Gemalto and the Great SIM Encryption Key Theft

According to documents leaked by Edward Snowden via The Intercept, the National Security Agency (NSA) and the Government Communications Headquarters (GCHQ) jointly hacked into the internal network of the largest Subscriber Identity Module (SIM) card creator and manufacturer, which also puts the chips into credit cards, in order to get the encryption keys: the fundamental part of every phone that keeps calls and data private.

Gemalto produces 2 billion SIM cards a year.

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted.

Here is a basic video on how key exchange works.


Identity Theft, of the Children

Imagine getting credit card bills and hospital bills for your children, even though they are very young and barely in school.

This is what is happening to children throughout the United States, and it will continue to happen by the millions. Since the Anthem theft of information that is linked to primary account holders (children of parents), children's IDs are much easier to compromise and commit fraud against than those of adults, who most likely now have credit monitoring. Not only that, but Frank Abagnale, the famous ID thief on whom the movie Catch Me If You Can is based, says that ID thieves can use a youngster's ID for much longer than an adult's.

Read more here.


Lenovo Superfish

Superfish is pre-installed Lenovo adware (thanks Lenovo!), which is meant to place advertisements in your web browser. The problem is that the software also intercepts encrypted traffic, which opens up your computer to man-in-the-middle attacks.

Superfish intercepts HTTPS connections. Security researcher Chris Palmer found that when he visited Bank of America’s web site on a computer with Superfish installed, the bank’s certificate was signed by Superfish rather than VeriSign.

This means attackers could use the certificate to create fake HTTPS web sites that grab your passwords, or even create viruses that are “signed” to look legitimate.

Superfish Features:

  • Hijacks legitimate connections.
  • Monitors user activity.
  • Collects personal information and uploads it to its servers.
  • Injects advertising in legitimate pages.
  • Displays popups with advertising software.
  • Uses man-in-the-middle attack techniques to crack open secure connections.
  • Presents users with its own fake certificate instead of the legitimate site’s certificate.

Filippo, the gentleman who warned most of the world about Heartbleed, has a test on his website that can be found here.
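
The symptom described above (a bank certificate issued by Superfish instead of VeriSign) can be checked for programmatically. The following is an added example, not code from the original post: the host name `bank.example`, the pin set and the sample certificates are constructed assumptions, and the certificate dicts use the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

# Assumptions for this sketch: the host name and the pin set are hypothetical.
EXPECTED_ISSUERS = {"bank.example": {"VeriSign, Inc."}}
KNOWN_INTERCEPTORS = ("superfish",)  # substrings of issuer names to reject

def issuer_fields(cert):
    """Flatten the 'issuer' RDN tuples of ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def check_issuer(host, cert, expected=EXPECTED_ISSUERS):
    """Return (ok, reason) for the certificate dict a host presented."""
    fields = issuer_fields(cert)
    org = fields.get("organizationName", "")
    cn = fields.get("commonName", "")
    names = f"{org} {cn}".lower()
    if any(marker in names for marker in KNOWN_INTERCEPTORS):
        return False, f"issuer is a known interception root: {org or cn}"
    allowed = expected.get(host)
    if allowed is None:
        return True, "no pin recorded for this host"
    if org not in allowed:
        return False, f"unexpected issuer {org!r}; pinned: {sorted(allowed)}"
    return True, "issuer matches pin"

def fetch_cert(host, port=443, timeout=5):
    """Fetch the validated peer certificate from a live server.
    A locally trusted interception root passes validation, which is why
    the issuer still has to be compared afterwards."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (issuer part only), not captured data.
GENUINE = {"issuer": ((("countryName", "US"),),
                      (("organizationName", "VeriSign, Inc."),),
                      (("commonName", "Constructed Sample CA"),))}
INTERCEPTED = {"issuer": ((("organizationName", "Superfish, Inc."),),
                          (("commonName", "Superfish, Inc."),))}
OTHER_CA = {"issuer": ((("organizationName", "Unknown Proxy CA"),),)}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("intercepted", INTERCEPTED),
                        ("other", OTHER_CA)):
        print(label, check_issuer("bank.example", cert))
```
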

 


Kaspersky Reports Increase in Phishing

Kaspersky recently reported that 28.8 percent of phishing attacks in 2014 tried to steal financial data from consumers. Information that has been stolen lately WILL be used in more phishing attacks in 2015.

Here is a snippet from the Kaspersky report.

[Image: screenshot from 2015-02-18 21:11:11]


Survey Says 80% of Security Risks are Users

Bromium surveyed 100 security professionals to see what they thought their biggest security risk was.

[Image: screenshot from 2015-02-18 20:38:14]

Through my own research, I have found that the best way to give security awareness training is NOT this way, with one-time security awareness training/testing.

[Image: workHarder]

Give your readers real-world news, frame it so it’s real, and make learning fun with prizes. That is the formula for success!


The Equation Group

Possibly since around 1996, but more actively since 2001, the Equation Group has been doing some really hardcore hacking on targets throughout the world. Their methods reach far up the supply chain: they would intercept and infect CDs and other media, such as hard drives, before they were sold. A report found exploits for hard drives made by many of the largest brands in the industry, including Samsung, Western Digital, Seagate, Maxtor, Toshiba, and Hitachi. These exploits reprogram the device firmware and create hidden partitions, making the host machine the ultimate espionage platform.

The group is closely tied to Stuxnet, using many overlapping vulnerabilities and techniques over the same time period, and those similarities combined with previously published NSA hard drive exploits have led many to believe that Equation may be part of the NSA.

Read the Kaspersky report here.


Billion Dollar Bank Hack

Multiple banks to be exact, over the last two years, by an unknown but very organized group.

The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware, through social engineering/phishing attacks, that allowed cyber-criminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group how the bank conducted its daily routines.

Hackers sent email containing a malware program called Carbanak to hundreds of bank employees, hoping to infect a bank’s administrative computer.

ATMs were even compromised and programmed to spit out money.

Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.

Kaspersky Lab says it has seen evidence of $300 million in theft through clients, and believes the total could be triple that.


Digital Home Privacy Invasion

According to HP’s report on the Internet of Things, there will be 25 billion connected things (that’s a technical term) by the year 2020. On the way to the year 2020, as we walk this crazy road, we keep finding a ton of unsatisfactory, un-securable features that do a poor job of keeping intruders out.

Why bother?

Without naming names, here is a list of the worst security features of the best-selling products available today:

  • 100% of device interfaces allowed the use of weak passwords
  • 100% lacked an account lockout mechanism to prevent automatic attacks like brute force, or dictionary attacks
  • 100% are vulnerable to account harvesting, allowing attackers to guess login credentials and gain access
  • Some systems allowed video to be viewed without authentication if the viewer was local on the Wi-Fi or plugged straight into the network
  • 50% exhibited improperly configured or poorly implemented SSL/TLS
  • 70% allowed unrestricted account enumeration through their cloud-based web interface
  • 50% allowed unrestricted account enumeration through mobile application interface
  • 60% didn’t allow update capabilities
  • 100% didn’t allow for automatic update functionality

The long and short of it is that the future is going to be very hackable.


SpearPhishing in Omaha Tricked a Financial Controller to send $17.2 Million to China

The FBI was brought in to investigate The Scoular Company after the controller wired $17.2 million to China through their accounting firm, KPMG.

  • There were emails to the controller from an email address that resembled but was not the CEO’s official email address.
  • The controller was told to not tell anybody, saying that this would infringe on SEC regulations.
  • The instructions were to contact and wire the money through KPMG with a (fake) email and a (fake) number provided.
  • The controller thought they were doing their due diligence by contacting their KPMG representative on the phone, who answered correctly.

The controller has since been either let go or left after this negative event was uncovered.

How much does your company spend on Security Awareness? Enough to prevent a $17.2 million oops?

Read more on CSO Online along with recommendations from experts on what should have been done. Hindsight, right?
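
The first red flag in this case, a sender address that resembled but was not the CEO's official address, is something a mail filter can flag automatically. The following is an added example, not part of the original post: the executive directory, the domain `corp.example` and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed directory and domain (assumptions for this sketch).
EXECUTIVES = {"Pat Example": "pat.example@corp.example"}
CORP_DOMAIN = "corp.example"

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def assess_sender(from_header, execs=EXECUTIVES, corp_domain=CORP_DOMAIN):
    """Return a list of findings for one From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # An executive's display name paired with any address but the official one.
    for name, official in execs.items():
        if display.strip().lower() == name.lower() and addr != official.lower():
            findings.append(f"display name {name!r} used with {addr}")
    # A domain within two edits of the corporate domain, but not equal to it.
    if domain != corp_domain and edit_distance(domain, corp_domain) <= 2:
        findings.append(f"domain {domain} is a near-match for {corp_domain}")
    return findings

# Constructed sample headers, not taken from the incident.
SAMPLES = [
    '"Pat Example" <pat.example@corp.example>',      # genuine
    '"Pat Example" <pat.example@c0rp.example>',      # lookalike domain
    '"Pat Example" <pat.example@freemail.example>',  # display-name spoof
    'Billing <billing@supplier.example>',            # unrelated sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", assess_sender(header) or "ok")
```

A filter like this only covers the sender address; the fake phone number in this case is a reminder that call-back verification should use contact details from an independent record, not from the message itself.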


White House Summit on Cybersecurity and Consumer Protection

That’s not an Illuminati hand sign, it’s the CIA Triad!

On February 12th, President Obama signed an Executive Order to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government. Rapid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone. This Executive Order lays out a framework for expanded information sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber threats on the confidentiality, integrity, and availability of the people’s information.

Read about the executive order: http://www.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting-private-sector-cybersecurity-inform

At the State of the Union, Obama had asked Congress to pass new legislation, saying that “no foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families.”

Two years ago, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity.

One year ago, NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity.
