A recent review of data from some recent botnet activity indicates that as many as 62% of known medical or medically related websites are vulnerable to compromise. This is troubling, and many of the vulnerabilities are common ones that botnets exploit widely. The ONLY thing keeping the information on these systems safe is that medical records are not being stored on the same servers as the web-facing services. Where trust relationships exist between these web servers and the systems that house those records, attackers could already be snooping.
What is even worse is that many of the companies that provide medical hosting have poor to dismal records of protecting data and poor website reputations. Host on Amazon and you will be a target. AWS (Amazon Web Services) is known to be lax in the security realm: thousands of attacks annually are traced back to Amazon, and they do little to nothing to prevent customers from attacking others. In their complacency they are almost as guilty as the hackers themselves. New Dream Network is another large offender, as is HostGator (although HostGator has become better at catching malicious activity than in the past). Most web providers fail to prevent abuse and only act after multiple notices. Why not protect customers before the malicious activity even starts? Please comment and tell us; we are perplexed here.
The purpose of this page is to provide awareness to individuals and organizations that are leaking their own information and the information of their customers. The entities listed on this site are verified to be leaking personal information, sometimes without the company even being aware of it. SLC Security is now owned and operated by Jigsaw Security Enterprise. The transition is currently in process, and as such this blog will eventually be taken offline and merged with Jigsaw Security resources.
Sunday, November 30, 2014
Thursday, November 27, 2014
CRITICAL ALERT: Hackers are just waiting on Cyber Monday...
SLC Security Services LLC is providing this alert in regards to the upcoming "Cyber Monday". We are seeing indicators that hackers are preparing for a large infiltration of websites and are poised to harvest your personal details at some major retailers on Monday.
With the release of some pretty hard to detect code on Thursday, and indications that over 500 sites have already been attacked, we really want to get the word out that the number of retail intrusions this upcoming Monday is expected to be extremely destructive to retailers.
Be on the lookout for inbox viruses. That's the biggest tip we can give you.
UPDATE: After much research we have noted a very large uptick in the number of messages being sent out of Romania. We have tracked over 25 different phishing campaigns impersonating sites such as Amazon and other retailers such as NoMoreRack. Be vigilant, folks. Every single one of these messages we have seen has led to a phishing site, and a few have had APT installers embedded in Java and some other nastiness.
Wednesday, November 26, 2014
SLC Staff are in the SOC... Monitoring the situation! ELEVATED PROTECTION LEVEL
Members of the security team at SLC Security are in the SOC.
ALERT: Violent agitators, shots fired, looting, bricks & rocks being thrown at police in multiple locations. Multiple fires. Law Enforcement helicopters monitoring from the air.
11:08PM EST: McDonalds and Walgreens both confirmed on fire.
11:09PM EST: 2 Vehicles, one passenger is shot
11:10PM EST: Beauty Salon and Strip Mall on fire
11:11PM EST: Additional confirmed fire at Walgreens
11:11PM EST: Confirmed live ammunition being deployed by demonstrators
11:12PM EST: Confirmed they are not blocking any media coverage, allowing media to go where they feel safe.
11:13PM EST: ToysRUs confirmed attacked by protesters
11:14PM EST: Highways being blocked to prevent additional people from joining the protest
11:15PM EST: Additional calls for help. Police advising they can only cover critical issues at this time. A business calls for additional assistance. Command post unsure of the name of the business.
11:16PM EST: Curves and Kathy's Kitchen confirmed looted.
11:17PM EST: Request for additional air units to ToysRUs.
11:18PM EST: I-44 shutdown due to protesters in roadway.
11:19PM EST: Sonic restaurant requesting assistance.
11:20PM EST: 1531 Lafayette check-in
11:22PM EST: Press starts releasing injury photos from Officer Wilson. Clearly visible swelling.
11:23PM EST: Second Building fire being reported. Occupants on the roof of the building.
11:25PM EST: Third Building fire reported.
11:26PM EST: Police reporting to storage building and Sonic locations.
11:27PM EST: Anonymous claims to have taken down Cleveland Ohio Police website after 12 year old shot by police. The 12 year old was shot because he drew a black toy gun from waistband as police arrived.
11:28PM EST: Continued peaceful protest being reported from New York City.
11:30PM EST: Storage building fire being reported. Fire Department attempting to respond.
11:33PM EST: Little Caesar's reported as a total loss.
11:34PM EST: Trooper 987 non responsive to radio request for location.
11:35PM EST: National Guard checks in.
11:36PM EST: 220 reports they are under heavy gunfire.
11:38PM EST: Shots reported. Shots at Fire Department personnel. Fire Department pulls out to a safe location.
11:39PM EST: Armed subjects behind Red's BBQ reported.
11:40PM EST: Still looking for Trooper 987. No response from Trooper. Ask Trooper to report in to a TOC and report status.
11:41PM EST: Fox 2 sends in security personnel to recover 2 reporters in trouble.
11:42PM EST: Still looking for Trooper 987's last known location. Stated that he was at the fire department.
11:46PM EST: O'Reilly's store being looted.
11:54PM EST: Additional backup being requested at Police Station
11:55PM EST: Dollar General officer requesting 1 in custody.
11:57PM EST: 200 subjects reported to be looting businesses in (unintelligible)
11:58PM EST: Emerson Complex people climbing walls
12:01AM EST: 200+ at Shop and Save looting
12:01AM EST: 60+70 personnel (reported armed) setting fires at Reds BBQ
12:02AM EST: Gunfire being reported by CNN but may be canisters exploding in Beauty Supply Shop
12:03AM EST: 110 Church St Ferguson City Hall subjects attempting to break into the building.
12:09AM EST: Over 100 cars reported at ToysRUS. Police told to leave as it is not safe.
12:11AM EST: Air units asked to report on police cars at ToysRUS. Air unit reports no police cars visible. They are requesting air unit keep looking.
12:13AM EST: Trooper 987 located and is safe.
12:21AM EST: Advance Auto Parts being looted at this time. Gunshots being reported.
12:21AM EST: Smoke coming from Beauty Supply place near the PD.
12:23AM EST: Country Club activity noted.
12:23AM EST: Ambulance requested at ToysRUS.
12:26AM EST: Ambulance refuses to respond to ToysRUS until secured.
12:30AM EST: Sam's Meat Market on fire.
12:33AM EST: Black truck with subject in back of the truck bed firing rounds. No additional information. Police are looking for the vehicle.
Suspending reporting at this time. Only major updates will be noted in this post.
BREACH: Xerox and Texas Health and Human Services Commission Dispute Leads to Breach Notification via OSINT-X Newswires
An ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, has led the state agency to report to federal authorities that the business associate was responsible for a data breach affecting 2 million individuals.
The dispute, which arose when the state ended its contract with Xerox, serves as an important reminder of the importance of preparing for the ending of relationships between covered entities and BAs by including specific details about data return or destruction in business associate agreements.
Despite the ongoing nature of the legal battle, the breach already has been added to the Department of Health and Human Services' "wall of shame" tally, which tracks breaches affecting 500 or more individuals since September 2009, when the HIPAA breach notification rule kicked in. The tally now includes 1,167 incidents affecting a total of nearly 41.3 million individuals. Business associates have been involved in approximately 25 percent of those incidents.
Stolen Cards Used on Charity Sites to Check Whether They Are Valid
We have seen several reports today and yesterday of stolen cards being tested by carders on charity sites. If you operate a charity website you may want to be on the lookout for fraud indicators. One thing to look for is $1.00 donations: a small charge is how a carder confirms that a stolen card is still live before using it elsewhere. We have seen several reports indicating that this type of activity is occurring.
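One way a charity site could spot this pattern in its own payment logs, as an added example (not code from this blog): the sample donation records, the card tokens and the thresholds are all constructed here, and the heuristic is simply "many distinct cards making small charges from one source in a short window".

```python
"""Flag card-testing patterns in charity donation records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, card token, amount, gateway result).
# Card tokens are hypothetical placeholders, not real card numbers.
SAMPLE_DONATIONS = [
    ("2014-11-25T10:00:01", "203.0.113.10", "tok_0001", 1.00, "approved"),
    ("2014-11-25T10:00:08", "203.0.113.10", "tok_0002", 1.00, "declined"),
    ("2014-11-25T10:00:15", "203.0.113.10", "tok_0003", 1.00, "approved"),
    ("2014-11-25T10:00:21", "203.0.113.10", "tok_0004", 1.00, "declined"),
    ("2014-11-25T10:00:30", "203.0.113.10", "tok_0005", 1.00, "approved"),
    ("2014-11-25T10:00:37", "203.0.113.10", "tok_0006", 1.00, "declined"),
    # A legitimate donor making one normal-sized gift.
    ("2014-11-25T10:05:00", "198.51.100.7", "tok_0100", 50.00, "approved"),
    # A legitimate small donor: the same card twice, hours apart.
    ("2014-11-25T08:00:00", "198.51.100.9", "tok_0200", 1.00, "approved"),
    ("2014-11-25T14:00:00", "198.51.100.9", "tok_0200", 1.00, "approved"),
]


def parse(record):
    """Turn one raw record into typed fields."""
    ts, ip, card, amount, result = record
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, card, float(amount), result


def find_card_testing(records, window=timedelta(minutes=10), small_amount=2.00,
                      min_events=5, min_distinct_cards=4):
    """Return {ip: summary} for source IPs whose small-dollar charges inside
    `window` used at least `min_distinct_cards` different cards.

    Many different cards from one source within minutes is the testing
    signature; one card giving $1 repeatedly over the day is not.
    """
    recent = defaultdict(deque)   # ip -> recent small charges (time, card, result)
    flagged = {}
    for ts, ip, card, amount, result in sorted(parse(r) for r in records):
        if amount > small_amount:
            continue              # only small "test" charges are of interest
        q = recent[ip]
        q.append((ts, card, result))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        cards = {c for _, c, _ in q}
        if len(q) >= min_events and len(cards) >= min_distinct_cards:
            flagged[ip] = {
                "events": len(q),
                "distinct_cards": len(cards),
                "declines": sum(1 for _, _, r in q if r == "declined"),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_card_testing(SAMPLE_DONATIONS).items():
        print(f"possible card testing from {ip}: {info}")
```

A high decline ratio in the flagged group is a second signal worth reviewing: a carder working through a list will see many of the cards fail.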
Monday, November 24, 2014
BREACH: City of Cleveland Police Website Hacked
Anonymous claims responsibility for the hacking of the Cleveland Police Website.
A group of hackers claimed responsibility Monday for shutting down the city of Cleveland's websites after police killed a 12-year-old boy over the weekend.
Thursday, November 20, 2014
General Mills has 3 Compromised Hosts
A company of this size should be able to manage its security infrastructure; however, 3 of their machines have shown up on our blacklist as performing malicious activity against other organizations. As such we have added these systems to our blocklist. Customers are already dropping traffic from the 3 IP addresses in question.
146.217.15.254
146.217.15.253
146.217.5.189
Thought you all might like to know...
GPS Tracker Vulnerability
During some research this week we tested several GPS trackers that offer Bluetooth, and we made an interesting discovery. All of the GPS trackers use AT&T or T-Mobile for the service-side reporting of location data so they can be tracked remotely. Upon testing some of the devices with Kali Linux and a Bluetooth dongle, we were able to pull the GPS position off the Bluetooth side of the devices, with the passcode "1234" as the pairing key.
While this is not really an issue for the devices' primary function, it should be noted that through the Bluetooth chipset you can verify whether a device is nearby, and some even allowed outbound voice calls from the telephone number of the GPS SIM card. Also, when texted, we were able to get some of them to reply with the GPS location of the device.
Just letting you know, if you use GPS trackers make sure you disable the bluetooth if the device supports it!
1.5 Million Passwords Floated for Sale
SLC Security Services LLC has been made aware of a new password list being put up for sale on the darknet. The password file consists of major service accounts at Gmail, Yahoo, Facebook, LinkedIn and several other large sites, as well as some universities and public access locations.
It appears as though the information was collected either on Tor or some sort of proxy due to the format that we observed. We verified that the information is new and is not on any of the existing previously disclosed dumps.
EMAIL ISSUES: Texas A&M University-Kingsville
For the past few weeks, a phishing e-mail has had success in catching people’s information, causing it to circulate further throughout the school, said Bob Paulson, chief information officer of iTech.
“Other systems start rejecting our e-mail because they think it’s bad,” Paulson said. “What ends up happening is that when someone tries to send a message, it might get rejected, and you may never know if it sent, depending on the system (that rejected it).”
It’s only been a faculty-side issue so far. Although there are no reports of a student e-mail being compromised, that doesn’t mean it couldn’t happen, Paulson said.
“If the student replied to a phishing e-mail, if they gave their information away, then the same thing could happen to them. I have not heard of that yet, but there’s no reason it couldn’t happen,” Paulson said.
BOTNET Wall of Shame 11-20-2014
11-20-2014,50.193.61.78,Comcast Cable Communications Holdings, Inc
11-20-2014,54.68.211.27,Amazon Technologies Inc.
11-20-2014,67.222.114.236,Transwave Communications Systems, Inc.
11-20-2014,72.182.33.119,Time Warner Cable Internet LLC
11-20-2014,98.223.50.225,Comcast Cable Communications, Inc.
Monday, November 17, 2014
BOTNET Wall of Shame
11-17-2014,71.43.89.74,Time Warner Cable Internet LLC
11-17-2014,70.154.153.120,BellSouth.net Inc.
Sunday, November 16, 2014
SLC Security Services LLC OSINT system attacked by botnet
We want to send out a personal thank you to the operators of this particular botnet for allowing us the opportunity to map out all the hosts that were part of your campaign. You see, it takes us a long time to find compromised hosts so we can protect our clients, but this type of activity makes it easy for us to collect our intelligence.
In addition, it was very nice of you to identify one of our customer's issues for us. Security is not 100%, but we definitely appreciate the help. Starting at 9:00PM EST on 11-15-2014 we started seeing an influx in the number of failed logins to several of our systems. Within minutes our mining operation had collected over 7000 endpoint IP addresses and added them to our paid blacklist product. Over the next 3 hours, over 100 organizations that have purchased or operate our devices and software were updated with intelligence that will now allow them to protect themselves.
Thanks guys... The whole purpose of open source is to collect this type of information so you actually gave us a great amount of data that is invaluable to our organization. Have a great week!
No systems were compromised and the attackers were blacklisted after the third attempt to login. Also it's funny seeing usernames come in during our two factor authentication process. This helps us to collect the data more easily as it was logged. This was truly awesome!
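The "blacklist after the third failed login" behaviour described above, as an added example that is not the blog's own tooling: it parses constructed log lines in a made-up auth format, blocks a source on its third failure, keeps the usernames each source tried (the post notes those were logged), and renders the result in the date,ip form the Wall of Shame posts use.

```python
"""Build a block list from failed-login log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical "auth" format; not the blog's real logs.
SAMPLE_AUTH_LOG = """\
2014-11-15T21:00:01 auth FAILED user=admin src=192.0.2.5
2014-11-15T21:00:02 auth FAILED user=root src=192.0.2.5
2014-11-15T21:00:02 auth OK user=alice src=198.51.100.4
2014-11-15T21:00:03 auth FAILED user=test src=192.0.2.5
2014-11-15T21:00:04 auth FAILED user=admin src=192.0.2.5
2014-11-15T21:00:05 auth FAILED user=oracle src=203.0.113.77
2014-11-15T21:00:07 auth FAILED user=oracle src=203.0.113.77
2014-11-15T21:00:09 auth FAILED user=bob src=198.51.100.4
this line is garbage and must not break the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

MAX_FAILURES = 3   # block on the third failed attempt, as the post describes


def build_blocklist(log_text, max_failures=MAX_FAILURES):
    """Return (blocked, usernames).

    blocked   maps source IP -> timestamp of the failure that triggered the block.
    usernames maps source IP -> usernames it tried, in order, before being blocked.
    Lines from an already-blocked source are ignored, since a firewall drop
    would stop them from reaching the login service at all.
    """
    failures = defaultdict(int)
    usernames = defaultdict(list)
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # unparseable line: skip it rather than crash
        src = m["src"]
        if src in blocked:
            continue
        if m["user"] not in usernames[src]:
            usernames[src].append(m["user"])
        if m["result"] == "FAILED":
            failures[src] += 1
            if failures[src] >= max_failures:
                blocked[src] = m["ts"]
    return blocked, dict(usernames)


def blocklist_lines(blocked):
    """Render block decisions as MM-DD-YYYY,ip lines, the format the Wall of Shame uses."""
    lines = []
    for ip, ts in sorted(blocked.items()):
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").strftime("%m-%d-%Y")
        lines.append(f"{day},{ip}")
    return lines


if __name__ == "__main__":
    blocked, tried = build_blocklist(SAMPLE_AUTH_LOG)
    for line in blocklist_lines(blocked):
        print(line)
    for ip, users in tried.items():
        print(f"{ip} tried usernames: {users}")
```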
BREACH: U.S. State Department Hacked - Unclass Network Shut Down via OSINT-X Newswires
Unclassified Email Network Shut Down For Security Reasons
The U.S. State Department has temporarily shut down its entire unclassified email network because of a suspected hacker attack. While no classified information appears to have been taken, officials told the Associated Press “activity of concern” was detected at around the same time a White House data breach was reported in October.
The email shutdown was part of a scheduled downtime meant to give technicians access to the system so they could make any necessary security updates. The unnamed official told the AP that the State Department's network is expected to be operating normally again when the updates are completed on Monday or Tuesday.
Friday, November 14, 2014
DHL the next to fall?
Remember when UPS stores started getting smacked, and how there was a delay in disclosure, which we reported right here? Today we are making a prediction, based on information we have seen over the past week, that DHL may be the next shipper to come out and disclose an issue.
We started seeing network issues earlier in the week, and with some preliminary research we are seeing activity similar to what was seen with UPS in the weeks leading up to their disclosure that they were compromised.
As these shipping companies have found out, it is very difficult to secure logistics networks that contain consumer, point of sale, logistics and transportation data, plus interfaces to the other organizations they need to share data with to conduct business.
Keep your eyes and ears open. Let's see how long it takes them to let us know they have a problem.
NOTICE: Virginia Polytechnic Institute and State Univ
Although it has not been publicly disclosed, we can tell you that we have data coming from this entity that is quite troubling. It looks like either a student's laptop or a server has been compromised and is being used to launch further attacks on other organizations.
Thought you all might like to know.
BOTNET Wall of Shame - This will be an ongoing feature of the blog
The following hosts were detected during our last review. These are the results from the first 100 entries in the list; there are over 7600 in the full list. We will put these out as we have time to review them.
Of interest here is activity coming from DoD Network Information Center and DFN Systems. Most of the other records are the ISP and not the organization but we will post the raw information as our honeypot sensors pick up the traffic.
Thursday, November 13, 2014
Entity Portal Coming Soon...
Honestly we are very tired of telling companies that they are infected, hosting malware or owned. What we are about to start doing is just posting the list of companies with the data attached so you can see for yourself what is being leaked. Why are we doing this? Because companies don't listen. We are looking at it this way. By automating the process we take out the human element. We will let our computers do the work for us and allow us to get back to what it is we want to do, which is auditing and securing companies that actually take their security posture seriously.
We have provided lists of companies in the past, and the media response is ridiculous and somewhat annoying. Everybody wants to jump on the big story, but nobody wants to do the work of correlating the data to find the companies in data that is publicly available. Add in some proprietary analytics and soon enough our software will paint a bleak picture of what is really going on. I'll be interested in seeing if companies actually do anything to fix the issues or if they will just keep ignoring it, like what has been happening.
Is it wrong to use analytics to correlate the data to point at the individual entities involved? This data is already out there in the public, so I don't see an issue with it. And whois data is public data, so if you're responsible for the IP blocks in question you should be doing something to prevent the issue. Sending out notifications is time consuming at best. We are just gonna start blasting you with data and let you all make your own determinations... We will just point to the original sources so you don't think we are storing the data on our systems; lord knows we don't wanna create another incident. Even though we could just take the route of the world and just ignore it!
Buckle up folks, shit's about to get interesting...
Botnet List - PENDING
Later this week we will post a list of organizations that have been identified as having machines that are actively part of a larger botnet. The botnet is related to Japan and we are seeing the number of machines impacted growing.
Keep your eyes and ears open. This one is gonna be nasty. China may be getting the blame, but Japan holds the keys to the castle... Utilizing open source tools and cloud computing nodes to find companies that fail to disclose breaches - that's what we do!
BREACH: Anthem Blue Cross Data Breach
This is not news to us but we are glad they finally disclosed it. Now if the other 2 Blue Cross locations would do the same we would feel like some of these entities would finally come clean.
Earlier in the month we started detecting information pointing to a problem at BCBS. They would be smart to hire a firm with extensive monitoring capabilities, because guess what, folks?! They are still showing up on our blacklist....
Let's see how long it takes their "Forensics Experts" to contain this one...
Just to be nice let us tell you it would be a good idea for you guys to check your systems for bot activity. Our sensors are still seeing activity!
HACKING ACTIVITY: TSB Bank
Cyber-criminals are stealing signatures and personal details from hacked email accounts to try and dupe bank staff into releasing cash.
TSB Bank has posted a warning on its website after receiving an influx of fraudulent requests in the last week.
Chief executive Kevin Murphy said customers needed to remain vigilant about the risks posed by hackers.
"They have clearly compromised somebody's email and got access to contact details and signatures. It's quite sophisticated," he said.
Murphy said all affected customers had been alerted, and none had lost money.
Wednesday, November 12, 2014
BREACH: HSBC Turkey Confirms Card Breach via OSINT-X Newswires
HSBC Turkey confirms that a recent cyber-attack exposed payment card information for 2.7 million customers.
The bank is a subsidiary of London-based HSBC Group, which has operations worldwide in 74 countries and territories.
Information compromised in the breach includes debit and credit cardholder names, account numbers and expiration dates. The bank says that, so far, it has not seen any evidence of fraud or other suspicious activity arising from the incident.
HSBC Turkey detected the attack in the past week through its internal security controls, according to an FAQ. The attack was limited to Turkey, and all card operations have been restored to normal functioning, the bank says. No other details about the nature of the incident were revealed.
Many companies infected and they don't even realize it
SLC Security Services has been performing analysis of malware infections as detected by Internet honeypots, threat data (From other vendors) and our own honeypot infrastructure. What has come to light is pretty incredible.
Upon importing the logs from these sources and pivoting off of known malware MD5 hashes, Domain and IP Information and Whois we discovered that many of the top 500 companies are infected with Malware and do not even know it.
We have seen infections at major defense contractors, utilities, Government, Schools and home users networks. Many times the organizations are not even aware that they have been compromised.
We have thought about releasing the information but what good would it do? These companies ignore notifications because if they don't know about it they feel that they can claim ignorance. Some of these same entities are ones that we have reported on previously.
We can tell you this. There are 41 hospitals, 5 government sites, 95 US corporations, 17 banks and 34 retailers in the list and about 1250 users (give or take 50).
Fun fun fun!!!
BREACH: US weather systems hacked by Chinese: Report via OSINT-X Newswires
The Washington Post is saying China hackers have breached a U.S. weather network, with CNBC's Eamon Javers.
This story is developing. Please check back for further updates.
Chinese hackers allegedly broke into U.S. weather systems in September, The Washington Post reported.
Federal cybersecurity forces had to seal off sensitive data on disaster planning and more in response to the hack, officials told the Post. The report indicated that officials did not acknowledge the attack until October, when the National Oceanic and Atmospheric Administration said it was undergoing "unscheduled maintenance."
BREACH: City and Industrial Development Corporation's (CIDCO)
The personal records of about 85,000 applicants to the City and Industrial Development Corporation's (CIDCO) housing scheme have inadvertently been made public by the government establishment. Details such as residential address, mobile number, Permanent Account Number (PAN), bank account number, Indian Financial System Code (IFSC) information related to their bank accounts and birth records are freely available on the CIDCO website.
While officials at the corporation were unsure when the data became accessible to the public, a review of the application process to the housing scheme reveals that forms were made available in August this year and entries were closed on September 19, after which the information received was collated.
Type: Financial
Area: Government
First Noted: 12 Nov 2014
Location: Various
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)
BREACH: Eastern Iowa Airport
The Eastern Iowa Airport recently learned of a security incident involving credit and debit card data collected at the Airport Parking Facilities between September 29 and October 29, 2014.
Customers who utilized the public parking facility at the Airport could have had their credit card information compromised.
More Details:
http://www.cbs2iowa.com/news/features/top-stories/stories/creditdebit-card-breach-at-e-iowa-airport-31717.shtml
Type: Aviation
Area: Aviation
First Noted: 12 Nov 2014
Location: Various
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)
BREACH: USPS (Updated 11-11-2014 4:22PM EST)
USPS is reporting that employee data and now customer data, has been compromised.
Major news articles started reporting on the issue earlier this morning. It appears as though over 500,000 employees may be affected. We are working to find out if this includes contractor information or is limited to actual USPS employees.
Update @16:22 ET 11-11-2014
VulnerableDisclosures received information indicating that the VPN services for USPS have been taken offline and it is believed to be the attack vector that allowed hackers into the USPS network.
Update @21:02 ET, 2014
Additional information is now indicating that the actual number may be higher than the original report of 3 million. We are monitoring the situation.
Update @15:19 ET, 2014
In a report by CNN, it now appears that the information of 2.9 million Postal Service customers may have been compromised as well.
Update @14:29 ET, 2014
It appears that the US Congressional Committee on Oversight and Government Reform is paying close attention to this breach. Earlier this morning, the ranking minority member, the Honorable Elijah E. Cummings, sent an email to the USPS Postmaster General/CEO, Mr. Patrick R. Donahoe, requesting that additional information regarding the breach be provided to the committee.
It appears that this breach may have been discovered in early-to-mid October 2014 whereupon Postal Service officials provided fulsome briefings to this same committee.
Webster's Dictionary notes that "fulsome" is an adjective meaning "of large size or quantity; generous or abundant", as in "a fulsome harvest".
This begs the question: "How long did the actors have access to USPS information systems which would allow them 'a fulsome harvest'?"
One of the requests made in this letter to USPS Postmaster General Donahoe was that [the USPS] provide "the findings from forensic investigative analyses or reports concerning the breaches, including findings about vulnerabilities to malware, the use of data segmentation to protect PII (Personally Identifiable Information) and why the breach went undetected for the length of time it did...."
We will update this threat as additional information becomes known.
As of 10:00ET, Nov 11th, 2014
Hackers have breached US Postal Service networks, leading to a significant data breach.
The US Postal Service said on Monday the break-in was discovered in mid-September, according to the Washington Post. Although officials are said to have declined to comment on who they thought was responsible, hackers associated with the Chinese government are thought to be high on the list.
Data of more than 800,000 employees has been compromised. That data, including names, dates of birth, Social Security numbers, and addresses, was taken in the attack.
No customer data was taken, the US Postal Service said.
According to a USPS spokesperson who spoke to the Post, the attack was led by a "sophisticated actor that appears not to be interested in identity theft or credit card fraud."
That points the finger at a state actor rather than a lone-wolf or hacker group interested in financial gains.
It comes as President Obama meets with his Chinese premier counterpart, President Xi Jinping, for discussions into cybersecurity, among other things.
China has over the years consistently denied it has attacked US networks. When the Edward Snowden revelations landed in mid-2013, it gave Beijing an advantage to defend itself, in the wake of the disclosure of the US government's massive global surveillance operations.
As employees were notified on Monday, the FBI continues to lead the investigation into the US Postal Service data breach.
Tuesday, November 11, 2014
It's Quiet... You should be worried
We are seeing some indicators of some serious malware distribution today. We are starting to see compromised servers popping up all over the US from our partner feeds. We started seeing indicators of a problem yesterday. This may or may not be related to the DarkHotel activity that we have been observing.
We can tell you that we are seeing activity from 85.52.165.157 that is quite suspicious.
Here is the timeline that we have observed so far today from this IP:
8:33AM EST: Host observed at customer site outbound traffic from an internal network. Attempted to connect on port 8080 to 85.52.165.157. When that traffic failed the traffic switched to port 80 and was allowed. Upon looking at the packets we determined that it was a string saying "IMHERE" with another string showing the public IP of the infected host.
8:43AM EST: Host observed with same activity
8:45AM EST: Firewall at organization starts seeing activity from 85.52.165.157 with encoded strings with destination of the public IP of the infected host.
8:51AM EST: Forensics of infected machine started.
9:55AM EST: Submitted binary samples to virustotal and noted 2 detections but no previous reports on this binary.
10:00AM EST: MD5 added to SLC Security Feeds and distributed to clients.
16:04PM EST: Reports started coming in from 92 sensors indicating infections are widespread at customer locations to include Government, Private Entities, Healthcare Entities, Regulated Clients, Covered Entities, Private Individuals (through our SLC Client) and 2 captures indicating DOD source traffic (NIPRNET). We are also seeing reports from some AV vendors of increased activity from this same network.
Looking at the history it may be a good idea to block the orange network identified by RIPE until an alternative or better detection can be realized.
MD5: bb8b6562d6723b04117762e375f3fd2b
Additional Host Involved: 89.137.17.19
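The two behaviours the timeline describes (a beacon carrying the literal "IMHERE" plus the infected host's public IP, and a blocked port 8080 attempt immediately followed by an allowed port 80 connection to the same destination) can both be picked out of ordinary firewall or proxy logs. The following is an added example, not SLC's sensor code; the log format and every address other than 85.52.165.157 are constructed for illustration.

```python
"""Pull the IMHERE beacon and the 8080 -> 80 failover out of firewall logs.

Added example for the timeline above; not the blog's own tooling.
Constructed log format: <time> <src> <dst> <dport> <ALLOW|DENY> [payload]
The C2 address 85.52.165.157 and the "IMHERE" marker come from the post;
internal and public addresses are RFC 5737 test ranges (constructed).
"""
import re

SAMPLE_LOG = """\
08:33:01 10.1.2.44 85.52.165.157 8080 DENY
08:33:02 10.1.2.44 85.52.165.157 80 ALLOW IMHERE 203.0.113.77
08:43:10 10.1.2.44 85.52.165.157 8080 DENY
08:43:11 10.1.2.44 85.52.165.157 80 ALLOW IMHERE 203.0.113.77
08:45:00 85.52.165.157 203.0.113.77 80 ALLOW aGVsbG8gd29ybGQ=
09:00:00 10.1.2.50 198.51.100.9 80 ALLOW GET /index.html
09:01:00 10.1.2.51 198.51.100.9 8080 DENY
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<action>ALLOW|DENY)(?: (?P<payload>.*))?$"
)
# "IMHERE" followed by the dotted-quad the bot reports as its public address.
BEACON_RE = re.compile(r"\bIMHERE\b\s+(?P<public_ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse(log_text):
    """Turn raw log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        e["payload"] = e["payload"] or ""
        events.append(e)
    return events


def find_beacons(events):
    """Return (src, dst, claimed_public_ip) for every IMHERE check-in seen."""
    hits = []
    for e in events:
        m = BEACON_RE.search(e["payload"])
        if m:
            hits.append((e["src"], e["dst"], m.group("public_ip")))
    return hits


def find_port_failover(events, first=8080, fallback=80):
    """Flag a DENY on `first` followed by an ALLOW on `fallback` between the
    same source and destination, i.e. the 8080 -> 80 switch in the timeline."""
    pending = set()
    flagged = []
    for e in events:
        key = (e["src"], e["dst"])
        if e["dport"] == first and e["action"] == "DENY":
            pending.add(key)
        elif e["dport"] == fallback and e["action"] == "ALLOW" and key in pending:
            flagged.append(key)
            pending.discard(key)
    return flagged


def infected_hosts(log_text):
    """Internal hosts that both beaconed and showed the port failover."""
    events = parse(log_text)
    beaconers = {src for src, _, _ in find_beacons(events)}
    failover = {src for src, _ in find_port_failover(events)}
    return sorted(beaconers & failover)


if __name__ == "__main__":
    print("hosts to pull for forensics:", infected_hosts(SAMPLE_LOG))
```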
Monday, November 10, 2014
Applebee's Quietly Disabling Wifi Payment System?
Just this week we were advised that 2 of our local Applebee's no longer allowed customers to pay via the tableside tablet system that has been in place well over a year. It appears as though the retailer may be concerned about the security of the system after many highly publicized breaches. We have confirmed 3 of the 4 locations we checked indicated that the system no longer works.
If any researchers have any insight into what prompted this we would be interested in working with you.
BREACH: Grand Casino Mille Lacs via OSINT-X Newswires (WCCO)
Update 11-11-2014 @ 10:00AM ET:
Grand Casino Mille Lacs has posted a website notice and has a toll-free phone number - 866-328-1987 - for customers with questions.
--
The Grand Casino Mille Lacs says approximately 1,600 card transactions were accessed by an unauthorized person and used for fraudulent transactions.
After finding out on Sept. 15, 2014, the casino says it immediately engaged a leading forensic investigation firm that determined that malware was used to access certain payment card transactions at the Onamia location between April 24 and Oct. 9 of 2014.
The information accessed includes customer names, payment card numbers and card expiration dates.
Customers who used cards at the casino between the dates mentioned and see a fraudulent charge on their card should immediately contact their financial institution.
“Security and privacy are extremely important to Grand Casino Mille Lacs and we deeply regret any inconvenience this may cause. In order to help prevent something like this from occurring again, Grand Casino Mille Lacs continues to work closely with the forensic investigation firm to implement additional security measures,” the casino said in a statement.
Don't change your IP camera passwords, end up an Internet star
A website finds and displays web cameras that have not had their default passwords changed.
Hosted out of Russia... Who knew?
http://www.insecam.com/
Might be a good idea to check your security cameras, huh?!
Sunday, November 9, 2014
BREACH: Wyoming State Library
The Wyoming State Library said its statewide online catalog was breached last month by unknown hackers, but no sensitive personal data was compromised.
The breach was discovered after library security detected unusual activity, state librarian Lesley Boughton said.
Friday, November 7, 2014
BREACH: Idaho Supreme Court (Website Defacement)
State officials learned at about 12:15 p.m. Thursday that the website hosting court opinions, jury information and other resources for Idaho's legal system had been hacked.
The Department of Administration, which runs the server that the website is on, took the page down until it could be fixed, according to Linda Trout, interim administrative director of the courts. The site was functioning again by Thursday evening.
...
Read Full Article
NEWS: FBI Seized Darknet Sites
List of Darknet sites that were seized or taken offline.
Silkroad 2.0
Agora
Alpaca
Blackmarket
BlueSky
Cloud Nine
Hydra
OnionShop
OutLaw
Pandora
The Hub
Related: Krebs on Security
Microsoft has 16 Patches in the Queue for Next Week
All you Micro$oft users be aware a large update is coming next week. Corporate customers can expect the patches Sunday evening or Monday and other users can expect the Windows Updates on Tuesday. Just giving you a heads up.
Thursday, November 6, 2014
Quotes and Comments - Your news our way
Protecting the Perimeter From the Cloud - Why not fight fire with fire?
Why Ebola Makes HIPAA Training Urgent - We thought HIPAA training was a requirement to protect your organization. It should have been and should remain urgent.
Hackers and how to protect yourself from them - Unplug, move to Montana and get yourself a tin foil hat!
4 Ways to Avoid Malicious Links on Social Media - Actually you're wrong, sir. The 1 way to stop malicious links on social media is to stop using social media. Who knew?
Can anti-hacker insurance cut cybercrime? - Can car insurance stop vehicle accidents? Didn't think so!
Are remote workers a security risk to company data? - Every worker is a security risk to company data. How many audits and investigations have you all completed lately?
Chinese hackers targeting Apple devices - Well that makes sense they built the damn things
Apple malware targeted at Chinese users lets hackers 'crack the hard shell of iPhone security' - Hell all they had to do was drop it on concrete. They are easy to crack!
That's all for today folks! Happy Friday to you all. Have a great weekend!
Quotes and Comments - Your news our way
NSA Director Says Agency Shares Vast Majority of Bugs it Finds: Yeah they share them 10 years after they find them and exploit them. They share them AFTER they use them to steal your data!
Users can't tell Facebook from a scam: Isn't Facebook itself a scam?
Security for the Cloud and on the Cloud: Who the hell are you kidding. Cloud by design is insecure. It's the data you have to secure not the damn cloud you idiots!
Be Ready: Next Internet Bug Won’t Be The Last: Well that's an intelligent headline. Tell us something we don't already know!
IBM Rolls Out Hybrid Cloud Security: Well that will go the way of OS2Warp for sure. Those guys couldn't sell water in a desert. It's all good just make sure you wear a white shirt and a black tie!
Well that's all for today. Now back to the analytics that will be running for the next 18 hours... Have a great day everybody! - Raptor
Leveraging Hadoop for Security Analysis in Networks
I have been trying to stay active on the blog but as you all can tell we have become somewhat busy over the past few weeks. This is to be expected when we are in a predictive mode instead of a reactive one. Earlier tonight I was showing another security engineer how we can pull various data points into our Hadoop cluster and analyze things quicker and more efficiently than we can on a single computer. Over the past 5 years I have built cloud environments for many purposes, some of which ended up being long term solutions and some of which went away when administrators realized that operating a cloud requires a specific set of skills and the right people in the right places. A single person can maintain a cloud computing environment with the right software management in place, but the work can be consuming until you automate everything.
As part of our business model the cloud is an integral part of what we do. From collecting news and intelligence information for analysis, to running batch jobs to do tasks that would take a security engineer hour upon hour to complete manually, the cloud makes life easier. There are some tradeoffs when utilizing the cloud, as you have to fully understand what each piece of software does and how they interact with one another to get a job to a completed state.
So why this article? Because as security engineers you can't possibly look at all the data in an enterprise. You can however build watch lists in a cloud to notify you when certain content is being ingested into the system. This saves the engineers time. Here's an example. Say a new malware variant comes on the scene and you want to analyze how many machines are infected with the malware. You will need a few things to get the task done in a reasonable time frame. Doing tasks manually may take weeks or even months, but leveraging Hadoop, Solr, Cassandra, Hive, Pig, etc., you can do these same tasks in under a day. I like to let the cloud work while I sleep. I wake up feeling somewhat productive if the tasks are completed when I start my work day. But let's get back to our example. In order to find that elusive new malware variant you need some things. Let me list them out.
Computing Power (CPUs) - Processing gigabytes or petabytes of data requires heavy usage of CPUs. By leveraging multicore CPUs in a cluster of machines you eliminate this problem.
Memory (RAM) - You have to have memory. Things are read and written much quicker in memory than on disk drives (think solid state drives here). If you can afford them, put SSDs in your cloud. Your batch jobs will thank you.
Disk Space - You have to have the space to store things. If you can't store the petabytes of data you can't analyze it either. You need a place to store your vectors, configurations, investigative files, etc.
Vectors - You have to have points of data to work with. In our malware example let's say we will use the MD5 hashes of the malware to detect it. That's a vector of identification. Once we identify it we need to process it.
Scripts, Parsers, Libraries and such - You have to have a consistent and standardized way of doing things so your jobs are repeatable. You want predictable results without error. You will use a multitude of scripts, MapReduce jobs, indexes (to speed searches and queries), and parsers to find what you're looking for.
Now that we have found the malware on the network, what do we do with it? One of the most likely things you will do with a cloud is build statistics. In this case we want to build a list of infected IP addresses and domain names so we know what entity is infected and can report on it (probably on a blog such as this one). However we don't want to sit and sift through petabytes of data, so we write our process out in MapReduce or some other language and let it work while we sleep.
Live Streaming Data - In order to find malware infections in near real time we need to have near real time data. Products such as Sqoop and Flume help in this regard. So we pull in things such as network pcaps, honeypot logs, malware submission reports, etc.
So using all these various tools and data points we begin collecting statistics, but that's not all we have to do. We want to identify the IP address or domain owners so we can notify them (just like we do when a patient's information gets released to the public). We have to know whom to notify, so it's imperative to identify.
Tracking - Once you have the information in hand you now need a way to track the outcome of your notifications. This is where old technology such as a pen and paper, an electronic notebook or, hell, maybe even one of those fancy trouble ticketing systems would work.
In order to make it in this fast moving world you have to do things more quickly and more accurately and get the information out there before your competition. This is what a cloud does for us and what it could do for your organization.
Happy Hadooping!
About the author: Kevin Wetzel has been a leading researcher and cloud engineer since 2006. He has worked for various organizations, including the Department of Defense, Department of Homeland Security, various Health Care and Insurance organizations, business owners and politicians as well as private parties. Mr. Wetzel is a fan of cloud computing to make business processes run more efficiently. SLC Security Services LLC relies heavily on this type of technology in many of our services and products. Cloud computing can mean the difference between just getting the job done and getting the job done efficiently and before your competition. Kevin is a CCHA (yeah, I got the certification before they changed it to CCAH), a licensed Investigator and Counterintelligence Specialist with SLC Security Services LLC. For more information on SLC Security you can visit the company website at www.slcsecurity.com.
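The pivot described in both the "Many companies infected" post (matching known malware MD5s against honeypot and submission logs, then resolving IPs to their owners) and the article above (an MD5 watch list as the "vector", a MapReduce job that builds the infected-host statistics, owners identified for notification) fits the Hadoop Streaming model almost directly. Below is an added example, not SLC's own job: Hadoop Streaming feeds each task plain text on stdin and expects `key<TAB>value` lines back, so the mapper and reducer are written as line-in/line-out functions, and `run_locally()` fakes the shuffle/sort so it runs without a cluster. The hashes, addresses, domains and the whois-style owner table are all constructed sample data.

```python
"""MD5 watch-list pivot as a Hadoop Streaming-style map/reduce job.

Added example, not SLC's tooling. Usage with Hadoop Streaming would be
  -mapper "python job.py map" -reducer "python job.py reduce"
Everything below (hashes, IPs, domains, owners) is constructed sample data.
"""
import sys
from itertools import groupby

# Constructed watch list: MD5s of the "new variant" we are hunting for.
WATCHLIST = {
    "0123456789abcdef0123456789abcdef": "variant-A",
    "fedcba9876543210fedcba9876543210": "variant-B",
}

# Constructed stand-in for a whois / netblock lookup: prefix -> owner.
NETBLOCK_OWNER = {
    "203.0.113.": "Example Hospital (constructed)",
    "198.51.100.": "Example Bank (constructed)",
    "192.0.2.": "Example Retailer (constructed)",
}

# Constructed honeypot / sandbox submission log: <ts> <src_ip> <domain> <md5>
SAMPLE_INPUT = """\
2014-11-11T08:33:01Z 203.0.113.10 hospital.example 0123456789abcdef0123456789abcdef
2014-11-11T08:40:12Z 203.0.113.11 hospital.example 0123456789abcdef0123456789abcdef
2014-11-11T08:41:00Z 203.0.113.10 hospital.example 0123456789abcdef0123456789abcdef
2014-11-11T09:02:44Z 198.51.100.7 bank.example fedcba9876543210fedcba9876543210
2014-11-11T09:10:00Z 192.0.2.99 shop.example aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2014-11-11T09:11:00Z 192.0.2.5 shop.example 0123456789abcdef0123456789abcdef
"""


def owner_of(ip):
    """Longest-prefix style lookup against the constructed netblock table."""
    for prefix, owner in NETBLOCK_OWNER.items():
        if ip.startswith(prefix):
            return owner
    return "unknown"


def mapper(lines):
    """Emit 'owner<TAB>variant|ip|domain' for each watch-list hit; drop the rest."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record: skip rather than poison the job
        _ts, ip, domain, md5 = parts
        md5 = md5.lower()
        if md5 in WATCHLIST:
            yield f"{owner_of(ip)}\t{WATCHLIST[md5]}|{ip}|{domain}"


def reducer(sorted_lines):
    """One record per owner: unique-host count, variants, hosts, domains.
    Relies on the input being sorted by key, which Hadoop's shuffle guarantees."""
    keyed = (line.rstrip("\n").split("\t", 1) for line in sorted_lines)
    for owner, group in groupby(keyed, key=lambda kv: kv[0]):
        variants, ips, domains = set(), set(), set()
        for _, value in group:
            variant, ip, domain = value.split("|")
            variants.add(variant)
            ips.add(ip)
            domains.add(domain)
        yield "\t".join([owner, str(len(ips)), ",".join(sorted(variants)),
                         ",".join(sorted(ips)), ",".join(sorted(domains))])


def run_locally(text):
    """map -> sort (stand-in for the shuffle) -> reduce, as a dict keyed by owner.
    Values are (unique_hosts, variants, ips, domains)."""
    mapped = sorted(mapper(text.splitlines()))
    result = {}
    for line in reducer(mapped):
        owner, n, variants, ips, domains = line.split("\t")
        result[owner] = (int(n), variants.split(","), ips.split(","), domains.split(","))
    return result


if __name__ == "__main__":
    stage = sys.argv[1] if len(sys.argv) > 1 else "local"
    if stage == "map":
        sys.stdout.writelines(l + "\n" for l in mapper(sys.stdin))
    elif stage == "reduce":
        sys.stdout.writelines(l + "\n" for l in reducer(sys.stdin))
    else:
        for owner, (n, variants, _ips, _domains) in run_locally(SAMPLE_INPUT).items():
            print(f"{owner}: {n} infected host(s), variants {variants}")
```

The reducer output is already the notification list the article asks for: one line per owner to look up and contact, with the host count as the statistic to track.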
As part of our business model the cloud is an integral part of what we do. From collecting news and intelligence information for analysis, to running batch jobs to do task that would take a security engineer hour upon hour to complete manually, the cloud makes life easier. There are some tradeoffs when utilizing the cloud as you have to fully understand what each piece of software does and how they interact with one another to get a job to a completed state.
So why this article? Because as security engineers you can't possibly look at all the data in an enterprise. You can however build watch list in a cloud to notify you when certain content is being ingested into the system. This saves the engineers time. Here's an example. Say a new malware variant comes on the scene and you want to analyze how many machines are infected with the malware. You will need a few things to get the task done in a reasonable time frame. Doing task manually make take weeks or even months but leveraging hadoop, solr, cassandra, hive, pig, etc, etc. you can do these same task in under a day. I like to let the cloud work while I sleep. I wake up feeling somewhat productive if the task are completed when I start my work day. But let's get back to our example. In order to find that elusive new malware variant you need some things. Let me list them out.
Computing Power (CPU's) - Processing Gigabytes or Petabytes of data requires heavy usage of CPU's. By leveraging multicore CPU's in a cluster of machines you eliminate this problem.
Memory (RAM) - You have to have memory. Things are read and written much quicker in memory than on disc drives (think solid state drives here). If you can afford them put SSD's in your cloud. Your batch jobs will thank you.
Disc Space - You have to have the space to store things. If you can't store the Petabytes of data you can't analyze it either. You need a place to store your vectors, configurations, investigative files, etc.
Vectors - You have to have points of data to work with. In our malware example let's say we will use the MD5 hashes of the malware to detect it. That's a vector of identification. Once we identify it we need to process it.
Scripts, Parsers, Libraries and such - You have to have a consistent, and standardized way of doing things so your jobs are repeatable. You want predictable results without error. You will use a multitude of scripts, mapreduce jobs, indexes (to speed searches and queries), and parsers to find what your looking for.
Now that we have found the malware on the network, what do we do with it? One of the most likely things you will do with a cloud is build statistics. In this case we want to build a list of infected IP addresses and domain names so we know which entity is infected and can report on it (probably on a blog such as this one). However, we don't want to sit and sift through petabytes of data, so we write our process out in MapReduce or some other language and let it work while we sleep.
Live Streaming Data - In order to find malware infections in near real time we need to have near real time data. Products such as Sqoop and Flume help in this regard. So we pull in things such as network pcaps, honeypot logs, malware submission reports, etc.
So using all these various tools and data points we begin collecting statistics, but that's not all we have to do. We want to identify the IP address or domain owners so we can notify them (just like we do when a patient's information gets released to the public). We have to know whom to notify, so it's imperative to identify them.
Tracking - Once you have the information in hand you need a way to track the outcome of your notifications. This is where old technology such as pen and paper, an electronic notebook, or hell, maybe even one of those fancy trouble ticketing systems would work.
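Here is the whole pipeline from the list above as a worked example: an MD5 watchlist (the vector), a mapper and reducer written in the shape Hadoop Streaming expects (line in, tab-separated key and value out), a local stand-in for the shuffle so it runs without a cluster, the per-host statistics, and a tiny ledger for the tracking step. This is an added example, not code from the post or from SLC Security; the watchlist hashes are computed from constructed byte strings, the transfer log records and hostnames are constructed, and the record format (timestamp, source IP, domain, MD5) is an assumption.

```python
"""Hash-watchlist MapReduce job over a constructed transfer log (Hadoop Streaming style).

mapper()/reducer() follow the Hadoop Streaming contract so they could be plugged into a
streaming job; run_job() chains them with an in-memory shuffle so the example runs locally.
"""
import hashlib
from collections import defaultdict

# Vectors: an MD5 watchlist built from constructed payloads (NOT real malware hashes).
_SAMPLES = {
    "variant-a": b"constructed sample payload A",
    "variant-b": b"constructed sample payload B",
}
WATCHLIST = {hashlib.md5(blob).hexdigest(): name for name, blob in _SAMPLES.items()}


def _rec(ts, ip, domain, blob):
    """Build one constructed 'file seen on the wire' record: ts, src_ip, domain, md5."""
    return f"{ts}\t{ip}\t{domain}\t{hashlib.md5(blob).hexdigest()}"


# Live data stand-in: constructed records, including one malformed line the job must survive.
TRANSFER_LOG = [
    _rec("2014-11-20T01:00:00Z", "192.0.2.10", "example-clinic.test", _SAMPLES["variant-a"]),
    _rec("2014-11-20T01:05:00Z", "192.0.2.10", "example-clinic.test", _SAMPLES["variant-a"]),
    _rec("2014-11-20T01:07:00Z", "198.51.100.7", "example-retail.test", _SAMPLES["variant-b"]),
    _rec("2014-11-20T01:09:00Z", "203.0.113.5", "example-bank.test", b"benign document"),
    _rec("2014-11-20T01:11:00Z", "192.0.2.10", "example-clinic.test", _SAMPLES["variant-b"]),
    "garbled line without enough fields",
]


def mapper(line, watchlist=WATCHLIST):
    """Map step: emit ('src_ip<TAB>domain<TAB>variant', 1) for watchlist hits, nothing otherwise."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return []  # skip malformed records instead of failing the whole job
    _ts, src_ip, domain, md5 = parts
    variant = watchlist.get(md5.lower())
    if variant is None:
        return []
    return [(f"{src_ip}\t{domain}\t{variant}", 1)]


def reducer(key, counts):
    """Reduce step: sum hit counts for one (ip, domain, variant) key."""
    return key, sum(counts)


def run_job(lines, watchlist=WATCHLIST):
    """Local stand-in for the Hadoop shuffle: group mapper output by key, then reduce."""
    grouped = defaultdict(list)
    for line in lines:
        for key, value in mapper(line, watchlist):
            grouped[key].append(value)
    results = {}
    for key in sorted(grouped):
        k, total = reducer(key, grouped[key])
        src_ip, domain, variant = k.split("\t")
        results.setdefault((src_ip, domain), {})[variant] = total
    return results


def infection_report(stats):
    """The statistics the post talks about: one row per infected (ip, domain) with variant counts."""
    return [(ip, domain, dict(variants)) for (ip, domain), variants in sorted(stats.items())]


class NotificationLedger:
    """Tracking step: who was notified about which host and what the outcome was."""

    def __init__(self):
        self.entries = {}

    def open(self, ip, domain, contact):
        self.entries[(ip, domain)] = {"contact": contact, "status": "notified"}

    def close(self, ip, domain, outcome):
        self.entries[(ip, domain)]["status"] = outcome

    def outstanding(self):
        """Hosts notified but not yet resolved."""
        return sorted(k for k, v in self.entries.items() if v["status"] == "notified")


if __name__ == "__main__":
    for ip, domain, variants in infection_report(run_job(TRANSFER_LOG)):
        print(ip, domain, variants)
```

The benign record and the malformed line are deliberately in the input: a job over petabytes will meet both, and the mapper has to drop them without aborting the run. Swapping `run_job()` for a real Hadoop Streaming invocation changes only where the shuffle happens, not the mapper or reducer.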
In order to make it in this fast moving world you have to do things more quickly and more accurately, and get the information out there before your competition. This is what a cloud does for us and what it could do for your organization.
Happy Hadooping!
About the author: Kevin Wetzel has been a leading researcher and cloud engineer since 2006. He has worked for various organizations including the Department of Defense, the Department of Homeland Security, various health care and insurance organizations, business owners and politicians, as well as private parties. Mr. Wetzel is a fan of cloud computing to make business processes run more efficiently. SLC Security Services LLC relies heavily on this type of technology in many of our services and products. Cloud computing can mean the difference between just getting the job done and getting the job done efficiently and before your competition. Kevin is a CCHA (yeah, I got the certification before they changed it to CCAH), a licensed Investigator and Counterintelligence Specialist with SLC Security Services LLC. For more information on SLC Security you can visit the company website at www.slcsecurity.com.
Wednesday, November 5, 2014
The Latest Hacking Craze - Old Attacks - New Technology
SLC Security provides an SDR course for beginners. What is an SDR, you ask? SDR stands for "software defined radio". No longer is it the craze to go and buy or construct a tinfoil hat in 2014. In fact, even if you did, there are still ways to pick up very tiny signals buried in much larger signals (trace signals) that used to be nearly impossible. OK, OK, enough of the rambling.
One vector we are starting to see from hackers is definitely old technology. Remember TEMPEST? Well, if you don't know anything about it, let me just say it's the unintentional transmission of signals from devices that are not properly shielded, or in some cases that can't be shielded due to their design.
Everything with electrical energy passing through it has some sort of emission. Some devices, such as transmitters, are designed to emit this RF energy; some things, like your computer monitor or your USB keyboard, are not (but they do). Utilizing $20 USD in equipment it is possible to capture keystrokes and recover the text being typed at around 85% accuracy. It's possible to get about 80% of your monitor's pixels from the same methods, and while the picture may be fuzzy it is somewhat readable.
Don't believe me? Well, you don't have to. Here's something you can play with if you have a monitor and an AM radio. That's right, your computer monitor likes to transmit AM radio...
Download "Tempest for Eliza" and give it a shot. I think you will have some fun with it. Then when you're done, call us and we can show you how we can recover your work screens during an audit from 21 feet away, through a wall from a parking lot, from another floor, etc. Oh, and don't get us started on some of the lovely inexpensive Cisco equipment out there. That wireless router is leaking like you wouldn't believe (and not on the intended frequencies either).
We have so much fun doing our jobs. It's nice to take a break and get silly from time to time.
SLC Security Services LLC is licensed for Counterintelligence Service in the State of North Carolina. We operate in all 50 states and are available for TSCM related sweeps and consulting, RF engineering and Satcom Engineering work. Call (919)441-7353 and request to talk to a TSCM tech.
Over 1000 Backoff Malware Infected Machines in the US, 2500 in Europe
Researchers at SLC Security Services LLC have been able to identify over 3500 positive infections involving 3 variants of the Backoff malware over the past 30 days. By capturing data over networks and comparing it against known MD5 hashes we can first detect the infection. The infected host will then start making DNS requests to Google's DNS servers (8.8.8.8), followed by an encrypted data stream; with these indicators together we feel our detection methods are accurate.
One of the interesting things to note is that of the affected hosts we published earlier this month, nearly half of their networks are still sending data through 8 hub locations where we were able to analyze traffic through one of our business partners, a major Internet Service Provider in North America. We created, and were able to get our partners to run, a set of 10 Snort signatures that we provided, as well as a customized program to capture binary streams off the wire and analyze them for known MD5 matches without storing the data.
It seems that the vendors and corporations affected either do not have adequate detection in place or have failed to lock down their networks sufficiently to protect the infrastructure. In one case we even found a misconfigured POS system sending DNS requests to 1.1.1.1 in encapsulated P2P traffic, which was very unusual.
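The network-side indicators described above (a POS host resolving names against a public resolver such as 8.8.8.8 or 1.1.1.1 instead of the internal one, then opening an encrypted stream to somewhere it has no business talking to) are the kind of thing a locked-down POS segment can be checked for from flow records alone. The following is an added example, not SLC Security's capture program or its Snort signatures: the POS segment, the approved internal resolver, the egress allowlist and all of the flow records are constructed assumptions using RFC 5737 test addresses and private ranges.

```python
"""Egress-policy check for a POS segment over constructed flow records (added example).

Two indicators are encoded: DNS from a POS host to anything but the approved internal
resolver, and a TLS connection from a POS host to a destination outside the allowlist.
When the second follows the first on the same host, the host is flagged as a suspected
infection with outbound encrypted traffic.
"""
import ipaddress
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")      # assumed POS VLAN
INTERNAL_RESOLVER = ipaddress.ip_address("10.50.0.2")   # assumed approved resolver
PUBLIC_RESOLVERS = {"8.8.8.8", "1.1.1.1"}               # the public resolvers named in the post
ALLOWED_EGRESS = {"203.0.113.40"}                        # assumed payment processor (TEST-NET-3)

# Constructed flow log: (timestamp, src, dst, proto, dport, bytes)
FLOWS = [
    ("2014-11-03T10:00:01Z", "10.50.0.21", "10.50.0.2", "udp", 53, 80),         # normal: internal resolver
    ("2014-11-03T10:00:02Z", "10.50.0.21", "203.0.113.40", "tcp", 443, 5120),   # normal: processor
    ("2014-11-03T10:01:10Z", "10.50.0.33", "8.8.8.8", "udp", 53, 74),           # POS host asking Google DNS
    ("2014-11-03T10:01:11Z", "10.50.0.33", "198.51.100.9", "tcp", 443, 90112),  # then an encrypted upload
    ("2014-11-03T10:02:00Z", "10.50.0.40", "1.1.1.1", "udp", 53, 70),           # POS host asking 1.1.1.1
    ("2014-11-03T10:05:00Z", "10.60.0.5", "8.8.8.8", "udp", 53, 70),            # office host, out of scope
]


def classify_flow(flow):
    """Return finding tags for one flow; an empty list means the flow is within policy."""
    _ts, src, dst, proto, dport, _nbytes = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in POS_SEGMENT:
        return []  # the policy only covers the POS segment
    tags = []
    if dport == 53:
        if dst in PUBLIC_RESOLVERS:
            tags.append("dns-to-public-resolver")
        elif dst_ip != INTERNAL_RESOLVER:
            tags.append("dns-to-unapproved-resolver")
    elif proto == "tcp" and dport == 443 and dst not in ALLOWED_EGRESS:
        tags.append("tls-to-unlisted-destination")
    return tags


def analyze(flows):
    """Per POS host: the tags seen, plus whether DNS-then-encrypted-stream occurred in that order."""
    findings = defaultdict(lambda: {"tags": set(), "suspected_exfil": False})
    saw_bad_dns = set()
    for flow in sorted(flows):  # chronological; ISO-8601 timestamps sort as strings
        src = flow[1]
        tags = classify_flow(flow)
        if not tags:
            continue
        findings[src]["tags"].update(tags)
        if any(t.startswith("dns-to-") for t in tags):
            saw_bad_dns.add(src)
        elif "tls-to-unlisted-destination" in tags and src in saw_bad_dns:
            findings[src]["suspected_exfil"] = True
    return {host: {"tags": sorted(v["tags"]), "suspected_exfil": v["suspected_exfil"]}
            for host, v in findings.items()}


if __name__ == "__main__":
    for host, result in sorted(analyze(FLOWS).items()):
        print(host, result)
```

The same policy expressed as firewall rules on the POS segment (allow DNS only to the internal resolver, allow 443 only to the processor, deny the rest and log it) prevents the traffic rather than just detecting it; the flow check is what tells you whether the rules are actually in place and being hit.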
If you are a vendor or operate a POS system and require an audit, call us. We have more experience dealing with malware than some of the largest antivirus firms. To protect your point-of-sale equipment from allowing this type of activity we recommend hardware-based firewall network interface cards from Intel, our OS-level shim to protect the POS hardware, and our X-Gateway Hardware Firewall to detect and alert you to any activity and manage your Intel cards, switches, firewalls and IDS/IPS systems. The X-Gateway will provide customized rule sets, ACLs and firewall rules for all of your network devices and allow management from a single web-based interface. Our Compliance Framework ensures that you will pass your audit the first time!
Trust the leaders in this space and find out why 98% of our clients pass their audits after initiating our security model.
SLC Security Services LLC can be reached at (919)441-7353 or www.slcsecurity.com.
Tuesday, November 4, 2014
Drupal Hacks allowing perps to build massive botnet...
Over the past month we have been monitoring a situation with Drupal-based web site security and several vulnerabilities that were being distributed. Research conducted over the past week indicated that there are 12,621,419 hosts that have been hijacked as a direct result of the Drupal vulnerabilities.
"If you are running Drupal the best advice we can give you right now is to shut down your website, archive the database data and then use the migration scripts to install the latest non-vulnerable version".
Host infections have slowed now as most of the vulnerable systems are already hijacked.
There has been a rise in botnets after this issue. We are seeing much larger DDoS attacks taking place, and it is believed that the increase in infected bots is partially the reason behind these more successful attacks.
Monday, November 3, 2014
Today's Naughty List - 3 Nov 2014
50.74.234.66 | United States (USA) | New York | New York
81.137.204.83 | United Kingdom (GBR) | n/a | n/a
37.159.209.6 | Italy (ITA) | n/a | n/a
95.48.123.105 | Poland (POL) | Kujawsko-Pomorskie | Polska
200.241.45.146 | Brazil (BRA) | n/a | n/a
81.137.204.83 | United Kingdom (GBR) | n/a | n/a
196.38.228.2 | South Africa (ZAF) | n/a | n/a
151.236.52.44 | United Kingdom (GBR) | n/a | n/a