Critical Start Blog
The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in February 1995 but contained a number of security flaws which ultimately led to the design of SSL version 3.0 in 1996. Transport Layer Security (TLS) has replaced SSL and has several different versions (1.0, 1.1, and 1.2). SSL/TLS provides [...]
This post is primarily for customers of RSA NetWitness (Security Analytics), although it may be interesting to security practitioners that conduct security investigations. We describe how to use the Critical Start Threat Analytics Chrome Extension (http://www.criticalstart.com/2013/01/threat-analytics-search-extension-for-chrome/) to open a NetWitness Investigator drill from a Chrome browser. Many of our customers use security tools that have [...]
Earlier in 2012 the US Cyber Emergency Response Team (US-CERT) warned many oil, gas, and energy companies about targeted attacks against organizations with industrial control systems (ICS): "Sophisticated and targeted cyber intrusions against owners and operators of industrial control systems across multiple critical infrastructure sectors have increased in recent months." With all the noise about [...]
Oracle released an emergency patch for Java, but security experts warn the patch doesn’t fix all critical vulnerabilities. Not counting future Java exploits, the current Java bugs may take 2 years to correct. The US-CERT advises, “Unless it is absolutely necessary to run Java in web browsers, disable it, even after updating to 7u11.” There [...]
Threat Analytics is focused on using information to make decisions about events that impact the information assets of the organization. In other words, how can we transform the deluge of security data into actionable intelligence? During our work with customers, our analysts often use the same websites repeatedly to gather information about IP addresses, [...]
Back in February, Oracle released their Critical Patch Update that included 14 security fixes for Oracle Java SE (http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html). To quote Oracle: "This Critical Patch Update contains 14 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need [...]
This post is a quick look at an incident that occurred at one of our clients. This certainly isn’t an advanced threat but is an excellent example of the type of malware targeted at individuals. In this incident the user contacted the help desk, although the malware had already been detected by dynamic malware analysis. [...]
At Critical Start we try to ensure that customers improve in several key areas while working with us: Attack Phase Maturity; Security Efficiency. One of the best approaches to better security that doesn’t cost any money is securing local administrator accounts for your users (and domain administrator accounts, but that’s a separate topic). This can [...]
What can you do that will actually improve security (not compliance) over time? This requires your organization to build capabilities in the different attack phases: Initial Compromise; Lateral Movement Mitigation; Data Exfiltration/Illicit Transaction; Incident Detection, Response, and Eradication. Active Directory (and Domain Controllers) is one of the most common targets for advanced attackers. Regretfully, the [...]
The number of news articles about organizations getting compromised continues to increase. Our engagements with customers match information from the 2012 Verizon Data Breach Investigations Report that 92% of organizations never realize they have been compromised. As a minimum this illustrates the number of large companies with incidents that remain undetected. Why is this? When [...]
These 3 steps will prevent all malware infections: Disconnect from all wired and wireless networks (Ethernet, Bluetooth, Infrared, etc.); Remove your CD/DVD-ROM drive; Glue shut all other connectors. While these controls are effective, the impacts to the user and business are a little extreme! On a more serious note, what are some realistic options? My [...]
When discussing how to protect corporate networks, we often get asked about advice for home networks. The NSA has a good guide that can be found at http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf. However, they don’t give any real product information – this post will address that deficiency (for at least Windows operating systems). 1) DNS is a good place to [...]
Earlier this year RuggedCom confirmed the existence of a backdoor in several of their products. RuggedCom has also disclosed additional security vulnerabilities around private key security for HTTPS/SSL and SSH that are discussed in a US-CERT Alert at http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-234-01.pdf. The new vulnerability is conceptually similar to the old vulnerability, which shows how few vendors (even security [...]
Exploit kits are doing a very robust business these days. In fact, the recent Java 7 vulnerability (CVE-2012-4681) is already included in the Blackhole exploit kit. Allegedly Oracle knew about the security flaws in April 2012, but that is another story! A very common technique we are seeing is: Compromise of a trusted website (or a [...]
CNBC is premiering an hour-long show on 7/9/12 about the cyber espionage threat to American business from China. The preview of the show can be seen at http://www.cnbc.com/id/15840232?video=3000100683&play=1. If you are a security professional, then the show should be interesting versus educational. However, we would recommend forwarding the information to your IT and business executives [...]
Bit9 has seen a 150 percent year-over-year increase in the number of attacks on domain controllers. Attackers, largely nation states and cyber criminals, are after corporate intellectual property (IP)—everything from chemical formulas and vaccines to military data and source code—all valuable competitive information. Rather than attacking directly the servers that house such information, advanced [...]
Traditional security (firewalls, anti-virus, intrusion detection, etc.) is based on the concept of identifying and stopping the known bad. Intrusion detection (IDS/IPS) and anti-virus (AV) are primarily based on being able to detect the known bad using a blacklist (signatures) of previously identified malware. So much new malware is being created every day and so [...]
Passwords are like a lot of security technologies – the people and process aspects are even more important than the technology or product. LinkedIn made three extremely serious mistakes: The first mistake was a very careless implementation of how the passwords were stored: LinkedIn stored the passwords using the SHA-1 hash algorithm. This is a [...]
PKI and digital certificates generate the largest false sense of security of any technology I know. The Flame malware is just the latest example of how configuration mistakes and personnel errors can render any technology control ineffective. The picture above is a screen capture of one of the Microsoft certificates that was revoked recently by [...]
Unless you live in a cave, Flame (or Flamer or sKyWIper – the industry can’t agree on the name) is the latest APT threat to gain notoriety. The hype and response to the Flame malware only confuses most customers in our opinion. A great example of a misguided response can be seen in this comment from SC [...]