Wednesday 6 June 2012

The sense or nonsense of changing your password

By now everybody has caught on to the (presumed) LinkedIn breach, except the people at LinkedIn themselves, who are probably still digging through their treasure trove of social big data in the cloud. However, the most frequently heard comment today must have come from several people saying that it makes no sense to change your password because the attackers could just get it again. While not an invalid point, I believe it's the worst advice to give.

There are three main components to this attack:
1. finding the vulnerability that enables the attacker to extract the data
2. extracting the data
3. cracking the passwords

Assuming your password was cracked, the attacker has successfully performed all three steps. If you change your password now, the attacker has to perform steps 2 and 3 again. Given that this was a wake-up call for you, you probably chose a much more complex password, which makes step 3 much harder for the attacker (and if the old password was reused on other sites, it needs changing there too, since the cracked value works on every site that accepted it). Even though the vulnerability has not been fixed (yet), changing your password does make you safer.
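To make step 3 concrete, here is an added example (mine, not code from the original post or from anyone involved in the breach): a toy dictionary attack run against a constructed dump of password hashes, first as the attacker found it and then after one user has changed to a long passphrase. It assumes the leaked hashes are unsalted SHA-1 of the password (an assumption of this example, not something the post states), and the user names, passwords and wordlist are all made up for the illustration.

```python
"""Toy dictionary attack against a constructed dump of unsalted SHA-1 hashes.

Added example, not from the original post. Assumptions: hashes are unsalted
SHA-1 of the password; the users, passwords and wordlist below are constructed.
"""
import hashlib


def sha1_hex(pw: str) -> str:
    """Assumed hash format of the dump: plain SHA-1, no salt, hex encoded."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


# Constructed "dump": what the attacker extracted in step 2.
# Two weak passwords and one long passphrase that is in no wordlist.
DUMP = {
    "alice": sha1_hex("sunshine"),
    "bob": sha1_hex("Password1!"),
    "carol": sha1_hex("correct horse battery staple"),
}

# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["password", "sunshine", "linkedin", "letmein", "welcome", "qwerty", "monkey"]

SUFFIXES = ("1", "123", "!", "1!", "2012")


def candidates(words):
    """Yield each word with a few common mangling rules applied
    (as typed, capitalised, upper-cased, each optionally with a suffix)."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in SUFFIXES:
                yield base + suffix


def crack(dump, words):
    """Step 3: hash every candidate once and look it up against every user.

    Because the hashes are unsalted, a single SHA-1 computation tests the
    candidate against all users at once, which is what makes a dump like
    this so cheap to crack.
    """
    targets = {h: user for user, h in dump.items()}
    cracked = {}
    for cand in candidates(words):
        user = targets.get(sha1_hex(cand))
        if user is not None:
            cracked[user] = cand
    return cracked


def after_change(dump, user, new_pw, words):
    """The attacker repeats steps 2 and 3 after `user` has changed password."""
    new_dump = dict(dump)
    new_dump[user] = sha1_hex(new_pw)
    return crack(new_dump, words)


if __name__ == "__main__":
    print("before:", crack(DUMP, WORDLIST))
    # alice's wake-up call: a long passphrase instead of a dictionary word.
    print("after: ", after_change(DUMP, "alice", "my dog ate 3 blue socks!", WORDLIST))
```

Before the change, the same wordlist recovers both "sunshine" and "Password1!"; after alice switches to the passphrase, only bob's password falls, even though the attacker re-ran the extraction and the exact same cracking run. The attacker still holds the dump, but step 3 is now a much larger search for the one account that changed.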

A good analogy is your seatbelt (I know it's old, but it works ...). After a minor crash, you may finally make a habit of wearing your seatbelt. There is obviously still a (big) chance that you'd die in a major crash, but it becomes much less likely.

Update:
Someone remarked that, if the attacker still has access to LinkedIn, steps 1 and 2 become unnecessary, especially if the attacker can see the plaintext stage of the password change (chpass) path. Obviously, we don't know how they got owned, so any theory goes. I'm placing my bet on SQLi, but in case it is worse than that, I might go back to my rolodex :-)

Rock on,
/W

Monday 4 June 2012

a few honest questions about Flame ... answer 'em

While I invited some of the most vocal people on the issue of #flame to our humble podcast tonight, nobody actually stepped up to the opportunity to openly discuss the issue. Too bad, so I'll put out the random questions that are floating around my head right now and that I can't find a good answer to. If you have additional questions, I'm happy to add them to the list.

1) Microsoft, WHAT THE F- HAPPENED THERE ??? You're practically the only vendor from whom I've read sensible documentation on how to build a reasonably secure PKI infra, and now you come telling me that FOR ALL THESE YEARS any customer with a Terminal Services License was able to sign code, create MITM certs, etc.? If this actually was malware created by a "western intelligence agency" (see question 6 ;-)), you were pretty much thrown under the bus at terminal velocity. Here's a *hug*

2) Infosec community, WHAT THE F- HAPPENED THERE ??? We're there to cry wolf when Google updates the certs blocked by Chrome because of a forged gmail.com cert, because that kills people, but we succeed in missing a flaw that should be blatantly obvious in a product of the vendor that is probably the most scrutinized in the world? (Obviously, part of that blame is mine. I'm ashamed for the lot of us.)

3) AV companies, WHAT THE F- HAPPENED THERE ??? So yeah, samples dating back to 2010 (unsigned, I've learned by now) didn't trigger any of the automated triage systems you employ. If we had triage systems like that in disaster situations ... WE WOULDN'T NEED TO BE LOOKING FOR SURVIVORS !

4) AV companies, WHAT THE F- HAPPENED THERE ??? Everybody's pushing out Flame-related content front, left and center, but it doesn't even sound like you're all speaking the same language. Is there actually any communication between you guys? Or is it each to their own, with everybody trying to outrun each other?

5) AV companies, WHAT THE F- HAPPENED THERE ??? So, Kaspersky got some major DNS providers to work with them and sinkhole domains identified as related to the Flame malware. Are you guys aware of those actions? Do you tip each other off? Wouldn't it make sense TO DO THIS TOGETHER? WTH, y'all are spending resources on analyzing that piece of malware while one of you is jokingly redirecting all C&C traffic to their own servers. Seriously, last time I checked you needed a court order, or you needed to be the US government, to sinkhole domains.

6) US gov, Israel, WHAT THE F- HAPPENED THERE ??? Nope, I don't believe you guys are actually behind this one. You're scratching your heads in disbelief and are actually happy that people are attributing to you the leet skills needed to pull this one off ;-)


Friday 1 June 2012

Forensics Training courses

Yesterday I posted a question on Twitter to see what other training offerings there are in the area of computer forensics, beyond what we know is a quality offering from SANS. Not because I don't like SANS, but because I kinda knew everybody would start sending me SANS links, and since I know their offering I was mostly looking for others. Here's what people came up with:

- EC-Council CHFI: http://www.eccouncil.org/Computer-Hacking-Forensic-Investigator/index.html
- Tigerscheme has malware and forensics courses: http://www.tigerscheme.org/qualifications/Tiger_Digital_Forensics_Certified_Incident_Handler.pdf
- CERT/CC offers such a course: http://www.sei.cmu.edu/training/P107.cfm
- 7Safe offers such a course: http://7safe.com/forensic_investigation_course-technical_hands-on.html
- Digital Intelligence's CFE is such a course: http://www.digitalintelligence.com/training/cfe.php
- TrustWave SpiderLabs offers personalized forensics training (no link to a training curriculum available): https://www.trustwave.com/spiderLabs-services.php