Nasdaq Hack teaches network vigilance

BloombergBusinessweek article 7/17/2014

a. Discusses how Russian hackers infiltrated the NASDAQ network,

b. Placed malware on one of the NASDAQ web servers.

c. Thus creating a classic “watering hole” attack – where customers of NASDAQ were attacked by malware as they navigated NASDAQ websites.

d. The malware used 0-day vulnerabilities to hack the servers and network. In fact the article mentions two (2) 0-day vulnerabilities being used.

A 0-day vulnerability is called that because it has not been patched yet, i.e. a vulnerability was found and the manufacturer has not had time to patch it. So even if the IT department did its job and applied the new Microsoft patches on Patch Tuesday (the 2nd Tuesday of the month), there is still a vulnerability that has no patch, and the hackers can attack and own (hacker parlance for control) your computers at will.

Remember the Heartbleed vulnerability?


This story makes one wonder if there is a third party doing any penetration testing for private company computers and networks.

Patch Tuesday is here 7/8/14

Patch Tuesday is the day Microsoft has deemed to give us their vulnerability fixes.

It has to be done some time, and so it is done on a Tuesday (right after Monday), still at the beginning of the week, so the computer departments can schedule reboots and patching as soon as they are able.

The second Tuesday of the month is Patch Tuesday.
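Because the release day moves every month, a patch schedule is easier to keep if it is computed rather than looked up. The helper below is an added example, not code from Microsoft or from this blog: it finds the second Tuesday of a month, the next one from any given day, and a simple test/deploy window whose day counts are assumptions for the demo, not any published standard.

```python
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (Microsoft's regular bulletin day)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0 ... Sunday == 6; calendar.TUESDAY == 1
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(today: date) -> date:
    """First Patch Tuesday on or after `today`."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    if today.month == 12:
        return patch_tuesday(today.year + 1, 1)
    return patch_tuesday(today.year, today.month + 1)


def maintenance_window(year: int, month: int, test_days: int = 2, deploy_days: int = 5) -> dict:
    """Release day, end of the lab test period, and the production deploy deadline.
    The 2-day and 5-day figures are assumptions chosen for this example."""
    release = patch_tuesday(year, month)
    return {
        "release": release,
        "test_until": release + timedelta(days=test_days),
        "deploy_by": release + timedelta(days=test_days + deploy_days),
    }


if __name__ == "__main__":
    print(patch_tuesday(2014, 7))           # 2014-07-08, the date this post refers to
    print(next_patch_tuesday(date.today()))
    print(maintenance_window(2014, 7))
```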

BetaNews discusses 6 bulletins, of which 2 are critical.

Some affect different systems.

Technet advance discussion

Microsoft Security Bulletin

This one could be the bad one:


Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) 

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Please plan and patch accordingly



New PCI DSS v3.0 released Nov 2013

DARKReading has the highlights of the changes of v3.0 compared with v2.0

SearchSecurity also has a synopsis – with the 5 most important changes:

1. Pentesting (Penetration testing)

2. inventory system components

3. Vendor relationships

4. Antimalware

5. Physical access

All of the changes make sense in light of the Target breach, which we will review in more detail in a separate post. The most important is the pentesting and the segmentation of networks from your vendors. It is likely that one of the vendors at Target caused the breach, or at least helped the exfiltration of the credit card data.

Here is a snapshot from the actual v3.0 PCI DSS doc


4 Future Internet trends and how they affect Security

RealclearTechnology  has an interesting article

(The 4 headings below are my synthesis of the article.)

It is based on the Cisco projections (linked in the article).

#1 There will be 4 billion Internet users, and 52% of them (2.1 billion) will be in Asia.


(image from the Cisco site).


This means that there will be more security issues, as there will be more criminals and teenagers trying to prove themselves. If you are seeing 10 scans per day today, by 2018 that will quadruple.

#2 There will be a marked increase in machine to machine traffic (M2M), “robots” is my interpretation.  “Globally, machine-to-machine connections will grow 3-fold, from 2.3 billion in 2013 to 7.3 billion by 2018.”

This means that criminals will try to find the robot weaknesses and take them over for their own purposes. Yes, you guessed it – testing and security compliance is not going away.

#3 The PC will shrink in relevance. This is already happening, and in fact the prediction is “the PC will shrink to just 50.5 percent in 2018”. This means security folks have to get their mobile device strategy up to speed quickly, if you are not doing so already.

#4 There will be more videos streamed and watched on the Internet (this may mean many other things for media companies), but we are focused on security here. What does this mean for security? It means you have to detect the bad guys’ activity within a lot of other good traffic, specifically streaming video, much as we already have to with voice over IP (VOIP). (Not a show stopper.)

Testing Cloud services

Since we advocate testing your IT services and devices, what if your organization has cloud services?

How about Amazon EC2? Keep the AWS compliance page in mind.

As Amazon AWS (Amazon Web Services) says, it is a shared responsibility.

Rackspace has a security page (Rackspace Security); Rackspace says it is a shared responsibility as well.

There are different cloud providers with specific missions and infrastructure services.


Let’s say you need PCI compliance completed for your website, which is hosted at a cloud provider.

A search of the Rackspace site turns up scanning for rootkits, among other links.

As a computer professional in the security field, one cannot just scan or perform penetration tests on any computer on the Internet; in fact we must get written approval to perform a scan on a computer.

Why? How about this example:

Internet Storm Center example

“However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable.  This affects Proliants from G1 all the way up to G6, as well as many of the HP Bladesystems.”

So when scanning for Heartbleed on HP ProLiant hardware, the iLO cards have a problem.

An iLO card gives a system administrator a specific remote management ability:

“Before using an ILO card you must plug an Ethernet cable in to the server’s ILO Ethernet jack. Once the ILO card is connected to the Internet, you must set up an ILO user account and IP network address in the server’s BIOS menu”

This capability of the iLO card has a drawback: under a Heartbleed scan its software actually caused the server to crash, with a hard boot needed to recover (someone must press the power button). This side effect of a Heartbleed scan is a disaster for many cloud providers, as a reboot of a hypervisor server may cause a loss of service of 10-30 minutes or more if the system has to be manually reset in some way by a technician.
All Certified Ethical Hackers must be aware of the problems that can arise.
We must test for compliance and to uncover vulnerabilities, but it must be done in a way that does not affect services, if at all possible.
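Two checks follow directly from the two points above: every target must fall inside the written authorization, and management interfaces known to fall over under an active probe should be verified from the inventory and the vendor advisory instead of being scanned. The planner below is an added example, not code from this blog or from any scanner; the inventory, the authorized range (an RFC 5737 documentation network) and the role names are constructed for the demo, and the fragile-device rule simply encodes the ISC report quoted above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    role: str    # e.g. "web", "hypervisor", "ilo" (out-of-band management)
    model: str   # hardware/firmware description from the asset inventory


# Constructed inventory; addresses come from the RFC 5737 documentation ranges.
INVENTORY = [
    Host("203.0.113.10", "web", "VM on HP ProLiant DL380 G6"),
    Host("203.0.113.11", "ilo", "HP ProLiant DL380 G6 iLO 2"),
    Host("203.0.113.12", "hypervisor", "Dell PowerEdge R720"),
    Host("203.0.113.13", "oa", "HP BladeSystem c7000 Onboard Administrator"),
    Host("198.51.100.5", "web", "hosted elsewhere, not ours"),
]

# Scope taken from the (hypothetical) written authorization for this engagement.
AUTHORIZED_SCOPE = ["203.0.113.0/28"]

# Management interfaces the ISC report says become inoperable under a Heartbleed scan.
FRAGILE_ROLES = {"ilo", "oa", "bmc"}
FRAGILE_MODEL_KEYWORDS = ("proliant", "bladesystem")


def in_authorized_scope(ip: str, scope) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in scope)


def is_fragile(host: Host) -> bool:
    """True only for out-of-band management interfaces on the affected HP platforms.
    A VM that merely runs on ProLiant hardware is not the fragile part."""
    model = host.model.lower()
    return host.role in FRAGILE_ROLES and any(k in model for k in FRAGILE_MODEL_KEYWORDS)


def plan_scan(inventory, scope) -> dict:
    """Split hosts into: active scan, version check only (no probe), not authorized."""
    plan = {"active": [], "version_check_only": [], "not_authorized": []}
    for host in inventory:
        if not in_authorized_scope(host.ip, scope):
            plan["not_authorized"].append(host.ip)
        elif is_fragile(host):
            # Confirm the firmware level from the inventory / vendor advisory instead
            plan["version_check_only"].append(host.ip)
        else:
            plan["active"].append(host.ip)
    return plan


if __name__ == "__main__":
    for bucket, ips in plan_scan(INVENTORY, AUTHORIZED_SCOPE).items():
        print(f"{bucket}: {ips}")
```

Anything that lands in `not_authorized` is a scope error to raise with the client before the engagement starts, not a host to add to the scan; the `version_check_only` list is the set of devices whose Heartbleed status is settled by firmware version rather than by probing them.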



National Institute of Standards and Technology (NIST) has new standards

NIST has a Computer Security Division, and they have revamped their on-line database (Access and Control policy and procedures).

There are many good areas to review in this website, including:

Don’t forget the home workers:

An important part of telework and remote access security is applying security measures to the personal computers (PC) and consumer devices using the same wired and wireless home networks to which the telework device normally connects. If any of these other devices become infected with malware or are otherwise compromised, they could attack the telework device or eavesdrop on its communications. Teleworkers should also be cautious about allowing others to place devices on the teleworkers’ home networks, in case one of these devices is compromised.

Teleworkers should also apply security measures to the home networks to which their telework devices normally connect. One example of a security measure is using a broadband router or firewall appliance to prevent computers outside the home network from initiating communications with telework devices on the home network. Another example is ensuring that sensitive information transmitted over a wireless home network is adequately protected through strong encryption
Anybody that connects to your network can cause unforeseen mayhem.
In computer security there is a method we use to get better security: after a security policy or method is instituted, it must be tested by an independent mind (red team versus blue team). This methodology is used to create a stronger and more effective defense of network assets.
Contact Us to discuss this in depth. is a website.

Experian – one of the credit reporting agencies was duped

KrebsonSecurity  has the story (a good security blog)

A 24-year-old Vietnamese national (Ngo) helped create a situation where data from Experian was sold to online identity theft rings.

The company Court Ventures helped cause the situation.

But this is the important sentence: “According to a transcript of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.”


This is how it works: once your data is online and in digital format, it is easy for people to steal/borrow/buy it and then sell it on the open market.


SQL Injection is a common hacker method to attack

As noted by  there are many methods of taking advantage of SQL injection opening in a website.

The real problem is when companies don’t admit to the breaches occurring.

Security magazine did a survey of 189,650 respondents:

15% of respondents said that there was a data breach, and 20% from servers.


15% of 189,650 = 28,447 breaches.

So there were plenty of problems in corporate America in the security area, and 89% think they have handled the issue.


Obviously there is a disconnect, and this is assuming the other 160,000 are being truthful. will help you cover your data and help you secure your IT infrastructure through testing, which is difficult, tedious, manual work.

National Vulnerability Database (NVD)

NVD  or at the


NIST is the National Institute of Standards and Technology.

NVD contains:

As you can see, the patching and protecting of your computers has to be automated, because it can get out of hand very quickly.
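The first step of that automation is matching vulnerability entries against what you actually run, so the long list collapses to the few items that matter today. The script below is an added example and is not from NIST or the NVD; its records use a simplified constructed shape with placeholder CVE ids, not the NVD feed schema, and the inventory is invented for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float
    products: tuple   # (vendor, product, version) triples the entry applies to


# Constructed records with PLACEHOLDER ids; not real CVEs and not the NVD schema.
FEED = [
    Cve("CVE-0000-0001", 9.8, (("examplecorp", "webapp", "7.1"),)),
    Cve("CVE-0000-0002", 5.3, (("examplecorp", "webapp", "7.1"), ("examplecorp", "webapp", "7.2"))),
    Cve("CVE-0000-0003", 7.5, (("othervendor", "db", "2.0"),)),
    Cve("CVE-0000-0004", 4.0, (("examplecorp", "agent", "1.0"),)),
]

# Constructed asset inventory: host -> installed (vendor, product, version)
INVENTORY = {
    "web01": [("examplecorp", "webapp", "7.1"), ("examplecorp", "agent", "1.0")],
    "web02": [("examplecorp", "webapp", "7.2")],
    "db01": [("othervendor", "db", "2.1")],
}


def affected_hosts(cve: Cve, inventory: dict) -> list:
    """Hosts running any exact (vendor, product, version) the entry lists."""
    return sorted(host for host, software in inventory.items()
                  if any(item in cve.products for item in software))


def prioritize(feed, inventory, min_cvss: float = 7.0) -> dict:
    """Keep only entries that hit at least one host; split by CVSS threshold,
    highest score first. The 7.0 cut-off is an assumption for the example."""
    urgent, deferred = [], []
    for cve in feed:
        hosts = affected_hosts(cve, inventory)
        if not hosts:
            continue    # nothing we run is affected: no ticket needed
        entry = (cve.cve_id, cve.cvss, hosts)
        (urgent if cve.cvss >= min_cvss else deferred).append(entry)
    order = lambda e: (-e[1], e[0])
    return {"urgent": sorted(urgent, key=order), "deferred": sorted(deferred, key=order)}


if __name__ == "__main__":
    for bucket, entries in prioritize(FEED, INVENTORY).items():
        print(bucket)
        for cve_id, score, hosts in entries:
            print(f"  {cve_id}  CVSS {score}  hosts={hosts}")
```

Note that `CVE-0000-0003` drops out entirely because the inventory has version 2.1 and the entry lists 2.0; real feeds express affected versions as ranges, so a production matcher needs version comparison rather than the exact-triple match used here.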

Drupal vulnerability – patch your software

Yes, Drupal version 7.x – 3.5 now has a remote command injection vulnerability. Packetstormsecurity has a page on it.

Patch to the latest software (May 3rd or newer) to prevent this.


Drupal is a popular content management system (CMS) software for websites. The newest version, 8, is coming soon, but until then please update and patch.