Wednesday, January 29, 2020

2020-003- Liz Fong Jones, tracking Pentesters, setting up MFA for SSH, and Developer Advocates


What is Honeycomb.io?

From the site: 

“Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems.”

 

SSH 2FA gist https://gist.github.com/lizthegrey/9c21673f33186a9cc775464afbdce820

 

Honeycomb.io for digging into access logs & retracing what pentesters do.

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec



Wednesday, January 22, 2020

2020-002-Liz Fong-Jones discusses blog post about Honeycomb.io Incident Response


Ms. Berlin's appearance on #misec podcast - https://www.youtube.com/watch?v=Cj2IF0zn_BE with @kentgruber and @quantissIA

Blog post: 

https://www.honeycomb.io/blog/incident-report-running-dry-on-memory-without-noticing/

 

What is Honeycomb.io?

From the site: 

“Honeycomb is a tool for introspecting and interrogating your production systems. We can gather data from any source—from your clients (mobile, IoT, browsers), vendored software, or your own code. Single-node debugging tools miss crucial details in a world where infrastructure is dynamic and ephemeral. Honeycomb is a new type of tool, designed and evolved to meet the real needs of platforms, microservices, serverless apps, and complex systems.”

 

What are SLOs and how do you establish them? Are they anything like SLA (Service level agreements)?

 

Can you give us an idea of timeline? Length of time from issue to IR to resolution? 



Are the dashboards mentioned in the blog post your operations dashboard?

[nope! hashtag no-dashboards]

 

Leading and lagging indicators ( IT and infosec call them detection and mitigation indicators)

    https://kpilibrary.com/topics/lagging-and-leading-indicators

 

How important is telemetry (or meta-telemetry, since it’s telemetry on telemetry, if I’m reading it right --brbr) in making sure you can understand issues?

 

Do you have levels of escalation? How do you define those?

 

When you declared an emergency, how did brainstorming help with addressing the issues? Did that help your org see the way to a proper fix?

    Did you follow any specific methodology? Did you have a war room or web conference?

   

 

Communications:

https://twitter.com/lizthegrey/status/1192036833812717568

 

Can being over transparent be detrimental? 

 

Communication methods in an IR:

    Slack

    Phone Tree

    Ticket system

    Emails

   

    What does escalation look like for Ms. Berlin? Mr. Boettcher?  (stories or examples?)

 

Confirmation bias (or “it’s never in our house”) fallacy

    “I’ve seen and been a part of that, very prevalent in IT” --brbr

    Especially when the bias is based on previous outages/issues

 

From the blog: “We quickly found ourselves locked in a state of confirmation bias…”



Root Cause Analysis:

    Once you diagnosed the issue, how quickly was a fix pushed out?

    What kind of documentation or monitoring was generated/added to ensure this won’t happen again?

 


Monday, January 13, 2020

2020-001- Android malware, ugly citrix bugs, and Snake ransomware


Educause conference: https://events.educause.edu/security-professionals-conference/2020/hotel-and-travel 

 

Amanda’s Training that everyone should come to!!! https://nolacon.com/training/2020/security-detect-and-defense-ttx

Follow twitter.com/infosecroleplay

 

Part 1: New year, new things

 

Discussion:

 

What happened over the holidays? What did you get for Christmas?

 

PMP test is scheduled for 10 March



Proposal:  Anonymous Hacker segment

    Similar to “The Stig” on Top Gear. If you would like to come on and discuss any topic you would like. You’ll have anonymity, we won’t share your contact info

 

  1. Will allow people worried that they’ll be ridiculed to share their knowledge
  2. We can record your 20-30 segment whenever (will need audio/video for it)
  3. You can take a tutorial from another site (or your own) and review it for us
  4. 1-2 segments per month 
  5. We can discuss content prior to (we won’t put you on the spot)
  6. We do have a preliminary





News:

 

Google removed 1.7K+ Joker Malware infected apps from its Play Store                   

 

Full article: https://securityaffairs.co/wordpress/96295/malware/joker-malware-actiity.html

 

Excerpt:

Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.

Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years.

The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads.

The spyware is able to steal SMS messages, contact lists and device information, and to sign victims up for premium service subscriptions.

In October, Google removed 24 apps from Google Play because they were infected with Joker malware; the 24 malicious apps had a total of 472,000 installs.

“Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total.” 

 

apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user’s carrier.” reads the post published by Google.

The newer versions of the Joker malware were involved in toll fraud, which consists of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.



WAP billing: https://en.wikipedia.org/wiki/WAP_billing

Example: “Pokemon Go allows in-app purchases”

Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781

 

Full Article: https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/

 

Excerpt:

On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.

 

What type of organizations are affected by CVE-2019-19781?  (industries with typically poor or outdated security practices… --brbr)

4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:

 

  • Military, federal, state, and city government agencies
  • Public universities and schools
  • Hospitals and healthcare providers
  • Electric utilities and cooperatives
  • Major financial and banking institutions
  • Numerous Fortune 500 companies

 

How is CVE-2019-19781 exploited and what is the risk?

This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise.

Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.

SNAKE #Ransomware Targets Entire Corporate Systems?

 

Full Article: https://www.ehackingnews.com/2020/01/snake-ransomware-targets-entire.html 

Excerpt:

 

The new Snake Ransomware family sets out to target organizations' corporate networks in their entirety. It is written in Golang and contains a significant level of obfuscation; the observations and disclosure of the attacks were made by a group of security specialists from the MalwareHunterTeam.

 

The Ransomware upon successful infection subsequently erases the machine's Shadow Volume Copies before ending different processes related to SCADA frameworks, network management solutions, virtual machines, and various other tools.

 

After that, it continues to encrypt the machine's files while skirting significant Windows folders and system files. As a feature of this procedure, it affixes "EKANS" as a file marker alongside a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled "Fix-Your-Files.txt" in the C:\Users\Public\Desktop folder, which instructs victims to contact "bapcocrypt@ctemplar.com" so as to purchase a decryption tool.

 
