
Implementing an Intrusion (Cyber) Kill Chain: A Plenary Overview

The Intrusion (Cyber) Kill Chain is a phrase popularized by infosec industry professionals and introduced in a Lockheed Martin Corporation paper titled “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”.
The intrusion kill chain model is derived from a military model describing the phases of an attack: find, fix, track, target, engage and assess. Analysis of these phases is used to pinpoint gaps in capability and prioritize the development of needed systems. The first phase in the military model is to decide on a target (find). Second, once the target is decided, you set about locating it (fix). Next, you surveil it to gather intelligence (track). Once you have enough information, you decide the best way to realize your objective (target) and then implement your strategy (engage). Finally, you analyze what went wrong and what went right (assess) so that adjustments can be made in future attacks.
Lockheed Martin's analysts began by mapping the phases of cyber attacks, focusing on a specific class of attack, the Advanced Persistent Threat (APT), in which the intruder gets into a network and stays, sometimes for years, sending information (usually encrypted) to collection sites without being detected. Because the intruder spent so much time in the network, analysts were able to gather a great deal of data about what was happening, sift through it, and group it into the phases of the military model. They soon realized that while cyber attacks do have predictable phases, those phases differ somewhat from the military model. The intrusion (cyber) kill chain shown below describes the phases of a cyber attack.
The links in the chain are as follows:

1. Reconnaissance: Research, identification and selection of targets, for example scraping websites for information on companies and their employees in order to select targets.
2. Weaponization: Pairing an exploit with a payload, most often a Trojan with an exploit embedded in a document, photo or similar file.
3. Delivery: Transmission of the weapon (the document with an embedded exploit) to the targeted environment. According to Lockheed Martin's Computer Incident Response Team (LM-CIRT), the most prevalent delivery methods are email attachments, websites and USB removable media.
4. Exploitation: After the weapon is delivered, the intruder's code is triggered to exploit an operating system or application vulnerability, to abuse an operating system auto-execute feature, or to exploit the users themselves.
5. Installation: Along with the exploit, the weapon installs a remote access Trojan and/or a backdoor that allows the intruder to maintain presence in the environment.
6. Command and Control: Intruders establish a connection from compromised systems to an outside collection server and gain 'hands on keyboard' control of the target's compromised network, systems and applications.
7. Actions on Objective: After progressing through the previous six phases, the intruder takes action to achieve the objective. The most common objectives are data exfiltration, disruption of the network, and use of the target's network as a hop point to compromise other systems.
Lockheed Martin's analysts also discovered, while mapping the intruders' activities, that breaking (killing) any one link in the chain causes the intrusion to fail in its objective: the intruder has to succeed at every phase, while the defender only has to stop one. This is one of the major benefits of the intrusion kill chain framework. Security professionals have traditionally dealt with intrusions reactively, after the damage is done; the kill chain lets them act on any phase, including the early ones, before the intruder reaches the objective.
Lockheed Martin's case studies reveal that knowledge about previous intrusions and how they were accomplished allows analysts to recognize previously used tactics and exploits in current attacks. For example, mapping three intrusions revealed that all three were delivered via email, all three used very similar encryption, and all three used the same installation program and connected to the same outside collection site. All of the intrusions were stopped before they accomplished their objective.
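As an added illustration (this is not code from the Lockheed Martin paper or from the original article), the following Python sketch shows what that kind of mapping looks like in practice: three constructed intrusions are recorded as sets of indicators per kill chain phase, the indicators shared across intrusions are pulled out, the earliest phase at which the chain can be broken is identified, and each shared indicator is paired with a detect/deny/disrupt control drawn from the tool list later in this article. The intrusion records, indicator strings and the phase-to-control mapping are all assumptions made up for the example; the phase names follow the chain above.

```python
from collections import Counter, defaultdict

# Kill chain phases in order, as described above.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objective",
]

# Constructed records of three mapped intrusions. Indicator strings are
# illustrative placeholders, not real IOCs, hashes or domains.
INTRUSIONS = {
    "intrusion-1": {
        "weaponization": {"doc-type:pdf", "payload-crypto:xor-0x5a"},
        "delivery": {"email:attachment", "sender-domain:mail1.example.test"},
        "exploitation": {"exploit:pdf-reader-bug-a"},
        "installation": {"installer-sha256:1111"},
        "command_and_control": {"c2:collect.example.test:443"},
    },
    "intrusion-2": {
        "weaponization": {"doc-type:doc", "payload-crypto:xor-0x5a"},
        "delivery": {"email:attachment", "sender-domain:mail1.example.test"},
        "exploitation": {"exploit:office-bug-b"},
        "installation": {"installer-sha256:1111"},
        "command_and_control": {"c2:collect.example.test:443"},
    },
    "intrusion-3": {
        "weaponization": {"doc-type:pdf", "payload-crypto:xor-0x5a"},
        "delivery": {"email:attachment", "sender-domain:mail2.example.test"},
        "exploitation": {"exploit:pdf-reader-bug-c"},
        "installation": {"installer-sha256:1111"},
        "command_and_control": {"c2:collect.example.test:443"},
    },
}

# Which control (from the list in this article) can detect, deny or disrupt
# each phase. Assumed mapping for the example; adapt it to your own toolset.
COURSES_OF_ACTION = {
    "weaponization": {"detect": "NIDS signature", "deny": "anti-virus / anti-malware"},
    "delivery": {"detect": "email inspection", "deny": "email attachment filtering"},
    "exploitation": {"detect": "HIDS", "deny": "patching"},
    "installation": {"detect": "HIDS file alert", "deny": "anti-virus / anti-malware"},
    "command_and_control": {"detect": "NIDS", "deny": "firewall ACL", "disrupt": "NIPS"},
}


def shared_indicators(intrusions, min_count=2):
    """Per phase, the indicators seen in at least `min_count` intrusions and how often."""
    counts = defaultdict(Counter)
    for phases in intrusions.values():
        for phase, indicators in phases.items():
            counts[phase].update(indicators)
    shared = {}
    for phase, counter in counts.items():
        hits = {ind: n for ind, n in counter.items() if n >= min_count}
        if hits:
            shared[phase] = hits
    return shared


def earliest_kill_point(shared):
    """First phase (in chain order) with a reusable indicator: the earliest point
    at which the defender can break the chain for this campaign."""
    for phase in PHASES:
        if phase in shared:
            return phase
    return None


def courses_of_action(shared):
    """Pair every shared indicator with the controls that can act on its phase."""
    rows = []
    for phase in PHASES:
        for indicator in sorted(shared.get(phase, {})):
            for action, control in COURSES_OF_ACTION.get(phase, {}).items():
                rows.append((phase, indicator, action, control))
    return rows


if __name__ == "__main__":
    shared = shared_indicators(INTRUSIONS)
    print("earliest kill point:", earliest_kill_point(shared))
    for row in courses_of_action(shared):
        print("%-20s %-38s %-8s %s" % row)
```

Note that the exploitation phase drops out of the shared set: each intrusion used a different exploit, so that is the weakest place to build a durable detection, while the shared payload encryption, installer and collection site give the defender several earlier and later links to break.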
How did they do this? How can my company utilize this approach?
Monitoring and mapping are the key.
The following list contains some of the components (in no particular order) needed to map intrusions and set up the kill:
·         Network Intrusion Detection (NIDS)
·         Network Intrusion Prevention (NIPS)
·         Host Intrusion Detection (HIDS)
·         Firewall access control lists (ACL)
·         Full packet inspection
·         A mature IT asset management system
·         A mature and comprehensive Configuration Management Database (CMDB)
·         Device and system hardening
·         Secure configuration baselines
·         Website inspection
·         Honeypots
·         Anti-virus and anti-malware
·         Verbose logging – network devices, servers, databases, and applications
·         Log correlation
·         Alerting
·         Patching
·         Email and FTP inspection and filtering
·         Network tracing tools
·         Information Security staff trained in tracking and mapping events end-to-end
·         Coordination and partnering with IT, Application Owners, Database Administrators, Business Units and Management both in investigation and communicating the mapped intrusions.

In short, to implement intrusion kill chain activity a company needs a mature, inter-operating information security program. Additionally, it needs trained staff who can investigate, map and advise on 'kill' activities, keep a compendium of mapped intrusions, and analyze and compare old and new intruder activity, code use and delivery methods to thwart current and future intrusions.
The intrusion (cyber) kill chain cannot be implemented in place of a comprehensive information security program; it is another tool to be used to protect the company's data assets.
The good news is that if your company doesn't have a mature information security program, there is a lot you can do while making plans to add the intrusion kill chain to your department's arsenal.
·         Educate your employees to watch for suspicious emails. For instance, emails that seem to be off – such as, someone in accounting receiving an invitation to attend a marketing conference. Let them know that they shouldn't open attachments included in email like this.
·         Make sure you have anti-virus and anti-malware software installed and up to date.
·         Start an inventory of your computing devices, laptops, desktops, tablets, smartphones, network devices and security devices.
·         You have an advantage over intruders. You know your network and what is normal and usual, they don't.  Notice user behavior that is not usual and look into it.  For example, a login at 2am for someone who works 9 to 5. Or an application process that normally runs overnight that is kicking off during the day.
·         Keep your security patches up to date.
·         Create and monitor baseline configurations.
·         Write, publish and communicate information security policies and company standards.
·         Turn on logging and start collecting and keeping logs. Start with network devices and firewalls and then add servers and databases.  Set up alerts for things such as repeated attempts at access.
·         Spend some time using search engines from outside your network to see how much information can be learned about your company from the Internet.  You'd be surprised how much you can find including sensitive documents.
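Two of the checks above, the out-of-hours login and the repeated access attempts, are simple enough to script once logs are being collected. The following Python example is added here to show how; it is not part of the original article. The log format is an assumed fixed format, the log lines are constructed, and the per-user working-hours baseline is an assumption you would derive from your own environment. The overnight service account shows the wrap-around case (a 'normal' window that crosses midnight), which is the one that trips up naive hour comparisons.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed fixed log format for the example: ISO timestamp, host, result, user, source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2013-01-28T09:02:11 fileserver LOGIN_OK user=alice src=10.1.4.22
2013-01-28T02:14:05 fileserver LOGIN_OK user=alice src=10.1.9.77
2013-01-28T13:45:30 fileserver LOGIN_OK user=bob src=10.1.4.40
2013-01-28T14:10:00 dbhost LOGIN_OK user=svc_backup src=10.1.200.5
2013-01-28T23:30:00 dbhost LOGIN_OK user=svc_backup src=10.1.200.5
2013-01-28T10:00:01 fileserver LOGIN_FAIL user=carol src=10.1.4.51
2013-01-28T10:00:09 fileserver LOGIN_OK user=carol src=10.1.4.51
2013-01-28T03:00:00 vpn LOGIN_FAIL user=admin src=203.0.113.9
2013-01-28T03:00:04 vpn LOGIN_FAIL user=admin src=203.0.113.9
2013-01-28T03:00:08 vpn LOGIN_FAIL user=admin src=203.0.113.9
2013-01-28T03:00:12 vpn LOGIN_FAIL user=admin src=203.0.113.9
2013-01-28T03:00:16 vpn LOGIN_FAIL user=admin src=203.0.113.9
2013-01-28T03:00:20 vpn LOGIN_FAIL user=admin src=203.0.113.9
"""

# Assumed per-user normal hours (start, end). An end earlier than the start
# means the window crosses midnight, as for an overnight batch account.
BASELINE = {
    "alice": (time(9, 0), time(17, 0)),
    "bob": (time(8, 0), time(18, 0)),
    "carol": (time(8, 0), time(18, 0)),
    "svc_backup": (time(22, 0), time(4, 0)),
}


def parse_log(text):
    """Parse lines in the assumed format into dicts with a datetime `ts`."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count and review unparsable lines too
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return events


def in_window(t, start, end):
    """True if clock time t lies in [start, end]; handles windows that wrap past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def off_hours_logins(events, baseline):
    """Successful logins outside the user's baseline hours, or by users with no baseline."""
    alerts = []
    for e in events:
        if e["result"] != "LOGIN_OK":
            continue
        window = baseline.get(e["user"])
        if window is None:
            alerts.append((e["user"], e["ts"].isoformat(), "no baseline for user"))
        elif not in_window(e["ts"].time(), *window):
            alerts.append((e["user"], e["ts"].isoformat(), "outside normal hours"))
    return alerts


def repeated_failures(events, threshold=5, window=timedelta(seconds=60)):
    """(user, source, count) for each user/source pair with at least `threshold`
    failed logins inside some interval of length `window` (sliding window)."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "LOGIN_FAIL":
            by_key[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in sorted(by_key.items()):
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts.append((user, src, best))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in off_hours_logins(events, BASELINE):
        print("OFF-HOURS   ", alert)
    for alert in repeated_failures(events):
        print("REPEATED    ", alert)
```

The single mistyped password by carol is correctly ignored, while the six failures against the admin account from one outside address inside twenty seconds are reported; the thresholds are starting points to tune against what your own logs show as normal.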

All of these practices and activities give you more information about your computing environment and what is normal and usual. The more you know about your environment, the more likely it is that you will spot the intruder before any damage is done.

Disclaimer:- Before concluding, on behalf of Team VOGH, I would like to personally thank Mr. Adrian Stolarski for sharing this remarkable article with our readers. I would also like to thank Ryan Fahey of Infosec Institute for his spontaneous effort.



Security Onion, A Linux Distribution for Intrusion Detection


Security Onion:-
The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?
The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?
  • The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.
  • The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.
  • The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.


Three Alleged Cyber Criminals Behind the Banking Trojan 'Gozi' Charged in New York

Yet another serious cyber crime case has come to a head: the FBI tracked down the alleged masterminds behind the infamous Gozi banking Trojan, which infected more than a million systems worldwide, including a handful at NASA, leading to tens of millions of dollars in lost banking funds and damage to computer systems and networks. Three alleged international cyber criminals, responsible for creating and distributing Gozi, have been charged in Manhattan Federal Court. Mihai Ionut Paunescu, 28, a Romanian, Deniss Calovskis, 27, a Latvian, and Nikita Vladimirovich Kuzmin, 25, of the Russian Federation, are charged with computer intrusion, conspiracy to commit bank and wire fraud, and access device fraud. Federal authorities said Kuzmin is being held in New York, while Paunescu is in custody in Romania and Calovskis in Latvia.
According to the FBI's press release, Deniss Calovskis, a/k/a “Miami,” a Latvian national who allegedly wrote some of the computer code that made the Gozi virus so effective, was arrested in Latvia in November 2012. Mihai Ionut Paunescu, a/k/a “Virus,” a Romanian national who allegedly ran a “bulletproof hosting” service that enabled cyber criminals to distribute the Gozi virus, the Zeus trojan, and other notorious malware and to conduct other sophisticated cyber crimes, was arrested in Romania in December 2012.

The cases are being handled by the Complex Frauds Unit of the United States Attorney’s Office. Assistant United States Attorneys Sarah Lai, Nicole Friedlander, and Thomas G.A. Brown, along with Trial Attorney Carol Sipperly of the Computer Crime and Intellectual Property Section of the Department of Justice on the Paunescu case, are in charge of the prosecution. The charges contained in the Indictments are merely accusations, and the defendants are presumed innocent unless and until proven guilty.

Defendant: Nikita Kuzmin
Age and residence: 25; Moscow, Russia
Charges: Conspiracy to commit bank fraud; bank fraud; conspiracy to commit access device fraud; access device fraud; conspiracy to commit computer intrusion; computer intrusion
Maximum penalty: 95 years in prison

Defendant: Deniss Calovskis
Age and residence: 27; Riga, Latvia
Charges: Conspiracy to commit bank fraud; conspiracy to commit access device fraud; conspiracy to commit computer intrusion; conspiracy to commit wire fraud; conspiracy to commit aggravated identity theft
Maximum penalty: 67 years in prison

Defendant: Mihai Ionut Paunescu
Age and residence: 28; Bucharest, Romania
Charges: Conspiracy to commit computer intrusion; conspiracy to commit bank fraud; conspiracy to commit wire fraud
Maximum penalty: 60 years in prison


Brief About Gozi:-
The Gozi virus is malicious computer code, or “malware,” that steals personal bank account information, including usernames and passwords, from the users of affected computers. It was named by private sector information security experts in the U.S. who, in 2007, discovered that previously unrecognized malware was stealing personal bank account information from computers across Europe on a vast scale, while remaining virtually undetectable in the computers it infected. To date, the Gozi virus has infected over one million victim computers worldwide, among them at least 40,000 computers in the U.S., including computers belonging to the National Aeronautics and Space Administration (NASA), as well as computers in Germany, Great Britain, Poland, France, Finland, Italy, Turkey, and elsewhere, and it has caused tens of millions of dollars in losses to the individuals, businesses, and government entities whose computers were infected.

The Gozi virus was distributed to victims’ computers in several different ways. In one method, the virus was disguised as an apparently benign .pdf document which, when opened, secretly installed the Gozi virus on the victim’s computer. Once installed, the Gozi virus—which was intentionally designed to be undetectable by anti-virus software—collected data from the infected computer in order to capture personal bank account information including usernames and passwords. That data was then transmitted to various computer servers controlled by the cyber criminals who used the Gozi virus. These cyber criminals then used the personal bank account information to transfer funds out of the victims’ bank accounts and ultimately into their own personal possession.





Sony pegs loss of PlayStation Network and Qriocity service to an ‘external intrusion’

Sony officially confirms that the loss of service on PlayStation Network and Qriocity is the result of an "external intrusion," though the hacker group Anonymous denies any involvement.
Sony has a bit of a problem on its hands. For a few days now, users have experienced a total blackout of the company’s PlayStation Network and Qriocity online services. The loss of access is widely believed to be the work of the hacker group Anonymous, which has pledged to keep the pressure on the Japan-based company in the wake of a very public legal dust-up with PlayStation 3 jailbreak hacker George “GeoHot” Hotz.
Sony’s online gaming and music streaming networks both went down in the middle of last week. The cause had not been specified until today, when a new post on the PlayStation Blog pegged the loss of service to a Sony-initiated shutdown prompted by an “external intrusion.”
Sony senior director of communications and social media Patrick Seybold writes:
“An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th. Providing quality entertainment services to our customers and partners is our utmost priority. We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share.”
Don’t hold your breath, account holders. This is a significant event, and a pretty widespread one. Sony will certainly fix it as quickly as possible, and no doubt has a full team in the office this weekend to work on just that, but here are two subscription-driven services that had to be taken completely offline. You can almost hear the disgruntled masses gathered and throwing around words like “class action lawsuit.”
Interestingly, Anonymous is taking no credit for the service outage, and actually stepped forward to distance itself from the situation before Sony admitted to an “external intrusion” being the cause. The hacker group’s web-based news & updates outlet AnonNews features a post entitled “For Once We Didn’t Do It,” which pretty much says it all, doesn’t it? Anonymous admits that individual members may be responsible for the action, but the loss of service is not a group-wide initiative.


Security Breach on The Linux Foundation, Linux.com & their Subdomains


Dig back into last week's news and you will surely remember the attack on kernel.org. Now the Linux Foundation is under attack as well: the Linux Foundation has pulled its websites from the web to clean up after a “security breach.”
A notice posted on the Linux Foundation said the entire infrastructure including LinuxFoundation.org, Linux.com, and their sub domains are down for maintenance due to a security breach that was discovered on September 8, 2011.
“The LinuxFoundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org,” the group said.


The official notice posted by the Linux Foundation on its website reads:

"Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.
We are in the process of restoring services in a secure manner as quickly as possible. As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately. We are currently auditing all systems and will update this statement when we have more information.
We apologize for the inconvenience. We are taking this matter seriously and appreciate your patience. The Linux Foundation infrastructure houses a variety of services and programs including Linux.com, Open Printing, Linux Mark, Linux Foundation events and others, but does not include the Linux kernel or its code repositories.
Please contact us at info@linuxfoundation.org with questions about this matter."
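The notice's advice to treat SSH keys used on those sites as compromised raises a practical question: where else is that key still authorized? The following Python example is added here (it is not from the Linux Foundation or the original article) to show one way to answer it: it computes the OpenSSH-style SHA256 fingerprint of each key in an authorized_keys file and reports the lines whose fingerprint is on a list of compromised keys. The key blobs and the authorized_keys contents are constructed for the example, and the option-field parsing is deliberately simplified (it tokenizes on whitespace and locates the key-type token, which is enough for typical files but not for options containing spaces).

```python
import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def fingerprint(blob):
    """OpenSSH SHA256 fingerprint of a public key blob, in the form printed by `ssh-keygen -l`
    (base64 of the SHA-256 digest, with the trailing '=' padding removed)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text):
    """Yield (line_no, key_type, blob, comment) for each key line, skipping blank
    lines, comments and any leading options field (simplified: whitespace tokens)."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                try:
                    blob = base64.b64decode(tokens[i + 1], validate=True)
                except ValueError:
                    break  # malformed key material; skip the line
                yield line_no, tok, blob, " ".join(tokens[i + 2:])
                break


def find_compromised(authorized_keys_text, compromised_fingerprints):
    """Lines of an authorized_keys file whose key fingerprint is in the compromised set."""
    hits = []
    for line_no, key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = fingerprint(blob)
        if fp in compromised_fingerprints:
            hits.append((line_no, key_type, fp, comment))
    return hits


def ed25519_blob(raw32):
    """Build a wire-format ssh-ed25519 public key blob from 32 bytes (constructed, not a real key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


# Constructed key blobs: arbitrary 32-byte values standing in for real public keys.
LAPTOP_BLOB = ed25519_blob(bytes(range(32)))
COMPROMISED_BLOB = ed25519_blob(b"\x42" * 32)   # the key that was used on the breached sites
DESKTOP_BLOB = ed25519_blob(b"\x7f" * 32)


def b64(blob):
    return base64.b64encode(blob).decode("ascii")


# Constructed authorized_keys contents for the example, including an options field.
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed authorized_keys, not from a real host
ssh-ed25519 {b64(LAPTOP_BLOB)} alice@laptop
from="10.0.0.0/8",no-pty ssh-ed25519 {b64(COMPROMISED_BLOB)} alice@linuxfoundation-reused
ssh-ed25519 {b64(DESKTOP_BLOB)} bob@desktop
"""

if __name__ == "__main__":
    compromised = {fingerprint(COMPROMISED_BLOB)}
    for line_no, key_type, fp, comment in find_compromised(SAMPLE_AUTHORIZED_KEYS, compromised):
        print(f"line {line_no}: {key_type} {fp} ({comment}) is compromised; remove it")
```

In practice the compromised set would be filled from the fingerprints of the keys you actually used on the affected sites (for example the output of `ssh-keygen -lf` on each public key file), and the scan run over the authorized_keys files of every host you can reach with them.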




FBI's Cybercrime Unit Takes New Initiative to Nab Hackers and Intruders

October 2012 has been designated National Cyber Security Awareness Month, and in its last week the cyber crime division of the FBI has started a new program that focuses specifically on hackers and intrusions, with the aim of preventing cyber crime. Last month the Federal Bureau of Investigation (FBI) issued a report, based on information from law enforcement and complaints submitted to the Internet Crime Complaint Center (IC3), detailing recent cyber crime trends and new twists on existing cyber scams. According to the FBI's official release: Early last year, hackers were discovered embedding malicious software in two million computers, opening a virtual door for criminals to rifle through users’ valuable personal and financial information. Last fall, an overseas crime ring was shut down after infecting four million computers, including half a million in the U.S. In recent months, some of the biggest companies and organizations in the U.S. have been working overtime to fend off continuous intrusion attacks aimed at their networks. The scope and enormity of the threat, not just to private industry but also to the country’s heavily networked critical infrastructure, was spelled out last month in Director Robert S. Mueller’s testimony to a Senate homeland security panel: “Computer intrusions and network attacks are the greatest cyber threat to our national security.”
To that end, the FBI over the past year has put in place an initiative to uncover and investigate web-based intrusion attacks and develop a cadre of specially trained computer scientists able to extract hackers’ digital signatures from mountains of malicious code. Agents are cultivating cyber-oriented relationships with the technical leads at financial, business, transportation, and other critical infrastructures on their beats. 

Today, investigators in the field can send their findings to specialists in the FBI Cyber Division’s Cyber Watch command at Headquarters, who can look for patterns or similarities in cases. The 24/7 post also shares the information with partner intelligence and law enforcement agencies, such as the Departments of Defense and Homeland Security and the National Security Agency, on the FBI-led National Cyber Investigative Joint Task Force.
A key aim of the Next Generation Cyber Initiative has been to expand our ability to quickly define “the attribution piece” of a cyber attack to help determine an appropriate response, said Richard McFeely, executive assistant director of the Bureau’s Criminal, Cyber, Response, and Services Branch. “The attribution piece is: who is conducting the attack or the exploitation and what is their motive,” McFeely explained. “In order to get to that, we’ve got to do all the necessary analysis to determine who is at the other end of the keyboard perpetrating these actions.”
The Cyber Division’s main focus now is on cyber intrusions, working closely with the Bureau’s Counterterrorism and Counterintelligence Divisions.  “We are obviously concerned with terrorists using the Internet to conduct these types of attacks,” McFeely said. “As the lead domestic intelligence agency within the United States, it’s our job to make sure that businesses’ and the nation’s secrets don’t fall into the hands of adversaries.”
In the Coreflood case in early 2011, hackers enlisted a botnet—a network of infected computers—to do their dirty work. McFeely urged everyone connected to the Internet to be vigilant against computer viruses and malicious code, lest they become victims or unwitting pawns in a hacker or web-savvy terrorist’s malevolent scheme.
“It’s important that everybody understands that if you have a computer that is outward-facing—that it’s connected to the web—that your computer is at some point going to be under attack,” he said. “You need to be aware of the threat and you need to take it seriously.” 


The FBI has also released a podcast on the initiative, titled “The intrusions are occurring 24/7, 365 days a year.”







White House sends Congress a long-awaited cybersecurity proposal



The White House on Thursday sent Congress a formal proposal for cybersecurity legislation to help Senate lawmakers craft a passable bill from 50-some measures currently pending in both chambers.
The long-awaited framework would formally grant the Homeland Security Department oversight of cybersecurity operations within civilian federal agencies -- a role it has played in practice since last summer. Given the dearth of cyber experts in civilian agencies, the proposal would give DHS the same flexibility the Pentagon currently has to rapidly hire skilled professionals at competitive salary levels, Obama administration officials told reporters during a Thursday conference call.
The guidelines, which were expected to be released later on Thursday, largely rely on industry's know-how and willing compliance to certify their systems are safe and ask for federal assistance when attacked.
The proposal is silent on several sticking points, including cyberwarfare, classified information and the criteria for so-called critical infrastructure -- or systems that, if disrupted, could wreak havoc on national security. Such networks would be subject to greater regulation under a key Senate bill sponsored by the leaders of the Homeland Security and Governmental Affairs Committee. The White House framework also stays clear of a dispute over whether the president should have the power to hit a "kill switch," shutting down the Internet during emergencies.
The guidelines were prompted by a request from Senate Majority Leader Harry Reid, D-Nev., and chairmen of the committees with jurisdiction over computer security for input from President Obama on the various congressional proposals, White House officials said. The HSGAC and commerce panels passed comprehensive cybersecurity legislation about a year ago, while numerous other congressional panels and individual members have introduced their own piecemeal measures. The executive branch took about a year to reach consensus on which provisions agencies would support and what new ones they would propose.
The proposal would make so-called intrusion prevention systems a permanent fixture in the federal government, according to a fact sheet. As opposed to intrusion detection systems, which flag attacks and alert the appropriate responders, prevention software can actively respond by blocking intrusions. The guidelines say DHS should have the authority to supervise all such programs, including the existing "Einstein" tool. Internet service providers also would have to use the applications for any government traffic they manage.
The White House plan touches on one security element of a growth area in government IT: cloud computing. The practice allows organizations to access computer power, storage and software stored on the Internet by a third-party provider, rather than build on-site server farms. Administration officials are concerned that state protectionist measures are hampering the cloud industry, so the proposal would block state governments from requiring that companies in their states build data centers there, unless authorized by federal law, the fact sheet stated.
The guidelines would enable industry to obtain immediate assistance from Homeland Security in responding to an intrusion, if they wish, officials said. Currently, when organizations ask DHS to review logs to determine when a hacker attacked, the department's ability to intervene is slowed by legal uncertainty. To protect individuals, if a firm or local government wants to share such information with DHS, the organization must first strip out identifying information that is irrelevant to the infraction, according to the fact sheet.
Companies and local governments would be granted immunity for sharing information with the federal government about new computer viruses and cyber events that have compromised their systems. Should entities choose to provide such information, their customers' privacy would not be violated, according to the proposal.
White House officials said their proposal focuses on transparency and incentives to ensure companies managing networks for critical infrastructure in industries like energy and banking are accountable for service continuity. The draft bill directs Homeland Security and the private sector to jointly figure out which operations are the most critical and prioritize the most important threats to those services. An outside commercial auditor would assess the company's plans for mitigating such vulnerabilities.
On the consumer side, the proposal would require that businesses notify customers of certain data breaches to reduce the risk of identity theft. Sony recently took heat for not immediately telling customers that perpetrators had infiltrated the company's online gaming and music networks. The administration's plan would loop together a patchwork of 47 state laws on data breach reporting.
Many in the legislative branch and business community applauded the White House plan.
"The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos," HSGAC Chairman Joe Lieberman, I-Conn., ranking Republican Susan Collins, R-Maine, and Federal Financial Management Subcommittee Chairman Tom Carper, D-Del., said in a joint statement. The Senate and the administration "both recognize that the government and the private sector must work together to secure our nation's most critical infrastructure, for example, our energy, water, financial, telecommunications and transportation systems. We both call for risk-based assessments of the systems and assets that run that infrastructure."
The trio agreed with the administration that Homeland Security should take the lead in safeguarding civilian cybersecurity. Other lawmakers, particularly in the House, say the Defense Department, with its established expertise and deep pockets, should play a larger role in guarding U.S. networks. Currently, the Pentagon can monitor only the .mil domain and many civil liberties advocates would like to keep it that way.
Commerce Committee leaders also largely praised the proposed measure. "The White House has presented a strong plan to better protect our nation from the growing cyber threat," Chairman John D. "Jay" Rockefeller, D-W.Va., said in a statement. "I look forward to continuing to work with the White House, and my colleagues in the House and Senate, to pass a comprehensive cybersecurity bill this year."
Ranking member Sen. Olympia Snowe, R-Maine, said, "While the administration's delay in providing critical input to the legislative process is regrettable, it is my understanding that the administration proposal parallels many of the objectives, particularly pertaining to modernizing the public-private partnership, that Sen. Rockefeller and I have advocated."
Officials with trade group TechAmerica generally supported Obama's framework but said they had lingering questions about the flexibility the proposal grants firms to tailor their security strategies.
"The administration's proposal is a clear step forward in the process and we hope that it strikes the right balance between accountability and innovation in this shared responsibility between the public and private sectors," TechAmerica President Phil Bond said in a statement.
"We encourage Congress and the administration to draw a bright line between critical and noncritical infrastructure," Bond said. "Industry and government need to work together to make the right determinations for what is critical, and what the implications are for that designation."
Should the government require firms to take certain actions, the law must provide liability protections to shelter companies from any unanticipated consequences, he said.
Given that the Senate has been pursuing cybersecurity legislation in a bipartisan fashion, and both parties in the House last year actually passed elements of the White House proposal, the expectation is that a law could be enacted this year.
Disagreements over engagement in cyberwar or the job of the Pentagon's National Security Agency and the new U.S. Cyber Command likely will be worked out in separate legislation. Pending House defense and intelligence authorization bills, for instance, address cyberwarfare and require the development of systems for detecting unauthorized activities on classified networks.
But talks on the civilian-oriented bill may take months, especially since all sides appear to want industry involved in the vetting process. One item overlooked in the White House proposal that Congress wants -- the creation of a Senate-confirmed cyber czar -- may take some time to negotiate. And Congress has never considered some of the information-sharing measures the White House introduced on Thursday.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

VMware acquires Shavlik Technologies for vulnerability, configuration management

Virtualization giant VMware Inc. has announced it will acquire Shavlik Technologies, extending the company’s security portfolio into patch and configuration management.

Financial terms of the acquisition were not disclosed. New Brighton, Minn.-based Shavlik Technologies is a security firm that sells patch and configuration management software that can be configured to work in virtual environments. The company sells both on-premise and SaaS-based software that appeals to small and midsized businesses.
In March, Shavlik announced VMware GO, a SaaS offering it developed with VMware, which assists SMBs with deployment and management of VMware vSphere software. Mark Shavlik, CEO of Shavlik, said the company has been building its portfolio around its presence in the SMB market. Last spring, the company announced a Web-based version of its software, stripped down to vulnerability and virtual machine management.
"The enthusiasm, creativity and operational excellence of our two companies will allow us to better serve our global customers and partners by accelerating IT management innovations," Shavlik said in a statement.
VMware said the two companies would develop a complete portfolio for managing, monitoring and securing IT environments, including developing a centralized IT management console and automated tools for patch management, compliance and configuration for virtual environments. The software could be used by managed service providers to better service their SMB customers, VMware said.

"With the Shavlik acquisition, VMware will be able to provide simple to use and affordable management services developed to address the specific demands of SMBs," Raghu Raghuram, senior vice president and general manager of cloud infrastructure and management at VMware, said in a statement.
VMware has slowly built up its security arsenal, starting with the acquisition of Determina in 2006, which sold host-based intrusion prevention system (HIPS) technology that was configured to work in a variety of virtual scenarios. It acquired BlueLane Technologies in 2008. BlueLane can sit between the hypervisor and the virtual machine for application-aware firewalling, visibility of traffic between virtual machines and intrusion prevention capabilities.
In 2010, VMware acquired TriCipher for identity and access management services. TriCipher provides secure authentication and single sign-on access for SaaS-based software.
VMware’s acquisitions make it clear that it expects to grow out the features of its security product sets, said Pete Lindstrom, a research director with Spire Security. Lindstrom said Shavlik has a stellar reputation in the security industry for its patch management capabilities. Shavlik has been slowly building out its capabilities into configuration and compliance management and has extended them to virtual systems, he said.
“We’ve been talking forever about potential benefits for patching in virtual environments,” Lindstrom said. “It will be interesting to see if we get some traction into the benefits we’ve anticipated with patching for virtual instances.”


Security Onion Live DVD For Intrusion Detection Systems

The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, metasploit, Armitage, scapy, hping, netcat, tcpreplay, and many other security tools.
Official Change Log for Security Onion 20110909:-
  • The “IDS Rules” menu now has a new entry called “Add Local Rules” which will open /etc/nsm/rules/local.rules for editing using the “mousepad” GUI editor. You can then add any rules that you want to maintain locally (outside of the downloaded VRT or Emerging Threats rulesets).
  • A new menu called “IDS Config” was added with a new menu entry called “Configure IDS engine(s)”. This will list all of the IDS engines on your system and allow you to choose one to configure. It will then open the proper config file for whatever IDS engine you’re running. After you save and close the config file, it will offer to restart the IDS engine for you.

Sony Online Entertainment Shut Down After 25 Million More Accounts Hacked

Sony Online Entertainment has temporarily shut down its online games service and its Facebook games after discovering the April break-in that led to the theft of 77 million user accounts also affected its system.
A spokesman for the online games unit said the service was taken down at 1:30 am Pacific time on Monday. The spokesman declined to say how many customers were affected and none were alerted beyond a terse message on its website.
Facebook games developed by Sony Online Entertainment including "PoxNora," "Dungeon Overlord," "Wildlife Refuge," as well as games based on the Star Wars movies, were all shut down.
Sony posted a message on Facebook saying "we had to temporarily take down SOE services during the night." A Sony spokesman said the Facebook games make money from microtransactions and the sale of virtual goods like costumes and weapons.
Facebook could not immediately be reached for comment.
Sony Online Entertainment is a division of Sony Corp, the global electronics company that operates online games such as "EverQuest" and is separate from the PlayStation video game console division.
The spokesman, who could not confirm a Nikkei report that 12,700 credit card numbers were stolen from the intrusion of Sony Online Entertainment, said it was not "a second attack" and was related to the April 17-19 break-in of the Sony PlayStation Network.
"In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately," the company said on its website.
Sony on Monday denied on its official PlayStation blog that hackers had tried to sell it a list of millions of credit card numbers.
The news comes less than a week after Sony alerted customers that a hacker broke into Sony's PlayStation video game network and stole names, addresses, passwords and possibly credit card numbers of its 77 million customers.
Sony alerted customers a week after discovering the break-in.
Sony executives apologized on Sunday and said it would gradually restart the PlayStation Network with increased security and would offer some free content to users.


The Washington Post Server Breached! Chinese Hackers Suspected Behind This Cyber Attack

The Washington Post Server Hacked! Suspected That Chinese Hackers Are Behind This Cyber Attack 
Last week the story of Chinese eavesdropping on European ministries and diplomats at the G20 summit drew the attention of the entire cyber world and made headlines. Now another serious incident has come to light, in which China is again held responsible for a security breach, this one affecting The Washington Post, the most widely circulated newspaper published in Washington, D.C. Sources revealed that hackers broke into The Washington Post’s servers and gained access to employee user names and passwords. Mandiant, a cyber security contractor that monitors The Washington Post’s networks, said the intrusion was of relatively short duration.

The extent of the loss of company data was not immediately clear. Although the company passwords are stored in encrypted form, hackers have in some cases shown the ability to decode such information, so to avoid any further mishap The Washington Post plans to ask all employees to change their user names and passwords on the assumption that many or all of them may have been compromised. Officials at The Washington Post said they saw no evidence that subscriber information, such as credit cards or home addresses, was accessed by the hackers. Nor was there any sign that the hackers had gained access to The Post’s publishing system, e-mails or sensitive personal information of employees, such as their Social Security numbers. Post officials said this hack is more recent than the 2011 one. They also said it began with an intrusion into a server used by The Post’s foreign staff but eventually spread to other company servers before being discovered. “This is an ongoing investigation, but we believe it was a few days at most,” said Post spokeswoman Kris Coratti.

China has not only targeted The Washington Post: looking at the major cyber attacks of this year, the name of China has come up several times in connection with attacks against several high-profile U.S. news organizations, including The New York Times, NBC and others. So far the Chinese government has not responded to this issue, and no Chinese hacker group has claimed responsibility for this breach. For upcoming updates on this story, stay tuned with VOGH.


Sony says 25 million more accounts hacked

Sony Corp. said Monday that hackers may have taken personal information from an additional 24.6 million user accounts after a review of the recent PlayStation Network breach found an intrusion at a division that makes multiplayer online games.

The data breach comes on top of the 77 million PlayStation accounts it has already said were jeopardized by a malicious intrusion.

The latest incident occurred April 16 and 17 - earlier than the PlayStation break-in, which occurred from April 17 to 19, Sony said.

About 23,400 financial records from an outdated 2007 database involving people outside the U.S. may have been stolen in the newly discovered breach, including 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain, it said.

The outdated information contained credit card numbers, debit card numbers and expiration dates, but not the 3-digit security code on the back of credit cards. The direct debit records included bank account numbers, customer names, account names and customer addresses.

Company spokeswoman Taina Rodriguez said Sony had no evidence the information taken from Sony Online Entertainment, or SOE, was used illicitly for financial gain.

"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1 we concluded that SOE account information may have been stolen and we are notifying you as soon as possible," Sony said in a message to customers.

Sony said that it shut service Monday morning to Sony Online Entertainment games, which are available on personal computers, Facebook and the PlayStation 3 console. Its most popular games include "EverQuest," "Free Realms" and "DC Universe Online."

The company said it will grant players 30 days of additional time on their subscriptions, along with one day for each day the system is down. It is also creating a "make good" plan for its multiplayer online games.

On Sunday, Sony executives bowed in apology and said they would beef up security measures after an earlier breach caused it to shut down its PlayStation network on April 20. The company is working with the FBI and other authorities to investigate what it called "a criminal cyber attack" on Sony's data center in San Diego, Calif.

The company said it would offer "welcome back" freebies such as complimentary downloads and 30 days of free service to PlayStation customers around the world to show remorse and appreciation.

PlayStation spokesman Patrick Seybold, in a blog post Monday, denied a report that said a group tried to sell millions of credit card numbers back to Sony.

He also said that while user passwords had not been encrypted, they were transformed using a simpler function called a hash that did not leave them exposed as clear text.
