Saturday, March 19, 2016

Cyberwatch: Comparing the effects of your security picture on your stock price

Ever consider the effect your security threat landscape might have on your company's stock price?


Need information to show your Board, CEO, or CFO why you need additional security funding?

Want to monitor the threat profile of your supply chain? 

Introducing Wapack Labs Cyberwatch(R)

We took a chance, and started monitoring chatter in a ton of primary-sourced intelligence locations. What's primary sourced? It means that it's not being reported elsewhere or in social media. When we see a Red Sky member, or Wapack Labs subscriber, we notify them. Because it's in intelligence space and not open source, it's oftentimes early warning... sometimes not, but often is.

At the same time, we thought we'd try something different. If we count the number of times we see our members' names, IP addresses, etc., in that intelligence space, and plot that number on a moving timeline, what would it look like? And then, we plotted the company's stock price on the same moving timeline. Wow. The results were amazing. I can guarantee that we've not gotten this 100% right, but it's pretty darn cool. We call it "Cyber Threat Index(R)" and we've been showing early users how to use it to track portfolios of supply chain customers.

The current site shows one company (the domain you log in with) plus its stock price. Compare your Cyber Threat Index(R) to those of the Dow, or S&P 500. You can also search by industry or geography by clicking on "RedXRay" on the bottom left menu. Subscribers can click through the Cyber Threat Index graph to get the indicators of the day: those things you should monitor and/or block before you have your first coffee in the morning. Red Sky members receive these twice daily today.

The site's not fully integrated. This is version .03, but we wanted to get it out there and get some feedback. We demo'd this at RSA one night until my phone gave out.

We'll be adding features and cleaning up documentation (i.e., an FAQ page) as we go along. We're intel people, not UX developers, but we're getting better.

Have a look. It takes about an hour to pull your IP addresses, domains, etc. Log in, enter your stuff, and confirm your email account, then stop back later today. Hopefully you won't have any findings, but if you do, at least you'll know.

I'd love to hear your thoughts. 

Thanks!
Have a great weekend!
Jeff

(Cyberwatch and Cyber Threat Intelligence are registered trademarks of Wapack Labs. Processes associated with the Cyber Threat Index are patent pending with the USPTO.)




Monday, March 14, 2016

Introduction to Wapack Labs' Threat Recon Indicator Database




Wapack Labs has been populating this database for about a year. It's essentially the indicators taken from our own analysis, and then grown.

Every day we get asked "Why buy another feed?" This is a bit different. If I'm a bad guy and I have one domain registered for a C2 node, there's a good chance my other domains are also used for C2 nodes. We try to find all of them, starting from the one we know, and then provide them all to our subscribers... and they're in Threat Recon.

Sign up for your free API key. Every user gets 20 queries and 1000 free indicators per month. Plug in your search and off you go. Threat Recon runs from the web interface, or machine to machine.

Enjoy.
Jeff

Saturday, March 12, 2016

Converged Maritime and Port Security…So What?

March 12, 2016: Chuck Nettleship

I attended a series of meetings last week with a partner company regarding converged maritime and port security. "Converged" meaning both physical and cyber aspects related to assessments, maturity models, risk management, and internal/external threats related to financial and insurance implications.

To my astonishment, many maritime and port entities – both public and private – are of the groupthink mindset of “So what?” regarding converged security risks. Many within the maritime and port community “check the block” using open source intelligence (OSINT) threat assessments – very few consider OSINT combined with real-time cyber threat intelligence (CYINT). Many view cyber security as a “known unknown” risk versus return on investment: another operational cost burden in a low margin business. Think again!

Let’s look at an underreported area impacting maritime and port “converged security” that is overlooked from a cyber perspective. It is understandable that, within an industry culture of tangible “hands-on” equipment, the cyber “1’s and 0’s” are neglected: ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition). ICS-SCADA is a general term describing industrial automation systems responsible for data acquisition, visualization and control of industrial processes, often found in various industrial sectors and critical infrastructures – including maritime and port infrastructure. ICS play a critical role in maintaining the continuity of industrial maritime processes, ensuring functional and technical safety and preventing large industrial accidents, environmental disasters and financial ruin.

The criticality of control systems in the maritime and port sectors, due to the high impact in case of disruption, makes ICS a major target for malicious activities. Based on the ICS-CERT Monitor (part of the U.S. Department of Homeland Security), between 2009 and 2014 the number of reported cyber security incidents in the ICS-SCADA area increased more than 27 times. This does not take into account global maritime and port operations impacted by cyber security incidents. At the same time, more than half of the incidents (59% in 2013) were aimed at the energy and critical manufacturing sectors, and around 55% involved advanced persistent threats (APT). Most ICS-SCADA cyber security incidents stay undetected or unreported.

Getting back to the “So what?”, think of the undetected and unknown cyber ICS vulnerabilities within the maritime industry occurring DAILY:
  • Compromised ERP (Enterprise Resource Planning) hardware/software and cloud systems
  • Financial data theft and manipulation
  • Equipment failure (vessel and port) including GPS, computers and ICS/SCADA
  • Falsified manifests and documentation – high and low value cargo theft
  • Insurance claims, false resupply claims, market manipulation, environmental issues
  • Drugs, smuggling and terrorism threats on the supply chain/cargo
  • Physical security breaches (security cameras, security equipment, security access control points)
  • Compromised employees and insider threats

In our “Daily Show” reports, Wapack Labs has discovered numerous ports, vessels and maritime “systems” compromised with malware and key-loggers and “owned” by the cyber underground. Most of the cyber threats are related to financial gain and market (oil/gas) manipulation.


If you or your peers in the maritime/port, transportation, supply chain and energy infrastructure sectors want to change your view from “So what?” to “So how can Wapack Labs help!”, give us a call or email. We can enlighten you through our Daily Show reports, Cyberwatch® and Cyber Threat Index®, and help keep your organization financially sound through our Red Sky Alliance Member Information Sharing Portal.

Saturday, March 5, 2016

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption)

03-04-2016. Joseph M Gant.

SSL and TLS servers have fallen prey to a newly developed attack. Though SSLv2 has been considered obsolete for some time, it still exists on many servers. This is due mostly to poorly maintained systems or older servers that still make their connections via SSLv2, either by default or due to poor configuration.

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) steals information through VPN connections made to web and mail servers that use SSLv2. Even systems using a more modern encryption method are exposed to this exploit if they connect to systems which still employ the obsolete SSLv2. Thirty-three percent of browser-trusted HTTPS sites are in fact vulnerable to DROWN attacks, because DROWN uses faults in SSLv2 to attack TLS connections wherever the two protocols are in use alongside each other. It is a serious, cross-platform threat.

To counter DROWN, one should ensure that SSLv2 is disabled on one's systems and that private keys are not shared with servers that still use the protocol. There is no need to reissue certificates. And as always, be sure that one's crypto packages are up to date. Tools like public_drown_scanner and drowncheck are hosted on GitHub and are recommended if one fears that a compromise has occurred. OpenSSL released a patch last Tuesday to address this threat.
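The two mitigations above (disable SSLv2 everywhere, and never share an RSA private key with a host that still speaks SSLv2) are easy to state but easy to miss across a fleet, because a TLS-only web server is still exposed if its key also sits on a forgotten SSLv2-enabled mail server. The following added example, which is not part of the original post or of the scanners it names, audits a server inventory for both conditions. The CSV inventory format, the host names and the key labels (key-A, key-B, key-C) are constructed for illustration; in practice the protocol list and key fingerprint per endpoint would come from your own scan results.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    protocols: frozenset   # protocol versions the endpoint accepts, e.g. {"SSLv2", "TLSv1.2"}
    key_id: str            # identifier of the RSA private key in use (constructed label here)

    @property
    def name(self):
        return f"{self.host}:{self.port}"


# Constructed sample inventory (hypothetical hosts; key-A/B/C stand in for key fingerprints).
# Note that www.example.com is TLS-only but shares key-A with the SSLv2-enabled mail server.
SAMPLE_INVENTORY = """host,port,protocols,key_id
www.example.com,443,TLSv1.2 TLSv1.1,key-A
mail.example.com,25,SSLv2 SSLv3 TLSv1.0,key-A
intranet.example.com,443,TLSv1.2,key-B
legacy.example.com,443,SSLv2 TLSv1.0,key-C
"""


def parse_inventory(text):
    """Parse the constructed CSV inventory into Endpoint records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Endpoint(r["host"], int(r["port"]), frozenset(r["protocols"].split()), r["key_id"])
        for r in rows
    ]


def audit_drown(endpoints):
    """Return {"host:port": reason} for every endpoint exposed to DROWN.

    Condition 1: the endpoint itself still offers SSLv2.
    Condition 2: the endpoint is TLS-only but its RSA key is also used by an
                 SSLv2-enabled endpoint, so the key can be attacked through that host.
    """
    sslv2_hosts_by_key = {}
    for ep in endpoints:
        if "SSLv2" in ep.protocols:
            sslv2_hosts_by_key.setdefault(ep.key_id, []).append(ep.name)

    findings = {}
    for ep in endpoints:
        if "SSLv2" in ep.protocols:
            findings[ep.name] = "offers SSLv2: disable the protocol on this endpoint"
        elif ep.key_id in sslv2_hosts_by_key:
            peers = ", ".join(sslv2_hosts_by_key[ep.key_id])
            findings[ep.name] = (
                "TLS-only, but shares its RSA key with SSLv2-enabled " + peers
                + ": disable SSLv2 there (no certificate reissue needed)"
            )
    return findings


if __name__ == "__main__":
    for name, reason in audit_drown(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{name}: {reason}")
```

Running the block flags three of the four endpoints: the two that still offer SSLv2, and www.example.com, which never speaks SSLv2 itself but is exposed through the key it shares with mail.example.com. The intranet host, which has a key of its own and no SSLv2, is clean. That shared-key case is the one an audit that only looks at each host in isolation will miss.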

Focused on antivirus evasion, the Veil Framework is a suite of security implementations geared toward detection evasion: Veil-Evasion uses a variety of techniques to generate antivirus-evading payloads. Veil-PowerView is a PowerShell tool used to gain network access in Windows machines. Veil-Catapult is a psexec-style system that works with Veil-Evasion, and Veil-Pillage is a post-exploitation integration of Veil-Evasion. The recently updated Veil Framework is aimed at pentesters, but is likewise a threat to be aware of.

A vulnerability has been disclosed in libresolv, the glibc DNS client, that makes it susceptible to stack-based buffer overflow attacks. This allows remote code execution through programs that use the resolver, including ssh, php, sudo and others. Under the right conditions, a discrepancy in the stack buffer, triggered by larger-than-normal DNS requests, creates a stack buffer overflow. Many exploitation paths are mitigated by technologies like ASLR and stack-smashing protection, which can be built into software when compiling applications locally. Information on building software with a hardened toolchain can be found in the Hardened Gentoo project documentation.

Linset is an 'evil twin' bash script circulating through darknet circles. 'Linset' is a recursive acronym: 'Linset Is Not A Social Engineering Tool.' Linset performs the following:
  • Scans networks
  • Captures handshakes
  • Mounts a fake AP
  • Serves DHCP on the fake AP
  • Creates a DNS server to redirect traffic from the host
  • Deauthenticates users on the network so that they connect to the fake AP and enter passwords
  • Checks the validity of the entered passwords
  • Ends the attack upon successful, authenticated password capture
Linset is simply a bash script wrapping a number of applications such as aircrack-ng, dhcpcd, and hostapd, to name a few. Most of these tools are found on any Linux distribution that ships a full suite of applications, and the well-known pentester distro Kali Linux contains all of these tools and more, rounding out Linset as a threat. Linset ships in Spanish, and in the hands of any script kiddie with a working knowledge of Español and a keyboard it can be dangerous. While it's unlikely Linset will be able to hijack an enterprise server, the cyber vandalism it can cause is troublesome to repair.

Sources:
http://76qugh5bey5gum7l.onion

Joseph Gant is a guest blogger, a security junkie and a glassblower by trade. Though he holds a degree in Scientific Glass Technology, his life's study encompasses many variables: a long-time student of the Tibetan region and its culture, science, and music, and a lover of literature.