Jun 21st, 2014 by Jesper Kråkhede
Military attacks are quite often interesting from the viewpoint that they will sooner or later find their way into attacks geared towards civilian companies. I doubt that there is any gain in targeting civilian nuclear centrifuges, but of course there are other possibilities. Reading this article you get a bit of an insight into how Stuxnet was initially deployed and the first type of attack that was launched. It turned out that one attack vector was highly specialised contractors that were lousy at cyber security.
With the trend of outsourcing everything and acquiring systems where you depend on a contractor to manage the system you need, you are possibly giving an attacker a foothold.
Posted in Business, Security Architecture
Jun 20th, 2014 by Jesper Kråkhede
If you have ever been to Sweden you know that the third Friday in June is Midsummer Eve and all of Sweden celebrates that summer has finally arrived. I'm no exception, so just a short post today.
If a credit card costs as much as $40 and is resold for $20, $10, $2, $1 and $0.1, making a grand total of $73.1, how much money is there in a hack that yields 300 000 credit cards with CVV code? Simple enough: $21 930 000. Anyone still think that credit card theft is a declining business?
There is still way too much money in it.
Posted in Business, Security Architecture
May 23rd, 2014 by Jesper Kråkhede
If you have decided to start working with security you have understood by now that you need to read, read and read a lot more than you originally thought. Not everything is about that happy moment when you manage to open up a DOS prompt and get full root access to a server. Most of the time you try to understand the complexity of an environment and where the vulnerabilities are.
One paradigm that has been around for quite a while is the belief that you could protect everything and manage to build a hackproof system. This has finally changed into the notion that you WILL be hacked and that you should focus on protecting what has value instead of trying to protect everything. Otherwise the cost of security will be too high, making it impossible to do business. In conjunction with this, every manager should include the cost of managing breaches as part of the cost of conducting business on the web. At least for now.
Currently the situation resembles trying to conduct business during a war. At any given time enemy troops could come running in through your door and either shoot you or loot your store. Sadly we need to focus on the resilience of our business rather than on protecting it, making sure that it can withstand at least being partly hacked.
Posted in Business
May 14th, 2014 by Jesper Kråkhede
One of the more interesting pieces of malware I have encountered is CryptoLocker. As most of you are aware, it exploits people's inability to take and manage backups of their files. When it manages to install itself on a user's computer it encrypts a number of different file types and demands money from the user to decrypt the files again.
CryptoLocker uses an algorithm for creating new domains on a daily basis for its command and control servers. When BitDefender managed to break the algorithm and registered the domains before CryptoLocker did, they found that about 12 000 computers were infected by CryptoLocker and that most of them were in the US.
For some reason the culprits behind this infection have decided to target only US computers, and infected computers outside the US are mostly collateral damage.
So if you are not living in the US you are most probably safe from infection for now, but this will change when the pay-out rate goes down. Others will create malware similar to CryptoLocker and start targeting on a bigger scale.
If you haven't taken a backup yet, now is a very good time to do it.
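The sinkholing BitDefender did depends on being able to run the domain generator ahead of the malware. This added example (my code, not BitDefender's or the malware's) uses a constructed, date-seeded stand-in DGA, precomputes a week of domains for pre-registration or a resolver blocklist, and matches constructed DNS log lines against it; the generator itself, the log format and the `10.0.0.x` client addresses are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in DGA (NOT CryptoLocker's real algorithm): seeded by the
# calendar date, it yields the day's candidate C2 domains. Once a real generator
# is reverse-engineered, a defender runs it ahead of time exactly like this.
TLDS = ("com", "net", "org", "biz", "info", "ru", "co.uk")

def dga_domains(day: date, count: int = 5) -> list:
    """Candidate C2 domains the stand-in generator yields for one day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = digest[:12]                              # 12 hex chars of label
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]   # TLD picked from digest
        domains.append(f"{label}.{tld}")
    return domains

def precompute_blocklist(start: date, days: int) -> set:
    """Every domain the generator will use in the window: sinkhole or block them."""
    block = set()
    for offset in range(days):
        block.update(dga_domains(start + timedelta(days=offset)))
    return block

def find_dga_lookups(log_lines, blocklist) -> list:
    """(client_ip, qname) for each DNS log line that queried a DGA domain.
    Assumed log format: '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()   # strip trailing dot, normalise case
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits

START = date(2014, 5, 14)
BLOCKLIST = precompute_blocklist(START, 7)             # one week ahead
TOMORROW = dga_domains(START + timedelta(days=1))[2]   # a domain the malware will use

# Constructed resolver log: two benign lookups and one infected client
# resolving one of tomorrow's generated domains (trailing dot as BIND logs it).
SAMPLE_LOG = [
    "2014-05-15T08:00:01 10.0.0.7 query www.example.com.",
    f"2014-05-15T08:00:03 10.0.0.42 query {TOMORROW}.",
    "2014-05-15T08:00:05 10.0.0.7 query mail.example.org.",
]
```

Running `find_dga_lookups(SAMPLE_LOG, BLOCKLIST)` returns only the `10.0.0.42` lookup, which is the host to isolate and restore from backup.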
Posted in Technology
Apr 22nd, 2014 by Jesper Kråkhede
Not all my clients are big international companies with subsidiaries all over the world; on the contrary, quite a number are small to medium companies with a lot less budget to manage security, and hence a lot of my assignments are focused on minimising cost while giving them as much security as possible.
As very few of them have ever experienced a major security incident (hopefully due to my work) they tend to underestimate the risk of ever experiencing a breach. No matter the numbers I produce, I'm typically met with the belief that 'We are too small to be of interest and have nothing that is valuable.'
That is seldom the case. Even small companies have valuables in one way or another. Most of the time they have some kind of intellectual property that should be protected, but at the very least they have infrastructure that an attacker would like to use for their own interests: as Bitcoin miners or as a jump station to launch attacks at others, and in the meantime check for credit cards, commit some minor fraud by ordering phones to another address and utilise the affected company's accounts for hardware purchases.
Posted in Security Architecture
Apr 18th, 2014 by Jesper Kråkhede
Now and then I enjoy reading war stories, especially when they have a more personal touch. I'm no cryptologist, so understanding the math behind breaking a cipher is not my cup of tea, but when they point out a flaw I laugh as much as everyone else.
This is a rather fun description of how the Bitcrypt malware's crypto turned out to be flawed and possible to break, to the relief of a father who had all the photos of his kid encrypted.
Posted in Technology
Mar 19th, 2014 by Jesper Kråkhede
Just a short post this time. Are you interested in exploit kits and not sure which one to get? Take a look at this page and find out…or just stay informed on the patches you need to mitigate.
Posted in Technology
Mar 15th, 2014 by Jesper Kråkhede
You may have heard the term 'targeted attacks'. This is simply an attack that has pinpointed a specific company or person as a target and most probably uses APT techniques to get to it. Intellectual property has been a prime target for years, but during the last year national disputes, diplomatic espionage and full-blown military conflict have popped up. This means that, besides those organisations needing to stay secure, the tools used to attack those targets will eventually trickle down into more standard attacks, giving the attacker the upper hand. In the end this means that not investing enough in security will wear you down and start costing you money in recovery costs or, worse, cost you your company. A more detailed report is here.
Posted in Security Architecture
Feb 27th, 2014 by Jesper Kråkhede
'Follow the money' is a very useful phrase when working with financial institutions. It's a rather common misperception that there is money everywhere in a bank. Most data that flows is different kinds of confirmation or personal data that is not connected to the highly regulated transaction flows. At one end of the money flow sit the ATMs. The networks nowadays are highly controlled and it is a struggle to get control of a trojan you managed to install on an ATM. So how do you manage that then? You of course use a credit card.
A specially crafted credit card lets you open up the management window and do whatever you need to do with the Trojan, like looking at statistics, deleting logs etc. Some interesting pictures and a story of how it works can be read here.
Posted in Security Architecture
Feb 15th, 2014 by Jesper Kråkhede
I have returned to the problem of not testing the business systems during a pen-test. 'They are way too critical for us to take the risk of a test. Besides, they are way too complex for a hacker to understand.' When has that ever stopped a hacker?
During an architectural review a few years back I showed that a security setup with zones was faulty. They had put the servers in one zone and the clients in another. The thinking was that the servers contained all the critical data and that a client could only access the server after logging on to it. I described how I, with a trojan, could get full access to their SAP system and register myself as a valid consultant who should have full access to all their buildings.
Interestingly enough, it took quite a few hours of explaining before they understood that with a client you could access the server, and that it wasn't about sorting through a database and trying to insert the right data into it but about using the standard flow in their SAP installation.
Funnily enough, Trojans targeting SAP have started to appear.
Posted in Business