Center for Cyber Security Studies
* Provided by CDR Pablo Breuer *
- FBI warns of Iranian Cyber attacks: http://www.reuters.com/article/2014/12/13/us-cybersecurity-iran-fbi-idUSKBN0JQ28Z20141213 The question isn't if, but how bad. What's the over-under on P5+1 talks?
- Iran has been hacking major infrastructure the last two years: http://gizmodo.com/report-iran-has-been-hacking-major-infrastructure-for-1665961011 Here's my surprised look. SCADA, due to its nature, is often the most vulnerable and least patched item on a network.
- ***Now at Sands Casino, An Iranian Hacker in Every Server: http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas#p2 Interesting read, but this is one key take-away: "Two years ago it had a cybersecurity staff of five people protecting 25,000 computers..."
- Flights in UK disrupted by software: http://www.bbc.com/news/uk-30454240 Just like SCADA, ATC software has been around since the 60s/70s. It's old, buggy, and didn't consider security. It's not like we've seen aircraft used as weapons in the past or anything though.
- Microsoft recalls Exchange patch: http://threatpost.com/
- Mozilla to support certificate transparency in Firefox: https://wiki.mozilla.org/PKI:CT Using certificates is not enough; you have to KNOW where your certs are coming from.
- ***Sony hacked in February, knew about security flaws before leaks: http://www.networkworld.com/article/2859473/microsoft-subnet/sony-hacked-in-feb-knew-about-huge-security-flaws-before-cybersecurity-train-wreck.html Read the article. Here's a cautionary tale on how NOT to do it.
- ****Hackers promise "Christmas Present" Sony won't like: http://arstechnica.com/security/2014/12/hackers-promise-christmas-present-sony-pictures-wont-like/ This is worth the look for the screenshots of the Sony root certificate alone. Can you say, "sucking chest wound?"
- ****New version of Destover wiper malware signed by Sony certificate: https://threatpost.com/new-version-of-destover-malware-signed-by-stolen-sony-certificate/109777/ Now go back and read the two articles just above this one. Is anyone getting the TTP yet? Now imagine that someone masquerades the malware as a software update: it looks legit, because it's signed by Sony. TTPs, strategy and tactics.
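The two lessons in the certificate-transparency item above and in this one are really one check: a signature that verifies is not the same as a signer you should trust. With a stolen signing key the signature check passes, so what stops the "signed update" is whether the certificate is in a public log, whether it has been revoked, and whether the subject is the publisher you expected. The block below is an added example, not code from the page or from any of the vendors it discusses. It implements a toy append-only certificate log with RFC 6962-style Merkle inclusion proofs and the post-signature policy an installer should apply. All serials, subjects and the `serial=...;subject=...` entry format are constructed for the demo; the update's signature itself is assumed to have already verified under the certificate's key, since that is exactly the case a stolen key produces.

```python
"""Toy certificate log with RFC 6962-style Merkle inclusion proofs, plus the
checks an update installer should apply after a signature verifies.
Added example; all names, serials and subjects below are constructed."""
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Domain separation as in RFC 6962: leaf hashes and interior-node hashes differ,
# so a leaf can never be passed off as an interior node (or vice versa).
def leaf_hash(entry: bytes) -> bytes:
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries):
    """Merkle Tree Hash over an ordered list of log entries."""
    if not entries:
        return _sha256(b"")
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(index, entries):
    """Audit path: sibling hashes from the leaf at `index` up to the root."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(index, entries[:k]) + [merkle_root(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [merkle_root(entries[:k])]


def verify_inclusion(entry, index, tree_size, proof, root):
    """Recompute the root from the leaf and its audit path (RFC 6962/9162)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def cert_entry(serial: str, subject: str) -> bytes:
    """Log entry for a code-signing certificate (constructed format)."""
    return f"serial={serial};subject={subject}".encode()


def accept_signed_update(entry, index, log_root, tree_size, proof,
                         revoked_serials, expected_subject):
    """Checks to run AFTER the update's signature verified under the
    certificate's key. A stolen key passes signature verification, so the
    identity, revocation and log-inclusion checks are what stop it.
    Returns (accepted, reason)."""
    fields = dict(part.split("=", 1) for part in entry.decode().split(";"))
    if fields.get("subject") != expected_subject:
        return False, "signer is not the expected publisher"
    if fields.get("serial") in revoked_serials:
        return False, "signing certificate revoked"
    if not verify_inclusion(entry, index, tree_size, proof, log_root):
        return False, "certificate not in the public log"
    return True, "ok"


def demo():
    # Constructed log: three code-signing certs issued over time.
    entries = [cert_entry("1001", "ExampleCorp Updates"),
               cert_entry("1002", "Other Vendor"),
               cert_entry("1003", "ExampleCorp Updates")]
    root, size = merkle_root(entries), len(entries)
    publisher = "ExampleCorp Updates"
    results = {}
    # Legitimate update: cert is logged, not revoked, right publisher.
    results["good"] = accept_signed_update(
        entries[0], 0, root, size, inclusion_proof(0, entries), set(), publisher)
    # Same cert after its key leaked and it was revoked: the signature still
    # verifies, but the revocation check rejects the update.
    results["stolen"] = accept_signed_update(
        entries[0], 0, root, size, inclusion_proof(0, entries), {"1001"}, publisher)
    # A cert that never appeared in the log: no audit path reproduces the root.
    rogue = cert_entry("9999", publisher)
    results["unlogged"] = accept_signed_update(
        rogue, 2, root, size, inclusion_proof(2, entries), set(), publisher)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The order of the checks in `accept_signed_update` is deliberate: the cheap, local checks (expected subject, revocation list) run first, and the Merkle recomputation only runs for a certificate that already names the right publisher. In a real deployment the log root would come from a signed tree head fetched from the log, and the revocation set from CRL or OCSP data, rather than from constants in the script.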
- Sony warns news organizations to destroy "stolen" emails under threat of lawsuit: http://www.washingtonpost.com/news/morning-mix/wp/2014/12/14/sony-pictures-warns-news-organizations-to-destroy-stolen-leaked-e-mails-documents/ Yeah... let's see how that works out for them. Sony already has a PR problem, maybe they should put down the shovel. Hey, if I get infected with malware signed by their certificate, I wonder if they're liable. ;-) *evil plot forming*
- Lax crossdomain policy puts Yahoo mail at risk: http://threatpost.com/researcher-lax-crossdomain-policy-puts-yahoo-mail-at-risk/109849
- **Attackers turn focus to POS vendors: http://www.darkreading.com/attacks-breaches/attackers-turn-focus-to-pos-vendors/d/d-id/1318129? Because that's where the money is...
- ***After Snowden, 700M move to avoid NSA spying: http://www.computerworld.com/article/2859477/after-the-snowden-leaks-700m-move-to-avoid-nsa-spying.html Ignore the title and read for content. In my mind, ANYTHING that convinces people to up their IA posture is a good thing. IA is like the story of outrunning the bear.
- ***Shellshock worm exploits NAS devices: https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061 Remember when I said that shellshock affected far more than PCs? Yeah, good times. So here is another question: why are you allowing your NAS devices to be accessible on the Internet? Why are you allowing SSH access to your NAS devices?
- *Google will mark HTTP websites as non-secure: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure This is a good thing. There's no reason for websites to be running HTTP instead of HTTPS.
- Google blacklists WordPress sites infected with SoakSoak: http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html WordPress is another piece of software that seems to be continuously broken.
- Honeywell POS software vulnerable to stack-based buffer overflow: http://threatpost.com/honeywell-pos-software-vulnerable-to-stack-buffer-overflows/109868 Ouch. In the world of exploitation, stack-based buffer overflows are "t-ball"; these are VERY easy to exploit.
- Young hacker trains cops tackling cyber-crime in Punjab: http://zeenews.india.com/news/punjab/young-hacker-trains-cops-in-tackling-cyber-crime-cases-in-punjab_1514558.html Get the expertise where you can, folks. Give this kid an honorary badge and a certificate of appreciation and you'll likely be able to hire him full time.
- ***Spy drone hacks WiFi and listens to cell phone calls: http://www.wusa9.com/story/news/local/2014/12/11/spy-drone-hacking-cell-phones-text-messages/20214047/ (archived) Remember when this was nation-state stuff and not a middle school science fair project? (Hat tip, Lincoln Group)
- Android malware installs pirated Assassin's Creed App: http://research.zscaler.com/2014/12/trojanized-and-pirated-assassins-creed.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zscaler%2Fresearch+%28Zscaler+Research%29 At least you get a game with your infection now.
- ****Quantum teleportation reaches 15.5 miles: http://www.livescience.com/49028-farthest-quantum-teleportation.html I love quantum physics. Entangled pairs could someday be used for Quantum Key Distribution. It's all about the spooky interactions. (Bonus points if you know who first used the term "spooky interactions.")
- ****Egocentric video biometrics: http://arxiv.org/abs/1411.7591 4 seconds of bodycam video reveal biometrics. This is FANTASTIC work. (Hat tip: Lincoln group) I need to make a T-shirt, "Millennials: Enabling targeting since 1980."
- GCHQ Makes Android App, but it won't spy on you: http://arstechnica.com/security/2014/12/uk-spy-agency-makes-an-android-app-but-it-wont-to-spy-on-you/ Here's a good bit of PR from GCHQ.
- Man who bought bitcoin startup assets speaks, raises even more questions: http://arstechnica.com/business/2014/12/man-who-bought-bitcoin-startup-assets-speaks-raising-even-more-questions/ Unlike physical banks, Bitcoin merchants don't go through vetting. In a currency where anyone can "print" their own money, there are some interesting opportunities for someone who can crack the code.
- Netflix denies accusations that it messed with ISPs' caching system: http://arstechnica.com/information-technology/2014/12/netflix-denies-accusation-that-it-messed-with-isps-caching-systems/ The battle between Netflix and ISPs is going to be a movie on Telemundo one day.