Irregular Expressions

February 19, 2013  10:20 PM

Unit 61398 – Part 2

Posted by: Dan O'Connor

The first thing to review is the video; having the visual is a great place to start.

One of the key pieces we get as the public is the phone number that ‘dota’ uses to register. The number is 159 2193 7229. Here is the significance of this number, taken directly from the report.

“Telephone numbers in China are organized into a hierarchy containing an area code, prefix, and line number similar to phone numbers in the United States, with the addition that a few area codes are allocated for use by mobile phone providers. The phone number “159-2193-7229” breaks down into the “159” area code, which indicates a mobile phone provided by China Mobile, and the prefix “2193”, which indicates a Shanghai mobile number. This means at the very least that the number was initially allocated by China Mobile for use in Shanghai. The speed of DOTA’s response also indicates that he had the phone with him at the time.”

I think it is safe to say that this is / was a disposable cell, or this could have been the shortest detective case ever. I am not sure if the telecom company is state-owned, but that could also hamper investigation.

February 19, 2013  9:45 PM

Unit 61398 – Part 1

Posted by: Dan O'Connor

This to me is the biggest technology story of the year; I can hardly think of anything that could top this.

Mandiant has released a surprising amount of data regarding a group they have dubbed APT1. Some of the most surprising stats on APT1:

- APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.

- Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.

The list goes on and on from there.

There is a brief video you can watch (less than five minutes) if you are pressed for time.

You can read the full report here.

I will go through it in more detail in part two and try to highlight some of the key things.

January 31, 2013  4:29 PM

Symantec Single Sign-On

Posted by: Dan O'Connor

This is news to me; I had no idea that they were working on something like this.

I like and dislike single sign-on. For end users I think it’s great, not having to remember so many passwords is a big win for them. Spending time working instead of spending it trying to work will always pay off. I also do not like the fact that with one authentication point you can gain access to a large amount of data, segregation is always a good thing with your data. But combining this with two-factor auth (which this can use) and maybe keeping your most sensitive systems away from it, I think you can get to a happy medium.

January 31, 2013  4:23 PM


Posted by: Dan O'Connor

Apparently this is happening and it is increasing.

There is a large disparity between the case mentioned and the others referenced at the end as other examples. But it could be that this person just got into more accounts than the others. Another reason to be wary of what you capture and store: just because it is private today does not mean the same for tomorrow.

This makes me wonder if there will be an increase in sophistication of these types of attacks. What about malware looking specifically for these kinds of images and stealing them? On the other hand, I think it would net someone more money if they went for banking information and left the naughty pictures alone.

January 31, 2013  12:15 AM

Ticketmaster Captcha No More

Posted by: Dan O'Connor

Ticketmaster is dropping the dreaded Captcha, the one thing that really makes getting those perfect seats stressful.

Don’t get too happy, they are replacing it with another similar system, but this one is not as difficult for people to solve. You can get a demo of it here.

It makes me feel like my Amazon Kindle is annoying me all over the web instead of just at the lock screen.

January 30, 2013  11:58 PM

Information Regarding A Significant Foreign Breach In To A US News Network – Part 2

Posted by: Dan O'Connor

The last thing I wanted to mention about this is that I am excited (I don’t know if that is entirely the correct word to use) to see the Times publicly reporting this information. Breaches of this scale are not uncommon, but what is uncommon is them being published. Most companies will decide not to release this type of information. The individuals that penetrated the network are not going to publish it anywhere. It is usually viewed that they could lose the reputation of the business if this kind of information is released.

That can be correct in many cases, especially if you are a bank or a security consulting company.

January 30, 2013  11:41 PM

Information Regarding A Significant Foreign Breach In To A US News Network

Posted by: Dan O'Connor

This is a good highlight of how, if someone gets into your network and has a specific target, it can be infuriatingly difficult to remove them.

With the amount of access that was gained, significant damage could have been done to their internal infrastructure. Instead they had specific targets in mind. The information in the article is very good, but I can give the executive version.

1) Access was gained to the network through a suspected phishing attack.
2) A foothold was gained on at least three computers.
3) Hashes were stolen from the domain controller. (The way that this is worded, it sounds like they stole every single hash, and that is very possible.)
4) A rainbow table was most likely used to crack the hashes and gain access to those accounts.
5) Routines were set up to search for documents and mail associated with specific users.
6) 45 pieces of custom malware were installed during the time on the network. Of these, only a single sample was detected by their AV vendor, Symantec. I don’t think you should take this as a total negative against Symantec. The attackers would have known that it was the AV being used and would have crafted their tools to avoid detection by it.

January 30, 2013  11:20 PM

Cyber Defense Initiatives

Posted by: Dan O'Connor

More than a few countries are in the process of improving their cyber defense stance this year.

The UK is planning a ‘cyber reserve’ force. This is a pretty good idea; I don’t think something like this should be temporary either. It is always going to be a challenge to get the needed skills on staff and the number you are going to need when things really go south. A reserve force that you could pull in from the national community of trained people is something that can be established quickly as regulars are brought in and trained.

The US Cyber Army Command is looking to increase its numbers to just under 5,000. Right now there just are not that many people with these skills waiting around to get a job. A more sophisticated and higher output training program is needed for this. Also, pulling in fresh, eager, tech-savvy people is great, but there is a significant amount of training and experience they will need to collect before they are going to be ready.

Don’t forget about Canada; the CCIRC is looking to increase its numbers to 30, moving towards a 24-hour desk.

Here is a list of the CERTs around the world.

January 30, 2013  1:31 AM

2013 A Good Year For Two Factor Auth

Posted by: Dan O'Connor

If you could do one thing this year, the one I think would have the most impact for your users, especially if you are a company that offers services requiring web authentication, is two-factor authentication. It will have a dramatic effect on your posture. I am not saying that it is new, but I think it is coming to the point that it should be the norm. It could be some sort of device with a rolling number, a token, or even some sort of one-time pad.

Something this size I think is an excellent choice. Just have it on your key chain, pop it in the USB port like a car key and be logged in to your web services. Something you know (your password) and something you have (your USB key). There are still multiple ways that you can attack a system like this to do some bad, like piggybacking on the already authenticated session to do what you need, like transferring money out of an account. This still would make standard key loggers pretty much useless in stealing data alone.
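To make the "rolling number" point concrete, here is an added example (not part of the original post) of a time-based one-time code per RFC 6238, with a server-side check that refuses a code once it has been used. The `Verifier` class and `demo` function are hypothetical names, and the secret is the RFC 6238 test value, not a real key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (RFC 6238 default)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """Rolling code for the 30-second step containing `now` (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server side: each time step is accepted at most once."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps  # tolerated clock drift, in steps
        self.last_used_step = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if step <= self.last_used_step:
                continue  # already consumed: a replayed code is refused
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_used_step = step
                return True
        return False


def demo():
    secret = b"12345678901234567890"  # RFC 6238 test secret (constructed input)
    server = Verifier(secret)
    typed = totp(secret, 59)                    # code the user types at t=59s
    first = server.verify(typed, 59)            # legitimate login
    replay = server.verify(typed, 65)           # captured copy, seconds later
    stale = server.verify(typed, 59 + 10 * 60)  # captured copy, ten minutes on
    return typed, first, replay, stale


if __name__ == "__main__":
    print(demo())
```

The check covers only the replayed code; it does nothing about an attacker riding the already authenticated session, which is the remaining risk the post describes.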

January 30, 2013  1:00 AM

Java zeroday early numbers

Posted by: Dan O'Connor

I have been searching for some time to see if I could find anything to put a number on the infections this has created.

The best I can get so far is that it is in the thousands. How many thousands? I am not sure. Tens, hundreds? The majority of the infections are where I would expect them, in the RU and US regions. Those are already a couple of weeks old, so I would think there are even more now. I am hoping there will be more detailed information in the next few weeks.
