February 10, 2015

Top 1000 Passwords

![Passwords](/Volumes/DOCS/blog-images/FImcPiG.png) I came across a photo on Hacker News today that I found to be very amusing. In the photo, we see the top 1000 most used passwords, and as expected, 123456 appears to be the overwhelming leader, followed by the usual suspects 123456789, password, qwerty, and 12345678, just to name a few. How are we going to easily get the idea across that this is not OK in a way that is not harsh or off-putting? We can try to force users to use more complex or longer passwords, but we see what that does in the end: users start writing them down or reusing the same password across multiple systems and accounts. Using password lockers, or vaults, such as LastPass, PassKey, or OneKey could be some options. A user only needs to remember one stronger password to gain access to the rest of their passwords. They would just need to make sure that they commit the phrase to memory so that they do not have to write it down. I personally like LastPass. It was really easy to set up and get used to. I also added two-factor authentication to the account as well.
With computers and technology and the Internet becoming more and more ingrained as a necessity for everyday tasks, it is going to be even more important that we find an easier and better way to protect our online assets.
Source: https://news.ycombinator.com/item?id=9024751

February 9, 2015

Anthem Hack - The Monday After

Anthem Inc. is the second largest insurance group in the United States. They service nearly 67 million people through their affiliate programs, including 37 million enrolled in its family health plans. On February 4, 2015 Anthem disclosed that it had been impacted by a recent data breach affecting a large number of its members and affiliate groups. A statement from CEO Joseph Swedish (http://www.anthemfacts.com/) regarding the data breach and a FAQ page answering some of the outstanding questions that everyone has can be found here (http://www.anthemfacts.com/faq).

What do we know so far ...
  • We know that Personally Identifiable Information (PII) of over 80 million healthcare members has been accessed. This includes: Social Security Numbers (SSN), addresses, emails, salary information, birthdays, phone numbers, and other such data.
  • According to Anthem’s statement, the impacted (plan/brands) include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. http://krebsonsecurity.com/2015/02/data-breach-at-health-insurer-anthem-could-impact-millions/
  • The FBI believes, with High Certainty, that these attacks are state-sponsored in nature, and it appears that they are originating from Chinese IP spaces. http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/
  • The attacks could have started as early as April 2014.
  • Deep Panda is the hacking group that is being blamed for some, if not all, of these attacks. CrowdStrike is the information security firm that has given the group this name and has been monitoring Deep Panda's movements over the past year. http://www.crowdstrike.com
  • According to a memo received by Steve Ragan, a writer for the CSO Online blog Salted Hash, Anthem database administrator credentials were used to run queries on their systems. The memo also states that the attackers had a good understanding of the database infrastructure. Read more at http://www.csoonline.com/article/2881532/business-continuity/anthem-how-does-a-breach-like-this-happen.html
  • Anthem says that they will be notifying the affected via postal services. This will most likely be something along the lines of free credit and ID monitoring for a year. Nothing we have not heard before from past data breach victims.
What do we not know ...
  • How were the attackers able to get in?
  • When did the attack actually begin?
  • How long did Anthem know about the breach before notifying authorities and the public?
  • Why did they not see so much data leaving their network?
  • What can other organizations and other domains learn from this attack?
  • What are they going to do about further mitigation?
What should we do for now ...
  • Watch out for phishing scams relating or referencing to the Anthem data breach.
    • DON'T click on any links within unknown emails.
    • DON'T respond to suspicious emails or try to contact the sender of such emails.
    • DON'T give out any of your personal information such as credit card numbers, usernames, passwords, etc ...
    • DON'T open or view any attachments from emails that you were not expecting, and even if you were expecting any email from someone, it is best to contact the individual before opening the document.
  • Be on the lookout for phony phone calls from individuals claiming to be associated with Anthem or the like.
  • Be sure to keep an eye on your credit reports and transaction history. Possibly consider requesting a credit freeze. This will stop anyone from opening new lines of credit under your name unless a 4-digit PIN is provided. (The PIN will be issued to you by one of the 3 credit clearing houses) http://www.equifax.com/help/credit-freeze/en_cp
  • Be on the lookout for Anthem's notification via mail.
I am interested to know more about this breach, especially since it affects such a large group. I wonder what the credentials consisted of and what kind of awareness programs were happening within Anthem. Even the best security programs can be cracked if the human element is compromised.

More information to come as it is released.

January 22, 2015

Java Updates Fix Security Holes

This quarter's Java patch will fix 19 security vulnerabilities in both Java 7 and Java 8. Also to note, Oracle will be using the auto updater feature in Java 7 to automatically migrate users to Java 8. Those of you out there that have or run applications reliant on a certain version of Java 7 should make sure to stop the update until you have updated your software to run with the current version of Java. This will be a definite headache, especially if your company uses software from a vendor whose product runs using Java 7. Basically, you are at the mercy of the vendor and your users.

In any right, patch that cup of joe!

Source: http://krebsonsecurity.com/2015/01/java-patch-plugs-19-security-holes/
Oracle Release Notes: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

January 15, 2015

Keurig K-Cup 2.0 Spoofing Hack

This hack allows the user to brew any coffee pod, not just the ones with the Keurig branding on them. Evidently, if someone tries to brew coffee other than a K-Cup coffee pod, they will get the error message, "Oops, this pack was not designed for this brewer ...", well that's just not cool. So, there is a camera in the 2.0 model that scans for a specific label before running water through the pod. If you want to use a different brand, it is actually pretty simple to get around the camera thing.

Steps to completing the hack:

Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee or hot chocolate.
Step 2: After brewing is complete, attacker removes the genuine K-Cup from the Keurig and uses a knife or scissors to carefully remove the full foil lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps this for use in the attack.
Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the lid. Attacker should receive an "oops" error message stating that the K-Cup is not genuine.
Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the Keurig, and carefully places the previously saved genuine K-Cup lid on top of the non-genuine K-Cup, lining up the puncture hole to keep the lid in place.
Step 5: Attacker closes the Keurig, and is able to brew coffee using the non-genuine K-Cup.
Since no fix is currently available, owners of Keurig 2.0 systems may wish to take additional steps to secure the device, such as keeping the device in a locked cabinet, or using a cable lock to prevent the device from being plugged in when not being used by an authorized user.
So, come on guys, really?!? If you want to stop people from using pods other than your own, try doing something like a barcode or RF scanner, or something better than a camera looking for a little photo.

January 13, 2015

How a $10 USB Charger Can Record Your Keystrokes Over the Air | Threatpost | The first stop for security news

This little device seems pretty cool. After watching the short video, it wouldn't take much to build one of these devices. The author has made all of the information available to the public, including source code, hardware needed, and a lot of cool pictures documenting the whole process.

January 12, 2015

New Data Breach Legislation

Data Breaches: Does the Government Need to Step In? - credit.com

Today President Obama proposed the formation of a national data breach notification standard. The standard will cover the private sector, making it easier for law enforcement to track cyber criminals selling stolen financial information overseas, as well as the public school system, as more and more educational material is being hosted on the Internet. The President wants to be sure that the information presented to students is being used to educate, not to market to them. There should be a better, faster way to notify individuals of their data being leaked across the Web. Organizations falling victim to a data breach will have a 30-day window to notify all affected.
"Consumers have the right to know!"
            - Barack Obama
Update: 01.15.2015 - On the same day, Central Command's Twitter and YouTube accounts were hacked by individuals claiming to be with the ISIS group. Photos were posted appearing to contain information relating to place of residence for retired military personnel. Officials then said that the information was not actually classified and anything posted on those accounts is designated as "official use only". Just to make us feel better, lol, the White House released a statement saying that they are monitoring the situation.

Further Reading: http://threatpost.com/president-proposes-national-breach-notification-standard/110363

January 9, 2015

No More Microsoft Advanced Notification Services

From thehackernews.com
Starting in 2015, Microsoft will stop providing Advance Notification Service (ANS) alerts for Patch Tuesday to non-premium users, because they feel that there are fewer and fewer organizations who are reliant on the service. Full blog release here. People are turning to Microsoft Updater, Microsoft Auto Server Updater, and other avenues for their patch information. Microsoft says that if there are any premium members or organizations that are still a part of their security program, Microsoft will continue to deliver ANS content.
"We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page."
It should also be noted that this decision will apply to all emergency patch releases as well, those that do not happen on the planned Tuesday schedule. Meaning the general public will not get the early notifications until the day of the patch release. That's a bummer for sure. Although, I have to say that I usually do not get my Microsoft bug fix info from the software giant. Instead, I look to places such as krebsonsecurity[dot]com, threatpost[dot]com, and many others. I would have to assume that these media outlets will have some kind of insider information made available to them. At least one would think so, right?

To be fair, when I first heard the news of this yesterday, I thought that Microsoft was just going to stop releasing security patch related information to its non-premium users altogether. However, after some searching it now sounds like they will simply be rethinking the way that they deliver updates related to security bugs and the fixes associated with them. One former Microsoft employee made a good point when he said that the ANS releases were very valuable because people had time to create virtual machines with the right versions of software, so that they could test the updates to see how they would affect their environment.