Five Capabilities Needed For Effective Incident Response
Written by Angelo Castigliola   
Oct 06, 2014 at 07:11 AM

In Jim Aldridge’s Black Hack Asia Briefing 2014 talk “Beyond ‘Check The Box’: Powering Intrusion Investigations” Aldridge lays out the five basic capabilities for an effective Incident Response:

  • Mapping an IP address to a hostname
  • Identifying the systems to which a specific account authenticated
  • Determining the systems that communicated with a specific Internet IP address
  • Tracking domain name resolution attempts
  • Identifying indicators of compromise across the environment  

Six questions the lead IR responder is asked by executives:

  • What information was exposed?
  • Do I need to notify regulators or customers?
  • What is the extent of the compromise
  • How much money did we lose?
  • How did the attacker gain entry?
  • How do we effectively stop the attack and remove the attacker? 

 Questions the lead IR responder needs to answer during an investigation:

  • When and what was the earliest evidence of compromise?
  • How did the attacker gain entry?
  • What is the latest evidence of attacker activity?
  • What systems are (or were previous) under the attacker’s control?
  • What systems did the attacker access?
  • What actions did the attacker execute on the systems with which he interacted?
  • How does the attacker maintain access to the environment?
  • How does the attacker operate inside of the environment?
  • What tools has the attacker deployed?
  • What accounts did the attacker compromise?

Aldridge talk continues with providing strategies, for obtaining the five capabilities outlined above, so an Incident Responder can effectively answer the questions.  Obviously the sooner an organization has the capabilities the better they will be at responding to a breach incident.

Write Comment (0 comments)
Last Updated ( Oct 08, 2014 at 09:55 AM )

Unpatchable Malware
Written by Angelo Castigliola   
Oct 01, 2014 at 01:24 PM

The “BadUSB” research presented at Black Hat 2014 by Karsten Nohl and Jakob Lell demonstrated how they can completely take over a computer simply by plugging in a USB device such as a thumb drive.  They accomplished this by reprogramming the microcontrollers inside the USB device, to repurpose them so they can take full control of a computer.  Since the vulnerability is in the actual hardware of the USB device, it is possible to completely evade antivirus by sending only clean copies when antivirus software reads from the device, or simply not send any data at all.

There is no simple solution to remediate all of the vulnerabilities presented, Nohl and Lell held back releasing any proof-of-concept tools for other security researchers to experiment with.

Adam Caudill and Brandon Wilson have since reversed the same USB vulnerabilities and presented their research at the Derby Con security conference last week.  Unlike Nohl and Lell, they have released proof-of-concept tools.  From an article in Wired:

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

“There’s a tough balance between proving that it’s possible and making it easy for people to actually do it,” he says. “There’s an ethical dilemma there. We want to make sure we’re on the right side of it.”

Responsible disclosure is once again in the spotlight for information security.  What should that process look like if there is no easy fix for a vulnerability discovered? 

Write Comment (0 comments)
Last Updated ( Oct 02, 2014 at 02:29 PM )

Summary of 2600 Summer 2014 (31:2)
Written by Angelo Castigliola   
Jul 09, 2014 at 12:49 PM

Despite having heartbleed branding logo all over the cover, in typical 2600 fashion, heartbleed is not mention once, even in the letters.

2600 Summer 2014 The following is a summary of the 2600 Summer 2014 volume 31, number 2:
  • Snowden love..
  • cDc liked heavy metal
  • Tprophet fires some poor guy and raises a Bell CO style “carrier hotel” temperature to 130 degrees because of AZ (true story)
  • Half of an exploit for connecting to Minuteman III nuclear missile silos by broadcasting DTMF tones over UHF frequencies
  • Compression before encryption
  • A 14 line python script to view a web page safely, if lynx is too easy for you
  • The deepest psycho analysis of the movie diehard you will ever read
  • Raspberry pi home lighting
  • Summary of Mandiant APT report
  • 16 year old I'm a hacker now story
  • Homeless computer repair guy stories
  • Apple gets unasked for security audit lulz
  • SanDisk Connect Wireless root password (sqn1351)
  • A way too long story about a standard toilet
  • Ransomware 101 security tips
  • Si-Fi authors who write about Hackinh/Future
  • Standard White hat/Black hat ranting
  • Some fictional story about botnets and raids of virtual worlds wearing  VR helmets

Authors: Emmanuel Goldstein, Bob Hardy, Dabu Ch’wald, D.B. LeCone-Spink, Brett Stevens, The Prophet, Bab Bobby’s Basement Bandits, Spacedawg, Sh0kwave, Gregory Porter, Michael Post, Jim L, Tyler Frisbee, eyenot, lg0p89( two articles), ook, Toilet Fixer 555C, Jason Sherman, the Piano Guy, Andy Kaiser.

Letters submitted by: Yuval Nativ, RP, Daniel, Kevin, A curious person, The Professor, Estragon, Wolf Bronski, Bill Miller, Sol, J Thompson, Dave, Robert, Jerry listening on WBAI, Tyler Frisbee, //j, Oliver, Chris, Brad, Richard Cheshire Phreak & Hacker, Scott, David, zenlunatic, Stacy, Mike, Will(NameBrand), Budo, Seymour, Name Deleted, Jared, John, Shocked998, Hunter, Darwin, 3, Variable Rush, Chris, Sh0kwave, David, Screamer Chaotix, Pic0o, ghostguard, Margaret, nico, Julia Wunder Cybertron Software, Nick Grey, Charlotte & Jess http://c63industries.com

Write Comment (0 comments)
Last Updated ( Jul 10, 2014 at 01:51 PM )

Open Source NSA Spy Gadgets
Written by Angelo Castigliola   
Jun 10, 2014 at 10:02 AM

Michael Ossmann, the researcher behind the radio testing tool HackRF, and the Bluetooth testing tool Ubertooth, is now working on research to recreate the NSA spying devices, from the ANT Catalog, as open source projects.  Michael presented his research at the Hack In The Box security conference in the Netherlands.

Write Comment (0 comments)

Vulnerability Finders Taxonomy
Written by Angelo Castigliola   
Jun 09, 2014 at 04:53 AM

Infosec researcher Bruce Schneier recently wrote the essay “The Human Side of Heartbleed,”  which outlines the process of responsible vulnerability disclosure, that took place for Heartbleed.   This is nothing new.  The process of responsible vulnerability disclosure, was formalized by researchers and self-policed by members of InfoSec new groups that would discuss these vulnerabilities in great detail.  There is actually a draft standard of the “Responsible Vulnerability Disclosure Process” submitted to the Internet Engineering Task Force (IETF) by Chris Wysopal, former l0pht researcher and co-founder of the information security company Veracode and Steve Christey, Principal at Mitre (the company who currently maintains the CVE/CWE compatibility program.)  The interesting part of Bruce Scherer’s essay is the taxonomy of people that find vulnerabilities:

What happens when a vulnerability is found depends on who finds it. If the vendor finds it, it quietly fixes it. If a researcher finds it, he or she alerts the vendor and then reports it to the public. If a national intelligence agency finds the vulnerability, it either quietly uses it to spy on others or -- if we're lucky -- alerts the vendor. If criminals and hackers find it, they use it until a security company notices and alerts the vendor, and then it gets fixed -- usually within a month.


Write Comment (0 comments)
Last Updated ( Jun 09, 2014 at 01:03 PM )

<< Start < Previous 1 2 3 4 5 6 7 8 9 10 Next > End >>

Angelo Castigliola     View Photos of Angelo (8)
    Send Angelo a Message
Sec and Sec-Tech Newsletter
Email:





Upcoming Events