Thursday, April 17, 2014

Heartbleed

By now everyone has heard about the Heartbleed bug (vulnerability CVE-2014-0160). There are a number of articles, postings and blogs about the bug and its implications. I have listed below some of the most useful links and articles relating to this vulnerability and to managing the situation.


Recommended reading:

The Hacker News has a list of FAQs on this vulnerability; it also includes links to PoC code and to sites/services that check whether a server is vulnerable.
http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html#

Bruce Schneier has a very interesting post on Heartbleed and its implications.
https://www.schneier.com/blog/archives/2014/04/heartbleed.html

Pentura Labs has a very good writeup that includes instructions for testing whether your version of OpenSSL is impacted, even if you are offline.
http://penturalabs.wordpress.com/2014/04/08/yet-another-heartbleed/

The SANS diaries have some very good posts on this evolving situation.
https://isc.sans.edu/diary/The+Other+Side+of+Heartbleed+-+Client+Vulnerabilities/17945
http://digital-forensics.sans.org/blog/2014/04/10/heartbleed-links-simulcast-etc

A large number of servers and devices are impacted; some of the vendor notifications are listed below:
http://www.symantec.com/connect/blogs/detect-heartbleed-vulnerability-remediate-and-harden-your-infrastructure-control-compliance-su
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
http://kb.bluecoat.com/index?page=content&id=SA79
https://isc.sans.edu/diary/Heartbleed+vendor+notifications/17929

Even if your main business servers are not impacted, it is possible that a web appliance, phone or other networked device in your infrastructure is at risk.

Happy Patching!

Tuesday, December 24, 2013

Merry Christmas and Happy Holidays to All!

It's been a very busy year overall and unfortunately I haven't been able to post as often as I would have liked to.

I recently had the great pleasure of speaking at the TASK Oct 2013 event (Toronto Area Security Klatch).
The presentation was very well received and there was plenty of quality discussion. I had a great time, made some new friends and got some excellent feedback. It was very special to speak at an event at home base.

TASK is a very interesting group that holds monthly events with various speakers from the security community. These talks are free and also qualify for CISSP credits. The organizers of this event are also responsible for bringing the well-known SecTor security conference to Toronto each year. More information on TASK and upcoming TASK events can be found at http://www.task.to/


Interesting course from SANS:

SANS has a new course offering by Benjamin Wright called LEG523: Law of Data Security and Investigations. If you are an investigator, work in law enforcement, deal with legal counsel or are called as an expert witness, this is definitely something to think about.

Ben has some very interesting insights from a legal point of view; I am a big fan of his idea of using a screencast or video capture to complement or replace an investigator's or incident handler's notes:
http://computer-forensics.sans.org/blog/2011/01/26/preserve-cyber-investigation-evidence-screencast-tool#comments

You can find more of Ben's insights and blog posts at:
https://plus.google.com/+BenjaminWright1/posts
https://twitter.com/benjaminwright


Updates:

I have added a number of new sites to the OSINT engine. If you use this Google Custom Search, it is worth checking out.

Saturday, February 2, 2013

Updates - new sites added to various engines

I have added new sites to the following engines:

  • Open Source Intelligence Deep Web Search
    (http://www.google.com/cse/home?cx=013791148858571516042:eygbr9xc-ys)
  • Social Networking Intel/Footprint web search
    (http://www.google.com/cse/home?cx=013791148858571516042:ntbykhk-kus)
  • Pastebin and collaborative tools intelligence deep web search
    (http://www.google.com/cse/home?cx=013791148858571516042:gqsws13ehog&hl=en)

Enjoy!

Saturday, October 27, 2012

Malware and domains search

I've put together a custom Google search for malicious software, known bad sites and dangerous IP addresses. It can be found here:

http://www.google.com/cse/home?cx=013791148858571516042:mkgwsgd9da8

Examples of the sites on the list include:

https://atlas.arbor.net/summary
http://www.blade-defender.org/
http://mtc.sri.com/

I will be constantly updating the search engine.

Monday, September 3, 2012

Attacks on the stock market: some thoughts

I have recently been thinking about stock markets and possible attacks on them. Die Hard 4 (http://en.wikipedia.org/wiki/Live_Free_or_Die_Hard), Hackers and any number of other hacker movies feature very complicated-looking systems, with Angelina Jolie lookalikes or other attractive people who have super-elite skills and can "hack the Gibson" or pull off some increasingly complex attack to bring the main system down.

These attacks are certainly entertaining, but they are also complex, which makes them more likely to be detected and more likely to fail. What if there were a simpler way to launch an attack without directly attacking the market itself?

Let's look at day-traders as an example:

  • When launching trades, you need to use trade execution software
  • Most of these pieces of software are proprietary in nature and supplied either by brokerages or independent software houses
  • Since these pieces of software have a smaller market share, I began to think about how many people actually check that the software they are downloading is really what it is supposed to be. How many people actually compare the MD5/SHA-1 hash against the published value?
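The check the last bullet asks about, verifying a downloaded installer against the hash the vendor publishes, is worth showing in working code. The following is an added example (my own, not code from this post or from any brokerage or software house). The file name and bytes are constructed inline, the helper names `file_digest`, `verify_download` and `demo` are hypothetical, and the default algorithm is SHA-256 (MD5 and SHA-1, the ones the post mentions, are still accepted because that is what many vendors publish, but both have known collision attacks, so prefer SHA-256 when the vendor offers it).

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hash a file in 64 KiB chunks so a large installer is never read into memory at once."""
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published: str, algo: str = "sha256") -> bool:
    """Compare the computed digest with the vendor's published value.

    The published string is normalised first: surrounding whitespace is stripped,
    it is lower-cased, and an optional "algo:" prefix such as "sha256:ab12..." is
    removed.  hmac.compare_digest is used so the comparison does not short-circuit
    on the first differing character; a length mismatch (e.g. a SHA-1 value checked
    against a SHA-256 digest) simply yields False.
    """
    expected = published.strip().lower()
    if ":" in expected:
        expected = expected.split(":", 1)[1]
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo() -> dict:
    """Build a constructed 'installer' in a temp directory and run the check three ways."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample file; the name does not refer to any real product.
        genuine = os.path.join(d, "trade_client_setup.bin")
        payload = b"constructed installer bytes for the example\n" * 1000
        with open(genuine, "wb") as f:
            f.write(payload)

        # The value a vendor would publish next to the download link.
        published = hashlib.sha256(payload).hexdigest()

        # A copy with a single byte changed, standing in for a swapped download.
        tampered = os.path.join(d, "trade_client_setup.bin.swapped")
        with open(tampered, "wb") as f:
            f.write(payload[:-1] + b"!")

        return {
            # prefixed, upper-cased published value still matches after normalisation
            "genuine": verify_download(genuine, "SHA256:" + published.upper()),
            # one changed byte changes the whole digest
            "tampered": verify_download(tampered, published),
            # checking with the wrong algorithm never passes (digest lengths differ)
            "wrong_algo": verify_download(genuine, published, "sha1"),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

The point of the one-byte tampering case is that a hash check catches any modification of the download, but only if the published value itself comes from a source the attacker does not control (a vendor page served over HTTPS, a signed release note), which is exactly the gap the scenario in this post exploits.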

An attacker could conceivably put a link on a legitimate vendor page that redirects clients to a malicious piece of software (for a temporary period of time), or offer a 'free' version that works just as well.

Another plausible scenario has an attacker flooding various message boards and other venues with claims that he/she is leaking a great new algorithm similar to, or used by, traders at a large firm like Goldman, then watching how many people download it just to get an edge in their trading strategies.

This malicious code could behave the way the user expects, or remain dormant until several trades have gone through and the trader's funds are in their account, then execute its own trades and transfer an amount to another brokerage or Western Union account.

If these transfers are randomized, or if the malicious code monitors the trader's behaviour and carries out transactions that look like the trader's own activity, or deletes itself after x successful trades or transfers, detection becomes much more difficult.

Saturday, April 14, 2012

IIT Guwahati and the Market Intelligence Search

In February, I had the privilege of speaking at the Indian Institute of Technology Guwahati as part of the ISEA 2012 workshop and conference. I had a wonderful time, enjoyed amazing hospitality, got some very encouraging and positive feedback and made some great new friends.

I have put together a custom search for stocks, bonds and related securities. While there are a number of different sites and blogs that provide market intelligence, this engine leverages various sources to bring a large amount of relevant information together in one place with the ease of a simple Google search.

The engine can be found here:

http://www.google.com/cse/home?cx=013791148858571516042:lse_tm-ugfq&hl=en

Monday, January 30, 2012

I2P and onion/Tor search

I have put together a custom search for the hidden web. It draws on various sources that index I2P and onion/Tor sites. The advantage is that even if you do not have Tor installed, or do not want it installed, you can still search for the information you need and then, based on your results, either dig deeper by installing Tor or take whatever action you need. I do not link directly to any of the sites in question.

http://www.google.com/cse/home?cx=013791148858571516042:adxvhgecf4m&hl=en