Skip to content

Brian Krebs has updated his Blog: and his famous picture (how much is your hacked computer worth):

becstats IC3 data - Internet Crime /about/default.aspx  ic3-banner4

The BEC is a global scam with subjects and victims in many countries. The IC3 has received BEC complaint data from victims in every US state and 45 countries. from 10/1/2013 to 12/1/2014 the following stats were reported(now look at image above):

total US victims: 1198

total US dollar loss: $179mil

total nonUS victims: 928

total nonUS dollar loss: $35mil

combined victims: 2126

combined dollar loss: $214mil

So Brian Krebs has updated his how much is your computer worth to hackers image:

So Brian reviews what can happen to your email account if somebody is able to take it over and use it for their own money making schemes.

If I attempted to put a small dollar amount on these accounts, how much is your email account worth?

Google: $2

Facebook: $2

iTunes: $3

Amazon: $3

Walmart: $3

Netflix: $2

Dropbox: $2

Salesforce: $2


UPS: $1.50

Bank acct: $4


Total:  $28.50 ? or more?

this is my image:



My list is only a partial one, but I am trying to make it more personal - and give the hack a certain dollar amount. I am trying to create awareness, also note the comments in BrianKrebs post:


You can click on the image or go to Brian's site to read them, but I qwant to transcribe one of them in specific(bottom one):

"Almost word for word what happened to an affiliate company of ours. Slightly altered domain name appearing as someone’s VP, email request to wire funds, funds were sent, fund transfer frantically reversed at the 11th hour."

This attack is used in a manner that was not even a hacked email account, just a slightly modified domain name with a wire transfer fund using the name of the VIP. What are the odds that 2 comments similar in nature one after the other? Criminals are preying on our good graces and naivety.


If you need help in working on your compliance on passwords, or testing other aspects of your security policy, i can help with the Omega Scan service:

Omega-Logo-819x1024  It is a unique service.


Here is the video to go along with this post

Pentesting every 3 months for entities with more than 20k transactions

annually for less than 20k transactions.

Why do you need to pentest?

Because things happen, and it is good to review your security profile


Have some Philotimo -


philotimohuffingtondo the right thing - defend your site by scanning.

Philotimo video:

Today's Fixvirus Security Video:

Also discussing the Oversitesentry blog post about QWERTY keylogger:


Risk analysis and patch management is important.

We discuss that on this day, since there were 2 Adobe vulnerabilities that we discuss on our blog:

Patch Management is when you decide with risk based analysis which patches get installed to your environment over time.

Tools can be used to improve the time and resources used to implement.


Because as the blog post and video discuss, 169 Oracle, 62 Chrome, 9 Firefox, and at least 2 Adobe patches cause quite a resource issue.  You must have a plan in place as this is just the first month (there were over 7000 vulnerabilities last year).ciscoreportcumalerttotal

the image is from the Cisco Security report that just came out.  also from another Ovresitesentry post:


Contact us to help you with patch management and compliance requirements.



This morning (1/21/15) attended ISACA (previously the Information Systems Audit and Control Association) meeting:

The past present and future of Web Application Security by Christopher Boyd


Good quote  sometimes I talk to the "Security echo chamber"  i.e. talking to other security people


the first web page is still on the Internet:  The Web became publicly accessible on Aug. 6, 1991.


OWASP is important

OWASP top 10:

1. Injection

2. Broken authentication and session management

3. (XSS) Cross-Site Scripting

4. Insecure Direct Object Reference

5. Security Misconfiguration

6. Sensitive data exposure

7. Missing level function access control

8. (CSRF) Cross-site request forgery

9. Using components with known vulnerabilities

10. Unvalidated redirects and forwards


All of the Web app problems stem from 3 basic issues

1. Input validation

2. Redirection

3. authentication


Of course SQL injection is important, but not as prevalent as it used to be

I focus on more esoteric problems, since many programmers have fixed many security issues already, like improper error handling where an error sends more information than you anticipated to the hacker.  (Burp Suite can find the differences in bytes)


How to fix some of these problems?

Validate all input

context sensitive escaping/coding (redirection)

use libraries for encryption


for cross-site scripting the enemy is the following: < ' "

this is a typical test case: <script> alert("xss") ; </script>


The browser exploitation framework (BeEF is a good program to work with testing your programs) and typically if someone is trying hook.js someone is using BeEF.


CSRF (Cross-site Request Forgery) means to click on a link and use all the current open connections


Double submit cookies is a no no


creating a Data flow Diagram will help you. you can even use Microsoft flow diagram

WAF - Web Application Firewall "But control"   App profiling


OWASP top10 Proactive controls are important to understand


But the OWASP App security verification standard is really good.  (Chris thought this would appeal to ISACA due to the auditing nature of the group)


TLS 1.2 is current SSL version (POODLE takes advantage of SSL v3.0)

POODLE is the https downgrade attack example

HSTS is ok Strict Transport Security even though programmmers don't like to be shoe horned


Certificate transparency is coming

"Content Security Policy" on your websites

report collection

Source whitelisting

OWASP Appsensor   Application  Intrusion Detection & Response

embedded into logic


Ubiquitous HTTPS is coming

chrome SPDY protocol requires TLS already

" Let's encrypt"   was another good quote before time ran out.

We are explaining a little more about pentesting and the service that we have (Sigma Scan) in tip of day.

In News of day we discuss #OpFrance where the political hackers are trying to attack various French Websites including France24:

anonopSaudiX2 Here is a tweet from "Anonymous Saudi hacker" off Twitter


SigmaScan info on Oversitesentry:

What will be your solution to potential attacks on your machines? will it be to trust in your provider that they are doing everything they can? or will you be proactive and do some testing (like the Sigma Scan)


Contact Us as we can help you test your website to reduce the likelihood of hacker penetration and exploits.


Created a SVAPE & C only video as well:


Our video of the fixvirus security show:

news of day:  Cybersecurity has priority in State of the Union (Why ? due to Sony Hack)

as in our blog post:

tip of day : run a recon scan on your machines:  our Alpha scan for example.   Alpha scan link

Contact us



To be PCI compliant means there is a Security policy in place.

We can help with a security policy or with the documentation for PCI compliance -

There are a lot of items to check and verify.


Don't forget to check cloud services that you may have.


Contact us with any concerns of security policies and PCI compliance issues

New Fixvirus Security Show Jan9 on vulnerability Assessment in Tip of day as well as News of Day CES show quotes ...

Some of the quotes I already researched on my Blog:

News of Day:

FTC chairwoman commissioner Edith Ramirez’ opening remarks at the CES show on the 6th of January.

We are told that, in 2015, the world will have 25 billion connected devices; the number of smart home devices will reach nearly 25
million; and IoT software platforms will “become the rage”
But we have also been warned that 2015 will be the year we start hearing about smart-home hacking.”
I heard the headlines about the privacy aspect of the IoT (Internet of Things) but also in her statements she discussed security risks of IoT. She poses a valid concern, security in the IoT space has not been thought about for decades, so as we start introducing all of these devices everywhere (home and business) there should be a focus of Security by Design, instead of functionality first.
And finally the chairwoman finishes with:
As is evident here this week, companies are investing billions of dollars in this growing industry; they should also make appropriate investments in privacy and security.“


vulnerability Assessment in tip of day -


SVAPE& C comes from the Mandiant report diagram:



I talk about more of SVAPE & C


Scan first, Vulnerability Assessment next, Penetrate and Exploit systems, Control the systems until you take back or he sell

"Do the right thing" = Philotimo

PCI compliance best practices(from page 13 PCI DSS 3.0 doc):

  1. Monitoring of security controls—such as firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), file-integrity monitoring (FIM), anti-virus, access controls, etc.—to ensure they are operating effectively and as intended.
  2. Ensure all failures in security controls, such as firewalls and IDS/IPS, file integrity monitoring, anti-virus.
  3. Review changes to environment
    1. Determine impact to PCI DSS scope
    2. Identify PCI DSS requirements applicable to item affected by the change
    3. Update PCI DSS scope and implement security controls as appropriate
  4. Changes to organizational structure (adding offices, mergers, etc)
  5. Periodic reviews and communications
  6. Review HW and SW at least annually that is continued to be supported by the vendor. Alpha scan  helps you review your systems.

We need a permission document

then we nmap scan your systems.

If you have certain ports open then I may perform vulnerability scan using tools.

I write a report - if problems exist

Your IT department fixes the problem

I run another scan to see if the problem was fixed.

Will write another report and discuss with you.$500/ip address for external IPs, if internal ips (requires onsite visit) then an onsite fee is assessed


On News of Day I discuss


"Our goal is to protect our critical assets, quickly know when they have been compromised and respond with immediate action to contain and eradicate the threat. If anyone believes they are going to create the perfect secure environment, let me save you some pain in discovery: It does not exist. However, if you can narrow your attack surface area through smart security operations that fully integrate the right people, the right processes, and good technology, then you drive up the skill required by an attacker to the point where most threat actors will give up and go after easier, softer targets."

In Tip of Day I discuss how Netcat can help you do some "banner grabbing"

Which will help you view applications as they send information in the first review

from the Netcat Power Tools pdf Chapter 4:

The Web server will take this request, locate the file requested, and send it back to
the client. When given a file of “/”, Linux and UNIX servers will return index.html,
while Windows Internet Information Server (IIS) will find and return default.htm.

I recommend to obfuscate your web and other applications banners:

"For many different reasons, usually security-related, many Web sites do not wish to
show the version software that they’re running. They can alter this information by
editing their Web server configuration to use a new ServerTokens value, or by using
third-party software."


You can actually test your webserver to see what it responds with:

For protocols like HTTP that require user interaction, it is still possible to
automate the process. All you need to do is pipe the echo of your input to
Netcat. Simple enough, no? The trick that catches many people is how to
transmit that extra carriage return after the command. This can easily be
done with the following Linux command:
echo –e “GET / HTTP/1.0\n” | nc <host> <port>
In the example above, echo uses the \n string to signify a new line.



Let me know if you need help with this.

Contact Us.