Friday, May 31, 2013

Sandcat - Penetration Testing Oriented Browser for Pen-Testers

Sandcat Browser brings unique features that are useful for pen-testers and web developers

Sandcat is targeted at penetration testers (people who test websites for security holes) but could also be useful for developers, or anyone else who would like a little more low-level control over their browsing. It is a capable security-testing and developer-oriented browser.

Sandcat Browser is a freeware, portable, pen-test oriented, multi-tabbed web browser with extension support, developed by the Syhunt team. It is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua language to provide extension and scripting support.

It has many useful security- and developer-oriented tools, updated in version 4.0 and built on a fast scripting language, with features for pen-testers such as:
  • Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
  • Sandcat Console — an extensible command-line console that lets you easily run custom commands and scripts in a loaded page
  • Resources tab — allows you to view the page resources, such as JavaScript files and other web files.
  • Page Menu extensions — allows you to view details about a page and more.
  • Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities, Tor support and more.
Features inherited from Chromium include:
  • Multi-Process Architecture — each tab is its own process
  • Developer Tools — in addition to the Chromium Developer Tools, Sandcat comes with a Source Code Editor and its own JavaScript and Lua consoles.

Tuesday, May 28, 2013

Vulnerability in Building Control Systems

Vital buildings such as hospitals, universities and government offices are vulnerable to hackers

You're in intensive care at a hospital when the lights go out and the heating turns up. Meanwhile, doctors trying to get you to an operating theatre have been trapped in elevators for almost an hour as hackers take control.

The building control system for one of Google's offices in Sydney was hacked into by two IT security researchers who say hundreds more in Australia are also accessible via the internet.

A building control system, or building management system, is a computer-based system used to control and monitor a building's mechanical and electrical equipment using software. It monitors and controls things like ventilation, air conditioning, lighting and fire systems.

US researchers Billy Rios and Terry McCorkle of security firm Cylance found that the building control system for Google's Wharf 7 office in Pyrmont was vulnerable after finding it on the popular hacker search engine Shodan, which maps out vulnerable devices on the internet.

Shodan, a search engine that indexes servers and other internet-connected devices, is helping hackers find industrial control systems that are vulnerable to tampering. It makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities.

Please refer here for a good technical webcast explaining "How the information in SHODAN is put together and correlated".

The incident does highlight the need for sensitive systems (not just SCADA) to be isolated from hostile networks like the internet.

Hopefully, this incident will gain some more traction outside the security community.

Friday, May 24, 2013

BYOD is here to stay. Why?

Should enterprises adapt to an increasingly mobile world?

Statistics from major BYOD surveys and analysts over the last year show that the BYOD trend is strong and will only get stronger. There are already 1 billion smartphone users around the world, with 1.3 billion smartphone and tablet sales expected in 2013.

Employees are using their personal smartphones for work all over the globe. However, the trend is strongest in high-growth countries, such as Brazil, Russia and India, and among the youngest workers. Employees bring their own devices because they believe the devices let them do their jobs better, they like the flexibility to work when they want, and they prefer to carry a single device for work and personal use. Even knowing the security risks, and that their companies might be watching their online activities, isn't stopping this trend.

IT departments are paying attention. They are aware of the growth of BYOD and are mostly positive about it. High-growth countries and the US are more positive and provide the most support. While most IT departments have been supporting BlackBerry and Apple devices, many are realizing the need to support Android and Windows Mobile as well. Not surprisingly, the most popular business applications used on mobile are email, web browsing, contacts and calendars; however, more than half of IT departments report mobile apps also being used for office applications, task and project management, social media, and sales force automation or CRM.

By embracing the rise of BYOD and enterprise mobility, 2013 presents the opportunity for IT to change their role from service providers and technology partners to leaders and business strategists. By taking the initiative and working closely with all areas of the business, IT can lead the company into the New Age of enterprise mobility – enabling increased productivity and operational efficiencies, securely, and cost-effectively. 

See below A Visual Display of the Current State of BYOD 2013:

Tuesday, May 21, 2013

Cybersecurity is about more than technology

Securing Supply Chains Beyond Vendors and Service Providers

Securing supply chains is becoming a more crucial aspect of information risk management. But the definition of the supply chain is evolving.

The supply chain, from an IT security perspective, often is perceived as the hardware and software an organization acquires from vendors as well as online offerings furnished by service providers.

According to control SA-12 (Supply Chain Protection), organizations use acquisition and procurement processes to require supply chain entities to implement the necessary security safeguards, reducing the likelihood of unauthorized modifications at each stage in the supply chain and protecting information systems and their components before taking delivery of those systems and components.

But that's not quite how it works with shadow suppliers. Those running IT and IT security at government agencies and businesses don't always know that a system or component has been acquired. That's because the technology was not acquired through the normal procurement process.

We see organizations acquiring a service such as Dropbox, which allows individuals to easily share documents through a public-cloud service: 
Colleagues sitting around a conference table want to share a document, but the document owner, after five attempts, can't access Microsoft SharePoint, a document management system that operates on the internal corporate network. 
Frustrated, the document owner uploads the document to Dropbox, where his colleagues can easily access it. Suddenly, Dropbox is a supplier, and the business or government agency doesn't even know it. This is a huge, completely shadowed area of the supply chain.

Of course, NIST offers other controls to deal with cloud services, such as requiring that information stored on the cloud be encrypted for added security. And many organizations have implemented controls to limit or ban the use of employee-owned devices and cloud services, such as Dropbox.

But as long as employees can find better technology than their employers offer, they will concoct ways to use it. Even if there is a policy against doing it, people do it anyway, not to be rebellious but just to be more productive.

Organizations must be more agile in developing policies and adopting controls because there are too many choices in the marketplace. Years ago, organizations provided their employees with the best technology; not so today.

Saturday, May 18, 2013

Cyber Infrastructure Protection Guidelines by Strategic Studies Institute

It provides the foundation for long-term policy development and a roadmap for cyber security

Increased reliance on the Internet and other networked systems raises the risk of cyber attacks that could harm our nation's cyber infrastructure.

The cyber infrastructure encompasses a number of sectors including: the nation’s mass transit and other transportation systems; banking and financial systems; factories; energy systems and the electric power grid; and telecommunications, which increasingly rely on a complex array of computer networks, including the public Internet.

However, many of these systems and networks were not built and designed with security in mind. Therefore, our cyber infrastructure contains many holes, risks, and vulnerabilities that may enable an attacker to cause damage or disrupt cyber infrastructure operations.

Threats to cyber infrastructure safety and security come from hackers, terrorists, criminal groups, and sophisticated organized crime groups; even nation-states and foreign intelligence services conduct cyber warfare.

Cyber attackers can introduce new viruses, worms, and bots capable of defeating many of our efforts. Costs to the economy from these threats are huge and increasing. Government, business, and academia must therefore work together to understand the threat and develop various modes of fighting cyber attacks, and to establish and enhance a framework to assess the vulnerability of our cyber infrastructure and provide strategic policy directions for the protection of such an infrastructure.

This book addresses such questions as:

  • How serious is the cyber threat?
  • What technical and policy-based approaches are best suited to securing telecommunications networks and information systems infrastructure security?
  • What role will government and the private sector play in homeland defense against cyber attacks on critical civilian infrastructure, financial, and logistical systems?
  • What legal impediments exist concerning efforts to defend the nation against cyber attacks, especially in preventive, preemptive, and retaliatory actions?
Refer here to download the book.

Tuesday, May 14, 2013

4 Ways to Defend Against State Sponsored Attacks

Enterprises Challenged to Safeguard Their Infrastructure

With reports - the latest one issued this past week from the Defense Department - that document the Chinese military and government targeting key government, military and business computer systems in the United States and elsewhere, operators of those systems face a challenge of defending their IT assets.

Security experts generally agree that the best defense against nation-state attacks needn't be tailored to a specific attacker. No one solution will help organizations to defend against nation-state attacks, whether from China, Iran, Russia or elsewhere. Still, knowing who's attacking IT systems can help organizations better plan their defenses.

One of the key differences between state-sponsored espionage and organized crime or hackers is their level of persistence and determination to break through defenses.

Security experts say fundamental cybersecurity and risk management practices, if implemented properly, should reduce the damage done from all types of attackers, including those from nation-states.

Here are four steps organizations can take to shore up their defenses against nation-state cyber-attacks, although not all of these approaches would be appropriate for every organization:

  • Avoid acquiring technology from companies based in nations that pose a threat;
  • Isolate internal networks from the Internet;
  • Share cyberthreat information with other organizations;
  • Enhance employee cybersecurity awareness programs, including testing workers' knowledge of best IT security practices.

Sunday, May 12, 2013

Reputation Is A New Target For Cyber-Attacks

How can organizations protect their credibility in the midst of an incident?

Organizations have to equip themselves much better to deal with this whole attack on reputation. The Information Security Forum recently issued its annual threat report, Threat Horizon: New Danger from Known Threats, which provides recommendations on protecting reputation, an area of high interest for attackers.

Word of a cyber-attack spreads fast these days and that viral impact can be a major issue. Criticism that was levied ... and fueled by social media, disgruntled employees and a whole collection of real viral traffic [causes] a major reputational hit. 

The faster an organization is able to respond, the more it knows about the particular issues being raised by hacktivist groups, and the more credibly it can state what its position actually is, the less severe the impact will be.

To ensure they can respond effectively, organizations need to have clear ways of collaborating internally. They have to have honest relationships with the media in order to combat these things, plus an understanding of exactly where things are sitting from a data perspective across their own organizations.

Organizations also have an opportunity to get security and business departments together to get their arms around how they're going to deal with the issue of reputational risk because "it's very real."

Understanding threats is fundamental to enterprise risk management. Every organization needs to evaluate threats within the context of their own business to determine risks. The Information Security Forum advises that one of the key things that was noticed this year is that threats have evolved. Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to organizations, simply because they've had that degree of maturing. That increase in the sophistication of the people who are behind the attacks, behind the breaches, has increased significantly.

The Information Security Forum observes that criminals have developed what it calls "crime as a service," now upgraded to version 2.0, which gives some view of how the forum sees that threat.

It's a real opportunity for security departments and business departments to combine within organizations to get their arms around how they're going to deal with this issue of reputational risk because it's very real and we've seen some examples of it already this year.

Friday, May 10, 2013

No Room For Guessing Games in Information Security

The Global Cost of Cyber Security?

The information security industry, for the large part, has been working hard to reshape how users think about security. Before this reshaping took place, security was a nuisance for enterprises, was overlooked by developers (i.e., security-as-a-fix instead of security-at-inception), and was unknown to end users.

Fortunately, the trend is changing. For example, CXOs are now less reluctant to approve those line items in the budget related to securing their enterprises and end users are becoming more aware of cyber security and its consequences. 

For me, trying to estimate the global cost associated with cybercrime is one of those ‘somethings’. The inherent complexity associated with the global space of cybercrime events prevents us from calculating a reliable cost estimate with respectable accuracy and precision.

Not so long ago, Symantec asserted that cybercrime was costing us about $110 billion per year. Around the same time, McAfee stated that cybercrime was instead costing us approximately $1 trillion per year. I wonder which one is right? It’s a conundrum, indeed.

For years, I have watched these sorts of global cost estimates travel across the wire, and yet I have found little use of the information because the data points are, with absolute certainty, all over the board.

Nowadays I simply ignore these ‘informationals’ when they cross my path—long-term exposure to them has desensitized me. However, the positive changes described above would not have occurred if our industry had been desensitizing its target audience with inaccurate information.

The moral of this story—we as security professionals need to focus on relaying relevant information to the rest of the world and to do so as accurately as possible. There is no room for guessing games in our industry.

Sunday, May 5, 2013

"Likes" provide an incredible amount of insight into our private lives

Your 'Likes' Lead to Snap Judgments, False Assumptions

Much of our online behavior leaves a trail. Sometimes we are aware of it; sometimes we aren't. "Liking" on Facebook (or "+1-ing" on Google+, and all the other clickable options allowing you to show your appreciation for posts) may be one such behavior done with reckless abandon. Often a user will "Like" something only because a friend asked him or her to. These users may not be aware of the picture those "Likes" can paint.

The Wall Street Journal has written a fantastic article that may change mindless "Liking" behavior somewhat. The article highlights a recent study that revealed our "Likes" provide an incredible amount of insight into our private lives. Individually, the "Likes" may not reveal much; but monitored and analyzed over time, they can shed light on very personal, private details. One example:

The researchers found that "Likes" for Austin, Texas; "Big Momma" movies; and the statement "Relationships Should Be Between Two People Not the Whole Universe" were among a set of 10 choices that, combined, predicted drug use.

Whoa. How's that for crazy assumptions? Or scarier, how's that for accuracy? You can bet this research is only the beginning and that the algorithms these researchers used are soon to be commercialized and sold to any number of entities... with any number of intentions.

The takeaway for now? Watch what you "Like," and keep up-to-date on the privacy settings that can prevent others from tracking your online trail. 


If you use the Chrome browser, you can go "incognito" and hide many of the online activity trails that are automatically collected. To do this, press <CTRL><SHIFT><N>. See this Google resource for more information.

How You Can Get Hacked at Starbucks

Be extra careful when using free public Wi-Fi

For those who frequently use the free public Wi-Fi in coffee shops such as Starbucks and Dunkin' Donuts, you're likely already aware of how easy it is for hackers to steal your personal and financial information over the shared network.

But what you may not realize is how cybercriminals could gain access to sensitive data in other ways that might not be on your radar.

According to ThreatMetrix, a provider of cybercrime prevention solutions, some hackers even leave malicious USB drives on tables for curious customers to plug into their devices. This allows them to retrieve personal information and even social network passwords. Although this may seem unlikely, ThreatMetrix says the scenario actually occurs.

Cybercriminals can also use the video camera on a mobile device to capture what you're doing nearby. This means that if you are entering your credit card or email login information into a smartphone, you could be recorded doing so. Creepy, right?

More sophisticated techniques include network scanners, which detect open ports on a device connected to the network, and "hotspot honeypots," which intercept a user's Internet connection and give the operator full access to that traffic.

Here's a look at what to keep your eyes peeled for when cozying into a coffee shop near you.
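The network-scanner threat above is only relevant to services your own laptop is actually listening on. A practical defensive check before joining shared Wi-Fi is to audit which TCP listeners are bound to all interfaces (reachable by anyone on the coffee-shop network) versus loopback only. The following is an added example, not code from the original post or from ThreatMetrix; it parses the Linux /proc/net/tcp table (little-endian host byte order is assumed) and runs against a constructed sample when the real file is unavailable.

```python
"""Audit listening TCP sockets: which ones are reachable from a shared network?

Added example for the public Wi-Fi post. It reads the Linux /proc/net/tcp
format; the SAMPLE table below is constructed for illustration, not captured
from a real host. Assumes a little-endian host (x86/x86-64), where the kernel
prints IPv4 addresses as little-endian hex.
"""
import socket
import struct
from pathlib import Path
from typing import Dict, List, Tuple

LISTEN_STATE = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample: CUPS on loopback, SSH and a dev server on all interfaces,
# plus one established outbound connection that should be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:C36A 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Turn 'HHHHHHHH:PPPP' (little-endian hex IPv4, hex port) into (ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Parse the /proc/net/tcp table into a list of socket records."""
    records = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or malformed line
        ip, port = decode_addr(fields[1])
        records.append({"ip": ip, "port": port, "state": fields[3],
                        "uid": int(fields[7])})
    return records


def classify_listeners(records: List[Dict]) -> Dict[str, List[Tuple[str, int]]]:
    """Split LISTEN sockets into those exposed to the network and loopback-only."""
    exposed, loopback = [], []
    for r in records:
        if r["state"] != LISTEN_STATE:
            continue  # established/closing connections are not attack surface here
        target = loopback if r["ip"].startswith("127.") else exposed
        target.append((r["ip"], r["port"]))
    return {"exposed": sorted(exposed), "loopback": sorted(loopback)}


def audit(text: str = None) -> Dict[str, List[Tuple[str, int]]]:
    """Audit the live host if /proc/net/tcp exists, otherwise the sample table."""
    if text is None:
        proc = Path("/proc/net/tcp")
        text = proc.read_text() if proc.exists() else SAMPLE_PROC_NET_TCP
    return classify_listeners(parse_proc_net_tcp(text))


if __name__ == "__main__":
    result = audit(SAMPLE_PROC_NET_TCP)
    print("Reachable from the shared network (review before joining public Wi-Fi):")
    for ip, port in result["exposed"]:
        print(f"  {ip}:{port}")
    print("Loopback only (not reachable by other Wi-Fi clients):")
    for ip, port in result["loopback"]:
        print(f"  {ip}:{port}")
```

Run it with no arguments on a Linux laptop to see your real listeners; anything under "Reachable from the shared network" is what a scanner on the same Wi-Fi would find, so either stop the service, bind it to 127.0.0.1, or firewall it before connecting. On a big-endian host the `"<I"` format in `decode_addr` would need to be `">I"`.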