
Implementing the Intrusion (Cyber) Kill Chain: A Plenary Overview


The Intrusion (Cyber) Kill Chain is a phrase popularized by infosec industry professionals and introduced in a Lockheed Martin Corporation paper titled "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains".
The intrusion kill chain model is derived from a military model describing the phases of an attack. The phases of the military model are: find, fix, track, target, engage, and assess. Analysis of these phases is used to pinpoint gaps in capability and prioritize the development of needed systems. The first phase in this military model is to decide on a target (find). Second, once the target is decided, you set about locating it (fix). Next, you surveil it to gather intelligence (track). Once you have enough information, you decide the best way to realize your objective (target) and then implement your strategy (engage). Finally, you analyze what went wrong and what went right (assess) so that adjustments can be made in future attacks.
Lockheed Martin analysts began by mapping the phases of cyber attacks. The mapping focused on a specific type of attack, Advanced Persistent Threats (APTs), in which the adversary gets into your network and stays for years, sending information (usually encrypted) to collection sites without being detected. Since the intruder spent so much time in the network, analysts were able to gather data about what was happening. Analysts could then sift through the data and begin grouping it into the military attack model phases. Analysts soon realized that while there were predictable phases in cyber attacks, the phases were slightly different from the military model. The intrusion (cyber) kill chain shown below describes the phases of a cyber attack.
The chain of events or activities is as follows (each link in the chain with its description):

1. Reconnaissance: Research, identification and selection of targets, such as scraping websites for information on companies and their employees in order to select targets.
2. Weaponization: Most often, a Trojan with an exploit embedded in documents, photos, etc.
3. Delivery: Transmission of the weapon (a document with an embedded exploit) to the targeted environment. According to Lockheed Martin's Computer Incident Response Team (LM-CIRT), the most prevalent delivery methods are email attachments, websites, and USB removable media.
4. Exploitation: After the weapon is delivered, the intruder's code is triggered to exploit an operating system or application vulnerability, to make use of an operating system's auto-execute feature, or to exploit the users themselves.
5. Installation: Along with the exploit, the weapon installs a remote access Trojan and/or a backdoor that allows the intruder to maintain presence in the environment.
6. Command and Control: Intruders establish a connection from compromised systems to an outside collection server and gain 'hands on the keyboard' control of the target's compromised network, systems and applications.
7. Actions on Objective: After progressing through the previous six phases, the intruder takes action to achieve their objective. The most common objectives are data extraction, disruption of the network, and/or use of the target's network as a hop point.
Lockheed Martin's analysts also discovered, while mapping the intruder's activities, that a break (kill) in any one link of the chain would cause the intrusion to fail in its objective. This is one of the major benefits of the intrusion kill chain framework, as security professionals have traditionally taken a purely defensive approach to incident response. It means that intrusions can be dealt with offensively too.
Lockheed Martin's case studies reveal that knowledge of previous intrusions and how they were accomplished allows analysts to recognize previously used tactics and exploits in current attacks. For example, mapping three intrusions revealed that all three were delivered via email, all three used very similar encryption, and all three used the same installation program and connected to the same outside collection site. All of the intrusions were stopped before they accomplished their objective.
How did they do this? How can my company utilize this approach?
Monitoring and mapping is the key.
The following list contains some of the components (in no particular order) needed to do intrusion mapping and set up the kill:
· Network Intrusion Detection (NIDS)
· Network Intrusion Prevention (NIPS)
· Host Intrusion Detection (HIDS)
· Firewall access control lists (ACLs)
· Full packet inspection
· A mature IT asset management system
· A mature and comprehensive Configuration Management Database (CMDB)
· Device and system hardening
· Secure configuration baselines
· Website inspection
· Honeypots
· Anti-virus and anti-malware
· Verbose logging on network devices, servers, databases, and applications
· Log correlation
· Alerting
· Patching
· Email and FTP inspection and filtering
· Network tracing tools
· Information security staff trained in tracking and mapping events end-to-end
· Coordination and partnering with IT, application owners, database administrators, business units and management, both in investigating and in communicating the mapped intrusions

In short, in order to implement intrusion kill chain activity a company needs a mature, inter-operating information security program. Additionally, it needs trained staff who can investigate, map and advise on 'kill' activities, keep a compendium of mapped intrusions, and analyze and compare old and new intruder activity, code use and delivery methods to thwart current and future intrusions.
The intrusion (cyber) kill chain is not an endeavor that can be successfully implemented in place of a comprehensive information security program; it is another tool to be used to protect the company's data assets.
The good news is that if your company doesn't have a mature information security program, there is still a lot you can do while making plans to add the intrusion kill chain to your department's arsenal.
· Educate your employees to watch for suspicious emails, for instance emails that seem off, such as someone in accounting receiving an invitation to attend a marketing conference. Let them know that they shouldn't open attachments included in emails like this.
· Make sure you have anti-virus and anti-malware software installed and up to date.
· Start an inventory of your computing devices: laptops, desktops, tablets, smartphones, network devices and security devices.
· You have an advantage over intruders: you know your network and what is normal and usual, and they don't. Notice user behavior that is not usual and look into it. For example, a login at 2am for someone who works 9 to 5, or an application process that normally runs overnight kicking off during the day.
· Keep your security patches up to date.
· Create and monitor baseline configurations.
· Write, publish and communicate information security policies and company standards.
· Turn on logging and start collecting and keeping logs. Start with network devices and firewalls and then add servers and databases. Set up alerts for things such as repeated attempts at access.
· Spend some time using search engines from outside your network to see how much information can be learned about your company from the Internet. You'd be surprised how much you can find, including sensitive documents.

All of these practices and activities give you more information about your computing environment and what is normal and usual. The more you know about your environment, the more likely it is that you will spot the intruder before any damage is done.
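The two detections the list above calls out, a login outside a user's normal hours and repeated access attempts, can be run over collected logs as soon as logging is switched on. The following is an added example, not code from the original article or from Lockheed Martin; the log line format, the account schedules and the thresholds are assumptions constructed for the illustration.

```python
"""Baseline-driven alerting over authentication logs (added example).

The "normal and usual" baseline is the hours each account is expected to be
active; anything outside it, or a burst of failed attempts from one source,
raises an alert. Log format, accounts and thresholds are constructed here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<date> <time> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2013-11-18 02:03:11 LOGIN_OK user=jsmith src=10.0.0.7
2013-11-18 09:15:42 LOGIN_OK user=jsmith src=10.0.0.7
2013-11-18 09:16:05 LOGIN_FAIL user=admin src=203.0.113.9
2013-11-18 09:16:09 LOGIN_FAIL user=admin src=203.0.113.9
2013-11-18 09:16:14 LOGIN_FAIL user=admin src=203.0.113.9
2013-11-18 09:16:20 LOGIN_FAIL user=admin src=203.0.113.9
2013-11-18 09:16:27 LOGIN_FAIL user=admin src=203.0.113.9
2013-11-18 13:40:00 LOGIN_OK user=mlee src=10.0.0.12
2013-11-18 22:10:33 LOGIN_OK user=batch src=10.0.0.2
"""

# Assumed baseline: (start_hour, end_hour) during which each account is normally active.
# A window whose start is after its end wraps past midnight (overnight jobs).
NORMAL_HOURS = {
    "jsmith": (9, 17),   # office worker, 9 to 5
    "mlee": (9, 17),
    "batch": (22, 6),    # overnight batch job, 22:00 to 06:00
}
FAIL_THRESHOLD = 5       # failed attempts from one (account, source) pair ...
FAIL_WINDOW_SECONDS = 60 # ... within this many seconds triggers an alert


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {"ts": ts, "event": parts[2], "user": fields.get("user"), "src": fields.get("src")}


def in_normal_hours(hour, window):
    """True when the hour falls inside the account's expected window (handles midnight wrap)."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def detect(log_text):
    """Return a list of (rule, detail) alerts for the given log text."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failed attempts
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_OK":
            window = NORMAL_HOURS.get(rec["user"])
            if window and not in_normal_hours(rec["ts"].hour, window):
                alerts.append(("off-hours-login",
                               f"{rec['user']} at {rec['ts']:%H:%M} from {rec['src']}"))
        elif rec["event"] == "LOGIN_FAIL":
            key = (rec["user"], rec["src"])
            failures[key].append(rec["ts"])
            # keep only attempts inside the sliding window
            failures[key] = [t for t in failures[key]
                             if (rec["ts"] - t).total_seconds() <= FAIL_WINDOW_SECONDS]
            if len(failures[key]) == FAIL_THRESHOLD:  # alert once, when the threshold is first crossed
                alerts.append(("repeated-failures",
                               f"{rec['user']} from {rec['src']}: "
                               f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW_SECONDS}s"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(rule, detail)
```

Running it on the constructed log reports the 2am login for the 9-to-5 account and the burst of failed attempts against the admin account, while the overnight batch job's 22:10 login stays quiet because it matches its baseline.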

Disclaimer: Before concluding, on behalf of Team VOGH I would like to personally thank Mr. Adrian Stolarski for sharing this remarkable article with our readers. I would also like to thank Ryan Fahey of Infosec Institute for his spontaneous effort.



Twitter & Yahoo Tightening Their Security to Prevent Eavesdropping by the NSA & Other Govt Agencies

Last month an untold and sensational story came to light when the whistleblower Edward Snowden unveiled a top-secret NSA program called "Muscular". Former NSA contractor Snowden disclosed that the National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world in order to collect and snoop on the private data of millions of internet users. The NSA's acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency's headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records, including "metadata," which would indicate who sent or received e-mails and when, as well as content such as text, audio and video. Both Yahoo and Google said that they had never given any government agency access to their data centers. A Yahoo spokeswoman said, "We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency." Google's chief legal officer, David Drummond, said, "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

But the fact of the matter is that the NSA has indeed sniffed the personal and private communications of millions of internet users of tech giants like Yahoo and Google. To prevent this kind of privacy breach, the tech giants that hold the personal records and credentials of the masses are now tightening and enhancing their existing security systems. According to Marissa Mayer, CEO of Yahoo, "We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it." Yahoo also says it will encrypt all information moving between its data centers by the end of the first quarter, and it will work on getting international partners to enable HTTPS encryption in Yahoo-branded Mail services. Yahoo says it will give users an option to encrypt all data flowing to and from Yahoo. "Yahoo has never given access to our data centers to the NSA or to any other government agency ever. There is nothing more important to us than protecting our users’ privacy. To that end, we recently announced that we will make Yahoo Mail even more secure by introducing https (SSL - Secure Sockets Layer) encryption with a 2048-bit key across our network by January 8, 2014," added Marissa Mayer.

Not only Yahoo but also the social networking giant Twitter, which has almost 550 million registered users and 250 million active users across the globe, has taken immediate steps after this breathtaking story of spying by the NSA came into the spotlight. Twitter is implementing new security measures that should make it much more difficult for anyone to eavesdrop on communications between its servers and users. The entire security mechanism has been adopted to tighten the data privacy of its users. According to a Twitter blog post, the company has implemented "perfect forward secrecy" on its web and mobile platforms, which makes eavesdropping almost impossible. "As part of our continuing effort to keep our users’ information as secure as possible, we’re happy to announce that we recently enabled forward secrecy for traffic on twitter.com, api.twitter.com, and mobile.twitter.com. On top of the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property. If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic," said the blog post.
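Whether a server actually has the property Twitter's post describes comes down to its cipher suites: forward secrecy holds only when the session key is agreed through an ephemeral (EC)DHE exchange rather than encrypted to the server's long-term RSA key. The audit below is an added example and is not Twitter's code or configuration; the server cipher lists it checks are constructed samples.

```python
"""Audit a TLS cipher list for forward secrecy (added example).

Suites whose key exchange is the server's static RSA (or static DH) key let a
future theft of that key decrypt previously recorded sessions; ECDHE/DHE suites
and every TLS 1.3 suite do not. Handles both OpenSSL-style and IANA-style names.
"""


def has_forward_secrecy(suite):
    """Classify one cipher suite name, e.g. 'ECDHE-RSA-AES128-GCM-SHA256'."""
    if "_WITH_" in suite:
        # IANA TLS 1.2 name: the key-exchange token sits between "TLS_" and "_WITH_",
        # e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> "ECDHE_RSA"
        kx = suite[len("TLS_"):suite.index("_WITH_")]
        return kx.startswith(("ECDHE", "DHE"))
    if suite.startswith("TLS_"):
        # IANA TLS 1.3 name (no key-exchange field): key exchange is always ephemeral (EC)DHE
        return True
    # OpenSSL-style name: the key exchange leads the name; plain "AES128-SHA" means RSA transport
    return suite.startswith(("ECDHE-", "DHE-"))


def audit(suites):
    """Return the offered suites that would let a later key theft decrypt recorded traffic."""
    return [s for s in suites if not has_forward_secrecy(s)]


def hardened_list(suites):
    """Keep only the forward-secret suites, preserving the server's preference order."""
    return [s for s in suites if has_forward_secrecy(s)]


# Constructed sample: a server list mixing RSA key transport with ephemeral exchanges
SAMPLE_SERVER_SUITES = [
    "AES128-SHA",                               # RSA key exchange: no forward secrecy
    "ECDHE-RSA-AES128-GCM-SHA256",              # ephemeral ECDH, authenticated by the RSA cert
    "DHE-RSA-AES256-SHA",                       # ephemeral finite-field DH
    "TLS_RSA_WITH_AES_128_CBC_SHA",             # same RSA weakness, IANA spelling
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # ephemeral, ECDSA-authenticated
    "TLS_AES_256_GCM_SHA384",                   # TLS 1.3: always forward secret
]

if __name__ == "__main__":
    for s in audit(SAMPLE_SERVER_SUITES):
        print("no forward secrecy:", s)
    print("hardened order:", hardened_list(SAMPLE_SERVER_SUITES))
```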

While discussing the NSA's Muscular program, we would also like to remind you that a couple of weeks ago we learned about 'Royal Concierge', another secret program of GCHQ and the NSA, uncovered by Edward Snowden, to spy on foreign diplomats through hotel bookings.

-Source (CIO & PC World) 



Cupid Media Network Breach Exposes 42 Million Passwords in Plain Text (Unencrypted)


Cupid Media, one of the leading niche online dating networks with more than 35 large online dating websites, faced a massive intrusion that affects more than 42 million of its registered users. From an exclusive report by Krebs on Security we learned that the breach took place earlier this year, when the hackers managed to gain access to crucial servers belonging to the Cupid Media network. According to the managing director of Cupid Media, Mr Andrew Bolton, "In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts.” After a preliminary investigation it was found that the purloined database of the Australia-based niche dating service Cupid Media was on the same server where hackers had amassed tens of millions of records stolen from Adobe. More than 42 million people's unencrypted names, dates of birth, email addresses and passwords have been found in the pinched database. I am very much worried to see that a high-value site like Cupid is unconcerned about basic security countermeasures. Even their confidential tables remained unencrypted, which allowed the hackers to obtain the personal information in plain text. Like the Cupid Media security team, the registered users were also found to be very careless and unaware of basic security measures. I say this because, of the leaked passwords, almost two million picked "123456", and over 1.2 million chose "111111". "iloveyou" and "lovely" both beat out "password", and while 40,000 chose "qwerty", 20,000 chose the bottom row of the keyboard instead, yielding the password "zxcvbnm".
Jason Hart of famous data protection firm Safenet said "The true impact of the breach is likely to be huge. Yet, if this data had been encrypted in the first place then all hackers would have found is scrambled information, rendering the theft pointless."
This security breach of Cupid Media reminds us of the recent history of breaches, in which we have seen a slew of attacks against the following sites: Drupal.org, Scribd, Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Nvidia, Philips, Zynga, VMware, Adobe, Twitter, New York Times, Apple and so on. While covering this story on behalf of VOGH, I am warning our readers across the globe to use strong alphanumeric passwords to avoid such disasters. Webmasters and security administrators are also highly recommended to use salted encryption in their databases to prevent such cyber attacks.
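The "salted" storage the post recommends is, in practice, a per-user random salt fed into a deliberately slow password hash, so a stolen table yields neither plain text nor a reusable rainbow-table lookup; pairing it with a blocklist of the exact choices the leak exposed stops the weakest passwords at registration. This is an added example, not Cupid Media's code or the page's own; the iteration count, record format and length rule are choices made for the illustration, and the blocklist is built from the passwords named above.

```python
"""Salted, slow password hashing plus a blocklist of the leaked favourites (added example).

Uses PBKDF2-HMAC-SHA256 from the standard library. Each record is
self-describing (algorithm$iterations$salt$hash, hex-encoded) so the cost can
be raised later without breaking verification of older records.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16        # 128-bit random salt per user

# The most common choices in the Cupid leak as named in the post (constructed blocklist)
COMMON_PASSWORDS = {"123456", "111111", "iloveyou", "lovely", "password", "qwerty", "zxcvbnm"}


def is_weak(password, min_length=10):
    """True for passwords a registration form should reject outright (assumed policy)."""
    if len(password) < min_length:
        return True
    if password.lower() in COMMON_PASSWORDS:
        return True
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return not (has_alpha and has_digit)   # the post's "strong alphanumeric" rule


def hash_password(password, salt=None):
    """Return a storable record. A fresh salt means identical passwords differ on disk."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("123456", "zxcvbnm", "correcthorse42"):
        print(candidate, "weak" if is_weak(candidate) else "accepted")
    record = hash_password("correcthorse42")
    print(record)
    print("verify ok:", verify_password("correcthorse42", record))
    print("verify wrong:", verify_password("123456", record))
```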



Evernote Security Breached! Causing 50 Million Passwords Reset


The world-famous online information storage firm Evernote, which allows millions of people to store and organise personal data on an external server from any platform, has fallen victim to the latest round of cyber attacks, in which hackers managed to breach the company network, resulting in a massive data breach affecting more than 50 million of its registered users. The breach at Evernote follows malicious activity at Twitter, NBC, the New York Times, Facebook and others in recent weeks. In a blog post the firm acknowledged the incident, saying "Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service." The matter of relief for its millions of users is that, although the hackers gained access to Evernote user information, which includes usernames and the email addresses associated with Evernote accounts, the salted encryption meant the hackers failed to decrypt those credentials. To avoid further damage, Evernote reset the passwords of all its registered users. Phil Libin, Evernote’s CEO and founder, told the press that the services are running, although if you try to access the site things may not work as normal at the moment: “We just pushed out a password reset, so the servers are going to be saturated for a bit,” he wrote. “Everything is up, although response is choppy. There’s no threat to user data that we’re aware of,” said Phil. Evernote also claimed it has no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed during the hack.
The Evernote security response team apologized for the annoyance of having to change your password, but, ultimately, they believe that this simple step will result in a more secure Evernote experience.






NASA Laptop Theft Puts Thousands of Employees & Contractors at Risk


So far NASA has been targeted several times by hackers who penetrated its digital security. But here comes a somewhat different type of breach. A laptop with data on thousands of employees and contractors has been stolen from a NASA employee's car. NASA issued a serious warning and is informing its employees that a laptop computer with personnel information such as social security numbers was stolen from a locked car two weeks ago, potentially putting thousands of workers and contractors at risk. The laptop, issued to an employee at NASA headquarters in Washington, was password protected, but its disk was not fully encrypted, making it relatively easy to access the information stored on that hard disk. This security breach may affect thousands of employees and contractors at NASA facilities around the United States.
NASA has contracted a specialist consulting firm to identify and contact the persons affected by the data breach, saying that the process could take up to 60 days due to the large amount of data. NASA Administrator Charlie Bolden banned the removal of unencrypted laptops containing sensitive information from any NASA facility and ordered security software upgrades to be finished by December 21. NASA has now instructed its employees to use full disk encryption (FDE) to lock down the hard drives on all devices that process critical data by December 21. The agency also warned employees about storing sensitive data on smartphones and mobile devices. The agency is offering employees free credit-monitoring services and other support.
The laptop theft is the latest in a string of NASA security breaches over the past few years. In March, a Kennedy Space Center worker's laptop that contained personal information on about 2,300 employees and students was stolen. A NASA inspector general report this year determined 48 NASA laptops and mobile computing devices were lost or stolen between April 2009 and April 2011, many containing sensitive data.



-Source (Reuters)






SecretLayer: Advanced Steganography Software [Pro Version Download Now]


Hackers, security professionals and many other people involved in the cyber domain must be familiar with the term 'steganography'. I do believe that many of us have used this fine technique many times, sometimes for fun and sometimes for nasty jobs. For those not so familiar with it, steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message; a form of security through obscurity. In very simple words, it is one of the finest arts of deception. For your information, nowadays steganography is widely used, or I should say misused, by many terrorist organizations for transmitting their hidden messages. One of the most dangerous challenges with steganography is that researchers can detect whether an image or text contains a hidden message, but so far they cannot unveil the message inside.
Today we will talk about an advanced tool designed to tweak the color of specific pixels. The tool is named 'SecretLayer', and it lets you encrypt your data (so you're no worse off than before) and then hide that encrypted data in ordinary images, like the ones used every day on websites and in email attachments.

The Pro version of SecretLayer supports encryption of your data with the following algorithms:

  • Encryption type: AES, Key length: 128, 196, 256 (bits)
  • Encryption type: Blowfish, Key length: 128, 196, 256, 384, 448 (bits)
  • Encryption type: Cast-128, Key length: 40, 64, 128 (bits)
  • Encryption type: Cast-256, Key length: 128, 160, 192, 224, 256 (bits)
  • Encryption type: DES, Key length: 64 (bits)
  • Encryption type: IDEA, Key length: 128 (bits)
  • Encryption type: RC5, Key length: 64, 128, 192, 256, 384, 448, 512, 1024, 1536, 2040 (bits)
  • Encryption type: Twofish, Key length: 128, 192, 256 (bits)
  • A container with the encrypted data is hidden inside an ordinary-looking image. This is all done automatically and in the background: you don't have to do anything extra.

To download SecretLayer click here. Earlier I told you that steganography is one of the finest ways of hiding your secret message; besides that, it carries many threats, as it has been widely used by criminals for transmitting messages. So far those hidden contents cannot be decrypted easily. So now it is up to you how you use such tools. Remember one lesson we have already learnt from the famous movie Spider-Man: 'With great power there comes great responsibility...'. So I urge you not to use such tools for negative purposes.







BlackBerry PlayBook: The Most Secure Tablet for a BYOD Solution


Nowadays the number of tablet users is increasing every day. Millions of people across the globe use tablets for both personal and professional purposes. While the number of users and the purposes of using tablets are rising, the matter of privacy and security arises alongside. There are many companies manufacturing tablets, but before choosing one we should know which is more secure than the others. According to a recent report by Context Information Security, BlackBerry's PlayBook is the only device among the three top tablets that gives users a good, safe division between their work and personal computing, a recent technology audit concluded. The report faulted the PlayBook, as well as the Apple iPad and the Samsung Galaxy Tab, for default settings that don't automatically encrypt backups, and for not offering complementary and compatible tools for IT teams to manage a large number of devices at the business level. According to Jonathan Roach, Principal Consultant at Context and author of the report, "While the iPad and BlackBerry PlayBook performed better, both still have security deficiencies -- including desktop software that fails to encrypt backups by default." He also said, "Context found the PlayBook to be the most work-ready personal tablet of the three, due to its Bridge application's excellent support of barriers between work and personal profiles."
The report also found the Galaxy Tab's security features to be the least work-play ready, with weak disk-encryption support. The Galaxy Tab's lack of tools tailored to enterprise use makes it "very difficult to manage more than a small number of Galaxy Tabs in an enterprise environment," a point on which Apple also falls short. The report criticized the Galaxy Tab's encryption as well. Even with encryption enabled, the report found that Samsung's device still "allows badly-written apps to store sensitive information on the unencrypted SD card." The report also praised all three tablets for their support of Exchange ActiveSync, a feature that allows crucial security settings to be managed from a central server running Microsoft software. But the study noted important differences among the devices that may make some tablets more appropriate for dual use in both the home and the office.
"Despite that security advantage, RIM only managed to ship 130,000 tablets last quarter. By contrast, Apple's wildly popular iPad sold more than 17 million units last quarter. Context found the iPad to be the second-most-secure device, citing its 'robust data protection and damage limitation facilities,' but said on its news page that the device was still vulnerable to jailbreak attacks and 'ineffective disk encryption unless a strong passcode policy is applied'," Jonathan added.


To download the full report click here.


-Source (Context Information Security & NBC News)



Three Secrets & Full Analysis of Flame's Command & Control Servers Unraveled


Flame, the next-generation cyber weapon also known as 'The Super Spy', has already fascinated the cyber-security industry with its sophistication and versatility as a Swiss Army knife of cyber-spying. Recently the security firm Kaspersky Lab published a new report on the sophisticated nation-state sponsored Flame cyber-espionage campaign. During the research, conducted by Kaspersky Lab in partnership with the International Telecommunication Union’s cybersecurity executing arm IMPACT, CERT-Bund/BSI and Symantec, a number of Command and Control (C&C) servers used by Flame’s creators were analyzed in detail. The analysis revealed new, groundbreaking facts about Flame. In particular, traces of three as yet undiscovered malicious programs were found, and it was discovered that the development of the Flame platform dates back to 2006.

Main findings:
• The development of Flame’s Command and Control platform started as early as December 2006.
• The C&C servers were disguised to look like a common Content Management System, to hide the true nature of the project from hosting providers or random investigations.
• The servers were able to receive data from infected machines using four different protocols; only one of them serviced computers attacked with Flame.
• The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created; their nature is currently unknown.
• One of these Flame-related unknown malicious objects is currently operating in the wild.
• There were signs that the C&C platform was still under development; one communication scheme named “Red Protocol” is mentioned but not yet implemented.
• There is no sign that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.
The Flame cyber-espionage campaign was originally discovered in May 2012 by Kaspersky Lab during an investigation initiated by the International Telecommunication Union. Following this discovery, ITU-IMPACT acted swiftly to issue an alert to its 144 member nations accompanied by the appropriate remediation and cleaning procedures. The complexity of the code and confirmed links to the developers of Stuxnet all point to the fact that Flame is yet another example of a sophisticated nation-state sponsored cyber operation. Originally it was estimated that Flame started operations in 2010, but the first analysis of its Command and Control infrastructure (covering at least 80 known domain names) shifted this date two years earlier.
The findings in this particular investigation are based on the analysis of the content retrieved from several C&C servers used by Flame. This information was recovered despite the fact that Flame’s control infrastructure went offline immediately after Kaspersky Lab disclosed the existence of the malware. All servers were running the 64-bit version of the Debian operating system, virtualized using OpenVZ containers. Most of the servers’ code was written in the PHP programming language. Flame’s creators used certain measures to make the C&C server look like an ordinary Content Management System, in order to avoid attention from the hosting provider.
Sophisticated encryption methods were utilized so that no one but the attackers could obtain the data uploaded from infected machines. The analysis of the scripts used to handle data transmissions to the victims revealed four communication protocols, and only one of them was compatible with Flame. This means that at least three other types of malware used these Command and Control servers. There is enough evidence to prove that at least one Flame-related malware is operating in the wild. These unknown malicious programs are yet to be discovered.
Another important result of the analysis is that the development of the Flame C&C platform started as early as December 2006. There are signs that the platform is still in the process of development, since a new, not yet implemented protocol called the “Red Protocol” was found on the servers. The latest modification of the servers’ code was made on May 18, 2012 by one of the programmers.
“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers. Flame’s creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data that one server was intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale,” commented Alexander Gostev, Chief Security Expert, Kaspersky Lab.
Here we want to remind you that after the episode of 'Duqu', in the middle of this year the Iranian Computer Emergency Response Team (MAHER) claimed to have discovered a new targeted Stuxnet attacking the country's internal systems. This newly found Stuxnet was dubbed Flame (also known as Flamer or Skywiper). Later it was spotted in the wild when software giant Microsoft confirmed that its Windows Server Update Services (WSUS) and Windows Update (WU) had been infected by the Flame malware. The name 'Flame' was also making headlines in many other fields.
For a detailed analysis of Flame's command and control (C&C) servers click here.

-Source (Kaspersky)



Twitter Hires Renowned Apple Hacker Charlie Miller for Twitter Security Team



    It is an almost impossible task for social networks to keep everything safe against hacks and other vulnerabilities. Hackers will constantly find their way around anything you put in place. So companies often deal with hackers by turning to them to beef up their security. Social networking giant Twitter has done exactly that. The micro-blogging network has hired the famous/infamous Apple hacker Charlie Miller to be part of its security team. Charlie Miller, a popular figure among hackers, broke the news via his Twitter account, saying, “Monday I start on the security team at Twitter. Looking forward to working with a great team there!” Twitter issued a short statement noting that Miller’s title will be Software Engineer, but declined to discuss any further details.
    Charlie Miller has a background as a Global Exploitation Analyst at the National Security Agency, and has hacked devices running iOS, OS X, and Android. He is considered a white-hat hacker, which means that he hacks to expose vulnerabilities in a system so that those weaknesses get fixed. Five years ago, Miller was said to be the first to hack the iPhone through the device’s browser, exposing the handset’s vulnerability to security attacks. Several months after this, he was likewise able to hack a MacBook Air in just two minutes, a feat that won Miller the Pwn2Own hacking competition. Miller also showed a way to hijack iPhones through SMS in 2009. In 2011, he used the MacBook power adapter to implant malware on the laptop. In the same year, his license as an Apple developer was revoked because Apple found that he had breached the development agreement.
    More recently, Miller has been working on Android devices. In June, he was able to overcome Bouncer, Google’s security program. He furthermore has experience in using Near Field Communication to control Samsung and Nokia handsets with a simple wave of another phone within the vicinity.
    While talking about Charlie Miller, we must mention another name, Nicholas Allegra, the world-famous hacker known as "Comex" and creator of JailbreakMe.com, who was later hired by Apple itself. In the case of Twitter, apart from Miller, the company also hired Moxie Marlinspike, a hacker who specializes in SSL and VPN encryption.

    Ubuntu 12.10 Codenamed "Quantal Quetzal" Beta 1 Released !!

    After the release of two Alpha versions (Alpha 1 and Alpha 2), it is now time for beta; as expected, Canonical and the Ubuntu developer team have released the first beta of version 12.10 of their Ubuntu Desktop, Server, Cloud, and Core products, code-named "Quantal Quetzal". Ubuntu 12.10 Beta 1 uses a Linux kernel based on the recent 3.5.3 kernel, the current stable version of Linux 3.5.
    12.10 continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, introducing new features and fixing bugs. For the client, this release now has a consolidated Ubuntu image. There is no longer a traditional CD-sized image, DVD or alternate image, but rather a single 800MB Ubuntu image that can be used from USB or DVD. This change does not affect Ubuntu Server, which remains a traditional CD-sized image. With Ubuntu 12.10, Kubuntu, Edubuntu, Lubuntu, and Ubuntu Studio also reached Beta 1 status today. These images, along with Xubuntu, will continue to have daily updates for the remainder of the release. The final version of Ubuntu 12.10 is expected to be released on October 18, 2012.

    Key Features at a Glance:- 

    • The consolidated client images now support the logical volume manager (LVM) as well as full disk encryption.
    • Update Manager has been renamed Software Updater and now checks for updates when launched.
    • A new X.org stack has been introduced which includes xserver 1.13 candidate versions, mesa 9.0, and updated X libs and drivers. 
    • Unity has been updated to version 6.4, including support for dash previews and the coverflow view. Now that compiz with GLES support has landed, unity-3d works again on the pandaboard.
    • The Ubuntu desktop has begun migrating from Python 2 to Python 3. Most Python applications included in the desktop are now using Python 3, and most Python modules that are included by default are available for both Python 2 and Python 3.



    Changes in Ubuntu Server and Cloud Images:-

    • ARM hard float (armhf) cloud images are now available.
    • OpenStack folsom testing packages are available. OpenStack instance architecture testing support has been added, as has a heterogeneous scheduler for ARM.
    • Apache Tomcat 7 is now the default supported version. Ceph has updated to 0.48.1 (upstream argonaut stable release), and includes RADOS Gateway (S3 and Swift Compatible), as well as performance improvements.
    • Floodlight (Openflow Network Controller) and mininet (Network Simulation) packages are now available.
    According to the project's release schedule, the beta release will be followed by a second beta on 27 September. The current stable release is Ubuntu 12.04.1 LTS, the first point update to the Long Term Support (LTS) edition of the distribution.


    To Download Ubuntu 12.10 Beta 1 (Both Ubuntu Desktop and Ubuntu Server) Click Here

    A Chicago Woman Sentenced To 2.5 Years in Prison For $9 Million ATM Hacking

    The $9 million ATM hacking case has taken a new direction. Federal authorities have tracked down a ring of cyber-criminals. A Chicago woman was busted and sentenced to two years and six months in federal prison for helping steal more than $9 million USD back in 2008. She was also ordered to spend five years on supervised release following prison, and to pay $89,120.25 in restitution. According to federal prosecutors, 45-year-old Sonya Martin was a member of a cell in what they claim was "one of the most sophisticated and organized computer hacking and ATM cashout schemes ever." Her Chicago cell was one of many "cashing crews" that drained millions of dollars from roughly 2,100 ATMs in 280 cities across the globe.
    U.S. District Court officials claim that a group of hackers obtained unauthorized access to Atlanta-based payment processing company WorldPay U.S. Inc. back in November 2008. WorldPay handles companies that use payroll debit cards to pay their employees, who in turn use these cards to make purchases or withdraw their salaries from an ATM. The hackers allegedly used "sophisticated techniques" to compromise the data encryption used to protect customer data on these cards. Once they gained access to these accounts, the hackers fraudulently raised the balances and ATM withdrawal limits. They then handed over 44 debit card account numbers and their associated PINs to the cashing crew cells to cash out the accounts. Martin's cell and others located around the world, including the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada, drained those accounts in less than 12 hours on November 8, 2008.
    Officials said Sonya Martin worked with one of the lead cashers and supervised a cashing crew in Chicago. This cell withdrew approximately $80,000 from various Chicago area ATMs using counterfeit debit cards she manufactured using a payroll card number and PIN code. "While this was a complex, internationally coordinated crime with many different players and components, it would not have gotten very far without the cashing crews [like the one Martin worked with]," said Brian D. Lamkin, Special Agent in Charge, FBI Atlanta Field Office.



    -Source (TOM'S HARDWARE)

    LibreOffice Addresses Multiple Heap-based Buffer Overflow Vulnerability (CVE-2012-2665)

    Just a few weeks after releasing LibreOffice 3.5.5, The Document Foundation has confirmed security holes in earlier versions of the open source LibreOffice that could be exploited to execute arbitrary code with the privileges of the active user. According to the LibreOffice security advisory for CVE-2012-2665: "Multiple heap-based buffer overflow flaws were found in the XML manifest encryption tag parsing code of LibreOffice. An attacker could create a specially-crafted file in the Open Document Format for Office Applications (ODF) format which when opened could cause arbitrary code execution." Users are recommended to upgrade to 3.5.5 or 3.6.0 to avoid this flaw. Red Hat released updated OpenOffice.org and LibreOffice packages for both Red Hat Enterprise Linux version 5 and Red Hat Enterprise Linux version 6. Users are advised to upgrade to these updated packages, which contain backported patches to correct the issues, Red Hat said in three security advisories published on Tuesday. Linux vendor Novell released updated LibreOffice packages for SUSE Linux Enterprise Desktop 10, and a LibreOffice update is also available for Ubuntu 12.04 (Precise Pangolin).
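    The bug class behind that advisory, as an added illustration that is not LibreOffice's own code: a manifest parser decodes a base64 value from an ODF <manifest:encryption-data> element into a fixed-size heap buffer, with the decode bound taken from the untrusted input (the overflow pattern) shown beside the form that bounds it by the destination and checks the decoded length. The decoder, the 16-byte IV field size and the function names are assumptions made for this demonstration.

```c
#include <stdlib.h>
#include <string.h>

#define IV_LEN 16   /* assumed field size: the 16-byte AES-CBC IV of an ODF entry */

/* Decode base64 `in` into `out`, writing at most `cap` bytes.  Returns the
 * decoded length, or -1 on a bad character or if `cap` would be exceeded. */
static int b64_decode(const char *in, unsigned char *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;              /* refuse to overrun */
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return (int)n;
}

/* Bug class of CVE-2012-2665: the write bound comes from the attacker-
 * controlled attribute, not from the 16-byte destination, so a longer value
 * overruns the heap allocation.  Contrast only; never use on untrusted input. */
static unsigned char *parse_iv_unchecked(const char *attr) {
    unsigned char *iv = malloc(IV_LEN);
    if (iv) b64_decode(attr, iv, strlen(attr));  /* strlen >= decoded length */
    return iv;
}

/* Hardened form: bound the decode by the destination and require the field
 * to decode to exactly IV_LEN bytes; anything else is rejected. */
static unsigned char *parse_iv_checked(const char *attr) {
    unsigned char *iv = malloc(IV_LEN);
    if (iv && b64_decode(attr, iv, IV_LEN) != IV_LEN) {
        free(iv);
        iv = NULL;
    }
    return iv;
}
```

The constructed value "MDEyMzQ1Njc4OWFiY2RlZg==" decodes to exactly 16 bytes and is accepted by both parsers; a 32-byte value is rejected by the hardened parser, while the unchecked one would write past the end of its allocation.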


    Black Hat 2012- Key-Card of Hotel Door Can Be Bypassed With An Open-Source Tool "Arduino"

    For millions of travelers, the ubiquitous hotel key card is the primary and essentially the only way to access their rooms at the end of the day. So when you hear that the key card you use to access your private room is no longer safe, it is quite possible that you will be shocked. And this is exactly what happened at Black Hat 2012. Security researcher Cody Brocious believes the current systems used to secure hotel doors throughout the United States and elsewhere are severely flawed. Speaking at the Black Hat security conference, Brocious demonstrated how locks from Onity, a company that sells security products to hotels and other businesses, can easily be bypassed. At the show, Brocious detailed the primary security flaws that allowed him to bypass Onity locks and gain access to rooms.
    According to eWEEK, Brocious used an open-source tool known as Arduino, a portable programming platform. Arduino was used as a substitute for the commercial portable programmer that an Onity lock would typically require. Brocious explained that the Onity locks also have a serial hardware connection that is easily accessible. In addition to the Arduino tool, Brocious used an oscilloscope that allowed him to see what was happening in the lock whenever a key card was inserted and the door opened or closed. He was able to determine through his research that the underlying firmware on the lock does not require any form of authentication to arbitrarily access the memory of the lock. This means it is possible to read out every bit of information that is on the lock, which makes it possible for anyone to gain access or make a key.
    In theory, programming of the lock should go over a secure channel rather than through direct, unencrypted memory access, said Brocious. The problem, according to his research, is that the existing Onity lock design does not easily allow for that, and there is no easy way to update the firmware. Another potential option is to provide physical security on the door lock itself; for example, the company could make the serial port harder to access. However, with 5 million of these locks in use today, Brocious said this would be an expensive and challenging way to add additional security. The actual door locks are only half the problem exposed by Brocious; the card keys are also at risk. Typical card keys in the Onity system use only 32-bit key encryption, making them easy to decrypt, according to Brocious. "The system is broken at every layer," said Brocious.
    The severity of the issue and its high impact is what led Brocious to choose to release his research at Black Hat. In addition to his research, he is also releasing a software tool so that others can continue or expand on his efforts. "Something needs to be done about this problem, and I didn't want to put it out there in a way that could be defeated by process," said Brocious. "No doubt, this vulnerability has been found before, and it has been in the locks for years."
    Brocious added: “I'd be surprised if this hasn't been used by malicious actors in the past.” What Brocious is hoping to achieve from this disclosure is not a mass string of hackers getting unauthorized access to hotel rooms, but rather some kind of fix and industry response. "I'm saying that this is what you're vulnerable [to], so come up with a way to solve the problem," said Brocious.
