Sunday, December 30, 2012

Want to Play Cyber?

The rules of the game are rapidly shifting and changing, and as a result an organization’s leadership and security professionals need to practice and refine their set of “cyber security oriented skills” in order to stay on top of a cyber event.
For this reason Comsec has launched the ComSimulator, a Cyber Simulation & Training System featuring an innovative virtual environment and platform that gives organizations the ability to practice real-time crisis management situations and business continuity scenarios in the field of cyber security.
Below you can see a few pictures of the ComSimulator dashboard:

Monday, November 19, 2012

PCI Risk Assessment Guideline

The PCI SSC has formally released one of 3 SIGs (Special Interest Groups) to be published in 2012 – the Risk Assessment Guidelines.

Until now, Risk Assessment has been one of the most obscure requirements, with no detail beyond simply "doing the RA". This SIG addresses just that and provides much-needed guidance on how to perform a risk assessment as part of PCI compliance, what the scope of the assessment is, its relation to the cardholder data environment, recommended methodologies, etc.
The final version of the document is included here:

Sunday, October 14, 2012

Zscaler Future Shock: How mobility is forcing enterprises to completely rethink security

No single change in enterprise computing will have a greater impact on end-user security than the rapid adoption of mobile devices. Users are increasingly working outside of the office, doing so on smartphones and tablets. Despite this fact, the majority of enterprises continue to employ traditional security solutions that rely on appliances or host-based software - solutions that cannot consistently inspect mobile traffic and are often not permitted to run on mobile ecosystems. Enterprises need to completely rethink their approach to end-user security in this new paradigm.
At the same time, we are experiencing an explosion in mobile app development that is eclipsing even the extraordinary growth seen for web applications during the Internet boom. Just as we then faced many 'low hanging fruit' vulnerabilities in web applications, we are now witnessing many hastily developed mobile apps without sufficient QA, that are exposing users to security and privacy risks. This is especially concerning given the distribution model for mobile apps where 'app store gatekeepers' could play a crucial role in filtering out risky apps but are falling well short in their efforts to do so.

Zscaler ThreatLabZ has spent considerable time researching security and privacy risks in mobile applications. That research recently culminated in the release of ZAP (Zscaler Application Profiler), a web based tool designed to empower users to identify mobile apps exposing them to security and privacy risks. In this talk, we'll detail ZAP, reveal our findings and share our thoughts on how enterprises should rethink security in this new paradigm.

Want to hear more? Join us at Comsec annual event, October 24th, 2012 @ Hotel Crown Plaza Azrieli Tel-Aviv, Israel.

Thursday, September 20, 2012

PCI Council releases Security Guidelines for Mobile Payment Acceptance applications

Fresh from the oven: the "PCI Mobile Payment Acceptance Security Guidelines", released last week, are the first outcome of the PCI Council "Mobile taskforce", which was established late last year to handle the rapidly evolving and spreading (yet lacking security best practices) mobile payment acceptance solutions.

This first-of-its-kind formal guidance on cardholder data security and PCI compliance in payment acceptance mobile applications (such as mobile POS) provides an extensive (though not exhaustive and not without its limitations) guide to both traditional and less conventional mechanisms for isolating account data and protecting it from exposure in mobile payment acceptance solutions/applications.

Most importantly, this release somewhat eases the conclusive tone that presented the P2PE standard as the only way to gain PCI DSS compliance in mobile payment acceptance solutions, and offers a more practical path in terms of PCI DSS and mobile-specific security guidelines.

Sunday, September 2, 2012

Much Ado Over JAVA

Earlier this week, FireEye released an article describing a new breed of attack involving a zero-day exploit directed at JAVA® 7 (JRE1.7); the exploit (later revealed to contain 2 different attacks simultaneously) was reported as being used as an attack vector for spreading malware.

Within 24 hours the exploit code was tracked down by several sources, which had probably focused their malware-tracking beams based on FireEye's article, and was pasted on sites such as and similar, for all to see and research. It took merely several hours for Rapid7 to pick it up from there and turn it into a fully automatic Metasploit exploit module. By releasing such a dangerous exploit into a publicly available exploit kit such as Metasploit, the story hit its climax, and there was much debate about Rapid7's team's decision to hand out such a devious device, which probably fell into the hands of wrongdoers and security researchers alike.

Up until this very morning there was no public acknowledgement from Oracle's side (the latest owner of the JAVA® codebase), but the fiasco apparently got a happy ending with this morning's patch from them.

Consider testing and deploying the latest patch from Oracle on any of your systems that involve JAVA 7 in any configuration.

Sunday, August 12, 2012

GAUSS – Flame's cousin combined with an e-banking credential stealer

Kaspersky Labs announced finding a new family of malware, which they named Gauss.

The discovered code is similar to Flame in many ways, most importantly in its use of a modular execution scheme, which is quite uncommon for a standard virus. Furthermore, they pointed out similarities in code and general behaviour, such as the encryption type.
Like its predecessor, it has several functionalities or modules, which its creators named after famous mathematicians: Gauss, Lagrange, Godel and several others. A difference in behaviour is that, apparently, its code does not achieve persistence (it does not add itself to Windows startup and does not propagate throughout the network); as expected, it is configured to contact C&C servers and feed them the information collected from the machine and the connected network.
A new record for such malware is the addition of an e-banking credential sniffer, directed at several Lebanese banks and some major retail and e-commerce sites. The sniffing is implemented via browser injection and cookie stealing.
Some important portions of its functionality are still uncharted: the first example is a TrueType font file named Palida Narrow, which is added to the attacked system without any apparent reason, and another is a large chunk of encrypted code that Kaspersky Labs has asked for external help in cracking. These obscurities have already sparked a wide debate in the appropriate circles.