Social Icons

Sunday, July 05, 2015

Whatsapp Chat History : How to avoid chat backing up?

1.    WhatsApp has been one of the revolutionary social networking application on the lines of various past hits like Facebook,one time orkut etc and today has a huge user base in billions exchanging all kinds of official,unofficial,personal chat kind of communications.Off course keeping a backup of all these chats is sometimes essential and in few cases for whatever reasons of the user base it is not required....the users wanna refrain from backing up anywhere any kind of history..no tell tale signs to be recovered...Although I have seen people ensuring themselves deleting the chat as it happens but that’s not a technically sound way to ensure nothing is being backed up

2.   For those who want to ensure a back up ...Daily at 0400 am the Whatsapp Auto backup is taken by the app itself so no need to worry for this and if you switch off or activate flight mode at night then one might need to take manual backup.For those who do not want any backup , a simple procedure as shown below will ensure a blank backup.

3.   Goto your Android application screen and search for MyFiles :

Choose the location where you have the default whatsapp files..in my case the default saving location is internal sd card.Click this and you look for the Whatsapp folder.

Further go inside Whatsapp folder and look for Databases....delete every thing inside this before 0400 cycle comes again.That should work....here the 0400 cycle backups the entire thing but defacto there is nothing to upload and backup.



Sunday, June 21, 2015

BITWHISPER: Hidden Channel between Air Gapped Computers using Thermal Manipulations

1.   Any Cyber Security Policy in an organisation makes a clear and confident mention of the term AIR-GAP to reduce any kind of breach between a corporate Intranet PC/Standalone PC and the Internet.Sadly and surprisingly no more it is safe.Yes...the AIR-GAP is possible to be breached.Researchers at the Ben-Gurion University of Israel have recently developed a relatively new method of siphoning classified data off of air-gapped systems called “BitWhisper.” 

2.   The team has developed a method of using CPU load modulation to regulate a victim computer's thermal radiation. By monitoring this fluctuation in temperature via a surrounding system’s pre-existing thermal sensors  allows for a covert channel to be established between the two machines, and thus infiltration into a system previously believed to be secure.

Extract below from "Infiltration of Air-Gapped Systems via Thermal Emissions " by Alex W Luehm, Student, CprE 431" 

The vulnerability of an air-gapped system is the common airspace surrounding the target and attacking computers. By using this common medium, it has been found possible to establish a covert channel between the two machines.BitWhisper, a method established by Israeli researchers,utilizes this common medium to transfer thermal “pings” between the two machines in a predetermined protocol, allowing for the transmission of classified data.

The exploitation is based on two basic principles of modern-day computer systems. 

- The first principle is that physical hardware components of a computer generate and disperse heat. This heat can be generated by various sources such as the power supply, the motherboard, the graphics card, and the CPU.Typically, these thermal emissions are vented away from the computer via a system of rotating fans and ducting in the computer housing. Importantly, these fans are controlled by a series of thermal sensors mounted throughout the computer housing. Under normal circumstances, these sensors ensure that no critical components become too hot and cause damage to surrounding hardware or themselves.
 
- The second principle is that the amount of thermal energy generated and emitted by these components is directly related to the current workload of the computer in question. A system doing more intense calculations over a longer period of time produces a larger increase in the amount of heat emitted.

What the researchers have found, is that by installing a malicious program on the target machine, information could be quite literally emitted by the target in the form of thermal pulses. In addition, these thermal pulses could be detected by a surrounding computer's internal thermal sensors and, by the very same malicious program, decoded into the transmitted data. If one of these systems were connected to the internet, then it would be quite feasible to pass classified data from an air-gapped system to an internet-accessible system for further transmission.These pulses typically were detected as either a raising or lowering of temperature, by 1 – 4 degrees Celsius over a period of time. The spanning distance, arrangement, and type of case of the concerned systems caused varying degrees of transmission rate.

Source of Info : 

3.   Original paper "BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations" by Mordechai Guri Matan Monitz, Yisroel Mirski, Yuval Elovici available at http://arxiv.org/abs/1503.07919

Wednesday, June 10, 2015

Cloud Forensics: Challenges Only Ahead

1.   Cloud Computing is emerging amongst all the bombilate words of acclivitous technologies as the most prodigious maturations in the chronicles of computing. As it still takes time to settle, a new egressing challenge as felt whilst its implementation across has been a relatively more newfangled field known as Cloud Forensics. Today as Cloud still needs time to mature and offer its full exploitation, the even newer subfield Cloud Forensics is a carking cause to negate immediate acceptance of cloud computing with open arms. The research in this field is still in parturient stages to say from perspective of the way cases and incidents are being handled on ground today. 

2.   My paper got published in "Cyber Times International Journal of Technology & Management".The "Cyber Times International Journal of Technology & Management" (CTIJTM) was launched in 2007 by "Cyber Times - PRESS" in order to promote Latest Research and innovations in the Area of Technology & Management.The"Cyber Times International Journal of Technology & Management" (CTIJTM) is Bi-Annual, Double Blind Peer Reviewed, International Journal with International Serial Standard Number which is available in print and online versions. It provides the new paradigms in the embryonic fields of Technology, Management, Science, Electronics, Law, Economy etc. and visualizes the future developments in the respective areas. It is meant to publish High Quality Research Papers with innovative ideas, inventions, and rigorous research which will ultimately interest to research scholars, academicians, industry professionals, etc.The paper is available at the following links :

http://journal.cybertimes.in/?q=Vol8_A_P1_01


and also for viewing at scribd as below :

Sunday, June 07, 2015

Career in CYBER SECURITY : Where to start ?

1.  I get a lot of queries on my blog posts related to cyber security courses and any time I am in some forum or discussion from all range age  groups regarding serious career scope in India in the field of Cyber Security.Is it worth taking a plunge in a field which currently only has more of a keen interest value rather then offering  lucrative pay packet job?The younger age group which generally has young engineering graduates look little restless of taking the risk but the field is pretty exciting for those who are passionately interested in it.

2.  The field is immense and huge to start with.For a fresher it would be pretty cumbersome to find where to start from.The moment any typical search is made for a cyber security course on google,the results are too huge and confusing to get started on.For a novice guy who doesn’t  have any background in this field but keen to start a career in this field, I would submit few first steps to start before ways and career road automatically starts guiding ahead.

3.   Firstly,make it very clear in your mind that this field is very dynamic...you have to be continuously on your toes to be updated around what’s happening in this field.Millions of cyber incidents are happening,thousands of zero days are being discovered,thousands of case studies are being released about various cyber incidents and as you start understanding you need to prioritize of what all to grasp in detail .....follow up good tweets of cyber security experts.The courses you do in this field will not be like the typical graduation certification that you do once and will make you a B.Tech for the rest of your life without ever some one asking about the syllaabi.Most of the course and certification have a shelf life of 2-3 years after which you need to renew them to continue your professional standing in the market.

4.   The best thing about this field is that you can build your career and get your basics clear by putting in you hard-work along with the world of open-source that’s your window to knowledge bank.Be it the white papers or applications or Operating systems etc most of the entire gambit of tools is free....yes...for last about 8-9 years of my association with the field I have not bought or purchased any software or OS or toolkit to practice basic hacks and penetration tests.

5.   For a start in respect of courses....I would submit that most of the courses valued globally like CEH,CISSP etc by EC-COUNCIL are pretty costly and just doing them does not guarantee anything with respect to job.You have to be aware of lots besides these courses.For a start for a typical Indian novice fresher I would recommend to start with CCCSP,CCCS etc...links given below :

http://cdac.in/index.aspx?id=cyber_security for courses offered by CDAC on cyber security and forensics.



more listed at http://anupriti.blogspot.in/2012/12/cyber-security-courses-in-india.html ....though slightly old post...but everything holds good today...

6. Besides these courses which only give a very basic over view of the field,you should start getting conversant with LINUX flavors available viz UBUNTU, Fedora, OpenSuse, Linux MInt etc to mention a few....besides a horde of excellent security distros are available with all possible youtube videos and manuals on the net for helping from scratch.Get conversant and start playing with maximum tools available in these.Few of the distros that I would recommend are listed  below :

- ARCHASSAULT at https://archassault.org/

- Kali Linux at

- BackBox at

- BackTrack R3 at

- Knoppix STD

- Pentoo

- DEFT

- Parrot

- Caine

- Samurai Web Testing framework

- Matriux Krypton

- Bugtraq

- Node zero

- Cyb org

- Helix

- Network SEcurity Toolkit

- Wireshark(not an OS)

- GRML

- Chaos

- Katana

-  Damn Vulnerable Linux

- Auditor

and I must tell you these are only few to test before you start getting basic idea of what’s happening around.

7.   You have to be passionate enough to carry yourself successfully in this field.The moment you are out of touch for whatever reasons you have a lot to catch.Every thing is available on the net..be it the study material...be it any software to start.....you actually do not straight away enrol for a course..prepare yourself with the basics as available vide these distros...basic linux and then do some course to start building your documented profile.If you have reached reading here and you have queries you can get back to me here ....post a comment.

Wednesday, June 03, 2015

Get Hacked on just Opening a Image

Stegnography we all know is the technique of hiding messages inside a pic and exactly on the same lines a new malicious technique by the name of STEGOSPLOIT has arrived that allows malicious code and java script execution the moment an image is opened by the user.This image can be of anything that can interest a victim viz Political figure,Actors,Tempting models,Engineering drawings or anything that is a image.The technique has been discovered by security researcher Saumil Shah from India.The technique was demonstrated at the Amsterdam hacking conference Hack In The Box with a talk titled, "Stegosploit: Hacking With Pictures".The video of demonstration is shared below...just watch it...by the looks if it goes...looks simple.


The technology opens the door for attacks executed as simply as pointing users to sites containing a booby-trapped image or delivering the image via email. By virtue of simply viewing the image, the exploit code is triggered and can deliver malware on the victim's computer.The second video below is in continuation of the above video :

The way out for a typical user is to avoid opening any tempting forwarded image from any friend or acquaint,default image downloading disabled for mobiles and PC interface in email/Whatsapp etc application settings.
technique discovered by security researcher Saumil Shah from India. - See more at: http://thehackernews.com/2015/06/Stegosploit-malware.html#sthash.wBuIwSGj.dpuf

Sunday, May 24, 2015

Android Factory Reset : How trustworthy from a PRIVACY view?

1.  It is an accepted fact that one can remove all data from Android devices by resetting it to factory settings, or doing a "force reset." One can do so by either using the Settings menu to erase all your data or by using the Recovery menu.It is also understood that by performing a factory data reset, all data — like apps data, photos, and music etc will be wiped from the device.This reset in most of the cases will be required as a maintenance issue or when the user decides to sell his mobile to some other third guy.Now when he does a factory reset for ensuring himself that all his/her data is removed from the mobile,there is a sad angle recently revealed in a paper named "Security Analysis of Android Factory Resets" by Laurent Simon and Ross Anderson@University of Cambridge available at http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf  that proves with technical demonstrations to negate the fact that the data and all privacy of accounts goes with the reset.Read on further for brief details...

2.  Even with full-disk encryption in play, researchers found that performing a factory reset on Android smart-phones isn’t always what it’s assumed safe up to be.Researchers found the file storing decryption keys on devices was not erased during the factory reset and they were successfully able to access data “wiped” Android devices from a wide variety of sources, including text messages, images, video, and even third-party applications. What’s more, researchers were able to “recover Google authentication tokens”, thereby enabling them to sync up any data a user had tied to Google’s services, including private emails.The study unveils five critical failures:

- the lack of Android support for proper deletion of the data partition in v2.3.x devices;

- the incompleteness of upgrades pushed to flawed devices by vendors;

- the lack of driver support for proper deletion shipped  by  vendors  in  newer  devices  (e.g.  on  v4.[1,2,3]);

- the  lack  of  Android  support  for  proper  deletion  of  the internal  and  external  SD  card  in  all  OS  versions

- the fragility  of  full-disk  encryption  to  mitigate  those  problems up to Android v4.4 (KitKat)

RECOVERY DETAILS OF DATA BY RESEARCHERS

ATTRIBUTED REASON

3.   Smartphones  use  flash  for  their  non  volatile  memory storage  because  it  is  fast,  cheap  and  small.  Flash  memory is  usually  arranged  in  pages  and  blocks.  The  CPU  can read  or  write  a  page  (of  typically  512+16  to  4096+128 data+metadata  bytes),  but  can  only  erase  a  block  of  from 32   to   128   pages.   Each   block   contains   both   data,   and “out-of-band”  (OOB)  data.When  removing  a  file,  an  OS  typically  only  deletes  its name  from  a  table,  rather  than  deleting  its  content.  The situation is aggravated on flash memory because data update does not occur in place, i.e. data are copied to a new block to  preserve  performance,  reduce  the  erasure  block  count and  slow  down  the  wear.  This makes a vulnerable issue as realised here by both these researchers.

Monday, May 04, 2015

Hardware Trojans : Do we have a Solution or Clue to resolve?

1.    IT Security is an ever interesting field and those passionate about this field will always find surplus to read about so many happening things in the field.In the already chaotic environs of Cyber Security there comes another GIGANTIC issue...by the name of HARDWARE TROJANS and I use this word Gigantic not just to reflect my reaction on the subject...but for any first time reader on the subject this will be a huge issue in times to come and is already in for majors.The issue is yet unattended because no one has clue where to detect,how to detect and what to do to resolve?

2.   Electronic systems have proliferated over the past few decades to the point that most aspects of daily life are aided or affected by the automation, control, monitoring, or computational power provided by Integrated Circuits (ICs). The ability to trust these ICs to perform their specified operation (and only their specified operation) has always been a security concern and has recently become a more active topic of research. Without trust in these ICs, the systems they support cannot necessarily be trusted to perform as specified and may even be susceptible to attack by a malicious adversary.A new disruptive threat has surfaced over the past five years  , a hardware-based security threat known as the Hardware Trojan.Hardware Trojans are intentional,malicious modifications to electronic circuitry designed to disrupt operation or compromise security including circuitry added into Integrated Circuits (ICs). These ICs underpin the information infrastructure of many critical sectors including the financial, military, and industrial sectors.Consequently, hardware trojans pose a security risk to organisations due to the broad attack surface and specific organisations’ reliance on ICT infrastructure. Hardware trojans can be difficult to prevent and even more difficult to detect. Most of the current security protection mechanisms implicitly trust the hardware, allowing hardware trojans to bypass software or firmware security measures .Hardware trojans inserted during fabrication or design stages can become widely dispersed within an organisation and pose a systemic threat.

3.   Hardware Trojans are usually composed of a Trigger and a Payload.The trigger is the activation mechanism and the payload generates the effect. Prior to triggering, a hardware trojan lies dormant without interfering with the operation of any electronics.The trigger mechanism for our network hardware trojan is based on a communication channel in network packet timing, while the payload is an adjustable degradation level of the ethernet channel through noise injection into the ethernet controller’s clock.
4.  The ease with which Hardware Trojans can make their way into modern ICs and electronic designs is concerning. Modifications to hardware can occur at any stage during the design and manufacturing process, including the specification, design, verification and manufacturing stages. Hardware Trojans may even be retro-fitted to existing ICs post manufacture.

5.   With above as a preview it makes any one wonder upto what extents would one require to go for a 100 % secure IT attribute.Imagine the risk stake this would put on a typical country who is entirely dependent on global vendors for its own Defence and Consumer goods....or for that matter even developing countries would feel the pinch....no clue as to where to start from...or even if a frame work is desired to setup a standard for controlling this menace it would be prudent to only get dependent off shores since in most of the cases expertise would not exist only.......

Thanks to these two papers for giving me an over view on the subject.

Hardware Trojans – A Systemic Threat by John Shield, Bradley Hopkins, Mark Beaumont, Chris North

Hardware Trojans – Prevention, Detection,Countermeasures by Mark Beaumont, Bradley Hopkins and Tristan Newby

Sunday, March 29, 2015

Equation Group : Advanced Secretive Computer Espionage Group

The Equation Group is a highly advanced secretive computer espionage group, suspected by security expert Claudio Guarnieri and unnamed former intelligence operatives of being tied to the United States National Security Agency (NSA). Because of the group's predilection for strong encryption methods in their operations, the name Equation Group was chosen by Kaspersky Lab, which discovered this operation and also documented 500 malware infections by the group's tools in at least 42 countries.This presentation gives an over view in brief based on the Kaspersky Report.

Friday, February 27, 2015

Configuring Burp suite with Iceweasel

1.   Burp Suite is an integrated platform for attacking web applications. It contains a variety of tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All of the tools share the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility. There are two versions available including a free version and also Burp Suite Professional.It is a Java application that can be used to secure or penetrate web applications.The suite consists of different tools, such as a proxy server, a web spider, intruder and repeater.BurpSuite allow us to forward all of the web traffic from your browser through BurpSuite so that you can see each HTTP Request and Response and manipulate it to your heart’s content. This post will configure burp suite with Iceweasel in Kali Linux .

2.   Open Internet - Iceweasel Web Browser

3.   Click on Edit then Preferences

4.   Preference Window will be open Now go to AdvanceNetworkSetting
5.   Select Manual Proxy then set 127.0.0.1 in HTTP Proxy area and port should be 8080. Use this proxy server for all protocols by checking the box. Clear the No Proxy field then Finally Click OK.
6.   Now open burp suite Application → Kali LinuxTop 10 Security ToolsBurpsuite
7.   You get to see the following screen
8.    After Burp Suit is opened,Click on Proxy Tab then Click on Option Subtab and watch carefully local host interface running box should be check in Proxy Listeners.
9.    Scroll down in the same tab (Proxy Tab → Option subtab) 

Intercept Client Requests

    → Select URL Match type and keep Clicking UP button till URL Match type reach at the top.

    → Check Box 'Intercept requests based on the following rules.

Now select 'File Extension' and click on Edit.Edit Window will be open. Here we will add 'jpeg' file extension. You can add or remove file extension as per your need. So, Write code and click on OK.



10.  We will Add file extension match type according to below details:
      Boolean Operator : And
      Match type : File Extension
      Match relationship : Does not match
      Match condition: (^gif$|^jpg$|^png$|^css$|^js$|^ico$|^jpeg$)
11.  Select 'File extension'  and keep Clicking UP button till 'File extension' reach at the 2nd top.
12.   Now Open Iceweasel and type www.google.com in the web address area....and u r ON if all set right

Source of help : http://knoxd3.blogspot.in/2014/05/how-to-configure-burp-suite-with.html

Sunday, February 22, 2015

Cracking linux password with John the ripper – Screenshots

1.   John the Ripper is a fast password cracker for UNIX/Linux and Mac OS X.. Its primary purpose is to detect weak Unix passwords, though it supports hashes for many other platforms as well. There is an official free version, a community-enhanced version (with many contributed patches but not as much quality assurance), and an inexpensive pro version.John is different from tools like hydra. Hydra does blind bruteforcing by trying username/password combinations on a service daemon like ftp server or telnet server. John however needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked. Now a days hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash and if the hash is made of a common word, then the site would show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database. Larger the database, more the words covered.This post brings out screen shots showing usage of the tools with screenshots step wise....in Kali Linux

2.   In this post I am going to show you, how to use the unshadow command along with john to crack the password of users on a linux system. On linux the username/password details are stored in the following 2 files

/etc/passwd
/etc/shadow


In the screenshot below I create a user by the name of lima and create a short password for testing the tool
The unshadow command will basically combine the data of /etc/passwd and /etc/shadow to create 1 file with username and password details. Usage is quite simple as seen below :
Now this new file shall be cracked by john. For the wordlist we shall be using the password list that comes with john on kali linux. It is located at the following path
/usr/share/john/password.lst

So the password cracked is "test"
A veri simple yet powerful tool as we see from the screenshots above...

Friday, February 20, 2015

CARBANAK : BANK ROBBERY LIKE NEVER BEFORE

1.  As recent as a week back Carbanak, an APT-style campaign targeting financial institutions has been claimed to have been discovered by the Russian/UK Cyber Crime company Kaspersky Lab who said that it had been used to steal money from banks.The malware was said to have been introduced to its targets via phishing emails and is said to have stolen over 500 million dollars, or 1BN dollars in other reports, not only from the banks but from more than a thousand private customers.The criminals were able to manipulate their access to the respective banking networks in order to steal the money in a variety of ways. In some instances, ATMs were instructed to dispense cash without having to locally interact with the terminal. Money mules would collect the money and transfer it over the SWIFT network to the criminals’ accounts.The presentation brings out the executive summary of Modus Operandi of the Malware as analysed by Kaspersky.
 

2.   Carbanak is a backdoor used by the attackers to compromise the victim's machine once the exploit, either in the spear phishing email or exploit kit, successfully executes its payload.Carbanak copies itself into %system32%\com with the name svchost.exe with the file attributes: system, hidden and read-only. The original file created by the exploit payload is then deleted.

How to detect CARBANAK

One of the best methods for detecting Carbanak is to look for .bin files in the
folder:

..\All users\%AppData%\Mozilla\

The malware saves files in this location that will later be sent to the C2 server when an internet connection is detected.BAT script for detecting infections(Source : here) is given as follows :

@echo off
for /f %%a in ('hostname') do set "name=%%a" echo %name%
del /f %name%.log 2> nul
if exist "c:\Documents and settings\All users\application data\
mozilla\*.bin" echo "BIN detected" >> %name%.log
if exist %SYSTEMROOT%\System32\com\svchost.exe echo "COM
detected" >> %name%.log
if exist "c:\ProgramData\mozilla\*.bin" echo "BIN2 detected"
>> %name%.log
if exist %SYSTEMROOT%\paexec* echo "Paexec detected"
>> %name%.log
if exist %SYSTEMROOT%\Syswow64\com\svchost.exe echo "COM64
detected" >> %name%.log
SC QUERY state= all | find "SERVICE_NAME" | findstr "Sys$"
if q%ERRORLEVEL% == q0 SC QUERY state= all | find
"SERVICE_NAME" | findstr "Sys$" >> %name%.log
if not exist %name%.log echo Ok > %name%.log xcopy /y %name%.log
"\\\logVirus

Sunday, February 15, 2015

Can we trace back device make-model from a MAC address?

Mac address of a Electronic device viz mobile/laptop are very critical for a investigating team dealing with a Cyber Incident.From an investigator point of view this one attribute associated with every device can give the Name of the OEM.I searched on net to find if the make and model of the device can be traced back via the Mac Address but couldn't find much...except for the name of the OEM I couldn't get much...for a Laptop I could get Dell and for a mobile device I could get samsung....nothing much....Is their anyway to identify and trace back the make/model??????


ANTHEM INC Data Breach : What is it all about?

1.   January 29, 2015,has gone down to record one of the greatest data breaches in the history of breaches and will be long a case study for students to learn of how it all happened.This particular breach relates to  Anthem Inc,the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, that discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to its IT system and obtained personal information relating to consumers who were or are currently covered by Anthem.It is believed that this suspicious activity may have occurred over a course of several weeks beginning December, 2014.

2.    Anthem disclosed that it potentially got stolen over 37.5 million records that contain personally identifiable information from its servers. According to The New York Times about 80 million company records were hacked, and there is fear that the stolen data will be used for identity theft

3.  This post brings out few key points of what ever has been discovered and revealed till now...

-   The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.

- Till now credit card ,banking information,financial,medical information  compromise has not been validated.

-   As per site...“With nearly 80 million people served by its affiliated companies including more than 37.5 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.”....shows the quantifed prone customers effected likely...and thats huge....

-   Once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.

-   Analysis of open source information on the cyber criminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant.

-   Less than 6 months ago a similar breach effected CHS(Community Health Systems, Inc.) of 4.5 million patient records that was attributed to “highly sophisticated malware”.

-   The Company and its forensic expert believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Anthem Inc Company'’s systems. 

-   According to the Associated Press, the attackers who targeted and exfiltrated more than 80 million customer records from Anthem Inc, were able to commandeer the credentials of at least five different employees.  We know from Anthem themselves that at least one admin account was compromised, as the admin himself noticed his credentials being used to query their data warehouse.


HOW IT COULD HAVE HAPPENED?

"Looking at job postings and employee LinkedIn profiles it appears that the data warehouse in use at Anthem was TeraData. By doing some quick searches on LinkedIn I was able to find more than 100 matches for TeraData in profiles of current employees at Anthem, including, CXOs, system architects and DBAs. Discovering these employees emails is trivial and would be the first step attackers could take to identify who to target for spear-phishing campaigns.

Once they are able to compromise a few high level employee systems through a phishing campaign either through malware attachments or through a browser exploit, gaining access to a user’s database credentials would be trivial. This would be where the “sophisticated malware” that is being reported would be utilized, if the malware was designed specifically for this attack it would evade most anti-virus products.

What may be a key weakness here is that it appears there were no additional authentication mechanisms in place, only a login/password or key, with administrative level access to the entire data warehouse. Anthem’s primary security sin may not have been the lack of encryption, but instead improper access controls. Although it appears the user data was not encrypted, in Anthem’s defense if the attackers had admin level credentials encryption would have been moot anyway.

I should note that TeraData provides quite a few security controls, including encryption, as well as additional data masking features, even specifically called out for protecting Social Security Numbers and related data. So odds are the actual vulnerability here is not in the software, operating system or hardware, but how the system and access controls were configured based on business and operational requirements."


Source : http://www.tripwire.com/state-of-security/incident-detection/how-the-anthem-breach-could-have-happened/
Another set of possibilities vide The Hacker News THN Post refers at http://thehackernews.com/2015/02/anthem-data-breach.html

Tuesday, February 10, 2015

Quantifying your WEB SECURITY


This small presentation will sail through a set of questions for any web/Internet user and will mark for every question as the user decides to answer.The safety score as it ends up lets the user know of where he stands in terms of IT SECURITY on the web!!!!

Monday, February 09, 2015

Unsupported version 11 of data unit 'vga' : SOLVED

In one of my recent updates in UBUNTU 14.04 LTS,I faced an issue in the installed virtual box machines giving a message that goes as follows :

Unsupported version 11 of data unit 'vga' (instance #0, pass 0xffffffff) (VERR_SSM_UNSUPPORTED_DATA_UNIT_VERSION).

Result Code: NS_ERROR_FAILURE (0x80004005)
Component: Console
Interface: IConsole {1968b7d3-e3bf-4ceb-99e0-cb7c913317bb}

This was in-spite of the fact that I had saved my virtual machine in the manner it is supposed be and was not a power off.The machine as made to start vide the VB interface went showing the progress bar but was then followed by this above message.

How I solved this :

After working out many attempts to update and repair the Virtual Box,the simple way worked out like shown in the pic below : 


Yes...it is as simple as choosing the machine and selecting "DISCARD SAVED STATE"

Thursday, January 29, 2015

How to Set Up Google Chromecast : Windows 8

1.   Chromecast is a 2.83-inch (72 mm) HDMI dongle ,a digital media player developed by Google that plays audio/video content on a high-definition display by directly streaming it via Wi-Fi from the Internet or a local network. Users select the media to play using mobile apps and web apps that support the Google Cast technology. Alternatively, content can be mirrored from the Google Chrome web browser running on a personal computer, as well as from the screen of some Android devices.This post further brings you screen shots of the Chromecast setup as I set it up on one windows 8 Laptop...sadly it doesn't have a straight setup for UBUNTU OS...though I have seen few forums wherein a plugin mention in regular chrome browser would set the cast working...but alas not tried that...here it is a simply setting it up on Windows 8.

Step 1 : As you plugin the chromecast powered by USB Power in the HDMI slot ,you get a similar looking screen.
  
On your Chrome browser log onto google.com/chromecast/setup
As you click the above link you get a download setup file...around 800 kb...download that and your installation begins....
Typical Next Next.....
You get the device number as detected by the Laptop machine

Once connected a unique code is seen as below on the TV...just confirm that you see the same on your PC too as shown further below :
Unique code replicated on Laptop screen as below :
Click on That's My Code and continue as seen below :
Seen connecting to the network SSID
Setting up the Device on joining the network
and you are ready to cast :
The first time the device is ready to cast,expect recent update on the Chromecast dongle like seen below...likely to take few minutes...mine took 7-8 minutes
Updating still....12%
Updating still....61%
Updated and now applying updates
and the first look of the device on way to cast a Youtube stream as below :
What do I cast first ?...off course Rajinikanth....:-)

Few things to ponder and for info first time users :

- Why is not ready for Opensource OS?
- Works equally ready with Android devices with ease
- Does not work on a Windows OS running in Virtual Box/Machine.

Sunday, January 18, 2015

Hardening your Android Device : Few Essentials

1.   Android is the most popular mobile platform in the world, with a wide variety of applications, including many applications that aid in communications security, censorship circumvention, and activist organization. Moreover, the core of the Android platform is Open Source, auditable, and modifiable by anyone. Unfortunately though, mobile devices in general and Android devices in particular have not been designed with privacy in mind. In fact, they've seemingly been designed with nearly the opposite goal: to make it easy for third parties, telecommunications companies, sophisticated state-sized adversaries, and even random hackers to extract all manner of personal information from the user. This includes the full content of personal communications with business partners and loved ones. Worse still, by default, the user is given very little in the way of control or even informed consent about what information is being collected and how.
 
2.  This presentation brings out few basic steps that every android phone user should configure to harden his/her device.Although the list is not completely exhaustive but it brings out basic necessities as expected from any smart user.

 

Saturday, January 03, 2015

USB Condoms

1.   Ever heard of this term : USB CONDOM..first as I read about this though like some tech humour but it was not...it was for real.This device prevents accidental data exchange when device is plugged into someone else’s computer or a public charging station. This is achieved by blocking the data pins on any USB cable and allowing only power to flow through. This minimizes opportunities to steal your data or install malware on your mobile device.

2.  As I read this ,the term became ok :-) to discuss around in my blog here.So the basic Juicejacking attack becomes null and void by the use of a USB Condom.

"The simple board at its core carries only the current from the outside pins on a USB connector — which pass along the 5V needed to charge. The middle pins that would normally transmit data can’t, as there’s no circuitry to do so on the Condom. You’ll be able to confidently charge in public as long as you’ve got your USB Condom handy, safe in the knowledge that no juice jacker is going to mess with your precious device." from : http://www.geek.com



FaceDancer : Security Issue Buzzing USB !!!!

1.   The typical USB protocol requires that anything with USB  declares itself as either a "device" or "host". "Host" can be a PC and other bigger machines accessible whereas "Devices" can be iPod, iPads, USB thumb drives, and other "small" accessory-like things.  If you ever want a USB "host" to pretend to be a USB "device", you need special hardware. The FaceDancer is that key.

2.   The FaceDancer allows a computer (or "host") to masquerade as a USB "device" to communicate with other USB devices or USB Hosts. The FaceDancer allows a developer to access data on the USB bus from high level languages like C, Python, and Ruby.

Details and above info from : http://int3.cc/products/facedancer21


Thursday, January 01, 2015

HAPPY NEW YEAR 2015

WISHING YOU WONDERFUL GUYS A WONDERFUL NEW YEAR AHEAD....CHEERS FOR YEARS....

Tuesday, December 09, 2014

DeathRing: Non-removable Pre-installed Malware@Androids

The smart-phones penetration in our country and for that matter any country has been seeing explosion like never before...from cheap mobiles with luring specs to high end smart-phones by Apple,Samsung,Sony etc.The growing and already a subject matter of concern in IT ie SECURITY is majoring as a serious threat in the mobile world too...like the Microsoft b70 case few years back(click here for details)....As evidenced by the latest pre-loaded malware identified called DeathRing that’s  a Chinese Trojan that is pre-installed on a number of smart-phones most popular in Asian and African countries.
as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)
as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)
as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)

Friday, December 05, 2014

Operation Cleaver : IRAN a greater Cyber Threat then US/China????

1.    There has been a series of decisive and significant reveals in past few weeks in the field of Cyber Security. REGIN, APT28, Wirelurker and now comes another important report by the name of Operation Cleaver. The report is available here.Some time about a year back in September 2013,the ping pong blame of cyber attacks between Iran-US were made public vide US carrying out proven credentials of IRAN being part of attack in their Navy room. A screen shot of a report then is seen below :
 2.    Now, a US cyber security firm Cylance says it has evidence to prove that the same team has infiltrated not just the Navy, but also various top companies across the globe within the past two years. This report sheds light on the efforts of a coordinated and determined group working to undermine the security of at least 50 companies across 15 industries in 16 countries.


3.  Iran till date has never been considered quite as much of a serious cyber threat to the US as China and Russia have been in recent years. This could prove to be a mistake vide proofs given in this report.The report indicates that state sponsored cyber groups in Iran can be just as severe or even way ahead in terms of offered danger to few countries. Few key points of interest are mentioned below :
Victims include companies in the oil and gas sector, the energy industry, airports and the transportation sector, government and defence, and the telecommunications and technology industries.

-   Report believes all the revelations are just the tip of the ice berg and damage extends much ahead of contours identified.

-   About 10 of the victims are based in the US and include a major airline, an energy company, a medical university, and an automobile manufacturer.

-   Many of the other firms targeted by the group are based in Middle Eastern countries like Kuwait, the United Arab Emirates, Saudi Arabia, and Qatar. Cylance also found a significant number of victims in Canada, Germany, England, France, India, Israel, Pakistan, and Turkey.

-  Unlike their Russian and Chinese counterparts, which tend to grab IP and financial data where they can, the Iranian group has mostly avoided stealing such data.

-  The group is scoping networks and conducting reconnaissance as if in preparation for a major assault at some point in the future.

-   Technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort.

Wednesday, December 03, 2014

Harden your LinkedIn Settings : A Necessity Now

Most of us are part of various Social Engineering Sites and keep updating ourselves via status updates, pictures and tweeting small life updates. Related Privacy and Security issues in respect of these social engineering sites available is already a serious concern among users. Additionally for these all social engineering sites/applications whether accessible on a desktop or a mobile, we all are not so serious responding and interacting but that’s the difference when we see viz-a-viz LinkedIn. When it is LinkedIn…we are mostly serious…no jokes, no clips, no tagging, no personal comments, no WOWs…it’s all professional. And when most of us take it seriously, we also feed serious inputs on it. But do we take necessary precautions too?...I have mostly seen a negated curve amongst my friend circle….hardly anyone has spared time to configure LinkedIn Privacy and Security settings. In this post I bring you out basic and necessary configuration steps involved to harden your LinkedIn interface to the world.

Powered By Blogger