
Information Security

771 Posts tagged with the news tag

Late last night in the US, we became aware that the threatened dump of Ashley Madison subscriber details had finally come to pass, exactly 30 days after the attack was first announced. If you'd like to catch up, check the reporting here at The Guardian. Now that the data dump is available on the Internet, curiosity seekers, suspicious spouses, and zealous divorce attorneys would do well to avoid wasting too much time hunting for the "one true and correct" Ashley Madison dump on their own. Several fake dumps are already being circulated, and while the "real" dump from last night appears credible according to the few forensic experts who have looked at it, even the "real" dump is suspect as a source of truth about individuals: fake profile information is interleaved with "real" profile information, for three reasons.


For starters, it's trivial to set up a fake account on Ashley Madison, since Avid Life Media's (ALM's) account setup procedure encourages, but does not require, the registering user to verify their e-mail address. That means anyone can register someone else's address, and a record in the dump proves only that an address was typed into the signup form, not who typed it. Registering a fake address might be done for a variety of reasons by a variety of actors, ranging from pranksters to bitter divorce rivals.


Second, the majority of "real" account holders tend to use fake, throw-away data and details, for obvious reasons. If some of those fake details happen to coincide with a real person, then it can create a sticky problem for that real person.


Finally, even if a record does correspond to a real person, and that person really did register for the site, nothing in the data indicates whether that person was successful at, or even intended to, pursue an illicit affair.


One of the appeals of online dating sites -- especially niche services like the ones offered by ALM -- is the low bar to entry combined with the promise of anonymity. According to discussions on Reddit's various relationship and dating groups, Ashley Madison users, as well as users of other "edgy" dating services, appear to be just as likely to be fantasizing "tourists" as they are to be serious philanderers. For these people, the perceived anonymity and ease of signup, even without intent of follow-through, can spell trouble at home if (and in this case, when) that anonymity is blown.


Dating sites of all types are trusted with perhaps the most sensitive personal data imaginable: not only credit card payment information and personal identifiers such as addresses and phone numbers, but personal details that few people would be comfortable discussing in public. In addition, these particular data points are rarely, if ever, governed by established regulation or law, at least in the US and Canada. The breach is almost certainly a crime, and while it's still unclear how the breach at ALM's online properties occurred, I'm hopeful that CISOs around the world take securing customer data to heart in light of these events. This concern for user data needs to be internally driven, since going above and beyond compliance requirements is especially critical when those CISOs are entrusted with the emotional, psychological, and physical well-being of their customer base.


As security researchers and onlookers, we should also be mindful that this breach is not just another object lesson for CISOs. As with many breaches, this dataset can severely impact the real lives of real people, but this set goes beyond the normal health and privacy concerns spelled out in compliance documentation. Some people are literally put in physical danger if their details are connected with Ashley Madison. The at-risk population includes physically and emotionally abused spouses, people dealing with issues around sexual orientation, gender identity, addiction, and compulsion, and the children of people who are named, falsely or accurately, in the datasets.


I'm hopeful that some good can come from these developments, and that, as with the Sony breach and the iCloud breach of last year, the people most affected and most at-risk make it through this uncertain period, so that we can all work harder at educating service providers and security professionals on how best to ensure a safe and stable Internet.


Update: ALM has released a statement regarding the breach and subsequent dump, here.

Update: Also, most credit card details are still safe.

40% of security positions will remain unfilled in 2014, according to a recent study by the Ponemon Institute. The inability to find skilled staff to grow security programs remains one of the key challenges for the industry. By contrast, criminal hacking teams seem to be fully staffed. We’ve all seen the outcome of this inequality in the high profile breaches of 2014.


Universities are doing the best they can to educate the next generation of security professionals. One big challenge they face is that their teaching lab budgets are not funded to replicate an enterprise network with all of its security solutions.


Rapid7 partners with universities to reduce the global shortage of skilled professionals

About half a year ago, a few folks here at Rapid7 reached out to some universities to see how we could help. We were encouraged and inspired by our conversations with faculty and got buy-in from the executives at Rapid7 to stand up a Higher Education Program. Now, we’ve got all the pieces in place to launch it.


As part of the program, eligible universities will receive the following benefits:

  • Free licenses of Nexpose Enterprise and Metasploit Pro for teaching labs
  • Free training and certifications for faculty
  • Teaching materials for faculty to leverage
  • Manuals on how to build a lab for vulnerability management and penetration testing
  • Virtual machines for the labs
  • Professional certifications for Rapid7 Nexpose Enterprise and Rapid7 Metasploit Pro at great rates for students
  • Community-driven technical support


Program already piloted with dozens of universities around the world

We’ve already piloted this program with a number of universities, as far afield as Germany, Singapore, Australia, and Bosnia and Herzegovina. We thought we’d share their feedback with you:



“Students have been requesting more hands-on ‘real world’ experiences for several semesters and the academic licenses helped provide them that experience which they felt was 'awesome'. One student has been hired by a security firm doing junior level penetration testing because of his exposure to Nexpose Enterprise and Metasploit Pro. It was the main difference that set him apart from other recent college graduates that also had similar experience in penetration testing.”

Gaelan Adams, University of Central Florida, USA


“Free Metasploit Pro and Nexpose Enterprise licenses enabled my students to have hands on experience with the best and most current penetration testing software and see its full potential. They were able to discover and exploit various vulnerabilities with such an ease that it was really an eye-opening experience. Now, they know that security is a serious issue and are familiar with tools that can help them.”

Sasa Mrdovic, Associate Professor, University of Sarajevo, Bosnia and Herzegovina


“My goal is to expose our students to the industry leading tools, like those published by Rapid7, so that they will be immediately marketable upon graduation.”

Dr. Shannon McMurtrey, Senior Instructor, Missouri State University, USA


“I believe that exposure to enterprise security tools is critical for the next generation of InfoSec Professionals.”

Jim Furstenberg, Cyber Security Professor, Ferris State University, USA


Eligible universities can sign up now

If you are a faculty member who teaches a cyber-security course that touches on vulnerability management or penetration testing, you can apply to be included in the program. Licenses may only be used for teaching purposes, not for the protection of the university network or for commercial work. If you are a student, please let your faculty member know about the Rapid7 Higher Education Program.

If you set aside the attribution argument over the recent attack on Sony Pictures Entertainment, you have to recognize that too little effort has been made to learn from the technical details of the attack. The technology was not as sophisticated as some believe, but there are definitely important lessons here for those charged with protecting their organization.


Prevention and detection are universally too focused on the perimeter


Getting in may be the hardest part for an attacker, but only because the subsequent actions are so easy for someone with a moderate amount of technical skill. One reason the debate over attributing this breach to the right attacker group is so hard to settle is just how many individuals worldwide are capable of it. A detailed timeline of the Sony attack has not been released, and likely never will be, but it is widely agreed that the initial compromise occurred when the malware US-CERT calls "Targeted Destructive Malware" was opened from one or more email attachments. Email attachments as an attack vector are nothing new; their role in the 2011 RSA breach was widely publicized. A few experts have examined the malware and determined it to be riddled with bugs and built by amateurs, but it was still effective at getting the malicious group past Sony's perimeter defenses, so no debate over code quality is necessary.


Whether or not you consider the malware sophisticated is irrelevant when trying to learn from its traits to properly defend your organization. The US-CERT analysis of the malware reveals that it has five specific components:

  1. a listening implant
  2. a lightweight backdoor
  3. a proxy tool
  4. a destructive hard drive tool
  5. a destructive target cleaning tool


Possibly the most interesting part of this description is that these five parts do nothing to explain the significant action that automates a proven human approach to compromising a network: lateral movement. Also known as propagation, the "SMB Worm Tool" scans ports 445 and 139 and uses built-in Windows shares to test stolen passwords and password hashes, moving from discovered system to discovered system. This is especially noteworthy because the automation of this technique is starting to blur the line between malware and manual human-at-keyboard attacks. The human element has not been completely replaced, however, because the malicious actors needed to use established command and control (C&C) connections to pivot to other assets, steal more credentials, and escalate privileges; the malware would not do this alone. If Sony's defenses were all focused on the perimeter, as the details indicate, the attackers had no reason to rush once the C&C channels were established; they could take their time exploring the network, siphoning emails, and exfiltrating thousands of documents to be slowly perused from the safety of their lairs.


Credentials are a weapon and all types of attackers now know how to use them

The FBI has stated that "90% of the net defenses that are out there today in private industry" would have failed to detect the malware used in this attack, but what about the hours to days after this initial compromise necessary to move through the network and obtain the broad range of information that was successfully exfiltrated and is now being continually released to the public? As with almost every breach examined by Verizon in 2013 and publicly scrutinized in 2014, the attackers extracted passwords and password hashes from the systems they compromised and used them to impersonate legitimate users undetected while they confidently explored the network. This may have started with the "SMB Worm Tool" successfully burrowing into some Windows SMB shares, but it continued with the attackers performing similar actions through the backdoors initially created through the malware. Given these kinds of access points, attackers simply need to keep moving until they locate a system to which a domain administrator has authenticated and then they have unfettered (and privileged) access across the network for a significant period of time.
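The two behaviours described above (a tool pushing stolen passwords and hashes across SMB to every host it finds, and a domain administrator's credentials sitting on an ordinary workstation for an attacker to harvest) both leave traces in the successful-logon events (Windows Security event 4624) that the compromised hosts already generate. The following Python is an added example, not code from the original post or from Rapid7, of detection logic for those two traces run over constructed sample records. The record format, hostnames, account names, the list of privileged accounts, and the tier-0 host list are all assumptions made for the example; a real deployment would read the same fields out of your SIEM.

```python
"""Added example (not from the original post): detect SMB credential fan-out
and privileged logons on untrusted hosts from Windows 4624 logon records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4624 records (not real telemetry):
#   time | destination host | account | logon type | auth package | source workstation
# Logon type 3 = network logon (what a mapped SMB share produces),
# type 10 = RemoteInteractive (RDP), type 2 = local interactive.
# The first six lines mimic a worm-style tool on WS-HR-12 trying one stolen
# credential against every host it can reach on 445/139 within 40 seconds.
SAMPLE_4624 = """\
2014-11-21T02:00:05|WS-ACCT-07|CORP\\jdoe|3|NTLM|WS-HR-12
2014-11-21T02:00:09|WS-ACCT-08|CORP\\jdoe|3|NTLM|WS-HR-12
2014-11-21T02:00:14|WS-ENG-03|CORP\\jdoe|3|NTLM|WS-HR-12
2014-11-21T02:00:20|FS-01|CORP\\jdoe|3|NTLM|WS-HR-12
2014-11-21T02:00:31|WS-ENG-04|CORP\\jdoe|3|NTLM|WS-HR-12
2014-11-21T02:00:40|WS-MKT-01|CORP\\jdoe|3|NTLM|WS-HR-12
2014-11-21T09:15:00|FS-01|CORP\\asmith|3|Kerberos|WS-ENG-03
2014-11-21T09:16:00|PRINT-01|CORP\\asmith|3|Kerberos|WS-ENG-03
2014-11-21T10:02:00|WS-HR-12|CORP\\da-admin|10|Kerberos|JUMP-01
2014-11-21T11:30:00|DC-01|CORP\\da-admin|10|Kerberos|JUMP-01
"""

DOMAIN_ADMINS = {"CORP\\da-admin"}   # assumed privileged accounts
TIER0_HOSTS = {"DC-01", "JUMP-01"}   # assumed hosts where DA logons are expected

# Logon types that leave the account's credentials in LSASS on the destination
# host (interactive, batch, service, RemoteInteractive). Plain network logons
# (type 3) do not, so they are not counted for the privileged-logon check.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 10}


def parse_events(text):
    """Parse the pipe-delimited records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dest, account, logon_type, package, source = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "dest": dest, "account": account, "logon_type": int(logon_type),
            "package": package, "source": source,
        })
    return sorted(events, key=lambda e: e["time"])


def smb_fanout(events, window=timedelta(minutes=5), min_targets=5):
    """Flag (source host, account) pairs whose network logons reach at least
    `min_targets` distinct destination hosts within any `window`.
    A user opening a couple of shares never looks like this; a tool spraying
    a stolen password or hash across the subnet does."""
    by_pair = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_pair[(e["source"], e["account"])].append(e)

    findings = []
    for (source, account), evs in by_pair.items():
        best, best_span = 0, None
        for i, start in enumerate(evs):          # sliding window over sorted events
            targets, last = set(), start["time"]
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                targets.add(e["dest"])
                last = e["time"]
            if len(targets) > best:
                best, best_span = len(targets), (start["time"], last)
        if best >= min_targets:
            findings.append({"source": source, "account": account,
                             "targets": best, "start": best_span[0], "end": best_span[1]})
    return findings


def privileged_logons_off_tier0(events, admins=DOMAIN_ADMINS, tier0=TIER0_HOSTS):
    """Flag credential-caching logons by privileged accounts on hosts outside
    tier 0. Each one is a host where an attacker who already has local
    access can harvest domain-admin credentials from memory."""
    return [
        {"account": e["account"], "dest": e["dest"],
         "logon_type": e["logon_type"], "time": e["time"]}
        for e in events
        if e["account"] in admins
        and e["logon_type"] in CREDENTIAL_CACHING_LOGON_TYPES
        and e["dest"] not in tier0
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4624)
    for f in smb_fanout(evs):
        print("SMB fan-out:", f)
    for p in privileged_logons_off_tier0(evs):
        print("Privileged logon off tier 0:", p)
```

Run as-is, the fan-out rule reports the six-host burst from WS-HR-12 using CORP\jdoe and stays silent on the user who touched two shares, and the privileged-logon rule reports the da-admin RDP session on WS-HR-12 (the very host the attacker already holds) while accepting the same account's logon to DC-01. The thresholds are starting points to tune against your own baseline; the point is that both behaviours are visible in logs you already collect, with no dependence on which malware happened to generate them.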


While credentials were used to expand across the network undetected, this is not shocking news, because that is the case in nearly all attacks. One of the more shocking revelations was that a total of 139 files containing thousands of passwords were found within the data the Guardians of Peace managed to extract, under such obscure names as "passwords.xlsx" and "password list.xls". These passwords could allegedly be used to access almost any system, social media account, or web service belonging to Sony and its employees. This is exactly the kind of real-world example security professionals need in order to explain why their organizations should be seeking out employees with poor security awareness and enforcing better password care. That is, unless you believe no one will ever get in, or that no damage could ever be done with unencrypted documents labeled "passwords". The attackers' backdoors may already have been blocked by the time this information was discovered in the mounds of files they copied to their servers, but even so, it could extend the breadth of the corporate takedown to anything related to a Sony movie scheduled for release in the future. We might think it is over and then see messages injected into a movie's Facebook page twelve months from now.


This attack reminds us that every organization can be targeted and needs a continuity plan

Many attackers look to evade detection while inside and cover their tracks when possible, and their aim is to touch as few systems as they can on the way to their objective. Whatever the reason for this attack, these attackers reached a point where they were satisfied with the extracted data, announced to the entire company that they were inside, and essentially set fire to a great deal of what they had touched, as evidenced by their choice of malware. The most shocking difference between this attack and the many previously under public scrutiny is the motive. Anyone who has previously depicted an attacker group as evil is revising their classification process:

  • Breaches that leak passwords have a significant impact on consumers' level of security, but it is indirect, as they need to be used before we are hurt
  • Attacks that siphon highly regulated data to monetize, such as PCI, PII, and PHI, have a more direct impact on consumers and force us to think twice about trusting our information with any given company, but they are not carried out as an act of retaliation, just parties with questionable morals willing to steal information for financial gain
  • State-sponsored attacks have been acts of surgical precision to enable long-term spying on the target
  • Hacktivists have historically defaced websites and leaked small amounts of information that fingers an organization as having lied or deceived the public


The varying types of attackers out there make it essential for every organization to know what information is fundamental to its business continuity. Not everyone processes financial information or stores health records, but there is something at the core of what you do, and you need highly detailed plans both to protect that data and to collect the telemetry needed to monitor it closely and continuously. All organizations should be adding the indicators of compromise (IOCs) for the targeted destructive malware to their detection solutions, but more proactively, you should be focused on ways to prevent and detect the threat actions that recur in breach after breach, no matter which malware is used alongside them.

The name’s Monkey.  SOC Monkey.


I’m here to provide you with a new free app for the iPhone/iPad/iPod Touch that will search through infosec topics that are trending on the social web.  I’ll also rank them based on what the biggest news items and hottest topics are, so you can make sure to get your banana's worth. 


Now, I’m not going to just barrage you with links.  I’m going to use my incredibly advanced simian brain to curate these news items, so you can focus more on what you need to get done, instead of spending a huge chunk of time trying to sort through the noise of the social web to find the infosec gems underneath.  I’ll even go ahead and color code them to indicate how big the stories are, with red being the hottest, down through amber and yellow.


My amazing simian synapses aside, I can’t do this all alone.  I'm working with my pals The Pips: infosec experts who help me identify which stories are important, and then group and rate them and curate the stories into similar topics and levels of importance.


You can save or hide stories, as well as vote them up or down with a like or dislike. You can even retweet directly from the app or start a whole new tweet. Don't worry though, I promise not to monkey with your Twitter account!


So what are you waiting for? It’s FREE and available in beta in the Apple App Store now so head over and start checking it out for yourself.  Search for "SOC Monkey" - what could be simpler!


If you’ve got more questions, feedback, or think you can hack it as one of my Pips, send me a message, and we’ll talk again soon.


Keep your SOCs on,

