tag:blogger.com,1999:blog-30507091149972041082024-02-19T16:09:26.359+11:00security samuraiInformation Security news and opinionUnknownnoreply@blogger.comBlogger261125tag:blogger.com,1999:blog-3050709114997204108.post-1157147014021030752015-03-18T15:57:00.001+11:002015-03-18T16:05:27.283+11:00Bye Bye IE!<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
Bye Bye IE! <a href="http://t.co/Cpw9iY0g2t">http://t.co/Cpw9iY0g2t</a> …<br /><a href="http://ift.tt/Tn8TEl">#SS</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/1FyRzRD">March 18, 2015</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw</div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3050709114997204108.post-69583897674539005282014-08-30T10:59:00.001+10:002015-03-18T16:05:42.398+11:00What could possibly go wrong?<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
What could possibly go wrong? “<a href="http://ift.tt/ZeUJk1">@Bruce_Schneier</a>: Cell Phone Kill Switches Mandatory in California <a href="http://t.co/sFTm3CTtLY">http://t.co/sFTm3CTtLY</a>” <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/1vvozpL">August 30, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 30, 2014 at 09:56AM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3050709114997204108.post-22541937421560296482014-08-30T08:35:00.001+10:002015-03-18T16:06:02.648+11:00One for the password shame file<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
One for the password shame file: “<a href="http://ift.tt/1bMre4h">@Viss</a>: sigh. Multi million dollar security program. They still don't get it. <a href="http://t.co/1im3YyMfem">http://ift.tt/1qOfMfk</a>” <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/1n5MeFl">August 29, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 30, 2014 at 07:31AM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-65025818743099918952014-08-29T11:41:00.001+10:002015-03-18T16:06:27.540+11:00NSA's homegrown Google, mega metadata searching!<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
NSA's homegrown Google, mega metadata searching!: <a href="https://t.co/5ZCMX1stjc">https://t.co/5ZCMX1stjc</a> <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/1tg0wdR">August 29, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 29, 2014 at 10:31AM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3050709114997204108.post-68028197824654141432014-08-28T16:35:00.001+10:002015-03-18T16:06:40.052+11:00Use google? You may be a hacker!<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
Use google? You may be a hacker! “<a href="http://ift.tt/13jHUdT">@briankrebs</a>: DHS: Only you can prevent Google-dorking <a href="http://t.co/IZEVQV6TdM">http://t.co/IZEVQV6TdM</a>” <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/XUuabI">August 28, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 28, 2014 at 03:22PM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-68252648736138523632014-08-24T23:53:00.001+10:002015-03-18T16:06:51.761+11:00Somehow I'm not surprised...<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
Somehow I'm not surprised... “<a href="http://ift.tt/PMHjgj">@troyhunt</a>: Hackers Unmask Anonymous Posters On Secret, Including App's Founder <a href="http://t.co/obQQjzuvpl">http://t.co/obQQjzuvpl</a>” <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/1qD7wLm">August 24, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 24, 2014 at 10:43PM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-56040416105579822622014-08-24T18:37:00.001+10:002015-03-18T16:07:03.271+11:00 Tackling the software security problem at the root.<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
Great talk. Tackling the software security problem at the root. <a href="http://t.co/XD2qEAwcMm">http://t.co/XD2qEAwcMm</a> <a href="http://ift.tt/1p11AxA">#infosec</a> <a href="http://ift.tt/1ltTptd">#education</a> <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/1zlYqas">August 24, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 24, 2014 at 05:24PM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-86263435550499642972014-08-24T17:50:00.001+10:002015-03-18T16:07:17.247+11:00Gmail gets the headline, but other android apps also vulnerable<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
Gmail gets the headline, but other android apps also vulnerable: <a href="http://t.co/hWGzPJsFLn">http://t.co/hWGzPJsFLn</a> <a href="http://ift.tt/1p11AxA">#infosec</a> <a href="http://ift.tt/1oeaeLh">#android</a> <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/1tGkn2C">August 24, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 24, 2014 at 04:35PM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-70974260631079042692014-08-24T17:34:00.001+10:002015-03-18T16:07:28.315+11:00Fear of fines not improving security - fear of bad publicity is?<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
Fear of fines not improving security - fear of bad publicity is? <a href="http://t.co/PIbMgtzcdt">http://t.co/PIbMgtzcdt</a> <a href="http://ift.tt/1p11AxA">#infosec</a> <a href="http://ift.tt/1tGi3Zb">#reputationrisk</a> <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/1psG5rB">August 24, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 24, 2014 at 04:27PM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-84142329324446648002014-08-22T17:09:00.001+10:002014-08-22T18:57:39.134+10:00Aquaman<div xmlns="http://www.w3.org/1999/xhtml">
<blockquote class="twitter-tweet">
<br />
Aquaman in top 3 superheroes used by cybercrims. 1st time ever a top 3 list except "heroes who talk to fish" <a href="http://t.co/DuyNlsjZua">http://t.co/DuyNlsjZua</a> <a href="http://ift.tt/1qwyTdy">#ss</a> <br />
<br />
— JRK (@jrkurosawa) <a href="http://ift.tt/YHb0pQ">August 22, 2014</a> </blockquote>
<br />
<br />
from Twitter http://ift.tt/1nhrYAw<br />
<br />
<br />
<br />
August 22, 2014 at 04:06PM<br />
<br />
via <a href="http://ift.tt/16Xitlp">IFTTT</a></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-31998610043853282052014-08-01T14:01:00.000+10:002014-08-01T14:01:14.727+10:00EMET 5.0 releasedMicrosoft have released EMET 5.0; the details are <a href="http://blogs.technet.com/b/srd/archive/2014/07/31/announcing-emet-v5.aspx" target="_blank">here</a>. I've been running EMET for quite some time now; it's very unobtrusive and fairly intuitive. It can also be integrated to good effect with the MS System Center suite. If you're running Windows, install it and make a bad guy's life that little bit harder.Richardhttp://www.blogger.com/profile/03616893276957095975noreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-14670685705187728162014-07-17T13:53:00.000+10:002014-07-19T15:25:12.996+10:00SSL BlacklistThe guys over at <a href="http://www.abuse.ch/">abuse.ch</a>, who publish the ZeuS and SpyEye tracking lists among others, have added another <a href="https://sslbl.abuse.ch/blacklist/" target="_blank">list</a>, this time tracking the SSL certificates used by various pieces of malware for C&C traffic. There are two types of list: a list of fingerprints of observed certificates and a list of IP addresses associated with the traffic. The fingerprint list also comes as a ruleset for the open source IDS/IPS Suricata; unfortunately Snort doesn't support SSL/TLS fingerprinting, so Snort users are out of luck (though the IP lists would certainly be of some use). It also comes as a CSV.<br />
<br />
This got me thinking about other ways to do this without having a Suricata instance, or with historical data (maybe you run full packet capture at the gateway and don't discard SSL?). Granted, for the historical use case you could just fire up Suricata and run the pcaps through it, but where's the fun in that? *nix has a utility called ssldump which looks at network data, live or from a pcap, and parses out the session information including the certificate. Once we have the certificate it can be fingerprinted with OpenSSL and compared to our list of known bad fingerprints.<br />
<br />
This is still a work in progress and currently doesn't work with live traffic (something goes awry with the awk script, I think), and I can't claim to have written all the code, more glued some bits and pieces together, but it seems like it could be quite effective with a bit more fiddling. I'd be interested to see how it goes on a reasonable size data set. I still need to write something to grab the source and destination IP from the ssldump output too.<br />
<br />
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="-ms-word-wrap: normal; color: black;"> ssldump -AN -r ssl.pcap | awk 'BEGIN {c=0;} { if ($0 ~ /^[ ]+Certificate$/) {c=1;}
if ($0 !~ /^ +/ ) {c=0;} if (c==1) print $0;} ' | tr "\\n" " " | sed 's/ *//g' |
perl sslbacklist.pl
</code></pre>
<br />
The contents of the Perl script are as follows:<br />
<br />
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="-ms-word-wrap: normal; color: black;"> use strict;
use warnings;
use Text::CSV;

# Load the abuse.ch list: column 1 is the SHA1 fingerprint, column 2 the malware name
my %bad_thumbprints;
my $csv  = Text::CSV->new( { sep_char => ',' } );
my $file = 'sslblacklist.csv';
open( my $data, '<', $file ) or die "Could not open '$file' $!\n";
while ( my $line = <$data> ) {
    chomp $line;
    next if $line =~ /^#/;    # skip the comment/header lines in the CSV
    if ( $csv->parse($line) ) {
        my @fields = $csv->fields();
        if ( $fields[1] ) {
            ( my $key = lc $fields[1] ) =~ s/://g;    # same normalisation as below
            $bad_thumbprints{$key} = $fields[2];
        }
    }
    else {
        warn "Line could not be parsed: $line\n";
    }
}
close $data;

# stdin is the whitespace-stripped Certificate block produced by the awk/tr/sed pipeline
my $certificatestring = do { local $/; <> } // '';
$certificatestring =~ s/\s+//g;
my @certificates = split( /certificate\[\d+\]=/, $certificatestring );
foreach my $certificate (@certificates) {
    # only pure hex goes to the shell; this also drops the leading 'Certificate' label
    next unless $certificate =~ /^[0-9a-fA-F]+$/;
    my $thumbprint = `echo $certificate | xxd -r -p | openssl x509 -inform der -noout -fingerprint -sha1`;
    # parse the fingerprint out of the output rather than relying on a fixed column offset
    next unless $thumbprint =~ /Fingerprint=([0-9A-Fa-f:]+)/;
    ( $thumbprint = lc $1 ) =~ s/://g;
    if ( exists( $bad_thumbprints{$thumbprint} ) ) {
        print "ALERT: Bad Thumbprint ($thumbprint) detected indicating $bad_thumbprints{$thumbprint} malware \n";
    }
}
</code></pre>
<br />
References:<br />
Awk script came from <a href="http://serverfault.com/questions/313610/extracting-ssl-certificates-from-the-network-or-pcap-files">http://serverfault.com/questions/313610/extracting-ssl-certificates-from-the-network-or-pcap-files</a><br />
OpenSSL and xxd commands from <a href="http://stackoverflow.com/questions/22211140/conversion-x-509-certificate-represented-as-a-hex-string-into-pem-encoded-x-509">http://stackoverflow.com/questions/22211140/conversion-x-509-certificate-represented-as-a-hex-string-into-pem-encoded-x-509</a><br />
<br />
edit: Updated the Perl script to do the awk part itself and other cleanup; it also extracts the IP addresses now<br />
<br />
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="-ms-word-wrap: normal; color: black;"> ssldump -ANn -r ssl.pcap | perl sslbacklist.pl
</code></pre>
<br />
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="-ms-word-wrap: normal; color: black;"> use strict;
use warnings;
use Text::CSV;

# Load the abuse.ch list: column 1 is the SHA1 fingerprint, column 2 the malware name
my %bad_thumbprints;
my $csv  = Text::CSV->new( { sep_char => ',' } );
my $file = 'sslblacklist.csv';
open( my $data, '<', $file ) or die "Could not open '$file' $!\n";
while ( my $line = <$data> ) {
    chomp $line;
    next if $line =~ /^#/;    # skip the comment/header lines in the CSV
    if ( $csv->parse($line) ) {
        my @fields = $csv->fields();
        if ( $fields[1] ) {
            ( my $key = lc $fields[1] ) =~ s/://g;    # same normalisation as below
            $bad_thumbprints{$key} = $fields[2];
        }
    }
    else {
        warn "Line could not be parsed: $line\n";
    }
}
close $data;

# Walk the raw ssldump output: remember the latest connection's endpoints and
# collect every indented line under a 'Certificate' heading
my $c                 = 0;
my $certificatestring = '';         # initialised so the first .= does not warn
my $source_ip         = 'unknown';
my $dest_ip           = 'unknown';
while (<>) {
    chomp;    # strip record separator
    if ( $_ =~ m/New TCP connection #\d+: (\d+\.\d+\.\d+\.\d+)\(\d+\) <-> (\d+\.\d+\.\d+\.\d+)\(\d+\)/ ) {
        $source_ip = $1;
        $dest_ip   = $2;
    }
    if ( $_ =~ /^[ ]+Certificate$/ ) {
        $c = 1;
    }
    if ( $_ !~ /^ +/ ) {
        $c = 0;
    }
    if ( $c == 1 ) {
        $certificatestring .= $_;
    }
}

# Everything is checked once at end of input, so the IPs reported are those of the last connection seen
$certificatestring =~ s/\s+//g;
my @certificates = split( /certificate\[\d+\]=/, $certificatestring );
foreach my $certificate (@certificates) {
    # only pure hex goes to the shell; this also drops the leading 'Certificate' label
    next unless $certificate =~ /^[0-9a-fA-F]+$/;
    my $thumbprint = `echo $certificate | xxd -r -p | openssl x509 -inform der -noout -fingerprint -sha1`;
    # parse the fingerprint out of the output rather than relying on a fixed column offset
    next unless $thumbprint =~ /Fingerprint=([0-9A-Fa-f:]+)/;
    ( $thumbprint = lc $1 ) =~ s/://g;
    if ( exists( $bad_thumbprints{$thumbprint} ) ) {
        print "ALERT: Bad Thumbprint ($thumbprint) detected indicating $bad_thumbprints{$thumbprint} malware. Source IP: $source_ip Dest IP: $dest_ip \n";
    }
}
</code></pre>
<br />
edit 2: now works when sniffing and needs a refactor... <br />
<br />
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="-ms-word-wrap: normal; color: black;"> sudo ssldump -ANn -i eth0 | perl sslbacklist.pl
</code></pre>
<br />
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="-ms-word-wrap: normal; color: black;"> use strict;
use warnings;
use Text::CSV;

# Load the abuse.ch list: column 1 is the SHA1 fingerprint, column 2 the malware name
my %bad_thumbprints;
my $csv  = Text::CSV->new( { sep_char => ',' } );
my $file = 'sslblacklist.csv';
open( my $data, '<', $file ) or die "Could not open '$file' $!\n";
while ( my $line = <$data> ) {
    chomp $line;
    next if $line =~ /^#/;    # skip the comment/header lines in the CSV
    if ( $csv->parse($line) ) {
        my @fields = $csv->fields();
        if ( $fields[1] ) {
            ( my $key = lc $fields[1] ) =~ s/://g;    # same normalisation as below
            $bad_thumbprints{$key} = $fields[2];
        }
    }
    else {
        warn "Line could not be parsed: $line\n";
    }
}
close $data;

# Process each Certificate block as soon as it closes, so this also works on a live sniff
my $c                 = 0;
my $certificatestring = '';         # initialised so the first .= does not warn
my $source_ip         = 'unknown';
my $dest_ip           = 'unknown';
my $connection_no     = 0;
while (<>) {
    chomp;    # strip record separator
    if ( $_ =~ m/New TCP connection #(\d+): (\d+\.\d+\.\d+\.\d+)\(\d+\) <-> (\d+\.\d+\.\d+\.\d+)\(\d+\)/ ) {
        $connection_no = $1;
        $source_ip     = $2;
        $dest_ip       = $3;
    }
    if ( $_ =~ /^\s+Certificate\s*$/ ) {
        $c = 1;
    }
    if ( $_ !~ /^ +/ ) {    # an unindented record line ends the block
        $c = 0;
    }
    if ( $c == 1 ) {
        $certificatestring .= $_;
    }
    if ( $c == 0 && $certificatestring ) {
        $certificatestring =~ s/\s+//g;
        my @certificates = split( /certificate\[\d+\]=/, $certificatestring );
        foreach my $certificate (@certificates) {
            # only pure hex goes to the shell; this also drops the leading 'Certificate' label
            next unless $certificate =~ /^[0-9a-fA-F]+$/;
            my $thumbprint = `echo $certificate | xxd -r -p | openssl x509 -inform der -noout -fingerprint -sha1`;
            # parse the fingerprint out of the output rather than relying on a fixed column offset
            next unless $thumbprint =~ /Fingerprint=([0-9A-Fa-f:]+)/;
            ( $thumbprint = lc $1 ) =~ s/://g;
            if ( exists( $bad_thumbprints{$thumbprint} ) ) {
                print "ALERT: Bad Thumbprint ($thumbprint) detected indicating $bad_thumbprints{$thumbprint} malware. Connection: $connection_no Source IP: $source_ip Dest IP: $dest_ip \n";
            }
        }
        $certificatestring = '';
    }
}
</code></pre>
<br />
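The same check, as an added Python example that is not the blog's sslbacklist.pl or the CheckSSLBL repo: it replays ssldump -ANn output, hashes each DER certificate with hashlib instead of shelling out to xxd and openssl, cuts each certificate at its ASN.1 length so text following the chain is never hashed, and looks the SHA1 up in an SSLBL-style CSV. The transcript, the "certificates" and the CSV are constructed; the CSV column order (date, SHA1, reason) is assumed from how the blog script reads the file.

```python
import csv
import hashlib
import re

# ssldump -n flow header; groups: connection number, source IP, destination IP
CONN_RE = re.compile(r"New TCP connection #(\d+): (\d+\.\d+\.\d+\.\d+)\(\d+\) <-> (\d+\.\d+\.\d+\.\d+)\(\d+\)")
CERT_HDR_RE = re.compile(r"\s+Certificate\s*")      # chain start, the same test the blog script uses
CERT_SPLIT_RE = re.compile(r"certificate\[\d+\]=")  # separates chain elements once lines are joined

def sha1_fingerprint(der: bytes) -> str:
    """SSLBL lists the SHA1 of the DER bytes, lower case and without colons."""
    return hashlib.sha1(der).hexdigest()

def der_sequence(hexblob: str):
    """One DER SEQUENCE (tag 0x30) off the front of a hex string, cut at its ASN.1 length."""
    if not hexblob.startswith("30"):
        return None
    try:
        first = int(hexblob[2:4], 16)
        header, length = 2, first                      # short form: one length byte
        if first >= 0x80:                              # long form: low 7 bits = byte count
            n = first & 0x7F
            header, length = 2 + n, int(hexblob[4:4 + 2 * n], 16)
        body = hexblob[: 2 * (header + length)]
        if len(body) < 2 * (header + length):
            return None                                # truncated capture: skip it
        return bytes.fromhex(body)                     # ValueError if not pure hex
    except ValueError:
        return None

def load_blacklist(csv_text: str) -> dict:
    """Column 1 = SHA1, column 2 = listing reason (the columns the blog script reads)."""
    bad = {}
    for row in csv.reader(csv_text.splitlines()):
        if len(row) < 3 or row[0].startswith("#"):
            continue
        fp = row[1].strip().lower().replace(":", "")
        if re.fullmatch(r"[0-9a-f]{40}", fp):
            bad[fp] = row[2].strip()
    return bad

def scan(lines, bad: dict) -> list:
    """Hash every chain element when its Certificate block closes; returns (conn, src, dst, fp, reason)."""
    alerts, buf, flow = [], [], (0, "?", "?")
    def flush() -> None:
        blob = re.sub(r"\s+", "", "".join(buf))
        for part in CERT_SPLIT_RE.split(blob)[1:]:
            der = der_sequence(part)
            fp = sha1_fingerprint(der) if der is not None else None
            if fp in bad:
                alerts.append(flow + (fp, bad[fp]))
        buf.clear()
    for line in lines:
        line = line.rstrip("\n")
        if CERT_HDR_RE.fullmatch(line):
            buf.append("")                 # enter a Certificate block (sentinel)
        elif buf and line[:1].isspace():
            buf.append(line)               # indented continuation of the block
        elif buf:
            flush()                        # an unindented record line closes the block
        m = CONN_RE.search(line)           # after the flush, so alerts keep the old flow's IPs
        if m:
            flow = (int(m.group(1)), m.group(2), m.group(3))
    if buf:
        flush()
    return alerts

# Constructed stand-ins for DER certificates (SEQUENCE header over 13 bytes); SSLBL's fingerprint is plain SHA1 over DER
BAD_DER = bytes([0x30, 0x0D]) + b"constructed-1"
GOOD_DER = bytes([0x30, 0x0D]) + b"constructed-2"
BAD_HEX, GOOD_HEX = BAD_DER.hex(), GOOD_DER.hex()

# Constructed SSLBL-style CSV; header assumed, column order as the blog script reads it
BLACKLIST_CSV = f"""# Listingdate,SHA1,Listingreason
2014-07-17 10:00:00,{sha1_fingerprint(BAD_DER)},ConstructedBot C&C
"""

# Constructed ssldump -ANn transcript: certificate[0] wraps over two lines and a CertificateRequest follows the chain
SAMPLE_SSLDUMP = f"""New TCP connection #1: 10.0.0.5(51234) <-> 198.51.100.7(443)
1 2  0.0300 (0.0290)  S>C  Handshake
      Certificate
        certificate[0]={BAD_HEX[:16]}
                       {BAD_HEX[16:]}
        certificate[1]={GOOD_HEX}
      CertificateRequest
      ServerHelloDone
New TCP connection #2: 10.0.0.5(51235) <-> 203.0.113.9(443)
2 2  0.0250 (0.0238)  S>C  Handshake
      Certificate
        certificate[0]={GOOD_HEX}
      ServerHelloDone
"""

def run_sample() -> list:
    return scan(SAMPLE_SSLDUMP.splitlines(), load_blacklist(BLACKLIST_CSV))

if __name__ == "__main__":
    for conn, src, dst, fp, reason in run_sample():
        print(f"ALERT: connection #{conn} {src} -> {dst} cert {fp} listed as {reason}")
```

For real traffic, feed `scan()` the lines of `ssldump -ANn -i eth0` and `load_blacklist()` the downloaded sslblacklist.csv; only connection #1 in the constructed transcript should alert.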
There's now a GitHub repository for this <a href="https://github.com/richardmhope/CheckSSLBL" target="_blank">here</a>Richardhttp://www.blogger.com/profile/03616893276957095975noreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-15613668291040060912014-06-30T16:22:00.000+10:002014-06-30T16:22:23.385+10:00Olé, Olé, Olé, Oh no!With World Cup fever sweeping most of the globe, this snippet of the wireless SSID and password for the World Cup’s security center being <a href="http://www.infosecnews.org/want-to-know-the-wifi-password-for-the-brasil-world-cup-security-center/" target="_blank">accidentally exposed</a> in the background of a media photo made me chuckle!<br />
<br />
<br />Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3050709114997204108.post-56907782174669610092014-05-01T18:24:00.003+10:002014-05-01T18:24:39.987+10:00Traffic TroubleThe fact that SCADA systems and embedded controllers are woefully insecure is hardly news to security folk. But it is always somewhat eye opening to see how some of these systems can be compromised. One of those is in <a href="http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html" target="_blank">this</a> blog post from IOActive Labs that a friend sent to me, where they used remote control drones to hack the systems that send data to the traffic control systems.<br />
While the specific details haven't been revealed yet, IOActive did reveal the responses they received after reporting the bugs to the manufacturers, including one case where:<br />
<blockquote class="tr_bq">
(T)he vendor said that since the devices were designed that way (insecure) on purpose, they were working as designed, and that customers (state/city governments) wanted the devices to work that way (insecure), so there wasn't any security issue.</blockquote>
Nice to know the poor security isn't an accident; it was done on purpose due to customer demands!Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-90083351957489065032014-03-12T20:08:00.000+11:002014-03-12T20:08:00.718+11:00New Australian Privacy Principles.Not that I'm in Australia at present, but I'm keeping an eye on things at home. Here is a nice little article from CSO.com.au on the <a href="http://www.cso.com.au/article/540185/brief_guide_ict_security_controls_required_by_australian_privacy_principles/" target="_blank">ICT Security Controls Required by the Australian Privacy Principles</a>.<br />
<div>
It will be interesting to see what impact the new principles have on Australian businesses and government. I wonder, do the privacy laws extend to <a href="http://www.smh.com.au/federal-politics/political-news/asylum-seekers-personal-details-made-public-on-website-immigration-department-concedes-20140219-32zx8.html" target="_blank">non-citizen asylum seekers</a>?</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-36620113205945191082014-02-14T17:17:00.000+11:002014-02-14T17:17:09.200+11:00Blame the catEarly last year the big domestic infosec story here in Japan was a hacker who was running rings around the police, while making death and bomb threats against airlines and kindergartens.<br />
The police arrested several suspects, 'extracting' confessions from some of them who later turned out to be victims whose computers had been used by the hacker via remote access.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj81WhcQejkGZ7xB_SQqzT-FTCF8wzxxlV5sDa4KWopUnFcwJm0eed9geRsE1Kyv6vwCTErhuZO0zyexGF3H2S9ZcJUG4Hy8Ha7krVq8vmH2Ef9Js1pEQRQ88CCzJvkXWvR4K1WwVZY62k/s1600/370203-hacker-cat.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj81WhcQejkGZ7xB_SQqzT-FTCF8wzxxlV5sDa4KWopUnFcwJm0eed9geRsE1Kyv6vwCTErhuZO0zyexGF3H2S9ZcJUG4Hy8Ha7krVq8vmH2Ef9Js1pEQRQ88CCzJvkXWvR4K1WwVZY62k/s1600/370203-hacker-cat.jpg" height="204" width="320" /></a>The best part of the tale (tail?) is that the hacker attached a memory card to the collar of a cat(!) and invited the press to 'play a game' by answering quizzes that <a href="http://www.japantimes.co.jp/news/2013/01/08/news/cyberharassers-trail-of-riddles-leads-cops-to-memory-card-on-cat-collar/" target="_blank">led to the cat with the memory card</a>. Possibly the first hack in history to involve an actual cat, and not just LOLcats.exe.<br />
<br />
The police eventually captured and charged a new suspect, who is <a href="http://motherboard.vice.com/blog/japans-alleged-death-threat-making-cat-hacking-programmer-says-hes-innocent" target="_blank">now claiming his innocence</a> and pointing to the previous dubious police investigation (and confession extracting) as proof.<br />
<blockquote class="tr_bq">
Prosecutors say they found on Katayama’s office computer, searches for the words “cat” and “Enoshima” that predate the email of riddles sent to journalists. But the defense asserts that the real suspect would've planted the searches, recalling the untraceable nature of the virus, which was dispersed widely through the popular online forum, 2channel. The defense, meanwhile, called the allegations “complete nonsense."</blockquote>
Did he do it? Who knows, that's for the lawyers to decide but I hope there's more to the evidence than searching for cats on the internet!<br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-90778193481020861792014-01-28T19:35:00.000+11:002014-01-28T19:35:01.300+11:00ADD - Memory anti-forensicsCame across this <a href="http://www.techrepublic.com/blog/it-security/researchers-describe-tool-that-manipulates-ram-misleads-cybercrime-investigators/" target="_blank">interesting article</a> today about a new anti-forensics tool that can basically add a bunch of stuff into memory to obfuscate what an attacker has really been up to, or even plant evidence to implicate someone else! Interesting stuff, I'm looking forward to hearing more about it!Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-26693832689462060672014-01-17T17:12:00.001+11:002014-01-17T17:12:23.379+11:00NTP - not just for time any more!I came across <a href="http://www.kb.cert.org/vuls/id/348126" target="_blank">this advisory</a> today, which I believe is the result of the DDoS attacks that were launched against a number of online games platforms such as Steam and the Playstation Network over the Christmas break.<br />
<br />
Team Cymru have a <a href="https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html" target="_blank">secure NTP template</a> available for Cisco, Juniper and Unix systems, the Canadians have more information available <a href="http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/av14-001-eng.aspx" target="_blank">here</a>, and CERT have some information, including how to verify whether you're vulnerable, <a href="http://www.kb.cert.org/vuls/id/348126" target="_blank">here</a>.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-19561781918226056792014-01-16T17:01:00.000+11:002014-01-16T17:01:15.464+11:00Happy New YearHappy New Year!<br />
<span style="font-family: Verdana, sans-serif;">Happy New Year from Security-Samurai.net!</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Some interesting articles that recently caught my eye on the impending changes to the Privacy Act in Australia (courtesy of <a href="http://www.itnews.com.au/" target="_blank">itnews.com.au</a>):</span><br />
<br />
<li><a href="http://www.itnews.com.au/BlogEntry/369416,is-your-ip-address-personal-information.aspx" title="Is your IP address personal information?">Is your IP address personal information?</a></li>
<li><a href="http://www.itnews.com.au/BlogEntry/369539,the-privacy-act-and-the-cloud.aspx" title="The Privacy Act and the cloud">The Privacy Act and the cloud</a></li>
<li><a href="http://www.itnews.com.au/BlogEntry/369592,consent-and-the-privacy-act-in-the-big-data-era.aspx" title="Consent and the Privacy Act in the Big Data era">Consent and the Privacy Act in the Big Data era</a></li>
<li><a href="http://www.itnews.com.au/BlogEntry/369595,are-you-ready-for-a-data-request-deluge.aspx" title="Are you ready for a data request deluge?">Are you ready for a data request deluge?</a></li>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The posts raise some interesting points (such as is your IP address or mobile phone number PII?) and highlight some of the challenges Governments now face when trying to legislate privacy today.</span><br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-22285218083991012822013-12-21T16:55:00.001+11:002013-12-21T16:55:59.832+11:00R$AIf true, <a target="_blank" href="http://gizmodo.com/nsa-paid-security-firm-10-million-bribe-to-keep-encryp-1487442397">this</a> just leaves me speechless....<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-23784605539133883802013-12-03T17:32:00.000+11:002013-12-03T17:32:47.305+11:00VMware SecurityThe VMware hardening guide for vSphere 5.5 has been released and is available here: <a href="https://www.vmware.com/support/support-resources/hardening-guides.html">https://www.vmware.com/support/support-resources/hardening-guides.html</a><div>
<br /></div>
<div>
I've only had a chance to have a cursory look at it so far, but it looks pretty good. </div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-59869381021216737852013-12-03T13:25:00.001+11:002013-12-03T14:58:02.693+11:00Women prefer length and men diversity.You know I'm referring to <a href="http://www.bbc.co.uk/news/technology-24519306" target="_blank">passwords </a>right?<br />
<br />
Also from the article:<br />
<blockquote class="tr_bq">
"studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst."</blockquote>
Did that study include *nix admins?<br />
<br />
Also from the BBC, an analysis of the <a href="http://www.bbc.co.uk/news/technology-24821528" target="_blank">Adobe passwords</a> that were leaked. No real news here, except to say people <a href="http://www.security-samurai.net/2010/01/passwordsagain_22.html" target="_blank">still </a><a href="http://securitycircus.blogspot.com/2009/10/passwords.html" target="_blank">choose </a>terrible passwords....<br />
<br />
<h2>
Top 20 passwords</h2>
<ul>
<li>123456</li>
<li>123456789</li>
<li>password</li>
<li>adobe123</li>
<li>12345678</li>
<li>qwerty</li>
<li>1234567</li>
<li>111111</li>
<li>photoshop</li>
<li>123123</li>
<li>1234567890</li>
<li>000000</li>
<li>abc123</li>
<li>1234</li>
<li>adobe1</li>
<li>macromedia</li>
<li>azerty</li>
<li>iloveyou</li>
<li>aaaaaa</li>
<li>654321</li>
</ul>
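A list like the one above is most useful as a deny list at password-set time. The following is an added example (not code from the BBC, Adobe or this blog) of such a check: it rejects anything on the top-20 list, trivial variants of those entries (case changes, "P@ssw0rd1!"-style substitutions, trailing digits or punctuation), and the patterns the list is built from, so that sequences, keyboard walks and repeated characters not literally in the list are caught too. The keyboard rows, substitution table and the 8-character minimum are this example's own assumptions.

```python
"""Reject passwords on the leaked top-20 list and the patterns behind it.

Added example for this post, not code from the BBC or from Adobe. TOP_20 is the
list quoted above; the normalisation rules, keyboard rows and pattern checks are
this example's own assumptions about how a defender would generalise that list.
"""
from __future__ import annotations

import re

# The 20 most common passwords from the Adobe leak, as listed in the post.
TOP_20 = [
    "123456", "123456789", "password", "adobe123", "12345678", "qwerty",
    "1234567", "111111", "photoshop", "123123", "1234567890", "000000",
    "abc123", "1234", "adobe1", "macromedia", "azerty", "iloveyou",
    "aaaaaa", "654321",
]
BLOCKLIST = frozenset(TOP_20)

# Keyboard rows used to spot "walks" such as qwerty/azerty (assumed rows).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "azertyuiop", "1234567890")

# Common substitutions people use to dodge naive checks: P@ssw0rd -> password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Trailing digits/punctuation, so that "password1!" is compared as "password".
TRAILING = re.compile(r"[\d!?.@#$%^&*]+$")

# A short block repeated, e.g. 123123 or abcabc.
BLOCK = re.compile(r"(.+?)\1+")


def candidates(pw: str) -> set[str]:
    """Forms of the password that are compared against the blocklist."""
    low = pw.lower()
    stripped = TRAILING.sub("", low)
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def is_repeated(s: str) -> bool:
    """aaaaaa, 111111, 000000."""
    return len(s) >= 3 and len(set(s)) == 1


def is_sequential(s: str) -> bool:
    """Every character is the previous one +1 (123456, abcdef) or -1 (654321)."""
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def is_keyboard_walk(s: str) -> bool:
    """The whole password (or its reverse) is a run along one keyboard row."""
    return len(s) >= 4 and any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def is_repeated_block(s: str) -> bool:
    return len(s) >= 4 and BLOCK.fullmatch(s) is not None


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    low = pw.lower()
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if any(form in BLOCKLIST for form in candidates(pw)):
        reasons.append("matches a leaked top-20 password (or a trivial variant of one)")
    if is_repeated(low):
        reasons.append("single repeated character")
    if is_sequential(low):
        reasons.append("sequential run")
    if is_keyboard_walk(low):
        reasons.append("keyboard walk")
    if is_repeated_block(low):
        reasons.append("repeated block")
    return reasons


def accepted_from_top20() -> list[str]:
    """Entries from the leaked list that would slip through; should be empty."""
    return [pw for pw in TOP_20 if not check_password(pw)]


if __name__ == "__main__":
    for sample in ["123456", "P@ssw0rd1!", "qwertyuiop", "correct horse battery staple"]:
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
    print("top-20 entries accepted:", accepted_from_top20())
```

In practice the deny list would be far larger than twenty entries (NIST SP 800-63B recommends screening new passwords against values known to be commonly used or previously compromised), but the structure is the same: compare a few normalised forms against the list, then apply the pattern checks that catch the variants no finite list can enumerate.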
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-50989048562099349612013-11-22T20:33:00.000+11:002013-11-22T20:33:29.698+11:00Trouble in transitWe've probably all done it. I have. You know you have too. Go on, admit it!<br />
Done what, you ask? Scrounged around for some free WiFi when travelling. With data roaming costs being so high, free WiFi can be a blessing - except when it's a curse!<br />
<br />
Here's a <a href="http://www.tripwire.com/state-of-security/security-data-protection/nabil-ouchn-airport-hotel-security/" target="_blank">fun article</a> from Tripwire highlighting how easy it can be to capture credentials from unwitting travellers at an airport, and how poor the information security practices in some hotels can be.<br />
<br />
What Nabil describes in his article about default passwords and poorly segmented networks pretty much matches some of the stuff I've seen when travelling. What makes it worse is when the place is charging a small fortune for daily internet access - where is that money going? Not on security, apparently!<br />
<br />
Long story short - don't let down your guard even when connected to 'safe' networks and VPN is your friend!<br />
<br />
Oh, and Nabil's <a href="http://www.toolswatch.org/">http://www.toolswatch.org/</a> page is pretty cool too. Go check it out!Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-23593958776412940942013-11-19T13:04:00.000+11:002013-11-19T13:04:00.655+11:00EMET Uncovered<a href="http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf" target="_blank">This</a> is a nice rundown on Microsoft EMET's functionality and its strengths and weaknesses. I've been running EMET for about 6 months; it's very unobtrusive and I'm yet to see it cause an issue with the applications that I run. I believe the more recent versions are also able to be managed with MS System Center for larger environments.Richardhttp://www.blogger.com/profile/03616893276957095975noreply@blogger.com0tag:blogger.com,1999:blog-3050709114997204108.post-4384555534165752012013-11-05T11:27:00.002+11:002013-11-05T11:27:55.036+11:00Microsoft Expands Mitigation Bypass BountyMicrosoft have <a href="http://blogs.technet.com/b/bluehat/archive/2013/11/01/bounty-evolution-100-000-for-new-mitigation-bypass-techniques-wanted-dead-or-alive.aspx" target="_blank">expanded</a> their mitigation bypass bounty to include not just bypass techniques researched and developed specifically for the program, but also bypass techniques observed in the wild, thereby vastly increasing the number of researchers looking and the chance of finding something novel.<br />
<blockquote>
Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass
techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.</blockquote>
Increasing the chance of finding a novel technique is only the first benefit that Microsoft hope to gain from this expansion. As they point out in the quote below, they are also hoping to have an influence on the underground vulnerability markets, increasing the costs to those looking to buy exploits. This is a nice use of market forces to drive security benefit, artificially increasing the cost to the bad guys. I wonder who has more money... (and no, I'm not going down the rabbit hole of nation state actors)<br />
<blockquote>
This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.</blockquote>
The use of market forces to drive up the cost of exploits ties in quite nicely with some discussions I've been having recently about raising the entry criteria for attackers, be it at a micro level, such as what you might be doing in your organisation, or a macro level, such as what Microsoft are doing here. Attempting to 'raise the bar' for adversaries, by technical or financial means, is nothing new; this is the point of every security control or bug bounty program. What is different about this effort and its predecessor is that Microsoft is incentivising researchers to find new defensive strategies rather than individual vulnerabilities with point solutions, effectively eliminating whole classes of vulnerabilities.Richardhttp://www.blogger.com/profile/03616893276957095975noreply@blogger.com1