Jacob Williams says “... I predict that Meltdown is being actively exploited in the wild. It's trivial to leak kernel memory which likely contains sensitive data...”
http://searchsecurity.techtarget.com/news/252434059/Microsoft-rushes-Spectre-patch-to-disable-Intels-broken-update
Wednesday, January 31, 2018
Tuesday, January 30, 2018
Infosec quotes - patch Cisco vpn
Patch your Cisco VPN
@gossithedog says “... CVSS 10 unauthenticated remote code execution bug if you run VPN interface to internet with Cisco ASA (aka Cisco Anyconnect). It’s one of the bigger bugs...”
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
Sunday, January 28, 2018
Infosec quotes - Eric Cole admin rights
Dr Eric Cole said “...users should never login as administrators and never have administrator rights for their systems...”
Infosec quotes - OneDrive sharing
Allowing cloud file storage that the company does not control can lead to incidents like this.
“... former employee of Emory Healthcare (EHC) has been found to have obtained the protected health information of 24,000 EHC patients and shared the data to a Microsoft Office 365 OneDrive account, from where it could possibly be downloaded by other people...”
https://www.compliancejunction.com/emory-healthcare-data-breach-impacts-24000-patients/
Infosec quotes - Risks five years old
You should go beyond identifying risks. Outline a remediation or mitigation plan for each risk you find and set target dates for when it will be resolved. Some progress is better than no progress.
“... is still vulnerable to hackers — in part because gaps they identified five years ago remain...”
https://www.databreaches.net/university-of-baltimore-exposed-student-identity-information-for-more-than-three-years-auditors/
Infosec quotes - ceo to HR
Your HR team should be aware of these scams; they are extremely common nowadays.
“... someone pretending to be the CEO sent a staff member for employee W2s. The recipient responded, and gave it away, including employee names, Social Security numbers, where they live and how much they make....”
http://www.wsoctv.com/news/local/charlotte-housing-authority-hacked-current-former-employees-impacted/689911291
Saturday, January 27, 2018
Infosec quotes - admin rights or toast
@combat_penguin says “...Defenders, if you're not limiting user rights then you're toast...”
https://twitter.com/combat_penguin/status/957285901654200320
Infosec quotes - google drive links
Links to Google drive != safe.
“... The link appears to lead to a Google Drive account and even includes HTTPS and the word secure. Once the URL is clicked a malicious file labeled Lebalcopy.exe is downloaded...”
https://www.scmagazine.com/new-phishing-scam-combines-fedex-and-google-drive-to-lure-victims/article/739575/
Infosec quotes - applocker whitelist
The SANS advisory board says “... Applocker is a great starting venture into whitelisting. Doubly important is running it in audit mode before going full production with it. You will miss things because two users will have a program you weren’t aware of and they only use it once every two months, and it’ll save your helpdesk a headache later....”
Infosec quotes - admin accounts
Avecto LinkedIn page says “With #cyberattacks now seeking out local administrators to gain access to the operating system, even a small number of admin accounts can open the door to a host of vulnerabilities.“
Friday, January 26, 2018
Infosec quotes - proactive steps should happen
@gossithedog says “... If you take almost any incident which made press, they have themes. Carphone Warehouse - 6 year old unpatched Wordpress with credit cards in database, no PCI etc. TalkTalk - webapp with SQLi vuln older than teenager who did it. Democratic party - phishing... NHS WannaCry - lack of patching, firewalls with any/any rules. Parliament email - single factor auth. Even the people moving laterally inside networks are largely off the shelf tools, e.g. psexec from Microsoft. Breaches, of course, happen. So should proactive steps...”
https://twitter.com/gossithedog/status/956933029632593920
Infosec quotes - here is the mop
@swiftonsecurity says “...Focus on patching, administration, and backups instead of Chinese PLA 0days. Your CFO’s executive assistant has Adobe Acrobat 9. Finance is using Firefox 3.6. There are hotel kiosks in Moldova more hardened than your domain controllers. Welcome to being an adult, here’s the mop...”
https://twitter.com/swiftonsecurity/status/956247007835906048
Infosec quotes - make them sweat
@x0rz says “... Make sure your adversaries actually *deserve* to get your data - like it costs them to get it, they had to invest into it.
You can’t build a 100% secure corporate environment, at least make them sweat...”
https://twitter.com/x0rz/status/956583551495032832
Infosec quotes - simple security steps
“...Organisations would be better served in spending time and resources in simple security steps such as backing up their data, ensuring appropriate access controls are in place, that systems are patched with the latest updates, and that effective anti-virus software is installed...”
https://www.helpnetsecurity.com/2018/01/26/cyber-attacks-2017/
Infosec quotes - YouTube miners
Browser-based cryptocurrency miners are now being served through YouTube ads.
https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/
Infosec quotes - $530 million
When security fails, crazy things can happen.
“... According to major Japanese cryptocurrency exchange CoinCheck executives, more than $530 million worth of NEM has been stolen from the trading platform...”
Infosec quotes - hardcoded passwords
Developers: if you see a hardcoded password in your code, alert somebody and fix it. Then put checks in place so it never happens again.
“... Among the glaring flaws cited: a hardcoded password. In the fingerprint scanner. To log into the computer...”
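One way to put that check in place, as an added example that is not from the article quoted above: a small scanner you can run as a pre-commit hook or CI step. The regex patterns are illustrative and should be tuned for your code base; the two sample files it scans are constructed here, not taken from any real project.

```powershell
# Added example: hardcoded-credential scanner for a pre-commit / CI check.
function Find-HardcodedSecret {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.ps1','*.py','*.cs','*.js','*.java','*.cfg','*.ini',
                               '*.xml','*.json','*.yml','*.yaml','*.config')
    )
    $patterns = @(
        # key = "value" / key: 'value' where the key name looks like a credential
        '(?i)\b(password|passwd|pwd|secret|api[_-]?key|auth[_-]?token)\b\s*[:=]\s*["''][^"'']{4,}["'']',
        # connection-string style Password=value; (no spaces around the =)
        '(?i)\b(password|pwd)=[^;"''\s]{4,}',
        # credentials embedded in a URL: scheme://user:pass@host
        '(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@',
        # PEM private key header
        '-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----'
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern
                Text    = $_.Line.Trim()
            }
        }
}

# Constructed sample tree: one clean file (secret read from the environment)
# and one file with three offending lines. Not real project code.
$sample = Join-Path $env:TEMP ('secretscan-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null
Set-Content -Path (Join-Path $sample 'clean.py') -Value @(
    'import os',
    'db_password = os.environ["DB_PASSWORD"]   # fine: comes from the environment'
)
Set-Content -Path (Join-Path $sample 'bad.py') -Value @(
    'conn = "Server=db01;User Id=app;Password=Winter2018!"',
    'password = "Winter2018!"',
    'url = "https://svc:Winter2018!@internal.example/api"'
)

$findings = @(Find-HardcodedSecret -Path $sample)
$findings | Format-Table -AutoSize
Remove-Item -Path $sample -Recurse -Force

# In a pre-commit hook or CI job, fail the build when anything is found:
# if ($findings.Count -gt 0) { exit 1 }
```

Each line in bad.py trips a different pattern (connection string, quoted assignment, credential in URL) while clean.py produces no finding, because `db_password` has no word boundary in front of `password` and the value is not a literal. Expect false positives on test fixtures and documentation; maintain an allow-list of paths rather than loosening the patterns.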
Infosec quotes - fake ads
"Crooks Created 28 Fake Ad Agencies to Disguise Massive Malvertising Campaign"
Infosec quotes - bits parser
BITS (Background Intelligent Transfer Service) is roughly Windows' built-in wget. Its transfer jobs leave queue files behind on disk, and ANSSI researchers created a tool to parse them. The tool is called bits_parser.
Infosec quotes - internet accessible devices
A good example of why your team should involve IT when setting up any network-connected device. Vendors are often happy to make insecure installation decisions for these devices just to close the sale.
“... Part of the issue is that many of these systems are outside of the usual domain of IT departments...”
Thursday, January 25, 2018
Infosec quotes - binary vs code
@cigitalgem says
“... having binary is just as good as having source. The myth that releasing source is somehow more dangerous is just that...a myth....”
https://twitter.com/cigitalgem/status/956577298517495809
Infosec quotes - data not protected
This is why it's important to secure and apply access control even to your internal file shares and productivity sites like SharePoint.
“...records were found in open view, unsecured and accessible to anyone in the residence, including persons who had no legitimate business reason to access the personal information ...”
https://healthitsecurity.com/news/ks-healthcare-organization-fined-over-unsecured-patient-data
Infosec quotes - more insecure buckets
Déjà vu: it's easy to misconfigure cloud storage, and it won't end pretty.
“... s3 Amazon bucket hosted at a publicly accessible domain was open for anybody to access ... several plain text API keys ... scripts for accessing HBO modules ...”
https://mackeepersecurity.com/post/hbo-database-exposure
Infosec quotes - word docs
Yes opening a Microsoft Word document can lead to this...
“... downloads a Remote Access Trojan (RAT), which can log keystrokes, take screenshots, record audio and video from a webcam or microphone, and install and uninstall programs and manage files...”
https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
Infosec quotes - fonts
If your browser says a font is missing, think twice before clicking: the "font" download could be a RAT (Remote Access Trojan).
http://www.broadanalysis.com/2018/01/25/eitest-campaign-hoefler-text-pop-up-delivers-netsupport-manager-rat-2/
Infosec quotes - iis http modules
Check the modules loaded by IIS on your Windows web servers (native global modules as well as HttpModules); a backdoor can be installed there as just another module.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/?utm_content=buffer1f7f7&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
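A check I would run for this, as an added example that is not from the Unit 42 write-up: list the native modules IIS loads into every worker process from applicationHost.config, and flag any whose image lives outside the inetsrv directory or is not validly signed. The sample config below is constructed; the second module entry is a made-up stand-in for a backdoor DLL dropped outside inetsrv, not the module described in the article.

```powershell
# Added example: audit IIS native (global) modules for unexpected or unsigned images.
function Get-IisGlobalModuleAudit {
    param(
        [string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config')
    )
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $inetsrv = Join-Path $env:windir 'System32\inetsrv\'
    $modules = $cfg.configuration.'system.webServer'.globalModules.add
    foreach ($m in $modules) {
        # image paths are stored with %windir%-style variables
        $image = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
        $inInetsrv = $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
        $status = if (Test-Path -LiteralPath $image) {
            (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
        } else { 'Missing' }
        [pscustomobject]@{
            Name       = $m.GetAttribute('name')
            Image      = $image
            InInetsrv  = $inInetsrv
            Signature  = $status
            Suspicious = (-not $inInetsrv) -or ($status -ne 'Valid')
        }
    }
}

# Constructed sample applicationHost.config (same layout as the real file).
# The first entry is a standard IIS module; the second is a made-up rogue module.
$sampleConfig = @"
<configuration>
  <system.webServer>
    <globalModules>
      <add name="CacheUriModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpSessionModule" image="%windir%\Temp\session.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"@
$tmp = Join-Path $env:TEMP 'applicationHost.sample.config'
Set-Content -Path $tmp -Value $sampleConfig
Get-IisGlobalModuleAudit -ConfigPath $tmp | Format-Table -AutoSize
Remove-Item -Path $tmp

# On a real server, just run:
# Get-IisGlobalModuleAudit | Where-Object Suspicious | Format-Table -AutoSize
```

On a box without IIS the standard entry shows up as "Missing", which is expected. This pass covers native modules only; managed HttpModules registered under `<modules>` and in per-site web.config files deserve the same treatment.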
Infosec quotes - social media
It is a risk to allow users to use social media while on a company asset.
“... Dark Caracal hackers do not rely on any zero-day exploits to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages,..”
Infosec quotes - Wordpress plugin security
The all-too-real and common WordPress plug-in security issue.
“... developers, seeking to please their client, mess with a plugin and then either leave, or don’t want to tell the client it’s going to cost more each time WP and the plugin need updating. The site is now vulnerable...”
Infosec quotes - reinstall entire infrastructure
Could your company recover from this? Lessons learned include: “Take security seriously” and “practice your Incident Response plan”
"...we basically found that we had to reinstall an entire infrastructure ... We had to install 4,000 new servers, 45,000 new PCs, 2,500 applications."
Wednesday, January 24, 2018
Infosec quotes - undermine security
"Obviously, allowing users to run as administrators would undermine any security policy or enforcement you have put in place. So we turn that off. Our users do not have administrator access to their devices." - @ncsc #cybersecurity #AdminRights
Tuesday, January 23, 2018
Infosec quotes - lose your paycheck over a hack
“...So then they were reporting that there was several hundred thousand dollars potential of theft from the employees and from the company itself, that their bank accounts had been compromised ... Police say the vulnerability was a known issue and the company failed to install a security patch. That patch had been made available in October of 2017...”
http://www.wbay.com/content/news/Local-companys-system-hacked-employee-info-stolen-470702403.html
Infosec quotes - baked in
“... security needs to be baked into the entire development process from the second you begin creating code, all the way through deployment and beyond...”
Infosec quotes - innovating faster
“... Criminals - increasing organized and offering wide-ranging services on the dark web - are ultimately innovating faster than security defenses can keep up...”
Infosec quotes - cyber crime infancy
“... All indications are that cyber-crime is in its infancy, a phenomenon that will only intensify...”
Monday, January 22, 2018
Infosec quotes - miners
Cryptocurrency miners are more prevalent than anything else right now, per @bad_packets, and I agree.
“... JS/Coinminer is listed as @ESET's number one threat. The insanely high prevalence level is due to the ubiquity of #Coinhive and other #cryptojacking malware...”
https://twitter.com/bad_packets/status/955586741590568962
Infosec quotes - gaming
Good example of why your org needs a policy against gaming on company assets and it needs to be monitored and enforced.
“... Video games are becoming a serious attack vector. They are 1) widespread 2) prone to bad vulnerabilities 3) bad at incident handling...”
https://twitter.com/x0rz/status/955552657749544960
Themida packing
This sample on Hybrid Analysis
https://www.reverse.it/sample/90f22eada562c8d124211faa33337b5f8e8a43235605b8e8f12dab55f5962d3f?environmentId=100
but if you open it in IDA or x32dbg it's very difficult to analyze; it appears to be packed in some manner.
When viewing the memory strings in Process Hacker while it's running, I saw this
It says Themida, which when I googled is
https://www.oreans.com/themida.php
Software protectors were created to keep an attacker from directly inspecting or modifying a compiled application. A software protector is like a shield that keeps an application encrypted and protected against possible attacks
So the attacker is using this legit packing software to hide his code from us malware analysts.
Of course, I'm new at this so if you have any corrections or tips for me, let me know. Thanks!
A Malware analysis wiki
https://www.peerlyst.com/posts/a-malware-analysis-wiki-peerlyst?utm_source=LinkedIn&utm_medium=Application_Share&utm_content=peerlyst_post&utm_campaign=peerlyst_shared_post
Sunday, January 21, 2018
Infosec quotes - disable it all
NO, business app vendor. "Disable your firewall and antivirus and UAC" so that your sloppy code will work is NOT a solution!
https://twitter.com/p3isys/status/664479534398353408
Infosec quotes - the basics
“... It's not about buying the latest cool tech. Security is about fundamentals, plain and simple...” says CISO of Lyft
Saturday, January 20, 2018
Infosec quotes - script kiddie botnet
Crazy that almost anybody nowadays can do this with very little technical skill required.
“... Alex Bessell, 21 ... was convicted ... police raided his home and found that Bessell had seized remote control of at least 9,083 computers, without their owner's permission, to create a massive botnet...”
https://www.scmagazine.com/british-hacker-arrested-for-selling-malware-and-launching-cyberattacks-against-pokemon-google-and-skype/article/738288/
Infosec quotes - remote portal
Having 2FA is important on remote portals!
“... gained access to hospital systems by logging in with a third-party vendor's credentials into the Hancock Hospital remote access portal...”
http://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators/
Infosec quotes - let the business manage users
@lorettodave says “...Today, managers approve access requests, and IT implements them without knowing *why* a user needs access. The approach outlined here would help transfer risk ownership back to data/asset owners (and away from IT/InfoSec)...”
https://twitter.com/swiftonsecurity/status/954442160333557762
Infosec quotes - termed employee access
How confident are you that your terminated employees' accounts are actually disabled?
“... an ex-employee is suspected of viewing data of 52 New York students from Dec. 30 to Jan. 2...”
http://www.wtva.com/content/news/Breach-at-testing-vendor-exposes-Mississippi-students-data-470207903.html
Infosec quotes - PoS hunting
Businesses running PoS systems should hunt for intrusions proactively instead of waiting for someone else to tell them about it.
“... Cybercriminals successfully install RAM-scraping malware onto one or more point-of-sale devices ... The breached business discovers the intrusion only after card issuers spot patterns of payment fraud that traced back to their organization...”
https://www.bankinfosecurity.com/blogs/jasons-deli-hackers-dine-out-on-2-million-payment-cards-p-2584
Infosec quotes - hacked by Wordpress
Should the WordPress admin page have been accessible to the world? Should there have been 2FA? Was the password guessable?
“... Cyberattackers used valid login details to access Carphone Warehouse's system through an out-of-date version of content platform Wordpress...”
https://www.reuters.com/article/us-britain-carphonewarehouse-fine/britain-fines-carphone-warehouse-400000-pounds-over-data-breach-idUSKBN1EZ11G
Infosec quotes - dotted IP
“... the PowerShell script connects to a dotless IP address (example: hxxp://3627732942) to download the final payload.
What is a dotless IP address? Also referred to as a 'decimal address,' the decimal values of IPv4 addresses... Almost all modern web browsers resolve a decimal IP address to its equivalent IPv4 address...”
https://thehackernews.com/2018/01/microsoft-office-malware.html
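To make the conversion concrete, and to give you something to run over proxy logs, here is an added example that is not from the article: it turns a dotless literal back into dotted form and flags URLs whose host is written that way. Browsers accept the decimal form quoted above and also a hex form (0x...), so both are handled; the proxy log lines are constructed for the demo.

```powershell
# Added example: decode dotless IPv4 literals and find them in proxy logs.
function ConvertFrom-DotlessIP {
    param([Parameter(Mandatory)][string]$Literal)
    if ($Literal -match '^0x[0-9a-f]+$') {
        $n = [Convert]::ToInt64($Literal.Substring(2), 16)   # hex form, e.g. 0xD83ACFCE
    } elseif ($Literal -match '^\d+$') {
        $n = [int64]$Literal                                  # decimal form, e.g. 3627732942
    } else {
        throw "Not a dotless IPv4 literal: $Literal"
    }
    if ($n -lt 0 -or $n -gt [uint32]::MaxValue) { throw "Out of IPv4 range: $Literal" }
    # The 32-bit value is in network (big-endian) order; BitConverter is little-endian on x86/x64.
    $bytes = [BitConverter]::GetBytes([uint32]$n)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return ($bytes -join '.')
}

function Find-DotlessUrl {
    param([Parameter(Mandatory)][string[]]$LogLine)
    # Host made only of digits, or 0x-hex, followed by a path, port, query, fragment or end.
    # A normal dotted address never matches because the lookahead rejects the "." after the first octet.
    $pattern = '(?i)https?://(0x[0-9a-f]+|\d+)(?=[/:?#\s]|$)'
    foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            $literal = $Matches[1]
            [pscustomobject]@{
                Literal  = $literal
                Resolved = ConvertFrom-DotlessIP -Literal $literal
                Line     = $line
            }
        }
    }
}

# Constructed proxy log: a normal hostname, the decimal form from the article,
# the same address in hex, and an ordinary dotted address (should not be flagged).
$proxyLog = @(
    '2018-01-20 10:01:02 10.0.0.15 GET http://www.example.com/index.html 200',
    '2018-01-20 10:01:09 10.0.0.15 GET http://3627732942/payload.bin 200',
    '2018-01-20 10:02:11 10.0.0.22 GET http://0xD83ACFCE/update.exe 200',
    '2018-01-20 10:03:00 10.0.0.22 GET http://216.58.207.206/ok 200'
)
Find-DotlessUrl -LogLine $proxyLog | Format-Table -AutoSize
```

The decimal and hex lines decode to the same dotted address, which is the point of the trick: a proxy allow-list keyed on dotted strings or hostnames lets both straight through. Octal and mixed-radix forms (for example 0330.072.0317.0316) are also accepted by browsers and are not covered by the regex above.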
Infosec quotes - termed
Your terminated-employee offboarding process is very important, per @fouroctets
Infosec quotes - oneplus
“... OnePlus determined hackers had broken into its website server and installed malicious JavaScript code that would grab credit card data once it was entered...”
http://www.forbes.com/sites/thomasbrewster/2018/01/19/oneplus-hacked-40000-credit-card-data-theft/
Friday, January 19, 2018
Infosec quotes - PUP
Good example of why you should take alerts for PUP, PUA, and Adware seriously at your org. Whitelist your software.
“... drops 2 password stealer components: WebBrowserPassView and Email Password-Recovery. Both of these components are actually legitimate password finding utilities from Nirsoft. Many Nirsoft products do get detected by antiviruses as potentially malicious or potentially unwanted programs...”
Infosec quotes - dust off IR plan
“... By dusting off that Incident Response plan and evolving to incident readiness and response, there’s a lot that business leaders can do to proactively mitigate cyber risk...”
Infosec quotes - detect and respond
“... cyber-attacks will happen, therefore we can no longer only focus on building walls but also become able to detect and respond to breaches quickly..”
Infosec quotes - endpoint logging
“.. roadblock lies in the fact that many organizations are diligent about recording the Windows Domain Controller logs, however, they do not store the logs coming from desktops and laptops ... to detect the lateral movement, a stitching is necessary between the Domain Controller logs and the endpoint logs...”
Infosec quotes - remove safety logic
“... Trisis was likely removing safety logic from the controller instead of simply crashing the system...”
Infosec quotes - Cnc whitelisting
“... the CnC server has implemented a domain whitelist and it allows the malware to be downloaded only by the IPs it sent the phishing campaign to. If someone tries to get the zip file connecting from other IPs, the site would return an empty XML page...”
Infosec quotes - pose as a utility
“... pose as utility (flashlight, QR code scanner, compass) and device performance-boosting apps (file transfer, cleaner), and more notably, social media video downloaders...”
Infosec quotes - chrome extensions
“... malicious extensions also impacted employees of major organizations, potentially allowing attackers to gain access to corporate networks...”
Infosec quotes - security focus
“...Until we collectively shift our focus to the information assets at risk and away from the noisiest vulnerabilities, we will continue to expose the most valuable data...”
Infosec quotes - threat Intel value
“...Threat intelligence should be looking at the thousands of threats and telling their employers which ones are most likely to be used against them. Instead, they usually act as megaphones replaying the global hype...”
Infosec quotes - mobile
"...Dark Caracal is part of a trend we've seen mounting over the past year whereby traditional advanced persistent threat actors are moving toward using mobile as a primary target platform...”
Infosec quotes - supply chain attacks
“... While internal IT and security departments might have strong security practices ... third-party collaborators might not adhere to the same culture. Consequently, programs for vetting vendors need to be in place before fully integrating them into internal infrastructures...”
Infosec quotes - malware scanning
“... The malware is capable of scanning and mapping an industrial network to provide reconnaissance and can also give hackers remote control over those systems, the advisory says...”
Infosec quotes - prioritize projects
Harry Poster says “When prioritizing security projects, have you considered that if your end users still have admin rights, controls you may choose to put in place first could be shut off? ”
Infosec quotes - mcafee creds
@malwrhunterteam says “It's still absolutely normal to find McAfee credentials in logs of skids' company victims...(In this case CVE-2017-11882 exploit was used to download Agent Tesla...)”
Infosec quotes - Oracle patching
@MalwareJake says “Quarterly patches is why I don't usually recommend VirtualBox for malware analysis. Oracle sucks at patching.”
Infosec quotes - report a phish
@nyxgeek says “If you fall for a phish, don’t lie about it. Everybody makes mistakes. Own it, report it.”
Infosec quotes - more Oracle
Oracle Database, eBusiness Suite, and more among the 237 security patches from Oracle
Infosec quotes - avecto
What's kept your organization from fully removing Local Admin Privileges? Cultural kickback? Legacy apps? Large Dev/Engineering teams? Here's an easy way to shatter those roadblocks:
Infosec quotes - win at security
Dr. Eric Cole says “If you want to win at security, always ask the following questions:
1) What is your critical data?
2) Where is it located?
3) Who has access to the information?
4) Who should have access to the information?”
Infosec quotes - culture culture culture
@gossithedog says “... The full report is here, they got fined £400k ($540k) for having web shells on a 6 year old webapp built on 5 year old WordPress install hosting customer payment info in plain text ... It's critically important that if you're running InfoSec or IT in a company and you know if staff are seeing stuff like that you know SOMEBODY in the department will speak up ... Culture culture culture + everything else. ...”
Infosec quotes - fake form overlays
“... Once the DLL is properly injected to svchost.exe it starts to monitor the user's activity to see if they try to access Brazilian banks. Once a user visits the online banking sites, it will overlay the screen with a fake form that enable the attackers to retrieve the user's PIN codes...”
Infosec quotes - benign emails
“... they test the waters by sending out a benign email to someone at your organization who then clicks on the link inside of that email, this tells them that this is a good target who is asleep at the switch.... hackers set up a dummy site which they are absolutely monitoring to see who is clicking on it...”
Infosec quotes - impersonating
“... Process Doppelgänging ... Impersonating legitimate process .... technique bypasses most popular Antivirus, NGFW and EDR solutions present in the market”
Infosec quotes - unprotected systems
“... Among the victims ... were many systems that were completely unprotected ... just because no one thought they had to be ... But in those cases, the attackers did not choose their targets; they infected everything they could. The damage was significant. Reinstalling operating systems on those noncritical machines was and continues to be a costly time-sink... Lesson 2: Protect all elements of your information infrastructure...”
Infosec quotes - dwell time
“... The latest research indicates that controlling the dwell time of malware and APTs is the key to dramatically reducing business impact. By accepting you will be breached and putting proactive hunt solutions in place you will be able to detect and neutralize threats before they can cause damage...”
Infosec quotes - fileless malware
“... Of those successful attacks, 77 percent involved fileless techniques designed to evade detection by abusing legitimate system tools or launching malicious code from memory...”
Infosec quotes - anti ad blockers
“... retaliate against adblockers by employing anti-adblockers which can detect and stop adblock users...”
Infosec quotes - support scam
“... rather than cold calling potential victims, most scammers use exploit kits and malvertising to give the victim the impression that there is a serious problem with their computer, after which they may call the phone number that is, conveniently, displayed on the screen...”
Infosec quotes - WiFi bitcoin miner
“... man-in-the-middle attack that involved redirecting all customers through his proxy by performing an ARP-spoofing attack, then injecting a single line of code into visited HTML pages that calls the cryptocurrency miner in the victim’s browser...”
Infosec quotes - User should not install
If you train your users that they should not install their own software but instead ask their IT support for it, then this type of attack is less likely to succeed.
“... The victims are made to believe that the only thing that they are downloading is authentic software from adobe .com. Unfortunately, nothing could be further from the truth...”
Infosec quotes - bitcoin miner threat
“... For end users, the threat of a coin miner infection may seem less impactful than, say, a banking Trojan, but perhaps that is only true in the short term. Not only can existing malware download additional payloads over the course of time, but the illicit gains from cryptomining contribute to financing the criminal ecosystem, costing billions of dollars in losses...”
Infosec quotes - Ask IT
One way to reduce risk at your company is to teach IT support that if a user asks to install or update software, the correct answer is to help them perform that action ... the answer is NOT to help the user submit a request for Admin rights.
Infosec quotes - back to security basics
“... Spending more time on maturing and measuring fundamental security controls might have helped prevent many of the breaches ... Equifax was compromised by a Web application vulnerability that had an available patch, which the company failed to employ. Too often companies underestimate basic security measures...”
Infosec quotes - Oracle bitcoin miner
Cryptocurrency-mining attackers are even going after your Oracle servers. Patching is important!
“... Enterprises that failed to install Oracle's critical WebLogic patch last October could find their PeopleSoft and cloud-based servers churning out cryptocurrency, a new discovery shows...”
Infosec quotes - Cisco ios
A PoC is out for CVE-2017-6736, a Cisco IOS SNMP remote code execution bug. Patching is a good idea.
Advisory
https://lnkd.in/eTm-9Dt
PoC
https://lnkd.in/eC5qcXA
Infosec quotes - windows updates register
Per @gossithedog “... Microsoft have added the following text to their KB article to clarify that unless the AV compatibility registry key is set, Windows Update will not deliver January's *or all future* security updates...”
Infosec quotes - phish alert
“... Install a ... Phish Alert button in Outlook, so users can simply click on that, delete the email and forward it to your Incident Response team...”
Infosec quotes - word persistence
“... executes at the next start of the Word application which provides a great method of persistence...”
%APPDATA%\Microsoft\word\startup\
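A quick way to audit that persistence location across every profile on a machine, as an added example rather than anything from the quoted write-up: list the files in each user's Word STARTUP folder, hash them, and check whether each one carries a VBA project (a `vbaProject.bin` entry inside the OOXML zip). The demo tree at the bottom is constructed so the script runs offline; `Evil.dotm` is a placeholder zip, not a real add-in.

```powershell
# Added example: inventory Word STARTUP add-ins for all user profiles.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeFileHasVba {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            # OOXML files (.dotm/.docm) store macros as word/vbaProject.bin
            return [bool]($zip.Entries | Where-Object { $_.FullName -like '*vbaProject.bin' })
        } finally { $zip.Dispose() }
    } catch {
        return $false   # not a zip: native .wll add-in, legacy .dot, or junk
    }
}

function Get-WordStartupAddins {
    param([string]$UsersRoot = (Split-Path $env:USERPROFILE -Parent))   # normally C:\Users
    foreach ($userDir in Get-ChildItem -Path $UsersRoot -Directory) {
        $startup = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Word\STARTUP'
        if (-not (Test-Path -LiteralPath $startup)) { continue }
        foreach ($f in Get-ChildItem -Path $startup -File -Force) {
            [pscustomobject]@{
                User     = $userDir.Name
                File     = $f.FullName
                Modified = $f.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                HasVba   = Test-OfficeFileHasVba -Path $f.FullName
            }
        }
    }
}

# Constructed demo tree: one fake profile whose STARTUP folder holds a minimal
# zip containing word/vbaProject.bin, i.e. the shape of a macro-bearing .dotm.
$demo    = Join-Path $env:TEMP ('wordstartup-' + [guid]::NewGuid())
$startup = Join-Path $demo 'alice\AppData\Roaming\Microsoft\Word\STARTUP'
$src     = Join-Path $demo 'src\word'
New-Item -ItemType Directory -Path $startup, $src | Out-Null
Set-Content -Path (Join-Path $src 'vbaProject.bin') -Value 'placeholder'
[System.IO.Compression.ZipFile]::CreateFromDirectory((Join-Path $demo 'src'), (Join-Path $startup 'Evil.dotm'))
Get-WordStartupAddins -UsersRoot $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force

# On a real machine: Get-WordStartupAddins | Where-Object HasVba
```

Anything with `HasVba` set, or any `.wll` you did not deploy, is worth pulling for analysis. Word also loads add-ins from the STARTUP folder under the Office installation directory, which should get the same pass.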
Infosec quotes - ROR
“... new metric: reduction of risk (ROR). This addresses the true function of incident response and security tools...”
Infosec quotes - lock down Powershell
A good reason for your IT team to lock down and harden PowerShell: enable logging, restrict its internet access, limit who can run it, and so on.
“...A user receives a typical spam email ... clicks the link ... website then loads Flash which opens Windows PowerShell in memory ... PowerShell downloads and executes a script ... PowerShell locates and sends the user’s data to the attacker...”
Infosec quotes - encrypt thumb drive
Good example of why you should encrypt laptop hard drives and thumb drives, no exceptions!
“... A non-encrypted Penn Medicine laptop with personal information of about 1,000 patients was stolen on Nov. 30...”
Infosec quotes - network segmentation
Companies that don’t have the basics in place like network segmentation and patching should make those their top priority.
“... Kitchen said a problem for many companies is that their internal networks are not properly segmented, and lack firewalls, software updates and other precautions to safeguard computers ...”
Infosec quotes - cloud storage
Cloud file storage outside the company's control puts the company at risk.
“... former EHC physician ... uploaded PHI to a University of Arizona College of Medicine Microsoft Office 365 OneDrive account...”
Infosec quotes - Powershell meltdown
Microsoft released a PowerShell script to verify whether systems are protected from Spectre/Meltdown.
Infosec quotes - nutanix cve
@secguru_otx says “... Nutanix has also released update packages to address CVE-2017-5715, 5753 and 5754. My advice is to update your Hypervisors and your Nutanix appliances as soon as possible...”
Infosec quotes - rename Powershell
“... PowerShell ... version 6.0 ... executable is changing names from powershell.exe to pwsh.exe...”
Infosec quotes - insider risk AV
Could an insider risk use your AV to collect all sensitive documents ? Apparently so.
Infosec quotes - meltdown register
Note from @gossithedog “...with Microsoft Meltdown patches - Customers will not receive these security updates and will not be protected from security vulnerabilities unless their anti-virus software vendor sets the following registry key...because certain AV hook the kernel in a bad way...”
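Pulling the two Meltdown posts above together (Microsoft's verification script, and the AV compatibility registry key) into one check per host, as an added example that is not from either post: Microsoft's script is the SpeculationControl module on the PowerShell Gallery, and the compatibility flag is the QualityCompat value from Microsoft's KB article. Those names come from Microsoft's documentation, not from this page, and the `Install-Module` step needs internet access to the Gallery.

```powershell
# Added example: one-host readiness check for the January 2018 Meltdown/Spectre updates.
function Test-MeltdownReadiness {
    $result = [ordered]@{}

    # 1. AV compatibility flag. Per Microsoft's KB, Windows Update withholds the
    #    January 2018 (and later) security updates until this REG_DWORD exists and is 0.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name  = 'cadca5fe-e7ab-11e7-b02e-f9fc63d6a48c'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $result.AvCompatFlagSet = ($null -ne $value -and $value -eq 0)

    # 2. Kernel mitigation state, via Microsoft's SpeculationControl module.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $sc = Get-SpeculationControlSettings -Quiet
    $result.MeltdownKvaShadowEnabled = $sc.KVAShadowWindowsSupportEnabled   # CVE-2017-5754 (rogue data cache load)
    $result.SpectreV2HardwareSupport = $sc.BTIHardwarePresent               # CVE-2017-5715 needs a microcode update
    $result.SpectreV2OsEnabled       = $sc.BTIWindowsSupportEnabled

    [pscustomobject]$result
}
Test-MeltdownReadiness
```

`AvCompatFlagSet` false means the host will keep reporting "no updates" no matter how often you run Windows Update. `SpectreV2HardwareSupport` false with the OS side enabled means the firmware/microcode update from the OEM is still missing, which the OS patch alone cannot fix.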
Infosec quotes - chrome meltdown
The new CPU attacks (Spectre and Meltdown) also impact Chrome. Watch for the patch to come.
“... Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018...”
Infosec quotes - Firefox meltdown
The new CPU attacks (Spectre and Meltdown) you read about in the news apparently can be launched from browsers. Patch Firefox.
Infosec quotes - Powershell Security
Simple initial steps to securing PowerShell
Tip 1
Set up a host-based firewall rule to prevent PowerShell from accessing the internet / proxy; this will prevent a lot of common 2nd-stage droppers or persistence.
Tip 2
Use AppLocker to prevent your general users from running powershell.exe. You can create a very permissive ruleset which allows admins, service accounts etc. to run PowerShell but stops your general user population from using it.
Credit: the SANS advisory board
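What those two tips look like on one machine, plus the logging from the earlier PowerShell post, as an added example. This is my own script, not the SANS board's. It assumes internal systems and your proxy sit in RFC 1918 address space, that "admins" means BUILTIN\Administrators, and Windows PowerShell 5.1 paths (add the pwsh.exe path if PowerShell 6 is installed). The AppLocker collection is deliberately created in AuditOnly mode, per the earlier advice to run audit mode before enforcing. Run elevated, on a test box first.

```powershell
#Requires -RunAsAdministrator
# Added example: PowerShell lockdown (firewall egress, logging, AppLocker audit mode).
$psExes = @(
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

# Tip 1: block outbound from PowerShell to everything that is not RFC 1918,
# loopback or link-local space (assumption: that is where your internal hosts/proxy live).
$notInternal = @(
    '1.0.0.0-9.255.255.255',        # below 10/8
    '11.0.0.0-126.255.255.255',     # between 10/8 and 127/8
    '128.0.0.0-169.253.255.255',    # up to 169.254/16
    '169.255.0.0-172.15.255.255',   # up to 172.16/12
    '172.32.0.0-192.167.255.255',   # up to 192.168/16
    '192.169.0.0-223.255.255.255'   # rest of unicast space
)
foreach ($exe in $psExes) {
    New-NetFirewallRule -DisplayName "Block outbound to Internet - $exe" `
        -Direction Outbound -Program $exe -RemoteAddress $notInternal `
        -Action Block -Profile Any | Out-Null
}

# Logging: script block, module and transcript logging (same values a GPO sets).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$pol\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$pol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$pol\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$pol\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$pol\ModuleLogging\ModuleNames" -Name '*' -Value '*'
New-Item -Path "$pol\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$pol\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$pol\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'

# Tip 2: AppLocker, audit mode. Everyone keeps the usual Windows/Program Files
# allow rules, but the PowerShell folders are carved out of the Windows rule;
# Administrators and LocalSystem get them back. Domain service accounts need
# their own rule with their SID (not shown; assumption that you have few of them).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Windows folder, except PowerShell" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\*" />
        <FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="LocalSystem: Windows folder incl. PowerShell" Description="" UserOrGroupSid="S-1-5-18" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-powershell-audit.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8
& sc.exe config appidsvc start= auto | Out-Null   # AppLocker needs the Application Identity service
Start-Service -Name AppIDSvc
# -Merge keeps rules already on the box. If the default "%WINDIR%\*" rule is already
# present, it still allows PowerShell; then drop -Merge to replace the local policy, or deploy via GPO.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Review audit hits (8003 = would have been blocked) for a few weeks before
# switching EnforcementMode to "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 25 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Two caveats a practitioner will hit: the firewall rule blocks the process, not the language, so script hosted in another binary (or in a renamed copy outside the rule's path) is not covered, which is exactly why the AppLocker rule is path-based on the folder rather than the file name; and the 8003 events are your list of legitimate users and service accounts that still need an allow rule before you enforce.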
Infosec quotes - security first
“... Businesses need to think security first...Whether that’s in designing new products and services, signing partnership agreements, in hiring new employees, or anything else...”
Infosec quotes - RODCs
“... Don’t add ‘Authenticated Users’ or ‘Domain Users’ to have their passwords cached on RODCs. If this is truly required, these RODCs should be viewed and protected in a similar manner to writable Domain Controllers...”
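A check for exactly that misconfiguration, as an added example that is not from the quoted article: enumerate every RODC in the domain and report any broad principal in its Allowed password replication list. It assumes the ActiveDirectory module (RSAT) and read access to the domain; the well-known SIDs and the 513/515 RIDs are standard Windows values.

```powershell
# Added example: flag RODCs whose Allowed PRP list contains broad groups.
Import-Module ActiveDirectory

function Get-RodcPrpAudit {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $domainSid = (Get-ADDomain -Identity $Domain).DomainSID.Value
    # Principals that should never be allowed to have passwords cached on an RODC.
    $broad = @{
        'S-1-5-11'       = 'Authenticated Users'
        'S-1-1-0'        = 'Everyone'
        "$domainSid-513" = 'Domain Users'
        "$domainSid-515" = 'Domain Computers'
    }
    foreach ($rodc in Get-ADDomainController -Filter 'IsReadOnly -eq $true' -Server $Domain) {
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
        foreach ($p in $allowed) {
            $sid = $p.SID.Value
            [pscustomobject]@{
                RODC      = $rodc.HostName
                Principal = $p.SamAccountName
                SID       = $sid
                Broad     = $broad.ContainsKey($sid)
                Note      = if ($broad.ContainsKey($sid)) { $broad[$sid] } else { '' }
            }
        }
    }
}

# Anything with Broad = True means that RODC holds (or can hold) the password
# hashes of essentially the whole domain and must be protected like a writable DC.
Get-RodcPrpAudit | Where-Object Broad | Format-Table -AutoSize
```

Run it without the `Where-Object` to see the full Allowed list per RODC; a custom "branch office users" group scoped to the site is the normal shape of a sane entry.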
Infosec quotes - army philosophy
“... This philosophy will allow the Army to do iterative development within the technology space ... where solutions and capabilities are continuously changing...”
Infosec quotes - fake software updates
Let your IT staff install & update your software. If you get a popup or website that tells you to perform an update, don’t do it without first contacting your IT support. You may install malware instead.
“... fake update screens that appear during the infection chain, inviting the user to open the downloaded file...”
Infosec quotes - web dev OWASP
If you are working with a web developer on a project and they are not familiar with the OWASP Top 10 and how to prevent them, then you should consider pausing your project and not coding any more until proper security training has been completed.
Infosec quotes - weakest link
Remember that your network is only as secure as its weakest link. For example, don't ignore the security hardening of printers, or it could end up costing you.
“... printer was configured to scan and save documents to the single WORKGROUP computer on the network... captured a hash from the printer for my target host... able to crack it and access the machine...”
Infosec quotes - Russia phishing
Like it or not, attackers still choose sending emails as the way to hack into your company. Think before you click.
“... techniques have remained largely unchanged ... still relies heavily on the use of ... phishing emails to try and get targets to click on links that lead to malicious domains or to download malware...”
Infosec quotes - Oracle web logic
If you support Oracle WebLogic you should've already patched this one in October.
@hkashfi says “... Oracle WebLogic ... CVE-2017-10271 & CVE-2017-3506…It's already being exploited in the wild....”