Today in InfoSec

 
Post #1 | 213374U (Thread Starter) | 11-11-2014, 05:37 PM

Gonna just start a running thread with interesting Information Security news that I find during my day-to-day. I know this stuff has to interest some of you but, unless it's a big story and reaches national media levels, you may never see it. I may not update everyday, but feel free to add your own if you come across anything I haven't posted yet.

Post #2 | 213374U | 11-11-2014, 05:39 PM

Kaspersky Lab exposes cyber espionage in luxury hotels

Originally Posted by Article Text
Russian IT security supremos, Kaspersky Lab, has exposed a four-year ‘Darkhotel’ espionage campaign by a ‘threat actor’ who is actively stealing information from top-level executives and who doesn’t pursue the same target twice.
It’s not just James Bond who gets spied upon in hotels, but selected corporate executives travelling abroad and staying in luxury hotels.

Kaspersky Lab’s SecureList security researchers, who are extremely active in uncovering major malware, virus, cybercrime and cyberterrorist threats, have discovered the ‘Darkhotel’ espionage campaign has lurked in the shadows for at least four years.

Even more worryingly, the group behind ‘Darkhotel’ avoids pursuing the same target twice and ‘performs operations with surgical precision, obtaining all the valuable data they can from first contact, deleting traces of their work and melting into the background to await the next high profile individual.’

Astoundingly for major corporations, Kaspersky Lab reports ‘the most recent travelling targets include top executives from the US and Asia doing business and investing in the APAC region; with CEOs, senior vice presidents, sales and marketing directors, and top R&D staff targeted.’

Kurt Baumgartner, Principal Security Research at Kaspersky Lab said: “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behaviour.”

“This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”
So, how does the hotel attack work?

Kaspersky Lab explains that ‘the Darkhotel actor maintains an effective intrusion set on hotel networks, providing ample access over the years to systems that were believed to be private and secure.’

‘The attackers wait until after check-in when the victim connects to the hotel Wi-Fi network, submitting their room number and surname at login.’

‘Once the user is in the compromised network, embedded iframes located within the login portals of the hotels are used to prompt them to download and install a backdoor that poses as one of several major software releases, including Google Toolbar, Adobe Flash and Windows Messenger.’

‘The unsuspecting executive downloads this hotel ‘welcome package’, only to infect his machine with a backdoor - Darkhotel’s spying software.’

Then the truly stunning stuff happens!

Kaspersky Lab says that, ‘Once on a system, the backdoor is used to further download more advanced stealing tools: a digitally-signed advanced keylogger, the Trojan ‘Karba’ and an information-stealing module.’

‘These tools collect data about the system and the anti-malware software installed on it, stealing all keystrokes, and hunting for private information, including cached passwords and login credentials.’

‘Victims are targeted for sensitive information and confidential data - likely the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.’

The attackers are using spear-phishing emails with zero-day exploits to infiltrate organisations including ‘Defense Industrial Base (DIB), government and Non-Governmental Organisations (NGOs), very large electronics manufacturing, investment capital and private equity, pharmaceuticals, cosmetics and chemicals manufacturing offshoring and sales, automotive manufacturer offshoring services, automotive assembly, distribution, sales, and services, and law enforcement and military services.’

There’s also sexual-content based malware being spread via Japanese p2p networks, part of a ‘large RAR archive that purports to offer sexual content, but installs a backdoor Trojan that allows attackers to perform a mass surveillance campaign’, with this ‘Darkhotel package downloaded over 30,000 times in less than six months.’

Baumgartner added “The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”

It appears the threat actor is Korean, due to a ‘footprint in a string within their malicious code pointing to a Korean-speaking actor’.

The campaign has targeted thousands of victims worldwide, with 90 per cent of identified infections in Japan, Taiwan, China, Russia and Hong Kong, alongside smaller infection rates from victims in Germany, the USA, Indonesia, India, and Ireland.

Kaspersky Lab says it is currently working with relevant organisations to best mitigate the problem. Kaspersky Lab’s products detect and neutralise the malicious programs and their variants used by the Darkhotel toolkit.

So, how does an executive - or anyone - reduce their exposure to attacks?

Kaspersky Lab says that, when traveling, any network, even semi-private ones in hotels, should be viewed as potentially dangerous.

To prevent this, Kaspersky Lab has the following tips:

- Choose a Virtual Private Network (VPN) provider – you will get an encrypted communication channel when accessing public or semi-public Wi-Fi

- When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.

- Make sure your Internet security solution includes proactive defence against new threats rather than just basic antivirus protection

- Use two-factor authentication for e-mail and other confidential services.

- Use strong, unique passwords for each resource you access.

Kaspersky Lab’s SecureList site here has even more information and detail on the DarkHotel ‘APT’ or advanced persistent threat.
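The captive-portal lure the article describes (an iframe injected into the hotel login page that pushes a fake "update" installer) is something a defender can check a portal page for before anyone clicks. Added example, not code from the article, Kaspersky or this post; the sample HTML, the hostnames in it and the installer file-type list are constructed assumptions:

```python
"""Scan a hotel captive-portal page for a Darkhotel-style download lure.

Added example (not code from the article, Kaspersky or the post). Flags iframes
that are hidden or served from a host other than the portal, plus any link,
iframe or meta-refresh pointing at an installer. Sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types a Wi-Fi login page has no reason to serve (assumption: a captive
# portal only needs a room number and a surname, never an installer).
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".scr")


def _hidden(attrs):
    # Zero-size or display:none iframes load content without the guest seeing it.
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width") == "0" or attrs.get("height") == "0")


def _installer(url):
    return urlparse(url).path.lower().endswith(INSTALLER_EXTS)


class PortalScanner(HTMLParser):
    def __init__(self, portal_host):
        super().__init__()
        self.portal_host = portal_host
        self.findings = []  # (url, [reasons]) per suspicious element

    def _flag(self, url, reasons):
        if reasons:
            self.findings.append((url, reasons))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname
            reasons = []
            if _hidden(a):
                reasons.append("hidden iframe")
            if host and host != self.portal_host:
                reasons.append("iframe from third-party host")
            if _installer(src):
                reasons.append("iframe loads an installer")
            self._flag(src, reasons)
        elif tag == "a" and _installer(a.get("href") or ""):
            self._flag(a["href"], ["link to an installer"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # e.g. content="0; url=http://host/FlashUpdate.exe"
            content = a.get("content") or ""
            pos = content.lower().find("url=")
            target = content[pos + 4:].strip() if pos >= 0 else ""
            if _installer(target):
                self._flag(target, ["meta refresh to an installer"])


def scan_portal(html, portal_host):
    """Return the suspicious elements found in one captive-portal page."""
    scanner = PortalScanner(portal_host)
    scanner.feed(html)
    return scanner.findings


# Constructed portal page: a normal login form plus an injected download lure.
SAMPLE_PORTAL = """<html><body>
<form action="/login"><input name="room"><input name="surname"><input type="submit"></form>
<iframe src="https://wifi.hotel.example/terms" width="400" height="200"></iframe>
<iframe src="http://203.0.113.7/updates/FlashPlayerUpdate.exe" width="0" height="0"></iframe>
<a href="http://203.0.113.7/GoogleToolbarSetup.exe">Install the hotel welcome package</a>
</body></html>"""
```

Running `scan_portal(SAMPLE_PORTAL, "wifi.hotel.example")` flags the zero-size third-party iframe and the installer link while leaving the hotel's own terms iframe alone.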

Post #3 | Xentropa | 11-11-2014, 06:37 PM

Why did they pull the plug on truecrypt?

Post #4 | 213374U | 11-11-2014, 06:47 PM

Hard to say, there was plenty of speculation flying around during the aftermath though. It's likely though that the developers simply moved on and no longer wanted to support the project. EOL was the easiest way out.

Check out CipherShed

Post #5 | amblamps | 11-11-2014, 06:52 PM

Seriously? I would never click yes to install some random window popup after connecting to hotel internet. There's no reason a hotel would require you to install software.

This **** gets my blood pressure up. It's like when I go to my parents house and my mom complains about her comp being slow, when she has 100 search bars installed.

Didn't they learn their lesson from Bonzi Buddy?

Post #6 | Xentropa | 11-11-2014, 06:59 PM

Originally Posted by 213374U:
Hard to say, there was plenty of speculation flying around during the aftermath though. It's likely though that the developers simply moved on and no longer wanted to support the project. EOL was the easiest way out.

Check out CipherShed

Post #7 | 213374U | 11-11-2014, 07:39 PM

Originally Posted by amblamps:
Seriously?
This is why the CISO role is becoming an imperative fixture in corporate America. It's our job to inform our Execs on the steps they take to protect themselves and the company, and then take technological steps to ensure that their small misstep (which WILL happen with a persistent threat) doesn't become an instant disaster.

Post #8 | daklown | 11-12-2014, 06:35 AM

Originally Posted by 213374U:
This is why the CISO role is becoming an imperative fixture in corporate America. It's our job to inform our Execs on the steps they take to protect themselves and the company, and then take technological steps to ensure that their small misstep (which WILL happen with a persistent threat) doesn't become an instant disaster.
Assuming executives even listen.

I spent 2 years in InfoSec trying to enforce standards to people who wanted to ignore them "because corporate", then when there's a breach (it was massive and was in the news, but I no longer work there) they try to blame corporate. Endlessly frustrating.

I still report to the VP of Security at my new job but don't have to try to get people to comply anymore. It's nice. Dig your own graves, people.

Post #9 | 213374U | 11-12-2014, 06:46 AM

You talking execs? Or just end users who didn't want to follow policy?

The big key there is working closely with, and educating senior management from across the business so that they can push the security message to the folks directly under their control. If you can get the names that everyone in a particular business unit will recognize on your side, and get them interested in the InfoSec "game" (not hard, hackers tend to pique interests pretty quick), they'll become your ambassadors to the business side and essentially do your footwork for you.

All of the above is why a CISO needs far more than technological savvy. Being able to build and maintain relationships with the rest of the C-suite, Senior Management, and above is absolutely critical to creating a successful security program that the entire organization is actually interested in participating in.

Post #10 | 213374U | 11-12-2014, 06:50 AM

New Attack Method Can Hit 95% Of iOS Devices

Masque Attack replaces legit apps with malware using the same bundle identifier names.

Originally Posted by Article Text
The majority of non-jailbroken iOS devices are vulnerable to an attack method that could replace genuine apps with malware through a bit of application-naming skullduggery. Dubbed a "Masque Attack" by the FireEye researchers who discovered this technique this summer, the attack was described publicly for the first time in a report today.

FireEye had previously held details about the attack methods close to the vest to give Apple time to handle a disclosure made to Cupertino at the end of July. But after examining the WireLurker malware that hit headlines last week, researchers with FireEye found it was using Masque methods and felt it necessary to shed light on a vulnerability that it says affects 95% of iOS devices.

"We consider it urgent to let the public know, since there could be existing attacks that haven't been found by security vendors," they wrote in the report.

Masque works by convincing users to download an app with a tricky name and then using that install to replace a legitimate app with the same bundle identifier name. There are a number of attack implications from this method. First of all, attackers could mimic the original app's login interface to steal credentials and upload them remotely. Secondly, the data under the original app's directory remains in the malware's local directory after the switch, allowing for further data theft. Additionally, an attacker can use the Masque Attack to bypass the app sandbox and get root privileges by attacking known iOS vulnerabilities.

According to FireEye, Masque is particularly dangerous for enterprises for a number of reasons. First of all, apps distributed using enterprise provisioning profiles aren't subject to Apple's review process.

"Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring and mimic iCloud's UI to steal the user's Apple ID and password," the researchers wrote.

Additionally, Masque is very difficult for enterprises to detect because MDM software can't distinguish malware from legit apps using the same bundle identifier.

"This means that attackers can use spear phishing via email or text message to conduct targeted attacks very effectively against enterprise users," Tao Wei, senior research scientist at FireEye, told Dark Reading. "Because MDM software cannot detect this attack, and until Apple releases a fix for this vulnerability, organizations must educate their employees on the threat spear phishing now poses to their non-jailbroken iOS devices."

Because an attacker can run arbitrary code on the iOS device, malware using the Masque Attack can serve as a stepping stone into the corporate network, Wei warns. "For example, the attacker can potentially harvest email and SMS, which may have two-step login tokens, to get further access to more privileged contents."

FireEye recommends that organizations warn users to protect themselves three ways. One, users shouldn't install apps from third-party sources other than Apple's official store or an enterprise app store. Two, users shouldn't click on install buttons on a pop-up from third-party web pages. Three, if iOS shows an alert with an "Untrusted App Developer" warning, users should click "Don't Trust" and uninstall the app immediately.
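The article's point that MDM inventory keyed on bundle identifier cannot tell a Masque app from the original can be made concrete with a check that also compares the signing team and the distribution channel, which a look-alike signed with a different certificate does not match. Added example, not FireEye's, Apple's or any MDM vendor's code and not part of the post; the bundle IDs, team IDs and the assumption that an MDM export carries these fields are constructed:

```python
"""Compare installed iOS apps against a signer baseline to catch Masque-style replacement.

Added example, not code from FireEye, Apple or the forum post. The article notes
that MDM inventory keyed on bundle identifier cannot tell a Masque app from the
original; this check adds the signing team and distribution channel. All bundle
IDs and team IDs below are constructed placeholders (assumption: the MDM export
includes signer team and channel for each installed app).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    team_id: str   # developer team that signed the binary (from its provisioning profile)
    channel: str   # "appstore" or "enterprise"
    version: str


# Approved apps: the signer and channel the organisation expects for each bundle ID.
BASELINE = {
    "com.example.bank":          ("TEAM-BANK-0001", "appstore"),
    "com.example.mail":          ("TEAM-MAIL-0002", "appstore"),
    "com.example.corp.expenses": ("TEAM-CORP-0003", "enterprise"),
}


def unexpected_bundle_ids(apps):
    """What a bundle-ID-only inventory (the MDM view the article describes) would flag."""
    return sorted(a.bundle_id for a in apps if a.bundle_id not in BASELINE)


def masque_findings(apps):
    """Apps whose bundle ID is approved but whose signer or channel does not match."""
    findings = []
    for app in apps:
        expected = BASELINE.get(app.bundle_id)
        if expected is None:
            continue  # unknown app: an inventory question, not a bundle-ID collision
        exp_team, exp_channel = expected
        reasons = []
        if app.team_id != exp_team:
            reasons.append(f"signed by {app.team_id}, expected {exp_team}")
        if app.channel != exp_channel:
            reasons.append(f"installed via {app.channel}, expected {exp_channel}")
        if reasons:
            findings.append((app.bundle_id, reasons))
    return findings


# Constructed device inventory: the mail app has been replaced by an enterprise-
# signed look-alike that reuses its bundle ID, the pattern the article describes.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "TEAM-BANK-0001", "appstore", "4.2"),
    InstalledApp("com.example.mail", "TEAM-ROGUE-9999", "enterprise", "4.2"),
    InstalledApp("com.example.corp.expenses", "TEAM-CORP-0003", "enterprise", "1.0"),
]
```

On the sample inventory `unexpected_bundle_ids` returns nothing, which is exactly the blind spot the article describes, while `masque_findings` reports the replaced mail app with both a signer and a channel mismatch.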

Post #11 | daklown | 11-12-2014, 07:34 AM

Originally Posted by 213374U:
You talking execs? Or just end users who didn't want to follow policy?

The big key there is working closely with, and educating senior management from across the business so that they can push the security message to the folks directly under their control. If you can get the names that everyone in a particular business unit will recognize on your side, and get them interested in the InfoSec "game" (not hard, hackers tend to pique interests pretty quick), they'll become your ambassadors to the business side and essentially do your footwork for you.

All of the above is why a CISO needs far more than technological savvy. Being able to build and maintain relationships with the rest of the C-suite, Senior Management, and above is absolutely critical to creating a successful security program that the entire organization is actually interested in participating in.
Not end users, but facility CISOs tend to blow it off because the title is tacked on to a bunch of other crap and they have too much to do as-is, so they're jaded.

Post #12 | 213374U | 11-12-2014, 08:14 AM

My predecessors were like that and it's precisely the reason they never got anything done. They saw taking on the additional title as another rung in the ladder to the top, but had no idea what they were doing or how to do it. They thought running a successful security program meant fine-tuning firewall rulesets or buying the latest and greatest piece of technology and simply throwing it at the environment. Without a passion for this line of work and all that it entails, you'll have an extremely hard time getting anything worthwhile accomplished. It's the very reason that I've come in and blown away the Senior Management team as far as what a "kid with an AAS and no certs" can actually get done.

Post #13 | 213374U | 11-14-2014, 08:02 AM

DIRTBOX INTRUDER marshals spy on Americans' mobiles from above

Not sky marshals. These are different aerial tin-star peeps

Originally Posted by Article Text
US marshals have fitted miniature mobile phone cells, nicknamed dirtboxes, inside aircraft so that they can locate mobile phones from the sky, it has been reported.

Or, in other words, another one of Uncle Sam's agencies has found another way to secretly track citizens.

The g-men, who work for the courts and track down fugitives, have a fleet of light aircraft equipped with the surveillance gear, which is made by Boeing subsidiary Digital Receiver Technology (DIRT - geddit?) hence the nickname.

That's according to The Wall Street Journal, which reports the two-foot-square snooping devices imitate cellphone towers and thus make contact with all handsets in range.

The onboard tech can be programmed to look out for specific handsets by comparing the uniquely identifying IMEI numbers stored in every mobile device.

When the aircraft carrying the gear flies over a suspect, and detects his or her phone, it will then fly on to another location in range and triangulate the mobe's position to within a couple of feet, even down to a particular room in a building.

"DRT has developed a device that emulates a cellular base station to attract cell phones for a registration process even when they are not in use," Boeing said in a 2010 filing [PDF].

The WSJ report said there are five light aircraft equipped with the scanners, and they're parked up at regional airports across the US. The vast majority of the population is within easy reach of the team.

Calls are not disrupted by the overheard search, we're told; the DRT gear labels cellphones as "not of interest" or "of interest."

The FBI uses similar ground-based faux cell tower stations, dubbed Stingrays, which are used in the same way. These are highly controversial, not least because the feds have reportedly tried to cover up the existence of the scanning units.

In the case of dirtboxes, the US Department of Justice which oversees the marshal service refused to confirm or deny the report, but anonymous sources familiar with their use said the flying spies-in-the-sky were technically above board (no pun intended).

"What is done on US soil is completely legal," they told the newspaper. "Whether it should be done is a separate question."

Post #14 | K.F14 | 11-14-2014, 08:21 AM

Subscribed.

Post #15 | 2LEM1 | 11-14-2014, 08:51 AM

I'm just going to flash a new OS every 2 weeks or so on every device I own, **** this ****.

Post #16 | Black R | 11-14-2014, 08:59 AM

The DRT one is pretty good - a new school twist on old school triangulation.

Post #17 | 213374U | 11-14-2014, 10:16 AM

Originally Posted by 2LEM1:
I'm just going to flash a new OS every 2 weeks or so on every device I own, **** this ****.
Just get yourself a copy of Tails OS and load that bish on USB. Won't do much for your mobile life but easy way to secure your desktop/laptop interactions.

Post #20 | JoeBlue | 11-15-2014, 01:48 PM

Originally Posted by K.F14:
Subscribed.

Post #21 | FrostyDC4 | 11-15-2014, 07:03 PM

Originally Posted by 213374U:
Just get yourself a copy of Tails OS and load that bish on USB. Won't do much for your mobile life but easy way to secure your desktop/laptop interactions.

Anyone have any experience with this?

Post #22 | cetcivic | 11-16-2014, 03:35 AM

I've been hearing about those fake cell towers more and more...

Fascism lite?

Post #23 | 213374U | 11-16-2014, 09:35 AM

Originally Posted by FrostyDC4:
Anyone have any experience with this?
What do you want to know about it?

Post #24 | 213374U | 11-17-2014, 07:23 AM

ANONYMOUS HIJACKS KKK TWITTER ACCOUNT AFTER KLAN DECLARES CYBER WAR

Originally Posted by Article Text
The brewing war between the Ku Klux Klan and Anonymous has just taken a new turn. Anonymous announced that they have taken control of the Klan’s official Twitter account, and it seems that they are telling the truth.

Anonymous recently turned their many masked faces to the Klan after the Traditionalist Knights of the KKK threatened to use “lethal force” against those protesting the murder of unarmed black teenager Michael Brown.

That threat led the hacktivist group to quite literally remove the hoods from members of the Klan — a development that greatly irritated the hate group. The hacktivists posted photographs of numerous Klan members, all of whom looked strangely naked without their white hoods and nightgowns.

The Klan responded by childishly threatening bloggers who wrote about the “de-hooding” of its members. Tiffany Willis of Liberal America has been inundated with threatening phone calls since she wrote about it.

<YouTube Vid Below>

Fortunately, Anonymous stepped back in and had more fun at the expense of the group of racists. On Sunday, Anonymous posted that they had, indeed, hijacked the KKK’s official Twitter.

The Klan’s profile image was replaced with something extremely more pleasant, and an announcement was posted that it was “under anon control.”

Hilariously, the Klan had spent much of the day taunting the hacker group.

The Ku Klux Klan really should have expected them.

It’s been a terrible week for the KKK. Anonymous released identities of members, took down numerous Klan web sites, and usurped control of the official Twitter.

What will come next? Stay tuned…

Post #25 | K.F14 | 11-17-2014, 07:25 AM

Good, **** those racist asshats
