Sunday, December 28, 2014

DISCLOSURE: Independence Blue Cross

Independence Blue Cross has indicated that a maintenance worker discarded 12,500 paper records in the normal trash in October.

Thursday, December 25, 2014

H.J. Russell & Company - Owned

This companies IP address block has shown up in OSINT-X as a compromised host. This organization has machines attacking many other companies so they are presumed hacked at this point.

This activity started early 25 Dec 2014 and is ongoing.

Type: General
Area: Engineering

First Noted: 25 Dec 2014
Location: Various Locations
Total Records: 2500+ attacks noted
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC) 

Merry Christmas from the SLC Security Team...

We wish you all a safe and happy holiday season... We will see you all on the 2nd...

Tuesday, December 23, 2014

Hey where did the domain monitoring go?

We wanted to let you all know that we are no longer offering notification services on domains. In order to get this information you will be required to subscribe to OSINT-X or purchase a system to host the solution at your location. Our business model has changed significantly over the past year and it is not longer in our best interest to provide a notification service that you can setup for yourself in the OSINT-X product line.

"This change may affect some people but at the end of the day the information being ingested into OSINT-X is more up to date than the system that scours our feeds for your companies information. This move is a win for our customers." said Kevin Wetzel of SLC Security.

First Citizens Bank and Covert Electronic Surveillance

We are seeing indications that this bank is under covert electronic surveillance. This could be auditors hired by the bank, bad actors looking for attack vectors or some other party. We are not sure of the reason but our investigators have noted on several different dates that sophisticated attacks may be taking place at branch locations that are in non heavily populated areas or that these areas are under surveillance.

If you have any additional information on what may be occurring here please contact Kevin Wetzel at (919) 441-7353 or call our TSCM line at (717) 831-TSCM. Reports may remain anonymous if requested. 

2014 Historical Data to be released to Tableau Desktop or Public Users

As part of our technology share program SLC Security Services LLC will be releasing intelligence information formatted for users of Tableau Desktop or Public software so you can perform your own network analysis. The information being provided will be for a 30 day period and will include several of our feeds so you can run comparisons against your own network traffic.

Some of our clients have begun running the data against firewall and server logs to identify compromised machines and host so this may be valuable to you to determine if you should hire a third party to perform a network or security analysis of your data.

The tableau data will be released to the public area of the Tableau Server and will be available to the public. The time periods of the data will be from 15 Nov - 15 Dec 2014. The purpose of the release is so you can evaluate some of the same data that we utilize in our security appliances to determine if the devices are a good fit for your organization. If you come up with other use cases please let us know. We would love to work with some new faces in 2015 and we will do profit sharing on any use case that is adopted into our commercial gateway appliance.

The SLC Secure Gateway is an appliance that acts as a firewall and gateway on networks and also collects information from workstations to include MD5 list of files, network traffic data and action logs to match indicators of compromise with known virus, malware and network security threats.

Covert Listening Threats even worse than recent hacking attempts

Over the past few weeks we have been researching data from various audits on the east coast. We are noting a large increase in the identification, location and disabling of covert listening devices. In the month of November alone we have discovered 14 separate listening devices at 7 different companies. One thing we also have noticed are some similarities between the various devices that have been located.

1. In several of the cases there were multiple listening devices in the same area. We believe this is being done so that if the primary is found the backup may continue to provide useful information to the attackers.

2. Fax machines are being heavily targeted at many businesses. We have been able to locate stolen documents in 4 of the cases out of the 14 being researched.

3. Ultrasonic devices are being used to avoid detection.

4. Networks are also being attacked with malware reporting back to These IP's are also attempting to attack SMTP servers to verify accounts at these same organizations. This was determined through log file analysis.

5. 1 of the 14 companies is a major US Military Contractor.

These are the finding for November. We are still seeing covert listening devices in December and the numbers this month even with the holiday breaks are much higher than November so we are alerting companies to look for traffic to this host and call us if you have identified any. We would like to look for accompanying planted devices to see if this pattern remains. Only 1 of the 14 entities was not bugged or we did not locate any devices during the sweep.

SLC Security customers please read bulletin 2014-141 for additional information on the network IOC's and signal identification notations for these 14 locations.

Copycat Hacks Becoming Commonplace

While Government experts have pointed the finger at North Korea in the recent attack of SONY. We are still not convinced. The reason we are not convinced lies in the OSINT-X data we have archived and analyzed, the malware used in the attack and the similarities of an earlier attack on South Korean banks. One thing is for sure that the Government is not an OSINT-X customer at this time although we have had contact and interest in the product for other uses within the DOD. The FBI probably could use the system to help them in this type of case but as of yet they have not requested access or a stand alone system at any of their locations even though we have offered in the past.

One thing stinks in this whole North Korea blame game. There are misspellings in some of the code used in the first attack and the second attack does not show the same signs. We find it hard to believe that the same people are responsible based on word structure and simple elimination due to the fact that the IP addresses that were cited in an earlier report have changed hands in the botnet wars on more than four separate occasions over the past year and one of the IP's is in direct control of a known China group that would be more suited to carry out this type of attack. This same IP also is hosting malware and has been listed as a compromised system 2 times in the past 2 months.

Truth be told nobody knows exactly who has committed this act and secondly it is nearly impossible without having access to the Internet Service Providers (ISP) core networks to analyze traffic. I say show me proof and I"ll believe that it was North Korea. There are too many ways for these guys to cover their tracks than to make a connection through one of the 1024 official IP addresses that are in use in North Korea. This information is also wrong as there are over 5000 IP addresses in our systems that lead to North Korean associate entities masked as news and public information sites (most of which are hosting propaganda on servers outside of North Korea). It stands to reason based on our intelligence that the North Korean Government is responsible for these systems directly as they do not allow outside entities to utilize communications systems and have played mock games with various releases of "malware" and viruses on these same systems infecting thousands of other entities. If they were in fact responsible they would do like every other hacker and use jump servers to mask their identity.

If you really want to see something interesting look at the block  and look at connections going to and from the Internet via that IP block. Then you may be able to tell us something.

Friday, December 19, 2014

BREACH UPDATE: Staples admits to customers data being lost

Staples Inc. has come out with the following statement today.

The number of cards affected 1.16 million.

Staples Inc. (SPLS), the largest U.S. office-supply retailer, said 1.16 million payment cards may have been affected in a series of data breaches that occurred from July into September.
The theft occurred after criminals deployed malware on point-of-sale systems at 115 of Staples’ 1,400 U.S. stores, the Framingham, Massachusetts-based company said today in a statement. The company disclosed in October that it was investigating a potential breach.

Thursday, December 18, 2014

The Grinch?? Alert Logic's Claim's Not Adding Up

So as penetration testers we immediately took the information provided by Alert Logic in a recent notification concerning a vulnerability in Linux systems known as "the grinch". Our technical staff have all tried to confirm the information provided with the information provided in their post. Guess what?! We can't get any of the systems we have been testing to actually prove this exploit exist.

We have tested on RHEL, Fedora, Ubuntu and a few other distros and as of 5PM EST have not seen a single system that will allow us to exploit this vulnerability.

If anybody has more specific details on how this is accomplished we would love to hear about it.

Wednesday, December 17, 2014

WE AGREE: SONY did not get hacked by North Korea

Those of us in the security research arena are not buying the statement in mainstream news that SONY was hacked by North Korea. In fact there are many indicators to indicate otherwise. We are not gonna speculate on this and are surprised at the number of news organizations that are putting out information on a whim.

Additional Reading:
Data Breaches also agree's
North Korea Tech
And This...
And This...

Yeah, Yeah we know there are not many that agree but North Korea is pretty much cut off from the outside world. They may have asked another rogue state to help them but again we are not gonna go the way of the mainstream news.

In non US news circles many outlets are reporting that the attackers are unknown but in the US it seems the media would like to make it appear as though North Korea is responsible. We all know North Korea couldn't hack it's way out of a wet paper bag.

Monday, December 15, 2014

Guess What?! Your owned... UPDATED 12/16/2014 1:37PM EST

On 15 December, 2014 SLC Security Services LLC kicked off an analytic job to determine what host are owned or have been compromised. The following organizations came out of our analysis as being compromised and either used to perform additional attacks or part of a larger issue such as botnets, malware distribution or brute force activity. The following entities have been seen by sensors owned or operated by SLC Security Services LLC volunteers.

If you show up on this list you may want to find a reputable security firm to help you secure your infrastructure. If you have any questions you can email

Pinellas County Schools, FL
Etech Group Pty Ltd, FL*
Turner Broadcasting Systems Inc, GA
New Life Homes LLC, GA*
CocaCola Company, GA
Grant County, Moses Lake WA
Indiana Department of Education, IN
Massachusetts Institute of Technology, MA
New England Telehealth Consortium*
Arvixe LLC, Santa Rosa CA*
National Center for Atmospheric Research
Boston University, MA
Automated Data Systems
Georgia Public Web Inc, GA
Mainstream Consulting Group, MN
Minnesota State Colleges and Universities, MN
George Mason University, DC

Disclaimer: The information included in this report was provided by third parties such as WHOIS, Domain Registrations, Private Databases and proprietary information. We do not warrant this information to be free from error. In fact we are seeing fraudulent WHOIS data on an increasing basis but we believe the information to be accurate. Item's marked with a star were only verified with WHOIS so these names may not be accurate.

62 man hours of research and analytic processes were utilized to identify these organizations.

Another Round - Compromised Host

We will be publishing another round of compromised host later this evening at approx. 10PM EST.

We are running a batch analytic job in Analytic Desktop as we speak. We will release the results when the job is finished. 

BREACH: NCUA Flash Drive Lost - Data being sold on Darknet

NCUA confirmed that an examiner lost an external flash drive containing names, addresses and social security number as well as the account numbers belonging to the members of the Palm Springs Federal Credit Union.

They were quick to note that the data did not require passwords or PINS of the associated accounts.

We have noted information pertaining to be from this loss being sold on Darknet.


SONY Hack - What they are not telling you

It goes without saying that SONY is in deep trouble. We started seeing problems back in February of 2014 as several Sony related host had shown up on our blacklist of compromised systems. We were not doing the blogging thing back then but we can assure you that they are not being 100% honest about what has happened since they first discovered the breach.

You see Sony did exactly what some of the other entities we are blogging about. NOTHING. They knew they had security problems but they took the road that many of the companies we notify do. They sit back and try to cover up the issue before anybody notices. What's different this time in Sony's case is that the hackers had ample time to farther attack the Sony network. This bought the attackers much needed time to dig in really deep and to start shuffling data off the Sony network.

Here's what we know today:

1. Sony was attack far earlier than reported. We started seeing indicators back in February on our Compromised Host and Brute Force Attackers list.
2. The attack went unreported until the attackers started releasing troves of information.
3. The attackers notified Sony and tried to extort money from executives numerous time, Sony did not cave in to the attackers demands.
4. Information is being sold and the FBI is actively investigating the incident. Security researchers have confirmed that the FBI visited them after they downloaded Sony's proprietary documents.
5. Information is currently being sold on Underground Web Sites.
6. While the media is pointing to North Korea they are basing this information on the fact that some of the malware was written in Korean. This is really an assumption and we have seen this tactic being used to misdirect blame in the past.
7. Iran is releasing torrents with Sony information in them so they should also be given a second look but as of today it is not known who exactly is behind this attack.

Sunday, December 14, 2014

UPDATE: UC Berkeley Acknowledge Breach

Previously we reported  on a list of college systems that were showing up in our OSINT system as being compromised. Earlier today we were notified that an alert was sent to UC Berkeley students and staff advising them of the breach.

Read our previous post here.

This is exactly why we started this blog and we are glad to see that they reported this in such a timely manner.

From the information being provided it appears as though the Real Estate Division is the affected Berkeley entity. They are stating that they first detected the activity in September. Although UC Berkeley is not a customer of ours we are glad that they took action.

Wireless the Number 1 Vector

If your organization is running wireless we are advising you that this is the number one attack vector. It is recommended that you move to certificate based authentication. In 57 of 60 assessments we are reviewing wireless is by far the easiest vector to gain access to corporate networks. Even if corporate wireless networks are segregated the information sent through these networks may lead to actual compromises of legitimate network resources due to the fact that many devices will still try and authenticate to resources over the network.

When conducting penetration testing we are successful over 95% of the time in gaining credentials over guest networks so just because you think your guest network is not connected to your corporate network you should still be vigilant in monitoring.

EXCLUSIVE: The Top 10 Items Missed During an Audit (Article 3 of 10 in a series)

This is an exclusive provided by SLC Security Services LLC the leader in Medical, Compliance and DOD Auditing Solutions.

Number 10 on the list is attacks on your Disaster Recovery Plan or Third Parties that handle your data. We are seeing more and more third party vendors of large companies open them up to compromise due to standards not being in place and no auditing of third parties that you share data.

If you remember Target this was a perfect example whereas their air conditioning contractor failed to secure their network and malware was introduced via this path. Many times businesses open up firewalls to vendors without any auditing and verification of what data is moving through those trusted connections. Here are some recommendations to prevent your vendors from allowing a hacker to jump through a third party and gain access to unauthorized resources.

1. Even though a vendor may be "trusted" they should only be trusted to particular systems. The systems should not reside in your network. Host that data in a separate network segment that you can introduce DLP or monitoring protections such as IPS and IDS and make sure you are alerted if any attempts are made to access resources other than the destinations you have authorized.

2. Grant the least access required. Open only single IP and services in your firewall. Don't completely allow them to access any resource on your internal networks.

3. ENCRYPT YOUR DATA as it leaves your network. Ensure that information that is taken is encrypted. This prevents somebody other than your vendor from accessing data in which they are not authorized to view. Use time based encryption so that the keys are generated and discarded daily using security devices made for this purpose.

4. Require 2 factor authentication to view or access systems. Sure it may be inconvenient but so is losing your customer base to hackers.

If possible use hardware based network cards (INTEL makes a great solution) that only allows one device on your customer network to access only the single device on your internal network that they require to carry out authorized functions and processes.

Another great idea is to use an endpoint firewall solution.

If you would like to audit your third party vendors contact SLC Security at (919) 441-7353 to schedule an audit.

Friday, December 12, 2014

BREACH: Las Vegas Sands Corp

Breached by Iranian hackers in response to a comment made by the CEO of the company. Attack bears similarities with SONY as information was stolen and then the hard drives of the companies machines were wiped.

BREACH: St. Louis Parking Company

St Louis Parking Company has released a press release indicating that customers information may have been breached from 6 Oct 2014 - 31 Oct 2014.

The affected server was identified and isolated to avoid any further data from being compromised. Datapark, the manufacturer of the revenue controls system, is investigating the incident and following the Payment Card Industry Data Security Standard.

Third-party forensic experts were also hired to help investigate the matter. The breach has been contained.

Type: Card Processing
Area: Parking

First Noted: 9 Oct 2014
Location: MO
Total Records: Unknown
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC) 

BREACH: Kickback Jack's

We have confirmation that Kickback Jack's has been attacked. As of today the attack appears to be limited to just a few locations however that could rise as the investigation unfolds.

They are not a customer so we will not be following the activity but thought that it best for us to advise you that credit cards are being used that were swiped from Kickback locations.

Type: POS
Area: Hospitality

First Noted: 12 Dec 2014
Location: Various
Total Records: 4500+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

List of Owned Colleges and Universities

Over a weeks worth of research and sensor data has indicated a very large amount of college and universities that are infected with malware and/or viruses. In order to be listed a college would have to have been infected for a period of more than 7 days without detecting the botnet, virus, malware or compromised host. This report is only a snapshot in time but is current as of 12/12/2014. If you are in data security at these universities you can research public blacklist as we have already listed out the IP address ranges in our feed at Check the feed and if your in that list you might want to check your computing resources as soon as you can.

If you have trouble locating the infected boxes please reply to this post and we attempt to help you locate the infected or offending devices that we are observing.

University of Arkansas
University of Waterloo
University of California - This entity has acknowledged and is actively re-mediating the breach
University of Missouri Columbia
University of Maryland
University of Pennsylvania (PENNSTATE)

These are the universities that are currently show up in our OSINT systems. We are still working on a master list.

Thursday, December 11, 2014

Colleges Largely Already Owned by Hackers or Spreading Malware

During research on our analytic system this week he are noticing a bad trend concerning educational institutions. We started looking at colleges and conducted some analytic research that indicates that 52% of college and university networks currently have at least one host that is actively participating in bot or malware campaigns. What is troubling us lately is that many of the organizations we are seeing in our OSINT products have remained compromised or infected for very long periods of time.

We have scheduled an analytics job to run tonight that will look through our systems and match educational institutions to known indicators of compromise and we will be releasing the list of infected schools in the next several days once we have had a chance to analyze the results.

"These schools have students studying cyber security and forensics so it's concerning that they have not had their students take an inner look at their networks and secured these vulnerabilities".

Wednesday, December 10, 2014

NEWS: Hackers contacted top Sony executives before attack via OSINT-X Newswires

Top executives at Sony Pictures received an email extorting money three days before the company’s computer network was taken offline in a major hack.

The email message was among thousands released on Monday when the email boxes of two top Sony executives were leaked online. It was the latest release of potentially embarrassing corporate information following a major hack on the company’s computer networks two weeks ago.

“We’ve got great damage by Sony Pictures,” the message began. “The compensation for it, monetary compensation we want.”

“Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely,” it reads.

Tuesday, December 9, 2014

Data Security Excellence Note: Smithfield Johnston Memorial Hospital

During a recent walk through of Smithfield Johnston Memorial Hospital our staff noted that this hospital takes data security seriously. There were no wireless networks spewing data such as what has been observed at other hospitals and all patient consultations look to be held in private offices and not in shared spaces.

It was also noted that none of the workstations remained logged in when users walked away. In addition we can report that this hospital although not a client really took the data privacy of their clients seriously.

This hospital would be easy to audit as they have their act together. Good job Johnston Memorial!

Sunday, December 7, 2014

BREACH: WellCare informs Medicare subscribers of data breach via OSINT-X Newswires

Some personal information of a few dozen Monroe County residents who are Medicare subscribers with WellCare Health Plans recently was mishandled by a subcontractor for the insurer.
In late November, WellCare sent letters to 47 people affected in Monroe County, telling them the breach did not include Social Security numbers or any financial information. The insurer notified more than 500 people throughout New York state who were affected.
The insurer said it was not aware of misuse of anyone's information. Nevertheless, it urged the 47 individuals to review their credit card bills and other financial statements. The insurer is providing one-year credit protection.



We previously reported on General Mills. As of today we are still seeing indications of an infection coming from their network. We believe the host to be compromised.

Affected Host:

We have sent a notification for them to check their systems. We will update this post if we receive any follow up from them.

COMPROMISED HOST - University of Minnesota

We are starting to see reports of a compromised host out of the University of Minnesota. The IP address looks to have been breached sometime around 11-26-2014 and as of 12-02-2014 was still showing infected although it has since dropped from our nightly analytic runs.

Friday, December 5, 2014

EXCLUSIVE: The Top 10 Items Missed During an Audit (Article 2 of 10 in a series)

This is an exclusive provided by SLC Security Services LLC the leader in Medical, Compliance and DOD Auditing Solutions.

Issue 9 - Inadequate security of network path and access control systems

Yes we are jumping around a bit that's just because we have been really tied up with some clients this week. So here goes...

The number 9 issue on the top 10 list of items missed during audits is something most auditing companies never even check. When doing audits one of the items we check as part of our TSCM sweeps are the network, phone and cable paths. What we are referring to here are network cables that actually are accessible outside of your building, telephone connections in shared closets or alert system components in public areas that can be manipulated without gaining physical access to your secure space.

How many times have you been in a building and seen a closet labeled "Telecom Closet" or some similar title? These areas are troublesome for many of our clients that lease space in buildings. One of the things we have had to do at some client locations is request separate telephone lines and communications lines be brought directly into our customer space. We also insist on full metal conduits into the building as to prevent wire tapping and similar physical attacks on the lines. Full metal conduits also prevent some really neat tricks in which you don't even have to cut the phone lines to be able to monitor them.

At one bank recently we noted that in the walk in area beside the ATM was a network jack on the wall. When we tested the network jack it was connected directly to the customers network switch and the port was active. The port gave us an IP address and through passive network monitoring we are able to run wireshark and get at a ton of very sensitive information to include the domain information for network that the tellers in the branch were logging into. With some arp poisoning we were able to capture login credentials, needless to say the client disabled the port after the audit.

One important thing to note: 95% of the companies that we initially audit are not even aware of the TSCM threats that exist. Many times our audits are eye opening as we can tell who is in a building, login information to networks, etc, etc. just because they are not aware of some of these attack vectors. I can't tell you the number of wireless networks we find. It's very surprising and somewhat easy to obtain access to these networks when we do stumble upon these links.

So there you have it. Check your cable paths and make sure your devices are not going into shared space. If you really want to ensure the security of your communications here are a few other tips.

1. Do not use fax machines to send medical, PII or sensitive information over the telephone network. While most people think telephone networks are secure there are many stops along the way whereas your competition can get at your information and reconstruct your faxes, emails, etc.

2. Do not allow employees to bring personal electronic devices into areas that house PII or PHI. It has been proven that this is an attack vector that can be exploited.

3. Ensure cable paths are properly secured.

4. Do not use wireless handsets even if they are DECT "secure". DECT can be reconstructed it just takes the know how and tools to do it.

5. Do not send PII over wireless networks.

6. Do not allow third party vendors into any network that houses PII, PHI or PCI.

Have a great day folks and be sure to look for the next article in this series.

Spotify Cell Phone Tracking

We wanted to alert you to a VERY interesting thing we noted today on a wireless penetration test. While conducting the test we started seeing some strange traffic from the Spotify client that actually is not good, not good at all. What we observed were packets going over the network that included the cell phone number, model of the phone and various meta data identifying the handset to include the IMEA of the handset.

This is troubling as we observed the phone looking for it's home network, as soon as we spoofed that home network the handset connected and then spewed out the information identified above. The information is going back to spotify and we have seen similar things from pre-loaded Verizon handsets as well so this is a bit concerning as that information could be used to mount very specific attacks on an individual.

We ended up with enough information to verify the following information:

1. Cell Phone Owners Name
2. IMEA of the Handset and Phone Number
3. MAC Address of the Phone when it associated to the network
4. The Model of the Phone

I am not sure why Spotify would be collecting this information but we wanted to let you know.

We may be able to reproduce this. This would be a great method for verifying somebody is inside a building or some similar attack. 

Tuesday, December 2, 2014

FRAUD ALERT: Domain's posing as Valve Corp (Russian)

We were contacted by the hosting provider Akamai and advised that the domain in the capture below is actually an imposter out of Russia. Upon researching the information provided the registration information of the associated record below does not match other legitimate Akamai domain registrations so we have taken the following actions to correct this bulletin.

1. Removed the Akamai netblock from our temporary block list
2. Blocked all associated domains related to the fraudulant actors
3. Provided an update on the VD blog

We are glad that we were contacted as this helps us in keeping our information accurate. If you reach out to us as Akamai did we will work with you to confirm, verify or remove information that is in error.

Thank You for assisting us Akamai

Original Vuln Disclosure Article:

This isn't in the news but we can tell you that Valve is once again owned. We have seen clear evidence, packet captures and information being sold in the underground that are clearly not for public disclosure. Why don't these "Media" companies hire people that understand media. Valve is another repeat offender with the likes of Sony (which also has issues this week).

Valve keeps trying to keep hackers out but they have to understand that hackers are who made them in the first place. Game on my friends. Let's see if Valve put's out any public statements or see if they can find their Spreadsheets out on the Internet anywhere...     You might wanna try Pastebin guys!

Oh and your still on our blacklist for NOT securing your network the first time.

UPDATE: Oh and it's great that your web servers are now hosting the malware... Maybe they are planning on attacking your customers as well....

12-02-2014,,Valve Corp.

Quotes and Comments - Your news our way

There is no malware involved, so an antivirus program has nothing to detect, Mandia said. To confirm it has been attacked, a company must crack into its email server, review its logs and look for signs someone has connected to the server from an IP address outside the company. 

OK Call me stupid here but why the hell would you let an outside IP address connect to your mail server? I get it you mean allow a company to send email into your companies mail servers. Ha! We don't recommend that either... We are not giving away our trade secrets for protecting email for free I can tell you that!

Businesses need to implement two-factor authentication for email access, meaning employees would have to enter another code in addition to their username and password, he said.  

That's definitely a good start.

Hackers Leak Data Taken From Sony Pictures

Yep that's usually how this game works! I mean it's nice they are not charging for the Intel. People pay A LOT of money for business intelligence these days.

FireEye tattles on hackers. Investors love it.

Yeah but do their customers love it? I mean they are good about notifying you AFTER the attack!

Sorry but I can't do this any more today. None of this news is making much sense... Ugggghhhh

Why I love the big security companies! Here we go again Sony!!!

We keep reading these articles about very large corporate security giant's such as Mandiant and Fireeye and we sort of chuckle. These companies are great at protecting the organizations don't get me wrong but there are some vectors that these solutions consistently miss. They are so focused on the networks, Internet and the people. You did remember the people right?! Well we love the companies that go to these firms AFTER the fact. Look at Sony's recent public announcement that it has hired Mandiant to secure their network. Let's hope they do secure that network because that network has more holes in it than the swiss cheese on my sandwich at lunch time. I mean what Sony this is like the 10000th time you've been hacked.

Honestly there is nothing wrong with Mandiant or Fireeye. Like I said they are good at getting to the bottom of things when a breach has occurred. The biggest problem here is that Sony is just throwing money at the problem. Money alone will not fix these issues. Sony has been listed in our feeds for months so when it's all said and done you will see that Sony has been hacked for far longer than what they have thought. In addition if you know anything at all about DOX you can check some historical archives and find a treasure trove of information on Sony and quite possibly who is behind the attack. You did do your OSINT on this issue right?

So while I love you guys to death let it be known that in the 34 companies that we have audited and 6 US and Canadian Government Agencies not a single agency has been compromised after our audit and lockdown process. I don't think Mandiant or Fireeye can say that with confidence.

I think Sony really needs to look at how their "network" is build and revamp from the ground up. If I'm not mistaken they brought in Mandiant the last time they were breached. What that tells me is that we can probably look forward to future breaches from Sony and we should just take our money elsewhere. I can tell you that your not getting my credit card information any time soon.

Leveraging Big Data in your Enterprise

You cannot possibly view every single log file, every single login, every single password change, email, forum post, blog access, etc, etc. within your organization with the limits to staffing. It's not possible. This may be why Mandiant says that it takes over 200+ days to recognize an intrusion. The reason that it takes so long is because no administrator or security engineer can possibly read everything that comes into your network. This is where big data comes into play as well as analytics and data warehousing.

If your short on staff you should look into ways to make your existing staff more effective. One very easy win for the enterprise is to utilize distributed computing and big data together to find those needles in a hay stack.

So why aren't more company's investing in big data? Don't get it wrong many companies are using big data for business processes. Only a handful are using big data for use in analytic log monitoring. You and I both know that you cannot possibly look at every single line of code, every single log file, every single email or document stored on your network, and who would want to? So how can you use big data to find security issues in your network? Build a cloud and run analytics to look at the data differently.

I will be posting more on distributed computing and cloud storage in the upcoming weeks. Stay tuned and have a great day!

BREACH: Highlands-Cashiers Hospital

"The hospital says a company hired to handle healthcare information, TruBridge, made a misconfiguration that put patients' names, addresses, treatments, even some social security numbers at risk between May 2012 and September of this year."

This company is still leaking information. This was confirmed last on 11/9/2014 while we were on an audit in Western North Carolina. A quick check today indicates information is still being leaked. 

It should be noted that the breach is much larger than what has been reported. 

Area: Medical 

First Noted: 9 Nov 2014
Location: NC
Total Records: 25000+
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC) 

Monday, December 1, 2014

EXCLUSIVE: The Top 10 Items Missed During an Audit (Article 1 of 10 in a series)

This is an exclusive provided by SLC Security Services LLC the leader in Medical, Compliance and DOD Auditing Solutions.

One of our clients recently had a discussion with our auditing team and brought up a good point. John ask us specifically what are the 10 most common items missed during an audit or that IT personnel or security personnel fail to catch when preparing or when being audited by our firm? I stood there for a minute just digesting the question that was just posed and actually listed what I thought from my perspective the top 10 items would be. Then I started thinking some more about how I could actually make something useful out of the question and present it to customers and others that could benefit from that question.

Once I returned to the office I decided that I would take a look at the last years failed items and try and generate a top 10 list of items from the data that we had from our customers. After all I wouldn't be releasing what items were failures at each customer and all of the items in the failure block have already been corrected or accepted as a risk item so little to no harm could be done by compiling stats and expounding on this question a bit.

This is the first of 10 articles that we will be writing on this topic over the next few weeks. The goal is to get this series completed by the 1st of the year.

The Number One Issue - Failure to Document
Every single audit this past year has had this issue. There was at least one system that was connected to the network that was not documented. In order to ensure that systems are patched, secured, accounts that are no longer being used are removed, etc, etc. You have to know that a system exist. And worse yet you have to know what operating system is installed on that system so you can map out what vulnerabilities may be present. A good example of this is a particularly large client. Because we are under NDA we won't name them but just know they are one of the largest companies in Internet communications. An audit was conducted and as part of the audit we identified nearly 1400 devices on the LAN (Local Area Network) for this company. Honestly this number is small but we were only dealing with a regional office so this was our number. The company could account for nearly all of the devices except 64 of them. We received valid responses to probes in our scanning software and we knew that the system work running Linux but we could not locate them anywhere. We checked everything from the security cameras, VOIP phones, etc, etc and were having a hard time locating them until we were about to give up.

I was walking from the third floor heading to the parking lot when I swiped my card to exit the building and just froze. My team mate looked at me because he could sense the rubber burning in my head and I said to him "that's it". He said "What's it?". I said right there... He looked at me confused I said it's the door access readers that are running Linux. We went back to the third floor and ask who maintains the door access system and the security manager said that's managed by corporate. After a quick 10 minute phone call we had located all of the devices and accounted for them and were able to document the finding. Guess what?! Four of these devices had been compromised and were being used as a jump point into the internal network of this "company". We were able to get on the same VLAN as the devices and we determined that each and every one of them were vulnerable to the bash bug as the readers were running Busybox. The vendor had even notified the IT department but that information never got back to the security department. This is why having a third set of eyes is important. For months information was being stolen from the company without anybody even being aware of it. Luckily it was only the reader data which included the card number and employees name and email address but it was still a significant finding. Upon additional research we noted that this information was being used in Phishing attacks against individuals within the company and two personnel's computers were compromised using data that was obtained through the card readers.

Since the company did not document these devices our counts were off during the audit and we were certainly not going to leave the company until we knew what these devices were and could ensure that they were secured. This audit was a preliminary audit that ended up getting us a major support contract with the company because the security staff realized that we would ensure that each and every connected device was accounted for and documented properly. This contract was just signed on the 22nd of November and we look forward to auditing many other locations in the upcoming year.

Make sure you are documenting every device. When a vulnerability comes along if you don't know what devices are running what operating system it is nearly impossible to ensure that your networks and connected devices are secured.

If you can't document your finding or your devices correctly make sure you hire a company that can. The sad part of this story is that this company had passed 2 previous audits in the preceding 6 months and swore they were compliant. Luckily the network in which these readers were placed were in a separate VLAN but there were problems with shared space as these devices were directly addressable from the Internet as were the controllers that connected the office back to corporate to obtain the list of authorized personnel for each location. These were the systems that were vulnerable and what caused us to fail the organization. The good news is that the issue uncovered was not reportable so the company maintained their reputation but that is not always the case. As part of our audits we report any findings if we can confirm that information has been leaked to unauthorized third parties and we follow the reporting recommendations of CMS, HIPAA, ITSG, STIG, etc, etc.

Here are the other 9 items missed on most audits. These items will be followed up on in later articles with specific and detailed examples and information.

Ask yourselves today do you know where every single connected or mobile device is that is attached to your network? Have you secured all guest networks, access networks, VLAN's? Have you patched all security systems, telephone systems, copier machines, faxes, computers, servers, routers, switches, etc.? I we audited your organization today do you know what versions of software are running on every device? Are you current with all third party vendor patches?

The answer obviously is no. No organization ever can document every single device, patch level, operating system, etc. The goal of the audit is to do just that. Provide the documentation that turns a 3 month audit into a 2 week audit. If you can answer the auditors questions the first time you may pass but don't you want to pass with flying colors? Don't you want real piece of mind? Remember Target passed their audits too but that's because the audits were only for a specific system and not how the systems interacted. It doesn't matter if a system is patched to the latest version of your guest network has vulnerabilities that can allow MITM or Malware to infect those systems. Just because you passed that audit doesn't mean you have passed an SLC Security Services LLC audit. If we don't find it, your audit is free!

The Rest of the List... (Future Articles)

2. Failure to remove old accounts or have a system in place to deactivate unused accounts.

3. Incorrect workstation settings not in line with your business need. Insecure servers and workstations.

4. Reliance on Anti-Virus and Malware Protection that is inadequate

5. No signal and propagation protection in regards to wireless, paging, cellular and other wireless technologies.

6. Inadequate email protection.

7. No ability to audit email, files leaving the enterprise or the removal of proprietary information via electronic systems.

8. Social networking succeeded at the organization leading to a compromised system.

9. Inadequate security of network path and access control systems.

10. Attacks on disaster recovery plan whereas data was stolen from a third party or a third party provider to our clients in transit.

We hope you have enjoyed this initial article. We will cover the other nine topics in future post. We hope you have all had a great holiday and now we are all back to the grind. Have a great week and remember to keep things secured!