After a long hiatus, I’m finally going to post a blog entry! Yeah me!
Business Insider Malaysia posted a review of CrowdStrike’s groups to watch out for. Most are based in China, Russia, and Iran shockingly. Deep Panda, Putter Panda, Flying Kitten top the Business Insider article but I have yet to review the complete report myself. You can link to it here. Thanks to Hack In The Box.
ZDNet’s Jason Perlow comments on how the use of virtual or throw away card numbers for credit accounts could drastically cut down on fraud. It’s a wonderful thought as you could provide your trusted payees one card number, online services could use something else, and you could use throw-away numbers for anything else. I see two big issues here, first carrying multiple cards for one account. The second and much bigger problem - card numbers are derived from a schema, and there is a limited number of card numbers available to any one merchant. What happens when someone runs out of numbers? Thanks to Hack In The Box.
Tom Webb posted to SANS ISC Diary regarding using MASSCAN tool for scanning a large range of hosts for a single vulnerability, and even passing the results on to NMAP using plugins. I haven’t used the tool myself but I am actually planning on using it for my current vulnerability assessment. I have to find all the active IP’s on a portion of a Class B network, and one of our IT service providers has been fairly willy-nilly with our address allocations across the board. I’ll post a review of this once I’m done.
This article provides a very good example of the many ways cloud service providers themselves can abuse your personal data. Before moving to a cloud services for anything, you need to fully vet the provider to some level. You will face all the same risks are hosting the service internally, however you won’t have any actual control over the situation. Make sure any contracts or EULAs stipulate some sort of recovery and compensatory measures, and back the service up yourself somehow.
TL;DR summary: Properly prepare for the exercise; Involve parties throughout organization, Know the ground rules of the exercise, Leverage resources from within your industry and the government; When exercising, broader can be better; Make the scenario as realistic as possible.
I can attest to the benefits of tabletop testing - I’ve participated in regulator required exercises as well as training exercises. You really don’t see the bonuses until you’ve completed the test and learned something you didn’t expect.
Worth the review - I’ve torn apart a couple phishing PDF and Word attachments in the last few weeks for fun, and they pose a significant risk. Every one of them made it clear past our defenses into inboxes, and I was able to download the payloads for several hours until requests to take them down were processed. I’ve seen multiple throw-away Dropbox accounts, Google redirects to dynamic IPs, and even “business” file sharing services such as copy.com. These attacks further demonstrate the real weakens in cybersecurity - people.
ZScaler posted a blog about the Koler ransom-ware spreading by SMS in what I am assuming is the United States. The SMS links the user to a Dropbox-hosted APK which the user must install. As soon as the user installs the file, it locks the device and displays a message asking for $300 to unlock the phone. It doesn’t appear to encrypt the data, but it’s unclear if any data could be removed via USB or other method. All of this can be avoided if you stick to trusted online app stores and leave the default security of preventing installs from anything but the Play Store active.
One last word of caution: Be careful running strings on malware due to a exploit similar to the recent bash exploits. Use the -a option to prevent strings from using GNU libbfd and sidestep the issue completely.