Bruce Schneier: The Security Mirage

My CISO brought this up today, so I'm posting it here to watch it.

Posted in Security Blog | Tagged , , , , , , | Comments Off on Bruce Schneier: The Security Mirage

More Passwords on TV

It has become more common for people's passwords to end up on television (like here), lol.

Graham Cluley shows more examples like the image below on his site.

[Image: sky-password-reg]


Hacker Drones Hacking Drones

I love Hak5.org and their proofs of concept with real-world practicality. It's all fun and games, and you get to peer into the hacker mind, where the combining of separate technologies can be turned from prank to cybercrime and it changes the threat landscape.

For Valentine's Day, my wife bought me a quadcopter so that I can play around. I was going to buy myself one as a reward for passing my CISSP test, but too much lollygagging around and not going after it gave her the opportunity to surprise me with one today.

The following videos (there are two in the playlist) show a quadcopter carrying a WiFi Pineapple knocking another quadcopter out of the air. The second video shows Darren Kitchen explaining the script he wrote to accomplish this.

This video shows how they used the same setup to do some rooftop packet sniffing.

If you are new to the WiFi Pineapple, check out the video below.


Happy Valentine’s Day & Be Cautious

[Image: valentines malware]


Six Failures of Target’s Non-Compliance

Ira Winkler is a well-known champion in the security arena who, despite being very busy, still found time to write this article on Computerworld about the six failures of Target.

To summarize the article: there was not a single point of failure, but a chain of them.

  1. The network was not properly segmented, so PCI and non-PCI systems were commingled. That let someone with no need to know (the HVAC contractor) reach PCI systems.
  2. Once logged in, the attacker(s) probed the network, activity that an IDS could have detected or at least logged.
  3. Analysis shows the POS systems were infected worm-style; network monitoring should have picked that up.
  4. POS systems support application whitelisting; since the malware still ran, whitelisting was not enabled.
  5. To get the data out of Target, internal systems were compromised and used to stage the stolen card data, AND
  6. Network egress was not monitored by DLP, so the stolen data was transmitted out unnoticed.
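
Failures 1, 2, 3 and 6 above are all visible in plain flow records if someone looks. The script below is an added example (mine, not from Winkler's article or from Target) that runs three simple detections over a handful of constructed flow records: a vendor-segment host reaching the PCI segment, one source sweeping many internal hosts on a single port, and a single internal host pushing a large volume to an external address. The segment ranges, hostnames and flows are hypothetical; Target's real addressing is not public.

```python
"""Three flow-based checks for the failures in the Target write-up (added example).

Records are (src_ip, dst_ip, dst_port, bytes_out). Segment layout is assumed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical segment layout (assumption, not Target's real design).
PCI_SEGMENT = ip_network("10.20.0.0/16")     # POS registers and payment switch
VENDOR_SEGMENT = ip_network("10.99.0.0/16")  # third-party (e.g. HVAC) access
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample flows for the demo.
FLOWS = [
    # legitimate: registers talking to the internal payment switch
    ("10.20.5.1", "10.20.200.1", 443, 1_200),
    ("10.20.5.2", "10.20.200.1", 443, 1_100),
    # vendor host reaching into the PCI segment (failure 1)
    ("10.99.1.10", "10.20.5.1", 445, 800),
    # same vendor host sweeping PCI hosts on one port (failure 2)
    ("10.99.1.10", "10.20.5.2", 445, 300),
    ("10.99.1.10", "10.20.5.3", 445, 300),
    ("10.99.1.10", "10.20.5.4", 445, 300),
    ("10.99.1.10", "10.20.5.5", 445, 300),
    # one register pushing the same payload to its neighbours (failure 3)
    ("10.20.5.1", "10.20.5.2", 445, 65_000),
    ("10.20.5.1", "10.20.5.3", 445, 65_000),
    ("10.20.5.1", "10.20.5.4", 445, 65_000),
    ("10.20.5.1", "10.20.5.5", 445, 65_000),
    ("10.20.5.1", "10.20.5.6", 445, 65_000),
    # staging host outside PCI dumping to an external FTP server (failure 6)
    ("10.5.0.20", "203.0.113.7", 21, 52_000_000),
    # ordinary outbound web traffic that must not fire
    ("10.5.0.21", "198.51.100.9", 443, 40_000),
]


def segmentation_violations(flows):
    """Flows from the vendor segment into the PCI segment (should be zero)."""
    return [f for f in flows
            if ip_address(f[0]) in VENDOR_SEGMENT and ip_address(f[1]) in PCI_SEGMENT]


def scan_fanout(flows, threshold=5):
    """(src, port) pairs that touched >= threshold distinct internal hosts.

    Catches both the intruder's probing and worm-style spread between POS hosts.
    """
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            targets[(src, port)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}


def bulk_egress(flows, threshold_bytes=10_000_000):
    """Internal -> external flows above a byte threshold (crude DLP stand-in)."""
    return [f for f in flows
            if ip_address(f[0]) in INTERNAL and ip_address(f[1]) not in INTERNAL
            and f[3] >= threshold_bytes]


def triage(flows):
    """Run all three checks and return the findings in one dict."""
    return {
        "segmentation": segmentation_violations(flows),
        "fanout": scan_fanout(flows),
        "egress": bulk_egress(flows),
    }


if __name__ == "__main__":
    for name, hits in triage(FLOWS).items():
        print(f"{name}: {hits}")
```

The thresholds are deliberately low so the demo fires on a dozen records; on real NetFlow you would tune them per segment and baseline the payment switch traffic so registers talking to it never count as fan-out.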



400Gbps DDoS using NTP


Amplification attacks using NTP are on the rise. Because NTP runs over UDP, an attacker can spoof the victim's address on a small request and have the server send a much larger response to the victim. CloudFlare has done an outstanding job explaining how the following picture is possible.

[Image: CloudFlare's amplification attack diagram]

Read about it here on CloudFlare’s blog.

Team Cymru has posted secure NTP templates for Cisco, UNIX, and Juniper perimeter hosts so you won't be part of the problem.
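
The request behind these attacks is the NTP mode 7 `monlist` query, a private-mode command that returns the server's list of recent clients in many packets. The following is an added example (mine, not CloudFlare's or Team Cymru's code) that decodes the NTP first byte, recognises a monlist request so it can be alerted on in a packet capture, computes the amplification over UDP payload bytes, and checks an ntp.conf fragment for the two directives that shut monlist off. The packet samples and the response sizing (100 packets of 440 bytes, i.e. an 8-byte mode 7 header plus six 72-byte client entries each) are constructed for the demo, not measured.

```python
"""NTP monlist recognition, amplification maths and ntp.conf check (added example)."""

MODE_CLIENT = 3
MODE_PRIVATE = 7          # "mode 7" private/control packets used by ntpdc
IMPL_XNTPD = 3            # implementation number ntpd answers to
REQ_MON_GETLIST = 20      # legacy monlist request code
REQ_MON_GETLIST_1 = 42    # monlist request code used by scanners


def parse_ntp_header(payload: bytes) -> dict:
    """Decode the leading byte: VN in bits 3-5, mode in bits 0-2 for every mode;
    mode 7 additionally carries R (response) and M (more) flags and, in bytes
    2 and 3, the implementation and request code."""
    if len(payload) < 4:
        raise ValueError("too short to be an NTP packet")
    first = payload[0]
    info = {"mode": first & 0x07, "version": (first >> 3) & 0x07}
    if info["mode"] == MODE_PRIVATE:
        info["response"] = bool(first & 0x80)
        info["more"] = bool(first & 0x40)
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
    return info


def is_monlist_request(payload: bytes) -> bool:
    """True for an unanswered mode 7 monlist query aimed at ntpd."""
    h = parse_ntp_header(payload)
    return (h["mode"] == MODE_PRIVATE and not h["response"]
            and h["implementation"] == IMPL_XNTPD
            and h["request_code"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def amplification_factor(request_len: int, response_lens) -> float:
    """Bytes the victim receives per byte the attacker sent (payload only;
    IP/UDP headers on every response packet shrink the ratio somewhat)."""
    return sum(response_lens) / request_len


def ntp_conf_blocks_monlist(conf_text: str) -> bool:
    """True if the config disables the monitor facility or denies mode 7/6
    queries by default, the two settings the hardening templates rely on."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split()
        if not line:
            continue
        if line[:2] == ["disable", "monitor"]:
            return True
        if line[0] == "restrict" and "default" in line[1:3] and "noquery" in line:
            return True
    return False


# Constructed samples: an ordinary 48-byte client poll (LI=0, VN=4, mode 3)
# and the well-known 8-byte monlist probe (VN=2, mode 7, impl 3, code 42).
CLIENT_POLL = bytes([0x23]) + bytes(47)
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
MONLIST_REPLY_SIZES = [440] * 100   # constructed: full list, 600 client entries

OPEN_CONF = "server 0.pool.ntp.org\nrestrict default nomodify notrap\n"
HARDENED_CONF = ("server 0.pool.ntp.org\n"
                 "restrict default kod nomodify notrap nopeer noquery\n"
                 "restrict -6 default kod nomodify notrap nopeer noquery\n"
                 "restrict 127.0.0.1\n"
                 "disable monitor\n")

if __name__ == "__main__":
    print("poll is monlist:", is_monlist_request(CLIENT_POLL))
    print("probe is monlist:", is_monlist_request(MONLIST_PROBE))
    print("amplification:", amplification_factor(len(MONLIST_PROBE), MONLIST_REPLY_SIZES))
    print("open conf blocks monlist:", ntp_conf_blocks_monlist(OPEN_CONF))
    print("hardened conf blocks monlist:", ntp_conf_blocks_monlist(HARDENED_CONF))
```

Feed `is_monlist_request` the UDP payload of anything arriving on port 123 and you have a cheap alert for servers being recruited; on the server side, either `disable monitor` or a `restrict default ... noquery` line is enough to stop answering, which is exactly what the Team Cymru templates do.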


Verizon’s 2014 PCI Compliance Report

The Verizon PCI Compliance Report is available here (good if you DON'T have Adobe Reader) or from its original location here (good if you DO have Adobe Reader).

The Verizon 2014 PCI Compliance Report uses data and insights drawn directly from assessments they have conducted for global enterprises across a variety of industries.


Old and Tech Savvy

Do you know anything about QR code safety? If you don't know what a QR code is for, don't scan it!

[Image: qrsafety]

This may seem like a fun prank to try on your friends, but how easy would it be for a wannabe thief to slap some QR codes around a grocery store or bank and use them to phish you?


SQLmap for Auto SQL Injection

Ultimate Peter demonstrates how easy it is to find a website vulnerable to SQL injection and then uses SQLmap to quickly dump the users and passwords.

Remember, it is against the law to perform this type of testing on systems you do not own or do not have written permission to attack.


Albert Gonzalez

It's hard not to be a little envious of the amazing technical skills and charismatic charm of Albert Gonzalez. Then again, I'm glad I haven't done anything that crazy and am super happy not to be serving a 20-year sentence. Albert and his friends were the ones behind the credit card thefts at Dave & Buster's, TJ Maxx, and Heartland Payment Systems, all while he was an undercover U.S. Secret Service informant.

[Image: Credit_Cards]

Read all about it here: http://www.rollingstone.com/culture/news/sex-drugs-and-the-biggest-cybercrime-of-all-time-20101111

What are the best take-aways from reading this?

  • Validate and sanitize your data inputs.
  • Code review, code review, code review!
  • Segregate your payment card data and protect it with access controls and encryption.
  • Monitor your network and critical hosts.
  • Most importantly: don't blindly trust everyone who works for you!

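Both the SQLmap post above and the first take-away here come down to the same bug: a query built by pasting user input into a string. The following is an added example (my code, not from the video, from sqlmap, or from the Gonzalez case) that puts the vulnerable login query beside its parameterised form against an in-memory SQLite table, then runs the three things sqlmap does: the single-quote error probe, the authentication bypass, and a UNION query that pulls every password out through the username column. The table contents and the `users` schema are constructed for the demo; real systems should store salted password hashes, which the example skips to keep the query the only thing under discussion.

```python
"""Vulnerable login query beside its parameterised fix (added example)."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed demo table; plaintext passwords only so the extraction is visible."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, username: str, password: str) -> list:
    """The pattern sqlmap finds: user input concatenated into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username: str, password: str) -> list:
    """Same query with bound parameters: input is data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def probe_for_error(con, login) -> bool:
    """sqlmap's first step: a lone quote that breaks the query raises a DB error."""
    try:
        login(con, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def valid_username(name: str) -> bool:
    """Allow-list validation as a second layer; it is not a substitute for binding."""
    return bool(USERNAME_RE.match(name))


# Payloads of the kind sqlmap generates; '--' starts a SQL comment that swallows
# the rest of the original WHERE clause.
BYPASS = "' OR 1=1 --"
DUMP = "' UNION SELECT password FROM users --"

if __name__ == "__main__":
    db = build_db()
    print("error probe:", probe_for_error(db, login_vulnerable), probe_for_error(db, login_safe))
    print("bypass:", login_vulnerable(db, BYPASS, "x"), login_safe(db, BYPASS, "x"))
    print("dump:", sorted(login_vulnerable(db, DUMP, "x")), login_safe(db, DUMP, "x"))
    print("valid names:", valid_username("alice"), valid_username(BYPASS))
```

The parameterised version returns nothing for every payload and raises no error on the quote, which is why sqlmap's probes go quiet against it; the allow-list check is a belt-and-braces measure for fields with a known shape, not a replacement for binding.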
