Create an Army of Raspberry Pi Honeypots on a Budget

Organizations typically focus on monitoring inbound and outbound network traffic via firewalls, yet ignore internal network traffic due to the complexity involved. In the scenario above, a firewall will not protect or alert us.

By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor. Since there isn’t a good reason to interact with it (since it doesn’t do anything), activity on the Raspberry Pi is usually indicative of something roaming around our network and a possible security breach.

via Create an Army of Raspberry Pi Honeypots on a Budget | ThreatStream.

A First Look at the Target Intrusion, Malware

Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.

via A First Look at the Target Intrusion, Malware — Krebs on Security.

5 Reasons Every Company Should Have A Honeypot

While honeypots have been used widely by researchers to study the methods of attackers, they can be very useful to defenders as well. Here are five advantages that the digital sandboxes can bring to companies.

via 5 Reasons Every Company Should Have A Honeypot — Dark Reading.

Honeypots fill the gap, because attackers have a much more difficult time predicting their use and countering the defenses, Strand says. Because production honeypots are machines that no legitimate user should be accessing, they also have a low false positive rate.

Time To Set Up That Honeypot

Still not sure where to start? Take a look at the Active Defense Harbinger Distribution (ADHD) project, which is part of the Samurai family of Linux-based LiveCD distributions. ADHD provides a bootable ISO that contains the two previously mentioned tools and many others that are specifically focused on providing early warning detection of attacker activity. Some of those are more geared toward alerting, because, technically, no computers should be communicating with the honeypot so all traffic has the potential to be considered malicious.

via Tech Insight: Time To Set Up That Honeypot — Dark Reading.
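The honeypot pieces above all rest on one detection rule: nothing legitimate should ever talk to the sensor, so a connection is the alert. The following is an added example, not code from ThreatStream, ADHD or any of the quoted articles, of a minimal low-interaction TCP sensor in Python that listens on a few constructed ports, records who connected and what they sent, and emits one JSON alert line per connection for a log collector or SIEM to pick up. The port numbers, field names and the `log_alert` sink are assumptions chosen for the example.

```python
"""Minimal low-interaction TCP honeypot sensor (added example, stdlib only)."""
import datetime
import json
import socket
import threading

# Ports the sensor listens on. Constructed for this example: nothing real
# on the subnet is expected to use them, so any hit is a signal.
SENSOR_PORTS = (2222, 8080, 4445)


def build_alert(src_ip, src_port, dst_port, first_bytes=b"", when=None):
    """Turn a single connection into an alert record.

    Nothing legitimate should talk to the sensor, so there is no scoring and
    no allow-list: one connection equals one high-severity alert.
    """
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return {
        "ts": when.isoformat(),
        "severity": "high",
        "sensor_port": dst_port,
        "src_ip": src_ip,
        "src_port": src_port,
        # A short printable sample of what the client sent lets an analyst
        # tell a bare port scan from an actual login or HTTP attempt.
        "sample": first_bytes[:64].decode("ascii", "replace"),
        "message": f"unexpected connection to honeypot port {dst_port} from {src_ip}",
    }


def handle_client(conn, addr, dst_port, sink):
    """Read at most 256 bytes, close the socket, hand the alert to the sink."""
    conn.settimeout(2.0)
    try:
        data = conn.recv(256)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    sink(build_alert(addr[0], addr[1], dst_port, data))


def serve_port(port, sink, stop_event, bind_addr="0.0.0.0"):
    """Accept loop for one sensor port; returns once stop_event is set."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    srv.settimeout(0.5)  # wake up periodically to check stop_event
    while not stop_event.is_set():
        try:
            conn, addr = srv.accept()
        except socket.timeout:
            continue
        threading.Thread(target=handle_client, args=(conn, addr, port, sink),
                         daemon=True).start()
    srv.close()


def log_alert(alert):
    """Default sink: one JSON line per alert, easy to ship to a SIEM."""
    print(json.dumps(alert))


def run_sensor(ports=SENSOR_PORTS, sink=log_alert, bind_addr="0.0.0.0"):
    """Start one accept loop per port and block until interrupted."""
    stop = threading.Event()
    threads = [threading.Thread(target=serve_port, args=(p, sink, stop, bind_addr),
                                daemon=True) for p in ports]
    for t in threads:
        t.start()
    try:
        stop.wait()  # Ctrl-C sets the flag and lets the loops drain
    except KeyboardInterrupt:
        stop.set()
    for t in threads:
        t.join()


if __name__ == "__main__":
    run_sensor()
```

Run it on the Pi and point the printed JSON lines at whatever log aggregation is already in place; the only tuning a deployment needs is the port list, since there is no baseline to learn and no false-positive threshold to set.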

LivingSocial Hacked — More Than 50 Million Customers Impacted

The hack includes customer names, emails, birthdates and encrypted passwords.

via LivingSocial Hacked — More Than 50 Million Customers Impacted – Kara Swisher – Commerce – AllThingsD.

I’d like to read a post mortem on this. Knowing names and emails will allow for more precise phishing attacks against those 50 million customers. Hopefully people know to lie about their birthday, and if this attack was caught fast enough the bad guys might not have had time to decrypt the encrypted passwords to exploit the accounts.

One positive note in a not-so-positive situation: The email sent to employees and customers noted that neither customer credit card nor merchant financial information was accessed in the cyber attack.

Don’t Use Linksys Routers

Today I am publishing 5 Linksys router vulnerabilities so that consumers may be aware of the risks.
linksys vulns.txt

via Don’t Use Linksys Routers « Superevr.

I run a WRT54GL in my network but installed Tomato on it because I never liked the Linksys GUI and wanted to try out Tomato. Here’s his take on the WRT54GL:

1. Linksys WRT54GL Firmware Upload CSRF Vulnerability
I demonstrate Cross-Site File Upload in my BlackHat and AppSec USA talks. If you need more info on the vector itself, check out How to upload arbitrary file contents cross-domain by Kotowicz.

I suspect these kinds of exploits exist in all consumer grade routers.

Five Ways To Better Hunt The Zebras In Your Network

There are a lot of decent threat sources out there today, and inexpensive tools that can be used to combine them with firewall data, he says.

“For someone that is low on budget, you can perform this with existing log aggregation tools, but I would not try to do this by hand,” Brazil says, who is a big proponent of security information and event monitoring (SIEM) systems.

via Five Ways To Better Hunt The Zebras In Your Network – Dark Reading.
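Brazil's point above, combining threat sources with firewall data inside whatever log aggregation already exists, is the sort of thing a few dozen lines cover. The following is an added example, not code from Dark Reading or any tool named in the article, that loads a constructed indicator list (IPs and CIDRs), parses constructed iptables-style firewall log lines, and reports which internal hosts touched an indicator. The log format, the feed format and the field names are assumptions for the example; all addresses are from the RFC 5737 documentation ranges.

```python
"""Correlate firewall log lines with a threat-intel indicator list (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed threat feed: one IP or CIDR per line, '#' starts a comment.
THREAT_FEED = """
# constructed indicators for this example
198.51.100.23
203.0.113.0/24
"""

# Constructed iptables-style log lines (kernel: ACTION IN=.. SRC=.. DST=.. DPT=..).
FIREWALL_LOG = """\
Apr 26 10:01:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.15 DST=198.51.100.23 PROTO=TCP SPT=51000 DPT=443
Apr 26 10:01:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.1 PROTO=TCP SPT=4444 DPT=22
Apr 26 10:01:09 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.22 DST=192.0.2.80 PROTO=TCP SPT=51001 DPT=80
Apr 26 10:02:11 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.15 DST=198.51.100.23 PROTO=TCP SPT=51002 DPT=443
"""


def load_feed(text):
    """Parse the feed into ip_network objects; single IPs become /32 networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_line(line):
    """Extract action, SRC, DST and DPT from one log line, or None if malformed."""
    m = re.search(r"kernel: (\w+) ", line)
    if not m:
        return None
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {"action": m.group(1), "src": fields["SRC"],
            "dst": fields["DST"], "dpt": fields.get("DPT", "")}


def indicator_for(ip, feed):
    """Return the matching indicator (as a string) or None."""
    addr = ipaddress.ip_address(ip)
    for net in feed:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def correlate(log_text, feed):
    """Return one hit per log line whose SRC or DST is on the feed.

    direction tells the analyst which way the contact went: 'outbound' means
    an internal host reached out to an indicator, 'inbound' means an
    indicator reached in.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        ind = indicator_for(ev["dst"], feed)
        if ind:
            hits.append({"internal_host": ev["src"], "indicator": ind,
                         "direction": "outbound", "action": ev["action"], "dpt": ev["dpt"]})
            continue
        ind = indicator_for(ev["src"], feed)
        if ind:
            hits.append({"internal_host": ev["dst"], "indicator": ind,
                         "direction": "inbound", "action": ev["action"], "dpt": ev["dpt"]})
    return hits


def hosts_to_investigate(hits):
    """Count accepted outbound contacts per internal host.

    Blocked inbound scans from a listed address are noise; an internal host
    that successfully talks to a listed address is the zebra worth chasing.
    """
    return Counter(h["internal_host"] for h in hits
                   if h["direction"] == "outbound" and h["action"] == "ACCEPT")


if __name__ == "__main__":
    feed = load_feed(THREAT_FEED)
    for hit in correlate(FIREWALL_LOG, feed):
        print(hit)
    print("investigate:", dict(hosts_to_investigate(correlate(FIREWALL_LOG, feed))))
```

On the constructed input the dropped inbound probe from 203.0.113.77 is recorded but not ranked, while 10.0.0.15, which twice completed a connection to a listed address, comes out on top. Swapping `FIREWALL_LOG` for a file handle and `THREAT_FEED` for a downloaded list is all it takes to run this against real data.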

Attribution Is Much More Than A Source IP

What seems to be happening in many intrusion cases is that an IP located in China has been associated with the attack. The immediate assumption, often by inexperienced persons involved in the investigation, is that someone in China, most likely state-sponsored, targeted their incredibly important information.

via Tech Insight: Attribution Is Much More Than A Source IP – Dark Reading.