The anonymouSabu Twitter account is back up and flowing after about a month of silence. A lot of the posts are about the protests on Wall Street. There is talk about ongoing operations, but I did not find anything specific. I have not seen anything mentioning whether this is the same situation as some of the other accounts, where two people were operating one alias. This could be the second person coming on; Sabu seemed pretty intent on disappearing before.
I am sure there will be public analysis of the writing style, as there was with the others.
A few more people connected to LulzSec and Anonymous were picked up on Thursday. The article raises a good point about the amount of publicity they received and the fact that they might have let a little too much slip.
Unfortunately, the individuals who are the best at this kind of thing are the ones you don't hear about. It's kind of a cliche, but it's true. Doing that kind of damage and publishing it will gather you a lot of attention, and then put you on a short list, especially if you live in a country with legal cooperation agreements.
I often wonder whether this will be a shift in the way law enforcement reacts to these types of attacks, or whether it is an anomaly because of the amount of attention it received.
This is the best one I have found yet; I won't even waste time trying to paraphrase it.
Just give it a read.
This case has a few good items from an incident handling side, and a few more bad things.
This group used physical break-ins along with wireless penetration to get into companies and tamper with payroll. Once in the system they stole identities, set up additional bank accounts in the employees' names, and then gave raises.
They were even in a position to monitor the response to the incident in at least one of the companies, including phone calls to the authorities.
A couple of good incident handling ideas come out of all this:
- Use out-of-band communication, such as cell phones. Using a VoIP phone on a network the intruder may still control is a bad idea, since they can listen to the response.
- Auditing systems is a must; changes to a payroll database are a good example of what to audit.
- Logging is great for coming out of an incident; you can use the logs to try to track the intruders around the network.
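To make the auditing point concrete, here is an added example (it is not code from the post or from the case it describes) that runs a few correlation rules over constructed payroll audit-log entries: a direct-deposit account change followed by a raise for the same employee within 24 hours, the same new account appearing on more than one employee, and changes made outside business hours. The log format, field names, actor names and the 07:00 to 19:00 business window are assumptions; the rules go slightly beyond the bullet above by pairing the two kinds of change the attackers in the case made.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed payroll audit-log entries (not from the case in the post).
# One row per field change, as an audit trigger on the payroll DB might write.
AUDIT_LOG = [
    {"ts": "2011-09-12T14:02:00", "actor": "hr.jsmith", "employee": "E1001",
     "field": "salary", "old": "52000", "new": "54000"},
    {"ts": "2011-09-14T02:11:00", "actor": "svc_payroll", "employee": "E2042",
     "field": "bank_account", "old": "****1234", "new": "****9981"},
    {"ts": "2011-09-14T02:13:00", "actor": "svc_payroll", "employee": "E2042",
     "field": "salary", "old": "61000", "new": "98000"},
    {"ts": "2011-09-14T02:15:00", "actor": "svc_payroll", "employee": "E3310",
     "field": "bank_account", "old": "****5555", "new": "****9981"},
    {"ts": "2011-09-14T02:16:00", "actor": "svc_payroll", "employee": "E3310",
     "field": "salary", "old": "45000", "new": "80000"},
    {"ts": "2011-09-15T10:30:00", "actor": "hr.jsmith", "employee": "E1777",
     "field": "bank_account", "old": "****0001", "new": "****0002"},
]

BUSINESS_HOURS = range(7, 19)      # assumption: 07:00-18:59 local time
PAIR_WINDOW = timedelta(hours=24)  # assumption: how close the two changes must be


def _ts(entry):
    return datetime.fromisoformat(entry["ts"])


def flag_payroll_changes(entries):
    """Return (rule, subject, detail) findings for the suspicious patterns."""
    findings = []
    by_employee = defaultdict(list)
    employees_per_account = defaultdict(set)

    for e in sorted(entries, key=_ts):
        by_employee[e["employee"]].append(e)
        # Rule 1: any payroll change outside business hours.
        if _ts(e).hour not in BUSINESS_HOURS:
            findings.append(("after_hours", e["employee"],
                             f'{e["field"]} by {e["actor"]} at {e["ts"]}'))
        if e["field"] == "bank_account":
            employees_per_account[e["new"]].add(e["employee"])

    # Rule 2: bank account change and a raise on the same employee, close together.
    for emp, changes in by_employee.items():
        account_changes = [c for c in changes if c["field"] == "bank_account"]
        raises = [c for c in changes
                  if c["field"] == "salary" and int(c["new"]) > int(c["old"])]
        for a in account_changes:
            for r in raises:
                if abs(_ts(r) - _ts(a)) <= PAIR_WINDOW:
                    findings.append(("raise_after_account_change", emp,
                                     f'account {a["old"]}->{a["new"]}, '
                                     f'salary {r["old"]}->{r["new"]}'))

    # Rule 3: one deposit account newly attached to several employees.
    for account, emps in employees_per_account.items():
        if len(emps) > 1:
            findings.append(("shared_account", account, ", ".join(sorted(emps))))
    return findings


def flagged(rule, entries=AUDIT_LOG):
    """Sorted, de-duplicated subjects (employee or account) hit by one rule."""
    return sorted({f[1] for f in flag_payroll_changes(entries) if f[0] == rule})


if __name__ == "__main__":
    for finding in flag_payroll_changes(AUDIT_LOG):
        print(*finding, sep=" | ")
```

Each rule on its own is noisy (HR does legitimately change accounts and give raises); the value is in the pairing and in the shared destination account, which is the pattern that a payroll-theft scheme produces and that a normal HR workflow does not.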
Good info about what can and will be done in the current state of things, and which clients and servers are capable of running which version of TLS.
The basic premise of the BEAST attack is a chosen-plaintext attack. In a chosen-plaintext attack the attacker is in a position to feed text into the cipher and then analyze the output. In general this lets the attacker learn about the cryptosystem and, against a weak enough one, even deduce the key. BEAST itself does not recover the key: it exploits the way TLS 1.0 chains CBC initialization vectors (the IV for each record is the last ciphertext block of the previous record, which the attacker has already seen) to confirm guesses about the plaintext one byte at a time, which is enough to recover something like a session cookie.
Everything I have found says that this has been in TLS since its initial release, but was considered too difficult to exploit. It also does not exist in the later releases.
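As an added illustration of why TLS 1.0 is exposed and later versions are not (this is example code written for this page, not BEAST itself or any vendor's code): because the IV of the next TLS 1.0 record is the last ciphertext block on the wire, an attacker who can get the victim to encrypt a chosen block can test a guess about an earlier plaintext block with a single probe, and with 15 of 16 bytes of that block already known, recover the last byte in at most 256 probes. The simulation below uses a toy Feistel block cipher built on HMAC-SHA256 as a stand-in for AES, a constructed key and HTTP record, and simplified sender classes for the TLS 1.0 and TLS 1.1 IV behaviour; it omits the browser-side plaintext injection and record-boundary alignment that the real attack needs, which are not shown here.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher standing in for AES: a 4-round Feistel network
    with HMAC-SHA256 as the round function. The attack depends only on CBC
    chaining, so any block cipher behaves the same way here."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class Tls10Sender:
    """TLS 1.0 style CBC: the IV of each record is the last ciphertext block
    of the previous record, so anyone watching the wire knows it in advance."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.chain = [iv]  # every IV and ciphertext block seen on the wire

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.chain[-1], plaintext)
        self.chain += [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        return ct


class Tls11Sender(Tls10Sender):
    """TLS 1.1+ style CBC: a fresh random IV per record, picked after the
    plaintext is handed over, so the attacker cannot build a probe around it."""

    def send(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.chain += [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        return ct


def probe(sender: Tls10Sender, t: int, guess: bytes) -> bool:
    """Test whether plaintext block t of the observed chain equals `guess`.

    Block t was produced as C_t = E(P_t XOR C_{t-1}). The attacker predicts the
    next IV to be the current last block C_last and has the victim encrypt
        X = C_{t-1} XOR C_last XOR guess
    which the sender turns into E(X XOR C_last) = E(C_{t-1} XOR guess).
    That equals C_t exactly when guess == P_t.
    """
    c_prev, c_target, c_last = sender.chain[t - 1], sender.chain[t], sender.chain[-1]
    ct = sender.send(_xor(_xor(c_prev, c_last), guess))
    return ct[:BLOCK] == c_target


def recover_last_byte(sender: Tls10Sender, t: int, known_prefix: bytes):
    """BEAST's per-byte step: with 15 bytes of block t known, at most 256
    probes reveal the 16th. Returns None when the IV was not predictable."""
    for b in range(256):
        if probe(sender, t, known_prefix + bytes([b])):
            return b
    return None


def recover_cookie_byte(sender_cls):
    key = hashlib.sha256(b"constructed session key").digest()  # constructed
    sender = sender_cls(key, b"\x00" * BLOCK)
    secret = ord("Q")  # the first byte of the cookie value the attacker wants
    # Constructed victim record, aligned so block 1 holds 15 known bytes of HTTP
    # structure followed by one unknown cookie byte (chain index 2 = C_1).
    sender.send(b"GET /app HTTP/1." + b"1\r\nCookie: sid=" + bytes([secret]))
    return recover_last_byte(sender, t=2, known_prefix=b"1\r\nCookie: sid=")


if __name__ == "__main__":
    print("TLS 1.0:", recover_cookie_byte(Tls10Sender))  # 81 (ord("Q"))
    print("TLS 1.1:", recover_cookie_byte(Tls11Sender))  # None
```

The same probe fails under the TLS 1.1 sender because the IV is chosen after the attacker commits to the plaintext block, which is exactly the change that makes later versions immune; moving to TLS 1.1 or 1.2, or to a non-CBC cipher suite, removes the predictable IV rather than just making the attack harder.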
The best advice I can give is for everyone to move off of it.
A working tool to exploit TLS 1.0 will be released this Friday (Sept 23rd). Major browser vendors have already been warned. I have done some spot checking and found that a few secure sites I use are still on TLS 1.0.
I am still looking for more details, but I think this may have had something to do with the vulnerability that was one of my first blog posts way back when.
If I find more I will post it.
I got a new cert last week, which is the explanation for my lack of posting so far this month.
I am now a GIAC GCFA: http://www.giac.org/certification/certified-forensic-analyst-gcfa
The course that goes with the cert is FOR508. The material covered was excellent, and the hands-on work was very valuable. There were several forensics challenges throughout the course that were really well done and covered the material well.
I did well on the exam, though not as well as I wanted to, as I found some of the material challenging. The 508.5 book is all law, including international law, as it relates to digital forensics and evidence. I was not as prepared for those questions as I was for the technical ones about the file systems.
But I am still happy with the end result.
The people who created The Pirate Bay are in the midst of creating a new site called BayFiles. It appears the site will operate like Megaupload and Rapidshare, allowing users to upload content from the browser. It has a cost model that limits free users to 250 MB, and it also controls the number of files you can download per hour.
It also does not have a search feature, so you need the link created when the file is uploaded in order to access it.
It also appears that they are going to “respect copyrights” now. Many analysts don’t seem to share that opinion.
There has been a lot of speculation that China is a hotbed for cyber attacks against various targets around the world.
Apparently there is a "smoking gun" floating around that proves such a program exists.
The story is being updated; currently I am on the fence. It's been a week and the fallout is less than what I would expect if this were true rather than a misinterpretation of the screen. It does seem pretty straightforward: a US IP and a button that says "Attack" (not that I can read that part).