Archive for January 20, 2014

KAPTOXA POS and the PCI-DSS Recipe for Target Breach

You might not know KAPTOXA (KAR-TOE-SHA) According to an article in Business Insider there is belief that the recent breaches that have occurred for Target, Neimen Marcus and a host of other retail service stores is based on the work of a teenager from Russia. Intel Crawler an intelligence aggregator and cyber security firm. Pulled data from multiple underground and networked security contacts to create the picture. According to their findings the toolkit is more than 40 builds deep. What this effectively means to the community at large is that there are 40 variations of the tool in existence today. Unlike normal software development where software is revised according to quality of service improvements. Malicious code creators make their revision as they tailor the toolset to a specific target. No pun intended.

Additionally there are some key indicators that are coming about as part of this discovery. As always, the low hanging fruit for mitigation can be blocking of domains associated as part of the callbacks for the malware. Callbacks can be explained as the command and control location where either data is wrapped and sent back for external use, and also the C2 is the sites that may be created to established communications for future efforts of data manipulation.
Initial reverse engineering analysis of the malware indicates that at least one of the variants being used has the capability to run on standalone systems. Although, nobody is pointing any fingers out loud at this time tools that are run on standalone systems are often injected in 1 of two ways 1. Malicious Insider Threat, Or 2. Stupid Users. However, the complexity of the file and its intent would leave me not believing this is accidental.
My additional cyber insight is the belief that the compliance measures that have been made over the last 8 years may have also been a very crucial piece as to why these breaches were so successful. Having been a Policy writer for some time now I know there are key missing links between Information Assurance and ICT security. Further, it has to be understood that written policy sometimes becomes the reversal recipe that an actor will use to employ their circumventing mechanisms. In addition, the actors will often only employ the “one up method” as is the case specifically with the payment card industry’s security guidance PCI-DSS .  A few examples that were revealed rather quickly. 1. The requirement not to use vendor supplied password such as the password POS, or vendor system name.. and the organizations used POS1, and vendor name1.  Another requirement was to encrypt transmission of cardholder data across open, public networks…. But that doesn’t mean the network inside my WAN.. or does it? and one final one that continues to be the the demise of proactive security and defense is the requirement to maintain a policy that addresses information security for employees and contractors. This is not CND this is CYA, and it will fail you. It is time the retail industry starts participating in FS-ISAC exercises and not only installing sensors, but monitor those sensors.

Link Details:


Web Defacement & Gang Graffiti

As an instructor for Iowa Central Community College’s Criminal Justice Program, Joey Hernandez worked to develop future Law Enforcement personnel by integrating their background in standard law enforcement to  criminal activity on the web. Hernandez strived to make all lesson interactive.

Follow along in the podcast and presentation to see how the inter-workings of Gang Graffiti & Web Defacement are directly integrated.

View the presentation: Web Defacement & Gang Graffiti

Search These Terms To Interact   (At Your Own Risk):

/#Own3d By <<Root.Dark.Team>>

Text Snippet Example:

• @xllLinuxeroDeatllx
• @Mantr@x
• @Br4nd
• @Pr4X!
• @ThopJuliet(Cloud)
• @Shell|Black
• @Maximus Well
• @NodSprut
Notice the common members throughout and with
each of defacement an additional member is added.


Typosquatting – Cyber Squatting (PDF and Podcast Available)

Follow Along Briefing With Podcast  TYPOSQUATTING_Joey_Hernandez

Similar To Domain Squatting
–Targets BRAND NAME domains
–Relies on typographical errors made by direct input URLs
–Often involved with illegal activity
–Also used for FINANCIAL gain
• According to Brandjacking Index, the risk of brand misuse worldwide is the highest in US, Germany and UK.
–59%+ all websites using brand names for illegal purposes originate from these three countries.
• Organization Focused on defeating these efforts

•Condition: Users continue to manually type URLs
•The possibility of suffering “harm” is HIGH
•Consequences: Cisco Global Threat Report 4Q10
–The rate of web malware encounters peaked in October 2010, at 250 average encounters per enterprise for the month
–Web malware grew by 139 percent in 2010 compared to 2009
–Malware continues to evolve
–Economic Hardship brings out “The Best”
–Users: “They Still Fall For Phishing Email”
–Cyber Espionage
–Mobile Devices “Those keys are too Small”

Defense Mitigation Against The Cyber Kill CHain

Joey Hernandez perspective on Mitigation Against Cyber Kill Chain

Joey Hernandez perspective on Mitigation Against Cyber Kill Chain

As we continue to develop capabilities within organizations providing Defensive Cyber Operations it is critical to develop organizational maturity. Current methodologies although effective are unsustainable do to the rapid evolvement of cyber threat.
A organizational level approach can be made by adopting some of the following objectives:
1. Increase the pay scale for “qualified” CND Analysts – CIRT staff are often the lowest paid tier of Incident Response personnel.
2. Hire “Analytical” people – A Great Sys Admin does not a Great System Defender Guarantee. “Better analytical capability makes up for a lot of memorized technical knowledge. Having both makes you a god.”
3. Function Rotation – Although specialization is a critical capability, functional rotations assists in creating analytical thought by adding perspective and insight to all aspects of DCO.
4. Teach analyst how to communicate – share your best business practices what’s worked and not worked. Not only with internal teams, but with colleagues in industry. It is terrible to have great analysts that nobody wants to work with..
5. Hire passionate team players – I can send you to all the certification training in infosec the world has to offer but if you aren’t doing this because you live it…. We are both wasting our time.
6. Employ – “better leadership to foster Passion”
7. Start utilizing the sensors and systems in place to their capacity/capability – Too many times systems are not employed fully whether lack of system training or misunderstood vendor support agreements. Garbage in garbage out.. Nothing in nothing out
8. Require training and certification – Ensure a common baseline for both the technical and communication side (GCIH, CISM, Project Management, MBCI) the management piece is to ensure analysts can write and follow from beginning to the end and understand the operational impact of incidents. Although this seems obvious take a look around
9. Exercise your capabilities – through, xnet or similar means to make teams operate together
10. Audit and assess – internally often, (show me, tell me, provide me documentation) to ensure organizational maturity. The team will have a vested interest.
Proactive efforts to accomplish specific steps will assist in maturing the DCO craft.

A passion for this work helps people dig for root cause, and gets people looking for the needles in needle stacks, fixing the broke, and documenting processes to help build the whole team rather than oneself.
Special Thanks To Kevin Partridge! For helping me see the light on the need for great leadership to foster the passion (6) the quote on (2), and elevating my maturity focus from a team to an organization on (10) – All Through a G+ posting Cyberspace Operations

Joey Hernandez CISM C|CISO CISSP Introduction

Joey Hernandez makes a quick cast concerning his background to get this Cyber Security Podcast series kicked off. The very first