Organizations typically focus on monitoring inbound and outbound network traffic via firewalls, yet ignore internal network traffic due to the complexity involved. In the scenario above, a firewall will not protect or alert us.
By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor. Since there isn’t a good reason to interact with it (since it doesn’t do anything), activity on the Raspberry Pi is usually indicative of something roaming around our network and a possible security breach.
Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke into Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.
Steinhafel said “the issue has been identified and eliminated” and that shoppers’ PINs, birth dates, and Social Security numbers were not stolen.
How does Target get shoppers’ SSNs?
While honeypots have been used widely by researchers to study the methods of attackers, they can be very useful to defenders as well. Here are five advantages that the digital sandboxes can bring to companies.
Honeypots fill the gap, because attackers have a much more difficult time predicting their use and countering the defenses, Strand says. Because production honeypots are machines that no legitimate user should be accessing, they also have a low false positive rate.
Still not sure where to start? Take a look at the Active Defense Harbinger Distribution (ADHD) project, which is part of the Samurai family of Linux-based LiveCD distributions. ADHD provides a bootable ISO that contains the two previously mentioned tools and many others that are specifically focused on providing early warning detection of attacker activity. Some of those are more geared toward alerting, because, technically, no computers should be communicating with the honeypot so all traffic has the potential to be considered malicious.
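A minimal internal honeypot sensor in the spirit of the Raspberry Pi approach described above, added here as an example (it is not code from the quoted articles, from ADHD, or from any other project). It listens on one TCP port, never answers, and turns every connection into an alert unless the source is on a small allowlist; the allowlisted address and the probe payload are constructed values, and Python 3.6+ is assumed.

```python
import queue
import socket
import threading

# Hypothetical allowlisted source (your own authorised scanner); constructed for this example.
ALLOWLIST = {"10.0.0.5"}

def guess_protocol(first_bytes):
    # Cheap hint about intent from whatever the client sent first (if anything)
    if not first_bytes:
        return "connect-only"  # port scan or banner grab
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"

def classify(event):
    # Alert record for a connection event, or None if the source is allowlisted
    if event["src"] in ALLOWLIST:
        return None
    proto = guess_protocol(event["data"])
    return {**event, "data": event["data"][:64].hex(), "severity": "high",
            "summary": f"honeypot touched: {event['src']} -> tcp/{event['dport']} ({proto})"}

def start_sensor(bind="0.0.0.0", port=0):
    # Listen on one TCP port in a background thread; returns (port, alert queue)
    alerts = queue.Queue()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind, port))
    srv.listen(16)
    dport = srv.getsockname()[1]  # port=0 lets the OS pick a free one
    def accept_loop():
        while True:
            conn, (src, sport) = srv.accept()
            conn.settimeout(2.0)
            try:
                data = conn.recv(1024)  # never answer; just record what they wanted
            except OSError:  # timeout or reset: treat as a bare connect
                data = b""
            conn.close()
            alert = classify({"src": src, "sport": sport, "dport": dport, "data": data})
            if alert is not None:
                alerts.put(alert)
    threading.Thread(target=accept_loop, daemon=True).start()
    return dport, alerts

def probe(port, payload=b"", host="127.0.0.1"):
    # Touch the sensor from this host; only used to show it firing locally
    with socket.create_connection((host, port), timeout=2.0) as c:
        c.sendall(payload)
```

Running `start_sensor(bind="127.0.0.1")` and then `probe(port, b"GET / HTTP/1.0\r\n\r\n")` puts one alert record on the queue; in production the queue consumer would ship each record to the SIEM rather than print it.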
The hack includes customer names, emails, birthdates and encrypted passwords.
I’d like to read a post mortem on this. Knowing names and emails will allow for more precise phishing attacks against those 50 million customers. Hopefully people know to lie about their birthday, and if this attack was caught fast enough the bad guys might not have had time to decrypt the encrypted passwords to exploit the accounts.
One positive note in a not-so-positive situation: The email sent to employees and customers noted that neither customer credit card nor merchant financial information was accessed in the cyber attack.
Today I am publishing 5 Linksys router vulnerabilities so that consumers may be aware of the risks.
I run a WRT54GL in my network but installed Tomato on it because I never liked the Linksys GUI and wanted to try out Tomato. Here’s his take on the WRT54GL:
1. Linksys WRT54GL Firmware Upload CSRF Vulnerability
I demonstrate Cross-Site File Upload in my BlackHat and AppSec USA talks. If you need more info on the vector itself, check out How to upload arbitrary file contents cross-domain by Kotowicz.
I suspect these kinds of exploits exist in all consumer-grade routers.
According to the email, some suspicious activity was detected by NIST firewalls, following which steps were taken “to block the unusual traffic from reaching the Internet.”
There are a lot of decent threat sources out there today, and inexpensive tools that can be used to combine them with firewall data, he says.
“For someone that is low on budget, you can perform this with existing log aggregation tools, but I would not try to do this by hand,” says Brazil, who is a big proponent of security information and event monitoring (SIEM) systems.
What seems to be happening in many intrusion cases is that an IP located in China has been associated with the attack. The immediate assumption, often by inexperienced persons involved in the investigation, is that someone in China, most likely state-sponsored, targeted their incredibly important information.