Unusual Vectors

Threatpost is reporting the use of one of the more unusual malware vectors: a pentester sending bogus CDs and letters, supposedly from the National Credit Union Administration, containing training materials. The CDs, of course, contain malware, and the real lesson is not to judge a CD by its cover letter.

There's nothing new about this type of attack vector; it's similar to an old case of pentesters who left USB sticks outside their target and watched the employees 'find' the drives and then, as expected, plug them into their computers as soon as they got into the office.

While a well-trained staff should have had second thoughts about the latter, the former is much more troubling. How would even a trained security officer know the difference between a 'real' training CD from an official body (or partner company) and a fake?

Many organizations constantly receive CDs in the mail: legitimate CDs from partners, regulatory and government bodies, or software trials/updates from vendors. Should someone with malicious intent be targeting an institution (or institutions), slipping this type of trojan-laden CD into the mail probably wouldn't be all that hard, especially if it was disguised as something the organization was expecting or receives on a regular basis.

The downside of this type of spear-phishing attack is that it becomes more difficult to maintain the level of anonymity that the internet can provide once you are passing out physical discs. So although it might have a higher strike rate for the attacker, the risk of being caught is also greatly increased.

I can recall once dealing with a company in the past that had simply removed all the CD drives from their PCs to stop employees bringing in malware. This is something similar to the old 'supergluing the USB ports' trick. While an effective measure, it is somewhat extreme and will more than likely cause more problems than it will solve.

Nonetheless, this type of attack is a troubling thought for those tasked with protecting a company's information assets. The only good part is that it is unusual and unlikely to happen to you, but it might be worth mentioning in your next security awareness course.

In plain sight

Dark Reading has a great article on Weaponizing the iPod touch.

In short, it is an article from a DefCon presentation about turning the iPod touch into a wireless network penetration tool. Although not blessed with great processor or memory capability, it does have generous storage, and with some specialized versions of tools such as tcpdump and Nmap it can quickly become a rather stealthy headache for the corporate security guy.
While the guy (or gal!) sitting in the lobby of your building or in the carpark with a laptop out may arouse some suspicion, the same person pecking away on their iPhone or iPod touch wouldn't even warrant a second glance in most cases.

As processing power becomes more and more portable, from smarter phones and personal entertainment devices to wearable computers, ensuring that any wireless networking in your company is properly secured will become more and more crucial. Standards and configurations that may have been sufficiently secure a year or two ago will need constant review to ensure security is maintained. The wired network is far from immune to danger, as smaller and smaller devices can be plugged into rarely used network ports in conference rooms or unused offices and used to sniff traffic and beam data back to an attacker, or simply collect information until they are retrieved.

Educating the corporate user base to ensure they understand the dangers of using wireless networking outside the office will also become increasingly important. With more and more corporate users demanding access to increasing amounts of corporate data from home or on the move, from cafes and airport lounges, there is a growing danger of malicious networks performing MITM (man-in-the-middle) attacks or capturing credentials by impersonating 'free' wireless services.

While for some, simply not providing wireless access is the current option, the day when that is acceptable for business is coming to an end, so get ready. Even the wireless police can only do so much!

Now where did I put my iPod touch?

Failing Securely.

The Australian is reporting a clever fraud scam where the criminals arrive after hours and cut the phone lines to stores before turning up during business hours and purchasing expensive items with stolen credit cards. With the phone lines down, the merchants have the choice of turning away the sale or manually processing the card and therefore doing without the normal credit card verification. A difficult choice, especially in the current tough economic times.

What this scam highlights for the security-conscious is not so much the lack of physical security around the phone lines (although that is a concern, it is not under the control of the merchants) but the fact that the backup system (manual processing) lacks the verification of the primary system.

Businesses can suffer the same problem, where security is relaxed in a Disaster Recovery environment or is viewed as a secondary concern to restoring business processes. It may be that systems and applications at a DR site are patched less frequently, or that software is not kept at the current version, as backup sites can be 'out of sight, out of mind'.

When designing a Business Continuity Plan, it should be kept in mind that, should the business need to fail over to backup systems or a DR site, it can do so not only quickly but also without compromising the normal level of security.

After all, if you are already suffering from an event that requires the use of a DR site (like a fire or flood), the last thing you need is a massive virus outbreak on your DR network or your backup web servers hacked...

Security Theatre - An Example

Bruce Schneier frequently talks about 'security theatre', or the illusion of security. I saw the perfect example the other day when visiting a secure datacentre's co-lo. Visitors are required to sign in with a receptionist who is sitting behind bullet-resistant glass behind bullet-resistant doors. Having verified who you are, they take you to the co-lo, through a door with swipe card access which must be closed before using the hand print scanner and a PIN to open the next door in a kind of airlock setup. "Wow, this must be a secure datacentre," you think, until you realise that at the other end of the lobby from the first door with the swipe card access is another door, still with swipe card access but no PIN or biometrics, that gives you access to the exact same datacentre. I'll give you one guess which door the staff use.

CAPTCHA

I came across this CAPTCHA method while reading Whirlpool today (original thread here). Interesting idea but a horrible implementation. I like it from the point of view of accessibility and usability, but it is incredibly easy to defeat in its current implementation. As was pointed out in the thread, in order to be effective both the span class and the separating character need to be random, as well as probably the interval at which the hidden characters are inserted.

Our first follower...

Hey hey, we have our first follower... Welcome... I guess that means we had better add some more content (hmmmm.... that mug shot looks spookily familiar)
