Wednesday, January 28, 2015

Private Security Companies more of a threat than Government Snooping

You may think that the Government's warrantless wiretapping and surveillance programs are troubling, but private companies and operators are more of a threat than even the Government. Think about it this way. When the Government wants to conduct long-term surveillance it is supposed to follow CALEA and FISA rules, and it is supposed to terminate that surveillance if the collected data exonerates the targets of the investigation. At least some of the time, judges and secret courts place restrictions on the surveillance, authorizing it only for a certain period of time.

It should also be noted that nearly all of the requests that go to the FISA court are approved, sometimes even without a very good justification. But private operators are even more dangerous than the Government because they don't have to follow any legal rules.

Just look at rules on electronic interception that fall under 18 USC as one example. There were no prosecutions under these rules last year or the year before that. Even when there are prosecutions they usually are for associated crimes and not the interception itself.

So the next time you think that the Government is your biggest threat you should really think again. The private operators collect, store and share information about targets more easily and with virtually no oversight.

Tuesday, January 27, 2015

NOTICE: Patch your Linux Servers

As you may have read in the media recently, a new zero-day security vulnerability for a common component in the Linux operating system has been released into the wild. This vulnerability allows attackers to remotely access some vulnerable Linux-based systems without the use of compromised passwords or other user credentials. Once in the system, attackers could leverage other vulnerabilities to escalate privileges until they gain root access. A good article that describes the vulnerability can be found here:

http://www.zdnet.com/article/critical-linux-security-hole-found/

We recommend that you immediately patch your operating system with the latest version of the affected package. At the time of sending this e-mail (approximately 7pm Central time on Tuesday, Jan. 27), the following Linux distributions have issued patches:

· Red Hat
· Debian
· Ubuntu

Other popular distributions, such as CentOS, have indicated publicly that patches are in the works.

Since the vulnerable library is very common and is used by a wide range of server-side software, applying the patch is not without risk of collateral damage or side effects. In other words, there is some risk that patching your system might impact the performance of other applications on your server that also use the same library.

Nonetheless, taking into account the severity of the security hole, we are advising our clients to apply the patch immediately upon it becoming available to them. The risk of not patching outweighs the potential risk from side effects.

We strongly recommend that you patch your servers immediately with the appropriate patch.

Depending on your distribution, execute the following command on your server to patch (on Debian and Ubuntu the glibc package is named libc6, and apt-get upgrade does not accept a package name, so the package is upgraded with apt-get install):

CentOS/Red Hat Linux: yum -y update glibc
Ubuntu/Debian Linux: apt-get update && apt-get install --only-upgrade libc6

Please note that patching your system WILL require a restart after you execute the above commands.
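As an added example (not part of the original notice), the script below wraps the two distribution commands above and then lists the processes that still have the replaced libc mapped, which are exactly the ones that need a restart (or a reboot of the host). It assumes the package names glibc (yum) and libc6 (apt) and relies on the kernel marking mappings of a replaced file as "(deleted)" in /proc/<pid>/maps.

```shell
#!/bin/sh
# Added example: patch glibc, then find processes still using the old copy.
set -eu

# Pick the update command by package manager. Package names are assumed:
# "glibc" on yum-based systems, "libc6" on apt-based systems.
patch_glibc() {
    if command -v yum >/dev/null 2>&1; then
        yum -y update glibc
    elif command -v apt-get >/dev/null 2>&1; then
        apt-get update && apt-get install -y --only-upgrade libc6
    else
        echo "unsupported package manager" >&2
        return 1
    fi
}

# Given a /proc/<pid>/maps file, succeed (exit 0) if it maps a libc whose
# file on disk has been replaced; the kernel appends "(deleted)" to such
# mappings. Matches libc-2.19.so / libc.so.6 but not e.g. libcrypto.so.
maps_has_stale_libc() {
    grep -q 'libc[-.][^ ]*so[^ ]* (deleted)$' "$1"
}

# Walk /proc and print "<pid> <cmdline>" for every process still running on
# the pre-patch libc. An empty list means nothing is left to restart.
stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_libc "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < /proc/"$pid"/cmdline)"
        fi
    done
}

# Only act when invoked as "sh script.sh run"; sourcing just defines functions.
if [ "${1:-}" = "run" ]; then
    patch_glibc
    echo "processes still using the pre-patch libc (restart these or reboot):"
    stale_libc_pids
fi
```

Run it as root after the distribution has published its patch; a non-empty list after patching confirms the restart the notice warns about is still pending.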

Friday, January 23, 2015

ALERT: Whale Phishing Alert

The FBI and the Internet Crime Complaint Center warn of a very profitable spam campaign that has already claimed more than 2,000 victims globally.
The FBI and the Internet Crime Complaint Center (IC3) are warning of a spam email campaign known as the Business E-mail Compromise (BEC) that has resulted in the global victim dollar loss of $215 million so far.

The IC3 alert, which was issued on Jan. 22, provides statistics on the impact of the BEC campaign for the period of Oct. 1, 2013, to Dec. 1, 2014. During that period, the IC3 received complaints about BEC from 45 countries, with a combined victim count of 2,126. In the United States alone, the IC3 said there were 1,198 victims.

Read More from the Original Report:
http://www.eweek.com/security/spam-campaign-business-e-mail-compromise-pilfers-215-million.html

Activity: Confirmed
Number of Confirmed Cases Reported: 3


Thursday, January 22, 2015

Drones Being Used to Smuggle Drugs Over the Border

It goes without saying that drones provide a unique way to take photographs, explore hard-to-reach areas and, in this case, smuggle drugs across the US/Mexico border. Border Patrol has indicated that it is seeing increased instances of drones being used to carry packages of drugs from Mexico into the US. There have been 3 separate news articles in the past week on the topic, as well as some discussion in Government circles on how to combat the problem.

Drones have been used to smuggle phones, tobacco, drugs and weapons into prison courtyards in the past and are frequently used to carry out wireless attacks by moving devices into target areas for interception purposes.

The FAA has begun issuing licenses that allow licensed pilots to operate drones for hire (under heavy restrictions). It is thought that the rules on drone use will be relaxed at some point in 2015.

We are following this topic with interest.

Wednesday, January 21, 2015

ALERT: RSA Public Key has a backdoor

We are seeing indications that the RSA public key is compromised and has a backdoor. Several security researchers have confirmed through actual data that the keys are compromised, but they have not indicated the responsible party.

Dell SecureWorks put out an alert, as did several bloggers over the past 2 weeks.


Tuesday, January 20, 2015

ALERT: Barclay Card Service Phishing and Possible Customer Accounts Compromised

We are researching this information currently and are in the process of putting out a bulletin from our SOC. It is thought that the uptick in "targeted" phishing attacks over the last 12 hours may be related to a compromise of account information at Barclay Card Services.

We will be putting out a bulletin later this evening. If you receive messages from Barclays, please verify the information in the email and confirm that it links back to an actual Barclays domain and not a third party.

Related Compromised Hosts:
NTT America Inc
GWTC - Golden West Telecommunications (more than likely a compromised customer)
Time Warner Cable South (more than likely a compromised customer)
KRM Information Services
Dwyer Products (a customer of Comcast Business Communications)

List of Compromised Hosts:


Sunday, January 18, 2015

So tired of seeing this Starbucks

Hey Starbucks, are you just asking for a breach?

Not that I want to give criminals any ideas but Starbucks and Waffle House need to get their acts together and fix this ASAP.

Hackers for Hire Getting Publicity

I was quite surprised the NY Times published a recent article on "Hackers for Hire".

The website in case you were curious is at http://neighborhoodhacker.com/

There are many other sites as well but this is the one getting publicity right now.

Friday, January 16, 2015

NEWS: NY Post Twitter Hacked

The New York Post on Friday said that one of its Twitter feeds focused on business news had been hacked, following a series of inaccurate Tweets on the Federal Reserve, Bank of America and military engagement with China.

"Our Twitter feed has been hacked," the newspaper said on its "@NYPostBiz" account.

Upcoming Maintenance 1/17/2015 00:00-02:00

We will be performing maintenance on our feeds during the timeframe indicated. While we do not expect any outages we will not be able to post updates to our blacklist or hosted content during this timeframe.

After this maintenance our feeds will no longer be available to the public. Only subscribers or appliance users will be able to pull updates. We have already distributed our certificates to the appliances and have been testing the certs for 7 days.

Any site that does not get the update at 3AM EST on 1/17/2015 will be updated via a non public feed.

If you have any questions please contact your account representative.

This potential outage will NOT affect the blog or our web presence, only paid subscription users and public users of our data.

Thursday, January 15, 2015

BREACH: Safeway Improper Disposal Cost Them $10 Million

Source: http://www.healthcareinfosecurity.com/hefty-fine-in-improper-disposal-case-a-7797

ThreatStream Picking Up our Feeds - Feeds Will Be Changing to Customer Only Certs Soon!

If you're a ThreatStream customer and would like our indicators, make sure you opt in via the control panel. Check out our accuracy and you will see that we are good at what we do.

In addition we have many new products and services for 2015. Our company is leading the way in the intelligence space. Some much larger security firms are snagging our data and reselling it. For this reason we are about to change to a certificate based authentication mechanism so we can get compensated for the long hours we put into keeping you safe.

Wednesday, January 14, 2015

Hey Security Personnel - There's more to wireless than 802.11

I am amazed at how many of these breaches and attacks are taking place over Wi-Fi, and even more surprised at how many are taking place over other wireless services such as Bluetooth, personal devices such as tablets and cell phones, and other vectors including paging, microwave P2P links, etc.

During root cause analysis of several attacks this week we have noted that the attack vector ended up not being the network or the workstation. The attack vector recently has been a variety of wireless hacks, yet of the 122 entities we polled this week only 5 have a program in place to actively check for attacks via wireless, and only 1 had a TSCM plan in place for the corporation. This is ALARMING!

I can't for the life of me believe that you can rest assured at night knowing that hackers can hack your cameras, security systems, cell phones, etc, etc.

I issue this challenge to ANY company. Call us for an audit. If we don't break in you don't pay. If we compromise your network you pay our normal consulting rate. We are trying to help you but if you don't want the help you can rest assured that hackers will penetrate your defenses. Just not the way you were expecting them to get in.

Tuesday, January 13, 2015

News Indicator Feeds, Service Plans and Security Appliance Package

SLC Security Services LLC has expanded our SOC offerings. We are offering 2 levels of service with our Intel feeds. The first is bring your own hardware (firewall, IDS, etc.). If your device can pull in a CSV, XML or STIX format feed, you can subscribe to hourly updates for your own devices. We are offering a security feed site license and access to our Intelligence product all for a flat fee. Pricing starts at $99.00 per site per year and depends on the amount of traffic your site will be generating.

Our second offering is our Security Gateway Appliance. The Gateway appliance is suitable for small to medium enterprises and provides a firewall, IDS/IPS and our Intelligence gateway, in which you can keep track of things such as reputation, external threats, news and other information without exposing your network to bad content hosted on third party web servers. Pricing starts at $1995 if you use your own hardware or $2995 for a 1U security device. If you're an ISP, find out how you can get the system without charge.

For more information visit http://www.slcsecurity.com/ or call us at (919)441-7353.

Monday, January 12, 2015

OUR OPINION: National Breach Notification Standard

We have been reading articles and watching interviews concerning a national breach notification standard and several people in our office and clients have stated some things that really have us thinking about this proposal.

Part of the proposal states that Americans have a right to know what information is being collected about them and how it is being used. This is interesting in light of the recent things that have come out of the Snowden debacle. In fact, if that's the case, I would think that the Government should play by the same rules that it is dishing out to the Corporate world.

Of course we all know they will exempt themselves from having to meet the same guidelines.

One other interesting aspect is that it will give businesses 30 days to disclose if information has been lost or stolen. Well that's fine but what about the businesses that never acknowledge having had a breach and the security researchers that have the information and are afraid to release it for fear of reprisal?

We get submissions every single day, and while we cannot validate each and every one, some businesses do the right thing, deal with the notifications and take care of their customers, but many don't. Many organizations, including colleges and universities, simply ignore it because they know we can't release their information. It's a catch-22 that the Government and the laws are not keeping up with. There should be a program (within the Government) where these submissions can be presented without threat of legal action from the affected party. This would eliminate the general liabilities of security researchers who are privy to more information than even the Government.

Your thoughts and comments are greatly appreciated on this topic!

Sunday, January 11, 2015

WARNING: GoGo Inflight Internet Interception

We have been seeing reports of invalid SSL certificates, malware infections and other problems with the GoGo Inflight Internet service. In fact, we have had multiple independent reports come in as recently as this evening of strange activity on the network (we have screenshots and data) indicating that information is being recorded by the system used to provide Internet to passengers.

Just be warned, and don't assume that because you're using a VPN over the service your communications are secure, especially if you are using an SSL VPN product. In fact, some SSL VPNs won't even connect at all.

INTEL: Paris suspect in terror plot update (TERROR SUSPECT Hayat Boumeddiene) via OSINT-X (UPDATED)

The remaining subject wanted in connection with the terror attacks is back in Syria. Information shows that the subject was able to move through Turkey and is now confirmed to be in Syria.

It is believed the subject entered Turkey on 2 January, 2015.

Subject is believed to have been in the city of Sanliurfa in Turkey and has since returned to Syria.

Our sources are saying Turkey is not providing information because they cannot confirm it. The last confirmed report is that on 2 January 2015 the subject was known to be in Sanliurfa.

INTEL//OS//TIP


UPDATE: 1/12/2015:
The information noted is being heavily reported on mainstream media today. It appears as though the previous intelligence gathered through OSINT-X is being confirmed by all of the news accounts.

Friday, January 9, 2015

UPDATED: SA - Terrorist Security Alert France

FOR IMMEDIATE RELEASE

A gun assault on the Paris offices of satirical magazine Charlie Hebdo Wednesday was the deadliest terrorist attack in France's recent history. Some other terror attacks in Western Europe:

SECTOR REPORTS:
National Security: Heightened Alert Status but No Changes to Security Posture at Embassies
Homeland Security: Actively Assisting
Corporate Security: No Impact

POSSIBLE RELATED INTEL:
ISIS Video Released over the past few days possible trigger for attack

Noted Alerts to France prior to attack after first incident earlier in the week

The perpetrator of a previous attack in Tours, France, Bertrand Nzohabonayo, had used an ISIS propaganda image as his Facebook profile picture.

The very next day, a driver, also shouting “Allahu Akbar,” slammed into a crowd of 13 pedestrians in Dijon, injuring 11. Police say the former psychiatric patient, who was most likely drunk, will probably face terrorism charges.

This Monday, a second driver, with a similar history of mental illness, drove his car into 10 people in a holiday market in Nantes, killing one. Both police and eyewitnesses say the suspect appeared "unbalanced" after the attack, repeatedly stabbing himself and muttering about protecting children in Chechnya and working to free the people of Palestine.

Finally, that same evening, a bullet smashed through a window at a Paris synagogue. No one was injured.

What no one has reported, however, is that only hours before the first attack in this timeline, ISIS released a new video calling for all Muslims in France unable to immigrate and join its campaigns in Syria and Iraq to pick up arms and attack local citizens, “where they stand and in their homes.”

12 Confirmed Dead with 8 Injured (critical injuries).

Previous news items indicating that France had disrupted a terrorist plot have been removed but are still available for review in OSINT-X.

Total Records Associated in OSINT-X: 366 Confirmed, 19 Pending, 3 Alerts

1/8/2014:
Lots of police activity in French Villages
Shots fired at Mosque
Percussion Grenades deployed at Mosque
Police Woman killed in France
French officials tell U.S. that suspect trained with Al Qaeda
Suspects confirmed on US Watch List
Magazine states they will publish 1 million copies of next issue
U.S. and French cooperating with intelligence details
Private Company data being tapped to assist in the investigation

1/9/2014:
Search Helicopter spots the 2 suspects in the terror attack.
Terrorists still wearing black clothing when spotted from the air.
Weather turns bad for search. The search continues on the ground and the air.
Hostages taken at printing company and supermarket in France, 4 suspects, unknown hostages
Blast, Gunshots at both France hostage sites
Woman and Man associated with Policewoman shooting earlier in the week, hostages at supermarket
2 Brothers, killed at site of hostage taking - Confirmed by Mayor
3 Terrorists Killed, Female Terrorist being pursued at this time
FBI issues alert in US on possible terrorist attacks

Analysts have downgraded this alert.

Thursday, January 8, 2015

ACO Congress is currently undergoing Maintenance. Check back soon.

A notice was posted to the ACO Congress that the site is currently down and undergoing maintenance. SLC Security Services LLC is NOT involved with the investigation of this entity.

A historical look shows that this system may have had issues far earlier than originally thought, as some information points to May as the original time frame of the attack - Unconfirmed

UPDATED WITH REFERENCES: Black Boxes being heavily utilized in ATM fraud attacks

We have several confirmed reports of recent arrests and of an increase in the use of black box ATM hacks. There have been confirmed reports out of Russia and in the recent case of Thomas Gilbert (according to MSNBC). Many police departments are operating on memoranda that show pictures of what the devices look like, and some reports coming in to investigators indicate that these devices are increasingly turning up during criminal search warrants, often for unrelated issues.

It is believed that the same group responsible for the Home Depot breaches may in fact be connected to the increase in the number of these devices being discovered.

In the photo above you can clearly see the serial interface utilized to conduct this attack.

Additional information will be released to members of our OSINT-X service.

NOTHING FOLLOWS

Related and Updated Information:

Cash machines pay out after USB module gets a call from a Galaxy S4 (Originally Reported by Krebs)

Location: UK
Carders have jackpotted an ATM by inserting a circuit board into the USB ports of an ATM, tricking it into spitting out cash.

The technique was thought to have emulated the cash dispenser of the ATM so the brains of the machine thought everything was normal, buying additional time for the brazen crooks to make off with the cash.

Additional reference material (Pic Above)

Additional Details and Reports:

NCR puts out notice to customers alerting them to be vigilant with this issue 1/6/2015 - This appears to be what alerted Krebs to the issue that he initially reported on

NCR reports black boxing being heavily utilized by criminals in Mexico 1/8/2015

SLC Security obtains independent report of organized criminal activity related in UK, Mexico and Canada via our clients and financial service partners of issues related to black boxing 1/8/2015

SLC Security noted Twitter activity of bragging of successful attacks 1/8/2015 - It is believed that plans and code are being sold to build boxing devices.

Wednesday, January 7, 2015

BREACH: www.acocongressportal.com

We have indications that this server was hacked earlier today. In addition to posts showing up on popular dump sites, we are also seeing indications of additional stolen information on other sites.

No attackers have claimed responsibility for this attack yet.


Pastebin Being Used to Launch Attacks

We are seeing code as well as commands being stored on Pastebin, with specific keywords and content strings used to launch denial of service attacks and exploits. Sucuri has been researching this, and we started seeing this type of activity this morning at a few sites.

SLC Security Services LLC utilizes customer premise equipment to collect information and attack history data from clients and from Internet Service Providers that participate in our network intelligence program.


OSINT-X Service Impact

Due to the ongoing feed activity as a result of the terror attacks in Paris our OSINT-X system is under heavy load today. What this means for customers is that feeds may be delayed up to 2 hours for updates as we add additional capacity today.

Our system is being accessed at record levels today and searches are taking up to 3 minutes to complete.

XML and RSS services that feed external sources will continue to operate in real time but our web based interfaces are slower to respond. We will update this post once the load returns to a normal level.

UPDATE: We have resolved the slow query times. We have re-indexed the data and results are now coming in line with the response times we normally expect. Updates are now set to real-time from news feeds and 10 minute updates on all other content.


Friday, January 2, 2015

Best Statement We Have Seen All Year

"Many companies are so focused on the perimeter that they have little idea what's going on inside the network."

BREACH UPDATE: Chick-Fil-A Inc

Popular fast-food chain Chick-Fil-A Inc. is investigating a payment card data breach affecting an unknown number of its U.S. locations, but early indications suggest many thousands of customer accounts may have been compromised.

First reported Tuesday evening by Krebs on Security, the Chick-Fil-A data breach may date back to December 2013.