UnixBox is a vendor-independent security consulting firm that helps companies secure electronic, physical, intellectual and financial assets through a unique blend of assessment, testing, and coaching. We are committed to identifying the key assets of your unique business and creating a customized strategy to protect you in today’s volatile business environment and beyond. The team comprises extensively trained and highly experienced information security professionals who are dedicated to providing a comprehensive approach to organizational information security, holding certifications including Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (C|EH).
“Coming back to the Memphis area after 10 years of being in NYC and Chicago has been eye opening.
I have yet to find a local IT company that excels in IT security. Because of this we have started UnixBox to help with the security gap in this area.”
Our approach allows our clients to make informed decisions about their information security programs and effectively “protect what matters most”. To stay ahead of the curve of threats and provide the highest level of service to our customers, all our engineers are required to have performed work in the information security field for more than 8 years before joining the team. In addition, all members of the staff hold the active certifications listed below, as well as many others.
Certified Information Systems Security Professional (CISSP)
Certified Information Security Auditor (CISA)
BS7799 Lead Auditor Accreditation (BS7799) * Applies to auditing against the ISO 17799 and 27001/2 standards
Armed police at Merseyside school after FBI warning
Image caption: Armed police were called to the technology college on Friday afternoon.
Police mounted a major operation to protect pupils at a Merseyside school after they were alerted by the FBI.
Armed police were called to St Aelred’s Catholic Technology College in Newton-le-Willows on Friday after reports someone had made threats to kill there.
The United States’ Federal Bureau of Investigation raised the alarm after picking up a threat posted on social networking site Facebook.
A 19-year-old man was arrested and later released on bail.
More than 1,000 students, some of them taking their GCSEs, were in the Birley Street school at the time of the alert.
All entrances and exits were sealed while police investigated.
‘Leaving this world’
The school said it was the FBI who raised the alarm after internet scanning software picked up a suspicious combination of words.
It picked up a posting showing a picture of a gun being held above a scrawled note, which read “tomorrow – last day of school” and went on to mention bullies and “leaving this world”.
Headteacher Edward Marr has now written to parents explaining how the situation came about.
He wrote: “Police officers attended school at 0800 am on Friday morning. They had a photograph from the internet and asked if I could identify a person on it.
“It emerged that a threat had been made against the school which had been picked up by the FBI in America and passed eventually, as the school was identified, to Merseyside Police.
“We were able to deal with the threat well away from the school premises” (Ch Supt Chris Armitt, Merseyside Police)
“Staff at the school were able to suggest the identity of the man on the photograph and an arrest was made.”
Some parents have criticised police over why their children were allowed into classes while officers were investigating a possible armed threat.
Ch Supt Chris Armitt, from Merseyside Police, denied suggestions that officers could have closed the school as soon as they were aware of the threat.
He said: “We received some information between 1am and 2am, that information was imprecise and what we had to do was clarify what the information meant and what it related to.
“Once we were able to identify that school as potentially being at risk, we took steps quickly to get with the school staff.”
He added: “They were able to help us identify the possible threats that we faced and we were then able to deal with that well away from the school premises.”
You get a quick message from a friend on Facebook, click on the link and absentmindedly log in to a website pretending to be Facebook. This is what happened last week, when scammers unleashed a new attack on Facebook, collecting users’ log-in information and passwords and pilfering victims’ “friends” lists to target the next dopes. Listen up, people: Although Facebook has a reputation for Internet security — it identified the scam within hours, and the ripple effects only lasted for a couple days — at 200 million members and counting, the size and popularity of the social-networking site has made it the object of increasing attention from hackers and spammers. And if last week is any indication, it’s only going to get worse.
“In the ’90s, scammers used e-mail,” says Michael Argast, a security analyst at Sophos, an antivirus software company. “Today, it’s social networking.” Argast explains that although people have been trained not to click on suspicious e-mails, they don’t operate with the same sense of caution when presented with a link on Facebook or Twitter. Maybe that’s why the number of phishing attacks on these kinds of sites — in which people are fishing for account information, as opposed to infecting your computer with a virus — has skyrocketed recently, from 4,600 attacks in 2007 to 11,000 in 2008. This year doesn’t look any better, with 6,400 attacks in the first three months of 2009. (Read “How Not to Be Hated on Facebook: 10 More Rules.”)
Like anything on the Internet, Facebook has never been completely scam-free, but its privacy settings may create a false sense of security: most users can’t interact with one another unless they are “friends” or belong to the same general network. The site at first glance would also seem less of a gold mine for swindlers since, unlike financial websites, which offer access to victims’ bank accounts, there is no direct financial gain from hacking into a Facebook account. But the bad guys know that many of us are lazy or forgetful and use the same password on multiple sites. In early 2008, Facebook noticed a marked increase in the number of scams. “We’re the most effective distribution platform on the Internet,” says Ryan McGeehan, the company’s incident-response manager. “The level of person-to-person connection doesn’t exist anywhere else. And as we get bigger, we become a bigger target.”
Facebook monitors users’ activity, and when someone goes from a few wall posts a week to hundreds of messages within a few minutes, the security team can logically assume that the account has been hacked. They’ll notify the user, reset the password, and the whole issue is usually resolved within a few hours. But when thousands of users are hacked at once — and then their friends are hacked, and their friends’ friends are hacked — it can take a few days for Facebook to fix the problem. That’s what happened on April 29 and 30, when users found themselves accidentally logging in to a website called FBAction.net. Designed to look exactly like Facebook, the evil doppelgänger took their info and hacked their accounts.
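An added example (not Facebook’s code or anything from the article) of the rate-based heuristic the paragraph describes: a sliding-window detector run over a constructed activity log that flags an account whose message rate within five minutes dwarfs its prior daily average. The log format, window size and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Facebook data). Fields: ISO timestamp,user,action.
# "alice" and "bob" post a few times a day for a week; then "alice" sends 60 messages
# in a single minute, the out-of-character spike the article says triggers a review.
BASELINE = "\n".join(
    f"2009-04-{day:02d}T{hour:02d}:00:00,{user},wall_post"
    for day in range(22, 29)
    for user, hour in (("alice", 9), ("alice", 18), ("bob", 12))
)
BURST = "\n".join(f"2009-04-29T10:00:{sec:02d},alice,message" for sec in range(60))
SAMPLE_LOG = BASELINE + "\n" + BURST


def parse_log(text):
    """Parse 'timestamp,user,action' lines into (datetime, user, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action))
    return events


def flag_bursts(events, window=timedelta(minutes=5), min_burst=50, ratio=10.0):
    """Return {user: (peak_in_window, prior_daily_avg)} for users whose busiest
    `window` holds at least `min_burst` events AND at least `ratio` times their
    average daily activity before that window (so chatty-but-steady users pass)."""
    by_user = defaultdict(list)
    for ts, user, _action in events:
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak, peak_start = 0, 0, 0
        for end, t in enumerate(times):
            # Slide the window's left edge forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_start = end - start + 1, start
        prior = times[:peak_start]  # history before the busiest window began
        if prior:
            days = max(1.0, (times[peak_start] - prior[0]) / timedelta(days=1))
            daily_avg = len(prior) / days
        else:
            daily_avg = 0.0
        if peak >= min_burst and peak >= ratio * daily_avg:
            flagged[user] = (peak, round(daily_avg, 2))
    return flagged


if __name__ == "__main__":
    for user, (peak, avg) in flag_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {peak} events in 5 min vs {avg}/day before; likely compromised")
```

A real deployment would feed the flagged accounts into the password-reset and user-notification step the article describes rather than acting automatically.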
When MarkMonitor, an outside security company employed by Facebook, shut down the fake website, the scam popped up again on a different site, FBStarter.com. (It too has since been disabled.) “My guess is this was a pretty organized group of people,” says Fred Felman, MarkMonitor’s chief marketing officer. Felman says the phishers, whoever they were (Internet scammers almost never get caught), were not using the most up-to-date technology, but their creativity and speed makes him think that they have experience and will probably do it again.
A similar phishing scam established a toehold on the website in January. And last year hackers broke into accounts by convincing people to click on links posted on their profile walls. Another common Facebook scam is to hack someone’s account and then send messages to friends asking for money (like the old Nigerian businessman scam, but with a hey-it’s-your-old-pal twist).
Facebook won’t say how many accounts were compromised last week, but a rep notes that the site has never had a scammer hack more than a small fraction of its accounts, adding that the company’s security team — which has more than 100 analysts, engineers and programmers — can handle whatever comes their way. “We’re going to be attacked again in the future,” says McGeehan, “and my role is to be prepared when it happens.”
The Koobface Web site offers a video posted by ‘SantA’. The usual ruse of requiring a codec to watch the video is used, to encourage the user to install and run a file called setup.exe (SHA1:a2046fc88ab82abec89e150b915ab4b332af924a). This file is currently detected by 16 out of 41 antivirus products according to VirusTotal.
On the compromised Facebook page the user is presented with a link to ch[removed]cher.ch which is a compromised site in Switzerland. The user is redirected to one of several Koobface Web sites through a malicious Flash movie file hosted on the compromised site. If the user runs the infected file, the worm will automatically login to their Facebook, Myspace, and several other social networking sites and send messages to all their friends.
Anybody want to know Trend Micro’s top secret internal strategic plans for our upcoming projects? How about our financial returns for the next quarter?
Well, sorry, obviously we are not going to give that sort of information out publicly—we’d need to be crazy to do something like that.
… On the other hand if you want a heads up on Microsoft’s upcoming Windows 8 and Windows 9 operating systems (128bit, apparently) just wander over to the LinkedIn social networking site.
PC Pro has published a short piece on how a certain key Microsoft employee’s LinkedIn profile described his job description as:
Working in high security department for research and development involving strategic planning for medium and longterm projects. Research & Development projects including 128bit architecture compatibility with the Windows 8 kernel and Windows 9 project plan. Forming relationships with major partners: Intel, AMD, HP and IBM.
Ouch.
This is yet another example of very sensitive company data being accidentally posted to a social networking site, an all too common occurrence. Social networking sites are also invaluable as sources of reconnaissance for hackers targeting a specific company, whether it’s an IT admin on LinkedIn mentioning “managing Checkpoint Firewalls” in his job description, or an employee tweeting that they are on their way to a “merger meeting with company X”—employees are quite often unaware of the sensitive information they are publicly disclosing.
Don’t get me wrong, I like social networks. I even have a LinkedIn profile of my own, but I don’t put any data there that people would not already know.
If you are worried about this sort of data leak occurring in your own company, I’d fully recommend reading my colleague David Sancho’s paper “A Security Guide to Social Networks”.
Perhaps Microsoft might like to print out a copy for all of their own employees.
GENEVA — The attacks and scams that have been affecting users of Facebook, Twitter and other popular social networking sites are continuing to evolve and improve, as the attackers learn more about their victims and refine their tactics, experts say.
The poster child for these attacks has been the Koobface worm, which has been circulating on Facebook and various other sites for several months. However, the term worm is something of a misnomer in this case, experts say, as Koobface in fact comprises a number of different components. In addition to the social networking propagation components, Koobface also now includes a network of malicious Web servers, URL checkers, a CAPTCHA breaker, a rogue antivirus program, data stealers and search-result hijackers, said Ivan Macalintal, a senior threat analyst at Trend Micro, in a presentation at Virus Bulletin 2009 here Thursday.
And that litany of capabilities doesn’t even include the botnet and associated command and control structure that Koobface has built. The botnet control is done over HTTP, and the updates that the Koobface authors make to the program, which sometimes happen as frequently as once a day, usually change the C&C structure, as well.
“It’s an unfinished product at this point and it’s in perpetual beta,” Macalintal said.
In June, Koobface still had just two main C&C servers controlling the botnet. A month later, after continued efforts from researchers to disrupt the botnet, the Koobface authors updated the infrastructure, adding a layer of proxies and making it more difficult to identify the specific servers controlling the bots.
Koobface also is now using blogs that are set up automatically, usually centered on a major news event and filled with entries with malicious links. The links lead to phishing sites or sites that host the Koobface malware itself.
And it’s not just Facebook that’s taking the hit. Twitter also has emerged as a major target for attackers looking for phishing victims, personal information on potential victims and anything else that could be of use. There have been some incidents of botmasters using Twitter as a command mechanism, although experts say this is not of much use.
“It’s not the best means of command and control, because it’s easily blocked after detection,” said Costin Raiu, a security researcher at Kaspersky Lab, who gave a joint presentation with Morton Swimmer of Trend Micro on Twitter attacks.
Raiu and Swimmer are working on separate projects analyzing the volume and nature of threats and attacks on Twitter by pulling tweets from the site’s public timeline and putting them through a variety of automated analyses. Much of the activity right now consists of spam from automated Twitter accounts, malicious URLs leading to phishing sites and porn.
September 14, 2009 — CSO — While incidents of identity theft, phishing attacks and other schemes that take place on Facebook have been well documented (See: Five Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid), it turns out the latest scam simply uses the popular social networking site as a scapegoat while leading users to outside malicious sites. Last week, rumors swirled around Facebook that a new application known as “Fan Check” was infecting users with a virus. The story spread as many users updated their status to read: “The FAN CHECK Application is a VIRUS that takes 48 hours to kick in. Even if you are tagged in a photo the virus still attacks you. Please inform all you friends and remove/delete the applications ASAP. Copy and paste this as your status so word gets around quickly.”
However, according to several security firms, including U.K.-based Sophos, it’s not the Fan Check application that is the problem; it’s the so-called “removal kits” being hawked by hackers that are the real danger. As rumor of the alleged Fan Check virus made the rounds, the term skyrocketed in popularity on Google and other search engines. As Sophos’ Graham Cluley blogs, hackers have set up several malicious sites that prompt users to purchase fake anti-virus software. The sites, which users reach through their search engine results, “display bogus warnings about the security of your computer in an attempt to get you to install fraudulent software and cough-up your credit card details,” according to Cluley.
The developers of the Fan Check application have already posted details about the rumors and are refuting the virus claims on the discussions page hosted on the Fan Check Facebook page. In a post from the developers, they assure users the bug does not exist and that Fan Check is a legitimate application that allows Facebook members to rank friends based on how often they interact with a user’s Facebook wall. Fan Check claimed to have 2,762,455 fans on Monday afternoon.
We were asked to check the integrity of a larger financial firm located in Canada. We had a couple of meetings about where the important information was most vulnerable. After great debate, we decided that the HR department would be our target. They held a lot of SSN and PMI information. As a team we looked into when the best time would be to test this target and figured out that most, if not all, of the department would be recruiting at an MIT function. Because I set up a fake LinkedIn account as one of the upper management employees, I noticed that many of the employees, including the VP of HR, made reservations to MIT using TripIt via LinkedIn. It was quite amazing how many requests I got out of the HR department to be linked in without verifying my account.
While planning our attack, we started following many of the employees on FB, Myspace and Twitter. Nothing really special came out of our monitoring, until the weekend before our attack. The VP started twittering about a trip to Chicago. She was tweeting about the flight, the airline losing her luggage and how nice the weather was when she landed. Next she twittered for recommendations on where to get a new cell card for her laptop because the other one was in her lost luggage. She also started tweeting about a great sub shop called Jimmy Johns. The tweet was basically in these words: “I have fallen in love with a sandwich across the street from Best Buy. While waiting for them to install my cell card I ordered the gargantuan.” Well, because Twitter is in real time, I knew this would be a great opportunity for a social engineering attack. I Google-mapped all the Best Buy stores and street-viewed them to see which had a Jimmy Johns across the street. It was actually down a couple of blocks... but I found it.
Calling the store, I asked for the technician working on her machine. I thanked him for helping us out with her laptop and asked if he needed anything, like an Administrator password. The technician said, “No, she already gave us the 2 passwords, xxxxx and xxxxxx.” I said, “Great! What card and firmware are you installing?” The technician answered the questions after 15 minutes of trying to find it on the CD: “Version 2.1.1”. Finally, I asked if he could do a huge favor: because we knew of a bug that would cause problems for her connecting to our VPN with that particular firmware, could he install an update? I will email you a 2.1.2_firmware.exe file; if you will install it then she will be all set and not call me later. The technician sympathized and agreed to help me out. We now had a back door to the HR department and I freed up a weekend from testing.
Moral of the story? Information security is just that: keeping your information secure. If your policy is to allow employees to use social media sites, then treat them as yet another system and find a way to monitor the information. Just like you should be testing phishing attacks, you should be testing social networking attacks. If you have a policy against employees using social media, then find ways to enforce the policy.