Create an Army of Raspberry Pi Honeypots on a Budget

Posted on August 2, 2014 by mea

Organizations typically focus on monitoring inbound and outbound network traffic via firewalls, yet ignore internal network traffic due to the complexity involved. In the scenario above, a firewall will not protect or alert us.

By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor. Since there isn’t a good reason to interact with it (since it doesn’t do anything), activity on the Raspberry Pi is usually indicative of something roaming around our network and a possible security breach.

via Create an Army of Raspberry Pi Honeypots on a Budget | ThreatStream.

A First Look at the Target Intrusion, Malware

Posted on January 17, 2014 by mea

Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.

via A First Look at the Target Intrusion, Malware — Krebs on Security.

Target says sorry again, offers 10% off and free credit monitoring

Posted on December 22, 2013 by mea

Steinhafel said “the issue has been identified and eliminated” and that shoppers’ PINs, birth dates, and Social Security numbers were not stolen.

via Target says sorry again, offers 10% off and free credit monitoring | Ars Technica.

How does Target get shopper’s SSNs?

5 Reasons Every Company Should Have A Honeypot

Posted on October 2, 2013 by mea

While honeypots have been used widely by researchers to study the methods of attackers, they can be very useful to defenders as well. Here are five advantages that the digital sandboxes can bring to companies.

via 5 Reasons Every Company Should Have A Honeypot — Dark Reading.

Honeypots fill the gap, because attackers have a much more difficult time predicting their use and countering the defenses, Strand says. Because production honeypots are machines that no legitimate user should be accessing, they also have a low false positive rate.

Time To Set Up That Honeypot

Posted on April 28, 2013 by mea

Still not sure where to start? Take a look at the Active Defense Harbinger Distribution (ADHD) project, which is part of the Samurai family of Linux-based LiveCD distributions. ADHD provides a bootable ISO that contains the two previously mentioned tools and many others that are specifically focused on providing early warning detection of attacker activity. Some of those are more geared toward alerting, because, technically, no computers should be communicating with the honeypot so all traffic has the potential to be considered malicious.

via Tech Insight: Time To Set Up That Honeypot — Dark Reading.

LivingSocial Hacked — More Than 50 Million Customers Impacted

Posted on April 27, 2013 by mea

The hack includes customer names, emails, birthdates and encrypted passwords.

via LivingSocial Hacked — More Than 50 Million Customers Impacted – Kara Swisher – Commerce – AllThingsD.

I’d like to read a post mortum on this. Knowing names and emails will allow for more precise phishing attacks against those 50 million customers. Hopefully people know to lie about their birthday and if this attack was caught fast enough the bad guys might not have had time to decrypt the encrypted passwords to exploit the accounts.

One positive note in a not-so-positive situation: The email sent to employees and customers noted that neither customer credit card nor merchant financial information was accessed in the cyber attack.

Don’t Use Linksys Routers

Posted on April 9, 2013 by mea

Today I am publishing 5 Linksys router vulnerabilities so that consumers may be aware of the risks.
linksys vulns.txt

via Don’t Use Linksys Routers « Superevr.

I run a WRT54GL in my network but installed tomato on it because I never liked the linksys GUI and wanted to try out tomato. Here’s his take on the WRT54GL:

1. Linksys WRT54GL Firmware Upload CSRF Vulnerability
I demonstrate Cross-Site File Upload in my BlackHat and AppSec USA talks. If you need more info on the vector itself, check out How to upload arbitrary file contents cross-domain by Kotowicz.

I suspect these kind of exploits exist in all consumer grade routers.

US National Vulnerability Database Down Following Malware Infestation

Posted on March 14, 2013 by mea

According to the email, some suspicious activity was detected by NIST firewalls following which steps were taken “to block the unusual traffic from reaching the Internet.”

via US National Vulnerability Database Down Following Malware Infestation – ParityNews.com: …Because Technology Matters.

Five Ways To Better Hunt The Zebras In Your Network

Posted on March 10, 2013 by mea

There are a lot of decent threat sources out there today, and inexpensive tools that can be used to combine them with firewall data, he says.

“For someone that is low on budget, you can perform this with existing log aggregation tools, but I would not try to do this by hand,” Brazil says, who is a big proponent of security information and event monitoring (SIEM) systems.

via Five Ways To Better Hunt The Zebras In Your Network – Dark Reading.

Attribution Is Much More Than A Source IP

Posted on February 20, 2013 by mea

What seems to be happening in many intrusion cases is that an IP located in China has been associated with the attack. The immediate assumption, often by inexperienced persons involved in the investigation, is that someone in China, most likely state-sponsored, targeted their incredibly important information.

via Tech Insight: Attribution Is Much More Than A Source IP – Dark Reading.

Bucktown Bell

Cut to the chase.

Tag Archives: network intrusion