Advanced Security Analytics

I recently attended the Business for Breakfast seminar, held in Geneva and co-hosted by Kudelski Security and RSA, around the theme Advanced Security Analytics. In this blog post I am going to summarize the two talks that I particularly enjoyed, as the atmosphere lent itself: Business for Breakfast!

First of all, I want to describe the context, to better understand the interest of both companies in hosting this conference. On March 2, 2016, RSA, The Security Division of EMC, and Kudelski Security, the cybersecurity division of the Kudelski Group, announced that Kudelski Security is now a leading provider of RSA products and services. Through the agreement, RSA provides Kudelski Security with fully managed security and critical incident response services, leveraging RSA's advanced, intelligence-driven Security Operations Center (SOC) capabilities to accelerate the detection, investigation, remediation and management of security incidents and vulnerabilities, with the ability to build services around proven advanced security operations solutions including RSA Security Analytics, the RSA® Critical Incident Response Solution, the RSA® Security Operations Management solution, RSA ECAT software and the RSA® Advanced Cyber Defense Practice.

To return to the seminar, the first presentation was by Robert Griffin, Chief Security Architect at RSA. He explained how to move forward with advanced security operations such as intelligence-driven security, and how organizations can use it, including big data analysis, to embrace opportunity, improve security and reduce risk. Mr Griffin argued that RSA is about delivering a trusted world by applying RSA's intelligence-driven strategy. The following slides help to understand how and why RSA arrived at this strategy.

  • Evolving IT infrastructure: we can't keep applying traditional security defenses to the third-platform IT infrastructure.
  • The changing threat landscape: new threats are increasingly strong and challenge traditional security defenses and technologies.
  • Intrusion Kill Chain: this model is a novel way to deal with intrusions, moving from the traditional reactive approach to a more proactive system based on intelligence gathered through indicators observed throughout the phases. Normally the incident response process starts after the exploit phase, putting defenders at a disadvantage. With this method defenders should be able to move their actions and analysis up the kill chain and interfere with the attackers' actions.
  • Solution: Intelligence Driven Security. The challenge here is to manage risk by monitoring the cycle Visibility, Analytics and Action: continuous monitoring, correlating risk signals and indicators.
  • Benefit of this solution: with real-time intelligence, organizations can dynamically manage cyber threats.

The second part of the seminar was presented by Olivier Spielmann, Head of the Cyber Fusion Center at Kudelski Security. He demonstrated how Kudelski Security leveraged RSA analytics to build an advanced SOC and a multi-tenant security monitoring service.

src: Kudelski Security, RSA

KeRanger: First Ransomware to infect Mac Computers


If you are a Mac user like me, who loves to download torrents with the Transmission software, then you will receive this warning message when opening Transmission!

KeRanger ?

KeRanger is ransomware that aims to encrypt users' hard drives and then ask them for money to decrypt them. If they do not pay, their data will be lost.

KeRanger emerged with the application Transmission, the most popular torrent client on Mac. Version 2.90 was infected with the ransomware, and some users have been affected without knowing it.

Users likely to be victims of KeRanger are those who downloaded version 2.90 of the Transmission software on the 4th or 5th of March.

Three days after infection, KeRanger strikes and demands a ransom from the user by encrypting the files on his computer to bar him access to them.

Once installed, KeRanger will search for approximately 300 different file types and encrypt any it finds. The malware will then display a ransom message, demanding that the victim pay 1 Bitcoin (approximately US$408). Payment is made using a website on the anonymous Tor network.

Apple has said it is aware of the ransomware and has already revoked the certificate of the legitimate developer that allowed KeRanger to be installed on Macs.

How to know if you are infected?

Open a Terminal or use the Finder to look for the file General.rtf under /Applications/ or /Volumes/Transmission/. If it is present, the Transmission application is infected and it is highly advisable to remove it.


These are the screenshots of my own Transmission. Since I use the Transmission 2.84 release, I'm not infected. For infected computers the file General.rtf would be present between these blue lines!

Are you infected? Be sure to download version 2.92, which will remove the malware!
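As an added example (not code from the post), here is a POSIX shell check for the indicator described above. It assumes the file sits at Contents/Resources/General.rtf inside the Transmission.app bundle, and looks in both the installed application and the mounted disk image; the fixture builder is only there so the check can be exercised on a constructed bundle.

```shell
#!/bin/sh
# Added example: check Transmission.app bundles for the KeRanger indicator
# file (General.rtf) named in the post.
# Assumed location inside the bundle: Contents/Resources/General.rtf

# Return 0 (true) when the indicator file exists inside the given bundle
keranger_indicator_present() {
    bundle="$1"
    [ -f "$bundle/Contents/Resources/General.rtf" ]
}

# Print a verdict for one bundle path. Always returns 0 so that a scan over
# several locations keeps going even under `set -e`.
report_bundle() {
    bundle="$1"
    if [ ! -d "$bundle" ]; then
        echo "absent : $bundle"
    elif keranger_indicator_present "$bundle"; then
        echo "INFECTED: $bundle contains Contents/Resources/General.rtf"
    else
        echo "clean  : $bundle"
    fi
    return 0
}

# The two locations from the post: the installed app and the mounted DMG
scan_default_locations() {
    report_bundle "/Applications/Transmission.app"
    report_bundle "/Volumes/Transmission/Transmission.app"
}

# Constructed fixture: build a fake bundle, with or without the indicator,
# so the check can be tested without a real infected download.
make_fixture() {
    dir="$1"
    infected="$2"
    mkdir -p "$dir/Contents/Resources"
    if [ "$infected" = "yes" ]; then
        : > "$dir/Contents/Resources/General.rtf"
    fi
}

scan_default_locations
```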



Duqu 2.0: Kaspersky Lab investigates hacker attack on its own network

Duqu is back. The Russian computer security company Kaspersky revealed that it had detected on its own internal networks a program similar to malware seen in 2011. This new worm, dubbed "Duqu 2.0", is considered the "most advanced in its category" by the anti-virus vendor. While Kaspersky is careful not to name a culprit, it believes that only a nation state is able to design this software, which it estimates cost $50 million.

Attack’s discovery…

According to Kaspersky, the people behind Duqu 2.0 were fully confident it would be impossible to have their clandestine activity exposed; however, Kaspersky did manage to detect it, with the alpha version of its Anti-APT solution, designed to tackle even the most sophisticated targeted attacks. The thinking behind the malware is a generation ahead of anything Kaspersky had seen earlier: it uses a number of tricks that make it really difficult to detect and neutralize. Kaspersky's customers have nothing to fear from a security point of view, because the attack caused no incident affecting Kaspersky products and services.

Purpose of Attack …

The attackers were interested in learning about Kaspersky’s technologies, particularly:

The attackers also wanted to find out about Kaspersky's ongoing investigations and learn about Kaspersky's detection methods and analysis capabilities. Since Kaspersky is well known for successfully fighting sophisticated threats, they sought this information to try to stay under Kaspersky's radar. According to Kaspersky, the attackers have now lost a very expensive, technologically advanced framework they had been developing for years.

Who is behind the Attack ??? …

Kaspersky has found that the group behind Duqu 2.0 also spied on several prominent targets, including participants in the international negotiations on Iran's nuclear program and in the 70th anniversary event of the liberation of Auschwitz. The company is confident that the prevalence of this attack is much wider and has included more top-ranking targets from various countries. The upside is that Kaspersky will use this attack to improve its defensive technologies. Eugene Kaspersky confirmed that the malware databases have not been affected, and that the attackers had no access to Kaspersky customers' data.

Kaspersky does not attribute attacks; the company says it consists of security experts and does not want to get involved politically. However, it thinks that governments attacking IT security companies is simply outrageous: governments and companies are supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld. If various murky groups, often government-linked, treat the Internet as a Wild West with no rules and run amok with impunity, it will put the sustainable global progress of information technologies at serious risk. Kaspersky once again calls on all responsible governments to come together and agree on such rules, and to fight against cybercrime and malware, not sponsor and promote it.

Several clues point to Israel…

Although Israel denies its involvement, several indicators suggest that it took part in the design of Duqu 2.0. First, the first version of Duqu, dating from 2011, is itself a derivative of Stuxnet. The latter was developed by the United States in cooperation with Israel to attack Iran's nuclear program, in particular its centrifuges, to try to slow the efforts of Tehran, suspected of wanting to develop nuclear weapons.

In March, US officials claimed that Israel spied on the talks between the P5+1 and Iran in 2014, according to the Wall Street Journal. Israel has denied spying on the negotiations on the Iranian nuclear issue. "International news about Israel's involvement in this affair is baseless," said Israel. Austria and Switzerland, for their part, had already started investigations before the public revelations by Kaspersky.


Why Duqu 2.0? It exploits three zero-day vulnerabilities…

Duqu is a sophisticated malware platform discovered by CrySyS Lab and investigated by Kaspersky Lab in 2011. Its main purpose was to act as a backdoor into the system and facilitate the theft of private information. In 2011 Duqu was detected in Hungary, Austria, Indonesia, the UK, Sudan and Iran. There are clues that Duqu was used to spy on the Iranian nuclear program and also to compromise Certificate Authorities in order to hijack digital certificates. These certificates were used to sign malicious files to evade security solutions.

Both discreet and versatile, it is composed of numerous modules, which enable it to collect a variety of information. It can, for example, operate the microphones in hotel lifts that have them. The worm exploits no less than three "zero-day" flaws. These are flaws that are unknown and unpatched, in this case in the Microsoft Windows operating system.

src: Kaspersky Lab

U.S. Blames China for Massive Hack Attack

Four million U.S. government workers have been hit by a cyber breach. The information was revealed this Friday, June 5, by Washington. According to cybersecurity experts advising the U.S. government, this vast cyber-attack against the federal government appears designed to build a vast database, in what could be preparation for future attacks by China against the U.S.

The breach was initially thought to have affected the Office of Personnel Management and the Department of Interior, but government officials said hackers hit nearly every federal government agency. An assessment continues, and it is possible millions more government employees may be affected. The stolen information included Social Security numbers and performance evaluations.

Historically …

The detection of this "cyber-intrusion" dates from April, but according to information obtained by the Washington Post from officials who requested anonymity, the operation was set in motion in December, just when the personnel management office was putting new safety procedures in place.

Failure to update software behind federal data breach…

The cybersecurity experts added that some government agencies have not been following the government's own best practices for cybersecurity, such as updating operating systems with the latest protections.

Security researchers have pointed to a cyber tool or family of malicious software called Derusbi that has been linked exclusively to Chinese actors.

Chinese Cyber espionage…

According to analysts and experts, other Chinese entities, including the military, may also be involved in the campaign. Chinese government hackers "are like a vacuum cleaner" in sucking up information electronically: "They're becoming much more sophisticated in tying it all together. And they're trying to harm us."

China dismissed the allegation of hacking as "irresponsible and unscientific." Chinese Foreign Ministry spokesman Hong Lei said Beijing wanted to cooperate with other nations to build a peaceful and secure cyberspace: "We wish the United States would not be full of suspicions, catching wind and shadows, but rather have a larger measure of trust and cooperation."

The big-data approach being taken by the Chinese might seem to mirror techniques used abroad by the NSA, which has come under scrutiny for its data-gathering practices under executive authority. But in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.

EINSTEIN Detection System…

Employees of the legislative and judicial branches and uniformed military personnel were not affected.

The federal personnel office learned of the data breach after it began to toughen its cybersecurity defense system. When it discovered malicious activity, authorities used a detection system called EINSTEIN to unearth the information breach in April, the Department of Homeland Security said. A month later, the federal agency learned that sensitive data had been compromised. The FBI is investigating what led to the breach.

src: cnn, washingtonpost

Deep Web: Virtual to reality (Ross Ulbricht)


Ross Ulbricht, the founder of Silk Road, the online site selling drugs, was sentenced this Friday, May 29, to life imprisonment by a court in New York. He was known on Silk Road under the pseudonym "Dread Pirate Roberts" or "DPR". According to FBI information, Ulbricht had moved to San Francisco. A graduate with a Master's degree in Materials Science from the University of Pennsylvania, the young man controlled the servers and infrastructure of the site, managed a small "customer service", and ran a small team of administrators.

Silk Road …

"Great quality for heroin smashes". This is the type of ad you could find on Silk Road. Silk Road, also called the "eBay of drugs", was based on a strong principle of anonymity. The site, hidden in the deep web, was limited to users of the decentralized digital network that guarantees complete anonymity. Launched in 2011, Silk Road thus allowed its users to sell or buy any product, including drugs. Credit cards and PayPal accounts were obviously prohibited, to protect users' identities. To pay for purchases, users used the virtual currency "bitcoin", which guarantees confidentiality: transactions were anonymous, and the seller did not know the buyer. The only information revealed was the delivery address.

According to the FBI, between February 2011 and July 2013 the website handled nearly 1.2 million transactions for a total of almost 9.5 million bitcoins, which according to calculations by the US authorities is close to 1.2 billion. Silk Road levied a commission on each payment, assessed over the same period at 600,000 bitcoins, or 80 million. This sum financed the operation of the website and the small team that managed it.

FBI Investigations  …

In July 2013, the FBI was able to identify a server located abroad which hosted Silk Road. Through cooperation with local authorities, US investigators were able to get a clear picture of the server and access private messages exchanged on the site. Able then to identify the creators of Silk Road, the FBI and other US security agencies searched for the first traces of online promotion of the site, including on forums. It is through this that investigators found two messages from a certain "altoid", which by cross-checking led them to a blog on WordPress linked to a Gmail address. This was that of William Ross Ulbricht, the website's founder.

Bad Configuration – TOR's Mechanism…

To identify and locate Silk Road, the FBI simply exploited a flaw in the configuration of the Silk Road site's home page. By connecting as an ordinary client, then analyzing the traffic between the FBI's and Silk Road's computers, Agent Tarbell (FBI) noticed that one IP address sent by the server to validate the connection did not match any identified TOR relay. He then checked the location of the server with this "ordinary" IP address, a very simple operation, and discovered that it led to a commercial hosting provider in Iceland.

To support his explanation, which is almost too simple, Agent Tarbell does not hesitate to refer to the user guide published by the designers of TOR. It explains that to "TOR-ify" an application (e.g. a retail site), a very strict procedure must be followed; otherwise the real IP address of the server remains visible, and passing the data through the relays conceals nothing.

Subsequently, after gaining access to Ross Ulbricht's private messages, the FBI discovered that he was aware of this flaw in his system. But apparently he had read the manual less carefully than Agent Tarbell, and had failed to correct it properly…

Once the IP address was identified, the US sent a request for legal assistance to the Icelandic authorities. Investigators of the Reykjavik police first noted that the target server was handling large volumes of traffic encrypted by TOR. They then recovered the history of its connections and its entire contents, and transmitted them to the FBI. The result was unequivocal: the IP address collected by the FBI was that of a server used by Silk Road to link buyers and drug dealers.

The use of TOR and Bitcoin gave Silk Road a doubly sophisticated security system in the deep web; however, it was unmasked because of a security flaw!
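The configuration mistake described above comes down to a service that is reachable by its real IP address even though it was only meant to be reached through Tor. As an added example (not the FBI's method or any code from the post), the shell audit below lists TCP listeners bound to a wildcard address, which bypass the onion service; the `ss -ltn` output it reads is constructed, and the 127.0.0.1:8080 backend is the assumed target of a torrc `HiddenServicePort 80 127.0.0.1:8080` line.

```shell
#!/bin/sh
# Added example: find services bound to every interface instead of loopback.
# A hidden service should forward to 127.0.0.1 only; anything listening on
# 0.0.0.0, * or [::] is reachable directly, exposing the server's real IP.

# Read `ss -ltn`-style output on stdin, print "LEAK <addr:port>" for each
# listener on a wildcard address. Column 4 is "Local Address:Port".
flag_public_listeners() {
    awk 'NR > 1 {
        addr = $4
        if (addr ~ /^(0\.0\.0\.0|\*|\[::\]):/) print "LEAK " addr
    }'
}

# Number of wildcard listeners in the input (printed as a bare integer)
count_public_listeners() {
    flag_public_listeners | wc -l | tr -d ' '
}

# Constructed sample: the web front end is wrongly bound to all interfaces
# (80 and 443), while the backend on 8080 and the Tor SOCKS port on 9050
# are correctly bound to loopback.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080    0.0.0.0:*
LISTEN 0      128    [::]:443          [::]:*
LISTEN 0      128    127.0.0.1:9050    0.0.0.0:*'

# On a live host replace the sample with: ss -ltn | flag_public_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_public_listeners
```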

Deep Web the movie …

"Deep Web" is the title of a 90-minute documentary film devoted to Ross Ulbricht and Silk Road. It is broadcast on the US TV channel Epix this May 31.


Deep Web gives the inside story of one of the most important and riveting digital crime sagas of the century — the arrest of Ross William Ulbricht, the convicted 30-year-old entrepreneur accused of being "Dread Pirate Roberts," creator and operator of the online black market Silk Road. The film explores how the brightest minds and thought leaders behind the Deep Web are now caught in the crosshairs of the battle for control of a future inextricably linked to technology, with our digital rights hanging in the balance.

Deep Web features the core architects of the Deep Web: anarchistic cryptographers who developed the Deep Web's tools for the military in the early 1990s; the dissident journalists and whistleblowers who immediately sought refuge in this seemingly secure environment; and the figures behind the rise of Silk Road, which combined the security of the Deep Web with the anonymity of cryptocurrency.

Kevin Mitnick to sell zero-day exploits


Convicted hacker turned penetration tester Kevin Mitnick has fashioned a new line of business at his security consultancy — selling zero-day exploits for upwards of $100,000, according to a recent Naked Security bulletin.

Mitnick’s Absolute Zero Day Exploit Exchange will develop zero-day exploits and procure them from developers in an effort to sell them to corporations and governments with budgets big enough to foot the bill.

Mitnick is quoted in a Wired interview as saying he wasn’t aiming at aiding governments in spying on people, but the bulletin speculated as to whether Mitnick might count the National Security Agency among his customers.

The bulletin noted that the agency has drawn the scrutiny of the Electronic Frontier Foundation (EFF) and others for possibly “hoarding of zero days.” Mitnick did prison time for hacking into networks at companies like Motorola and IBM.

src: SCmagazine

Google's DoubleClick ad servers exposed millions of computers to malware

Last night, researchers at Malwarebytes noticed strange behavior on sites like The Times of Israel and The Jerusalem Post.

Ads on the sites were being unusually aggressive, setting off anti-virus warnings and raising flags in a number of Malwarebytes systems.

After some digging, researcher Jerome Segura realized the problem was coming from Google’s DoubleClick ad servers and the popular Zedo ad agency.

Together, they were serving up malicious ads designed to spread the recently identified Zemot malware.

A Google representative has confirmed the breach, saying "our team is aware of this and has taken steps to shut this down."

src: theverge

Cyber attack on Japan Airlines

A major cyber security breach at Japan Airlines (JAL) impacts up to 750,000 customers!

A phishing attack may have resulted in the theft of personal information belonging to customers of Japan Airlines’s frequent flier club.

The data compromised includes names, addresses, genders and places of work of anywhere between 110,000 and 750,000 members of the program, according to the Japan Times.

The leak was due to "unauthorized access" to JAL's database from an external server, an airline official told the local news agency Kyodo. The airline says that malware was installed on some of its computers, enabling the unauthorized access to customer information.

Following an investigation, which found that 23 computers contained malware, the airline determined that no credit card or financial information was affected by the breach. The airline detected the intrusion on Friday and Monday; however, it believes the attacks went undetected for more than one month and were introduced to the airline's network via a phishing email.

This incident follows a similar attack on the airline in February, in which hackers penetrated a different program Japan Airlines offers, which allows customers to trade in mileage points for gift coupons.

The airline said it has taken steps to block further unauthorized access to its database and has launched a full investigation.

Finland Victim of Hacking

Finland claims to have been hacked by many governments!

Unspecified foreign powers damaged Finland’s national interests by obtaining a vast quantity of Finland’s foreign policy documents through a sophisticated and long-term cyberespionage campaign, Finnish officials said Wednesday.

The Finnish Security Intelligence Service (FSIS) has detected and foiled two distinct penetrations of the Finnish foreign ministry’s computer network, the service’s chief, Antti Pelttari, said in a webcast news conference.

The ministry’s internal network was hacked with an information-gathering program which kept forwarding foreign ministry documents undetected to servers outside Finland for several years, Mr. Pelttari said.

Source: The Wall Street Journal

Am I infected?

The Cyberthreats Realtime Map is a visual tool that allows users to see what is going on in cybersecurity around the world in real time.

This wonderful tool is built by Kaspersky Lab. It shows that malicious hackers are constantly attacking networks, companies and even individuals.

The real-time cyberthreat map exposes global threats in real time, and looks like this:


This is just a short introductory post about this tool; we will come back to it soon.

Here is the Kaspersky link to watch the real-time map.

Enjoy it!!! And catch a picture for your desired country.