
People keep asking me: what could anyone possibly want on my computer? I have nothing on it.

We will try to explain this with a few images.

A hacked computer has a resale value of about $30 to a criminal, even before anything on it is used.

Zombie computer: a computer that is being controlled by other computers.

[Images: zombie computer; compromised computer value; hacked email account worth]

A hacked computer is called a zombie when it is used as an attack vehicle.

That system can be a machine on the corporate network, a phone, or an "Internet of Things" device.

Any device on the Internet has the potential to become a zombie and to be used as an attack vehicle.

 

When the zombies are controlled from a single machine, one attacker can direct hundreds or even thousands of computers. With reflectors (third-party servers that answer requests sent with a spoofed source address) the zombies' traffic can also be bounced off those servers toward the victim, so the flood appears to come from the reflectors rather than from the zombies.

Here is an analysis of the use of reflectors in DDoS: http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html

[Image: DDoS reflector attack diagram, from Datasoft: https://www.datasoft.ws/ds_whatisddos.php]

The image is a good representation of what a DDoS reflector attack consists of.

 

So yes, your hacked machine is worth $30 or more even if you do not have "valuable" data on it. The problem is that any password you saved on the system can be used by the hacker to penetrate your identity on the Internet.

 

Update, 6/27/16: I put up a new blog post at my site: http://oversitesentry.com/iot-botnet-can-ddos-your-webserver/

Briefly, it is about a botnet of 25,000 hacked CCTV cameras that are now being used to attack other machines.

Contact me to discuss how we can design a vulnerability analysis of your computer network.

Brian Krebs has updated his blog and his famous picture (how much is your hacked computer worth):

http://krebsonsecurity.com/2015/01/fbi-businesses-lost-215m-to-email-scams/

[Image: BEC statistics] IC3 data - Internet Crime Complaint Center: http://www.ic3.gov/about/default.aspx [Image: IC3 banner]

BEC (Business Email Compromise) is a global scam with subjects and victims in many countries. The IC3 has received BEC complaint data from victims in every US state and in 45 countries. From 10/1/2013 to 12/1/2014 the following statistics were reported (the figures in the image above):

total US victims: 1,198

total US dollar loss: $179 million

total non-US victims: 928

total non-US dollar loss: $35 million

combined victims: 2,126

combined dollar loss: $214 million

So Brian Krebs has updated his "how much is your computer worth to hackers" image:

[Image: Krebs on Security, the value of a hacked email account]

Brian reviews what can happen to your email account if somebody is able to take it over and use it for their own money-making schemes.

If I attempt to put a small dollar amount on each of the accounts an email takeover gives access to, how much is your email account worth?

Google: $2

Facebook: $2

iTunes: $3

Amazon: $3

Walmart: $3

Netflix: $2

Dropbox: $2

Salesforce: $2

FedEx: $1.50

UPS: $1.50

Bank acct: $4

Steam: $2.50

Total: $28.50, or more?

This is my image:

[Image: tonyz - hacked email account worth]

 

My list is only a partial one, but I am trying to make it more personal and give the hack a dollar amount. I am trying to create awareness; also note the comments on Brian Krebs' post:

[Image: comments on Brian Krebs' post]

You can click on the image or go to Brian's site to read them, but I want to transcribe one of them in particular (the bottom one):

"Almost word for word what happened to an affiliate company of ours. Slightly altered domain name appearing as someone’s VP, email request to wire funds, funds were sent, fund transfer frantically reversed at the 11th hour."

This attack did not even need a hacked email account: just a slightly modified (look-alike) domain name and a wire transfer request sent in the name of the VP. What are the odds of two similar comments one after the other? Criminals are preying on our good graces and naivety.

 

If you need help working on your password compliance, or testing other aspects of your security policy, I can help with the Omega Scan service:

http://oversitesentry.com/solutions/omega/

[Image: Omega logo] It is a unique service.

 

Here is the video to go along with this post.

Risk analysis and patch management are important.

We discuss that today, since there were two Adobe vulnerabilities that we cover on our blog:

http://oversitesentry.com/patches-i-dont-need-those-stinkin-patches/

Patch management is the process of deciding, with a risk-based analysis, which patches get installed in your environment and when.

Tools can be used to reduce the time and resources needed to implement it.

 

Because, as the blog post and video discuss, 169 Oracle, 62 Chrome, 9 Firefox, and at least 2 Adobe patches cause quite a resource issue. You must have a plan in place, as this is just the first month (there were over 7,000 vulnerabilities last year).

[Image: Cisco report, cumulative alert totals]

The image is from the Cisco Security Report that just came out.

http://www.cisco.com/web/offers/pdfs/cisco-asr-2015.pdf   Also from another Oversitesentry post:

http://oversitesentry.com/new-cisco-annual-report-is-out/

 

Contact us to help you with patch management and compliance requirements.

http://www.fixvirus.com/contact-us/

314-504-3974

 

This morning (1/21/15) I attended the ISACA (previously the Information Systems Audit and Control Association) St. Louis chapter meeting:

http://www.isaca.org/chapters5/Saint-Louis/Pages/default.aspx

Talk: "The Past, Present and Future of Web Application Security" by Christopher Boyd

 

Good quote: "sometimes I talk to the security echo chamber", i.e. talking only to other security people.

The PAST

The first web page is still on the Internet: http://info.cern.ch/hypertext/WWW/TheProject.html   The Web became publicly accessible on Aug. 6, 1991.

The PRESENT

OWASP is important: https://www.owasp.org/index.php/Main_Page

OWASP top 10:

https://www.owasp.org/index.php/Top_10_2013-Top_10

1. Injection

2. Broken authentication and session management

3. (XSS) Cross-Site Scripting

4. Insecure Direct Object References

5. Security Misconfiguration

6. Sensitive data exposure

7. Missing Function Level Access Control

8. (CSRF) Cross-site request forgery

9. Using components with known vulnerabilities

10. Unvalidated redirects and forwards

 

All of the web app problems stem from 3 basic issues:

1. Input validation

2. Redirection

3. Authentication

 

Of course SQL injection is important, but it is not as prevalent as it used to be.

I focus on more esoteric problems, since many programmers have already fixed many security issues, like improper error handling, where an error sends more information to the hacker than you anticipated. (Burp Suite can find the differences in bytes between responses.)

 

How to fix some of these problems?

Validate all input.

Context-sensitive escaping/encoding of output (this also covers redirection targets).

Use libraries for encryption; do not write your own.

 

For cross-site scripting the enemy is the following characters: < ' " (plus > and &).

This is a typical test case: <script> alert("xss") ; </script>
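As an added example (not code from the talk or from the original post), here is what the first two fixes look like in code: a whitelist check for an input field that has a fixed format, and context-sensitive output encoding for free-form text that lands in four different places in a page (HTML body, attribute, JavaScript string, URL parameter), run against the test case above. The field names and the page template are constructed for illustration.

```python
# Added example, not code from the original post. Input validation plus
# context-sensitive output encoding, using the post's XSS test case.
import html
import json
import re
from urllib.parse import quote

XSS_TEST_CASE = '<script> alert("xss") ; </script>'  # the test case from the post

# 1. Validate all input: a field with a known shape gets a whitelist, not a blacklist.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> bool:
    """Accept only the characters a username may contain; reject everything else."""
    return USERNAME_RE.fullmatch(value) is not None


# 2. Context-sensitive encoding: the same string needs a different encoder
#    depending on where in the page it lands. Free-form text (a display name,
#    a comment) cannot be validated away, so it must be encoded on output.
def encode_for_html_body(value: str) -> str:
    """Text between tags: & < > " ' become entities, so no tag can start."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Value inside a quoted attribute: same entities, and the template must
    always put quotes around the attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Value inside a <script> string literal: JSON-encode it and break '</'
    so the data cannot close the script element early."""
    return json.dumps(value).replace("</", "<\\/")


def encode_for_url_param(value: str) -> str:
    """Value inside a query string: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def render_profile_vulnerable(name: str) -> str:
    """The 'before': untrusted data copied straight into markup."""
    return f"<h1>{name}</h1>"


def render_profile(name: str) -> str:
    """The 'after': each context gets its own encoder (constructed template)."""
    return (
        f"<h1>{encode_for_html_body(name)}</h1>\n"
        f'<input name="display" value="{encode_for_html_attribute(name)}">\n'
        f"<script>var displayName = {encode_for_js_string(name)};</script>\n"
        f'<a href="/search?q={encode_for_url_param(name)}">search</a>'
    )


if __name__ == "__main__":
    print(render_profile_vulnerable(XSS_TEST_CASE))
    print(render_profile(XSS_TEST_CASE))
```

The point of the four encoders is that HTML entity encoding alone is not enough once the data is inside a script block or a URL; a template engine that auto-escapes only for the HTML body still leaves the other contexts open.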

 

The Browser Exploitation Framework (BeEF) is a good program for testing your applications, and typically if you see requests for hook.js in your logs, someone is using BeEF.

 

CSRF (Cross-Site Request Forgery) means getting a logged-in user to click on a link (or load a page) so that their browser sends a request using all of the user's currently open sessions.

 

Double-submit cookies are a no-no.
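An added example (not code from the talk or the original post) of the alternative to a double-submit cookie: a synchronizer token kept server-side in the session, compared in constant time, with an Origin/Referer check as a second layer. The session and request are plain dicts standing in for a web framework's objects; the handler, field names and origins are constructed.

```python
# Added example, not code from the talk or the original post: a synchronizer
# token check for CSRF. Session store and request objects are plain dicts
# standing in for a web framework's; names are constructed for illustration.
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create one unpredictable token per session and keep it server-side.
    The form embeds it in a hidden field; a page on another site cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Compare the submitted token with the server-side copy in constant time."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def origin_matches(headers: Dict[str, str], site_origin: str) -> bool:
    """Defence in depth: a browser sets Origin (or Referer) on cross-site
    POSTs, and a page on another site cannot change it."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def handle_transfer(session: Dict[str, str], request: dict, site_origin: str) -> str:
    """A state-changing handler (constructed): reject unless both checks pass."""
    if not origin_matches(request["headers"], site_origin):
        return "403 bad origin"
    if not verify_csrf_token(session, request["form"].get("csrf_token")):
        return "403 bad csrf token"
    return f"200 transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    legit = {"headers": {"Origin": "https://bank.example"},
             "form": {"csrf_token": token, "amount": "100", "to": "alice"}}
    forged = {"headers": {"Origin": "https://evil.example"},
              "form": {"amount": "100", "to": "mallory"}}
    print(handle_transfer(session, legit, "https://bank.example"))
    print(handle_transfer(session, forged, "https://bank.example"))
```

The token must be rotated with the session and never placed in a URL, where it would leak through Referer headers and logs.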

 

Creating a data flow diagram will help you; you can even use Microsoft's flow diagram tooling.

WAF - Web Application Firewall: a "but" control (it helps, but it is not a fix for the code); app profiling.

 

The OWASP Top 10 Proactive Controls are important to understand:

https://www.owasp.org/index.php/OWASP_Proactive_Controls

 

But the OWASP Application Security Verification Standard (ASVS) is really good. (Chris thought this would appeal to ISACA due to the auditing nature of the group.)

https://www.owasp.org/index.php/Project_Information:template_Application_Security_Verification_Standard

 

TLS 1.2 is the current version of SSL/TLS (POODLE takes advantage of SSL v3.0).

POODLE is the example of an HTTPS downgrade attack: the client is pushed back to SSL 3.0 and its weak CBC padding is then exploited.

HSTS (HTTP Strict Transport Security) is OK, even though programmers don't like to be shoehorned.

THE FUTURE

Certificate Transparency is coming.

"Content Security Policy" on your websites:

report collection

source whitelisting
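An added example (not code from the talk or the original post) that puts the HSTS header from the Present section and the two CSP points above into working code: a function that builds the Strict-Transport-Security and Content-Security-Policy headers with a script source whitelist and a report-uri, and a parser for the JSON violation report the browser posts back. The CDN origin, the report endpoint and the sample report are assumed values for illustration.

```python
# Added example, not code from the talk or the original post: building the
# HSTS and Content-Security-Policy headers, and parsing the JSON report a
# browser posts when the policy blocks something. Origins and the report
# endpoint are assumed values for illustration.
import json
from typing import Dict, List, Optional


def build_hsts(max_age: int = 31536000, include_subdomains: bool = True) -> str:
    """Strict-Transport-Security: a browser that has seen it refuses plain HTTP
    (and certificate errors) for max_age seconds, which removes the downgrade
    step an attack like POODLE needs. Send it only on HTTPS responses."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def build_csp(script_sources: List[str], report_uri: str) -> str:
    """Content-Security-Policy with a source whitelist and report collection.
    'unsafe-inline' is deliberately absent, so an injected <script> block is
    refused even where output encoding was missed."""
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", ["'self'"] + script_sources),
        ("object-src", ["'none'"]),
        ("frame-ancestors", ["'none'"]),
        ("report-uri", [report_uri]),
    ]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives)


def security_headers(script_sources: List[str], report_uri: str,
                     report_only: bool = False) -> Dict[str, str]:
    """Headers to add to every HTTPS response. report_only=True collects
    violations from real traffic before the policy starts blocking."""
    csp_name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {
        "Strict-Transport-Security": build_hsts(),
        csp_name: build_csp(script_sources, report_uri),
    }


def parse_csp_report(body: str) -> Optional[Dict[str, str]]:
    """Extract the useful fields from a CSP violation report: the browser POSTs
    {"csp-report": {...}} to the report-uri. Returns None for malformed input."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    return {
        "document": report.get("document-uri", ""),
        "blocked": report.get("blocked-uri", ""),
        "directive": report.get("violated-directive", ""),
    }


# Constructed sample report: the shape a browser sends when the whitelist blocks a script.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/profile",
    "blocked-uri": "https://evil.example/hook.js",
    "violated-directive": "script-src 'self' https://cdn.example.com",
}})

if __name__ == "__main__":
    for name, value in security_headers(["https://cdn.example.com"], "/csp-report").items():
        print(f"{name}: {value}")
    print(parse_csp_report(SAMPLE_REPORT))
```

Roll the policy out in report-only mode first: the reports tell you which inline scripts and third-party sources the site actually depends on before the enforcing header breaks them.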

OWASP AppSensor: application intrusion detection and response, embedded into the application logic.

 

Ubiquitous HTTPS is coming.

Chrome's SPDY protocol already requires TLS.

"Let's Encrypt" was another good quote before time ran out.

We explain a little more about pentesting and the service that we have (Sigma Scan) in the Tip of the Day.

In the News of the Day we discuss #OpFrance, where political hackers are trying to attack various French websites including France24:

[Image: tweet] Here is a tweet from an "Anonymous Saudi hacker" on Twitter.

Video:

Sigma Scan info on Oversitesentry: http://oversitesentry.com/solutions/sigma/

What will be your solution to potential attacks on your machines? Will it be to trust that your provider is doing everything they can? Or will you be proactive and do some testing (like the Sigma Scan)?

 

Contact us; we can help you test your website to reduce the likelihood of hacker penetration and exploits.

 

Created an SVAPE & C only video as well:

 

Our video of the Fixvirus Security Show:

News of the Day: cybersecurity has priority in the State of the Union (why? due to the Sony hack)

As in our blog post:

http://oversitesentry.com/?p=1291

Tip of the Day: run a recon scan on your machines, our Alpha Scan for example: http://oversitesentry.com/solutions/alpha/   Alpha Scan link


Contact us

 

New Fixvirus Security Show, Jan 9: vulnerability assessment in the Tip of the Day, as well as CES show quotes in the News of the Day...

Some of the quotes I already researched on my blog, Oversitesentry.com: http://oversitesentry.com/can-we-stop-cybersecurity-breaches/

News of the Day:

FTC Chairwoman Edith Ramirez's opening remarks at the CES show on the 6th of January:

http://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf

"We are told that, in 2015, the world will have 25 billion connected devices; the number of smart home devices will reach nearly 25 million; and IoT software platforms will "become the rage." But we have also been warned that 2015 will be the year we start hearing about smart-home hacking."

I heard the headlines about the privacy aspect of the IoT (Internet of Things), but in her statement she also discussed the security risks of IoT. She poses a valid concern: security has been an afterthought in the IoT space for decades, so as we start introducing all of these devices everywhere (home and business) there should be a focus on security by design instead of functionality first.

And finally the Chairwoman finishes with:

"As is evident here this week, companies are investing billions of dollars in this growing industry; they should also make appropriate investments in privacy and security."

 

Vulnerability assessment in the Tip of the Day -

 

SVAPE & C comes from the Mandiant attack lifecycle diagram:

[Image: attack lifecycle]

 

I talk more about SVAPE & C, i.e.:

Scan first, Vulnerability Assessment next, Penetrate and Exploit the systems, then Control the systems until you take them back (or the attacker sells them on).

In the News of the Day I discuss http://www.darkreading.com/operations/5-pitfalls-to-avoid-when-running-your-soc-/a/d-id/1318218

Specifically:

"Our goal is to protect our critical assets, quickly know when they have been compromised and respond with immediate action to contain and eradicate the threat. If anyone believes they are going to create the perfect secure environment, let me save you some pain in discovery: It does not exist. However, if you can narrow your attack surface area through smart security operations that fully integrate the right people, the right processes, and good technology, then you drive up the skill required by an attacker to the point where most threat actors will give up and go after easier, softer targets."

In the Tip of the Day I discuss how Netcat can help you do some "banner grabbing",

which lets you see what an application reveals about itself in its first response.

From the Netcat Power Tools PDF, Chapter 4: http://dl.acm.org/citation.cfm?id=2155689

"The Web server will take this request, locate the file requested, and send it back to the client. When given a file of "/", Linux and UNIX servers will return index.html, while Windows Internet Information Server (IIS) will find and return default.htm."

I recommend obfuscating your web and other application banners:

"For many different reasons, usually security-related, many Web sites do not wish to
show the version software that they’re running. They can alter this information by
editing their Web server configuration to use a new ServerTokens value, or by using
third-party software."

 

You can actually test your web server to see what it responds with:

"For protocols like HTTP that require user interaction, it is still possible to automate the process. All you need to do is pipe the echo of your input to Netcat. Simple enough, no? The trick that catches many people is how to transmit that extra carriage return after the command. This can easily be done with the following Linux command:

echo -e "GET / HTTP/1.0\n" | nc <host> <port>

In the example above, echo uses the \n string to signify a new line."
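The same banner grab as a small Python socket client, an added example that is not from the book or from the original post. It sends the request with the CRLF line endings HTTP specifies (the echo "\n" trick works because most servers are lenient about bare LF), reads only until the headers are complete, parses the status line and the Server / X-Powered-By headers, and flags a banner that still leaks a version, which is what the ServerTokens change above removes. The host names and SAMPLE_RESPONSE are constructed.

```python
# Added example, not code from the book or the original post: banner grabbing
# over a raw socket, the Python equivalent of the netcat one-liner, plus a
# parser for the response. Host names and SAMPLE_RESPONSE are constructed.
import socket
from typing import Dict, Optional


def http_banner_request(host: str) -> bytes:
    """HTTP/1.0 request with CRLF line endings and the empty line that ends the headers."""
    return b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"


def parse_banner(response: bytes) -> Dict[str, Optional[str]]:
    """Pull the status line and the banner headers out of a raw HTTP response.
    Tolerates bare LF line endings, which lax servers sometimes send."""
    text = response.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "status": lines[0],
        "server": headers.get("server"),
        "x-powered-by": headers.get("x-powered-by"),
    }


def leaks_version(banner: Optional[str]) -> bool:
    """'Apache/2.4.7 (Ubuntu)' (ServerTokens Full) hands an attacker a version
    to match against exploit lists; 'Apache' (ServerTokens Prod) does not."""
    return banner is not None and any(ch.isdigit() for ch in banner)


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Connect, send the request, read until the headers are complete, parse."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(http_banner_request(host))
        data = b""
        while b"\r\n\r\n" not in data and b"\n\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_banner(data)


# Constructed response: the kind of banner a default install returns.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 21 Jan 2015 15:00:00 GMT\r\n"
    b"Server: Apache/2.4.7 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>index.html</body></html>\r\n"
)

if __name__ == "__main__":
    banner = parse_banner(SAMPLE_RESPONSE)
    print(banner, "leaks version:", leaks_version(banner["server"]))
    # Against a live host you are allowed to test (needs network access):
    # print(grab_banner("www.example.com"))
```

On Apache the trimmed banner comes from ServerTokens Prod together with ServerSignature Off; on nginx it is server_tokens off. Remember that X-Powered-By is set by the application stack (PHP's expose_php, for example), so the web server setting alone does not remove it.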

 

 

Let me know if you need help with this. Contact us.

2014 reviews:

http://oversitesentry.com/?p=1196   the post I discussed in the video...

Get ready for 2015.

It is not "if" you get hacked but "when", so get ready for more attacks.

Get your incident response ready: when you get hacked, what will you do?

Be prepared - GET READY!!!

[Image: hospitals hacked]

http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/   CNN story on the 4.5 million records stolen from Community Health Systems. Why would hackers want these records?

Because the records have Social Security numbers, names and addresses.

" But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients' medical histories, clinical operations or credit cards. "

The patient data is supposedly protected by HIPAA, but the protection is only as good as the people overseeing the hospital network.

http://oversitesentry.com/?p=1166

And if the people in charge do not do the right things, like testing:

We test your systems to reduce your security risks with our 4 service products (listed below: Α, Σ, Ω, and Ψ).

Then it does not matter... One has to have a security policy with stringent controls, physical and electronic; wireless and wired; Internet and corporate network; cloud and office. It must all work towards the goal of protecting your data.
Then it does not matter... One has to have a Security policy with stringent controls, physical and electronic. Wireless and wired, Internet and corporate network, Cloud and office. It must all work towards the goal of protecting your data.