FreshRSS

SANS Internet Storm Center, InfoCON: green

Computer viruses are celebrating their 40th birthday (well, 54th, really), (Tue, Feb 6th)

February 6th 2024 at 20:40
Although "cyber security" is a relatively new field, it already has quite an interesting history, and it is worthwhile to look back at it from time to time. One historical event that took place in February of the Orwellian year 1984, and which therefore celebrates its 40th anniversary this month, was the publication of Frederick Cohen's paper "Computer Viruses: Theory and Experiments" [1], which is often cited as the origin of the term "computer virus".

Public Information and Email Spam, (Mon, Feb 5th)

February 5th 2024 at 16:05
Many organizations publicly list contact information to help consumers reach out for help when needed. This may be general contact information or a full public directory of staff. It seems obvious that any kind of publicly available address will increase the likelihood that the account receives spam or phishing email. To understand this a bit better, I set up a brand new domain with a very basic website and collected email using Amazon SES [1] for a couple of weeks. The website contained email addresses in a variety of formats:

DShield Sensor Log Collection with Elasticsearch, (Sat, Feb 3rd)

February 3rd 2024 at 15:44
This is a fork of the original work by Scott Jensen [1][2], originally published here as a guest diary as part of the SANS.edu BACS program. This update has a number of new features and is now available on GitHub [4].

What is a "Top Level Domain"?, (Thu, Feb 1st)

February 1st 2024 at 14:16
In yesterday's diary, I discussed a new proposed top-level domain, ".internal". This reminded me to talk a bit about what a top-level domain is all about, and some different ways to look at the definition of a top-level domain.

The Fun and Dangers of Top Level Domains (TLDs), (Wed, Jan 31st)

January 31st 2024 at 16:55
In the beginning, life was easy. We had a very limited set of top-level domains: .com, .edu, .gov, .int, .mil, .net and .org. In addition, we had .arpa for infrastructure use and various two-letter country-code domains.
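The two diaries above look at a TLD from two angles: strictly, it is the right-most DNS label; loosely, it is the part of a name that tells you which registry or policy regime you are dealing with (legacy gTLD, country code, the .arpa infrastructure zone, the proposed private-use .internal, or one of the newer gTLDs). The following is an added example, not code from the diary, that classifies hostnames by that right-most label. The legacy list is the one the diary names; the category labels and the treatment of .internal as "proposed private use" are this example's own assumptions.

```python
import ipaddress
from collections import Counter
from typing import Iterable, Optional

# The original generic TLDs as listed in the diary; constructed for this
# example, not a registry export.
LEGACY_GTLDS = {"com", "edu", "gov", "int", "mil", "net", "org"}


def last_label(host: str) -> Optional[str]:
    """Right-most DNS label of a hostname (the TLD in the strict sense).

    Returns None for an empty name or an IP literal, which has no TLD.
    A trailing dot (fully qualified form) is tolerated.
    """
    host = host.strip().rstrip(".").lower()
    if not host:
        return None
    try:
        ipaddress.ip_address(host.strip("[]"))  # "192.0.2.1" or "[2001:db8::1]"
        return None
    except ValueError:
        pass
    return host.rsplit(".", 1)[-1]


def classify_tld(host: str) -> str:
    """Bucket a hostname by the kind of TLD it ends in (labels are this example's)."""
    tld = last_label(host)
    if tld is None:
        return "no-tld"
    if tld == "arpa":
        return "infrastructure"
    if tld == "internal":
        return "proposed-private-use"   # assumption: follows the diary's previous entry
    if tld in LEGACY_GTLDS:
        return "legacy-gtld"
    if len(tld) == 2 and tld.isalpha():
        return "country-code"
    if tld.startswith("xn--"):
        return "idn-tld"                # punycode-encoded internationalized TLD
    if not tld.isalpha():
        return "invalid"                # TLD labels are letters only (or xn--)
    return "newer-gtld"


def tally(hosts: Iterable[str]) -> Counter:
    """Count hostnames per category, e.g. over a day's DNS query log."""
    return Counter(classify_tld(h) for h in hosts)
```

Note the strict reading: for "example.co.uk" this returns "country-code", because the DNS TLD is "uk"; "co.uk" is a public suffix, a registry-policy notion rather than a DNS one, and needs the Public Suffix List to recognise.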

Shipping to Elasticsearch Microsoft DNS Logs, (Sat, Sep 11th)

September 11th 2021 at 12:04
This parser takes the logs from a Windows 2012R2 and/or 2019 server (C:\DNSLogs\windns.log) and parses them into usable metadata that can be monitored and queried via an ELK dashboard. The fields have been mapped to the ECS DNS field definitions [1].
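As an added example, not the parser from the diary, here is the core of such a mapping in Python: one Windows DNS debug-log line is split into its columns, the wire-format question name ("(3)www(7)example(3)com(0)") is decoded, and the result is emitted as a document using ECS field names (dns.question.name, dns.type, dns.response_code, dns.header_flags, source.ip/destination.ip, network.transport). The log lines are constructed in the Windows debug-log layout; the single-letter flag mapping (A, T, D, R to AA, TC, RD, RA) is this example's assumption about that layout.

```python
import re
from datetime import datetime
from typing import List, Optional

# One Windows DNS debug-log line: date, time, thread id, context, packet id,
# transport, direction, remote IP, transaction id, "R" if a response, opcode,
# [flags-hex flag-letters RCODE], question type, question name in wire-label form.
LINE_RE = re.compile(
    r"^(?P<date>\d+/\d+/\d+)\s+(?P<time>\d+:\d+:\d+\s+[AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+(?P<context>[A-Z]+)\s+(?P<packet>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>R)?\s*(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags>[0-9A-Fa-f]{4})\s*(?P<flagchars>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Windows flag letters -> ECS dns.header_flags values (assumed mapping)
FLAG_MAP = {"A": "AA", "T": "TC", "D": "RD", "R": "RA"}
OPCODE_MAP = {"Q": "QUERY", "N": "NOTIFY", "U": "UPDATE"}


def decode_name(wire: str) -> str:
    """'(3)www(7)example(3)com(0)' -> 'www.example.com'"""
    return ".".join(txt for length, txt in LABEL_RE.findall(wire) if int(length) > 0)


def parse_line(line: str) -> Optional[dict]:
    """Map one log line to an ECS-style document; None if the line is not a packet record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    doc = {
        "@timestamp": ts.isoformat(),
        "network": {"transport": m["proto"].lower()},
        "dns": {
            "id": m["xid"],
            "type": "answer" if m["qr"] else "query",
            "op_code": OPCODE_MAP.get(m["opcode"], m["opcode"]),
            "response_code": m["rcode"],
            "header_flags": [FLAG_MAP[c] for c in m["flagchars"] if c in FLAG_MAP],
            "question": {"name": decode_name(m["qname"]), "type": m["qtype"]},
        },
    }
    # Rcv: the packet came from the remote host; Snd: the server sent it there.
    if m["direction"] == "Rcv":
        doc["source"] = {"ip": m["remote"]}
    else:
        doc["destination"] = {"ip": m["remote"]}
    return doc


def parse_log(text: str) -> List[dict]:
    return [doc for doc in (parse_line(ln) for ln in text.splitlines()) if doc]


# Constructed sample lines in the Windows DNS debug-log layout.
SAMPLE_LOG = """\
8/27/2021 1:35:41 PM 0C10 PACKET  000001D2B47C9E40 UDP Rcv 10.0.0.25       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/27/2021 1:35:41 PM 0C10 PACKET  000001D2B47C9E40 UDP Snd 10.0.0.25       0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
8/27/2021 1:35:43 PM 0C10 PACKET  000001D2B47CAA10 UDP Snd 10.0.0.31       7a3f R Q [8385 A DR  NXDOMAIN] TXT    (6)_dmarc(7)example(3)com(0)
"""
```

With the direction folded into source.ip versus destination.ip, a query for "who asked for this name" becomes a plain term filter on dns.question.name and source.ip in Kibana, and NXDOMAIN spikes are a count over dns.response_code.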

Updates to Our Datafeeds/API, (Thu, Sep 9th)

September 9th 2021 at 14:07
Most of the data we collect is freely available via our API. For quick documentation, see https://isc.sans.edu/api. One particularly popular feed is our list of "Researcher IPs": IP addresses associated with commercial and academic projects that scan the internet. These scans can account for a large percentage of your unsolicited inbound activity. One use of this feed is to "add color to your logs" by enriching your log data with it.
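The enrichment described above, as an added example rather than code from ISC: a feed of researcher networks is indexed once, each web-log event is tagged with the project it matches, and known scanning is separated from the traffic that deserves a look. The feed entries, project names and log lines are constructed placeholders; the real feed's layout is documented at the API URL above and is not reproduced here.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed stand-in for a researcher-IP feed: (network, project). The real
# ISC feed's format and field names are not reproduced here.
RESEARCHER_FEED = [
    ("198.51.100.0/24", "ExampleScan (commercial)"),
    ("203.0.113.7/32", "Example University measurement study"),
    ("2001:db8:1::/48", "ExampleScan (commercial)"),
]


def build_index(feed) -> List[Tuple[ipaddress._BaseNetwork, str]]:
    """Parse the feed once; most-specific prefixes first so overlaps resolve
    to the narrower entry."""
    nets = [(ipaddress.ip_network(cidr, strict=False), name) for cidr, name in feed]
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def lookup(index, ip: str) -> Optional[str]:
    """Project name for an IP, or None if it is not a known researcher."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, name in index:
        if addr.version == net.version and addr in net:
            return name
    return None


# Combined-log-format web server lines, constructed for this example.
ACCESS_LOG = """\
198.51.100.23 - - [09/Sep/2021:14:07:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Sep/2021:14:07:02 +0000] "GET /wp-login.php HTTP/1.1" 404 233 "-" "python-requests/2.25.1"
203.0.113.7 - - [09/Sep/2021:14:07:05 +0000] "GET /robots.txt HTTP/1.1" 200 54 "-" "ResearchBot/1.0"
2001:db8:1::beef - - [09/Sep/2021:14:07:09 +0000] "GET /.env HTTP/1.1" 404 233 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def enrich(log_text: str, index) -> List[dict]:
    """Tag every parsable event with the researcher project, if any."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        project = lookup(index, m["ip"])
        events.append({
            "source.ip": m["ip"],
            "http.request": m["req"],
            "http.response.status_code": int(m["status"]),
            "researcher.project": project,               # None when not in the feed
            "tags": ["researcher-scan"] if project else [],
        })
    return events


def split_noise(events) -> Tuple[List[dict], List[dict]]:
    """Separate known research scanning from traffic worth investigating."""
    research = [e for e in events if e["researcher.project"]]
    other = [e for e in events if not e["researcher.project"]]
    return research, other
```

The point of tagging rather than dropping: a researcher hit on /wp-login.php is still a data point about what scanners consider interesting, but it should not page anyone.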

Microsoft Offers Workaround for 0-Day Office Vulnerability (CVE-2021-40444), (Wed, Sep 8th)

September 8th 2021 at 00:20
Microsoft today published an advisory with a workaround to mitigate an unpatched vulnerability in Microsoft Office. This vulnerability is currently being used in targeted attacks.

Why I Gave Up on IPv6. And no, it is not because of security issues., (Tue, Sep 7th)

September 7th 2021 at 12:26
IPv6 adoption is growing. Around 30% of the Alexa Top 1000 websites support IPv6. Comcast, the ISP I am using, rolled out IPv6 to every customer, and according to some statistics, around 70% are actually using it [1]. About 35% of traffic reaching Google uses IPv6 [2]. I have been using IPv6 myself for probably over a decade by now. Initially via Hurricane Electric tunnels, and later as Comcast made IPv6 available, I used the allocation provided by Comcast. So why stop using it now?

Attackers Will Always Abuse Major Events in our Lives, (Thu, Sep 2nd)

September 2nd 2021 at 07:12
All major events in our daily lives are potential sources of revenue for attackers. When elections or major sports events are organized, attackers will surf on these waves and try to make some profit or collect interesting data (credentials). It's the same with major meteorological phenomena. Hurricane "Ida" was the second most intense hurricane to hit the state of Louisiana on record, behind only "Katrina" [1].

BrakTooth: Impacts, Implications and Next Steps, (Tue, Aug 31st)

August 31st 2021 at 12:10
In a previous diary entry, I wrote about the increasing number of Bluetooth vulnerabilities reported in recent years [1]. Today, the Automated Systems SEcuriTy (ASSET) Research Group from the Singapore University of Technology and Design (SUTD) revealed the BrakTooth family of vulnerabilities in commercial Bluetooth (BT) Classic stacks for various System-on-Chips (SoC) [2]. In this diary, I will give a brief background on BrakTooth, highlight affected products and discuss next steps that affected users and vendors could consider.

Cryptocurrency Clipboard Swapper Delivered With Love , (Mon, Aug 30th)

August 30th 2021 at 08:32
Be careful if you're a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks; I'm talking here about technical risk. Wallet addresses are long strings of characters that are practically impossible to type by hand, so you will use your clipboard to copy and paste them when making payments. But some malware monitors your clipboard for "interesting data" (like wallet addresses) and tries to replace it with another address. If you then perform a payment, you will transfer BTC or XMR to the wrong wallet, one owned by the attacker.
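The behaviour just described has a recognisable signature from the clipboard's point of view: one wallet address is silently replaced by a different address of the same currency, with nothing else copied in between. The following added example (not code from the diary, and not a real clipboard monitor) shows a syntax check for BTC and XMR address shapes, the detection rule applied to a sequence of clipboard snapshots, and the manual check every user can do: compare what you copied with what you are about to paste. The clipboard history and addresses are constructed; the regexes check prefix, alphabet and length only, not checksums.

```python
import re
from typing import List, Optional

# Address shapes for the two currencies the diary names. Syntax only
# (prefix, alphabet, length); no checksum validation.
ADDRESS_PATTERNS = {
    # Bitcoin: base58 legacy (1...) / P2SH (3...), or bech32 (bc1...)
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    # Monero: 95-character base58 standard address (4...) or subaddress (8...)
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def wallet_type(text: str) -> Optional[str]:
    """'BTC', 'XMR' or None for a clipboard string."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swaps(snapshots: List[str]) -> List[dict]:
    """Flag the swapper pattern in consecutive clipboard contents: a wallet
    address replaced by a *different* address of the same currency with
    no other content in between."""
    alerts = []
    previous = None  # (address, coin) of the last address seen, if the previous snapshot was one
    for i, content in enumerate(snapshots):
        content = content.strip()
        coin = wallet_type(content)
        if coin and previous and previous[1] == coin and previous[0] != content:
            alerts.append({"index": i, "coin": coin, "copied": previous[0], "now": content})
        previous = (content, coin) if coin else None
    return alerts


def safe_to_paste(copied: str, about_to_paste: str) -> bool:
    """The manual defence: the address you paste must be the one you copied."""
    return copied.strip() == about_to_paste.strip()


# Constructed clipboard history. BTC_A is what the user copied; BTC_B is what
# a swapper wrote over it moments later. Syntactically valid example strings
# only; never send funds to them.
BTC_A = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
BTC_B = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
XMR_A = "4" + "AB" * 47
SNAPSHOTS = ["meeting notes", BTC_A, BTC_B, "meeting notes", XMR_A, XMR_A, "done"]
```

A user who legitimately copies two different addresses back to back will trip the rule, so treat it as a prompt to look at the address, not as proof of infection; the repeated XMR snapshot shows that re-copying the same address is not flagged.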

Filter JSON Data by Value with Linux jq, (Sun, Aug 29th)

August 29th 2021 at 12:16
JSON has become the prevalent format for data services, but unfortunately it isn't at all Bash friendly: manipulating JSON data at the command line with regular expressions (i.e. sed, grep, etc.) is cumbersome, and it is difficult to get the output I want.
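The diary's answer is jq's select(); the same filter-by-value idea in Python, as an added example rather than the diary's jq invocations, shows why a structured walk beats grep: a path is followed key by key, a missing key yields null (as jq's optional form does) instead of a match on the wrong line, and the comparison is on the typed value, not on text. The records are constructed; each function carries the jq expression it corresponds to as a comment.

```python
import json
from typing import Any, Callable, List

# Constructed sample: a JSON array such as an API or log exporter returns.
# The third record lacks "port"; the fourth lacks "source" entirely.
SAMPLE = json.loads("""[
  {"timestamp": "2021-08-29T12:00:01Z", "source": {"ip": "192.0.2.10", "port": 51234}, "http": {"status": 200}},
  {"timestamp": "2021-08-29T12:00:02Z", "source": {"ip": "198.51.100.5", "port": 40001}, "http": {"status": 404}},
  {"timestamp": "2021-08-29T12:00:03Z", "source": {"ip": "192.0.2.10"}, "http": {"status": 500}},
  {"timestamp": "2021-08-29T12:00:04Z", "http": {"status": 200}}
]""")


def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path the way jq's .source.ip does. A missing key gives
    None (jq: null) rather than an exception, so records with a different
    shape are filtered out instead of breaking the run."""
    for key in path.split("."):
        if isinstance(obj, dict) and key in obj:
            obj = obj[key]
        else:
            return None
    return obj


def where(records: List[dict], path: str, predicate: Callable[[Any], bool]) -> List[dict]:
    # jq: .[] | select(<path> | <predicate>)
    return [r for r in records if predicate(get_path(r, path))]


def by_value(records: List[dict], path: str, value: Any) -> List[dict]:
    # jq: .[] | select(.source.ip == "192.0.2.10")
    return where(records, path, lambda v: v == value)


def project(records: List[dict], path: str) -> List[Any]:
    # jq: .[] | .timestamp
    return [get_path(r, path) for r in records]


def failed_requests(records: List[dict]) -> List[str]:
    # jq: .[] | select(.http.status >= 400) | .timestamp
    return project(where(records, "http.status", lambda v: isinstance(v, int) and v >= 400), "timestamp")
```

Array indexing (jq's .hosts[0]) is deliberately left out of get_path; add it if your data nests lists.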

There may be (many) more SPF records than we might expect, (Wed, Aug 25th)

September 7th 2021 at 05:48
Update/errata 9/7/2021: Though there are indeed many domains with an SPF record in the CZ ccTLD, the numbers mentioned below turned out to be incorrect, due to a calculation error on the part of my source, which only came to light late last night. It turns out that at the time of the scan there were approximately 1.1 million domains without an SPF record and only about 300k with one (i.e. the ratio was reversed). These numbers are still interesting, though much less optimistic than the originally reported ones...

Attackers Hunting For Twilio Credentials, (Tue, Aug 24th)

August 24th 2021 at 08:52
One increasingly common request I recently noticed in our honeypots was pretty simple:

Out of Band Phishing. Using SMS messages to Evade Network Detection, (Thu, Aug 19th)

August 23rd 2021 at 07:04
Many companies have extensive security tools to monitor employee computers. But these precautions often fail for "out of band" access that uses cellular networks instead of Ethernet/WiFi networks. Our reader Isabella sent us this phishing email that they received:

.docx With Embedded EXE, (Sun, Aug 22nd)

August 22nd 2021 at 11:36
I received a malicious document sample, a .docx file: c977b861b887a09979d4e1ef03d5f975f297882c30be38aba59251f1b46c2aa8.
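A .docx is a zip archive, and an embedded executable normally sits inside an OLE container under word/embeddings/, so the MZ header is not at offset 0 of any zip member. The following is an added example, not the diary's analysis of that sample: it builds a synthetic .docx-like archive with a PE stub wrapped in an OLE-style blob (constructed here, and unrelated to the hash above), then scans every member for an MZ header whose e_lfanew points at a valid "PE\0\0" signature. The oversize-member guard is this example's own precaution against decompression bombs.

```python
import io
import struct
import zipfile
from typing import List, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header magic


def build_sample_docx() -> bytes:
    """Construct a minimal OOXML zip carrying a PE stub inside an embeddings
    part. Synthetic stand-in for a document with an embedded EXE."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)                # 64-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x80)                  # e_lfanew -> 0x80
    pe += b"\x00" * (0x80 - len(pe))
    pe += b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18   # COFF header, machine = i386
    container = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC)) + bytes(pe)   # PE lands at offset 512
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("word/embeddings/oleObject1.bin", container)
    return buf.getvalue()


def pe_offsets(data: bytes) -> List[int]:
    """Offsets of every MZ header whose e_lfanew points at a PE signature.
    Scanning for MZ anywhere (not just offset 0) finds executables wrapped
    in OLE or other containers."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # e_lfanew must clear the DOS header; anything smaller is a false "MZ"
            if e_lfanew >= 0x40 and data[sig:sig + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def scan_docx(docx: bytes, max_member_bytes: int = 50 * 1024 * 1024) -> List[Tuple[str, int]]:
    """(zip member, offset) for each embedded PE image in an OOXML document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for info in z.infolist():
            if info.file_size > max_member_bytes:   # don't inflate a decompression bomb into memory
                continue
            data = z.read(info.filename)
            for off in pe_offsets(data):
                hits.append((info.filename, off))
    return hits
```

Carving the executable out is then data[off:] from the reported member; hash that carved blob separately from the .docx, since the document's hash says nothing about the payload it carries.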

New Versions Of Sysinternals Tools, (Sat, Aug 21st)

August 21st 2021 at 09:06
A new version was released for the following Sysinternals tools:

Waiting for the C2 to Show Up, (Fri, Aug 20th)

August 20th 2021 at 06:42
Keep this in mind: "Patience is key". Sometimes when you are working on a malware sample, you depend on online resources. I'm working on a classic case: a PowerShell script decodes a shellcode and then injects it into a process. There are plenty of tools that help you get a good idea of a shellcode's behavior (like scdbg [1]):

When Lightning Strikes. What works and doesn't work., (Thu, Aug 19th)

August 19th 2021 at 11:13
Afternoon thunderstorms are a regular occurrence in Florida, which has the highest lightning density of any state in the US [1]. In my time here, I have had close or direct strikes damage equipment twice. The most recent incident was about a month ago, so I am sharing some of the things that work and don't work.

5 Things to Consider Before Moving Back to the Office, (Wed, Aug 18th)

August 18th 2021 at 08:36
Many readers will likely continue to enjoy working from home. Not having worked out of an office for about 20 years myself, I can certainly understand the appeal. But for some this isn't an option, and probably not even the preferred way to work. If you have worked from home for over a year now, there are some things you need to "readjust" as you move back.

Laravel (<=v8.4.2) exploit attempts for CVE-2021-3129 (debug mode: Remote code execution), (Tue, Aug 17th)

August 17th 2021 at 09:05
Debugging a live site can be a necessary evil. A bug that can't be reproduced in development, or behavior that depends on specific dependencies (e.g., external services or a particular backend database) that are hard to replicate, can make it impossible to debug in development as standard operating procedure would have you do.

Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches, (Mon, Aug 16th)

August 16th 2021 at 10:28
Here's an extra tip to my diary entry "Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches".

Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches, (Sun, Aug 15th)

August 15th 2021 at 21:35
I was asked for tips to triage MALWARE Bazaar's daily malware batches.

Microsoft August 2021 Patch Tuesday, (Tue, Aug 10th)

August 10th 2021 at 17:48
This month we got patches for 51 vulnerabilities. Of these, 7 are critical, 2 were previously disclosed and 1 is being exploited according to Microsoft.