. That’s interesting. I mean, health care has a huge M&A aspect to it. So anytime you start putting that much M&A into it, things get hairy, but banks also do a lot of that. So why don’t they have the same problem?
So anyway, there’s always some interesting things in here, but always take into account, right, humans wrote this down, and no matter how many times they read a definition of something they may get it wrong. Like the difference between malware and hacking, misuse, social, error and physical; one can lead to the other, right, all the time. And where does phishing fall in there, right? Is it hacking or is that malware? It could also fall into social, obviously. So there’s a lot of things that can change in here, but it’s a good report. Go find it. Once again, it’s the Verizon DBIR, Delta Bravo India Romeo. Romeo, Romo, hey, Tony Romo. OK. I think that’ll do it. It is Wednesday, May 8th, 2019. Everybody have a wonderful day; we’ll talk again tomorrow.

Tuesday, May 7th, 2019

A bug in Mirai code allows crashing C2 servers

DuckDuckGo proposes “Do-Not-Track Act of 2019” to require sites to respect DNT browser setting

‘Matrix’-Themed Ransomware Variant Spreads


 [00:00:00] Welcome to Security on the Bayou. It is Tuesday, May 7th, 2019. Hope everybody had a wonderful weekend.

All right, let’s kick things off here. First off, from Security Affairs by Pierluigi Paganini: a bug in Mirai code allows crashing C2 servers. So as you may know, the Mirai botnet is out there and it’s taking over IoT devices like crazy. It’s hard to go anywhere and not hear about Mirai now when it comes to botnets. So it is prevalent, it’s across the world, but apparently it has a bug which, according to this article, the bad guys have known about for a while, and they actually use this to take down rival botnets, which is fairly interesting. So essentially what this bug is, is that the C2 server crashes when someone tries to connect to it using a username of 1025-plus characters. So this happens because the function within the code sets the byte limit at 1024. So if you do a thousand and twenty-five, it will crash the server. So, you know, that in and of itself is neat, right? But what this article goes on to talk about is why isn’t somebody just running a script to constantly check to see if these C2 servers are up. I know Bad Packets tracks these things. Why isn’t somebody just pinging them, seeing if they’re up, and then if they are, you take them down? Well, unfortunately, that would be illegal. But I would say, well, what they’re doing is illegal as well, right? So, you know, two can play this game. Why not just go get a bulletproof server, spin up this script and start pounding these things and taking them down? I’m not going to do that. I’ve got enough to do in my life, but I’m not saying, you know, I’m not saying it’s a bad idea. So you can go check that article out; it’s really quick and easy, and there’s a link to the GitHub, although, if you don’t know, the Mirai source is out there. Just go search for it on Google; I’m sure it’s been forked a thousand times. It’s pretty neat to read through the source code on the GitHub repos.
There’s a list of usernames and passwords, so a fun project you can do that’s not illegal: if you’ve got a web server, you can monitor that and see what the hits are; there are some unique usernames that are being used. So a little project for you if you’ve got a web server running, whether on AWS or something like that. All right.

Next, from Security Boulevard, this one by strong got a lady: DuckDuckGo proposes Do-Not-Track Act of 2019 to require sites to respect DNT browser setting. So for those that don’t know, Do Not Track is essentially a way of telling the Web site that no, I don’t want you to track my activity across the browser, across the site that I’m on; you’re not allowed to do that. Some browsers have this, but that doesn’t necessarily mean sites are going to respect those wishes. So this act would do two things. No third-party tracking by default, which means that Web sites wouldn’t be allowed to use hidden trackers anymore on the sites that you visit. So on average, when you go to a site, there are, you know, 15 or 20 different trackers running in the background that are collecting data, whether it be Facebook, Twitter, Instagram, all the social medias, or even in-house trackers. One way to sort of combat that right now, I use it personally, is called Ghostery. So it’ll tell you, for instance, actually let’s do this on Security Boulevard right now. There are 12 trackers. I see Google, I see Disqus, HubSpot Forms, Google Tag Manager, HubSpot, Gravatar, Add Any, Twitter Button, Twitter Syndication. So I mean, that’s a security Web site. Imagine, you know, a bad Web site and how many trackers are out there, so you can use something like that to currently protect yourself from this to an extent. The next part of this would be no first-party tracking outside what the user expects. They gave a great example of this; I’m just gonna read it right here. For example, if you use WhatsApp, its parent company Facebook wouldn’t be able to use your data from WhatsApp in unrelated situations, like for advertising on Instagram, also owned by Facebook. As another example, if you go to a weather site, it could give you the local forecast but not share or sell your location history.
So this is an extremely common practice, and this is one of the reasons that these companies go and buy all this stuff up. Facebook went and bought WhatsApp because it has a massive user base, right, and that just feeds right into its advertising. So that’s a separate conversation, but you’ve got to be on the lookout for this stuff. Understand where the software you’re using comes from and how it’s connected, for, you know, most folks that have used WhatsApp in the past have now shifted away from WhatsApp because of this exact purpose. If you’ve created an Instagram account lately, you’ll know that it asks you to use your Facebook account or associate your Facebook account, so know what you’re using when you use things on the internet. Don’t talk to strangers either.

Next. This is sort of your funny of the day. This one is from Dark Reading, one of my favorite Web sites; Kelly Jackson Higgins writes ‘Matrix’-themed ransomware variant spreads. So this is called MegaCortex. At this point I think, can we just call it standard ransomware? But this isn’t standard; it’s just ransomware. The ransom note is written in the voice of Laurence Fishburne’s character Morpheus from The Matrix, which, you know, I want to hear that; it’d be pretty funny. I’m gonna go track that down. Maybe I’ll find it and play it for you guys. So what it is, instead of asking for Bitcoin, Ethereum, whatever it is they’re asking for these days for monetary value, it is asking for a consultation on how to improve your company’s cybersecurity and a promise that taking the attackers up on that will guarantee they won’t attack you again. I’m calling bullshit on that right away. So this is something that Sophos found. Apparently, whoever these people are that are doing this, they conducted 47 attacks in a 48-hour period, so clearly they’re trying to make money; they’re just trying to do it in a different way. I hope to God that this isn’t some security consulting firm out there trying to drum up business, because this is the fastest way to go out of business. So, interesting read; there are some details in here about what makes it different. They’re using domain controllers, and they’re snagging credentials off the domain controllers to do a lot of this, and then they also see this being dropped by Emotet. So if you have Emotet, you should already be cleaning that up, but here’s another reason to do that. All right, folks, that’s it. That is our day today. It is what it was today. It is Tuesday, May 7th 2019, and this is Security on the Bayou. Everybody have a wonderful day. We’ll talk again tomorrow.

Friday, May 3rd, 2019

McAfee Survey Finds IT at Cybersecurity Fault Most

President Trump Signs EO to Bolster Federal Digital Security Workforce



[00:00:00] Hello folks, it is Friday, May 3rd 2019, and here is today’s security news.

[00:00:06] Let’s start with Security Boulevard dot com, from Michael Vizard. The title is McAfee survey finds I.T. at cybersecurity fault most. First things first, that headline is terrible; I clicked it because it said McAfee, and it intrigued me to try to figure out what the hell he’s talking about. So here it is. This week McAfee published a survey they conducted of 700 professionals working in organizations with over 1000 employees, entitled Grand Theft Data II. All right, if you’ve been in the industry long enough, you know what these reports are going to boil down to, right? They’re going to try and sell you something at the end of the day. But what I want to bring up, what is interesting about this report, is something that hasn’t come up before but is probably 100 percent spot on: the report finds 52 percent of respondents claim I.T. is at fault when a data leakage event occurs, versus twenty-nine percent who say business operations. So essentially what all these I.T. professionals are saying is that more often than not it’s the I.T. professional’s fault and it’s not the user, which is uncommon in this industry; it’s extremely common to try and blame the user for our issues, right? One of the reasons that this number is higher is that there is more opportunity for an I.T. professional to mess something up. All it takes is one misconfigured server, right, and then there you go. You may have a back door open and boom. Right. So this, you know, this directly speaks to what you hear all the time: people, process, technology, right? For sort of, you know, the people part of the thing, we know what we’ve got to do there. It’s all about training and building these people up to make sure they have the right skill sets. But if they don’t have the right processes in place to help them, then, you know, they’re screwed. All right. So I think that’s it here.
You know, this article goes on to talk about CASB and EDR tools, all of which are things that McAfee would love to sell you. Let’s move on from there.

[00:02:06] Speaking of people, process and technology, the next one is a big one coming out of the White House today. This is from Tripwire dot com, although you could find this probably anywhere; it’s on CNN, Fox News, all over the place. President Trump signs EO to bolster federal digital security workforce. This one by David Bisson. So President Trump is signing an executive order on America’s cybersecurity workforce. So they realize that there is a skills gap within the cybersecurity workforce, whether it be in the federal government or even in the public sector, so they’re doing a few things. Obviously, this is more about the federal government. They are going to develop a digital security rotational program within 90 days. This program’s purpose is to enable federal digital security practitioners to receive temporary assignments in the Department of Homeland Security and vice versa, thereby facilitating the exchange of knowledge, training and experiences. So this is something that gets talked about as good practice all the time within a security organization, that you should be rotating people around; nine times out of ten it never happens. So this is the White House making that happen for these folks. So I mean this, in my opinion, nothing but good can come from this. 90 days to create that program and make it a sustainable program seems a bit far-fetched, but, you know, more power to them; we’ll see if they can get it done. If done correctly, this can do a lot of good for the federal cybersecurity workforce. And that’s not the only thing, which is pretty interesting.
I’m curious to see where this goes. It’s called the President’s Cup cybersecurity competition, which is going to be not just for government employees, but it also sounds like they’re going to let third-party contractors that are in the cybersecurity space compete in this as well. So they’re talking about, you know, cash prizes, days off, which, if you’ve never been in the military or the federal government, that’s a thing; they award you with a day or a week off or whatever. I’d rather have the cash, personally. And then another thing they’re doing, which is not listed in this article but, as you know, I saw in another one I read, is that they’re also going to start doing some programs where they award elementary and junior high teachers for their accomplishments in cybersecurity education, which I think is great. Start them young, right? I mean, this industry is new enough that this quote-unquote cybersecurity, for most of the people that are in their prime, if you will, is stuff that came about when they were late in high school or college, right? It didn’t necessarily exist at that time. And those that have been around for quite a while, they started out as I.T. folks. They were not cybersecurity, quote unquote, people. So I think this is good stuff. I really hope this works out. I’m rooting for it; it should be good. We’ll see what happens.

[00:05:00] Next. This is a long article, so I’ll give you a quick recap of it, some things I pulled out that I thought were interesting, but go read this; this is sort of an exposé. This is from Wired dot com: a mysterious hacker group is on a supply chain hijacking spree, by Andy Greenberg. Yeah, I guess they’re mysterious, but you’re gonna know the name, either known as Barium, ShadowHammer, ShadowPad or Wicked Panda. So that right there, Wicked Panda, should give you an idea of where these folks are based. So these are the folks that will be blamed for hijacking the software update stuff from ASUS and then also the CCleaner tool issue. And so one of their tactics here is sort of a spray-and-pray tactic, which harkens back to the Russian submarine force back in the day, where they didn’t necessarily aim; they just shot as much as they could, hoping to hit something and take something else out. Right. So that’s sort of what’s going on here with their attacks: they’re just spraying it everywhere, collecting the data, seeing what they have that looks interesting, and then going after that. So I mean, it’s a tactic that has worked in the past in many different things, not just cybersecurity, submarine warfare as well. And then in the article they interviewed some folks, and they claim that if they were to try and deploy ransomware, sort of like NotPetya, it would be even more destructive around the world. So I don’t necessarily disagree; I’d like to dig into that a bit more before I really get into some of this. Those are the three articles for the day.

[00:06:41] One last thing, a quick update. The other day we talked about the ICS security stuff with California and Utah. Well, apparently some more information has come out. It’s still a little fuzzy here, but there was a denial of service attack, but no service was disrupted. No service or production was disrupted. So why that report was filed, we’re still kind of unsure, I guess. Within the organizations in these states, everybody’s pointing fingers, saying hey, we didn’t do it, did you guys do it? Who filed this thing, where did it come from? So there’s some question as to what happened here, but it appears that there was a denial of service and there was no disruption to service or production. So I think all’s well that ends well on that one; there is clearly some process and procedure issue that they’ve got to figure out there. All right folks, thank you. It is Friday, May 3rd, and this is Security on the Bayou. Everybody have a wonderful weekend. We will talk again on Monday.

Thursday, May 2nd, 2019

Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again

Putin Signs Controversial Internet Law

We dunno what’s worse: Hackers ransacked Citrix for FIVE months, or that Equifax was picked to help mop up the mess


 [00:00:00] Good morning folks, it is Thursday, May 2nd 2019, and here’s today’s security news.

 [00:00:05] First things first, from Security Week by AFP: Putin signs controversial Internet law. So today Putin signed this sovereign internet bill in Russia, which would essentially do a few things. One of those is it creates a central point of entrance and exit out of the country for the country’s Internet traffic. A lot of criticism of this bill comes from its vagueness and the way it was written. A lot of people are trying to claim that this will create an avenue to censor the voice and opinion of the folks on the Internet in Russia. I don’t necessarily disagree, and I don’t think this is one of those where we have to see how it plays out. This is pretty well bad off for everybody involved. You know, I try not to get too deep into the privacy stuff on this thing, as it’s a security podcast, but it’s sort of part of the deal. So for this one, I’m going to steer away from the privacy aspect of this, and I want to try to ask a few questions about the security aspect of this. One of those being, if there is a central point of entrance and exit for all internet traffic coming from Russia. Now, attribution is already really hard, especially for the regular non-government agencies. So my assumption is that this will make it extremely difficult, because now they can control more heavily what they can and will mask in and out of that country. So, you know, common tactics of hopping VPNs or different boxes upon boxes around the world, that’s common, I think. Obviously they use it. Everybody uses it. I think that having this central point of entrance and exit is gonna make it extremely difficult for there to be any further attribution for anything Russian-related. You know, this comes on the heels of last year, when the federal government essentially said that Russia meddled in the elections and it was their fault.
So this feels like a response to that, in such that they say, well, you figured out who it was, well, good luck finding out next time. So we’ll keep an eye on this; we’ll see what happens. You know, this reminds me a lot of when net neutrality was repealed the first time; all these companies said, oh well, we’ll never actually, you know, use these stipulations that are in here, we’re still for the consumer. This feels a lot like that, right? We know that eventually, at some point, they’re going to use this for the wrong reasons. OK, let’s stop on that; let’s move on.

[00:02:40] Next, from the Register by Iain Thomson in San Francisco: sinister secret backdoor found in networking gear perfect for government espionage. The Chinese are, oh no, wait, it’s Cisco again. So Cisco issued a fix yesterday for their 9000 Series Nexus switches. Excuse me: Cisco Nexus 9000 Series Application Centric Infrastructure mode switch software. That is a mouthful. Anyway, a piece of software on one of their switches. There was a backdoor into it, and it was caused by, let me get this right, a default SSH key pair hardcoded into the software. So, understandably, people make mistakes. That’s a pretty big mistake. We talked about default passwords yesterday and the IoT law that’s coming out of the UK. Clearly, anything default is bad, because once you get into one of them, you’ve got access to everything. So it’s patched now. You know, this is an interesting article because the author immediately turned it right into the Huawei stuff, so he got back to the point, but I know there’s clearly another incentive here in this article. But nonetheless, Cisco patched a vulnerability due to SSH key management not being up to par. Don’t get me wrong, that is not easy. It is not a hard problem to solve; there are plenty of solutions for it. It’s a hard problem to continue to solve, and to get developers and train people to do things the right way.

Next, from the Register, by Iain Thomson, still in San Francisco: we dunno what’s worse, hackers ransacked Citrix for five months, or that Equifax was picked to help mop up the mess. So yesterday we talked about the Citrix breach and how their employees’ information was stolen, and more and more is coming out about this: six terabytes of data were pulled out. They suspect that some of that was not just employee data but was also intellectual property, you know, any business documents, sort of like crown jewels sort of stuff. But here’s the deal. So, as you guys know, we’ve all had our accounts taken over, identity issues. So when this happens, there’s always free credit monitoring offered for the employees or the users, whoever it may be. Well, in this case, Citrix has chosen to go with Equifax, which is just dripping with irony considering everything that happened with Equifax not even two years ago at this point. And so my question is, there are three of these credit reporting agencies, and there are plenty of other consumer credit reporting agencies out there, third-party companies that do this. You had to pick Equifax? You couldn’t just go with one of the other two? You had to pick Equifax. Something stinks here, from my perspective. All right. I know I got my rant on today. Thank you for listening. I appreciate it. I hope you get as upset about this stuff as I do, because it just motivates me to go out there and change things. Today is Thursday, May 2nd. This is Security on the Bayou. Thank you for listening; everybody have a wonderful day.