MasterCard Global Risk Management Conference in Ireland

I was very excited to be invited by MasterCard EU (@MasterCardEU) to participate in a discussion panel during the Global Risk Management Conference #GlobalRisk [1] which took place in Ireland this year. Sysnet (@Sysnetgs) published an article regarding the event [2] on their blog. 

A variety of talks and presentations about the security of transactions, fraud, micro-payments, biometrics and trends in CyberCrime made the conference extremely interesting. MasterCard wanted to explore the increasing scope, scale, and complexity of cyber crime impacting the industry. After the recent events regarding breaches, the latest trends, and new attack vectors that criminals are employing, it is an opportunity to discuss and share lessons learned and best practices to impede Cyber Crime.

Using On-line Services for Reconnaissance

Ever wanted to use only existing online services to do reconnaissance without having to install or use any other tools. Well, the following URLs will give you a nice starting point. This list is to be expanded and updated with more links. If you believe you know of an online service which can be useful for this purpose do not hesitate to share it with the rest of us. Let me know and I will add it to the list! :)

Bash-ing (Bash Bug, Shell Shock) - All the information you need

The Bash Bug is a severe vulnerability discovered by by Stephane Chazelas of Akamai, who most probably deserves a pwnie award [1]. 
The discovery of this particular vulnerability is a serious risk, similar (maybe proven to be a lot bigger) to the Heartbleed bug [2]. Mostly because Linux not only runs the majority of the servers but also in a large number of embedded devices. Keep in mind that there are approximately about 25 years’ worth of Bash versions! Effectively, Mac OS X [11] and Android devices may also be running the vulnerable version of bash. 
Also, for Windows systems, msysgit contains a vulnerable version of bash (by Joshua McKinney) [12]. Which means, we are going to have more of these popping up very soon under the Windows platform as well.
Just to give you a hint about the severity of this vulnerability, NIST Vulnerability DataBase rated this with "10 out of 10". [3]

44CON 2014

It was really nice catching up with many friends from the industry at 44CON [1] (#44CON) this year in London. 

Also, a new 44Con Cyber Security was announced which will take place at some point next year. 

This year, there were 3 tracks running and a workshop. A number of interesting talks and a variety of subject to choose from. The stages were really nice and you should look for the DVD when it is out! It is very difficult to choose which talk(s) was/were the best. The main reason is because so many things happening at the same time it is hard to tell. So, it is best to assume that all were great. 

[1] http://44con.com

Disconnect Mobile

Finally an App for non-routed/jail-broken mobile devices that will allow you to control your privacy and security. Disconnect Mobile is a privacy and security app. The app actively blocks the biggest mobile trackers and thousands of malware threats when you use an app or browse the web using 3G, 4G, LTE or Wi-Fi. Optionally includes ad filtering and malware protection which you have to pay in order to activate them. 

Why the big fuss? Well, last week, Google kicked Disconnect Mobile out of the Play store. It even made the Wall Street Journal [1]. As always this post is not about promoting this specific app but on the fact that it blocks mobile trackers and that it was kicked from Play store. What has changed and Google finally allowed the app to be on the store?  Google kicked this app because it violated a policy prohibiting software that interferes with other apps. However, interference was precisely the point of Disconnect Mobile, a privacy tool aimed at stopping other apps from collecting data on users. In the six days it was available in Google’s store, it was downloaded more than 5,000 times.