Sunday, December 28, 2014

DISCLOSURE: Independence Blue Cross

Independence Blue Cross has indicated that a maintenance worker discarded 12,500 paper records in the normal trash in October.

Thursday, December 25, 2014

H.J. Russell & Company - Owned

This companies IP address block has shown up in OSINT-X as a compromised host. This organization has machines attacking many other companies so they are presumed hacked at this point.

This activity started early 25 Dec 2014 and is ongoing.

Type: General
Area: Engineering

First Noted: 25 Dec 2014
Location: Various Locations
Total Records: 2500+ attacks noted
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC) 

Merry Christmas from the SLC Security Team...

We wish you all a safe and happy holiday season... We will see you all on the 2nd...

Tuesday, December 23, 2014

Hey where did the domain monitoring go?

We wanted to let you all know that we are no longer offering notification services on domains. In order to get this information you will be required to subscribe to OSINT-X or purchase a system to host the solution at your location. Our business model has changed significantly over the past year and it is not longer in our best interest to provide a notification service that you can setup for yourself in the OSINT-X product line.

"This change may affect some people but at the end of the day the information being ingested into OSINT-X is more up to date than the system that scours our feeds for your companies information. This move is a win for our customers." said Kevin Wetzel of SLC Security.


First Citizens Bank and Covert Electronic Surveillance

We are seeing indications that this bank is under covert electronic surveillance. This could be auditors hired by the bank, bad actors looking for attack vectors or some other party. We are not sure of the reason but our investigators have noted on several different dates that sophisticated attacks may be taking place at branch locations that are in non heavily populated areas or that these areas are under surveillance.

If you have any additional information on what may be occurring here please contact Kevin Wetzel at (919) 441-7353 or call our TSCM line at (717) 831-TSCM. Reports may remain anonymous if requested. 


2014 Historical Data to be released to Tableau Desktop or Public Users

As part of our technology share program SLC Security Services LLC will be releasing intelligence information formatted for users of Tableau Desktop or Public software so you can perform your own network analysis. The information being provided will be for a 30 day period and will include several of our feeds so you can run comparisons against your own network traffic.

Some of our clients have begun running the data against firewall and server logs to identify compromised machines and host so this may be valuable to you to determine if you should hire a third party to perform a network or security analysis of your data.

The tableau data will be released to the public area of the Tableau Server and will be available to the public. The time periods of the data will be from 15 Nov - 15 Dec 2014. The purpose of the release is so you can evaluate some of the same data that we utilize in our security appliances to determine if the devices are a good fit for your organization. If you come up with other use cases please let us know. We would love to work with some new faces in 2015 and we will do profit sharing on any use case that is adopted into our commercial gateway appliance.

The SLC Secure Gateway is an appliance that acts as a firewall and gateway on networks and also collects information from workstations to include MD5 list of files, network traffic data and action logs to match indicators of compromise with known virus, malware and network security threats.

Covert Listening Threats even worse than recent hacking attempts

Over the past few weeks we have been researching data from various audits on the east coast. We are noting a large increase in the identification, location and disabling of covert listening devices. In the month of November alone we have discovered 14 separate listening devices at 7 different companies. One thing we also have noticed are some similarities between the various devices that have been located.

1. In several of the cases there were multiple listening devices in the same area. We believe this is being done so that if the primary is found the backup may continue to provide useful information to the attackers.

2. Fax machines are being heavily targeted at many businesses. We have been able to locate stolen documents in 4 of the cases out of the 14 being researched.

3. Ultrasonic devices are being used to avoid detection.

4. Networks are also being attacked with malware reporting back to 194.165.134.66. These IP's are also attempting to attack SMTP servers to verify accounts at these same organizations. This was determined through log file analysis.

5. 1 of the 14 companies is a major US Military Contractor.

These are the finding for November. We are still seeing covert listening devices in December and the numbers this month even with the holiday breaks are much higher than November so we are alerting companies to look for traffic to this host and call us if you have identified any. We would like to look for accompanying planted devices to see if this pattern remains. Only 1 of the 14 entities was not bugged or we did not locate any devices during the sweep.

SLC Security customers please read bulletin 2014-141 for additional information on the network IOC's and signal identification notations for these 14 locations.

Copycat Hacks Becoming Commonplace

While Government experts have pointed the finger at North Korea in the recent attack of SONY. We are still not convinced. The reason we are not convinced lies in the OSINT-X data we have archived and analyzed, the malware used in the attack and the similarities of an earlier attack on South Korean banks. One thing is for sure that the Government is not an OSINT-X customer at this time although we have had contact and interest in the product for other uses within the DOD. The FBI probably could use the system to help them in this type of case but as of yet they have not requested access or a stand alone system at any of their locations even though we have offered in the past.

One thing stinks in this whole North Korea blame game. There are misspellings in some of the code used in the first attack and the second attack does not show the same signs. We find it hard to believe that the same people are responsible based on word structure and simple elimination due to the fact that the IP addresses that were cited in an earlier report have changed hands in the botnet wars on more than four separate occasions over the past year and one of the IP's is in direct control of a known China group that would be more suited to carry out this type of attack. This same IP also is hosting malware and has been listed as a compromised system 2 times in the past 2 months.

Truth be told nobody knows exactly who has committed this act and secondly it is nearly impossible without having access to the Internet Service Providers (ISP) core networks to analyze traffic. I say show me proof and I"ll believe that it was North Korea. There are too many ways for these guys to cover their tracks than to make a connection through one of the 1024 official IP addresses that are in use in North Korea. This information is also wrong as there are over 5000 IP addresses in our systems that lead to North Korean associate entities masked as news and public information sites (most of which are hosting propaganda on servers outside of North Korea). It stands to reason based on our intelligence that the North Korean Government is responsible for these systems directly as they do not allow outside entities to utilize communications systems and have played mock games with various releases of "malware" and viruses on these same systems infecting thousands of other entities. If they were in fact responsible they would do like every other hacker and use jump servers to mask their identity.

If you really want to see something interesting look at the 194.165.134.0/24 block  and look at connections going to and from the Internet via that IP block. Then you may be able to tell us something.


Friday, December 19, 2014

BREACH UPDATE: Staples admits to customers data being lost

Staples Inc. has come out with the following statement today.

The number of cards affected 1.16 million.

Staples Inc. (SPLS), the largest U.S. office-supply retailer, said 1.16 million payment cards may have been affected in a series of data breaches that occurred from July into September.
The theft occurred after criminals deployed malware on point-of-sale systems at 115 of Staples’ 1,400 U.S. stores, the Framingham, Massachusetts-based company said today in a statement. The company disclosed in October that it was investigating a potential breach.

Thursday, December 18, 2014

The Grinch?? Alert Logic's Claim's Not Adding Up

So as penetration testers we immediately took the information provided by Alert Logic in a recent notification concerning a vulnerability in Linux systems known as "the grinch". Our technical staff have all tried to confirm the information provided with the information provided in their post. Guess what?! We can't get any of the systems we have been testing to actually prove this exploit exist.

We have tested on RHEL, Fedora, Ubuntu and a few other distros and as of 5PM EST have not seen a single system that will allow us to exploit this vulnerability.

If anybody has more specific details on how this is accomplished we would love to hear about it.

Wednesday, December 17, 2014

WE AGREE: SONY did not get hacked by North Korea

Those of us in the security research arena are not buying the statement in mainstream news that SONY was hacked by North Korea. In fact there are many indicators to indicate otherwise. We are not gonna speculate on this and are surprised at the number of news organizations that are putting out information on a whim.


Additional Reading:
Data Breaches also agree's
North Korea Tech
And This...
And This...

Yeah, Yeah we know there are not many that agree but North Korea is pretty much cut off from the outside world. They may have asked another rogue state to help them but again we are not gonna go the way of the mainstream news.

In non US news circles many outlets are reporting that the attackers are unknown but in the US it seems the media would like to make it appear as though North Korea is responsible. We all know North Korea couldn't hack it's way out of a wet paper bag.

Monday, December 15, 2014

Guess What?! Your owned... UPDATED 12/16/2014 1:37PM EST

On 15 December, 2014 SLC Security Services LLC kicked off an analytic job to determine what host are owned or have been compromised. The following organizations came out of our analysis as being compromised and either used to perform additional attacks or part of a larger issue such as botnets, malware distribution or brute force activity. The following entities have been seen by sensors owned or operated by SLC Security Services LLC volunteers.

If you show up on this list you may want to find a reputable security firm to help you secure your infrastructure. If you have any questions you can email soc@slcsecurity.com.

Pinellas County Schools, FL
Etech Group Pty Ltd, FL*
Turner Broadcasting Systems Inc, GA
New Life Homes LLC, GA*
CocaCola Company, GA
Grant County, Moses Lake WA
Indiana Department of Education, IN
Massachusetts Institute of Technology, MA
New England Telehealth Consortium*
Arvixe LLC, Santa Rosa CA*
National Center for Atmospheric Research
Boston University, MA
Automated Data Systems
Georgia Public Web Inc, GA
Mainstream Consulting Group, MN
Minnesota State Colleges and Universities, MN
George Mason University, DC

Disclaimer: The information included in this report was provided by third parties such as WHOIS, Domain Registrations, Private Databases and proprietary information. We do not warrant this information to be free from error. In fact we are seeing fraudulent WHOIS data on an increasing basis but we believe the information to be accurate. Item's marked with a star were only verified with WHOIS so these names may not be accurate.

62 man hours of research and analytic processes were utilized to identify these organizations.

Another Round - Compromised Host

We will be publishing another round of compromised host later this evening at approx. 10PM EST.

We are running a batch analytic job in Analytic Desktop as we speak. We will release the results when the job is finished. 


BREACH: NCUA Flash Drive Lost - Data being sold on Darknet

NCUA confirmed that an examiner lost an external flash drive containing names, addresses and social security number as well as the account numbers belonging to the members of the Palm Springs Federal Credit Union.

They were quick to note that the data did not require passwords or PINS of the associated accounts.

We have noted information pertaining to be from this loss being sold on Darknet.

NOTHING FOLLOWS

SONY Hack - What they are not telling you

It goes without saying that SONY is in deep trouble. We started seeing problems back in February of 2014 as several Sony related host had shown up on our blacklist of compromised systems. We were not doing the blogging thing back then but we can assure you that they are not being 100% honest about what has happened since they first discovered the breach.

You see Sony did exactly what some of the other entities we are blogging about. NOTHING. They knew they had security problems but they took the road that many of the companies we notify do. They sit back and try to cover up the issue before anybody notices. What's different this time in Sony's case is that the hackers had ample time to farther attack the Sony network. This bought the attackers much needed time to dig in really deep and to start shuffling data off the Sony network.

Here's what we know today:

1. Sony was attack far earlier than reported. We started seeing indicators back in February on our Compromised Host and Brute Force Attackers list.
2. The attack went unreported until the attackers started releasing troves of information.
3. The attackers notified Sony and tried to extort money from executives numerous time, Sony did not cave in to the attackers demands.
4. Information is being sold and the FBI is actively investigating the incident. Security researchers have confirmed that the FBI visited them after they downloaded Sony's proprietary documents.
5. Information is currently being sold on Underground Web Sites.
6. While the media is pointing to North Korea they are basing this information on the fact that some of the malware was written in Korean. This is really an assumption and we have seen this tactic being used to misdirect blame in the past.
7. Iran is releasing torrents with Sony information in them so they should also be given a second look but as of today it is not known who exactly is behind this attack.


Sunday, December 14, 2014

UPDATE: UC Berkeley Acknowledge Breach

Previously we reported  on a list of college systems that were showing up in our OSINT system as being compromised. Earlier today we were notified that an alert was sent to UC Berkeley students and staff advising them of the breach.

Read our previous post here.

This is exactly why we started this blog and we are glad to see that they reported this in such a timely manner.

From the information being provided it appears as though the Real Estate Division is the affected Berkeley entity. They are stating that they first detected the activity in September. Although UC Berkeley is not a customer of ours we are glad that they took action.


Wireless the Number 1 Vector

If your organization is running wireless we are advising you that this is the number one attack vector. It is recommended that you move to certificate based authentication. In 57 of 60 assessments we are reviewing wireless is by far the easiest vector to gain access to corporate networks. Even if corporate wireless networks are segregated the information sent through these networks may lead to actual compromises of legitimate network resources due to the fact that many devices will still try and authenticate to resources over the network.

When conducting penetration testing we are successful over 95% of the time in gaining credentials over guest networks so just because you think your guest network is not connected to your corporate network you should still be vigilant in monitoring.


EXCLUSIVE: The Top 10 Items Missed During an Audit (Article 3 of 10 in a series)

This is an exclusive provided by SLC Security Services LLC the leader in Medical, Compliance and DOD Auditing Solutions.

Number 10 on the list is attacks on your Disaster Recovery Plan or Third Parties that handle your data. We are seeing more and more third party vendors of large companies open them up to compromise due to standards not being in place and no auditing of third parties that you share data.

If you remember Target this was a perfect example whereas their air conditioning contractor failed to secure their network and malware was introduced via this path. Many times businesses open up firewalls to vendors without any auditing and verification of what data is moving through those trusted connections. Here are some recommendations to prevent your vendors from allowing a hacker to jump through a third party and gain access to unauthorized resources.

1. Even though a vendor may be "trusted" they should only be trusted to particular systems. The systems should not reside in your network. Host that data in a separate network segment that you can introduce DLP or monitoring protections such as IPS and IDS and make sure you are alerted if any attempts are made to access resources other than the destinations you have authorized.

2. Grant the least access required. Open only single IP and services in your firewall. Don't completely allow them to access any resource on your internal networks.

3. ENCRYPT YOUR DATA as it leaves your network. Ensure that information that is taken is encrypted. This prevents somebody other than your vendor from accessing data in which they are not authorized to view. Use time based encryption so that the keys are generated and discarded daily using security devices made for this purpose.

4. Require 2 factor authentication to view or access systems. Sure it may be inconvenient but so is losing your customer base to hackers.

If possible use hardware based network cards (INTEL makes a great solution) that only allows one device on your customer network to access only the single device on your internal network that they require to carry out authorized functions and processes.

Another great idea is to use an endpoint firewall solution.

If you would like to audit your third party vendors contact SLC Security at (919) 441-7353 to schedule an audit.

Friday, December 12, 2014

BREACH: Las Vegas Sands Corp

Breached by Iranian hackers in response to a comment made by the CEO of the company. Attack bears similarities with SONY as information was stolen and then the hard drives of the companies machines were wiped.

BREACH: St. Louis Parking Company

St Louis Parking Company has released a press release indicating that customers information may have been breached from 6 Oct 2014 - 31 Oct 2014.

The affected server was identified and isolated to avoid any further data from being compromised. Datapark, the manufacturer of the revenue controls system, is investigating the incident and following the Payment Card Industry Data Security Standard.

Third-party forensic experts were also hired to help investigate the matter. The breach has been contained.


Type: Card Processing
Area: Parking

First Noted: 9 Oct 2014
Location: MO
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC) 

BREACH: Kickback Jack's

We have confirmation that Kickback Jack's has been attacked. As of today the attack appears to be limited to just a few locations however that could rise as the investigation unfolds.

They are not a customer so we will not be following the activity but thought that it best for us to advise you that credit cards are being used that were swiped from Kickback locations.

Type: POS
Area: Hospitality

First Noted: 12 Dec 2014
Location: Various
Total Records: 4500+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

List of Owned Colleges and Universities

Over a weeks worth of research and sensor data has indicated a very large amount of college and universities that are infected with malware and/or viruses. In order to be listed a college would have to have been infected for a period of more than 7 days without detecting the botnet, virus, malware or compromised host. This report is only a snapshot in time but is current as of 12/12/2014. If you are in data security at these universities you can research public blacklist as we have already listed out the IP address ranges in our feed at http://www.slcsecurity.com/blocks/alert-ips.txt. Check the feed and if your in that list you might want to check your computing resources as soon as you can.

If you have trouble locating the infected boxes please reply to this post and we attempt to help you locate the infected or offending devices that we are observing.

University of Arkansas
University of Waterloo
University of California - This entity has acknowledged and is actively re-mediating the breach
University of Missouri Columbia
University of Maryland
University of Pennsylvania (PENNSTATE)

These are the universities that are currently show up in our OSINT systems. We are still working on a master list.

Thursday, December 11, 2014

Colleges Largely Already Owned by Hackers or Spreading Malware

During research on our analytic system this week he are noticing a bad trend concerning educational institutions. We started looking at colleges and conducted some analytic research that indicates that 52% of college and university networks currently have at least one host that is actively participating in bot or malware campaigns. What is troubling us lately is that many of the organizations we are seeing in our OSINT products have remained compromised or infected for very long periods of time.

We have scheduled an analytics job to run tonight that will look through our systems and match educational institutions to known indicators of compromise and we will be releasing the list of infected schools in the next several days once we have had a chance to analyze the results.

"These schools have students studying cyber security and forensics so it's concerning that they have not had their students take an inner look at their networks and secured these vulnerabilities".


Wednesday, December 10, 2014

NEWS: Hackers contacted top Sony executives before attack via OSINT-X Newswires

Top executives at Sony Pictures received an email extorting money three days before the company’s computer network was taken offline in a major hack.

The email message was among thousands released on Monday when the email boxes of two top Sony executives were leaked online. It was the latest release of potentially embarrassing corporate information following a major hack on the company’s computer networks two weeks ago.

“We’ve got great damage by Sony Pictures,” the message began. “The compensation for it, monetary compensation we want.”

“Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely,” it reads.

Tuesday, December 9, 2014

Data Security Excellence Note: Smithfield Johnston Memorial Hospital

During a recent walk through of Smithfield Johnston Memorial Hospital our staff noted that this hospital takes data security seriously. There were no wireless networks spewing data such as what has been observed at other hospitals and all patient consultations look to be held in private offices and not in shared spaces.

It was also noted that none of the workstations remained logged in when users walked away. In addition we can report that this hospital although not a client really took the data privacy of their clients seriously.

This hospital would be easy to audit as they have their act together. Good job Johnston Memorial!

Sunday, December 7, 2014

BREACH: WellCare informs Medicare subscribers of data breach via OSINT-X Newswires

Some personal information of a few dozen Monroe County residents who are Medicare subscribers with WellCare Health Plans recently was mishandled by a subcontractor for the insurer.
In late November, WellCare sent letters to 47 people affected in Monroe County, telling them the breach did not include Social Security numbers or any financial information. The insurer notified more than 500 people throughout New York state who were affected.
The insurer said it was not aware of misuse of anyone's information. Nevertheless, it urged the 47 individuals to review their credit card bills and other financial statements. The insurer is providing one-year credit protection.

[...]

COMPROMISED HOST: General Mills

We previously reported on General Mills. As of today we are still seeing indications of an infection coming from their network. We believe the host to be compromised.

Affected Host:
146.217.15.253
146.217.15.254

We have sent a notification for them to check their systems. We will update this post if we receive any follow up from them.

COMPROMISED HOST - University of Minnesota 128.101.165.206

We are starting to see reports of a compromised host out of the University of Minnesota. The IP address 128.101.165.206 looks to have been breached sometime around 11-26-2014 and as of 12-02-2014 was still showing infected although it has since dropped from our nightly analytic runs.

Friday, December 5, 2014

EXCLUSIVE: The Top 10 Items Missed During an Audit (Article 2 of 10 in a series)

This is an exclusive provided by SLC Security Services LLC the leader in Medical, Compliance and DOD Auditing Solutions.

Issue 9 - Inadequate security of network path and access control systems

Yes we are jumping around a bit that's just because we have been really tied up with some clients this week. So here goes...

The number 9 issue on the top 10 list of items missed during audits is something most auditing companies never even check. When doing audits one of the items we check as part of our TSCM sweeps are the network, phone and cable paths. What we are referring to here are network cables that actually are accessible outside of your building, telephone connections in shared closets or alert system components in public areas that can be manipulated without gaining physical access to your secure space.

How many times have you been in a building and seen a closet labeled "Telecom Closet" or some similar title? These areas are troublesome for many of our clients that lease space in buildings. One of the things we have had to do at some client locations is request separate telephone lines and communications lines be brought directly into our customer space. We also insist on full metal conduits into the building as to prevent wire tapping and similar physical attacks on the lines. Full metal conduits also prevent some really neat tricks in which you don't even have to cut the phone lines to be able to monitor them.

At one bank recently we noted that in the walk in area beside the ATM was a network jack on the wall. When we tested the network jack it was connected directly to the customers network switch and the port was active. The port gave us an IP address and through passive network monitoring we are able to run wireshark and get at a ton of very sensitive information to include the domain information for network that the tellers in the branch were logging into. With some arp poisoning we were able to capture login credentials, needless to say the client disabled the port after the audit.

One important thing to note: 95% of the companies that we initially audit are not even aware of the TSCM threats that exist. Many times our audits are eye opening as we can tell who is in a building, login information to networks, etc, etc. just because they are not aware of some of these attack vectors. I can't tell you the number of wireless networks we find. It's very surprising and somewhat easy to obtain access to these networks when we do stumble upon these links.

So there you have it. Check your cable paths and make sure your devices are not going into shared space. If you really want to ensure the security of your communications here are a few other tips.

1. Do not use fax machines to send medical, PII or sensitive information over the telephone network. While most people think telephone networks are secure there are many stops along the way whereas your competition can get at your information and reconstruct your faxes, emails, etc.

2. Do not allow employees to bring personal electronic devices into areas that house PII or PHI. It has been proven that this is an attack vector that can be exploited.

3. Ensure cable paths are properly secured.

4. Do not use wireless handsets even if they are DECT "secure". DECT can be reconstructed it just takes the know how and tools to do it.

5. Do not send PII over wireless networks.

6. Do not allow third party vendors into any network that houses PII, PHI or PCI.

Have a great day folks and be sure to look for the next article in this series.


Spotify Cell Phone Tracking

We wanted to alert you to a VERY interesting thing we noted today on a wireless penetration test. While conducting the test we started seeing some strange traffic from the Spotify client that actually is not good, not good at all. What we observed were packets going over the network that included the cell phone number, model of the phone and various meta data identifying the handset to include the IMEA of the handset.

This is troubling as we observed the phone looking for it's home network, as soon as we spoofed that home network the handset connected and then spewed out the information identified above. The information is going back to spotify and we have seen similar things from pre-loaded Verizon handsets as well so this is a bit concerning as that information could be used to mount very specific attacks on an individual.

We ended up with enough information to verify the following information:

1. Cell Phone Owners Name
2. IMEA of the Handset and Phone Number
3. MAC Address of the Phone when it associated to the network
4. The Model of the Phone

I am not sure why Spotify would be collecting this information but we wanted to let you know.

We may be able to reproduce this. This would be a great method for verifying somebody is inside a building or some similar attack. 

Tuesday, December 2, 2014

FRAUD ALERT: Domain's posing as Valve Corp (Russian)

UPDATE:
We were contacted by the hosting provider Akamai and advised that the domain in the capture below is actually an imposter out of Russia. Upon researching the information provided the registration information of the associated record below does not match other legitimate Akamai domain registrations so we have taken the following actions to correct this bulletin.

1. Removed the Akamai netblock from our temporary block list
2. Blocked all associated domains related to the fraudulant actors
3. Provided an update on the VD blog

We are glad that we were contacted as this helps us in keeping our information accurate. If you reach out to us as Akamai did we will work with you to confirm, verify or remove information that is in error.

Thank You for assisting us Akamai




Original Vuln Disclosure Article:

This isn't in the news but we can tell you that Valve is once again owned. We have seen clear evidence, packet captures and information being sold in the underground that are clearly not for public disclosure. Why don't these "Media" companies hire people that understand media. Valve is another repeat offender with the likes of Sony (which also has issues this week).

Valve keeps trying to keep hackers out but they have to understand that hackers are who made them in the first place. Game on my friends. Let's see if Valve put's out any public statements or see if they can find their Spreadsheets out on the Internet anywhere...     You might wanna try Pastebin guys!

Oh and your still on our blacklist for NOT securing your network the first time.

UPDATE: Oh and it's great that your web servers are now hosting the malware... Maybe they are planning on attacking your customers as well....

12-02-2014,screen-hosting.net,Valve Corp.





Quotes and Comments - Your news our way

There is no malware involved, so an antivirus program has nothing to detect, Mandia said. To confirm it has been attacked, a company must crack into its email server, review its logs and look for signs someone has connected to the server from an IP address outside the company. 

OK Call me stupid here but why the hell would you let an outside IP address connect to your mail server? I get it you mean allow a company to send email into your companies mail servers. Ha! We don't recommend that either... We are not giving away our trade secrets for protecting email for free I can tell you that!

Businesses need to implement two-factor authentication for email access, meaning employees would have to enter another code in addition to their username and password, he said.  

That's definitely a good start.

Hackers Leak Data Taken From Sony Pictures

Yep that's usually how this game works! I mean it's nice they are not charging for the Intel. People pay A LOT of money for business intelligence these days.

FireEye tattles on hackers. Investors love it.

Yeah but do their customers love it? I mean they are good about notifying you AFTER the attack!



Sorry but I can't do this any more today. None of this news is making much sense... Ugggghhhh

Why I love the big security companies! Here we go again Sony!!!

We keep reading these articles about very large corporate security giant's such as Mandiant and Fireeye and we sort of chuckle. These companies are great at protecting the organizations don't get me wrong but there are some vectors that these solutions consistently miss. They are so focused on the networks, Internet and the people. You did remember the people right?! Well we love the companies that go to these firms AFTER the fact. Look at Sony's recent public announcement that it has hired Mandiant to secure their network. Let's hope they do secure that network because that network has more holes in it than the swiss cheese on my sandwich at lunch time. I mean what Sony this is like the 10000th time you've been hacked.

Honestly there is nothing wrong with Mandiant or Fireeye. Like I said they are good at getting to the bottom of things when a breach has occurred. The biggest problem here is that Sony is just throwing money at the problem. Money alone will not fix these issues. Sony has been listed in our feeds for months so when it's all said and done you will see that Sony has been hacked for far longer than what they have thought. In addition if you know anything at all about DOX you can check some historical archives and find a treasure trove of information on Sony and quite possibly who is behind the attack. You did do your OSINT on this issue right?

So while I love you guys to death let it be known that in the 34 companies that we have audited and 6 US and Canadian Government Agencies not a single agency has been compromised after our audit and lockdown process. I don't think Mandiant or Fireeye can say that with confidence.

I think Sony really needs to look at how their "network" is build and revamp from the ground up. If I'm not mistaken they brought in Mandiant the last time they were breached. What that tells me is that we can probably look forward to future breaches from Sony and we should just take our money elsewhere. I can tell you that your not getting my credit card information any time soon.


Leveraging Big Data in your Enterprise

You cannot possibly view every single log file, every single login, every single password change, email, forum post, blog access, etc, etc. within your organization with the limits to staffing. It's not possible. This may be why Mandiant says that it takes over 200+ days to recognize an intrusion. The reason that it takes so long is because no administrator or security engineer can possibly read everything that comes into your network. This is where big data comes into play as well as analytics and data warehousing.

If your short on staff you should look into ways to make your existing staff more effective. One very easy win for the enterprise is to utilize distributed computing and big data together to find those needles in a hay stack.

So why aren't more company's investing in big data? Don't get it wrong many companies are using big data for business processes. Only a handful are using big data for use in analytic log monitoring. You and I both know that you cannot possibly look at every single line of code, every single log file, every single email or document stored on your network, and who would want to? So how can you use big data to find security issues in your network? Build a cloud and run analytics to look at the data differently.

I will be posting more on distributed computing and cloud storage in the upcoming weeks. Stay tuned and have a great day!

BREACH: Highlands-Cashiers Hospital

"The hospital says a company hired to handle healthcare information, TruBridge, made a misconfiguration that put patients' names, addresses, treatments, even some social security numbers at risk between May 2012 and September of this year."

This company is still leaking information. This was confirmed last on 11/9/2014 while we were on an audit in Western North Carolina. A quick check today indicates information is still being leaked. 

It should be noted that the breach is much larger than what has been reported. 

Type: PII/PHI
Area: Medical 

First Noted: 9 Nov 2014
Location: NC
Total Records: 25000+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC) 
 

Monday, December 1, 2014

EXCLUSIVE: The Top 10 Items Missed During an Audit (Article 1 of 10 in a series)

This is an exclusive provided by SLC Security Services LLC the leader in Medical, Compliance and DOD Auditing Solutions.

One of our clients recently had a discussion with our auditing team and brought up a good point. John ask us specifically what are the 10 most common items missed during an audit or that IT personnel or security personnel fail to catch when preparing or when being audited by our firm? I stood there for a minute just digesting the question that was just posed and actually listed what I thought from my perspective the top 10 items would be. Then I started thinking some more about how I could actually make something useful out of the question and present it to customers and others that could benefit from that question.

Once I returned to the office I decided that I would take a look at the last years failed items and try and generate a top 10 list of items from the data that we had from our customers. After all I wouldn't be releasing what items were failures at each customer and all of the items in the failure block have already been corrected or accepted as a risk item so little to no harm could be done by compiling stats and expounding on this question a bit.

This is the first of 10 articles that we will be writing on this topic over the next few weeks. The goal is to get this series completed by the 1st of the year.

The Number One Issue - Failure to Document
Every single audit this past year has had this issue. There was at least one system that was connected to the network that was not documented. In order to ensure that systems are patched, secured, accounts that are no longer being used are removed, etc, etc. You have to know that a system exist. And worse yet you have to know what operating system is installed on that system so you can map out what vulnerabilities may be present. A good example of this is a particularly large client. Because we are under NDA we won't name them but just know they are one of the largest companies in Internet communications. An audit was conducted and as part of the audit we identified nearly 1400 devices on the LAN (Local Area Network) for this company. Honestly this number is small but we were only dealing with a regional office so this was our number. The company could account for nearly all of the devices except 64 of them. We received valid responses to probes in our scanning software and we knew that the system work running Linux but we could not locate them anywhere. We checked everything from the security cameras, VOIP phones, etc, etc and were having a hard time locating them until we were about to give up.

I was walking from the third floor heading to the parking lot when I swiped my card to exit the building and just froze. My team mate looked at me because he could sense the rubber burning in my head and I said to him "that's it". He said "What's it?". I said right there... He looked at me confused I said it's the door access readers that are running Linux. We went back to the third floor and ask who maintains the door access system and the security manager said that's managed by corporate. After a quick 10 minute phone call we had located all of the devices and accounted for them and were able to document the finding. Guess what?! Four of these devices had been compromised and were being used as a jump point into the internal network of this "company". We were able to get on the same VLAN as the devices and we determined that each and every one of them were vulnerable to the bash bug as the readers were running Busybox. The vendor had even notified the IT department but that information never got back to the security department. This is why having a third set of eyes is important. For months information was being stolen from the company without anybody even being aware of it. Luckily it was only the reader data which included the card number and employees name and email address but it was still a significant finding. Upon additional research we noted that this information was being used in Phishing attacks against individuals within the company and two personnel's computers were compromised using data that was obtained through the card readers.

Since the company did not document these devices our counts were off during the audit and we were certainly not going to leave the company until we knew what these devices were and could ensure that they were secured. This audit was a preliminary audit that ended up getting us a major support contract with the company because the security staff realized that we would ensure that each and every connected device was accounted for and documented properly. This contract was just signed on the 22nd of November and we look forward to auditing many other locations in the upcoming year.

Make sure you are documenting every device. When a vulnerability comes along if you don't know what devices are running what operating system it is nearly impossible to ensure that your networks and connected devices are secured.

If you can't document your finding or your devices correctly make sure you hire a company that can. The sad part of this story is that this company had passed 2 previous audits in the preceding 6 months and swore they were compliant. Luckily the network in which these readers were placed were in a separate VLAN but there were problems with shared space as these devices were directly addressable from the Internet as were the controllers that connected the office back to corporate to obtain the list of authorized personnel for each location. These were the systems that were vulnerable and what caused us to fail the organization. The good news is that the issue uncovered was not reportable so the company maintained their reputation but that is not always the case. As part of our audits we report any findings if we can confirm that information has been leaked to unauthorized third parties and we follow the reporting recommendations of CMS, HIPAA, ITSG, STIG, etc, etc.

Here are the other 9 items missed on most audits. These items will be followed up on in later articles with specific and detailed examples and information.

Ask yourselves today do you know where every single connected or mobile device is that is attached to your network? Have you secured all guest networks, access networks, VLAN's? Have you patched all security systems, telephone systems, copier machines, faxes, computers, servers, routers, switches, etc.? I we audited your organization today do you know what versions of software are running on every device? Are you current with all third party vendor patches?

The answer obviously is no. No organization ever can document every single device, patch level, operating system, etc. The goal of the audit is to do just that. Provide the documentation that turns a 3 month audit into a 2 week audit. If you can answer the auditors questions the first time you may pass but don't you want to pass with flying colors? Don't you want real piece of mind? Remember Target passed their audits too but that's because the audits were only for a specific system and not how the systems interacted. It doesn't matter if a system is patched to the latest version of your guest network has vulnerabilities that can allow MITM or Malware to infect those systems. Just because you passed that audit doesn't mean you have passed an SLC Security Services LLC audit. If we don't find it, your audit is free!

The Rest of the List... (Future Articles)

2. Failure to remove old accounts or have a system in place to deactivate unused accounts.

3. Incorrect workstation settings not in line with your business need. Insecure servers and workstations.

4. Reliance on Anti-Virus and Malware Protection that is inadequate

5. No signal and propagation protection in regards to wireless, paging, cellular and other wireless technologies.

6. Inadequate email protection.

7. No ability to audit email, files leaving the enterprise or the removal of proprietary information via electronic systems.

8. Social networking succeeded at the organization leading to a compromised system.

9. Inadequate security of network path and access control systems.

10. Attacks on disaster recovery plan whereas data was stolen from a third party or a third party provider to our clients in transit.

We hope you have enjoyed this initial article. We will cover the other nine topics in future post. We hope you have all had a great holiday and now we are all back to the grind. Have a great week and remember to keep things secured!

Sunday, November 30, 2014

62% of Medical Websites Vulnerable and could be hacked

A recent review of data from some recent botnet activity indicates that as many as 62% of known Medical or Medically related websites could be hacked by hackers. This is troubling and many of the vulnerabilities are common and widely used by botnets. The ONLY thing keeping information on these systems safe is that medical records are not being stored on the same servers as web related services. If there are trust relationships between these web servers and the systems that house those records hackers could already be snooping.

What's even worse is that many of these companies that provide medical hosting have poor to dismal records of protecting data and poor website reputations. Host on Amazon and you will be a target. AWS (Amazon Web Hosting) is known to be lax in the security realm. Thousands of attacks annually are traced back to Amazon and they do little to nothing to prevent customers from attacking others. In their complacency they are almost as guilty as the hackers themselves. New Dream Networks is another large offender as are Host Gator (although Host Gator is getting better at catching malicious activity than in the past). Most web providers fail to prevent abuse and only do something after multiple notices, why not protect customers before the malicious activity even starts? Please comment and tell us. We are perplexed here.

Thursday, November 27, 2014

CRITICAL ALERT: Hackers are just waiting on Cyber Monday...

SLC Security Services LLC is providing this alert in regards to the upcoming "Cyber Monday". We are seeing indicators that hackers are preparing for a large infiltration of websites and are poised to scarf up your personal details at some major retailers on Monday.

With the release of some pretty hard to detect code on Thursday and indications that over 500+ sites have been attacked we really want to get the word out that the number of retail intrusions this upcoming Monday is expected to be extremely destructive to retailers.

Be on the lookout for inbox viruses. That's the biggest tip we can give you. 

UPDATE: After much research we have noted a very large uptick in the number of messages being sent out of Romania. We have tracked over 25 different phishing campaigns to sites such as Amazon and other retailers such as NoMoreRack. Be vigilant folks. Every single one of these messages we have seen have been to phishing sites and a few have had APT installers embedded in Java and some other nastiness.

Wednesday, November 26, 2014

SLC Staff are in the SOC... Monitoring the situation! ELEVATED PROTECTION LEVEL

Members of the security team at SLC Security are in the SOC.

ALERT: Violent agitators, shots fired, looting, bricks & rocks being thrown at police in multiple locations. Multiple fires. Law Enforcement helicopters monitoring from the air. 

11:08PM EST: McDonalds and Walgreens both confirmed on fire.

11:09PM EST: 2 Vehicles, one passenger is shot

11:10PM EST: Beauty Salon and Strip Mall on fire

11:11PM EST: Additional Confirmed Fire Wallgreens

11:11PM EST: Confirmed live ammunition being deployed by demonstrators

11:12PM EST: Confirmed they are not blocking any media coverage, allowing media to go where they feel safe.

11:13PM EST: ToysRUs confirmed attacked by protesters

11:14PM EST: Highways being blocked to prevent additional people from joining the protest

11:15PM EST: Additional calls for help. Police advising they can only cover critical issues at this time. A business calls for additional assistance. Command post unsure of the name of the business.

11:16PM EST: Curves and Kathy's Kitchen confirmed looted.

11:17PM EST: Request for additional air units to ToysRUs.

11:18PM EST: I-44 shutdown due to protesters in roadway.

11:19PM EST: Sonic restaurant requesting assistance.

11:20PM EST: 1531 Lafayette check-in

11:22PM EST: Press starts releasing injury photos from Officer Wilson. Clearly visible swelling.

11:23PM EST: Second Building fire being reported.  Occupants on the roof of the building.

11:25PM EST: Third Building fire reported.

11:26PM EST: Police reporting to storage building and Sonic locations.

11:27PM EST: Anonymous claims to have taken down Cleveland Ohio Police website after 12 year old shot by police. The 12 year old was shot because he drew a black toy gun from waistband as police arrived.

11:28PM EST: Continued peaceful protest being reported from New York City. 

11:30PM EST: Storage building fire being reported. Fire Department attempting to respond.

11:33PM EST: Little Caesar's reported as a total loss.

11:34PM EST: Trooper 987 non responsive to radio request for location.

11:35PM EST: National Guard checks in.

11:36PM EST: 220 reports they are under heavy gunfire.

11:38PM EST: Shots reported. Shots at Fire Department personnel. Fire Department pulls out so safe location.


11:39PM EST: Armed subjects behind Red's BBQ reported.

11:40PM EST: Still looking for Trooper 987. No response from Trooper. Ask Trooper to report in to a TOC and report status.

11:41PM EST: Fox 2 sends in security personnel to recover 2 reporters in trouble.

11:42PM EST: Still looking for Trooper 987's last known location. Stated that he was at the fire department.

11:46PM EST: O'Reilly's store being looted.

11:54PM EST: Additional backup being requested at Police Station

11:55PM EST: Dollar General officer requesting 1 in custody.

11:57PM EST: 200 subjects reported to be looting businesses in (unintelligible)

11:58PM EST: Emerson Complex people climbing walls

12:01AM EST: 200+ at Shop and Save looting

12:01AM EST: 60+70 personnel (reported armed) setting fires at Reds BBQ

12:02AM EST: Gunfire being reported by CNN but may be canisters exploding in Beauty Supply Shop


12:03AM EST: 110 Church St Ferguson City Hall subjects attempting to break into the building.

12:09AM EST: Over 100 cars reported at ToysRUS. Police told to leave as it is not safe.

12:11AM EST: Air units asked to report on police cars at ToysRUS. Air unit reports no police cars visible. They are requesting air unit keep looking.

12:13AM EST: Trooper 987 located and is safe.

12:21AM EST: Advance Auto Parts being looted at this time. Gunshots being reported.

12:21AM EST: Smoke coming from Beauty Supply place near the PD.

12:23AM EST: Country Club activity noted.

12:23AM EST: Ambulance requested at ToysRUS.

12:26AM EST: Ambulance refuses to respond to ToysRUS until secured.

12:30AM EST: Sam's Meat Market on fire.

12:33AM EST: Black truck with subject in back of the truck bed firing rounds. No additional information. Police are looking for the vehicle.

Suspending reporting at this time. Only major updates will be noted in this post.




BREACH: Xerox and Texas Health and Human Services Commission Dispute Leads to Breach Notification via OSINT-X Newswires

An ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, has led the state agency to report to federal authorities that the business associate was responsible for a data breach affecting 2 million individuals.

The dispute, which arose when the state ended its contract with Xerox, serves as an important reminder of the importance of preparing for the ending of relationships between covered entities and BAs by including specific details about data return or destruction in business associate agreements.

Despite the ongoing nature of the legal battle, the breach already has been added to the Department of Health and Human Services' "wall of shame" tally, which tracks breaches affecting 500 or more individuals since September 2009, when the HIPAA breach notification rule kicked in. The tally now includes 1,167 incidents affecting a total of nearly 41.3 million individuals. Business associates have been involved in approximately 25 percent of those incidents.

Stolen Cards used on Charity Sites to Validate if they are Valid Cards

We have seen several reports today and yesterday of stolen cards being tested by carders on charity sites. If you operate a charity web site you may want to be on the lookout for fraud indicators. One of the things to look for are $1.00 donations. We have seen several reports that indicate this type of activity is occurring.

Monday, November 24, 2014

BREACH: City of Cleveland Police Website Hacked

Anonymous claims responsibility for the hacking of the Cleveland Police Website.

A group of hackers claimed responsibility Monday for shutting down the city of Cleveland's websites after police killed a 12-year-old boy over the weekend.

Thursday, November 20, 2014

General Mills has 3 Compromised Host

A company of this size should be able to manage their security infrastructure however 3 of their machines have showed up on our blacklist as performing malicious activity against other organizations. As such we have added these systems to our blocklist. Customers are already dropping traffic from the 3 IP addresses in question.

146.217.15.254
146.217.15.253
146.217.5.189

Thought you all might like to know...

GPS Tracker Vulnerability

During some research this week we tested several GPS trackers that offer bluetooth and we made an interesting discovery. All of the GPS trackers utilize AT&T or T-Mobile for the service side reporting of location data so they can be tracked remotely. Upon testing some of the devices with Kali Linux and a bluetooth dongle we were able to pull the GPS position off of the bluetooth side of the devices with passcode "1234" as the pairing key.

While this is not really an issue for these devices it should be noted that using the bluetooth chipset on the devices you can verify if the device is nearby and some even allowed outbound voice calls from the GPS sim card telephone number. Also when text we were able to get some of them to reply with the GPS location of the device.

Just letting you know, if you use GPS trackers make sure you disable the bluetooth if the device supports it!

1.5 Million Passwords Floated for Sale

SLC Security Services LLC has been made aware of a new password list being put up for sale on Darknet. The password file consist of major service accounts at GMail, Yahoo, Facebook, LinkedIN and several other larger sites as well as some Universities and public access locations.

It appears as though the information was collected either on Tor or some sort of proxy due to the format that we observed. We verified that the information is new and is not on any of the existing previously disclosed dumps.


EMAIL ISSUES: Texas A&M University-Kingsville

For the past few weeks, a phishing e-mail has had success in catching people’s information, causing it to circulate further throughout the school, said Bob Paulson, chief information officer of iTech.

“Other systems start rejecting our e-mail because they think it’s bad,” Paulson said. “What ends up happening is that when someone tries to send a message, it might get rejected, and you may never know if it sent, depending on the system (that rejected it).”

It’s only been a faculty-side issue so far. Although there are no reports of a student e-mail being compromised, that doesn’t mean it couldn’t happen, Paulson said.

“If the student replied to a phishing e-mail, if they gave their information away, then the same thing could happen to them. I have not heard of that yet, but there’s no reason it couldn’t happen,” Paulson said.

BOTNET Wall of Shame 11-20-2014

11-20-2014,50.193.61.78,Comcast Cable Communications Holdings, Inc
11-20-2014,54.68.211.27,Amazon Technologies Inc.
11-20-2014,67.222.114.236,Transwave Communications Systems, Inc.
11-20-2014,72.182.33.119,Time Warner Cable Internet LLC
11-20-2014,98.223.50.225,Comcast Cable Communications, Inc.

Monday, November 17, 2014

BOTNET Wall of Shame

11-17-2014,71.43.89.74,Time Warner Cable Internet LLC
11-17-2014,70.154.153.120,BellSouth.net Inc.

Sunday, November 16, 2014

SLC Security Services LLC OSINT system attacked by botnet

We want to send out personal thank you to the operators of this particular botnet for allowing us the opportunity to map out all the host that were part of your campaign. You see it takes us a long time to find compromised host so we can protect our clients but this type of activity makes it easy for us to collect our intelligence.

In addition it was very nice of you to identify one of our customers issues for us. Security is not 100% but we definitely appreciate the help. Starting at 9:00PM EST on 11-15-2014 we started seeing an influx in the number of failed logins to several of our systems. Within minutes our mining operation had collected over 7000 node endpoint IP addresses and added them to our paid blacklist product. Over the next 3 hours over 100 organizations that have purchased or operate our devices and software were updated with some great intelligence information that will now allow them to protect themselves.

Thanks guys... The whole purpose of open source is to collect this type of information so you actually gave us a great amount of data that is invaluable to our organization. Have a great week!

No systems were compromised and the attackers were blacklisted after the third attempt to login. Also it's funny seeing usernames come in during our two factor authentication process. This helps us to collect the data more easily as it was logged. This was truly awesome! 

BREACH: U.S. State Department Hacked - Unclass Network Shut Down via OSINT-X Newswires

Unclassified Email Network Shut Down For Security Reasons

The U.S. State Department has temporarily shut down its entire unclassified email network because of a suspected hacker attack. While no classified information appears to have been taken, officials told the Associated Press “activity of concern” was detected at around the same time a White House data breach was reported in October.

ADVERTISEMENT
The email shut down was part of a scheduled downtime meant to give technicians access to the system so they could make any necessary security updates. The unnamed official told the AP that the State Department's network is expected to be operating normally again when the updates are completed on Monday or Tuesday.

Friday, November 14, 2014

DHL the next to fall?

Remember when UPS stores started getting smacked? How there was a delay in information that we reported right here. Today we are making a prediction based on information we have seen over the past week that DHL may be the next shipper to come out and disclose an issue.

We started seeing network issues earlier in the week and with some preliminary research we are seeing similar activity to what was seen with UPS in the weeks leading up to their disclosure that they were compromised.

As these shipping companies have found out it's very difficult to secure logistical networks that contain consumer, point of sale, logistics, transportation and interfaces between other organizations that they need to share data to conduct business.

Keep your eyes and ears open. Let's see how long it takes them to let us know they have a problem.

NOTICE: Virginia Polytechnic Institute and State Univ

Although it has not been publicly disclosed we can tell you that we have data coming from this entity that is quite troubling. It looks like either a students laptop or a server has been compromised and is being used to launch farther attacks on other organizations.

Though you all might like to know.

BOTNET Wall of Shame - This will be an ongoing feature of the blog

The following host were detected during our last review. These are the results out of the first 100 in the list. There are over 7600 in the full list. We will put these out there as we have time to review.

Of interest here is activity coming from DoD Network Information Center and DFN Systems. Most of the other records are the ISP and not the organization but we will post the raw information as our honeypot sensors pick up the traffic. 

11-14-2014,167.15.41.2,Munich Reinsurance America, Inc.
11-14-2014,67.222.114.236,Transwave Communications Systems, Inc. 
11-14-2014,216.117.191.22,Advanced Internet Technologies, Inc.
11-14-2014,162.243.234.167,Digital Ocean, Inc.
11-14-2014,38.84.134.199,PSINet, Inc.
11-14-2014,72.80.31.179,Verizon Online LLC
11-14-2014,199.87.232.185,eSited Solutions
11-14-2014,11.38.64.251,DoD Network Information Center
11-14-2014,204.152.209.74,QuadraNet, Inc
11-14-2014,23.19.39.19,Nobis Technology Group, LLC
11-14-2014,71.183.67.163,Verizon Online LLC
11-14-2014,74.116.128.15,DFN Systems
11-14-2014,162.219.179.101,Amanah Tech Inc.
11-14-2014,209.190.42.138,eNET Inc.
11-14-2014,54.68.211.27,Amazon Technologies Inc.
11-14-2014,50.63.35.1,GoDaddy.com, LLC
11-14-2014,192.210.53.49,Psychz Networks

Thursday, November 13, 2014

Entity Portal Coming Soon...

Honestly we are very tired of telling companies that they are infected, hosting malware or owned. What we are about to start doing is just posting the list of companies with the data attached so you can see for yourself what is being leaked. Why are we doing this? Because companies don't listen. We are looking at it this way. By automating the process we take out the human element. We will let our computers do the work for us and allow us to get back to what it is we want to do, which is auditing and securing companies that actually take their security posture seriously.

We have provided list of companies in the past and the media response is ridiculous and somewhat annoying. Everybody wants to jump on the big story but nobody wants to do the work of correlating the data to find the companies in data that is publicly available. Add in some proprietary analytics and soon enough our software will paint a bleak picture of what is really going on. I'll be interested in seeing if companies actually do anything to fix the issues or if they will just keep ignoring it like what has been happening.

Is it wrong to use analytics to correlate the data to point at the individual entities involved? This data is already out there in the public so I don't see an issue with it. And whois data is public data so if your responsible for the IP blocks in question you should be doing something to prevent the issue. Sending out notifications is time consuming at best. We are just gonna start blasting you with data and let you all make your own determinations... We will just point to the original sources so you don't think we are storing the data on our systems, lord knows we don't wanna create another incident. Even though we could just take the route of the world and just ignore it!

Buckle up folks, shits about to get interesting...

Botnet List - PENDING

Later this week we will post a list of organizations that have been identified as having machines that are actively part of a larger botnet. The botnet is related to Japan and we are seeing the number of machines impacted growing.

Keep your eyes and ears open. This one is gonna be nasty. China may be getting the blame but Japan holds the keys to the castle... Utilizing open source tools and cloud computing nodes to find company's that fail to disclose breaches - that's what we do!

BREACH: Anthem Blue Cross Data Breach

This is not news to us but we are glad they finally disclosed it. Now if the other 2 Blue Cross locations would do the same we would feel like some of these entities would finally come clean.

Earlier in the month we started detecting information pointing to a problem at BCBS. They would be smart to hire a firm with extensive monitoring capabilities because guest what folks?! They are still showing up on our blacklist....  

Let's see how long it takes their "Forensics Experts" to contain this one...

Just to be nice let us tell you it would be a good idea for you guys to check your systems for bot activity. Our sensors are still seeing activity!

HACKING ACTIVITY: TSB Bank

Cyber-criminals are stealing signatures and personal details from hacked email accounts to try and dupe bank staff into releasing cash.

TSB Bank has posted a warning on its website after receiving an influx of fraudulent requests in the last week.

Chief executive Kevin Murphy said customers needed to remain vigilant about the risks posed by hackers.

"They have clearly compromised somebody's email and got access to contact details and signatures. It's quite sophisticated," he said.

Murphy said all affected customers had been alerted, and none had lost money.

Wednesday, November 12, 2014

BREACH: HSBC Turkey Confirms Card Breach via OSINT-X Newswires

HSBC Turkey confirms that a recent cyber-attack exposed payment card information for 2.7 million customers.

The bank is a subsidiary of London-based HSBC Group, which has operations worldwide in 74 countries and territories.

Information compromised in the breach includes debit and credit cardholder names, account numbers and expiration dates. The bank says that, so far, it has not seen any evidence of fraud or other suspicious activity arising from the incident.

HSBC Turkey detected the attack in the past week through its internal security controls, according to an FAQ. The attack was limited to Turkey, and all card operations have been restored to normal functioning, the bank says. No other details about the nature of the incident were revealed.

Many companies infected and they don't even realize it

SLC Security Services has been performing analysis of malware infections as detected by Internet honeypots, threat data (From other vendors) and our own honeypot infrastructure. What has come to light is pretty incredible.

Upon importing the logs from these sources and pivoting off of known malware MD5 hashes, Domain and IP Information and Whois we discovered that many of the top 500 companies are infected with Malware and do not even know it.

We have seen infections at major defense contractors, utilities, Government, Schools and home users networks. Many times the organizations are not even aware that they have been compromised.

We have thought about releasing the information but what good would it do? These companies ignore notifications because if they don't know about it they feel that they can claim ignorance. Some of these same entities are ones that we have reported on previously.

We can tell you this. There are 41 hospitals, 5 government sites, 95 us corporations, 17 banks and 34 retailers in the list and about 1250 users (give or take 50).

Fun fun fun!!!

BREACH: US weather systems hacked by Chinese: Report via OSINT-X Newswires

The Washington Post is saying China hackers have breached a U.S. weather network, with CNBC's Eamon Javers.

This story is developing. Please check back for further updates.

Chinese hackers allegedly broke into U.S. weather systems in September, The Washington Post reported.

Federal cybersecurity forces had to seal off sensitive data on disaster planning and more in response to the hack, officials told the Post. The report indicated that officials did not acknowledge the attack until October, when the National Oceanic and Atmospheric Administration said it was undergoing "unscheduled maintenance."

BREACH: City and Industrial Development Corporation's (CIDCO)

The personal records of about 85,000 applicants to the City and Industrial Development Corporation's (CIDCO) housing scheme have inadvertently been made public by the government establishment. Details such as residential address, mobile number, Permanent Account Number (PAN), bank account number, Indian Financial System Code (IFSC) information related to their bank accounts and birth records are freely available on the CIDCO website.

While officials at the corporation were unsure when the data became accessible to the public, a review of the application process to the housing scheme reveals that forms were made available in August this year and entries were closed on September 19, after which the information received was collated.


Type: Financial
Area: Government
First Noted: 12 Nov 2014
Location:
Various
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

BREACH: Eastern Iowa Airport

The Eastern Iowa Airport recently learned of a security incident involving credit and debit card data collected at the Airport Parking Facilities between September 29 and October 29, 2014.

Customers who utilized the public parking facility at the Airport could have had their credit card information compromised.

More Details:
http://www.cbs2iowa.com/news/features/top-stories/stories/creditdebit-card-breach-at-e-iowa-airport-31717.shtml



Type: Aviation
Area: Aviation
First Noted: 12 Nov 2014
Location:
Various
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

BREACH: USPS (Updated 11-11-2014 4:22PM EST)

USPS is reporting that employee data and now customer data, has been compromised. 


Major news articles started reporting on the issue earlier this morning. It appears as though over 500,000 employees may be affected. We are working to find out if this includes contractor information or is limited to actual USPS employees.

Update @16:22 ET 11-11-2014
VulnerableDisclosures received information indicating that the VPN services for USPS have been taken offline and it is believed to be the attack vector that allowed hackers into the USPS network. 

Update @21:02 ET, 2014
Additional information is now indicating that the actual number may be higher than the original report of 3 million. We are monitoring the situation. 

Update @15:19 ET, 2014

In a report by CNN, it now appears that the information of 2.9 million Postal Service customers may have been compromised as well.

 

Update @14:29 ET, 2014

It appears that the US Congressional Committee on Oversight and Government reform is paying close attention to this breach.

Earlier this morning, the ranking minority member, the Honorable Elijah E. Cummings, sent an email to the USPS Postmaster General/CEO, Mr. Patrick R. Donahoe requesting additional information regarding the breach be provided to the committee.

It appears that this breach may have been discovered in early-to-mid October 2014 whereupon Postal Service officials provided fulsome briefings to this same committee.

Webster's Dictionary notes that "fulsome" is an adjective meaning "of large size or quantity; generous or abundant", as in "a fulsome harvest".

This begs the question "How long did the actors have access to USPS information systems which would allow them " a fulsome harvest" ??

One of the requests made in this letter to USPS Postmaster General Donahoe was that [the USPS] provide "the findings from forensic investigative analyses or reports concerning the breaches, including findings about vulnerabilities to malware, the use of data segmentation to protect PII (Personally Identifiable Information) and why the breach went undetected for the length of time it did...."


We will update this threat as additional information becomes known.

As of 10:00ET, Nov 11th, 2014
Hackers have breached US Postal Service networks, leading to a significant data breach.
The US Postal Service said on Monday the break-in was discovered in mid-September, according to the Washington Post. Although officials are said to have declined to comment on who they thought was responsible, hackers associated with the Chinese government are thought to be high on the list.

Data of more than 800,000 employees has been compromised. That data includes names, dates of birth, Social Security numbers, and addresses were taken in the attack.
No customer data was taken, the US Postal Service said.

According to a USPS spokesperson who spoke to the Post, the attack was led by a "sophisticated actor that appears not to be interested in identity theft or credit card fraud."
That points the finger at a state actor rather than a lone-wolf or hacker group interested in financial gains.

It comes as President Obama meets with his Chinese premier counterpart, President Xi Jinping, for discussions into cybersecurity, among other things.

China has over the years consistently denied it has attacked US networks. When the Edward Snowden revelations landed in mid-2013, it gave Beijing an advantage to defend itself, in the wake of the disclosure of the US government's massive global surveillance operations.
As employees were notified on Monday, the FBI continues to lead the investigation into the US Postal Service data breach.



Tuesday, November 11, 2014

It's Quiet... You should be worried

We are seeing some indicators of some serious malware distribution today. We are starting to see compromised servers popping up all over the US from our partner feeds. We started seeing indicators of a problem yesterday. This may or may not be related to the DarkHotel activity that we have been observing.

We can tell you that we are seeing activity from 85.52.165.157 that is quite suspicious.

Here is the timeline that we have observed so far today from this IP:

8:33AM EST: Host observed at customer site outbound traffic from an internal network. Attempted to connect on port 8080 to 85.52.165.157. When that traffic failed the traffic switched to port 80 and was allowed. Upon looking at the packets we determined that it was a string saying "IMHERE" with another string showing the public IP of the infected host.

8:43AM EST: Host observed with same activity

8:45AM EST: Firewall at organization starts seeing activity from 85.52.165.157 with encoded strings with destination of the public IP of the infected host.

8:51AM EST: Forensics of infected machine started.

9:55AM EST: Submitted binary samples to virustotal and noted 2 detections but no previous reports on this binary.

10:00AM EST: MD5 added to SLC Security Feeds and distributed to clients.

16:04PM EST: Reports started coming in from 92 sensors indicating infections are widespread at customer locations to include Government, Private Entities, Healthcare Entities, Regulated Clients, Covered Entities, Private Individuals (through our SLC Client) and 2 captures indicating DOD source traffic (NIPRNET). We are also seeing reports from some AV vendors of increased activity from this same network.

Looking at the history it may be a good idea to block the orange network identified by RIPE until an alternative or better detection can be realized.

MD5: bb8b6562d6723b04117762e375f3fd2b

Additional Host Involved: 89.137.17.19

Monday, November 10, 2014

Applebee's Quietly Disabling Wifi Payment System?

Just this week we were advised that 2 of our local Applebee's no longer allowed customers to pay via the tableside tablet system that has been in place well over a year. It appears as though the retailer may be concerned about the security of the system after many highly publicized breaches. We have confirmed 3 of the 4 locations we checked indicated that the system no longer works.

If any researchers have any insight into what prompted this we would be interested in working with you.

BREACH: Grand Casino Mille Lacs via OSINT-X Newswires (WCCO)

Update 11-11-2014 @ 10:00AM ET:
Grand Casino Mille Lacs has posted a website notice and has a toll-free phone number - 866-328-1987 - for customers with questions.

 --

The Grand Casino Mille Lacs says approximately 1,600 card transactions were accessed by an unauthorized person and used for fraudulent transactions.

After finding out on Sept. 15, 2014, the casino says it immediately engaged a leading forensic investigation firm that determined that malware was used to access certain payment card transactions at the Onamia location between April 24 and Oct. 9 of 2014.

The information accessed includes customer names, payment card numbers and card expiration dates.

Customers who used cards at the casino between the dates mentioned and see a fraudulent charge on their card should immediately contact their financial institution.

“Security and privacy are extremely important to Grand Casino Mille Lacs and we deeply regret any inconvenience this may cause. In order to help prevent something like this from occurring again, Grand Casino Mille Lacs continues to work closely with the forensic investigation firm to implement additional security measures,” the casino said in a statement.

Don't change your IP camera passwords, end up an Internet star

A website finds and displays web camera's that have not had the default passwords changed.

Hosted out of Russia... Who knew?

http://www.insecam.com/

Might be a good idea to check your security camera's huh?!


Sunday, November 9, 2014

BREACH: Wyoming State Library

The Wyoming State Library said its statewide online catalog was breached last month by unknown hackers, but no sensitive personal data was compromised.

The breach was discovered after library security detected unusual activity, state librarian Lesley Boughton said.

Friday, November 7, 2014

BREACH: Idaho Supreme Court (Website Defacement)

State officials learned at about 12:15 p.m. Thursday that the website hosting court opinions, jury information and other resources for Idaho's legal system had been hacked.

The Department of Administration, which runs the server that the website is on, took the page down until it could be fixed, according to Linda Trout, interim administrative director of the courts. The site was functioning again by Thursday evening.

...

Read Full Article

NEWS: FBI Seized Darknet Sites

List of Darknet sites that were seized or taken offline.

Silkroad 2.0
Agora
Alpaca
Blackmarket
BlueSky
Cloud Nine
Hydra
OnionShop
OutLaw
Pandora
The Hub

Related: Krebs on Security

Microsoft has 16 Patches in the Queue for Next Week

All you Micro$oft users be aware a large update is coming next week. Corporate customers can expect the patches Sunday evening or Monday and other users can expect the Windows Updates on Tuesday. Just giving you a heads up.

Thursday, November 6, 2014

Quotes and Comments - Your news our way

Protecting the Perimeter From the Cloud - Why not fight fire with fire?

Why Ebola Makes HIPAA Training Urgent - We thought HIPAA training was a requirement to protect your organization. It should have been and should remain urgent. 

Hackers and how to protect yourself from them - Unplug, move to Montana and get yourself a tin foil hat!

4 Ways to Avoid Malicious Links on Social Media - Actually your wrong sir. The 1 way to stop malicious links on social media is to stop using social media. Who knew?

Can anti-hacker insurance cut cybercrime? - Can car insurance stop vehicle accidents? Didn't think so!

Are remote workers a security risk to company data? - Every worker is a security risk to company data. How many audits and investigations have you all completed lately?

Chinese hackers targeting Apple devices - Well that makes sense they built the damn things

Apple malware targeted at Chinese users lets hackers 'crack the hard shell of iPhone security' - Hell all they had to do was drop it on concrete. They are easy to crack!

That's all for today folks! Happy Friday to you all. Have a great weekend!

Quotes and Comments - Your news our way

NSA Director Says Agency Shares Vast Majority of Bugs it Finds: Yeah they share them 10 years after they find them and exploit them. They share them AFTER they use them to steal your data!

Users can't tell Facebook from a scam: Isn't Facebook itself a scam?

Security for the Cloud and on the Cloud: Who the hell are you kidding. Cloud by design is insecure. It's the data you have to secure not the damn cloud you idiots!

Be Ready: Next Internet Bug Won’t Be The Last: Well that's an intelligent headline. Tell us something we don't already know!

IBM Rolls Out Hybrid Cloud Security: Well that will go the way of OS2Warp for sure. Those guys couldn't sell water in a desert. It's all good just make sure you wear a white shirt and a black tie!

Well that's all for today. Now back to the analytics that will be running for the next 18 hours... Have a great day everybody! - Raptor

Leveraging Hadoop for Security Analysis in Networks

I have been trying to stay active on the blog but as you all can tell we have become somewhat busy over the past few weeks. This is to be expected when we are in a predictive mode instead of a reactive one. Earlier tonight I was showing another security engineer how we can pull various data points into our hadoop cluster and analyze things quicker and more efficiently than we can on a single computer. Over the past 5 years I have built cloud environments for many purposes some of which ended up being long term solutions and some of which went away when administrators realized that operating a cloud requires a specific set of skills and the right people in the right places. A single person can maintain a cloud computing environment with the right software management in place but the work can be consuming until you automate everything.

As part of our business model the cloud is an integral part of what we do. From collecting news and intelligence information for analysis, to running batch jobs to do task that would take a security engineer hour upon hour to complete manually, the cloud makes life easier. There are some tradeoffs when utilizing the cloud as you have to fully understand what each piece of software does and how they interact with one another to get a job to a completed state.

So why this article? Because as security engineers you can't possibly look at all the data in an enterprise. You can however build watch list in a cloud to notify you when certain content is being ingested into the system. This saves the engineers time. Here's an example. Say a new malware variant comes on the scene and you want to analyze how many machines are infected with the malware. You will need a few things to get the task done in a reasonable time frame. Doing task manually make take weeks or even months but leveraging hadoop, solr, cassandra, hive, pig, etc, etc. you can do these same task in under a day. I like to let the cloud work while I sleep. I wake up feeling somewhat productive if the task are completed when I start my work day. But let's get back to our example. In order to find that elusive new malware variant you need some things. Let me list them out.

Computing Power (CPU's) - Processing Gigabytes or Petabytes of data requires heavy usage of CPU's. By leveraging multicore CPU's in a cluster of machines you eliminate this problem.

Memory (RAM) - You have to have memory. Things are read and written much quicker in memory than on disc drives (think solid state drives here). If you can afford them put SSD's in your cloud. Your batch jobs will thank you.

Disc Space - You have to have the space to store things. If you can't store the Petabytes of data you can't analyze it either. You need a place to store your vectors, configurations, investigative files, etc.

Vectors - You have to have points of data to work with. In our malware example let's say we will use the MD5 hashes of the malware to detect it. That's a vector of identification. Once we identify it we need to process it.

Scripts, Parsers, Libraries and such - You have to have a consistent,  and standardized way of doing things so your jobs are repeatable. You want predictable results without error. You will use a multitude of scripts, mapreduce jobs, indexes (to speed searches and queries), and parsers to find what your looking for.

Now that we have found the malware on the network what do we do with it. One of the most likely things you will do with a cloud is build statistics. In this case we want to build a list of infected IP addresses and domain names so we know what entity is infected so we can report on it (probably on a blog such as this one). However we don't want to sit and sift through Petabytes of data so we write our process out in mapreduce or some other language and let it work while we sleep.

Live Streaming Data - In order to find malware infections in near real time we need to have near real time data. Products such as sqoop and flume help in this regard. So we pull in things such as network pcaps, honeypot logs, malware submission reports, etc, etc.

So using all these various tools and data points we begin collecting statistics but that's not all we have to do. We want to identify the IP address or domain owners so we can notify them (just like we do when a patients information get's released to the public). We have to know whom to notify so it's imperative to identify.

Tracking - Once you have the information in hand you now need a way to track the outcome of your notifications. This is where old technology such as a pen and paper, an electronic notebook or hell maybe even one of those fancy trouble ticketing systems would work.

In order to make it in this fast moving world you have to do things quicker, more accurate and get the information out there before your competition. This is what a cloud does for us and what it could do for your organization.

Happy Hadooping!

About the author: Kevin Wetzel has been a leading researcher and cloud engineer since 2006. He has worked for various organizations to include the Department of Defense, Department of Homeland Security, various Health Care and Insurance organizations, business owners and politicians as well as private parties. Mr. Wetzel is a fan of cloud computing to make business processes run more efficiently. SLC Security Services LLC relies heavily on this type of technology in many of our services and products. Cloud computing can mean the difference between just getting the job done and getting the job done efficiently and before your competition. Kevin is a CCHA (yeah I got the certification before they changed it to CCAH), a licensed Investigator and Counterintelligence Specialist with SLC Security Services LLC. For more information on SLC Security you can visit the company website at www.slcsecurity.com.


Wednesday, November 5, 2014

The Latest Hacking Craze - Old Attacks - New Technology

SLC Security provides an SDR course for beginners. What is an SDR you ask? SDR stands for "software defined radio". No longer is it the craze to go and buy or construct a tinfoil hat in 2014. In fact even if you did there are still ways to pickup very tiny signals, in much larger signals (trace signals) that used to be nearly impossible. OK, OK enough of the rambling.

One vector we are starting to see from hackers is definitely old technology. Remember TEMPEST? Well if you don't know anything about it, let me just say it's the unintentional transmission of signals from devices that are not properly shielded. Or in some cases that can't be shielded due to their design.

Everything with electrical energy passing through it has some sort of emission. Some devices such as transmitters are designed to emit this RF energy, some things like your computer monitor or your USB keyboard are not (but they do). Utilizing $20 USD in equipment it is possible to capture keystrokes and recover the text being typed at around 85% accuracy. It's possible to get about 80% of your monitors pixels also from the same methods and while the picture may be fuzzy it is somewhat readable.

Don't believe me? Well you don't have to. Here's something you can play with if you have a monitor and an AM radio. That's right your computer monitor likes to transmit AM radio...

Download "Tempest for Eliza" and give it a shot. I think you will have some fun with it. Then when your done call us and we can show you how we can recover your works screens during an audit from 21 feet away, through a wall from a parking lot, another floor, etc, etc. Oh and don't get us started on some of the lovely Cisco equipment out there that is inexpensive. That wireless router is leaking like you wouldn't believe (and not on the intended frequencies either).

We have so much fun doing our jobs. It's nice to take a break and get silly from time to time.

SLC Security Services LLC is licensed for Counterintelligence Service in the State of North Carolina. We operate in all 50 states and are available for TSCM related sweeps and consulting, RF engineering and Satcom Engineering work. Call (919)441-7353 and request to talk to a TSCM tech.

Over 1000 Backoff Malware Infected Machines in the US, 2500 in Europe

Researchers at SLC Security Services LLC have been able to identify over 3500 positive infections utilizing 3 variants of the Backoff malware over the past 30 days. By capturing data over networks and comparing against known MD5 hashes we can first detect the infection. Then the infected host will start making DNS request to Google DNS servers (8.8.8.8) and then the encrypted data stream we feel as though our detection methods are accurate.

One of the interesting things to note is that of the affected hosts we published earlier this month nearly half of their networks are still sending data through 8 hub locations in which we were able to analyze traffic through one of our business partners that is a major Internet Service Provider in North America. We created and were able to get our partners to run a set of 10 snort signatures that we provided as well as a customized program to capture binary streams off the wire to analyze them for known MD5 matches without storing the data.

It seems that the vendors and corporations affected either do not have adequate detection in place or have failed to lock down their networks sufficiently to protect the infrastructure. In one case we even found a misconfigured POS system sending dns request to 1.1.1.1 in encapsulated P2P traffic which was very unusual.

If you are a vendor or operate a POS system and require an audit call us. We have more experience dealing with malware than some of the largest antivirus firms. To protect your point of sales equipment from allowing this type of activity we recommend hardware based firewall network interface cards from Intel and our OS level shim to protect the POS hardware and our X-Gateway Hardware Firewall to detect and alert you to any activity and manage your Intel cards, Switches, Firewalls and IDS/IPS systems. The X-Gateway will provide customized rule sets, ACL's and Firewall Rules for all of your network devices and allow management from a single web based interface. Our Compliance Framework ensures that you will pass your audit, the first time!

Trust the leaders in this space and find out why 98% of our clients pass their audits after initiating our security model.

SLC Security Services LLC can be reached at (919)441-7353 or www.slcsecurity.com.