SANS Internet Storm Center, InfoCON: green

Computer viruses are celebrating their 40th birthday (well, 54th, really), (Tue, Feb 6th)

Although "cyber security" is a relatively new field, it already has quite an interesting history, and it is worthwhile to look back at it from time to time. One historical event, that took place in February of the Orwellian year 1984, and which – therefore – celebrates its 40th anniversary this month, was the publication of Frederick Cohen's paper entitled "Computer viruses: Theory and experiments"[1], which is often cited as the origin of the term "computer virus".
  • February 6th 2024 at 20:40

Public Information and Email Spam, (Mon, Feb 5th)

Many organizations publicly list contact information to help consumers reach out for help when needed. This may be general contact information or a full public directory of staff. It seems obvious that having any kind of publicly available information will increase the likelihood that these accounts will receive spam or phishing emails. To help understand a bit of this, I set up a brand new domain with a very basic website and collected email using Amazon SES [1] for a couple of weeks. The website contained email addresses in a variety of formats:
  • February 5th 2024 at 16:05

DShield Sensor Log Collection with Elasticsearch, (Sat, Feb 3rd)

This is a fork of the original work by Scott Jensen [1][2], originally published here as a guest diary as part of the SANS.edu BACS program. This update has a number of new features now available in Github [4].
  • February 3rd 2024 at 15:44

What is a "Top Level Domain"?, (Thu, Feb 1st)

In yesterday's diary, I discussed a new proposed top-level domain, ".internal". This reminded me to talk a bit about what a top-level domain is all about, and some different ways to look at the definition of a top-level domain.
  • February 1st 2024 at 14:16

The Fun and Dangers of Top Level Domains (TLDs), (Wed, Jan 31st)

In the beginning, life was easy. We had a very limited set of top-level domains: .com, .edu, .gov, .int, .org, .mil, .net, .org, .edu. In addition, we had .arpa for infrastructure use and various two letter country level domains.
  • January 31st 2024 at 16:55

Shipping to Elasticsearch Microsoft DNS Logs, (Sat, Sep 11th)

This parser takes the logs from a Windows 2012R2 and/or 2019 server (C:\DNSLogs\windns.log) and parses them into usable metadata which can be monitored and queried via an ELK dashboard. The logs have been mapped using DNS ECS field meta here [1].
  • September 11th 2021 at 12:04

Updates to Our Datafeeds/API, (Thu, Sep 9th)

Most of the data we are collecting is freely available via our API. For quick documentation, see https://isc.sans.edu/api. One particularly popular feed is our list of "Researcher IPs." These are IP addresses connected to commercial and academic projects that scan the internet. These scans can account for a large percentage of your unsolicited inbound activity. One use of this feed is to add "color to your logs" by enriching your log data from this feed.
  • September 9th 2021 at 14:07

Microsoft Offers Workaround for 0-Day Office Vulnerability (CVE-2021-40444), (Wed, Sep 8th)

Microsoft today published an advisory with a workaround to mitigate an unpatched vulnerability in Microsoft Office. This vulnerability is currently used in targeted attacks.
  • September 8th 2021 at 00:20

Why I Gave Up on IPv6. And no, it is not because of security issues., (Tue, Sep 7th)

IPv6 adoption is growing. Around 30% of the Alexa Top 1000 websites support IPv6. Comcast, the ISP I am using, rolled out IPv6 to every customer, and according to some statistics, around 70% are actually using it [1]. About 35% of traffic reaching Google uses IPv6 [2]. I have been using IPv6 myself for probably over a decade by now. Initially via Hurricane Electric tunnels, and later as Comcast made IPv6 available, I used the allocation provided by Comcast. So why stop using it now?
  • September 7th 2021 at 12:26

Attackers Will Always Abuse Major Events in our Lives, (Thu, Sep 2nd)

All major events in our daily life are potential sources of revenue for attackers. When elections or major sports events are organized, attackers will surf on these waves and try to make some profit or collect interesting data (credentials). It's the same with major meteorological phenomena. The hurricane "Ida" was the second most intense hurricane to hit the state of Louisiana on record, only behind "Katrina"[1].
  • September 2nd 2021 at 07:12

BrakTooth: Impacts, Implications and Next Steps, (Tue, Aug 31st)

In a previous diary entry, I had written about the increasing trend of Bluetooth vulnerabilities being reported in the recent years [1]. Today, the Automated Systems SEcuriTy (ASSET) Research Group from the Singapore University of Technology and Design (SUTD) revealed the BrakTooth family of vulnerabilities in commercial Bluetooth (BT) Classic stacks for various System-on-Chips (SoC) [2]. In this diary, I will be giving a brief background on BrakTooth, highlight affected products and also discuss next steps affected users/vendors could consider.
  • August 31st 2021 at 12:10

Cryptocurrency Clipboard Swapper Delivered With Love, (Mon, Aug 30th)

Be careful if you're a user of cryptocurrencies. My goal is not to re-open a debate about them and their associated financial risks. No, I'm talking here about technical risk. Wallet addresses are long strings of characters that are pretty impossible to use manually. It means that you'll use your clipboard to copy/paste your wallets to perform payments. But some malware monitors your clipboard for "interesting data" (like wallet addresses) and tries to replace it with another one. If you perform a payment operation, it means that you will transfer some BTC or XMR to the wrong wallet, owned by the attacker.
  • August 30th 2021 at 08:32

Filter JSON Data by Value with Linux jq, (Sun, Aug 29th)

Since JSON has become more prevalent as a data service, unfortunately, it isn't at all BASH friendly and manipulating JSON data at the command line with REGEX (i.e. sed, grep, etc.) is cumbersome and difficult to get the output I want.
  • August 29th 2021 at 12:16

There may be (many) more SPF records than we might expect, (Wed, Aug 25th)

Update/errata 9/7/2021: Though there are indeed many domains with an SPF record in the CZ ccTLD, the numbers mentioned below turned out to be incorrect, due to a calculation error on the part of my source, which only came to light late last night. It turns out that at the time of the scan, there were approximately 1.1 million domains without an SPF record, and only about 300k had the record set (i.e. the ratio was reversed). These numbers are still interesting, though much less optimistic than the originally reported ones...
  • September 7th 2021 at 05:48

Attackers Hunting For Twilio Credentials, (Tue, Aug 24th)

One up and coming request I recently noticed in our honeypots was pretty simple:
  • August 24th 2021 at 08:52

Out of Band Phishing. Using SMS messages to Evade Network Detection, (Thu, Aug 19th)

Many companies have extensive security tools to monitor employee computers. But these precautions often fail for "out of band" access that uses cellular networks instead of Ethernet/WiFi networks. Our reader Isabella sent us this phishing email that they received:
  • August 23rd 2021 at 07:04

.docx With Embedded EXE, (Sun, Aug 22nd)

I received a malicious document sample, a .docx file: c977b861b887a09979d4e1ef03d5f975f297882c30be38aba59251f1b46c2aa8.
  • August 22nd 2021 at 11:36

New Versions Of Sysinternals Tools, (Sat, Aug 21st)

A new version was released for the following Sysinternals tools:
  • August 21st 2021 at 09:06

Waiting for the C2 to Show Up, (Fri, Aug 20th)

Keep this in mind: "Patience is key". Sometimes when you are working on a malware sample, you depend on online resources. I'm working on a classic case: a Powershell script decodes then injects a shellcode into a process. There are plenty of tools that help you to have a good idea of a shellcode behavior (like scdbg[1]):
  • August 20th 2021 at 06:42

When Lightning Strikes. What works and doesn't work., (Thu, Aug 19th)

Living in Florida, afternoon thunderstorms are a regular occurrence with Florida having the highest lightning density of any state in the US [1]. In my time in Florida, I had close or direct strikes damage equipment twice. The most recent incident was about a month ago. So I am sharing here some of the things that work and don't work.
  • August 19th 2021 at 11:13

5 Things to Consider Before Moving Back to the Office, (Wed, Aug 18th)

Many readers will likely continue to enjoy working from home. Having not worked out of an office for about 20 years myself, I can certainly understand the appeal of working from home. But for some, this isn't an option and probably not even the preferred way to work. Having likely worked from home for over a year now, there are some things that you need to "readjust" as you are moving back.
  • August 18th 2021 at 08:36

Laravel (<=v8.4.2) exploit attempts for CVE-2021-3129 (debug mode: Remote code execution), (Tue, Aug 17th)

Debugging a live site can be a necessary evil. Having a bug that can't be reproduced in development or debugging behavior requiring specific dependencies (e.g., external services or specific backend database) that are hard to replicate in development can make debugging a live site in development as standard operating procedures want you to.
  • August 17th 2021 at 09:05

Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches, (Mon, Aug 16th)

Here's an extra tip to my diary entry "Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches".
  • August 16th 2021 at 10:28

Microsoft August 2021 Patch Tuesday, (Tue, Aug 10th)

This month we got patches for 51 vulnerabilities. Of these, 7 are critical, 2 were previously disclosed and 1 is being exploited according to Microsoft.
  • August 10th 2021 at 17:48