Sunday, December 30, 2012

Want to Play Cyber?

The rules of the game are rapidly shifting, and as a result an organization's leadership and security professionals need to practice and refine their cyber-security skills in order to stay on top of a cyber event.
For this reason Comsec has launched the ComSimulator, a Cyber Simulation & Training System built on a virtual environment and platform that lets organizations practice real-time crisis management and business continuity scenarios in the field of cyber security.
Below you can see a few pictures of the ComSimulator dashboard:

Monday, November 19, 2012

PCI Risk Assessment Guidelines

The PCI SSC has formally released one of the three SIG (Special Interest Group) documents to be published in 2012: the Risk Assessment Guidelines.

Until now, risk assessment has been one of the most obscure requirements, with no detail beyond "do the RA". This SIG addresses exactly that and provides much-needed guidance on how to perform a risk assessment as part of PCI compliance: the scope of the assessment, its relation to the cardholder data environment, recommended methodologies, and so on.
The final version of the document is included here:

Sunday, October 14, 2012

Zscaler Future Shock: How mobility is forcing enterprises to completely rethink security

No single change in enterprise computing will have a greater impact on end-user security than the rapid adoption of mobile devices. Users are increasingly working outside of the office, doing so on smartphones and tablets. Despite this fact, the majority of enterprises continue to employ traditional security solutions that rely on appliances or host-based software, solutions that cannot consistently inspect mobile traffic and are often not permitted to run on mobile ecosystems. Enterprises need to completely rethink their approach to end-user security in this new paradigm.
At the same time, we are experiencing an explosion in mobile app development that is eclipsing even the extraordinary growth seen for web applications during the Internet boom. Just as we then faced many 'low hanging fruit' vulnerabilities in web applications, we are now witnessing many hastily developed mobile apps without sufficient QA, that are exposing users to security and privacy risks. This is especially concerning given the distribution model for mobile apps where 'app store gatekeepers' could play a crucial role in filtering out risky apps but are falling well short in their efforts to do so.

Zscaler ThreatLabZ has spent considerable time researching security and privacy risks in mobile applications. That research recently culminated in the release of ZAP (Zscaler Application Profiler), a web based tool designed to empower users to identify mobile apps exposing them to security and privacy risks. In this talk, we'll detail ZAP, reveal our findings and share our thoughts on how enterprises should rethink security in this new paradigm.

Want to hear more? Join us at Comsec's annual event, October 24th, 2012 @ Hotel Crown Plaza Azrieli, Tel-Aviv, Israel.

Thursday, September 20, 2012

PCI Council releases Security Guidelines for Mobile Payment Acceptance Applications

Fresh from the oven: the "PCI Mobile Payment Acceptance Security Guidelines", released last week, are the first outcome of the PCI Council's "Mobile Taskforce", established late last year to address the rapidly evolving and spreading (yet still lacking in security best practices) mobile payment acceptance solutions.

This first-of-its-kind formal guidance on cardholder data security and PCI compliance in payment acceptance mobile applications (such as mobile POS) provides an extensive (though not exhaustive, and not without its limitations) guide to both traditional and less conventional mechanisms for isolating account data and protecting it from exposure in mobile payment acceptance solutions and applications.

Most importantly, this release somewhat softens the earlier conclusive tone that presented the P2PE standard as the only way to achieve PCI DSS compliance for mobile payment acceptance solutions, and offers a more practical path in terms of PCI DSS and mobile-specific security guidelines.

Sunday, September 2, 2012

Much Ado Over JAVA

Earlier this week, FireEye released an article describing a new attack involving a zero-day exploit directed at JAVA® 7 (JRE 1.7). The exploit (later revealed to combine two different attacks) was reported as being used as an attack vector for spreading malware.

It wasn't 24 hours until the exploit code was tracked down by several sources, which had probably focused their malware-tracking efforts following FireEye's article, and was pasted on sites such as and similar, for all to see and research. It took merely several hours for Rapid7 to pick it up from there and turn it into a fully automatic Metasploit exploit module. With such a dangerous exploit released into a publicly available framework like Metasploit, the story reached its climax, and there was much debate about Rapid7's team handing a tool of this kind to wrongdoers and security researchers alike.

Up until this very morning there was no public acknowledgement from Oracle (the current owner of the JAVA® codebase), but the fiasco apparently got a happy ending with this morning's patch from them.

Consider testing and deploying the latest patch from Oracle on any of your systems that involve JAVA 7 in any configuration.

Sunday, August 12, 2012

GAUSS – Flame's cousin combined with an e-banking credential stealer

Kaspersky Labs announced the discovery of a new family of malware, which they named Gauss.

The discovered code is similar to Flame in many respects, most importantly in its use of a modular execution scheme, which is quite uncommon for a standard virus. Furthermore, they pointed out similarities in code and general behaviour, such as the type of encryption used.
Like its predecessor, it has several functionalities or modules, named by its creators after famous mathematicians: Gauss, Lagrange, Godel and several others. A difference in behavior is that, apparently, its code does not achieve persistence (it does not add itself to Windows startup and does not propagate throughout the network), and, as expected, it is configured to contact C&C servers and feed them the information collected about the machine and the connected network.
A new record for such malware is the addition of an e-banking credential sniffer, directed at several Lebanese banks and some major retail and e-commerce sites. The sniffing is implemented via browser injection and cookie stealing.
Some important portions of its functionality are still uncharted: the first example is a TrueType font file named Palida Narrow, which is added to the attacked system without any apparent reason, and another is a large chunk of encrypted code that Kaspersky Labs has asked for external help in cracking. Those obscurities have already sparked a wide debate in the appropriate circles.

Blizzard's gaming server has been hacked

Blizzard, a dominant player in online gaming, known for the World of Warcraft franchise amongst others, announced today that its gaming servers have been compromised; no further details have been released on the matter at the moment.

[QUOTE from]

Some data was illegally accessed, including a list of email addresses for global users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to accounts.

Rough estimate of total users affected: more than 12 million.

Wednesday, June 27, 2012

McAfee Reveals Details of Global Financial Fraud Ring - Operation High Roller


This fraud empire, dubbed Operation High Roller, has reached banking systems worldwide and comprises at least a dozen groups that use active and passive automated transfer systems to steal high-value transactions from high-balance accounts. The Operation High Roller attacks have impacted thousands of financial institutions of every class (credit unions, large global banks and regional banks), using smaller and less detectable automated transactions. (PRWIRE)

Thursday, June 21, 2012

Syrian Activists Targeted with BlackShades Spy Software


Thursday, June 14, 2012

Comsec detects security bug in one of Check Point's main security products


Comsec Consulting has detected a security bug in Check Point's Endpoint Connect.

'Endpoint Connect' unifies the protection of the user's end station under a single security management console. The product is in use across all sectors.

According to Moshe Ishai, CEO of Comsec Consulting, "the discovery was of a vulnerability, which could lead (if abused) to gaining control over any workstation the product is installed on. This vulnerability provides the attacker with potential to perform malicious activities, ranging from sniffing for information, to causing actual damage."

Moshe Ishai further added that, "Check Point is considered one of the leading security product companies on the market, offering high quality security solutions. It is possible to discover bugs in any products (software or hardware), and Check Point should be credited, as they immediately took all efforts to offer its customers an immediate fix. Check Point ensured a rapid remediation, which makes the product even more resilient than before. "

The bug was discovered by Comsec several weeks ago, but was kept confidential and reported only to the product manufacturer. Since then, Check Point has worked vigorously to release an improved version that includes a fix for the risk identified by Comsec.

The affected product versions include E75, E80.20, E80.30 and R73 (customers who update their product version will not be exposed to the aforementioned vulnerability).

The hotfix for the bug can be downloaded from Check Point's website.