Tuesday, May 25, 2010

A New Type of Phishing Attack

This is an amazing little bit of social engineering that Aza Raskin has come up with.....Extremely insidious....I like it...

"The web is a generative and wild place. Sometimes I think I missed my calling; being devious is so much fun. Too bad my parents brought me up with scruples.

Most phishing attacks depend on an original deception.  If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up.  You've escaped the attackers.  In fact, the time that wary people are most wary is exactly when they first navigate to a site.

What we don't expect is that a page we've been looking at will change behind our backs, when we aren't looking.  That'll catch us by surprise."

Tuesday, May 11, 2010

ATM Hacking Demo set for Black Hat 2010


His Black Hat 2009 presentation on hacking ATMs was pulled at the last minute, but security researcher Barnaby Jack is back this year, promising to hack an unaltered, garden-variety ATM to make it dispense all of its cash. "I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat," said Jack in his presentation overview for Black Hat 2010. The conference, presented by TechWeb, runs July 24th - July 29th in Las Vegas.

Jack's presentation last year, "Jackpotting Automated Teller Machines," was canceled at the last minute, reportedly due to the affected ATM manufacturer pressuring his then employer, Juniper Networks. In a statement released at the time, Juniper said that "to publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don't want to see happen."
This year, Jack no longer works for Juniper, but has become director of security research for IOActive. "The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks," he said.

Wednesday, April 28, 2010

Inside The Brains Of A Professional Bank Hacking Team

A great blog post about the social networking side of a professional bank hack. The guys at the SNOsoft research team are real professionals....

Hacking Your Bank
We were recently hired to perform an interesting Advanced Stealth Penetration test for a mid-sized bank. The goal of the penetration test was to penetrate into the bank’s IT Infrastructure and see how far we could get without detection. This is a bit different than most penetration tests as we weren’t tasked with identifying risks as much as we were with demonstrating vulnerability…


The first step of any penetration test is reconnaissance. Reconnaissance is the military term for the passive collection of intelligence about an enemy prior to attacking that enemy. It is technically impossible to effectively attack an enemy without first obtaining actionable intelligence about the enemy. Failure to collect good intelligence can result in significant casualties, unnecessary collateral damage and a completely failed attack. In penetration testing, damages are realized by downed systems and a loss of revenue.


More Here...

Facebook from the Hacker's Perspective

This is old, a year plus old to be exact but is great stuff anyways....

Facebook from the hacker's perspective.
For the past few years we've (Netragard) been using internet based Social Networking tools to hack into our customers' IT Infrastructures. This method of attack has been used by hackers since the conception of Social Networking Websites, but only recently has it caught the attention of the media. As a result of this new exposure we've decided to give people a rare glimpse into Facebook from a hacker's perspective. Credit for designing this specific attack methodology goes to Kevin Finisterre and Josh Valentine, both core members of our team.

Let's start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can't ever be verified with certainty. As a result, it's easily possible to be one person one moment, then another person the next moment. This is particularly true when using internet based social networking sites like Facebook (and the rest).


More Here...

Tuesday, April 27, 2010

Hyper Social Craziness Continues.....Why Social Sites Can Be A Very Bad Thing.

As if we needed another example of why this social-networking-sharing-everything-you-have craze is a bad thing, up pops this story from The Register about a little information sharing site called Blippy.  The premise of Blippy is to find out what your friends are buying: you register, and Blippy shows your "friends" what you bought on your credit card.....You can already see where this is heading, right?  So do you really want to give your credit card to someone else online?  Do you really trust people that much?

Inevitably, because of a process that was still ingrained in Blippy's site from the beta-testing days, four users' CREDIT CARD numbers were publicly searchable via a simple Google search.  This is the kind of thing that can get a CSO fired or, in Blippy's case, get a company around to hiring one.

So what is it about us that makes us want to share every little detail about ourselves and our lives with everyone, even random strangers?  What makes people so trusting as to think that there isn't someone just waiting to take whatever they can from you?  After all the stories about stolen identities and phishing scams you would think people would start to listen and take notice.....But that may be too much to ask for.

Full Story Here..... 

Thursday, April 22, 2010

Facebook b0rks privacy AGAIN.....

Facebook has opted you in to their "Instant Personalization" program which allows select partners to personalize their features with YOUR public information.  Your public information is categorized as anything you have made visible to "everyone", or if you haven't touched your privacy settings this amounts to pretty much anything you put on Facebook as well as your publicly available information.  Such information includes your Name, Profile Picture, Gender, Current City, Networks, Friend List and Pages.

If you have adjusted your Facebook privacy settings then good for you, you are a step ahead of the game. If you haven't, then you need to get into the Privacy Settings within Facebook and start making it harder for people you don't know to get your information.  I know what you're saying, there really isn't anything on Facebook that someone can do bad things with, but information is power.  The more information a bad guy has about you, the easier it is for him to steal your identity, your money, you name it.....and good luck getting that mess cleaned up.

Thanks to Jack Mannino for pointing this out and Mubix for re-tweeting it...



Thursday, April 15, 2010

10 Password Commandments

10 Password Commandments from SecurityPhile

Password management is a two-way effort. The website you are signing up for should have secure, effective controls in place to protect your password. As a user, you need to protect your password as best as you can.

Here is how you do your part:

More Here...

Tuesday, April 13, 2010

Apache gets Pwned and goes the route of Full Disclosure.....

There are some bigwigs in corporate-land that could learn a lot from the Apache infrastructure team.

FX said it best: "From XSS to root, an incident documentation by the Apache infrastructure team:"


More Here...

NASA Website Defaced!!

Check this out, NASA's website gets hacked by what appear to be Turkish hackers.

Pics here....

Tuesday, March 9, 2010

Setting up a mobile botnet is alarmingly easy to do

Maybe Cyber-Shockwave wasn't a total effort in futility?

"The relative easiness of setting up a mobile botnet of nearly 8,000 phones has been demonstrated by Derek Brown and Daniel Tijerina at this year's edition of the RSA Conference in San Francisco.

The two researchers with TippingPoint's Digital Vaccine Group built WeatherFist, a weather application for iPhones and Android smartphones, which is able to harvest information such as phone numbers and GPS coordinates from the phones of the people who downloaded it."


More Here... 

Wednesday, February 24, 2010

The Spy at Harrington High

A more in-depth look at what went on in the Lower Merion School District.  Were they just trying to secure their assets as they say, or was it more?  You be the judge....

"This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the toolchain used to accomplish spying. Taking a look at the LMSD Staff List, Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon."

More Here...

Criminals Hide Payment-Card Skimmers Inside Gas Station Pumps

Criminals hid bank card-skimming devices inside gas pumps -- in at least one case, even completely replacing the front panel of a pump -- in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks.


Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah.

Card skimming has been on the rise during the past year, with most attackers rigging or replacing merchant card readers with their own sniffer devices or ATM machines. The devices typically include a scanner, transmitter, camera, and, most recently, Bluetooth- or wireless-enabled links that shoot the stolen data back to the bad guys.

More Here...

Thursday, February 18, 2010

More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says

With scary stuff like this going on the need for "Hack3rs" on the good side will not be going away any time soon....

"More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm.


The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness.

News of the attack follows reports last month that the computer networks at Google and more than 30 other large financial, energy, defense, technology and media firms had been compromised. Google said the attack on its system originated in China." 

More Here...

Vice Over IP: The VoIP Steganography Threat

This is a great article about the capabilities of Steganography within VoIP.  The threat landscape is changing, and quickly.

"A single 6 minute MP3 occupies 30 MB, enough to conceal every play Shakespeare ever wrote."

More Here....

School used student laptop webcams to spy on them at school and home

According to the filings in Blake J Robbins v Lower Merion School District (PA) et al, the laptops issued to high-school students in the well-heeled Philly suburb have webcams that can be covertly activated by the schools' administrators, who have used this facility to spy on students and even their families. The issue came to light when the Robbins's child was disciplined for "improper behavior in his home" and the Vice Principal used a photo taken by the webcam as evidence. The suit is a class action, brought on behalf of all students issued with these machines.


More Here....

Who was the genius who thought this was a good idea, or even legal?  When someone comes up with zany ideas like this you should always consult your LEGAL COUNSEL......I'm pretty sure it would have gotten shut down immediately.  Stay Creepy, Lower Merion SD.....

Thursday, January 28, 2010

Anatomy Of A Targeted, Persistent Attack

A new report published today sheds light on the steps ultra-sophisticated attackers take to gain a foothold inside governments and company networks and remain entrenched in order to steal intellectual property and other data. The bad news is these attacks -- including the recent ones on Google, Adobe, and other companies -- almost always are successful and undetectable until it's too late.

More Here...

Monday, January 18, 2010

Google Hacks the Chinese Back.....

SANTA CLARA, Calif. — Last month, when Google engineers at their sprawling campus in Silicon Valley began to suspect that Chinese intruders were breaking into private Gmail accounts, the company began a secret counteroffensive.

It managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at at least 33 other companies, including Adobe Systems, Northrop Grumman and Juniper Networks, according to a government consultant who has spoken with the investigators.

More Here...

Thursday, January 7, 2010

The Decade’s 10 Most Dastardly Cybercrimes

It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.
Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium.

Hack Pinpoints Victim's Physical Location

Samy might know where you live: Samy Kamkar, the hacker who spread the massive MySpace worm in 2005, has published a proof-of-concept attack that identifies a victim's geographic location via his home router.
Kamkar says it all started when he found a cross-site scripting (XSS) bug in a Verizon FiOS wireless router, which allowed him to grab the browser's MAC address and then map it to the GPS coordinates via Google Location Services. The attack works on any browser and doesn't rely on browser-based geolocation features.

More Here...