InfoSec links June 18, 2014

Employees of USAA are now banned from wearing Google Glass, other wearables - Stephen Hall - 9 to 5 Google

First, good for them. Second, this brings up an interesting topic. Why stop at Google Glass? Cell phones, which just about everyone carries, can record audio and video and take pictures. This being a media blog, I know of several tools that could be used to record or grab images and possibly compromise people’s data. Banning Google Glass is a very slippery slope, because we all carry devices in our pockets that do the same thing. They’re just not attached to our heads.

Twitter Users Urged To Kill Tweetdeck After Bug Alert - Thomas Brewster - TechWeek Europe

In case you missed it. A serious cross-site scripting (XSS) bug was found in TweetDeck that could potentially allow someone to take over accounts. Twitter has fixed the bug, but at the time it was recommended that you log off TweetDeck and de-authorize it from your account on Twitter’s main site. I should probably thank the person who found the bug (potentially accidentally), as it gave me an opportunity to de-authorize several other apps that I haven’t used in a while. Yes, I know, bad security person.

Gmail Bug Could Have Exposed Every User's Address - Andy Greenberg - Wired

For anyone who has watched Top Gear, we’ve started an uncool wall at work for infosec news and other technology related items. The categories are exactly like the show: Seriously Uncool, Uncool, Cool and SubZero. This link got put on the seriously uncool wall. Not only did a Trustwave researcher discover a vulnerability in Google that allowed the harvesting of Gmail addresses fairly easily, but Google also begrudgingly gave him only $500 for his efforts. I don’t know how much a list of half a billion email addresses would go for on the black market, but I’m certain it would be worth more than $500.

This post first appeared on Exploring Information Security.

InfoSec links June 17, 2014

Phish or legit, Can you tell the difference? - John Shier - Naked Security

Really good article on identifying a legit email from a phishing one. There are some technical things, but the overall message has some good tips on what to look out for in identifying a phishing email.

Don't Let Lousy Teachers Sink Security Awareness - Corey Nachreiner - Dark Reading

Security awareness seems to be up for debate within the infosec community. Some think it's useful, while others think it's worthless. I tend to think it's useful, based on the fact that I've been with two organizations on opposite ends of the security awareness spectrum. I felt the users were much more aware of security issues when they had training. The article tries to debunk some of the arguments against security awareness training, as well as give some tips on how to handle security training. I don't agree with everything, but I think the overall idea is good and security awareness is worth implementing.

How to Get Started in CTF - Steve Vittitoe - Endgame

CTF stands for Capture the Flag and it's something I've always been kind of interested in learning, but never had the desire to spend the time on. This article, however, feels like a good starting point if I ever want to get into CTF. It breaks down some of the different aspects of CTF and encourages you to explore your strengths.


Infosec links June 16, 2014

GCHQ Intercept sites in Oman - Bruce Schneier - Schneier on Security

The Brits have a spy base in the Middle East that taps into undersea cables, according to a Guardian story. What's more interesting than the story itself is that this information did not come from Edward Snowden or his plethora of files. Are we seeing more leakers and whistleblowers within the government? It's very possible.

To defeat encryption, feds deploy the Subpoena - David Kravets - ars technica

Project on Government Oversight's (POGO) mission is:

nonpartisan independent watchdog that champions good government reforms. POGO’s investigations into corruption, misconduct, and conflicts of interest achieve a more effective, accountable, open, and ethical federal government.

According to the story, POGO suggests that whistleblowers use Tor to report abuses to their encrypted submission portal. As a result, and after the most recent potential US Veterans Administration scandal, the government is trying to use super subpoena power to get at the information being submitted to POGO. The response from POGO, "You no has our data:"

If the VA doesn't drop its subpoena, POGO said it would never turn the data over, even if ordered to by a judge.

"We are certainly prepared to go to court," Newman said. "We are certainly prepared to go to jail to prevent any of that information from being released."

Bravo

Trickle down surveillance - Nathan Freed Wessler - Aljazeera America

More and more local police forces are using devices called stingrays. This technology has trickled down from the NSA and allows the user to track cellphones and their identifying information. I can see where this becomes handy, but it's not a pinpoint type of device. It grabs everyone's cell phone information within an area, because it essentially acts like a cellphone tower. There's supposed to be some transparency around these devices, but it appears that some entities are trying to hide their usage.


InfoSec links June 13, 2014

Safely Storing User Passwords: Hashing vs. Encrypting - Michael Coates - Dark Reading

A good description on the difference between symmetric encryption and hashing and some of the process involved in protecting passwords with those two methods.

Peek Inside a Professional Carding Shop - Brian Krebs - Krebs on Security

Krebs takes us on a wonderful tour of the professional carding shop "McDumpals." It's got the McDonalds arches and everything. It's a good read if you want to learn more about where stolen credit card information goes.

OpenSSL DTLS Fragment Out-of-Bounds Write: Breaking up is hard to do - Brian Gorenc - HP

A new vulnerability in OpenSSL has been found. This one isn't as scary as Heartbleed, but systems do need to be checked and patched. I know that Cisco has a long list of devices affected by this and that VMware recently released a patch for ESXi 5.5 for the vulnerability. The article itself takes an in-depth technical look at the vulnerability.


Disable multiple Active Directory accounts using PowerShell

Two weeks ago I created my first PowerShell script. It’s nothing special, just a script to disable multiple Active Directory accounts from a .csv file. Still, I’m quite proud of it considering I’ve never created a PowerShell script before and that I was able to do it on my own (Google searches notwithstanding).

Preparation

First, I grabbed PowerGUI Script Editor to create my PowerShell script (http://en.community.dell.com/techcenter/powergui/m/bits/20439049.aspx). Next I put all the accounts that need to be disabled in a single column on a new spreadsheet. At the top of the column I put ‘samaccount.’ This header is needed for part of the script to work. I then saved the spreadsheet as a .csv file.

Building the script

I opened PowerGUI Script Editor and started a new script. A Google search found me these lines of code:

$namelist=Import-Csv C:\DisableADAccounts.csv

foreach($name in $namelist){Disable-ADAccount -Identity $name.samaccount }

With ‘$namelist’ you are defining where your .csv file will be imported from. The ‘C:\DisableADAccounts.csv’ will be wherever you place the file you want the script to use. I placed the script and the .csv file right onto the C drive. If you prefer a little more organization you can put it in a folder on the C drive, just make sure the location reflects that, for example: ‘C:\Scripts\DisableADAccounts.csv’.

‘foreach’ is a looping statement (http://www.powershellpro.com/powershell-tutorial-introduction/logic-using-loops/). It will execute a command for each item or ‘$name’ in your .csv file. The statements inside the { } are the command you want to execute. In this case I am disabling the AD Account (Disable-ADAccount) for the names under (-Identity) the samaccount column ($name.samaccount).

Before you execute the script for real you can add the ‘-WhatIf’ switch after ‘$name.samaccount’ and see what the script would do without changing anything. I ran this from PowerGUI by hitting the green play triangle button on the toolbar.

Now, if you try to run this script as is (like I did), error messages will pop up indicating unrecognized commands and bad syntax. In my case I was missing Import-Module activedirectory, which loads the Active Directory cmdlets that the script depends on.

The final script should look like this:

# Load the Active Directory cmdlets (Import-Csv is built in, Disable-ADAccount is not)
Import-Module activedirectory

# Read the .csv file; each row becomes an object with a 'samaccount' property
$namelist=Import-Csv C:\PortalDisableFinal.csv

# Disable the account named in the 'samaccount' column of each row
foreach($name in $namelist){Disable-ADAccount -Identity $name.samaccount }

Running the script

Once you have the .csv file and the PowerShell script put together, both need to be transferred to the server that Active Directory is on. Make sure Active Directory Module for Windows PowerShell is installed on the server (http://technet.microsoft.com/en-us/library/hh847837.aspx; http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx). That will be needed to run the script.

Open the Active Directory Module for Windows PowerShell. Change to the directory where the files are saved. To get back to the C drive use “cd ../..” or, if the files are in a different location, use “cd c:\scripts\powershell.” Once you’re in the directory where the files are located, begin typing the name of the script, then hit the Tab key and PowerShell will autocomplete the script name for you. Hit enter. The script should execute. Check to make sure the accounts, or a handful of them (if you’re disabling hundreds or thousands of accounts), have been properly disabled; if they are, you’ve successfully run the script.

You can also run the script from PowerGUI on the box that the script needs to run.
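As an added example (not the script from this post), here is a fuller version of the same job that checks the CSV header, skips accounts that don't exist or are already disabled, supports -WhatIf for the dry run described above, and re-reads each account afterwards so you get the verification step in writing. The file paths are assumptions; change them to wherever you keep the .csv.

```powershell
# Added example, not the post's original script.
# Assumed paths: the CSV with a 'samaccount' header column and a log file next to it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath = 'C:\Scripts\DisableADAccounts.csv',
    [string]$LogPath = 'C:\Scripts\DisableADAccounts-results.csv'
)

Import-Module ActiveDirectory

$namelist = Import-Csv -Path $CsvPath

# The script depends on the 'samaccount' header; fail early and clearly if it is missing.
if (-not $namelist -or -not ($namelist[0].PSObject.Properties.Name -contains 'samaccount')) {
    throw "CSV at $CsvPath has no 'samaccount' column (check the header row)."
}

$results = foreach ($name in $namelist) {
    $sam = $name.samaccount.Trim()
    if (-not $sam) { continue }   # skip blank rows in the spreadsheet

    # Look the account up first so a typo in the CSV does not stop the whole run.
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties Enabled
    if (-not $user) {
        [pscustomobject]@{ Account = $sam; Status = 'NotFound' }
        continue
    }
    if (-not $user.Enabled) {
        [pscustomobject]@{ Account = $sam; Status = 'AlreadyDisabled' }
        continue
    }

    # Running the script with -WhatIf makes ShouldProcess report instead of act.
    if ($PSCmdlet.ShouldProcess($sam, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $user

        # Re-read the object from AD to confirm the change actually took effect.
        $check  = Get-ADUser -Identity $user.DistinguishedName -Properties Enabled
        $status = if ($check.Enabled) { 'StillEnabled' } else { 'Disabled' }
        [pscustomobject]@{ Account = $sam; Status = $status }
    }
}

# Keep a record of what happened to each account and show it on screen.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once as `.\Disable-Accounts.ps1 -WhatIf` to see the list of accounts it would touch, then again without the switch; the results file is what you check instead of spot-checking accounts by hand.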

Any questions or feedback can be left in the comment section.


InfoSec links June 12, 2014

Striking similarities between a WoW raid team and an infosec team - Tripwire - The State of Security

If you’re not a gamer or hate World of Warcraft (WoW), then go ahead and pass on this article. It talks about how a WoW raid team has different roles, responsibilities and skill sets to make a successful raid run. Those same ideas and concepts can be applied to an infosec team, which requires different roles, responsibilities and skill sets to accomplish its objective of securing the business. I primarily played a healer on my WoW raid teams and I think I could make a case that I’ve done the same thing in information security.

Flash Poll: The Hunt For Cyber Talent - Marilyn Cohodas - Dark Reading

Information security professionals are at a premium right now. Companies are struggling to find not only security professionals, but the right security professionals with the right skillsets and at the right price to secure an environment. I’ve seen this within organizations. While it’s frustrating from a day to day operations standpoint, finding the right people and the right number of people, I’m actually starting to see some personal career benefit.

InfoSec Conferences - Client Side Vs Server Side - Javvad Malik - J4vv4d

Javvad gives some great tips on going to security conferences. If you’re in information security or trying to get into the field, one of the best things you can do for your career is attend a security conference. They’re all over the place and take place throughout the year. In the last month I’ve been to two and in about a week and a half I plan to go to another one. It’s a great place to learn and explore as well as make connections within the infosec community. Javvad’s final suggestion is to make content, which I’ve begun doing. You can check that stuff out in my photography section under media.


ZeuS GameOver links June 11, 2014

Apologies for the formatting. Squarespace appears to be having text format issues on its backend.

Mounties join crack down on Russian cyber crime - Dave Lewis - CSO Online

Recently a botnet was taken over by authorities across the globe (Canada, and more importantly the Mounties, in this story). This was a particularly nasty botnet in that it featured both CryptoLocker (ransomware) and distributed denial of service (DDoS) functionality.

We've Set Up a One-Click Test For GameOver ZeuS - Antti - F-secure

F-Secure has a link you can use to test your computer to see if it has GameOver on it as well as a technical description on how they accomplish the test.

Click here to check your computer for GameOver.

Backstage with the Gameover Botnet Hijackers - Brian Krebs - Krebs on Security

Of course Brian Krebs got an interview with two of the people involved in the GameOver ZeuS botnet takeover. Very interesting read.


InfoSec fun links June 10, 2014

Alleged robber caught after trying to befriend his victim on Facebook - Lisa Vaas - Naked Security

Apparently, mugging someone and then trying to friend them on Facebook is the new thing for criminals. Not much else to say here, except /facepalm.

Secret Service Software Will 'Detect Sarcasm' Social Media Users - Aliya Sternstein - Nextgov

Humans can barely do this! Now some software is going to do it? Good luck with that.

14-year-old code crackers hack Winnipeg ATM - Doug Lunney - Toronto Sun

ATMs are notoriously insecure. Not only can skimmers be placed on them and 90% of them around the world are running Windows XP, but default settings aren't being changed on them either. Two teenagers found a manual online for an ATM that allowed them to get into the operator mode. The best part of the story is that when they went to the bank and informed the staff that they had done it, the staff didn't believe them. So they got permission to get proof and returned with six documents printed out from the operator mode. Only then did the staff take them seriously. Welcome to the world of security research, kids.


InfoSec links June 9, 2014

Complexity as the Enemy of Security - Brian Krebs - Krebs on Security

The Syrian Electronic Army (SEA) has been at the center of several high profile hacks. They've hacked major news websites such as Time, CNN and The Washington Post. More recently they got into the RSA Conference site after they were called cockroaches by Ira Winkler. They accomplished this through a third-party content provider. This past weekend I went to BSides Asheville and Paul Coggins had an interesting talk on cloud networks and how "third-party" service providers could be the weak point in a network's infrastructure. The more entities you add, the bigger the attack surface and the more potential vulnerabilities that may be out there.

Which of your favourite websites are terrible at passwords? - Lisa Vaas - Naked Security

Strong passwords are something that's preached pretty regularly by the infosec community. Typically, it's preached at users, but it should also be preached at websites that let you create accounts. Match.com tops the list of sites that allow weak passwords such as:

  • Qwerty
  • 123456
  • 111111
  • and many others

They also don't lock accounts after a certain number of attempts, and they limit how long a password can be. Seriously, why would you stop someone from creating a longer password? Or not allow them to use special characters?

They Hack Because They Can - Brian Krebs - Krebs on Security

Highway signs are being hacked again for... well, because they can be hacked and because the security on these types of signs is awful. The prankster appears to be a foreign script kiddie who enjoys defacing websites, according to Krebs. The methods used to perform the hack appear to be trivial at best.


Heartbleed Links June 6, 2014

Heartbleed

New Heartbleed Attack Vectors Impact Enterprise Wireless, Android Devices - Eduard Kovacs - Security Week

Nearly two months after the Heartbleed bug was discovered, new attack vectors are still being found. The vectors in this article involve wireless networks and Android smartphones. It's a very technical article and not for the uninitiated.

Beware Of Fake 'HeartBleed Bug Remover Tool,' Hijacks System with Malware - Wang Wei - The Hacker News

Repeat after me. "Heartbleed is a bug, not a virus, trojan or any other form of malicious software." A bug is code in a piece of software or an application that, when exploited, gives an unexpected, unintended result. Viruses, trojans and keyloggers all fall under the malicious software (or malware) category. They are software or programs designed to perform malicious acts on your computer for nefarious gain. Now that we've established that, don't fall for any scams that say you need to remove Heartbleed from your computer, because Heartbleed is a bug, not a piece of malware. The Heartbleed bug is located in a critical piece of internet infrastructure called OpenSSL, and there is no removing it. The entities that use OpenSSL have to patch the bug for you to be safe. Again, Heartbleed is not something on your computer that can be removed.

The Human Side of Heartbleed - Bruce Schneier - Schneier on Security

This Schneier special dives into some of the nuances involved in reporting the Heartbleed bug, which was discovered by two separate researchers several days before the rest of us heard about it:

One of the biggest problems we face in the security community is how to communicate these sorts of vulnerabilities. The story is technical, and people often don't know how to react to the risk. In this case, the Codenomicon researchers did well. They created a public website explaining (in simple terms) the vulnerability and how to fix it, and they created a logo -- a red bleeding heart -- that every news outlet used for coverage of the story.

As bad as Heartbleed was, the InfoSec community handled it really well.


Hacking links June 5, 2014

'Half of American adults hacked' in the past year - really? - John Zorabedian - Naked Security

Recently, CNN reported on a study that claimed that 47% of US adults have been hacked. The thing is, those percentages and numbers might not actually be representative of the population. Also in question is the term "hacked." Should employee negligence or insider theft be considered hacking? Probably not.

Thieves Planted Malware to Hack ATMs - Brian Krebs - Krebs on Security

This occurred in the Chinese territory of Macau. The process for the hack is quite interesting. The criminals slid a long skimming board down the ATM's card slot to install the malware. The malware would log the card data of anyone who used the machine, and a few days later they'd follow the same process to collect the logged information and remove the malware. Pictures of the device and the rest of the kit are featured in the article.

Hacking the Registry to keep Windows XP Updating - A Bad, Bad Idea - Rafal Los - Following the Wh1t3 Rabbit

Apparently, someone has figured out that you can change the registry of a Windows XP machine to make it look like a Point-of-Sale (POS) terminal, which is still getting Windows XP updates. This might not be the best idea in the world, as POS terminals are much different from a computer running Windows XP and the patches could negatively affect system stability. If you're that desperate to get Windows Updates, just go ahead and upgrade your system. It will save you a lot of headache in the long run.


TrueCrypt Links June 3, 2014

TrueCrypt Compromised/Removed? - Johannes Ullrich - Infosec Handlers Diary Blog

Last week the anonymous developers rocked the infosec community by announcing an abrupt end to the TrueCrypt project that many (millions?) of people use. TrueCrypt, for those that don't know, is a program that lets you encrypt a drive, protect it with a password and store files in it. There are alternatives out there, but TrueCrypt seems to be the most popular.

True Goodbye: 'Using TrueCrypt Is Not Secure' - Brian Krebs - Krebs on Security

Krebs has a good roundup on the TrueCrypt saga.

YES...TrueCrypt is still safe to use - Gibson Research Corporation

It appears that TrueCrypt will not die. The audit of TrueCrypt will continue this summer and there is talk of forking the license and continuing the program, likely under a different name. I don't know if the full story will ever come out, but I imagine that TrueCrypt won't entirely die off with the original developers.


InfoSec links May 28, 2014

Fitness apps are a "privacy nightmare," shedding personal data to the highest bidder - Lisa Vaas - Naked Security

Information can be a powerful thing. Fitness apps can give you detailed information about your training that allows you to structure workouts better, but you might not be the only one getting that information. You're also giving it to the apps, and then the question becomes what they are doing with it. Information is a powerful, and profitable, thing.

Comey: FBI 'Grappling' With Hiring Policy Concerning Marijuana - Charles Levinson - The Wall Street Journal

The FBI needs smart and talented people to help battle the ever increasing population of cyber criminals. The problem for the FBI is that its drug policy eliminates a large pool of those smart and talented people. FBI Director James Comey has recognized this and is looking at possibly changing some of the FBI's policy in regards to marijuana use.

Worst Day for eBay, Multiple Flaws leave Millions of Users vulnerable to Hackers - Mohit Kumar - The Hacker News

eBay has had a rough go of it recently (if you have an eBay account and have no idea what I'm talking about, you might want to go change your eBay account password, immediately). They've not only bungled the handling of their breach, but apparently there are still a few live vulnerabilities that could get their systems compromised. This article is from Friday, May 23, 2014, so the vulnerabilities may have been fixed by now.


Snowden aftermath links May 28, 2014

New Al Qaeda Encryption Software - Bruce Schneier - Schneier on Security

There's beginning to be some discourse about the effect of the Snowden-released documents and how they've helped enemies of the US. Schneier thinks that this might actually be a good thing, as those entities try to create their own crypto that might well be weaker than what's available for free.

NSA reform falters as House passes gutted USA Freedom Act - David Kravets - ars technica

Hey look! It's the government being the government. Just before the vote things were changed and Congress passed what appears to be a much weaker attempt at reining in some of the government's heinous surveillance programs. It might take more drastic measures for real change to take place.

Disclosing vs. Hoarding Vulnerabilities - Bruce Schneier - Schneier on Security

Vulnerabilities are a balancing act for the government. Do you disclose a vulnerability that could be used to get into an enemy's network, or do you keep it for future use? I'm with Schneier and believe the US government should disclose vulnerabilities, because part of its mission is defense, but I still think there is some reason for it to keep some vulnerabilities to help with its offensive mission.


InfoSec links May 27, 2014

Hackers now crave patches, and Microsoft's giving them just what they want - Gregg Keizer - Computer World

Criminals are using Windows 7 patches to try and figure out vulnerabilities in Windows XP. According to the article, "By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in Windows 7 -- which will be patched -- then sniff around the same part of XP's code until they discover the bug there." Just another reason to get off Windows XP.

CBS picks up 'CSI: Cyber' with Patricia Arquette - Scott Collins - LA Times

I used to watch a lot of CSI: Las Vegas. After several seasons, though, I realized it was the same episode with slightly different variations. This looks interesting enough that I might just check it out. My expectations for accuracy and/or entertainment are quite low. Still, it could be used to give the masses a small peek into the electronic "battlefield" and might even make for a good jumping off point for infosec professionals to teach the uninitiated.

Meet the Zberp Trojan - Dana Tamir - Security Intelligence

New malware has been discovered. According to Trusteer researchers the new malware combines the Zeus and Carberp Trojans, hence the name Zberp.


Brian Krebs InfoSec links May 23, 2014

Teen Arrested for 30+ Swattings, Bomb Threats - Brian Krebs - Krebs on Security

A Canadian teen has been arrested for making fraudulent emergency calls. These emergency calls involved things like “phony bomb threats” and “swatting,” which, as Krebs puts it, is “a hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime.” If you’ve been reading Krebs, you’ll know that this isn’t anything new to him and that this particular teen actually attempted to swat him twice.

'Blackshades' Trojan Users Had It Coming - Brian Krebs - Krebs on Security

Blackshades is a, “password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes.” You could buy the program for as low as $40 in the US. If you did purchase and use this piece of software, you might be getting a visit from the FBI soon.

eBay Urges Password Changes After Breach - Brian Krebs - Krebs on Security

You’re going to want to change your password if you have an eBay account. There is no “indication” that anyone's information has been used maliciously; however, employee credentials were compromised and “customers’ name, encrypted passwords, email address, physical address, phone numbers and date of birth” were compromised.


NSA owns your tweets May 14, 2014


FIX: Message sent using invalid number of digits - Msg 2114

I bought my wife a new iPhone 5s for Mother's Day. She of course loves it, but informed me that she was unable to message me and kept getting the following message:

Message sent using invalid number of digits. Please resend using 10 digit number or valid short code. Msg 2114.

Our carrier is Sprint and there seems to be an issue with trying to send a text message using only seven digits. In researching the problem I found that it was not exclusive to the iPhone 5s, but the fix seems to involve similar setting changes. For the most part you need to delete the person you're having problems texting from your contact list and delete any text messages you attempted to send. Also delete the error messages you received for each attempt. After you've done that, reboot the phone and try sending that person a text. For my wife's phone I went straight to Messages and composed a new message with my number.

You'll need to try something similar on other phones, but here are the exact directions on an iPhone 5s:

Open Contacts -> select the contact -> select edit -> scroll all the way to the bottom and delete contact (delete multiple entries of the same phone number, my wife had five).

Open the Messages app -> select Edit -> select the red circle and then select delete. Do this for both the person and the messages you received.

Open the Settings app -> scroll down and select Messages -> turn off messages, by selecting the switch, and any other options turned on.

Turn off your phone and then turn it back on.

Go straight to messages and compose a new message and put in the phone number of the person you're trying to text. Send and that person should receive the text message. Add the person to your contacts and go back into message settings to turn on any other options you want on that you turned off.
