Cyber Security Group
Vince Kornacki | 10 Feb 2014 | 0 comments

TCPDUMP is extremely useful for monitoring network traffic when debugging applications and performing penetration tests. Unfortunately Android mobile devices do not include the TCPDUMP program. However, do not despair. This blog series will provide step-by-step instructions for cross compiling, installing, and running TCPDUMP on Android mobile devices. As Michael Buffer would say right before Hulk Hogan brings the smack down, "Let’s get ready to rumblllllllllllle!"

First things first. You'll need to root your Android device in order to run TCPDUMP. For the purposes of this blog series we’ll use CyanogenMod 11 (based on Android 4.4 KitKat) on our mobile device and Debian Jessie (the current Testing release) on our workstation. CyanogenMod is mobile device firmware based on the open-source Android operating...

Stuart.Broderick | 03 Feb 2014 | 0 comments

This quotation is very appropriate when we consider protecting information against cyber threats. Putting it into context: as the maturity of an organization's Information Security Management System (ISMS) increases, the organization becomes less susceptible to successful cyber attacks and, in many cases, prevents those threats from causing damage to the organization.

To eliminate any confusion in this blog, let’s define what we mean by “maturity” in this context. Maturity is not about the age of the ISMS program. Although many successful, mature ISMSs have been developed and refined over several years, maturity is about the degree of integration between the information security policy, standards and processes, together with the interdependence of the technologies used to implement the security controls. Additionally, the maturity of the ISMS is also about how well integrated and supportive the program is with the overall goals and objectives of the...

Vince Kornacki | 29 Jan 2014 | 0 comments

Bob Shaker's compelling "Consider Security Before Building Your Nest" blog post got me thinking about Internet of Things (IoT) security. In case you've been on the moon, earlier this month Google announced the acquisition of home automation company Nest Labs for $3.2 billion, thrusting the Internet of Things into the spotlight. According to Gartner the Internet of Things will include 26 billion devices by 2020. 26 billion! Attackers are likely salivating over such an incredible number of devices just waiting to be hacked. So let's ride the trending wave and consider Nest Labs, a representative sample of Internet of Things technology.

Nest Labs currently offers two lines of smart home devices: thermostats and smoke / carbon monoxide detectors. Nest devices include super cool self-learning...

Vince Kornacki | 16 Jan 2014 | 0 comments

In the last installment we planned the vertical password guessing attack and optimized our wordlist. Now let's get our hands dirty! Attackers utilize a variety of tools to automate password guessing attacks, including Hydra, Nmap in conjunction with the http-form-brute script, and homegrown scripts. However, for the purposes of this exercise we'll use Burp Suite Pro, the Swiss Army Knife of web application penetration testing. We'll leverage Burp Intruder functionality to launch the password guessing attack. Note that Burp Intruder functionality is only available within the commercial Burp Suite Pro, not the free Burp Suite. However, at only $299 per user per year, Burp...

Robert Shaker | 15 Jan 2014 | 0 comments

Google’s acquisition of Nest brings back memories of an old blog post I wrote a couple of years back, one that pontificated on the great advances in IP-connected devices; way past phones, video game systems, video cameras and televisions to coffee machines, home lighting and HVAC, vehicle alarms, refrigerators, ovens, and heck, maybe toilets.

What a great world it will be when my refrigerator sends me a text message or posts to Facebook or OmniFocus that I need to buy milk and salami. It will be even better when I can log into my oven and tell it to turn on and cook a pot roast at 350 degrees for 4 hours so I come home to a great slow cooked meal or when my oven contacts the fire department when it lights my house on fire. I'm sure over time this great technology will be adopted by supermarkets to manage their nationwide chains remotely to ensure proper temperatures are maintained in their coolers and freezers and to then communicate with the refrigerator to automatically...

Jeannie Warner | 07 Jan 2014 | 1 comment

You spoke up, we listened! We know that information is only as useful as it is easy to find, access, and use – especially security intelligence. It’s our goal to continue to make it easier for the right team members to get the right information quickly. Thanks to input from our faithful customers, we have added the following new functionality to the DeepSight portal:

  • Groups – now user administrators can create groups within their organization, assign vulnerabilities to people within those groups, and create reports by individuals within the group to improve the activity tracking
  • ‘Cloning’ a current account – to save time in setup for a new user, customers can now clone an existing account with all the privileges of another user, and then simply specify the contact information
  • Introducing workflow tracking – when a user wants to assign alerts and review the activity on that alert, we can now track and report on this functionality throughout the...

MSS Global Threat Response | 06 Jan 2014 | 0 comments

Since the 14th of December, the SOC has noticed a substantial increase in the quantity of PHP code inclusion attacks against MSS customers. Specifically, attempts to compromise and infect internet-facing web servers by injecting malicious PHP code have been observed. While the primary vulnerability being targeted (CVE-2012-1823) isn’t new, a significant uptick in attempts to exploit it is worthy of note. Proof-of-concept exploit code has been publicly available for some time. At this time, it appears that only Linux web servers running out-of-date versions of PHP are vulnerable.

At the time of this post, more than sixty SOC customers have been affected by these exploit attempts. There is no clear correlation between this activity and any individual industry vertical, with customers in health, financial, telecommunications, local government, and more being...
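The defining trait of CVE-2012-1823 is that php-cgi interprets a query string containing no raw "=" as command-line switches, so an attacker can pass php.ini overrides such as "-d allow_url_include=On" straight from the URL. The detector below, added here as an example and not part of the original post, applies that test to a handful of constructed combined-format access-log lines. The log format, the switch and directive lists, and the sample lines are assumptions for illustration; tune them to your own logs.

```python
"""Flag CVE-2012-1823 (php-cgi argument injection) attempts in web access logs."""
import re
from urllib.parse import unquote_plus

# Combined log format (Apache/nginx style); only the fields the detector needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# php-cgi switches that matter here: -d overrides an ini directive, -s dumps source.
CGI_SWITCH_RE = re.compile(r'(?:^|\s)-[ds](?:\s|$)')

# ini directives an attacker sets to turn a switch into code execution or to
# disable protections; none of these belongs in a legitimate query string.
INI_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "disable_functions",
                  "open_basedir", "safe_mode", "suhosin")


def is_php_cgi_attack(target):
    """True if the request target looks like a php-cgi argument injection."""
    _, sep, query = target.partition("?")
    if not sep:
        return False
    # php-cgi only treats the query string as argv when it contains no raw '=';
    # attackers therefore encode '=' as %3d, so test the raw query before decoding.
    if "=" in query:
        return False
    argv = unquote_plus(query)
    return bool(CGI_SWITCH_RE.search(argv)) or any(d in argv for d in INI_DIRECTIVES)


def scan_access_log(lines):
    """Return one hit record per request that matches the injection pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: count these separately rather than silently dropping them
        if is_php_cgi_attack(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "status": int(m.group("status"))})
    return hits


# Constructed sample log lines (not real traffic): one normal request, two
# injection attempts from the same source, and a benign query that merely
# mentions "-d" inside a key=value parameter.
LOGS = """\
192.0.2.10 - - [06/Jan/2014:10:12:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123
198.51.100.23 - - [06/Jan/2014:10:12:09 +0000] "POST /cgi-bin/php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 412
198.51.100.23 - - [06/Jan/2014:10:12:10 +0000] "GET /index.php?-s HTTP/1.1" 200 2211
203.0.113.9 - - [06/Jan/2014:10:13:44 +0000] "GET /search?q=php%20-d HTTP/1.1" 200 880
""".splitlines()

if __name__ == "__main__":
    for hit in scan_access_log(LOGS):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['target']}")
```

A 200 response to one of these requests does not prove compromise (a patched php-cgi or a non-CGI deployment simply serves the page), but a matching request followed by outbound connections or new files under the web root should be treated as an incident. Pair the rule with a check of the PHP build actually installed on the host, since the CVE only affects php-cgi deployments.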

uuallan | 26 Dec 2013 | 2 comments

Over the last few weeks Symantec has seen a significant spike in NTP reflection attacks across the Internet.

NTP, the Network Time Protocol, is a relatively obscure protocol that runs over UDP port 123 and is used to synchronize time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.

NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don't worry about it after that.  Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.

How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP...
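The tell-tale of a reflection attack from a defender's vantage point is the asymmetry the paragraph describes: a trickle of small requests arriving at UDP/123 with a forged source address, answered by a flood of much larger responses aimed at the forged address. The following script, added here as an example and not part of the original post, runs that check over a few constructed NetFlow-style records and reports which hosts are being used as reflectors against which victim. The record layout, byte counts and thresholds are assumptions for illustration.

```python
"""Detect NTP reflection/amplification in flow records by request/response asymmetry."""
from collections import defaultdict

# Constructed flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # Forged requests, "from" the victim 203.0.113.7, hitting three NTP servers.
    ("203.0.113.7", 40000, "198.51.100.10", 123, "udp", 100, 3600),
    ("203.0.113.7", 40000, "198.51.100.11", 123, "udp", 100, 3600),
    ("203.0.113.7", 40000, "198.51.100.12", 123, "udp", 100, 3600),
    # The servers' much larger replies, delivered to the victim.
    ("198.51.100.10", 123, "203.0.113.7", 40000, "udp", 2000, 960000),
    ("198.51.100.11", 123, "203.0.113.7", 40000, "udp", 1900, 900000),
    ("198.51.100.12", 123, "203.0.113.7", 40000, "udp", 2100, 1020000),
    # Benign peer time sync: request and reply are the same size.
    ("192.0.2.5", 123, "198.51.100.10", 123, "udp", 1, 76),
    ("198.51.100.10", 123, "192.0.2.5", 123, "udp", 1, 76),
]


def find_reflection(flows, min_ratio=10.0, min_bytes=100_000):
    """Map each suspected victim to the reflectors abusing it.

    A (server, client) pair is flagged when bytes from the server's UDP/123
    exceed bytes the client sent to it by min_ratio and the response volume
    is large enough to matter. Legitimate NTP sits near a ratio of 1.
    """
    requests = defaultdict(int)   # (server, client) -> bytes sent to UDP/123
    responses = defaultdict(int)  # (server, client) -> bytes sent from UDP/123
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 123:
            requests[(dst, src)] += nbytes
        if sport == 123:
            responses[(src, dst)] += nbytes

    victims = defaultdict(lambda: {"reflectors": {}, "total_bytes": 0})
    for (server, client), resp_bytes in responses.items():
        # A reply with no request seen from this vantage point is still suspect
        # (the request may have entered the network elsewhere), so floor at 1 byte.
        ratio = resp_bytes / max(requests.get((server, client), 0), 1)
        if ratio >= min_ratio and resp_bytes >= min_bytes:
            victim = victims[client]
            victim["reflectors"][server] = round(ratio, 1)
            victim["total_bytes"] += resp_bytes
    return dict(victims)


if __name__ == "__main__":
    for victim, info in find_reflection(FLOWS).items():
        print(f"victim {victim}: {info['total_bytes']} bytes via {len(info['reflectors'])} reflectors")
        for server, ratio in info["reflectors"].items():
            print(f"  {server} amplification x{ratio}")
```

Run from the reflector's side, the same asymmetry (far more bytes leaving port 123 than arriving) tells you that your own server is being abused. In that case disable the monitoring query that produces the large responses (the `disable monitor` directive in ntp.conf, or an ntpd build new enough to ignore it) and rate-limit or filter inbound UDP/123 from outside your network.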

Vince Kornacki | 18 Dec 2013 | 0 comments

In our last blog series we explored horizontal password guessing attacks. Check out Horizontal Password Guessing Attacks Part I and Part II in case you missed them. This time we'll test our web application with vertical password guessing attacks. Whereas horizontal password guessing attacks entail trying only a few common passwords against a long list of usernames, vertical password guessing attacks entail trying a long list of passwords against a single username. But where do you get a long list of passwords? Wordlists are readily available on the internet. For example, CrackStation offers a ridiculous 15 GB wordlist containing 1,493,677,782 words. CrackStation also offers a more practical 684 MB wordlist containing approximately 64 million common passwords. However, before getting our hands dirty let's consider several important factors:

  • Does the web application allow valid account determination? For example, does login functionality return deterministic error...

Trent Healy | 11 Dec 2013 | 0 comments

Customers tend to ask me, "How do I integrate data loss prevention into my enterprise?" Before any integration of a data loss prevention solution, I give my customers an idea of where data loss prevention can help them. Let me illustrate with an abstract case study.

One large oil company was concerned about losing its bid data to competitors and wanted to understand how a data loss prevention solution could help guard that intellectual property. To understand the threat to bid data, we should start with the underlying business processes that create it (note: this is not all the processes involved, merely an abstraction):

  1. The company performs a geological survey on land that is up for bid to see if it will produce oil, natural gas, etc. During this stage scientists are deployed to the land to do drilling and deploy equipment to view the layers of earth and rock below the surface of the land.
  2. Scientists...