Saturday, April 16, 2016

Things You Should Never Do While Using TOR

1. Do not use Windows!
If privacy is your main concern while using TOR then it is advisable that you do not bundle it with Windows. Always use Linux based systems like Tails, or Whonix in order to remain completely anonymous. The problem with Windows is that it contains several vulnerabilities and bugs which could have a devastating effect on your online privacy.

2. Disable JavaScript, Flash, and Java
Binary applications such as JavaScript, Flash, and Java are capable of accessing and sharing your data since they operate with your user account’s privileges. Almost every website uses JavaScript to track its users. Whereas Java and Flash are capable of bypassing TOR’s protection by ignoring the proxy settings on your device. And even TOR is incapable of protecting your online anonymity when such agents are capable of interacting with the web directly without being routed through TOR.

3. Never use P2P
The TOR network was never intended to be used for P2P sharing. Downloading torrents over TOR network slows down the browsing of other networks. Apart from this, if you’re adamant on downloading files over P2P then beware! This might compromise with your online anonymity. If you’re using BitTorrent clients with TOR then you’re allowing such clients to send your IP address to other peers as well as the trackers, directly.  And once such a communication is made, your online identity is exposed to anyone in charge of such traffic.

4. Delete your Cookies and Local Data
Although, TOR may direct your data through a series of relays in order to hide your online identity. But it is possible that the websites can use cookies, local data, and other network packets for tracking your online activities. You’re not completely anonymous on the TOR network unless you delete your cookies and local data at regular intervals.

5. Do not ‘Google’
Popular search engines like Google are notorious for storing your browsing information and search data while you’re looking up for something on the internet. This enables them to show personalized ads onto the user’s device. Thus, it is advisable that you should not ‘Google’ something while using TOR. Instead of Google, you could use DuckDuckGo or Startpage to the same effect. These search engines do not keep a log of your IP or stores cookies onto your computer. Thus, while using TOR, use such alternatives to keep your anonymity intact.

6. Never send unencrypted data over TOR
TOR only encrypts your connection and not the data that you send over it. This makes anyone who is in control of the exit nodes, access such sensitive information. Thus, it is highly advisable that you must always send encrypted data over the TOR network to keep your privacy concerns at bay.

Yes, TOR has helped us to browse the internet in the most secure way possible. However, there have been instances where people have been busted mainly because they have been careless on the network. We have enumerated such situations, where your anonymity might be compromised with. Just keep the points mentioned above in mind to avoid a situation where your online identity could be exposed even while you’re using TOR.

Wednesday, April 15, 2015

“Cyber Threat Intelligence” What Is Needed For Identification and Response?

“Cyber Threat Intelligence”
What Is Needed For Identification and Response?

What is cyber threat intelligence?
CTI “Cyber Threat Intelligence “is a term used to address any information which can be used to protect your organization IT assets against an attacker.

This IT (Threat Intelligence) can be of many forms like internet bases IP addresses, Attacker geolocations TTP’s (Tools , Tactics and Procedures ), which would work as an indicator OR early warnings of attacks or an attempt to harm the IT Infrastructure in turn harming business.

There are number vendors on the globe who give TI feeds which can be integrated with your security controls like SIEM, GRC tool and other correlation engines.

This is an attempt to identify the information which is needed as actionable TI which can used to defend your organization.

1.       Drivers
a.       These are conditions of the attacks like a Zero Day, Business related breaking news/ announcements for the organization.
2.       Prerequisites
a.       What would the attacker need to generate and trigger an attack on your organization e.g.:  Type of security controls on your perimeter, network and endpoints. Type of devices (endpoints, internet facing web servers, routers firewalls etc.  ) which are exposed to the internet.   
3.       Capabilities
a.       Capabilities of the attacker and the attack itself e.g.: The script Kidde’s would be able to generate an attacks but then would not possess the capability of post attack activity. OR a professional attacker would have the capabilities of generating an attack but the defense mechanism would be able to partially stop the attack where the attack would not get the attacker the intended results.  
4.       Components
a.       Attacking component TTP’s (Tools, Tactics and Procedures) which are used in past attacks conducted by the attacker. This would help us with indicators for defending the attack.
5.       Measurement
a.       This component is important as the measurement of the attack in terms of number and type of security events generated pre- attack condition.
6.       What is the threat?
a.       Measurements the threat of the past attack would help us in mapping the threat findings with our organization
7.       What are the threat vectors,
a.       These vectors would be more of a “type of attacks” which would be seen in the attack phase.
8.       Where else the threat vector seen on the globe?
a.       Historical threat vectors used by the attacker in past should be a part of the TI information.
9.       What was the threat impact?
a.       Historical threat impact on the victims would help to measure the attackers TTP’s
10.   What were the parameters of compromise?
a.       What would be the needed condition and parameters for a successful compromise to be conducted? 
11.   What could be the early warnings?
a.       Early warnings and indicators of past attacks conducted by the attacker.
12.   What would be a practical and approachable defense mechanism?  
a.       Historical data in terms of approach taken by the defender to defend the attacks.
13.   What would be the business impact?
a.       What was the business impact on victims in terms of data theft, ransomware and business dis-continuity  
14.   What type of IT for Zero Days?
a.       What information would the TI share in terms of Zero Days in terms of IP addresses, Geolocations, Domains names, ISP information, file names, MD5 hashes etc.?
15.   Pattern of attacks in past
a.       What patterns where generated by the attackers OR what type of internet traffic (Inbound/Outbound) per-attack conditions
16.   Attack timelines before a successful compromise.
a.       These timelines would help us to understand the skills of the attacker and allow us the decide max time frame to respond against a business accepted condition of a known vulnerability
17.   Zero Day detection and patterns based on packet, ports and geolocations.
a.       What type of traffic patterns are generated in case of Zero Days for a pre-compromise conditions
18.   What and how security controls where bypassed?
a.       The historical data of the TTP’s for bypassing of the security controls is very important as this would give us pinpointed information which would help us to defend such attacks.
19.   Post compromise (Forensics Investigation) information.               
a.       Post compromise information like...
                                                               i.      File names
                                                             ii.      MD5 hashes    
                                                            iii.      Inbound and Outbound Traffic
                                                           iv.      Internal traffic patterns
                                                             v.      Detection by internal security controls
                                                           vi.      Auto-defense OR events generated by security controls
                                                          vii.      OS and application level errors generated by the attack vector

The above are few indicators which a TI tool vendor should provide. I strongly believe that if the above information is provided by the vendors, we can surely respond and try to defend attacks.

Comments and inputs are most welcome.   

Friday, June 27, 2014

StealthWalker The Swiss army knife of privacy application

StealthWalker The Swiss army knife of privacy version 2.5.3 released. It is more stable you also have a global system key to renew TOR IP. Get your full functional copy today :)

Wednesday, December 18, 2013

Cyber Threat Protection for Executives to be Included in 2014 Business Plans

Most high profile executives can be easier targets as they are usually absent from routine security training which now exists in most firms. Over 80% of breaches or threats result from common sense security protocols not being implemented by the executive or his/her immediate staff.

These can include:
  • Not doing routine upgrades on personal machines
  • Accepting or using random memory drives
  • Not having apps verified by IT/security departments before installing on phones, tablets or computers
  • Leaving an office unlocked or making it accessible
  • Taking sensitive work home
  • Using generic email addresses (gmail, hotmail etc) for work
  • Not having the latest anti-virus or internet security software installed
  • Giving low level IT staff access to Super Admin on company servers
  • Not having a security filter installed on company emails
  • Lack of proactive cyber scanning for threat chatter or discussion relating to the executive
  • Using unverified cloud backup services
  • Not using a shredder (old school trash digging is still done by serious adversaries)
  • Using public wifi
  • Never changing passwords or using passwords which are weak
  • Not doing due diligence on vendors and giving them access
  • Randomly clicking links on “alarming emails” or alerts (designed to make you click)
(This is by no means a complete list)

Wednesday, October 16, 2013

Things You Should Never Assume When it Comes to Network Security

Things You Should Never Assume When it Comes to Network Security

  • The security systems we have are good enough.
  • Our security architecture is so complex no attacker will be able to get into our network.
  • We only REALLY need to worry about inbound firewall policies. The danger is out there! (not in the network).
  • We're up to date on patching our vulnerabilities so we are in the clear.
  • The firewall configuration is secure because it’s managed by an outside firm.
  • If no one is screaming about an outage or a virus then everything is hunky dory.
  • Network operations and application owners understand security.
  • Security is more important than business operations.
  • The security processes we have are good enough – they are written down on paper.
  • Employees will follow most if not all of the security policies.
  • It’s much more secure if we virtualize it.

Thursday, August 29, 2013

17 Security Related Phrases We Are Sick of Hearing...

  1. “What is the key to our wireless again?”
  2. “I downloaded something and now my computer is acting all weird”
  3. “Why do I need to use the VPN all the time?”
  4. “How come I have to apply updates all the time?”
  5. “At home I run macs because they don’t get viruses and malware”
  6. “Hey, can you teach me how to hack?”
  7. “Is there any way to get around me having to type my password over and over again?”
  8. “I clicked on it because it totally looked like it was from my bank”
  9. ”Should I get my CISSP?”
  10. “Is it safe to click on this self-signed cert?”
  11. “I have no idea how that pornography got on my computer?”
  12.  “The webpage said that this cloud services was 100% secure?”
  13. “I locked myself out of my account again, can you reset it?”
  14.  “I think I may have just lost a bunch of important files, what do I do?”
  15. “Can I get root access on this server?”
  16. “We will get back to you on those security-related changes you recommend”

Wednesday, May 15, 2013

3 Big Mistakes In Incident Responce - Must Read