A Checklist for Every Security Awareness Presentation

Infosec Institutes

Date Published: 26 August 2015




"As an IT Security Officer for a large financial services organization, maintaining a high level of staff awareness is a key aspect of my role. 

While we have been fortunate enough to date (touch wood, fingers crossed, etc., etc.!) to have avoided any major security incident, my experience would bear out the widely-acknowledged view that the weakest point in the security regime is most likely to be the user. Incidents caused by the user – usually inadvertently – represent the highest percentage by far of those reported or detected.

And so, an effective security awareness program is one of the most important measures to safeguard against the potentially significant, if not catastrophic, business impact to an organization such as ours arising from a major security breach whether in terms of financial loss or damage to reputation. 

The priority given to security awareness, which our organization’s chief executive and senior management team have endorsed, may be a key reason for our good fortune up to now. (Again, touch wood, fingers crossed, etc.!). This has helped to embed a culture of good practice in relation to security within our organization.

Security Awareness presentations are a vital part of any awareness program (but not the only one and I will touch on other components that should also be considered later), and a useful checklist for a security awareness presentation would be as follows:" 

To read the complete article see:




PayPal Patches Serious Flaw in Payment System

Eduard Kovacs, Security Week

Date Published: 26 August 2015 



"Flaw in PayPal “SecurePayments” Page Allowed Hackers to Steal Users’ Data

PayPal has patched a serious vulnerability that could have been exploited by malicious actors to trick users into handing over their personal and financial details. 

The vulnerability, discovered by Egypt-based researcher Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain. The domain is used for PayPal’s hosted solution, which enables online shop owners to allow buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.

According to Hegazy, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and alter the “Checkout” button with a URL designed to exploit the XSS vulnerability. This allowed the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information."

 To read the complete article see:




Businessman who hacked 900 phones as "revenge" is jailed

Paul Ducklin, Naked Security (Sophos Blog) Date Published: 26 August 2015



 "Imagine that you're a network security company, and you're in the middle of a demonstration to a prestigious customer in the insurance industry - a customer who is worth £80,000 a year in business.

Imagine that you want to show how quickly and efficiently you could remotely wipe a mobile device to render it useless to a crook, for example after it was reported lost or stolen.

And now imagine that an estranged former business partner managed to hack into your network, perhaps using legitimate-looking credentials set up when he was still an insider, to stage a sort of "demo-within-a-demo"of his own, right in the middle of your demo...

 ...so that not only the test device got wiped, but also a further 900 of your important customer's mobile phones."

 To read the complete article see:




Agora Dark Web Marketplace Shuts Down Due to Security Concerns

Catalin Cimpanu, Softpedia

Date Published: 27 August 2015



"Tor deanonymization vulnerability prompts Agora admins to temporarily shut down access to the website. 

Agora, a Dark Web marketplace used by nefarious actors to exchange drugs, weapons, and other illegal products, has decided to temporarily shut down due to a security weakness in the Tor anonymization network.

The weakness in question was discovered by researchers at MIT and the Qatar Computing Research Institute (QCRI), and allows third-parties to deanonymize Tor traffic using malicious nodes added to the network, all with an 88% accuracy percentage. 

Since Agora is operated as a Tor hidden service, allowing users access based on an Onion address alone, the site is 100% dependent on Tor and the Onion routing system, making the aforementioned vulnerability, a very serious threat, even if the researchers said it relies on a lot of luck to get it working."

To read the complete article see: 



Sphinx: New Zeus Variant for Sale on the Black Market

Bev Robb, Dark Matters

Date Published: 24 August 2015



"The 0Day marketplace was a busy beaver this weekend. I’ve been waiting and watching Sphinx for the past 10 days to see if the 0Day admin would verify this new threat:

New Zeus Variant

On Sunday evening, Sphinx, a new variant of the Zeus banking trojan was admin-verified. Sphinx is coded in C++ and based on ZeuS source code and operates fully through the Tor network using a Tor hidden service. This variant is listed as being immune to sinkholing, blacklisting, and the ZeuS tracker.

The seller claims that you do not need bulletproof hosting (generally immune from takedown requests) when operating a Sphinx botnet, though he still recommends it.

Sphinx Features (as listed in the forum with minor edits):


 * Formgrabber and Webinjects for latest Internet Explorer, Mozilla.

 * Firefox and Tor Browser with cookie grabber and transparent page redirect(Webfakes).

 * Backconnect SOCKS, VNC.

 * Socks 4/4a/5 with UDP and IPv6 support.

 * FTP, POP3 grabber.

 * Certificate grabber.

 * Keylogger."

To read the complete article see:



Malware Meets SysAdmin – Automation Tools Gone Bad

Alex Chiu and Xabier Ugarte Pedrero, Talos Group (Cisco Blog)

Date Published: 25 August 2015



"Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen. While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user. This targeted attack was more difficult to detect because adversaries chose to leverage AutoIT, a well known freeware administration tool for automating system management in corporate environments. This notable characteristic made this attack worthy of further analysis.

Utilizing AutoIT within a payload is unique because it is a legitimate management tool. In this attack, AutoIT was utilized to install a Remote Access Trojan (RAT) and maintain persistence on the host in a manner that’s similar to normal administration activity. RATs allow adversaries to fully control compromised hosts remotely to conduct malicious operations, such as exfiltrating sensitive information. The use of AutoIT is potentially an extremely effective method of evading detection by traditional anti-virus technologies and remaining hidden on the system if it is used by the target to manage systems. The combination of a legitimate administration tool being used to install a back-door onto a target system is unique and is why this attack caught our attention."

 To read the complete article see:




Top 5 problems with data breach insurance

Mark Painter, HP Security Products Blog

Date Published: 24 August 2015



"The costs associated with data breaches continue to rise while security only grows in complexity. For those reasons and more, data breach insurance has gained an incredible amount of traction in a relatively short amount of time.   In fact, almost 50 insurance companies now offer some type of data breach coverage.  However, there are some specific issues with data breach insurance that need to be considered before making that investment.  Here are the top five."

 To read the complete article see:




British Travel Company Breached, Hundreds of Customers’ Information Exposed

Maritza Santillian, The State Of Security (Tripwire Blog)

Date Published: 24 August 2015



"A data protection breach at Thomson, a British travel firm, has led to the accidental exposure of more than 450 customers’ personal information.

Passenger details, including home addresses, telephone numbers, names and flight information, were unintentionally disclosed in an email, which the company said it quickly recalled.

Thomson released a statement apologizing for the “genuine error.”

However, the company noted it would not be offering affected customers with any compensation.

“We are aware of an email that was sent in error, which shared a small number of customers’ information,” read the statement."

To read the complete article see:



AlienSpy RAT Resurfaces as JSocket

Michael Mimoso, Threat Post (Kaspersky Lab Blog)

Date Published: 24 August 2015



"Researchers at Fidelis in April reported on an outbreak of AlienSpy infections moving via phishing messages. Shortly after the publication of that report, domain registrar GoDaddy suspended the AlienSpy domain and within two weeks, the current jsocket[.]org domain was registered at provider eNom, Fidelis said in a report published today. By July 11, they said, AlienSpy was no more and users were told to point to jsocket[.]org at a UK-based host called LayerIP.

Since then, new phishing campaigns have been moving the RAT to new targets in industries such as utilities, government agencies, telecommunications and others. JSocket, like its predecessor, is commercially available and likely susceptible to the same type of takedown, researchers said."

To read the complete article see:




Linux Machines Produce Easy to Guess Random Numbers

Catalin Cimpanu, Softpedia

Date Published: 23 August 2015



"A study carried out by two security researchers revealed that the internal system used by Linux systems to produce random numbers, which are later utilized to encrypt data, is much weaker than previously thought.

The authors of this study are Bruce Potter and Sasha Moore, which presented their findings at the recent Black Hat USA 2015 security conference in Las Vegas.

As they highlight in their paper, "nearly every crypto system relies heavily on access to high quality random numbers.""

To read the complete article see:




NICE news about the cybersecurity skills shortage

Stephen Cobb, We Live Security

Date Published: 18 August 2015



"The information security news is not all bad, despite the annual August double-tap of Black Hat and DEF CON. The raft of vulnerabilities revealed at those two events can leave you feeling like everything’s hacked and hopeless, but fortunately some folks are busy addressing one of the main reasons that the struggle to protect information systems can seem like an uphill battle: the global shortage of skilled security practitioners, predicted to reach 1.5 million by 2020*. In the United States there are currently more than 209,000 unfilled cybersecurity jobs and the demand for information security professionals is expected to grow by 53 percent through 2018 (according to an independent study cited by CSO Online**).

In the United States, one way in which the federal government has addressed this problem is NICE, the National Initiative For Cybersecurity Education. And one of the ways in which NICE seeks to promote cybersecurity education and workforce development is with a two-day annual conference. In 2015, the NICE conference is being held in November, in San Diego, and you can find the details here. If you or your organization are involved in cybersecurity education and workforce development then you might want to consider not only attending NICE 2015, but also sharing your knowledge, experiences, lessons learned, and so on. The Call for Proposals is still open."

To read the complete article see:


Pentagon Researchers Will Wage Counterattack On Crippling DDoS Cyber Strikes

Allya Sternstein, NextGov

Date Published: 17 August 2015



"The Pentagon has in mind a three-pronged counterattack against a decades-old form of cyber assault that continues to paralyze government and industry networks, despite its low cost of sometimes $10 a hit.

Beginning next spring, military-funded researchers are scheduled to produce new tools that would quickly enable organizations to bounce back from so-called distributed denial-of-service attacks.

A recovery rate of at most 10 seconds is the goal, according to the Defense Department.


"Responses to DDoS attacks are too slow and manually driven, with diagnosis and formulation of filtering rules often taking hours to formulate and instantiate. In contrast, military communication often demands that disruptions be limited to minutes or less," DARPA officials said in an Aug. 14 announcement about the new program.

The funding level for the project was not disclosed but multiple grants are expected to be awarded. Interested researchers must submit proposals by noon Oct. 13."

To read the complete article, see:


Web.com Loses 93,000 Credit Card Numbers in Breach

Michael Mimoso, Threat Post (Kaspersky Lab blog)

Date Published: 19 August 2015



"Florida-based web hosting company Web.com on Tuesday announced that it had suffered a data breach and payment card and personal information belonging to 93,000 customers was accessed.

The company did not say in a statement or press release whether the stolen data was encrypted, nor how it was accessed.

The breach was detected Aug. 13 and Web.com said it contacted law enforcement and a security consulting firm to assist with its investigation."

To read the complete article see:




Target to Pay Visa Issuers Up To $67M in Settlement Over 2013 Breach

Maritza Santillan, The State of Security (Tripwire Blog)

Date Published: 19 August 2015



"Target Corp. has reached an agreement with Visa Inc. to settle claims over the massive 2013 data breach that exposed 40 million credit and debit cards to fraud.

According to a report by the Wall Street Journal, the retail giant will reimburse thousands of financial institutions up to $67 million for costs associated with the compromise.

In addition, Target said it is currently working on a similar agreement with MasterCard issuers."

To read the complete article see:




Investigating and Prosecuting Cyber Crime:

Forensic Dependencies and Barriers to Justice

Cameron S. D. Brown, International Journal of Cyber Criminology

Date Published: Volume 9 Issue 1, January - June 2015



The primary goal of this paper is to raise awareness regarding legal loopholes and enabling technologies, which facilitate acts of cyber crime. In perusing these avenues of inquiry, the author seeks to identify systemic impediments which obstruct police investigations, prosecutions, and digital forensics interrogations. Existing academic research on this topic has tended to highlight theoretical perspectives when attempting to explain technology aided crime, rather than presenting practical insights from those actually tasked with working cyber crime cases. The author offers a grounded, pragmatic approach based on the in-depth experience gained serving with police task-forces, government agencies, private sector, and international organizations.

The secondary objective of this research encourages policy makers to reevaluate strategies for combating the ubiquitous and evolving threat posed by cybercriminality. Research in this paper has been guided by the firsthand global accounts (via the author’s core involvement in the preparation of the Comprehensive Study on Cybercrime (United Nations Office on Drugs and Crime, 2013) and is keenly focused on core issues of concern, as voiced by the international community. Further, a fictional case study is used as a vehicle to stimulate thinking and exemplify key points of reference. In this way, the author invites the reader to contemplate the reality of a cyber crime inquiry and the practical limits of the criminal justice process."

To read the complete article see:




New Activity of the Blue Termite APT

Suguru Ishimaru, Secure List

Date Published: 20 August 2015



"In October 2014, Kaspersky Lab started to research “Blue Termite”, an Advanced Persistent Threat (APT) targeting Japan. The oldest sample we’ve seen up to now is from November 2013.

This is not the first time the country has been a victim of an APT.

However, the attack is different in two respects: unlike other APTs, the main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan. One of the top targets is the Japan Pension Service, but the list of targeted industries includes government and government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and so on.

Unfortunately, the attack is still active and the number of victims has been increasing.

You will see a significant increase in the middle of July (marked in orange). The spike resulted from new attack methods that the Blue Termite group employed and that Kaspersky Lab detects. This article introduces the new methods and technical details on how they work.

New method of initial infection

Originally, the main infection vector of the APT was spear-phishing emails. Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit (CVE-2015-5119, the one leaked from The Hacking Team incident).

Several Japanese web sites have been compromised with this method."

To read the complete article see:




The Secret History of Cyber Crime - Infographic

Alan, Focus Blog (Focus Training and Solutions)

Date Published: 18 August 2015




"The Secret History of Cyber Crime

What it means for us, corporations and governments

Modern computers have their root deeply entrenched in the history of the last Great War. The so called "thinking machine" was invested based purely on the need of breaking the Axis naval Enigma code. In short, the predecessors of modern computers were amount the first high-tech spy tools."

To read the complete article see:




China vows to "clean the internet" in cybercrime crackdown, 15,000 arrested

John Zorabedian, Naked Security (Sophos Blog)

Date Published: 20 August 2015



"The Ministry of Public Security in China said this week that 15,000 people have been arrested since the launch of a major anti-cybercrime operation called "cleaning the internet."

So far, the six-month operation, launched in July, has produced investigations of over 7400 cases of cybercrime and 66,000 websites.

In an announcement on its website, the ministry said the arrests were for crimes that "jeopardized internet security," and described in detail a handful of cases, ranging from network attacks and website intrusions to sophisticated frauds.


The ministry also described one case where hackers used phony ads on Baidu, China's largest search engine, to scam people who thought they were calling an airline customer service line.

Another case involved hackers sending mass SMS messages containing malicious links to take control of mobile devices.


According to a report from Reuters, the current crackdown also targets websites providing "illegal and harmful information" as well as ads for pornography, firearms and explosives.

Although the ministry said the campaign is focused on crushing organized cybergangs in the country, some analysts suspect China's broad cybercrime law could sweep up activists and dissidents along with the crooks."

To read the complete article see:




Upon reflection, BitTorrent amplifies DDoS attacks

Davey Winder, SC Magazine

Date Published: 20 August 2015



"New DRDos attack using BitTorrent investigated: able to amplify traffic up to a factor of 50 times on average, and 120 times in the case of BTSync.


Although DRDos attacks are not exactly new, new methods to launch them are always high on the agenda of both those out to cause problems, and to prevent them. So when we heard that a new DRDos attack using BitTorrent  was being demonstrated, SCMagazineUK.com decided to investigate further. This particular DRDos methodology was published by City University London researcher Florian Adamsky along with cloud security outfit Plumgrid, in a paper rather extravagantly entitled "P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks".

A quick look at the abstract of the paper reveals that what Adamsky is talking about here is how the BitTorrent protocol family, specifically the Micro Transport Protocol (uTP), Distributed Hash Table (DHT), Message Stream Encryption (MSE) and BitTorrent Sync (BTSync), can be exploited to reflect and amplify traffic from peers in a DRDos attack scenario. Under lab test conditions, the researchers were able to amplify traffic up to a factor of 50 times on average, and 120 times in the case of BTSync.

This wasn't some irresponsible disclosure though, as Adamsky had already revealed his findings with BitTorrent some weeks earlier. Which is just as well, considering that he reckons an attacker could put all this theoretical stuff into practice by collecting millions of potential amplifiers using trackers or peer exchange for example. A single BTSync ping message would then be all it takes to amplify the traffic by more than 100 times."

To read the complete article see:




The Curious Case Of The Document Exploiting An Unknown Vulnerability – Part 1

Wayne Chin Yick Low, Security Research (Fortinet Blog)

Date Published: 20 August 2015



"Recently, we came across an unknown document exploit which was mentioned in a blogpost by the researcher @ropchain. As part of our daily routines, we decided to take a look to see if there was something interesting about the document exploit. The sample’s SHA1 used in the analysis is FB434BA4F1EAF9F7F20FE6F49C4375E90FA98069. The file we’re investigating is a Word document called amendment.doc.


We are going to analyze the vulnerability on the following test


 * Windows 7 X86

 * Microsoft Word 2007 SP3

 * WINWORD and WWLib version 12.0.6718.5000

As we already expected, Microsoft Word crashes immediately upon opening the document:

We reproduce the crash a few times to make sure that this is the actual code that we should look into before we dive deeper into the code.

Interestingly, we see the ECX always contains the constant address

0x7c38bd50 in all of the crashes. Thus we are fairly convinced that this is the actual code path that we want to look into. Without further ado, we attach WinDBG to WINWORD again and set a DLL loading breakpoint on MSVCR71.dll. This address seems to belong to a Microsoft DLL component because the exploit document attempts to load otkloadr.dll, which in turn loads MSVCR71.dll that will be used to bypass ASLR. We confirm our hypothesis with the following output from WinDBG:"

To read the complete article see:



Cyber espionage campaign targets India and Tibetan activists

Pierluigi Paganini, Security Affairs

Date Published: 24 August 2015



"Security experts at FireEye uncovered a cyber espionage campaign that targeted organizations in India and the Tibetan activists.

Security firm FireEye revealed an intense activity of hackers based in China particularly interested in entities and organization linked to the Indian Government as well as in information on Tibetan activists. Also in this case we are dealing with a cyber espionage campaign conducted by an Alleged Chinese APT. The Chinese hackers run spear phishing attacks against their targets, the malicious email have an attachment containing a script called Watermain. When victims open it the malicious code creates backdoors on target machines.


Experts at FireEye are monitoring the Watermain’s activity since 2011, the APT targeted more than 100 entities since now, about 70% of them are from India.

“Collecting intelligence on India remains a key strategic goal for China-based APT groups, and these attacks on India and its neighbouring countries reflect growing interest in its foreign affairs,” said Bryce Boland, FireEye chief technology officer for Asia Pacific."

To read the complete article see: