Category Archives: Security

Malware Archaeology Updates Windows Logging Cheat-Sheets

The ‘Windows Logging Cheat Sheet’, ‘Windows File Auditing Cheat Sheet’ and ‘Registry Auditing Cheat Sheet’ have been updated for 2016. The cheat sheets have been updated in part due to auditing improvements added by the ‘Windows 10 Anniversary Update’ released earlier this year. We also took the opportunity to do some cleanup and add more autorun keys to the registry auditing cheat sheet. Updates are easy to spot, just look for ‘new’.

Go get ’em and watch for the updated Log-MD!

Try the Critical Stack Intel Client

Richard Bejtlich writes:

You may have seen in my LinkedIn profile that I’m advising a security startup called Critical Stack. If you use Security Onion or run the Bro network security monitoring platform (NSM), you’re ready to try the Critical Stack Intel Client.

Bro is not strictly an intrusion detection system that generates alerts, like Snort. Rather, Bro generates a range of NSM data, including session data, transaction data, extracted content data, statistical data, and even alerts — if you want them.

Read the full article and give it a try! Initial feedback is good.

Apple Users Fend Off Ransom Attacks Against iPhones & Macs

Happily, the attack can apparently be deterred by having a strong unlock passcode, which you already have set, right?

Owners of Mac and iOS devices have found their iPhones and iPads held for ransom through a hack that targets the Find My iPhone and Find My Mac features on these devices to trigger a remote lock of the device.

The Find My iPhone feature is meant to allow users to track missing devices on a map, remotely lock the phone in the event that the device is lost or stolen and display a message so that those who find it will see that custom message. First surfacing in numerous reports in Australia yesterday, this attack claims through the custom message to be perpetrated by an Oleg Pliss, likely a pseudonym given that the most visible person by that name is a software engineer at Oracle. The malicious hacker responsible asks through the displayed message for users to pay $100 through PayPal for the privilege of unlocking their phones.

via Apple Users Fend Off Ransom Attacks Against iPhones & Macs.

Heartbleed SSL Flaw Angst Aggravated by Broken Disclosure Process

I wasn’t aware that only a handful of companies were notified of the vulnerability before it was published.  That is not best practice.

Via Heartbleed SSL Flaw Angst Aggravated by Broken Disclosure Process:

NEWS ANALYSIS: The decade’s most serious security issue was packaged and branded, but many server administrators and service providers were left in the dark.

Google and cloud security vendor CloudFlare were among a very small group that somehow got early access to the flaw and were able to be patched on April 7 prior to the public advisory from OpenSSL.

CloudFlare CEO Matthew Prince told eWEEK that his firm was in fact notified early last week by researchers involved in discovering the bug. Other vendors and Web services, including cloud vendors, however, did not apparently get the same message. Cloud services vendor DigitalOcean is among those that were left scrambling on April 7 to patch servers.

Tripwire has a free tool to scan your environment for Heartbleed-vulnerable devices and apps. Find it here, and good luck!

Patch quickly, patch often.

Reminder: You’re more likely to catch a hack from a legit site

iPhoneDevSDK—the site apparently responsible for the hacks at Facebook, Apple, and Twitter—says it was not aware it was being used to attack visitors until it read press reports this week. In a news post (do not click if you’re wary of security breaches) on Wednesday, site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. Though, iPhoneDevSDK is now working with Facebook’s security team in order to share information about what happened.

Also, this is a great reminder to log and monitor, or use a SIEM. An admin’s account was compromised, then their website was hacked.

Tripwire would have caught the changes, and login auditing would have caught the hacker/admin’s actions.
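To show the two controls the post is pointing at, here is an added example (my own code, not from the post, from Tripwire, or from iPhoneDevSDK): a minimal file-integrity baseline in the spirit of Tripwire that reports added, removed and modified files under a web root, and a login audit that flags successful admin logins from source addresses not previously seen for that account. The web-root files and the login log lines are constructed for the example, and the log format (timestamp, user, source IP, result) is an assumption.

```python
"""Added example, not from the original post: a Tripwire-style file-integrity
baseline plus a simple admin-login audit over constructed log lines."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_baseline(old, new):
    """Return (added, removed, modified) relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, modified


# Constructed sample log lines (assumed format): timestamp user source-ip result.
# The last two lines are the kind of event the post says login auditing would catch:
# the admin account logging in from an address it has never used before.
LOGIN_LOG = """\
2013-02-18T09:02:11Z admin 203.0.113.10 success
2013-02-18T13:40:02Z admin 203.0.113.10 success
2013-02-19T02:17:45Z admin 198.51.100.77 success
2013-02-19T02:19:03Z admin 198.51.100.77 success
"""


def parse_logins(text):
    """Parse the assumed whitespace-separated login log into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        rows.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return rows


def flag_new_source_logins(rows, known_ips):
    """Flag successful logins from IPs not in the known set for that user."""
    return [r for r in rows
            if r["result"] == "success" and r["ip"] not in known_ips.get(r["user"], set())]


def demo():
    """Run both checks on constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('ok');\n")
        before = build_baseline(root)
        # Simulate an unauthorized change: one page altered, one new file dropped.
        (root / "index.php").write_text("<?php echo 'hello'; include 'x.php'; ?>\n")
        (root / "js" / "extra.js").write_text("// constructed\n")
        after = build_baseline(root)
        added, removed, modified = compare_baseline(before, after)
    logins = parse_logins(LOGIN_LOG)
    flagged = flag_new_source_logins(logins, {"admin": {"203.0.113.10"}})
    return {"added": added, "removed": removed, "modified": modified,
            "flagged_ips": sorted({r["ip"] for r in flagged})}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The baseline would be taken on a known-good deploy and stored off-box; the comparison runs on a schedule and the three lists feed an alert. The login check is deliberately simple (a per-user allow-list of source addresses) but it is exactly the signal that would have shown an admin account being used from somewhere new.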

via Dev site behind Apple, Facebook hacks didn’t know it was booby-trapped | Ars Technica.