
If you are not 100% certain, how certain are you?

Are you 95.45%? That is two sigma (σ). If you want 99.99966% (3.4 defects per million), that is Six Sigma (σ).

The attackers are coming

check this link:

http://oversitesentry.com/i-want-my-internet-247hackersknowthat/

The link explains what is obvious to all: we need the Internet, and the criminals know that, so they will find any mistakes that you have made or are making.

[Image: Evgeniy Bogachev, FBI Most Wanted poster] Mr. Bogachev has a $3 million bounty on his head. Why do you think that is?

 

The criminals are working while you are sleeping, in relatively lawless environments, trying to find a way to make more money: your money.

Here is a link, if you dare to check, about the "Russian Carders Army":

http://carderinfo.nm.ru/cr1.swf

A video by McAfee and the FBI explaining the background of the Russian attackers (criminals): http://bcove.me/vchfpcni

I don't know if you understand yet: if you have any hole in your defenses, the hackers will find it, and it is only a matter of time before your company is hacked, your company is extorted, and your equipment is used for criminal ends.

This phenomenon is not new and will not stop.

[Image: risk management hacked matrix]

Risk management failed us because the system that was rated "not important" may still have mistakes, and once it is hacked it becomes the foothold from which the more important machines are hacked as well. That is how risk management failed.

We can no longer make judgements by risk rating and say this machine is more important while the others can be allowed more problems. ALL machines are important.

 

We can help you MAKE sure that you are as close to 100% certain as possible.

 

I believe companies need to run a minimal set of vulnerability analyses,

Which I explain here:

http://oversitesentry.com/tonyz/pubhtml/fixvirus/svapec/

The idea is to at least cover your basic vulnerabilities with a regular scan, because the defender has to be perfect: there are too many attacks heading our way for you not to test your defenses with outside help.

Of course you can (and should) have a layered defense strategy, like in this link:

http://oversitesentry.com/2-steps-stops-all-cyberattacks/

 

Or with Six Sigma (σ):

We need Six Sigma security.

[Image: Six Sigma certified badge, from www.simplilearn.com]

 

And the only way to achieve it is with testing, testing, testing.

We perform the (A – Σ – Ω) Solution.

 

 

In QA that is how Six Sigma is performed: 99.99966% error free, or 3.4 defects per million opportunities.
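The sigma percentages above, computed rather than quoted, as an added example that is not part of the original post. It uses only the Python standard library. The `shift` parameter is the 1.5σ drift of the process mean that the Six Sigma method assumes when it quotes "3.4 defects per million"; that convention is an assumption of the method, not something stated on this page, and `shift=0` gives the pure statistical figure.

```python
import math


def within_k_sigma(k):
    """Fraction of a normal distribution lying within +/- k standard
    deviations of the mean: P(|Z| < k) = erf(k / sqrt(2))."""
    return math.erf(k / math.sqrt(2))


def upper_tail(z):
    """P(Z > z) for a standard normal variable. erfc keeps precision far out
    in the tail, where 1 - cdf(z) would round to zero."""
    return 0.5 * math.erfc(z / math.sqrt(2))


def defect_fraction(k, shift=1.5):
    """Long-term defect fraction for specification limits at +/- k sigma when
    the process mean is allowed to drift by `shift` sigma. shift=1.5 is the
    Six Sigma convention (an assumption, see lead-in); shift=0 is the pure
    two-sided statistical figure."""
    return upper_tail(k - shift) + upper_tail(k + shift)


def dpmo(k, shift=1.5):
    """Defects per million opportunities."""
    return defect_fraction(k, shift) * 1_000_000


def sigma_table(levels=range(1, 7)):
    """Rows of (sigma level, percent within +/- k sigma, DPMO with drift)."""
    return [(k, 100 * within_k_sigma(k), dpmo(k)) for k in levels]


if __name__ == "__main__":
    print("sigma  within +/-k sigma   DPMO (1.5 sigma shift)")
    for k, pct, d in sigma_table():
        print(f"{k:>5}  {pct:16.7f}%  {d:14.1f}")
```

Running it shows that two sigma covers 95.45% (not 95.5%), and that six sigma without drift is about 0.002 DPMO; the familiar 3.4 DPMO only appears once the 1.5σ shift is applied.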

Good Security means doing good basic IT.

And sometimes it also means keeping up with new compliance initiatives by industry or government.

This year, on October 1, 2015, a new payment card rule goes into effect: the card brands' EMV liability shift. From October 1st, liability for counterfeit card fraud at the point of sale moves to whichever party has not adopted EMV chip technology, which for a merchant still running magnetic-stripe-only terminals means the merchant rather than the bank or processor.

Here is an article that discusses certain aspects of point-of-sale system security: http://news.investors.com/technology/032015-744412-latest-point-of-sale-endpoint-security-tackles-expensive-breaches.htm

EMV (the Europay, MasterCard and Visa chip card standard) comes to the US by October 1st as well. If you are getting new machines anyway, get ones that support point-to-point encryption (P2PE).

[Image: card-present vulnerabilities, from visa.com]

The problems in most small merchants are basic in nature. The PCI Security Standards Council publishes the standard (PCI DSS) at https://www.pcisecuritystandards.org/. The common findings are:
  • Insecure remote access used by attackers
  • Weak or default passwords and settings commonly used
  • Lack of network segmentation
  • Malware deployed to capture card data
  • Absence of antivirus tools to detect malware
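The "regular scan" recommended earlier and the first three findings in the list above (insecure remote access, default settings, no segmentation) are what a basic external vulnerability scan is meant to surface. As an added example that is not part of the original post, here is a triage script for the XML that `nmap -sV -oX` writes: it lists every open TCP port per host and flags remote-access and data-plane services that should never be reachable from outside the cardholder-data segment. The embedded XML is a constructed sample, not a real scan, the two hosts are TEST-NET addresses, and the port list and severity labels are this example's own choices, not PCI's.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX` output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/24">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services that should not be exposed from the scanning vantage point.
# This list and the severities are the example's own assumptions.
RISKY_PORTS = {
    21: ("ftp", "high"), 23: ("telnet", "high"), 445: ("smb", "high"),
    1433: ("mssql", "high"), 3389: ("rdp", "high"), 5900: ("vnc", "high"),
    5631: ("pcanywhere", "high"), 22: ("ssh", "medium"),
}


def parse_open_ports(xml_text):
    """Return {ip: [(port, nmap service name), ...]} for every open TCP port."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.findall("ports/port[@protocol='tcp']"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            open_ports.append((int(port.get("portid")), name))
        result[addr.get("addr")] = open_ports
    return result


def triage(xml_text):
    """Match open ports against RISKY_PORTS; high severity first."""
    findings = []
    for ip, ports in parse_open_ports(xml_text).items():
        for portid, _ in ports:
            if portid in RISKY_PORTS:
                label, severity = RISKY_PORTS[portid]
                findings.append({"ip": ip, "port": portid,
                                 "service": label, "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", f["ip"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_XML):
        print(f"{f['severity'].upper():6} {f['ip']}:{f['port']} ({f['service']})")
```

Run the real scan from outside the network (or from the office segment against the POS segment to test segmentation), feed the XML to `triage`, and every high-severity line is a remote-access path an attacker would try first, usually with a default or weak password.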

 

If you add a firewall and an Intrusion Prevention System you will protect yourself even further.

http://oversitesentry.com/cyberwar-you-aint-seen-nothin-yet/

Then add the Polliwall; now it will be almost impossible for the standard criminals to take your systems. None of us can defend against the nation states, but if we can defend against everyone else then we have created the defensive system for 2015.

One does not have to be on the cutting edge of technology to be secure.

But in my hacking classes (where we try to attack other computers with Metasploit) it is obvious very quickly that a patched machine, even a Windows XP system, is much harder to crack.

Now of course, Windows XP is almost obsolete. As of April 8, 2014, Microsoft no longer supports or provides updates for the Windows XP operating system. Here is a link for enterprises to help with the transition away from Windows XP.

So other than end-of-life operating systems, one does not need to stay on the latest OS to have a secure computer; just keep up with the patches and you will be more secure than many others.

The key is to review your systems and network environment for unknown gotchas.

Contact us, as we can help with your review process. Our products:

(A – Σ – Ω)

 

 

News of the day: Rowhammer, and this week is Patch Tuesday.

In the tip of the day segment we have a serious problem, as Rowhammer opens a new security angle which cannot be patched for some machines. [Image: DRAM]

 

Some DRAM has a bit-flipping problem in certain situations (hammering one row of memory with repeated accesses can flip bits in neighboring rows), which can be turned into an escalation of privilege: if the hacker already has code running on the computer, they can get admin or root access.

We need to realize that today's researchers develop exploits that criminals then use to attack our computers, and that script kiddies then use to attack the people who don't know how to use computers.

 

So we have to develop a new way of thinking: security must be built into our processes and methods. Compliance means security first. Otherwise we will get blindsided by the newest research attacks.

 

Remember, our systems were not built for security first, and the Internet was not built with security in mind. So we will have many other attacks and exploits to keep in mind.

 

This is why you need a security department: somebody who is thinking about the security angle all the time.

Contact Us

The video itself: [embedded video]

Here is a story on how to improve your privacy on your iPhone:

http://www.zdnet.com/pictures/new-iphone-ipad-change-these-ios-8-privacy-settings-immediately/

 

Bruce Schneier's post on privacy in general:

https://www.schneier.com/blog/archives/2015/02/everyone_wants_.html

 

We also need more cybersecurity: http://oversitesentry.com/how-do-we-improve-security/ We need more ethical hackers in every company understanding the issues.

 

Use the principle of philotimo to be an ethical hacker. The friend of honor will "do the right thing".

Also an apt YouTube video (regarding ΦΙΛΟΤΙΜΟ): http://youtu.be/DaPF4_-gH4g

 

To listen and educate yourself on net neutrality:

An interesting economist (Professor Hazlett) explains the nuts and bolts of net neutrality.

Minute 44 is about DSL sales growth and usage in the telecom industry.

I saw the Internet industry grow and change, as Hazlett describes, from 1996 until today.

Minute 51 has an example of a net neutrality violation (MetroPCS streaming YouTube but not others, like Netflix or Hulu).

At about an hour, the questions start.

 

As in my video, even after listening to Hazlett discuss this for an hour, I still think it will depend on the political power of the various factions. Of course the law is going to come down on net neutrality as well.

Hmmm, there are about 1000 phone companies in America (we can name 2-4 of them); the rural companies get government subsidies.

 

Either that or the criminals and "events" will cause you to react in ways that you will regret.

There is a good presentation from last year's Arch Con (Saint Louis Arch): http://www.youtube.com/watch?v=7GCC-0a_mVs

The opening keynote by Richard Bejtlich (@Taosecurity), "Applying Strategic Thought to Digital Defense",

is very interesting to contemplate after the Sony and Anthem breaches and with the coming year in mind (the convention was on September 24, 2014).

[Image: TaoSecurity opening keynote slide]

Of course, when discussing a "cyber security strategy" with executives, consider the following: CEO and CFO execs do not really understand the computer and Internet they use every day. They want it to work and be secure, period.

Now you need to wake them up 🙂 It is 2015; remember the Y2K scare, if you will. The Y2K issue was when computer people realized there might be a problem with software that only stored the last two digits of the year (such as 98 for 1998). So the wise IT people woke up one day in the late 90's and said: what happens in the year 2000, when the year 00 should come after 99 but compares as smaller? So all of a sudden all software that for whatever reason (programmer laziness etc.) only had 2 digits for the year needed 4 digits.

The switch from 2 to 4 digits was not a fast switch; all affected programs had to be rewritten for 4 digits. The scariest ones were in what is called the BIOS (Basic Input/Output System), the program that initially connects the operating system to the computer parts (hardware). If this program quits working, nothing works on the computer. The whole IT industry went into major overdrive and overtime to fix all the software by 12/31/1999, and then hoped that all the fixes worked on New Year's Day 2000. Fortunately all the effort paid off, and the few problems that arose were handled.

[Images: Y2K armageddon; Y2K countdown]

 

It is my belief we need a Y2K effort for cyber security in 2015. There is no time like today: this year, this time, we will do it.

We must have better security: spend the money this year, get to a higher level of security, and then it will not be a big deal in the future. Reduce the capabilities of the criminals by upping your security, just as recommended here:

http://www.fixvirus.com/catch-any-malware-including-equationgroup/ (set up an IPS firewall to catch attacks from inside and out). Also similar: http://oversitesentry.com/your-cyberdefense-still-2000s-thinking/

We need a new level of security testing and thinking, otherwise we will have worse and more serious attacks than Sony, which means the attackers will try to delete data and disrupt actual commerce. Do you really want to live with http://www.fixvirus.com/what-if-the-hacker-is-in-your-network/ ?

Richard Bejtlich has a good outline to follow for all of the people in the company to improve security:

Theme                  Who is in charge?            Actions / goals
Program goals          Board and CEO                Minimize loss due to intrusions
Strategies             CEO/CIO                      Rapid detection, response, and containment
Operations/campaigns   CISO or security director    Match and hunt for intruders
Tactics                Security staff               Collect, analyze, escalate and resolve incidents
Tools                  Vendors                      Various software

 

The directors and CEOs have an important role and have to be brought up to speed. It is up to us, the IT people, to talk their language.

[Image: Y2015 security effort]

Contact us to get your security up to speed for Y2015 and beyond; don't go back to Y2000.

 

 

The Fixvirus video show that explains it: [embedded video]

According to the Kaspersky Lab report:

http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf

There is malware that can infect hard drive firmware and then perform other tasks.

At page 23, item 14 says:

 

"14.
What C&C infrastructure do the Equation group implants use?
The Equation group uses a vast C&C infrastructure that includes more than
300 domains and more than 100 servers. The servers are hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.
All C&C domains appear to have been registered through the same two major
registrars, using “Domains By Proxy” to mask the registrant’s information.
Kaspersky Lab is currently sinkholing a couple dozen of the 300 C&C servers."
C&C means command & control.
The infected hard drive means nothing to the attacker without being able to "phone home". So since the implant has to contact its C&C server, we can detect that traffic, and once we detect it we can stop the transmission: an IPS firewall (a Next Gen Firewall), properly configured, can protect against the malware.
Contact us to help you with setting up your IPS or purchasing an IPS system that works for you.


[Image: Bloomberg screenshot this morning (johnstewartbloomberg)]

The news reports are out: malware from a group tied to Stuxnet was installed in hard drive firmware, infecting the drives, and you can't do anything about it.

The news reports are everywhere:

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

As usual, the SANS Internet Storm Center has the detailed information:

https://isc.sans.edu/forums/diary/A+Different+Kind+of+Equation/19345/

This is the money quote:

"You can find the original blog post here: http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage

 

This is also the true detail: http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf"

 

But my point will be: I don't care if the NSA has a "listening device" on my hard drive. You can shut down the NSA completely by running an IPS system, as I discussed in my blog post at oversitesentry.com:

http://oversitesentry.com/2-steps-stops-all-cyberattacks/

[Image: command and control]

Check that outbound communication: the client (your computer) running the malware (NSA or other) always wants to talk to C2, or command & control.

 

You can stop C&C communications!

All you have to do is install an IPS (Intrusion Prevention System) and configure it correctly. When it recognizes the C&C traffic it will reset the network connection and thus drop the connection.
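What "recognizing" C&C traffic means in practice, as an added example that is not part of the original post: the two cheapest checks an inline IPS or a log-review script can make are (1) is the destination on a known C&C or sinkhole list, and (2) does the client call the same outside host on a timer, which is the "phone home" behaviour described above and the one that survives an attacker changing servers. The log lines below are constructed in a key=value format of this example's own choosing, the hosts are TEST-NET and documentation addresses, and `KNOWN_C2` is a hypothetical indicator list standing in for a real threat-intel feed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound "allow" events (not captured traffic). 10.0.0.5 calls
# 198.51.100.7 roughly every five minutes; 10.0.0.8 touches a listed host.
SAMPLE_LOG = """\
2015-02-17T09:00:00 src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp
2015-02-17T09:00:04 src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
2015-02-17T09:05:01 src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp
2015-02-17T09:07:30 src=10.0.0.8 dst=93.184.216.34 dport=80 proto=tcp
2015-02-17T09:09:59 src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp
2015-02-17T09:15:02 src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp
2015-02-17T09:16:40 src=10.0.0.8 dst=203.0.113.9 dport=8080 proto=tcp
2015-02-17T09:20:00 src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp
"""

# Hypothetical C&C/sinkhole indicators; a real deployment loads a vendor feed.
KNOWN_C2 = {"203.0.113.9"}


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples from key=value log lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append((datetime.fromisoformat(parts[0]),
                       fields["src"], fields["dst"], int(fields["dport"])))
    return events


def find_beacons(events, min_hits=4, max_cv=0.10):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.
    Coefficient of variation = stdev / mean of the gaps: a person browsing
    produces large jitter, a malware timer produces almost none.
    Returns {(src, dst): mean interval in seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = mean
    return beacons


def verdicts(text):
    """Connections an inline IPS should reset: known C&C destinations first,
    then beacon-like pairs that no indicator matched."""
    events = parse_log(text)
    out, seen = [], set()
    for _, src, dst, _ in events:
        if dst in KNOWN_C2 and (src, dst) not in seen:
            seen.add((src, dst))
            out.append({"src": src, "dst": dst, "reason": "known_c2", "action": "reset"})
    for (src, dst), period in find_beacons(events).items():
        if (src, dst) not in seen:
            out.append({"src": src, "dst": dst,
                        "reason": f"beacon every {period:.0f}s", "action": "reset"})
    return out


if __name__ == "__main__":
    for v in verdicts(SAMPLE_LOG):
        print(f"RESET {v['src']} -> {v['dst']}: {v['reason']}")
```

The indicator check is what a signature-based IPS does; the beacon check is the one worth adding to your own log review, because an implant whose server is not on any list still has to call home on schedule. Tune `min_hits` and `max_cv` against your own traffic before acting on the output, since some legitimate software (update checkers, monitoring agents) also beacons.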

 

The IPS can be built into the firewall (they are now called NGFWs, or Next Generation Firewalls) to save on the amount of problems and

The problem that this disclosure creates is the idea, in the criminal mindset, of creating a Stuxnet clone. So it is going to be even more important for all businesses to install a firewall with IPS capabilities.

 

Contact Me for more...

TonyZ

 

 

 

People keep asking me... what can someone possibly use on my computer? I have nothing on it.

We are trying to explain this with some images.

The hacked computer could have a value of about $30.

Zombie computer: a computer being controlled by other computers.

[Images: zombie computer; compromised computer value]

 

[Image: what a hacked email account is worth]

A hacked computer (now called a Zombie) is used as an attack vehicle.

This system can be on the corporate network, could be a phone, or an "Internet of Things" device.

Any device on the Internet has the potential to become a Zombie and to be used as an attack vehicle.

 

When controlled from a single machine, hundreds or even thousands of zombies can be directed at a target, and by bouncing their traffic off reflectors the attacker multiplies it further.

Here is an analysis of using reflectors in DDOS  http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html

[Image: DDoS reflector attacks]

(Image from Datasoft: https://www.datasoft.ws/ds_whatisddos.php)

The above image is a good representation of what a DDoS reflector attack consists of.
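The mechanism in the image, played out in code as an added example that is not part of the original post or of the linked paper: the attacker forges the victim's address as the source of small requests to public servers (the reflectors), each reflector answers the forged source with a larger reply, and the victim receives all of it. The second half shows why ingress filtering at the attacker's upstream provider (BCP 38, a standard mitigation that the page itself does not mention) breaks the attack. The amplification factors, packet counts and addresses are constructed, illustrative figures, not measurements.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst size")

# Constructed amplification factors (reply bytes per request byte) for three
# services commonly abused as reflectors; illustrative, not measured.
AMPLIFICATION = {"dns": 28, "ntp": 200, "ssdp": 30}


def spoofed_requests(victim, reflectors, request_size=60, count=100):
    """The attacker forges the victim's address as the *source* of every
    request, so replies go to the victim, never back to the attacker.
    `reflectors` is a list of (ip, service) pairs."""
    return [Packet(victim, r_ip, request_size)
            for r_ip, _ in reflectors for _ in range(count)]


def reflect(requests, reflectors):
    """Each reflector answers whatever source address the request carried,
    with a reply `AMPLIFICATION` times larger than the request."""
    service_of = dict(reflectors)
    return [Packet(p.dst, p.src, p.size * AMPLIFICATION[service_of[p.dst]])
            for p in requests]


def bytes_to(packets, host):
    """Total bytes delivered to `host`."""
    return sum(p.size for p in packets if p.dst == host)


def bcp38_filter(packets, customer_prefix):
    """Ingress filtering at the attacker's upstream provider: drop any packet
    whose source address is outside the customer's own prefix. Forged
    requests are dropped before they ever reach a reflector."""
    net = ipaddress.ip_network(customer_prefix)
    return [p for p in packets if ipaddress.ip_address(p.src) in net]


def simulate(victim="203.0.113.5", attacker_prefix="198.51.100.0/24"):
    """Run the attack with and without BCP 38 and report the byte counts."""
    reflectors = [("192.0.2.53", "dns"), ("192.0.2.123", "ntp"), ("192.0.2.190", "ssdp")]
    requests = spoofed_requests(victim, reflectors)
    sent = sum(p.size for p in requests)
    hit = bytes_to(reflect(requests, reflectors), victim)
    filtered = bcp38_filter(requests, attacker_prefix)
    return {
        "attacker_bytes_sent": sent,
        "victim_bytes_received": hit,
        "amplification": hit / sent,
        "victim_bytes_with_bcp38": bytes_to(reflect(filtered, reflectors), victim),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:26} {value}")
```

With these figures the attacker spends 18 KB and the victim absorbs about 1.5 MB, an 86x multiplier, which is why a $30 zombie is worth having: its bandwidth is leveraged, not spent. The victim cannot block this by address, since the traffic arrives from legitimate servers; the defenses are rate-limiting the reflector services, not running open resolvers or NTP servers yourself, and providers filtering spoofed sources.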

 

So yes, your hacked machine is worth $30 or more even if you do not have "valuable" data on it. The problem is, any password that you saved on the system could be used by the hacker to penetrate your identity across the Internet.

 

And of course on 6/27/16 I put up a new blog post at my site http://oversitesentry.com/iot-botnet-can-ddos-your-webserver/

Briefly, it is about a botnet of 25,000 CCTV devices, all hacked and now used to attack other machines.

Contact me to discuss how we can design a vulnerability analysis for your computer network.