From the Duo security blog: The Latest Phishing Attacks Target Gmail, Microsoft Word & Android Apps
The ‘Windows Logging Cheat Sheet’, ‘Windows File Auditing Cheat Sheet’ and ‘Registry Auditing Cheat Sheet’ have been updated for 2016. The cheat sheets have been updated in part due to auditing improvments[sic] added by the ‘Windows 10 Anniversary Update’ released earlier this year. We also took the opportunity to do some cleanup and add more autorun keys to the registry auditing cheat sheet. Updates are easy to spot, just look for ‘new’.
Go get ’em and watch for the updated Log-MD!
This is a very interesting discussion with H.D. Moore, the founder of the Metasploit Project and now angel investor, with guidance on getting your security start-up established and funded.
Richard Bejtlich writes:
You may have seen in my LinkedIn profile that I’m advising a security startup called Critical Stack. If you use Security Onion or run the Bro network security monitoring platform (NSM), you’re ready to try the Critical Stack Intel Client.
Bro is not strictly an intrusion detection system that generates alerts, like Snort. Rather, Bro generates a range of NSM data, including session data, transaction data, extracted content data, statistical data, and even alerts — if you want them.
Read the full article and give it a try! Initial feedback is good.
From the SANS InfoSec Handlers Diary Blog, how to disable SSLv3 for various Linux webservers, mailservers, and the big three Internet browsers.
Happily, the attack can apparently be deterred by having a strong unlock passcode, which you already have set, right?
Owners of Mac and iOS devices have found their iPhones and iPads held for ransom through a hack that targets the Find My iPhone and Find My Mac features on these devices to trigger a remote lock of the device.
The Find My iPhone feature is meant to allow users to track missing devices on a map, remotely lock the phone in the event that the device is lost or stolen and display a message so that those who find it will see that custom message. First surfacing in numerous reports in Australia yesterday, this attack claims through the custom message to be perpetrated by an Oleg Pliss, likely a pseudonym given that the most visible person by that name is a software engineer at Oracle. The malicious hacker responsible asks through the displayed message for users to pay $100 through PayPal for the privilege of unlocking their phones.
I wasn’t aware that only a handful of companies were notified of the vulnerability before it was published. That is not best practice.
NEWS ANALYSIS: The decade’s most serious security issue was packaged and branded, but many server administrators and service providers were left in the dark.
Google and cloud security vendor CloudFlare were among a very small group that somehow got early access to the flaw and were able to patch on April 7, prior to the public advisory from OpenSSL.
CloudFlare CEO Matthew Prince told eWEEK that his firm was in fact notified early last week by researchers involved in discovering the bug. Other vendors and Web services, including cloud vendors, however, did not apparently get the same message. Cloud services vendor DigitalOcean is among those that were left scrambling on April 7 to patch servers.
Tripwire has a free tool to scan your environment for Heartbleed-vulnerable devices and apps. Find it here, and good luck!
Patch quickly, patch often.
What’s missing from much of the discussion about the NSA’s activities is what they’re doing with all of this surveillance data. The newspapers focus on what’s being collected, not on how it’s being analyzed — with the singular exception of the Washington Post story on cell phone location collection. By their nature, cell phones are tracking devices. For a network to connect calls, it needs to know which cell the phone is located in. In an urban area, this narrows a phone’s location to a few blocks. GPS data, transmitted across the network by far too many apps, locates a phone even more precisely. Collecting this data in bulk, which is what the NSA does, effectively puts everyone under physical surveillance.
This is new. Police could always tail a suspect, but now they can tail everyone – suspect or not. And once they’re able to do that, they can perform analyses that weren’t otherwise possible. The Washington Post reported two examples. One, you can look for pairs of phones that move toward each other, turn off for an hour or so, and then turn themselves back on while moving away from each other. In other words, you can look for secret meetings. Two, you can locate specific phones of interest and then look for other phones that move geographically in synch with those phones. In other words, you can look for someone physically tailing someone else. I’m sure there are dozens of other clever analyses you can perform with a database like this. We need more researchers thinking about the possibilities. I can assure you that the world’s intelligence agencies are conducting this research.
When the government patiently reassures you that the data they are collecting is completely worthless and uninteresting, we should become very interested in finding out why they want it and what they are doing with it.
iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post on Wednesday (do not click if you’re wary of security breaches), site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. iPhoneDevSDK is, however, now working with Facebook’s security team to share information about what happened.
Also, this is a great reminder to log and monitor, or use a SIEM. An admin’s account was compromised, then their website was hacked.
Tripwire would have caught the changes, and login auditing would have caught the hacker/admin’s actions.
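To make the two controls mentioned above concrete, here is an added example (not code from the original post, Tripwire, or iPhoneDevSDK) of the same two checks in miniature: a file-integrity baseline that reports modified, added and removed files under a web root, and a login audit that flags logins for watched accounts from addresses outside a known-good set. The sample auth log lines, the account name `admin`, the IP addresses and the file names are all constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sshd-style auth log lines (not from the original post).
# The last login comes from an address the admin has never used before.
SAMPLE_AUTH_LOG = """\
Feb 19 08:01:12 web01 sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Feb 19 08:15:40 web01 sshd[2290]: Accepted password for admin from 10.0.0.5 port 51100 ssh2
Feb 19 23:47:03 web01 sshd[4410]: Accepted password for admin from 203.0.113.77 port 40211 ssh2
Feb 19 23:47:20 web01 sudo:    admin : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/vi /var/www/html/index.php
"""

# Matches successful sshd logins; other line types are ignored.
LOGIN_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Record a hash for every regular file under root: the 'known good' state."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against the baseline, Tripwire-style."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def audit_logins(log_text: str, watched_users: Iterable[str], known_ips: Iterable[str]) -> List[dict]:
    """Flag successful logins for watched accounts from addresses not in the known set."""
    watched, known = set(watched_users), set(known_ips)
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m["user"] in watched and m["ip"] not in known:
            findings.append({"user": m["user"], "ip": m["ip"], "method": m["method"], "line": line})
    return findings


def demo_integrity() -> Dict[str, List[str]]:
    """Baseline a constructed web root, change it, and report what the check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "config.php").write_text("<?php $db = 'prod'; ?>\n")
        baseline = build_baseline(root)
        # Simulated changes made after the admin account was abused (constructed).
        (root / "index.php").write_text("<?php echo 'changed'; ?>\n")
        (root / "extra.php").write_text("<?php echo 'new file'; ?>\n")
        return diff_baseline(root, baseline)


if __name__ == "__main__":
    print("integrity:", demo_integrity())
    for hit in audit_logins(SAMPLE_AUTH_LOG, watched_users={"admin"}, known_ips={"10.0.0.5"}):
        print("login from unknown address:", hit["user"], hit["ip"], hit["method"])
```

Run stand-alone, the integrity check reports `index.php` as modified and `extra.php` as added, and the login audit flags the single `admin` login from `203.0.113.77`. The two checks are complementary: the baseline tells you what changed on disk, and the login audit tells you which session made the change worth investigating; the `sudo` line in the sample log is the kind of record a SIEM would correlate with both.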