“Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding ‘Advanced Persistent Threats.’”
An unnamed fraudster managed to steal $2.1 million from a hospital chain’s Wells Fargo Bank escrow account by faxing a money transfer request signed with a copied-and-pasted signature he had taken off the Internet.
The brazen theft was pulled off ingeniously, but the biggest responsibility for its success seems to lie with the Wells Fargo escrow agent who authorized the transfers without thoroughly checking the legitimacy of the requests.
To understand what happened, you must know that Catholic Healthcare West, the hospital chain in question, signed a contract with Merced County, California, to operate a medical center in the San Joaquin Valley.
In order to do that, the chain had to maintain an escrow account with $7.5 million in it. At the same time, it decided to change banks, but needed the approval of the county’s Board of Supervisors to do so. They did approve but, unfortunately, the county put a partial copy of this agreement on its official website, complete with the signatures of the chain’s CFO Michael Blaszyk and the Merced County Director of Public Health Tammy Chandler.
Armed with the name of the bank where Catholic Healthcare West had the account and the name and signature of the chain’s CFO, the fraudster put the plan in motion in December 2011, Forbes reports.
First he faxed a request for Wells Fargo to wire $445,000 from the chain’s escrow account to one in the HSBC bank in New York. Although “signed” by Blaszyk and Chandler, the transfer was denied because the account at HSBC was nonexistent.
The escrow agent moved to check with HSBC why the request was rejected – or so he thought. Unfortunately, he called the bank’s number he got off the fax, and got an answering machine. The number actually belonged to the fraudster, who called back after a short period of time, posed as Blaszyk, and told the escrow agent to ignore the wire transfer request.
A week later, the fraudster tried again. This time, a request was made for the same amount to be transferred to an account under the same name at a bank in Hong Kong. Again, the request was rejected on the same grounds.
Almost a week later, the escrow agent received a third wire transfer request: to send $989,000 to an account in the name of Textil Trading UK Limited at another bank, the Standard Chartered Bank in Hong Kong. This time the account existed, the request was approved and the money was transferred.
Seeing that the scheme was finally successful, the fraudster tried three more times. The first request was denied because transferring the amount requested would require the bank to sell securities, and the fraudster didn’t indicate which ones. The second one hit another jackpot, and $1.1 million was wired to the Hong Kong account.
And the third one – a request for a transfer of $2.2 million – was when the escrow agent began to suspect something was wrong. He finally called Catholic Healthcare West and found out that all the earlier requests were not sent by them.
Wells Fargo has since reimbursed Catholic Healthcare West for the stolen money, and has engaged a legal team to try to recover the stolen money – or what is left of it – from the Hong Kong account. They are also working with law enforcement to find the individual(s) behind the fraudulent scheme.
It is a given that the escrow agent should have been more careful when checking whether the requests were legitimate, but I can’t help but wonder whether putting that (partial) agreement signed by Merced County and CHW online for everybody to see was really necessary.
In this day and age, when anyone can search and find almost anything on the Internet and use the information for social engineering attacks, I believe we all should be more careful about what really needs to be online. This particular example just goes to show that fraudsters don’t need much – just good googling skills and the knowledge of how to use the information they find.

Just a quick post as I sit around at Jury Duty. Backtrack 5 R2 was released today. Update and enjoy the goodness.
www.backtrack-linux.org/downloads
In addition to the aforementioned updates and additions, we have also added the following new tools to BackTrack:
| arduino | bluelog | bt-audit | dirb | dnschef | dpscan | easy-creds | extundelete |
| findmyhash | golismero | goofile | hashcat-gui | hash-identifier | hexorbase | horst | hotpatch |
| joomscan | killerbee | libhijack | magictree | nipper-ng | patator | pipal | pyrit |
| reaver | rebind | rec-studio | redfang | se-toolkit | sqlsus | sslyze | sucrack |
| thc-ssl-dos | tlssled | uniscan | vega | watobo | wcex | wol-e | xspy |
What’s missing from Information Sec_ _ity? UR
You’ve probably heard that starting March 1, Google is going to unify all your privacy data from your various accounts, such as Gmail, YouTube and Web searches. What that means, in part, is that your past Web searches could become part of a big pot of information that’s out there for Google to use to establish better profiles of its users for advertisers.
Don’t want that? It’s easy to clear your Google Web search history, but you’ll need to do it with haste. Starting Thursday, the privacy policy goes into effect, although it’s under fire, both in the U.S. and abroad. Despite the concerns, Google has said that the changes will not bring any new or additional data collection, and that most of its product-specific policies already allow information to be shared across product lines when users sign into their Google accounts.
Still, it doesn’t hurt to wipe some things off your personal data map, including your searches. To get started, first, go to: Google.com/history. There, you will log in, using your Google sign-in.
source: MSNBC.com
http://news.cnet.com/8301-17938_105-57376903-1/spray-on-antenna-wireless-in-a-can/
http://news.cnet.com/8301-27080_3-57377932-245/senators-introduce-new-cybersecurity-bill/
These calendars make great wallpapers, I really liked the 2011 one better though.
Let’s face it: BackTrack is one tool that every security professional has in their kit, and one of the hardest issues is keeping your tools up-to-date. Well, there are several scripts out there that will help you with this; the one I have found to do the best job is from Bl4ck5w4n (http://bl4ck5w4n.tk/?p=44), and the current version is 1.1. This script will help you keep some of the most popular tools current. I have found a few bugs in it, such as some of the tools not updating due to a bad URL or typo, but it gives you a great starting platform, and all you need to do is add any additional items that you need.
The script is written in Python, so it is quite easy to modify. The first thing I did was to run the program and run each update separately. It does have an option to Update All, but I want to watch each item run and note any errors so that I can go back and fix them in the script. Once you have all the updates running correctly, you can just run the Update All option and watch it do the work for you.
One item that I do want to add is some type of log file so that I can review what was updated or changed, for my documentation. There are so many tools in BackTrack that it is hard to keep everything updated, but keep track of the tools you use most and add these to the script.
How do you keep your Backtrack up-to-date? Do you have a better script or procedure?
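The log file idea above, as an added example that is not part of Bt5up: each tool update runs as its own step, its exit code and output are written to a timestamped log file, and the steps that failed (a bad URL, a typo) come back as a list to fix. The tool names and the stand-in commands are constructed for the demo.

```python
# Added example, not Bt5up's own code: run each tool update separately and
# record what happened in a log file instead of letting it scroll past.
import logging
import subprocess
import sys

def run_updates(steps: dict, logfile: str) -> dict:
    """steps maps a tool name to the argv list that updates it. Each step is
    run on its own; exit code and output go to logfile. Returns {name: code}."""
    logger = logging.getLogger("bt5up")
    logger.setLevel(logging.INFO)
    handler = logging.FileHandler(logfile)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    results = {}
    try:
        for name, argv in steps.items():
            logger.info("updating %s: %s", name, " ".join(argv))
            proc = subprocess.run(argv, capture_output=True, text=True)
            results[name] = proc.returncode
            if proc.stdout.strip():
                logger.info("%s stdout: %s", name, proc.stdout.strip())
            if proc.returncode != 0:
                # Keep stderr so the bad URL / typo is visible in the log
                logger.error("%s FAILED (exit %d): %s", name,
                             proc.returncode, proc.stderr.strip())
            else:
                logger.info("%s updated OK", name)
    finally:
        logger.removeHandler(handler)
        handler.close()
    return results

def failed_tools(results: dict) -> list:
    """Names of the steps that did not exit 0, i.e. the list to go fix."""
    return sorted(name for name, code in results.items() if code != 0)

def demo_steps() -> dict:
    """Constructed stand-ins for the real git/svn/wget update commands:
    one step succeeds, one fails the way a dead download URL would."""
    return {
        "metasploit": [sys.executable, "-c", "print('already up to date')"],
        "nikto": [sys.executable, "-c", "import sys; sys.exit('404 Not Found')"],
    }

if __name__ == "__main__":
    res = run_updates(demo_steps(), "bt5up-update.log")
    print("failed:", failed_tools(res))
```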
Script to update BackTrack5 V.: 1.1
Bt5up is a script coded in Python that was rewritten from Sickness’s original version, which was coded in C (and no longer exists).
The purpose of Bt5up is to update/add BackTrack 5 tools.

As you can see in the screenshot, it displays the version you have installed, the latest version available, and the Main Menu with all the different topics to update/install. Here is the complete menu:
1. Update and clean Backtrack.
2. Exploit tools.
- Metasploit Framework.
- Exploit-db.
- SET – Social Engineering Toolkit.
- Update all.
3. Wireless & Telephony.
- Aircrack-ng and Airdrop.
- WarVox.
- Giskismet.
- FeedingBottle
- Update all.
4. Web & Database.
- W3AF.
- Nikto.
- Sqlmap.
- Fimap.
- Update all.
5. Others.
- Nessus.
- Pyrit.
- Wireshark
- OpenVAS.
- SSLStrip
- Update all.
- Startx after login
- Change Login message(motd)
- Install FlashPlayer 64Bits
11. Additional Tools
- Axel & apt-fast
- Nessus
- FeedingBottle
- HexorBase
- Install All
Download: bt5up
How to run:
wget http://bl4ck5w4n.tk/wp-content/uploads/2011/07/bt5up.tar
tar -xvf bt5up.tar
python bt5up.py
You can copy bt5up.py to /bin/ to make it easier to use:
cp bt5up.py /bin/bt5up
chmod +x /bin/bt5up
This is a repost of the SANS alert (http://isc.sans.org/)
Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 – available since January 2007) designed to ease the process of securely setting up Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, describing a flaw that allows an attacker to get full access to a Wi-Fi network (including retrieving your ultra-long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available in the associated whitepaper. In practice, it acts as a “kind of backdoor” for Wi-Fi access points and routers.
The quick and immediate mitigation is based on disabling WPS. Your holiday gift for the people around you these days is to tell them to disable WPS.
It is important to note that this vulnerability affects both the WPS design (which typically means higher impact and longer fix times) and the current Wi-Fi vendor implementations. The design is affected because WPS presents serious weaknesses that allow an attacker to determine whether the first half of the PIN is correct on its own (do you remember Windows LANMAN (LM) authentication? 7+7 != 14). Therefore the brute force process can be split in two parts, significantly reducing the number of attempts required to brute force the entire PIN from 100 million (10^8) to 11,000 (10^4 + 10^3). The vendor implementations (in Wi-Fi access points and routers) are also affected due to the lack of a proper (temporary) lock-out policy after a certain number of failed attempts to guess the PIN, plus some collateral DoS conditions.
The researcher used a Python (Scapy-based) tool that has not been released yet, although other tools that allow testing for the vulnerability have been made public, such as Reaver. Current tests indicate that it would take about 4-10 hours for an attacker to brute force the 8-digit PIN (in reality a 7-digit PIN, 4+3+1 digits, since the last digit is a checksum).
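To put numbers on the two points above (the design flaw and the missing lock-out policy), here is an added Python example that is neither the researcher’s tool nor part of the ISC diary. It implements the WPS PIN checksum digit as the spec defines it (weights 3,1,3,1,3,1,3 over the first seven digits), compares the worst-case guess counts the diary quotes, and estimates how a temporary lock-out after N failures stretches the time an attacker needs; the per-attempt time and lock-out parameters are constructed assumptions, not measurements.

```python
# Added example (not from the ISC diary or Viehböck's tool): quantify the WPS
# PIN weakness described above and the effect of a lock-out policy.

WPS_PIN_LENGTH = 8

def wps_checksum_digit(first_seven: str) -> int:
    """8th digit per the WPS spec: weighted sum (3,1,3,1,3,1,3) of the first
    seven digits, and the checksum makes that sum a multiple of 10."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    accum = sum((3 if i % 2 == 0 else 1) * int(d)
                for i, d in enumerate(first_seven))
    return (10 - accum % 10) % 10

def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN carries a correct checksum digit."""
    if len(pin) != WPS_PIN_LENGTH or not pin.isdigit():
        return False
    return wps_checksum_digit(pin[:7]) == int(pin[7])

def worst_case_attempts(halves_verified_separately: bool) -> int:
    """Worst-case guesses. A single 7-digit secret (8th digit is derived)
    is 10**7 candidates; because the protocol confirms the first four digits
    on their own, the work drops to 10**4 + 10**3, the figure in the diary."""
    return 10**4 + 10**3 if halves_verified_separately else 10**7

def worst_case_seconds(attempts: int, seconds_per_attempt: float,
                       lock_after_failures: int = 0,
                       lock_seconds: float = 0.0) -> float:
    """Wall-clock time for `attempts` guesses against an AP that, after every
    `lock_after_failures` failures, refuses further attempts for `lock_seconds`.
    lock_after_failures == 0 models the vulnerable no-lock-out implementation."""
    total = attempts * seconds_per_attempt
    if lock_after_failures > 0:
        total += (attempts // lock_after_failures) * lock_seconds
    return total

if __name__ == "__main__":
    # 12345670 is a well-known default PIN and carries a valid checksum.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    split = worst_case_attempts(True)      # 11,000
    print("guesses, halves verified separately:", split)
    print("guesses, single secret:", worst_case_attempts(False))
    # Assumed 1.5 s per attempt: no lock-out vs. 60 s lock after 3 failures
    print("hours, no lock-out:", worst_case_seconds(split, 1.5) / 3600)
    print("hours, lock-out:", worst_case_seconds(split, 1.5, 3, 60.0) / 3600)
```

With the assumed 1.5 s per attempt the no-lock-out case lands in the diary’s 4-10 hour range, while a 60-second lock after every three failures pushes the same search past 65 hours, which is why the lock-out policy matters as much as the design fix.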
Lots of Wi-Fi devices on the market implement WPS; a significant number seem to implement the PIN authentication option (the vulnerable mechanism, called PIN External Registrar), as it appears to be a mandatory requirement of the WPS spec for WPS certification by the Wi-Fi Alliance; and a very relevant number seem to have WPS enabled by default. Based on that, and on the experience we had with similar Wi-Fi vulnerabilities over the last decade, it may take time for the Wi-Fi industry to fix the design flaw and release a new WPS version; it will take more time for (all) vendors to release a new firmware version that fixes or mitigates the vulnerability; and it will take even more time for end users and companies to deploy a fixed and secure WPS version and/or implementation, or to disable WPS (although this is the quickest option… we know it takes much more time than we would like).
To sum up, millions of devices worldwide might be affected and it will take months (or years – think of WEP) to fix or mitigate this vulnerability… so meanwhile, it is time to start a global security awareness campaign:
Disable WPS!!
This diary extends the Wi-Fi security posture of previous ISC diaries, where we covered the security of common Wi-Fi usage scenarios, and will be complemented by two upcoming Wi-Fi security end-user awareness resources: the SANS OUCH! January 2012 issue and lesson 12 of Intypedia (both will be available in mid-January 2012).
—-
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com