Month: November 2015

Cyber domain black swans


What are black swans?

A black swan is an event you did not anticipate. It exposes a bias in human reasoning: when you have only ever seen white swans, you do not expect a black one to exist. In the cyber domain there are black swans in both defence and offence.

In defence, a black swan is the way someone got past all your defences even though you thought you had covered every attack vector. Edward Snowden is a good example. Others are the Angler Exploit Kit, the Taomike SDK, and the latest ransomware that threatens to publish your files if you do not pay.

In offence, a black swan is the way a hacker gets caught when he did not expect to be. It could be a trap or some other mechanism that exposed him before he got what he came for. Worse, it could be a technique the defender used to attribute the attack to him.

To make the discussion clearer, let’s look at the basic assumptions on each side. The defender assumes that the attacker is already inside his network. From the defence perspective, the operating space is divided into the perimeter and the internal network.

Firewalls, IDS/IPS and anti-DDoS appliances are examples of perimeter defence; behavioural analytics is the most common approach for the internal network. The defender is trying to create black swans along the attack path that will expose or block the attack, whether in the external or the internal domain.

The hacker assumes that the attack vector will be exposed by the defender. From the offence perspective there are no external and internal domains: the hacker has a goal, to collect information or cause damage, and to reach it all options are on the table, HUMINT as well as digital methods.

When I talked to Israeli hackers about their definition of a black swan, the most common answer was an exposure they didn’t predict.

“When you plan an attack, you should think, for every move, that you will be exposed. The question is what you do then [a what-if scenario],” said a well-known Israeli hacker. “In some scenarios the defender will get an alert in the SIEM, but will dismiss it as not important. In others you will be exposed inside the defender’s network, and a decision has to be taken – to abort or to use deception. In some cases a black swan can be a backup procedure you didn’t predict up front.”

As mentioned before, a black swan is something you cannot predict. If, for example, the hacker bribed or blackmailed some of your information security staff in advance, that is a black swan for you.

If the attacker implants a malicious chip in network equipment you bought from a known manufacturer [as the NSA was reported to have done with Cisco equipment], that is a black swan for you. If your CEO hires a “cyber mercenary” from the darknet to hack your company, that is a black swan for you. Another could be a mini computer running Kali Linux hidden in your network and pretending to be a legitimate network device.

A recent black swan scenario happened at DISA [Defense Information Systems Agency] through a contractor that hired Russian programmers. The code they wrote apparently led to the presence of viruses in the U.S. military’s communications systems.

There is no doubt that in today’s cyber domain it is all about black swans. The defender wants to surprise the hacker and vice versa. That is why defence solution companies are looking for hackers and hackers are looking for experience in defence procedures: it takes one to know one. Writing code is not enough. If you do not think like a hacker [or a defender], you will not see your black swans.


Military Contractors That Used Russian Programmers for DoD Software Get Fined by US Govt


Two US military contractors have agreed to pay substantial fines for employing the services of Russian programmers for software that was delivered and installed on the computer network of the US Department of Defense.

According to a statement issued by the U.S. Attorney’s Office, District of Columbia, the two companies are NetCracker Technology Corp. headquartered in Waltham, Mass., and Computer Sciences Corp. (CSC) headquartered in Falls Church, Va.

Back in 2008, CSC, an information technology services company, won a DoD contract to build communications software for DISA (the Defense Information Systems Agency).

From 2008 to 2013, CSC subcontracted some of their work to NetCracker, a company specialized in telecom software and services.

To keep costs down and meet the deadline, NetCracker used individuals without security clearances who lived outside the US.

While the U.S. Attorney’s Office declined to name their nationality, a 2013 complaint by John Kingsley, a former NetCracker manager, said the programmers the company hired were living in and around Moscow, Russia, as SC Magazine reports.


Unlike Snowden, “whistleblower” Kingsley will receive $2 million

Mr. Kingsley made his complaint under the whistleblower provision of the False Claims Act. This provision allowed him to file a complaint on behalf of the US government against the two companies.

For this breach of contract terms and of national security requirements, NetCracker agreed to pay $11.4 million and CSC agreed to pay $1.35 million.

The same provision that allowed Mr. Kingsley to break his confidentiality clause and report his company also warrants he’ll receive a portion of the damages. According to official documents, Mr. Kingsley will collect $2,358,750.

The two companies resolved the lawsuit through an out-of-court settlement that includes no determination of liability, which means nobody is going to jail.

US officials did not provide details on the status of the “corrupt” software installed on DoD computers, but common sense points us to believe it was removed back in 2013.


You gambled recently in Michigan? (And by that we don’t mean driving through Detroit)


Bank card slurping malware discovered in casino chain’s tills.

A casino owner in Michigan is warning its players after detecting bank-card-stealing malware in its payment systems.

The Four Winds Casino Resort, which operates three casinos and a service station on tribal lands in the state, said it found the software nasty after banks alerted it to fraudulent transactions.

According to Four Winds, the malware specifically sought out payment card data including cardholder name, number, expiration date, and verification numbers. The data would have been collected from cards swiped at sales terminals at the various resorts.
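As an added illustration, not from the Four Winds notice or from The Register, here is what “specifically sought out payment card data” means in practice. Point-of-sale memory scrapers search process memory for magnetic-stripe track records (Track 1 carries PAN, cardholder name and expiry; Track 2 carries PAN and expiry; the card verification value on the stripe sits in the discretionary data) and keep only the records whose PAN passes the Luhn check, which cuts false positives. The same logic, run over a memory dump or a swap file, is also the simplest detection for this malware class. The buffer below is constructed: the PANs are the public Visa and Mastercard test numbers, the name is fictitious, and the filler bytes stand in for unrelated process memory.

```python
import re

# Constructed memory buffer: two real-format track records, one decoy that fails Luhn,
# surrounded by filler. Test card numbers only; no data from any actual incident.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^18121011234567890?"   # Track 1 record
    + b"\x90\x90\xcc\x00"
    + b";5500000000000004=18121011234567890?"             # Track 2 record
    + b"pos.log: tx ok "
    + b";4111111111111112=18121010000?"                   # decoy: fails Luhn
    + b"\xff" * 8
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^%?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; scrapers and scanners both use it to discard junk matches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking for anything you log or alert on: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Every track-formatted record in the buffer, Luhn-valid or not, ordered by offset."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan, name, exp = m.group(1).decode(), m.group(2).decode(), m.group(3).decode()
        findings.append({"offset": m.start(), "track": 1, "pan": pan, "name": name,
                         "expiry": exp, "luhn": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        findings.append({"offset": m.start(), "track": 2, "pan": pan, "name": None,
                         "expiry": exp, "luhn": luhn_ok(pan)})
    return sorted(findings, key=lambda f: f["offset"])


def card_data_hits(buf: bytes) -> list:
    """What a scraper would exfiltrate, and what a scanner should alert on: Luhn-valid records."""
    return [f for f in scan_buffer(buf) if f["luhn"]]


if __name__ == "__main__":
    for hit in card_data_hits(SAMPLE_DUMP):
        print(f"offset {hit['offset']:5d} track {hit['track']} "
              f"pan {mask_pan(hit['pan'])} exp {hit['expiry']} name {hit['name']}")
```

Run against a process dump of the POS application, a hit on a Luhn-valid PAN in a process that has no business holding cleartext track data (or in one that should have encrypted it at the reader) is the indicator; the mask function exists because the scanner itself must not become a second place where full PANs get written to disk.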

“It is possible that any card that was used in person at the Four Winds casino properties in New Buffalo, Hartford, or Dowagiac, or the Bent Tree Market service station on the Dowagiac property, between October 2014 and October 21, 2015, could have been copied by the program,” Four Winds said.


“We do not have sufficient information to identify the name and address of individuals who swiped their payment card at our properties during this time frame.”

Four Winds said it is working with the cops to investigate the security breach, and a third-party infosec biz has been brought in to check its networks and prevent any further infection. The company has also set up a site for customers who were possibly exposed in the breach.

Anyone who visited the casinos in the last year or so is being advised to keep a close eye on their bank statements and credit monitors for any suspicious or unauthorized activity. The resort has yet to say whether it will be offering affected customers a credit monitoring service.

The Four Winds resort company is one of several to have fallen victim to point-of-sale (POS) malware infections aimed at collecting payment card information. Big names including Hilton, Mandarin Oriental, and Trump Hotels have fallen prey to malware that harvests card data from cash registers and POS terminals. The stolen card data is typically sold off and used for fraudulent charges.


XSS vuln found in Cisco’s social support software


SocialMiner doesn’t play nice with China’s popular WeChat.

Mining social media to protect your brand is a great idea, unless the tool you use becomes an attack vector.

That’s the slightly embarrassing bug Cisco’s just reported in its SocialMiner 10.0(1) product: its WeChat page is open to cross-site scripting.

It means some unfortunate support staffer who’s not paying close attention to what they’re receiving could get tricked into clicking a malicious link.


SocialMiner is yet-another “brand management for social media” application – in other words, if Foobar Inc sees unfavourable mentions or a call for help on a social network, the software will tell someone to respond. Preferably before anything looks like going viral.

Cisco’s advisory states: “The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by convincing the user of the affected device to follow a malicious link or visit an attacker-controlled website.

“An exploit could allow the attacker to submit arbitrary requests to the affected device via the affected web browser with the privileges of the user.”
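The bug class the advisory describes, as an added example that is not SocialMiner’s code and makes no claim about how Cisco’s page is built: a page that reflects a request parameter into its HTML without encoding, next to the same page hardened. The payloads, host, path, parameter and API names are all constructed for the demonstration. The first payload, if it runs in the support agent’s browser, issues a request that rides on the agent’s session, which is exactly the “arbitrary requests with the privileges of the user” impact quoted above; the second shows why the attribute context needs quotes encoded too. A small HTMLParser subclass stands in for the browser and reports whether the rendered markup contains any script element or on* handler.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed attacker payloads for the two contexts a reflected term usually lands in.
# Host, path, parameter and API names are hypothetical, not SocialMiner's.
SCRIPT_PAYLOAD = "<script>fetch('/api/reply', {method:'POST', credentials:'include'})</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'
BASE = "https://socialminer.example/search?"


def search_term(url: str) -> str:
    """Pull the q= parameter out of the link the agent was tricked into following."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the term into an attribute and an element body with no encoding:
    the 'insufficient input validation' pattern."""
    q = search_term(url)
    return f'<input name="q" value="{q}"><h1>Mentions of {q}</h1>'


def render_hardened(url: str) -> str:
    """Same page; the term is HTML-encoded for both contexts (quote=True also escapes " and ').
    Non-ASCII text such as Chinese passes through unchanged, which matters for a WeChat feed."""
    safe = html.escape(search_term(url), quote=True)
    return f'<input name="q" value="{safe}"><h1>Mentions of {safe}</h1>'


class ActiveContentFinder(HTMLParser):
    """Stand-in for the browser: records <script> elements and on* event-handler attributes.
    Encoded text (&lt;script&gt;) reaches handle_data, not handle_starttag, so it is not counted."""

    def __init__(self):
        super().__init__()
        self.active = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.active.append("script")
        for name, _ in attrs:
            if name.startswith("on"):
                self.active.append(name)


def would_execute(markup: str) -> bool:
    finder = ActiveContentFinder()
    finder.feed(markup)
    return bool(finder.active)


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        url = BASE + urlencode({"q": payload})
        print("vulnerable executes:", would_execute(render_vulnerable(url)))
        print("hardened executes:  ", would_execute(render_hardened(url)))
```

Output encoding matched to the context is the fix that removes the bug; an allow-list on the parameter and a Content-Security-Policy that forbids inline script are the layers that limit the damage when a reflection point is missed. The parser-based check is deliberately stricter than string matching: the hardened attribute still contains the characters “onfocus=” inside an encoded value, and only a parser can tell that they are inert.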

While it only has a relatively low CVSS score of 4.3, there’s no fix as yet, nor are there workarounds.

However, it’s probably not a wonderful look in China, where WeChat has about half a billion users under its “Weixin” brand, and in addition to its Twitter-like micro-messaging, the app is used for payments, video-messaging, taxi bookings and other things.