Category Archives: Uncategorized

Another Bot Infection from Common Password Use- “Finding Neutrino”

Kirill Shipulin from Positive Technologies wrote up some very good research he did on a Neutrino infection of one of his honeypots. The article can be found here and is well worth the read.

For me, the biggest take-away was once again a Bot infected a system- this time a LAMP stack- using only the 500 passwords in the payload’s wordlist. We see this way to much.

Giraffes, Ostrich and Six Mental Health Survival Skills for New Cyber Security Managers

Giraffes can’t talk, but if they could they’d tell you they were tired. Really tired. You see, giraffes are so consumed with being on the lookout for predators they have evolved to only sleep for a few seconds at a time. They have to continually wake up and look for predators thus missing out on some of their basic requirements.

Ostriches, I suspect are much happier. They live an abyss of ignorance where at the first sign of a predator they can put their head in the sand and have nothing to worry.

As a Security manager, you don’t really have the luxury of being an ostrich. We are continually bombarded with an unpredictable amount of audit findings, intrusion detection alerts and vulnerabilities that have to be addressed within a set budget and headcount. The challenge is that finding will always happen at a faster rate than fixing giving you a never-ending list of top priorities. This pushing the rock up the hill can lead to job stress and burn-out.

Over the years I have developed some giraffe survival skills that I’d like to pass along to you folks new to security management:

  1. Know your risks. If you don’t have a deep understanding of your organization’s risks you will never be able to properly prioritize your work and everything will become your #1 priority.
  1. Don’t get distracted by low hanging fruit. A quick fix often feels like a quick win. But if you continually focus on low-value activities you’ll never tackle the important stuff and never actually make progress. I know, this runs counter to every self-help book ever written.
  1. Embrace the messenger. As hard as it is some days to have one more issue come across your desk, when people stop coming to you you’ve lost the battle.
  1. Network with other Security people. No matter how well you work with the rest of your non-security colleagues they’ll never understand what it’s like to know what you know and carry the responsibility.
  1. Work where you’re wanted. I don’t care how good you are, you won’t be successful implementing security at an organization that doesn’t want security.
  1. Have realistic expectations. Know up front you can’t fix everything, and what you can fix takes a long time.

(Cross posted to LinkedIn.com)

Worst Phish Ever #2

The number of openings is limited so I need to act fast…

,Dear..
 
Need to earn a little extra cash? Want to work from home?
You can earn up to $375 a week or more as an Online Mystery-Shopper.
Our system is simple and produces great results. 
Here's how we do it:
 
We work out what our online retailers need from you, the online mystery shopper.
The best thing about online mystery shopping is its simplicity.
Instead of spending millions of dollars in advertising their products and services,
Online companies go directly to the consumer.
Companies are able to improve their customer service through the feedback you provide for them.
 
If you are interested,Email us the below details :
1. Full_Name:
2. Email:
3. Street :
4. City:
5. State :
6. ZIP_Code:
7. Phone:
8. Gender:
9. Birth-Year :
 
All shoppers must be 18 or over
All shoppers must live in and be a citizen of the United States.
 
Unfortunately, we can only take on a limited number of applicants, so not everyone will be accepted.
If you are accepted, congratulations and welcome to our company.
 
Yours Sincerely,
Shannon Calleja.
@Copyright 2005 - 2016
All Rights Reserved.

Google’s Firing Range Test Site

[ Giigle Firing Range: Download it | Hack it | Alternatives to it]

Google's Firing Range

Yesterday, Google Security Engineer Claudio Criscione released version 0.42 of the web scanner test application called Firing Range. The author of the test app describes Firing Range as “a Java application built on Google App Engine and contains a wide range of XSS…” They make the source available on github or there is a public website available for target practice.

At first glance, Firing Range looks sparse. However, those who don’t look past the landing page and launch a tool or two are not going to be able to appreciate the elegance of the test site. Firing Range is a unique and valuable addition to the web’s portfolio of test sites.

While the Hackazon test site provides what I have described as a “torture test” for scanners Firing Range is more of a “Rubik’s cube.” Most scanners will complete a test of Firing Range in well under an hour and nothing about the site is resource intensive or attempts to hide vulnerabilities from the test tool. Instead, Firing Range takes the opposite approach and focuses on completeness of the assessment. That is, every test page is directly available within the first two levels of the landing page and all the test pages are labeled for the target test. For example, all of the pages that test for reflective cross site scripting are available from the reflected cross site scripting page. This page is then broken in to clearly defined sections:

Firing Range Screen Capture

Firing Range on its own should not be considered a single source for testing a scanner (and I do not believe the author ever meant for it to be). However I believe that it will soon become a gold standard when assessing a scanner’s ability to detect and report on cross-site scripting.

Google's Firing Range

Pros:

  1. For evaluating a scanner’s strengths and weaknesses in detecting and reporting on cross-site scripting, you won’t find a better tool than Firing Range.
  2. The author has carefully and thoroughly labeled each test and offered explanations where needed.
  3. Firing Range allows an assessor to map the true positive findings and false negative findings.

 

Cons:

  1. Firing Range makes no attempt to test a scanner’s ability to test in real life situations such as complex workflows like you would find in an eCommerce site.
  2. Firing Range tests very little beyond cross site scripting. It would be great to see this model extended to other vulnerability families.

The Needed Contributions and Needless Death of Alan Turing

Alan Turning ImageThis week a claim was made that the sixty-five year old Turing test was finally passed. If this proves true, it will be one of the greatest computing milestones of the decade. While the achievement is being debated this is a good time to revisit the author of the test and his remarkable life and tragic death.

If you were to make a list of computer scientists who have most changed the World, Alan Turing’s name would follow closely behind Bill Gates and Steve Jobs. While Gates and Jobs are household names, Turing’s contributions to defeating the Nazi’s, the field of cryptography and being considered by most as the father of modern computing go largely unknown outside of geek academia. Perhaps even more tragic is the lack of public knowledge surrounding the circumstances of his suicide.

During WWII the Nazi’s had developed ciphers that prevented the Allies from reading their intercepted communications. Being able to communicate without the enemy being able to understand gives an opponent a great advantage. Turing and his team devised a number of techniques for breaking these ciphers aiding the war effort.

After the war he went on to study physics where he is generally considered the “Father of Modern Computing.” One of his many influences during this time was creating the Turning Test- a test that essentially is passed if a computer can convince human interviewers that it too is a human.

In spite of his amazing contributions, his accomplishments were overshadowed during his lifetime by the fact that he was gay. In 1952 he was convicted of the crime of “homosexuality.” To avoid going to prison Turing accepted being injected with high levels of estrogen as a method of chemical castration. This all proved to be too much for him and a few weeks before his 42nd birthday Alan Turing took his own life by ingesting cyanide.

The suicide rate for LGBT teens in our Country is four times higher than that of their straight cohorts. This is in large part attributed to the bullying they experience for being gay. Of the roughly 1,500 gay teens who commit suicide each year, how many Turings has the world lost? What great discoveries has the world been robbed of by their untimely deaths?

If you like this blog entry please click one of the social media buttons below. No haters need reply…

 

11/13/2014 Update: The Association for Computing Machinery reported today that the prize money for building a machine that can pass the Turing Test has now quadrupled to $1,000,000 thanks to an infusion of cash from Google.