OK, some basic intro. 1Password is a password manager across Windows PCs, mobile phones (Android and iOS), apps, and browsers (Chrome, Firefox, and Safari). I love their #security features and neat integration across platforms, so I am a proud 1Password subscriber 🙂 I might post my 1Password experience here as a thank-you post for 1Password soon, so watch out for it too 🙂
Our company, Trend Micro, is hosting a cybersecurity event called Threat Experts Summit for students!!! It will be this Friday, November 10, 2017, 1:00 PM – 5:30 PM at the Hotel Novotel, Araneta Center, Cubao, Quezon City.
IT students, this is your chance to learn cybersecurity in-depth straight from the experts! We will be discussing cool topics like Cybersecurity, Machine Learning and lots of other infosec/geeky stuff so if you’re free, come and join our event!
Interested students can register HERE
For more details visit Trend Micro Pilipinas FB page (https://www.facebook.com/TrendMicroPH)
Before I end the post, the usual disclaimer/disclosure:
I work at Trend Micro. The information contained in this post is taken from Trend Micro Pilipinas Facebook Page.
That is what the orcs will shout (in their very unique husky and grunty voice) when the enemies attack their orc base in Warcraft 3.
That is also my topic of this post:
No, I’m not screaming about the attack on my blog. I have this good mindset about threats and attacks: I don’t panic. I am also not feeling kawawa or wawa (poor victim, in loose Filipino translation) in this situation. I think I survived the onslaught of the attack, and to spread some good vibes, why not share some useful tips here at menardconnect.com 🙂 OK, enough of the intro. Let’s get it on:
Late last month, this blog experienced some form of attack from malicious actors who-must-not-be-named. We all know I’m using WordPress, and some dudes out there were trying to log in to this blog’s WordPress administration panel with a brute-force attack, guessing my password. Simply put, this means some bad guys (I will collectively call them hax0r) are trying to pretend to be me (me, the website blog admin) and get into the WordPress admin console so that they can control the website and blog. More basic info on brute-force attacks here.
I will not delve into the technical details of the attack, but in the tradition of my good old free six video and free six series, here are six easy-to-do tips and tricks that users/admins (blog owners) can apply to prevent, or at least be better prepared against, these WordPress WP-ADMIN brute-force attacks.
1. Update your WordPress core files as soon as possible
Just like any software, WordPress has its own security flaws and it needs to get updated from time to time. Admins are advised to always update WordPress to the latest version; for more info on this, go here. When a new version of WordPress is available, admins will receive an update message in their WordPress Admin console.
2. Update your WordPress plugins too
Just like the WordPress core files, plugins need to get updated too. If your blog relies on many plugins, do not worry, because when new versions of your plugins are available you will also receive a message in the WordPress Admin console that it’s time to update. There are also automated update settings if you want to try them out.
3. Do not use Admin as the username of the administrator account
Yes, the hax0rs are trying to log in via the “admin” username, but as a basic security practice, I disable it every time I create a WordPress blog. I suggest that you be creative. Use NIMDA instead!
4. Do not use your name as the blog admin username account
This one is quite revealing: the hax0rs are trying to get in via the username menard. My name is public info on this blog, so they were clever and tried it too. Luckily I did not use that name as the admin username, so I avoided that loophole.
5. Discard unused WordPress themes and plugins
If you are not using a WordPress theme or plugin, do not keep it. Delete it ASAP. This one caused me some issues several years ago, and my advice here is that any theme or plugin you are not using should be deleted ASAP, because these are low-hanging fruit for attackers.
6. Have good WordPress security plugins installed
Just like security software (antivirus, antimalware, anti-threat) for your PCs, Macs, iPads, smartphones and other devices, WordPress blogs need some security tools too. There are some good free WordPress security plugins that work well, but I will share two: Login Lockdown and Sucuri.
Login Lockdown locks the admin console after several failed attempts; a good old trusted plugin. A recent good addition to my security plugin arsenal is Sucuri Security – Auditing, Malware Scanner and Hardening, a free plugin that has helped me detect this attack. How? See this…
So I’m giving the good folks at Sucuri some love link here in my blog. Kindly go visit them at Sucuri
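As an added example (my own, not from the original post and not the Login Lockdown or Sucuri plugin code), here is a small Python script that does the detection side of tip 6 over a web server access log: it counts POSTs to wp-login.php per source IP inside a sliding time window and flags any IP that crosses a threshold, which is the same idea Login Lockdown applies inside WordPress. The log lines, IPs and timestamps are constructed for the example; the only assumption about WordPress behaviour is that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" log format. Addresses come from
# the RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2017:02:14:01 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2017:02:14:03 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2017:02:14:05 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2017:02:14:06 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2017:02:14:08 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2017:02:14:09 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Oct/2017:02:20:00 +0800] "GET /2017/10/some-post/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Oct/2017:02:21:10 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Oct/2017:03:00:00 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.18"
192.0.2.44 - - [28/Oct/2017:03:10:00 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.18"
192.0.2.44 - - [28/Oct/2017:03:20:00 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.18"
192.0.2.44 - - [28/Oct/2017:03:30:00 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.18"
192.0.2.44 - - [28/Oct/2017:03:40:00 +0800] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.18"
"""

# Apache combined format: client IP, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def failed_logins(log_text):
    """Yield (ip, datetime) for every request that looks like a failed wp-admin login.

    Assumption: WordPress answers a failed POST to wp-login.php with 200 (the form
    is shown again with an error) and a successful one with a 302 redirect.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing on them
        path = m['path'].split('?', 1)[0]
        if m['method'] == 'POST' and path.endswith('/wp-login.php') and m['status'] == '200':
            yield m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')


def find_brute_force(log_text, max_attempts=5, window_seconds=300):
    """Return {ip: time of the attempt that crossed the threshold}.

    Keeps, per IP, only the failed attempts inside the trailing window, so an
    address is flagged once it has max_attempts failures within window_seconds.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in failed_logins(log_text):
        attempts = recent[ip]
        attempts.append(ts)
        while attempts and (ts - attempts[0]).total_seconds() > window_seconds:
            attempts.popleft()
        if len(attempts) >= max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == '__main__':
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f'{ip} reached 5 failed logins within 5 minutes at {when:%Y-%m-%d %H:%M:%S}')
    # Widening the window is what catches the slower, spaced-out guessing.
    print('with a 1-hour window:', sorted(find_brute_force(SAMPLE_LOG, window_seconds=3600)))
```

With the default 5-attempts-in-5-minutes rule only the fast guesser is flagged; the third address, which spaces its attempts ten minutes apart, only shows up when the window is widened to an hour, which is the usual blind spot of a lockout plugin that counts attempts over a short interval. The access log does not record the username tried, so the username checks in tips 3 and 4 still have to come from the plugin or WordPress itself.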
That’s all for now; I will try to share other tips in the future. Hope you liked my free six tips and tricks to combat the WordPress Admin brute-force attack.
I recently attended an information security conference in San Francisco, CA, USA (hence some lull moments with the posting frequency for this blog late last month and early March). I was able to collect some insights and posted them in TrendLabs Security Intelligence Blog. TrendLabs posted it yesterday and so I am reposting it here at menardconnect.com:
RSA Conference 2014: The Way Forward
I attended the RSA 2014 Conference in San Francisco, which was held about two weeks ago. This year the conference offered new insights into today’s threat landscape, which will help us all plan for and protect users in 2014 and beyond.
Largest Security Conference of 2014
The attendance numbers for RSA are always impressive: this year had more than 25,000 attendees, 400+ sponsors and exhibitors, and more than 550 speakers. Such was the number of vendors that two large Exposition Halls – one each in the Moscone Center’s North and South buildings – were used for vendor exhibits. The various sessions – including most of the technical track talks I attended – were in the Moscone West hall.
Earlier my colleague JM Hipolito shared her own thoughts about RSA; here is what I found most interesting there.
Opening Keynote: Finding a Path Forward in an Increasingly Conflicted Digital World
The Executive Chairman of RSA, Art Coviello, delivered the opening keynote. He gave his first public comment on the RSA and NSA controversy, as well as the need to separate the NSA’s offensive and defensive functions. But what I will remember most on his keynote is his call to governments and the security industry as a whole to adopt four guiding principles to help maintain a safer Internet for everyone:
Renounce the use of cyberweapons, and the use of the Internet for waging war
Cooperate internationally, in the investigation, apprehension and prosecution of cyber criminals
Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected
Respect and ensure the privacy of all individuals
He also reiterated the need for the security industry and governments to work hand in hand to create a safer digital world that will benefit this and the generations to come. All of the guiding principles are equally important, but I would like to highlight the first and second ones as the most important.
The topic of cyberwar and cyberweapons is very sensitive, but I found the correlation between cyberweaponry and nuclear weapons compelling. I totally agree with Coviello’s statement that “we must have the same abhorrence to cyberwar as we do nuclear and chemical war.”
As for cooperation in prosecuting cybercrime, this is a topic where Trend Micro’s positions are well-known. We’ve frequently spoken about the need for researchers and law enforcement agencies to work together to prosecute the actual “threat actors”, as we believe that this is the most effective way to catch cybercriminals. These partnerships allow researchers and police to combine their strengths and ensure that Our efforts have netted effective results, most recently being the arrest of the creator of SpyEye.
Bitcoin Is Here: How to Become a Successful Bitcoin Thief
Uri Rivner of Biocatch and Etay Maor of Trusteer co-presented the one technical session at RSA dedicated to Bitcoins. They discussed the basics of cryptocurrency and how one can use it. They also discussed the usual use cases of Bitcoin: from creating a wallet and having your very own address, to filling the wallet with Bitcoins using an online Bitcoin exchange.
The highlight of the session for me was a live demonstration of a hack using a SpyEye variant. In the demo, they performed a man-in-the-browser (MiTB) attack and stole the user’s Bitcoin from his wallet.
They also discussed the top cybercriminal activities that Bitcoin has been tied to. These include phishing attempts to steal Bitcoin-related website credentials, deploying RATs (Remote Access Trojans) to have direct access to desktop wallets, up to using botnets to mine Bitcoins (even though this is no longer particularly attractive).
They also explained why cybercriminals are interested in cryptocurrencies like Bitcoin. Because the cybercriminals believe that cryptocurrencies offer anonymity, they think that these will help in laundering money made from illegal activities. In addition, advanced services available in the cybercrime underground (like Bitcoin fogging services) may enable threat actors to further increase their anonymity tenfold.
In summary, the presenters said that Bitcoin is a new exciting frontier and encouraged everyone in the room to try and delve into it so that they understand its potential. They warned about the increasing phishing and malware attacks related to cryptocurrencies. They also pointed out that online Bitcoin exchanges and online wallets are low hanging fruit that may be a big opportunity for the cybercriminals. (The troubles of many online exchanges recently, including erstwhile leader Mt. Gox, have only reinforced this last point.)
The talk mirrored many of the points we have discussed. In December, we had discussed the possibility of Bitcoin’s then-record prices causing thefts of Bitcoin wallets. We had also earlier discussed how users can help secure their cryptocurrency. Overall, we share their sentiments: Bitcoin is the object of much potential, but is the subject of multiple threats as well.
Definitely I will do a follow up post/s with my other insights on RSA, the keynotes and on Bitcoin. But not yet sure if it will be for menardconnect.com or my other tech blog.
Like my previous posts on RSA, I would like to convey my thanks to Jonathan and JM for their assistance with the article.
And of course some shout-out to my RSA 2014 buddies (Jamz, Malen, JM and Ian) for their ideas and thoughts that kept me sane in RSA. Another special shout-out to other pinoy AV dudes I’ve met in SF.
Lastly some disclosure:
I work at Trend Micro. The views expressed in this blog post are mine and mine alone and do not necessarily represent my employer’s positions, strategies or opinions.
To know more about me (work and other stuff), kindly visit my about page.
To know more about my blog’s full disclosure policy, kindly visit my disclosure page.
I stumbled upon some announcement via Official Gazette. It’s some sort of preso from DOST-ICTO discussing compromised government websites and the need for secure web hosting (see quoted text below). As much as possible I avoid writing about politics here at menardconnect.com. But just like with the RA 10175: Philippines Cybercrime Prevention Act, I will take some exception and write about it here as this topic got multiple intersecting interests of mine (haxing, infosec, security, and philippine politics). Quoting Official Gazette:
DOST-ICTO: Hacked government websites highlight need for secure web hosting
From the Department of Science and Technology – Information and Communications Technology Office
Published: August 26, 2013. Latest update: August 26, 2013.
The hacking of at least thirty government websites by supposedly local hacker groups sympathetic to today’s pork barrel protest action highlights the need for secure web hosting for government agencies and services.
DOST – Information and Communications Technology Office Executive Director Louis Casambre mentioned that: “This recent spate of website defacements goes to show the serious need for the Government Web Hosting Service (GWHS), especially since gov’t websites will more and more be leveraged to deliver public services.”
Administrative Order 39 (AO39) was enacted on 12 July 2013 mandating all national government agencies, government financial institutions, and government-owned and controlled corporations to have their websites hosted under the new GWHS, which will be provided by the DOST ICT Office. “GWHS development is progressing and will be online as scheduled as per AO39,” Usec. Casambre added.
The webpage defacements are deemed to be a protest action supporting the Million People March in Luneta. “No critical online services were affected and it seems that it wasn’t the intention of the community to cripple critical information dissemination websites and services of the government. We would like to request our hacking community not to target such sites.” said Casambre.
The Information and Communications Technology Office of the Department of Science and Technology is the Philippine Government’s lead agency on ICT-related matters. Its primary thrusts are ICT Industry Development, eGovernment, ICT policy development, Internet for all, and Cybersecurity.
Now my personal comments and insights:
1. First, this is good news. Any move improving the security posture of the government (and government websites) is welcome news for me and a lot of Filipinos out there. I just hope that your agency continues this with concrete actions.
Now on to more serious stuff…
2. As The Black Eyed Peas song goes… “I’m so three thousand and eight, You so two thousand and late.” Yes, this announcement is so 2000 and late!!! As I tweeted earlier on Twitter (“Better late than never, they say. STILL LATE”). Nuff said on the timing.
3. Trigger for this PR: Hacking of at least 30 government websites in relation to the recent pork barrel/PDAF protest actions.
Why single out the recent 30-ish defacements? Are you DOST-ICTO folks doing some piggyback on the popularity of pork barrel/PDAF protests and issue?
Piggyback and Pork Barrel … My word combo is so good that I’ll put the PDAF/Pork Barrel Piggyback Conspiracy Theory in the title!!!
4. Quote unquote: “We would like to request our hacking community not to target such sites,” said Casambre.
To Usec. Casambre, are you really sure you are requesting this??? Is this really your official statement and request? Maybe you were just misquoted.
5. RE: <DOST-ICTO> is the Philippine Government’s lead agency on ICT related matters. Its primary thrusts are in the ICT Industry Development, eGovernment, ICT policy development, Internet for all and Cybersecurity.
I am amazed by the keywords and buzzwords for this government office: “lead agency” + “primary thrusts” + “Cybersecurity”. But given the technical depth and logical reasoning in this PR, all I can say is “Oh my!!!”
Seriously, DOST-ICTO folks may need to rethink and re-strategize (and then synchronize the overall plan with the PR/Marketing machine). My 2 cents…
Before I end this post, some disclosure:
I work at Trend Micro. The views expressed in this blog post are my personal opinion and do not represent my employer’s positions, strategies or opinions.
To know more on what I do full-time, kindly visit my LinkedIn page and my blog’s about page.
To know more about my blog’s full disclosure policy, kindly visit my blog’s disclosure page.
As mentioned in my previous post, I recently attended a security conference in San Francisco. As a result of that trip I was able to collect some insights and posted an article for TrendLabs Security Intelligence Blog. I am reposting that article here at menardconnect.com:
RSA Conference 2013: On Security Awareness, Hacking Back and Going Offensive Legally
by Menard Osena (Solutions Product Manager)
Two weeks ago, I attended the RSA 2013 Conference in San Francisco and was impressed by the number of participating security vendors. The addition of the Human Element and Breaking Research technical track sessions also provided a refreshing stroke to this year’s presentations.
Below are some of my experiences and insights on some noteworthy discussions involving security awareness, hacking back, and going offensive legally.
The 7 Highly Effective Habits of a Security Awareness Program
Samantha Manke and Ira Winkler of Secure Mentem discussed their views on the difference between security training and security awareness. They highlighted the importance of a security culture in companies in enabling employees to apply best computing practices on a daily basis, resulting in long-term security awareness within the organization.
They presented the results of their recent study conducted among Fortune 500 companies in the Health, Manufacturing, Food, Financial and Retail sectors. This study focused on the security awareness campaigns that companies implemented and how effective these were. They came up with key findings that led them to create their 7 Highly Effective Habits of a Security Awareness Program, which are:
Create a Strong Foundation
(Have) Organizational Buy-in
(Encourage) Participative Learning
(Have) More Creative Endeavors
Partner with Key Departments
Be the Department of HOW
My key takeaway for this session is of course the last part. We, the information security professionals, should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, not simply saying no to our own customers and further locking down systems.
While I understand the need to establish dos and don’ts in company security policies, we should raise the bar and let security be a key part of solving business challenges, not an obstacle to it.
On Hacking Back and Going Offensive Legally
During the conference, I attended several sessions discussing intriguing concepts like hacking back and going offensive legally. One of the sessions was Highway to the Danger Zone…Going Offensive…Legally, presented by George Kurtz and Steven Chabinsky of CrowdStrike. The discussion focused on the idea of active defense as a form of offense against targeted attacks affecting companies. They clearly differentiated this concept from hacktivism and online vigilantism. However, Steven Chabinsky, being a lawyer, also expounded on its complexities, like the differences in laws and legislation across countries, which make the concept difficult to define at the moment.
Another session that covered very similar ground was Is it Whack to Hack Back a Persistent Attack?. Trend Micro’s Dave Asprey moderated this session. He was joined by Davi Ottenheimer of EMC Corporation, David Willson of Titan Info Security Group and again George Kurtz from CrowdStrike. The panelists discussed the active defense/ hacking back phenomenon and its legal, ethical and business liabilities and complexities when practiced over the Internet.
My personal key takeaway from these sessions is that the active defense concept entails risks and complications that may spur more problems instead of solving the situation. Instead, organizations, in particular security administrators, should have the correct mindset when it comes to targeted attacks and deploy inside-out protection.
For now, I would stick with law enforcement agency and private sector partnership as the best (and safest) path to combat targeted attacks, exemplified by the Rove Digital takedown last year.
My special thanks to Jonathan, Gelo and Badette for their assistance with the article. Special mentions to my RSA 2013 session buddies (Benj, Cathy, Paul) for their ideas and encouragement (they really kept me awake and sane during the RSA week)!!!
I miss my free six series so I will post more SF and RSA stuff here in menardconnect.com soon…
I’m always excited when I encounter some #security meets #gaming issue. So I’m eagerly re-posting my blog article published in the TrendLabs Malware Blog entitled World of Warcraft Scams: Mist of Pandaria, Free Mounts and Phishing Galore.
World of Warcraft: Mists of Pandaria is the fourth expansion for the massively multiplayer online role-playing game (MMORPG) World of Warcraft. It was first unveiled to the public last October 2011 during the BlizzCon 2011 conference in Anaheim, California.
TrendLabs researchers started seeing increased phishing activity inside World of Warcraft after Blizzard started the closed beta testing for Mists of Pandaria last March 2012.
In these new rounds of phishing attempts, scammers are trying to abuse WoW’s in-game mail system: the malicious URLs are sent via in-game mail and are received by players in their in-game mailboxes.
In this phishing attempt, the scammer entices would-be victims to join the Mist of Pandaria beta testing and win an exclusive in-game item, the Dragon Turtle Mount, by visiting and registering on their website. The Dragon Turtle Mount was previously announced by Blizzard as the racial mount for the Pandaren, the new playable character race available in the Mist of Pandaria expansion.
The phishing URL in the in-game mail leads to a phishing website that closely resembles the actual Battle.net website. The phishing URL tries to add some credibility by including the Mist of Pandaria abbreviation (MOP) in the domain name.
If unsuspecting users input their Battle.net credentials, it will definitely result in Battle.net account theft. Battle.net is the central account management for all Blizzard games like World of Warcraft, Starcraft 2, and Diablo III.
In contrast to what we discussed in our previous World of Warcraft post, we observed that recent scamming attempts seem to be targeted at low-level characters and not high-level or level-capped (Level 85) ones. This may be part of the scam detection avoidance strategy of the bad guys, as high-level characters may have more awareness of this security issue, having spent more time in the game.
We analyzed the malicious domain further and made an interesting discovery: the same server also hosts other phishing sites targeting World of Warcraft players:
The newly discovered malicious websites are using Mist of Pandaria, World of Warcraft, and their corresponding abbreviations in their URLs.
Trend Micro users need not worry about these threats, as they are protected from these World of Warcraft phishing attacks via the Trend Micro™ Smart Protection Network™, which blocks access to the phishing websites.
It is interesting to note that some of the phishing websites were registered just days after Blizzard announced that Mist of Pandaria will be the next World of Warcraft expansion. This clearly shows that the bad guys are up to date and are always on the lookout for events and opportunities to expand their nefarious schemes.
Blizzard, on their part, have stepped up their security measures. They have published a dedicated security page to help users understand their security commitment, raise awareness of different types of account theft, highlight a gamer’s security checklist, and provide a step-by-step guide on what to do when users suspect that their account has been compromised.
Blizzard also promoted their authenticator (available as an app for iOS and Android devices, and as a keychain fob) by giving away an exclusive World of Warcraft Corehound pet to users availing of the authentication service.
We also advise our readers, casual and hardcore gamers alike, to view our latest Security and Gaming e-Guide for helpful tips on securing their online game experience.
Thanks to Paul Pajares for additional technical details.
I was checking my Twitter feed last week and read in Mikko Hypponen’s (F-Secure) feed an interesting story about Blizzard and Diablo 3 password security.
The link points to a Battle.net forum discussion about the Diablo 3 password not being case sensitive. It was a good read and I was intrigued by the reply of the Blizzard QA. And so what would I do next? What else but to try it out too…
password1234 => OK
PASSword1234 => OK
PassWORD1234 => OK
PaSsWoRd1234 => OK
Sad but true! Yes, Blizzard’s Battle.net passwords are NOT case-sensitive. And after X number of years, it was only that day that I learned about it 🙂
The Battle.net forum post has some interesting discussion. I’m really amazed at how the Blizzard dude replied to the issue and his/her explanation (I agree it’s worthy of the Post/Reply of the Year). A good #gaming and #security read too for the technical details on the combinations (and how hard it is to hack them), the use of the authenticator and other related stuff.
I guess this will really boil down into striking a balance between a lot of factors including security and user experience.
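An added example (mine, not Blizzard’s code or anything from the forum thread) that puts numbers on the issue above: it shows how a case-insensitive check is usually implemented (the password is lowercased before hashing, so all four spellings tried above match one stored hash) and how much of the keyspace that folding gives up for a 12-character alphanumeric password. The salt and iteration count are constructed values for the demonstration, not anything Battle.net uses.

```python
import hashlib
import hmac
import math

# The four spellings tried against Battle.net in the post above.
VARIANTS = ['password1234', 'PASSword1234', 'PassWORD1234', 'PaSsWoRd1234']

# Constructed demo values: a real system draws a random salt per account and
# tunes the iteration count to its hardware.
DEMO_SALT = b'demo-salt-not-for-production'
ITERATIONS = 50_000


def normalize(password, case_sensitive):
    """A case-insensitive scheme usually just lowercases before hashing."""
    return password if case_sensitive else password.lower()


def hash_password(password, salt=DEMO_SALT, case_sensitive=True):
    """PBKDF2-SHA256 of the (possibly case-folded) password."""
    data = normalize(password, case_sensitive).encode('utf-8')
    return hashlib.pbkdf2_hmac('sha256', data, salt, ITERATIONS)


def verify_password(stored, candidate, salt=DEMO_SALT, case_sensitive=True):
    """Constant-time comparison of the stored hash with the candidate's hash."""
    return hmac.compare_digest(stored, hash_password(candidate, salt, case_sensitive))


def accepted_variants(case_sensitive):
    """Register the first spelling, then report which of the four would log in."""
    stored = hash_password(VARIANTS[0], case_sensitive=case_sensitive)
    return [v for v in VARIANTS if verify_password(stored, v, case_sensitive=case_sensitive)]


def keyspace_bits(length, alphabet_size):
    """log2 of the number of passwords of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def case_folding_cost(length=12):
    """(bits with upper+lower+digits, bits with lower+digits only, bits lost).

    Folding case collapses the 62-symbol alphabet to 36 symbols, so every
    position loses log2(62/36) of a bit, about 0.78 bits per character.
    """
    sensitive = keyspace_bits(length, 26 + 26 + 10)   # 62 symbols
    insensitive = keyspace_bits(length, 26 + 10)      # 36 symbols after folding
    return sensitive, insensitive, sensitive - insensitive


if __name__ == '__main__':
    print('case-sensitive accepts:  ', accepted_variants(True))
    print('case-insensitive accepts:', accepted_variants(False))
    cs, ci, lost = case_folding_cost(12)
    print(f'12-char alphanumeric: {cs:.1f} bits vs {ci:.1f} bits, {lost:.1f} bits lost')
```

For a 12-character alphanumeric password the fold costs about 9.4 bits, i.e. roughly 680 times fewer guesses for an attacker working from a stolen hash, which is the trade-off the forum thread is weighing against users who get locked out by Caps Lock. Online guessing is a different matter: rate limits, lockouts and the authenticator cap the attempts long before the keyspace does.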
Twitter announced yesterday that HTTPS will be turned on by default for all Twitter.com users.
image credit: twitter.com and wikipedia.org
Quoting the Official Twitter Blog post:
Now, HTTPS will be on by default for all users, whenever you sign in to Twitter.com. If you prefer not to use it, you can turn it off on your Account Settings page. HTTPS is one of the best ways to keep your account safe and it will only get better as we continue to improve HTTPS support on our web and mobile clients.
In my opinion this is really a good security move from Twitter, as HTTPS is more secure than plain HTTP.
Yes, I understand that HTTPS is not foolproof, but at least it will provide a layer of protection for twitter.com web and mobile web users.
I did some comparison before and noted that Twitter and Facebook both provided HTTPS as an opt-in security option, while Google+ has it on by default. Not sure if this is still the case for Facebook and Google+.
Kudos to the Twitter Team for making this commendable security move!
The most common scam in WoW that Trend Micro has seen uses the in-game chat/whisper system.
An unsuspecting player will receive an in-game chat/whisper from an unknown player offering free gifts (usually in-game pets, riding mounts, and vehicles) that they can avail of by registering at the website that is included in the chat message.
The website included is, of course, a phishing site that will gather the user’s Battle.net account name and password.
However, we have seen a new approach recently: the use of WoW’s postal system, more commonly known as the in-game mail system. In this new trickery, the phishing URLs are sent via WoW in-game mail and are received by players in their in-game mailboxes.
The mail message is full of a mix of surprises. It combines several elements from other Blizzard games. Wings of Liberty refers to Starcraft 2, which was launched in July 2010. “Deathy” refers to “Black Dragon Aspect Deathwing,” the major antagonist in the upcoming WoW expansion game, Cataclysm.
To add to its credibility, the phishing URL contains the string worldofwarcraft and an abbreviation of Cataclysm. It is also interesting to mention that the website domain is registered and hosted in China.
We also noted that WoW online scammers have raised the bar by pretending to be figures of authority, something seen in spam attacks outside the online gaming industry.
The scam perpetrator poses as a Blizzard employee with a name that contains a string similar to Blizzard. The attacker threatens to suspend the player’s account if he/she does not register at the website included in the chat message.
As in the attack mentioned earlier, the link goes to a phishing site that tries to steal the user’s Battle.net credentials. The phishing site very closely resembles the actual site in terms of layout. At first glance, the user may be led to believe that the URL is related to the WoW Armory, an official site containing information on in-game characters, guilds, and items.
To protect its customers, Blizzard has intensified its information campaign on Battle.net’s security page. It also provided very accessible means within the game to report users who are abusing its chat and mail systems.
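Both WoW posts above describe the same trick: the phishing domains borrow brand strings (worldofwarcraft, the Cataclysm or Mist of Pandaria abbreviations, Armory) to look legitimate. As an added example that is my own, not Trend Micro’s or Blizzard’s code, here is a small Python checker a guild or support team could run over URLs harvested from in-game mail and chat reports: it lets the brand’s real domains through and flags any other host whose name contains those brand strings. The allowlist, the token lists and every sample URL are constructed for the example, and the suffix handling is simplified to the last two labels, where a real deployment would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed allowlist of the brand's real registrable domains (battle.net is named
# in the posts; worldofwarcraft.com is Blizzard's game site). Extend as needed.
LEGIT_DOMAINS = {'battle.net', 'worldofwarcraft.com'}

# Strings the posts say scammers put in their domains, split by how much weight
# they carry on their own. These lists are this example's own choice.
STRONG_TOKENS = ['worldofwarcraft', 'battlenet', 'blizzard', 'pandaria', 'cataclysm']
WEAK_TOKENS = ['wow', 'mop', 'cata', 'battle', 'armory']

# Constructed sample URLs under the reserved .example TLD; no real phishing
# domains are used here.
SAMPLE_URLS = [
    'http://eu.battle.net/wow/en/',
    'https://www.worldofwarcraft.com/',
    'http://mop-battle.example/register',
    'http://worldofwarcraft-cata.example/login',
    'http://wowarmory.example/character',
    'http://wowfacts.example/news',
    'http://my-mop-store.example/',
]


def registrable_domain(host):
    """Last two labels of the host (simplified; real code should use the Public Suffix List)."""
    return '.'.join(host.lower().split('.')[-2:])


def classify(url):
    """Return (is_lookalike, reasons) for one URL."""
    host = (urlsplit(url).hostname or '').lower()
    if not host:
        return False, ['no host']
    if registrable_domain(host) in LEGIT_DOMAINS:
        return False, ['allowlisted domain']
    # Dots and hyphens are often used to wedge brand words in; strip them first
    # so "mop-battle" and "mopbattle" are judged the same way.
    squashed = host.replace('.', '').replace('-', '')
    strong = [t for t in STRONG_TOKENS if t in squashed]
    weak = [t for t in WEAK_TOKENS if t in squashed]
    # One unambiguous brand word, or two weaker hints together, is enough to flag;
    # a lone short token like "wow" would produce too many false positives.
    if strong or len(weak) >= 2:
        return True, strong + weak
    return False, weak


def lookalike_hosts(urls):
    """Hosts from the list that fail the check, in input order."""
    return [urlsplit(u).hostname for u in urls if classify(u)[0]]


if __name__ == '__main__':
    for u in SAMPLE_URLS:
        flagged, why = classify(u)
        print('FLAG' if flagged else 'ok  ', u, why)
```

The two-tier token rule is the part worth tuning: a single short hint such as wow or mop in a domain is common in fan and news sites, so on its own it only scores as weak, while a full brand word or a combination of hints (the MOP-plus-battle pattern the 2012 post describes) is what gets reported for a closer look.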