Cyber Security Services
MSS Global Threat Response | 19 Feb 2014 | 0 comments

On 2/14/2014, FireEye published a blog post on a new unpatched vulnerability in Microsoft Internet Explorer 10 (CVE-2014-0322) being exploited in the wild. The compromised website (vwg[.]org) was injected with an iframe that redirects the user to the attacker’s malicious page, which then runs a Flash file. The Flash file contains shellcode and, upon successful exploitation of the IE vulnerability, downloads a PNG file from a remote site. The PNG file has a DLL and an EXE embedded at the bottom. The DLL launches the EXE, which is the payload.

Data uncovered during Symantec’s investigation suggests a connection between this attack and the malicious actors known to Symantec as Hidden Lynx. The data indicates the same infrastructure is being leveraged as was found in a previous attack by this group, who used...

MSS Global Threat Response | 10 Feb 2014 | 0 comments

Credit and debit card data theft is one of the earliest forms of cybercrime and persists today. Cybercrime gangs organize sophisticated operations to steal vast amounts of data before selling it in underground marketplaces. Criminals can use the data stolen from a card’s magnetic strip to create clones. It’s a potentially lucrative business with individual cards selling for up to $100.

There are several routes attackers can take to steal this data. One option is to gain access to a database where card data is stored. Another option is to target the point at which a retailer first acquires that card data – the Point of Sale (POS) system.

Modern POS systems are specially configured computers with sales software installed and are equipped with a card reader. Card data can be stolen by installing a device onto the card reader which can read the data off the card’s magnetic strip. This is a process known as “skimming”. As...

Vince Kornacki | 10 Feb 2014 | 4 comments

In previous installments we constructed our mobile development toolchain and cross-compiled, installed, and executed TCPDUMP on our CyanogenMod Mobile Device. Now it's time to complete our mission by forwarding packets captured by TCPDUMP on our CyanogenMod Mobile Device to Wireshark on our Debian Workstation in order to conduct real-time mobile device network traffic monitoring within a slick GUI interface. First we'll need to download Netcat, the network Swiss army knife. And of course we'll need to cross-compile Netcat for ARM processors. I sure hope you were paying attention in the previous installments! First unpack Netcat:

root@debian $ tar zxvf netcat-0.7.1.tar.gz

Then move into the newly created Netcat directory and set the "CC" environment variable to specify the ARM C compiler and the "LDFLAGS" environment...

Vince Kornacki | 10 Feb 2014 | 0 comments

TCPDUMP is extremely useful for monitoring network traffic when debugging applications and performing penetration tests. Unfortunately Android mobile devices do not include the TCPDUMP program. However, do not despair. This blog series will provide step-by-step instructions for cross compiling, installing, and running TCPDUMP on Android mobile devices. As Michael Buffer would say right before Hulk Hogan brings the smack down, "Let’s get ready to rumblllllllllllle!"

First things first. You'll need to root your Android device in order to run TCPDUMP. For the purposes of this blog series we’ll use CyanogenMod 11 (based on Android 4.4 KitKat) on our mobile device and Debian Jessie (the current Testing release) on our workstation. CyanogenMod is mobile device firmware based on the open-source Android operating...

Stuart.Broderick | 03 Feb 2014 | 0 comments

This quotation is very appropriate when we consider protecting information against cyber threats. Putting this quote into context means that as the maturity of an organization's Information Security Management System (ISMS) increases, the organization becomes less susceptible to successful cyber threats and, in many cases, prevents those threats from causing damage to the organization.

To eliminate any confusion in this blog, let’s define what we mean by “maturity” in this context. Maturity is not about the age of the ISMS program. Although many successful, mature ISMSs have been developed and used over multiple years, maturity is about the degree or extent of integration between the information security policy, standards and processes, together with the inter-dependence of the associated technologies used to effect the security controls. Additionally, the maturity of the ISMS is also about how well integrated and supportive the program is with the overall goals and objectives of the...

Vince Kornacki | 29 Jan 2014 | 0 comments

Bob Shaker's compelling "Consider Security Before Building Your Nest" blog post got me thinking about Internet of Things (IoT) security. In case you've been on the moon, earlier this month Google announced the acquisition of home automation company Nest Labs for $3.2 billion, thrusting the Internet of Things into the spotlight. According to Gartner the Internet of Things will include 26 billion devices by 2020. 26 billion! Attackers are likely salivating over such an incredible number of devices just waiting to be hacked. So let's ride the trending wave and consider Nest Labs, a representative sample of Internet of Things technology.

Nest Labs currently offers two lines of smart home devices: thermostats and smoke / carbon monoxide detectors. Nest devices include super cool self-learning...

Vince Kornacki | 16 Jan 2014 | 0 comments

In the last installment we planned the vertical password guessing attack and optimized our wordlist. Now let's get our hands dirty! Attackers utilize a variety of tools to automate password guessing attacks, including Hydra, Nmap in conjunction with the http-form-brute script, and homegrown scripts. However, for the purposes of this exercise we'll use Burp Suite Pro, the Swiss Army Knife of web application penetration testing. We'll leverage Burp Intruder functionality to launch the password guessing attack. Note that Burp Intruder functionality is only available within the commercial Burp Suite Pro, not the free Burp Suite. However, at only $299 per user per year, Burp...

Robert Shaker | 15 Jan 2014 | 0 comments

Google’s acquisition of Nest brings back memories of an old blog post I wrote a couple of years back, one that was pontificating on the great advances in IP-connected devices: way past phones, video game systems, video cameras and televisions to coffee machines, home lighting and HVAC, vehicle alarms, refrigerators, ovens, and heck, maybe toilets.

What a great world it will be when my refrigerator sends me a text message or posts to Facebook or OmniFocus that I need to buy milk and salami. It will be even better when I can log into my oven and tell it to turn on and cook a pot roast at 350 degrees for 4 hours so I come home to a great slow cooked meal or when my oven contacts the fire department when it lights my house on fire. I'm sure over time this great technology will be adopted by supermarkets to manage their nationwide chains remotely to ensure proper temperatures are maintained in their coolers and freezers and to then communicate with the refrigerator to automatically...

Jeannie Warner | 07 Jan 2014 | 1 comment

You spoke up, we listened! We know that information is only as useful as it is easy to find, access, and use – especially security intelligence. It’s our goal to continue to make it easier for the right team members to get the right information quickly. Thanks to input from our faithful customers, we have added the following new functionality to the DeepSight portal:

  • Groups – now user administrators can create groups within their organization, assign vulnerabilities to people within those groups, and create reports by individuals within the group to improve the activity tracking
  • ‘Cloning’ a current account – to save time in setup for a new user, customers can now clone an existing account with all the privileges of another user, and then simply specify the contact information
  • Introducing workflow tracking – when a user wants to assign alerts and review the activity on that alert, we can now track and report on this functionality throughout the...

MSS Global Threat Response | 06 Jan 2014 | 0 comments

Since the 14th of December, the SOC has noticed a substantial increase in the quantity of PHP code inclusion attacks against MSS customers. Specifically, attempts to compromise and infect internet-facing webservers by injecting malicious PHP code have been observed. While the primary vulnerability being targeted (CVE-2012-1823) isn’t new, a significant uptick in attempts to exploit it is worthy of note. Proof-of-concept exploit code has been publicly available for some time. At this time, it appears that only Linux webservers running out-of-date versions of PHP are vulnerable.

At the time of this post, more than sixty SOC customers have been affected by these exploit attempts. There is no clear correlation between this activity and any individual industry vertical, with customers in health, financial, telecommunications, local government, and more being...