Trends Over Time

Published: 2017-07-24
Last Updated: 2017-07-25 09:56:59 UTC
by Russell Eubanks (Version: 1)
8 comment(s)

The business goal of Critical Security Control #9: Limitation and Control of Network Ports is “To limit potential vulnerabilities on systems by limiting unauthorized ports, protocols, & services on systems”. Sounds totally reasonable and something everyone should systematically monitor in their respective environments. How can this be accomplished, especially if this has not been an area of focus?

 

One strategy is capturing data about the network traffic in order to develop and maintain a rolling trend over time. A specific area to focus on is the Top Ports that were targeted on a daily basis. This data will readily highlight trends that can be investigated and help detect changes in traffic that may or many not be “normal". This daily baseline, when added to the last 30 days worth of the same data can easily be to highlight and compare traffic patterns. What could this look like for your network? As a practical example, below is a visualization of data that has been sent to the Internet Storm Center. 

 

 

What have you found effective in your quest to actively monitor the Trends over Time in your environment? Please leave what works for you in our comments section below.

 

Russell Eubanks

ISC Handler

SANS Instructor

@russelleubanks

8 comment(s)

Uber drivers new threat: the "passenger"

Published: 2017-07-24
Last Updated: 2017-07-24 17:57:00 UTC
by Renato Marinho (Version: 1)
2 comment(s)

This week I was told about a scam that surprised me due to the criminals’ creativity. A New York City Uber driver had his Uber account and day’s income was stolen by someone who was supposed to be his next passenger. 
 
While driving towards the passenger’s address, the Uber driver received a phone call from someone pretending to be from Uber. He told the driver that he knew he was on his way to get a passenger but it was necessary for the driver to stop and update his account data. Additionally, the driver should not worry about that run. Uber would compensate him and send another driver to pick up that passenger.

As the phone call came through the Uber app, the driver believed it to really came from Uber. The person on the other end of the call continued: “Please, I have to confirm your identity. Give me your e-mail address and phone number. Next, I’ll send you an SMS message and you’ll tell me the content.”. As expected, the Uber driver received the message and passed on the content.

It turns out that the message was sent by Google as part of the Uber driver's Gmail password recovery procedure. “Ok Sir, thank you for validating your identity. I’ve just updated your registration. Have a nice day.”—said the crook.

Now the criminals proceeded to reset that driver’s Gmail account and Uber password. The reason for that? Uber drivers that reach a certain earnings threshold for a day may ask Uber to transfer that day’s incomings to a pre-paid card number. That was exactly what the fake passenger did.

The crook’s social engineering approach is very cunning in the way that he/she created the privileged information used to entice the victim’s trust. In the end, that is just another way to exploit password recovery or two-factor authentication through SMS messages. Stay tuned.

--
Renato Marinho
Morphus Labs | LinkedInTwitter

Keywords: uber scam sms
2 comment(s)
ISC Stormcast For Monday, July 24th 2017 https://isc.sans.edu/podcastdetail.html?id=5594

Comments


Diary Archives