On May 1, 2010, smoke was observed in Times Square in New York City, emitting from a sport utility vehicle laden with an improvised explosive device. After authorities disarmed the device, an investigation began to uncover the identity and whereabouts of those responsible for assembling and attempting to detonate the device. As a result of the investigation, Faisal Shahzad was identified as a suspect, placed on the Transportation Security Administration’s (TSA) no-fly list, and later captured after he attempted to fly to Dubai on Emirates Airlines.
Authorities are calling this capture a success: the bomb did not detonate, no lives were lost, and a suspect is in custody. Yet just four months prior, the White House cited “totally unacceptable” systemic failure after Umar Farouk Abdulmutallab was unsuccessful in his detonation of plastic explosives concealed in his underwear during a Christmas Day transatlantic flight to the U.S. Both scenarios seem similar: failed explosion, no lives lost, suspected perpetrator apprehended. Yet the first is a “failure” and the second a “success”? How can this be? Politics aside, I think there is an answer.
Read More »
As highlighted in this week’s Cyber Risk Report, the FTC is raising concerns about how consumer data is collected and shared within the context of social media. Facebook is front and center in this issue, with its user base estimated at over 400 million people globally. But it should also be top of mind for a different reason: its privacy policies seem to be shifting with regularity, dragging along in tow an increasingly complex and confusing interface for managing that privacy. Wired’s Eliot Van Buskirk stated that Facebook is “leaving the onus on users to figure out its Rubik’s Cube-esque privacy controls.” I agree.
When security professionals are left scratching their heads trying to twiddle the nerd knobs or decipher the market-speak of Facebook’s opt-out dialogs, how does this bode for an ordinary user?
Read More »
Popular opinion suggests that between sexting, posting pictures of drunken revelry on Facebook, and making inappropriate tweets, today’s youth culture does not value privacy. In conjunction with the explosion of mobile phone Internet access and multimedia recording, this opinion would hold that there is nothing more dangerous to a workplace with sensitive information than a college grad with an iPhone. Researchers from UC Berkeley and the University of Pennsylvania recently released a study that confronts these stereotypes, and the findings could make security awareness and education programs much more effective.
Read More »
Eleonore Exploits Pack, Liberty Exploit System, Yes Exploit System, ZueEsta Exploit Pack and Fragus Exploit Pack are all “exploit” systems that a miscreant can purchase to aid in building and monitoring a botnet. These exploit systems will set the botmaster back a few hundred dollars, but in return they provide the aspiring botmaster with several exploits, an administration and tracking panel, and some sort of software support. These crimeware systems are often grouped as “Russian Crimeware” and are frequently advertised for sale in various forums on the Internet. They advertise varying levels of effectiveness, and often additional modules can be purchased to increase that effectiveness. The systems work by essentially aiding a botmaster in putting up a malicious website. The botmaster then uses social engineering to lure victims to the malicious site where, once infected, the victims become part of the botmaster’s botnet. Once the victim system is part of the botnet, the botmaster uses the endpoint for profit, either by leasing the systems to provide services such as spam or denial of service, or by stealing credentials from the victims, bundling those credentials, and selling them.
During the course of research, I decided to take a look at the YES exploit system to learn more about it and to see how effective a system it really was. This post will give an overview of the YES exploit system, as well as look more in depth at the first exploit it delivered during testing, which was an older PDF exploit.
Read More »
The Cyber Risk Report this week contained a short mention of the attacks against the Apache Software Foundation (ASF). These attacks were documented last week in fantastic detail by Philip M. Gollucci of the ASF. The attackers used a previously undisclosed cross-site scripting vulnerability and password brute-forcing to gain initial access to the ASF systems. They then used additional attacks to learn user credentials, browse file systems, and access other computers. The level of openness demonstrated last week is not a first for the ASF; in May 2001 and in August 2009 they published similar reports in response to security incidents.
When reading the ASF report several things came to mind. For example, “wow, if they only did…” or “people always say that is not a big deal…” Well, hindsight is always 20/20 and, in this case, it was a relatively big deal.
There was a somewhat lively debate among my teammates about the ASF blog post. Nobody disagreed that it provided a great window through which to examine a real world attack. But of course, there were many opinions presented as to what the key takeaways for organizations should be. I have listed some of these takeaways below.
Read More »