
Protect The Business - Enable Access

http://www.darkreading.com/

Lessons in website security anti-patterns by Tesco Update, 14 Feb 2014: A year and a half on from writing this, Tesco has indeed suffered a serious security incident almost certainly as a result of some of the risks originally detailed here. Read more about it in The Tesco hack – here’s how it (probably) happened. Let me set the scene for this post by sharing a simple tweet from last night: Ok then, that’s about as many security misdemeanours as I reckon you can fit in 140 chars! For those wondering, yes, this is actually a verified account and it really is Tesco responding to me.

CyberTerrorists - The War On Cyber: Google's Safe Browsing Diagnostic Tool A week ago Google announced the release of a safe browsing diagnostic tool. To use the tool, just append a URL to the end of For example, to test this site, you would enter Google will then return four sets of security information about that page. (1) The current listing status of a site and also information on how often a site or parts of it were listed in the past. (2) The last time Google analyzed the page, when it was last malicious, what kind of malware Google encountered and so forth. (3) Did the site facilitate the distribution of malicious software in the past?

Malware Characteristics. Initial Infection Vector: How did the malware initially get on the system? Some malware may be a secondary or tertiary download, so the IIV may not appear to be related. IIVs can include USB devices, malicious JavaScript in HTML pages, a SQL injection attack, an email attachment, etc. Propagation Mechanism: How does the malware move about and get onto other systems? For secondary and tertiary infections, this may appear to be the IIV. Some means may be USB devices, the use of psexec.exe (or similar code), etc.

0Day Remote Password Reset Vulnerability in MSN Hotmail patched Microsoft’s MSN Hotmail (Live) email service currently hosts over 350 million unique users. A Vulnerability Laboratory senior researcher, Benjamin Kunz Mejri, identified a critical security vulnerability in Microsoft’s official MSN Hotmail (Live) service. The vulnerability was found in the password reset functionality of the service and allowed an attacker to reset a Hotmail/MSN password to attacker-chosen values. Remote attackers could bypass the password recovery service to set up a new password, circumventing the token-based protections that were in place.

Snort Documentation Download The official documentation produced by the Snort team at Sourcefire. Snort Setup Guides The following setup guides have been contributed by members of the Snort Community for your use. Comments and questions on these documents should be submitted directly to the author. Authors who want comments and feedback may be emailed by clicking on their names below. If you have a document you’d like to contribute to the Snort community, contact us at snort-team@sourcefire.com.

Yogesh Khatri's forensic blog: Tracking USB First Insertion in Event Logs The tracking of USB removable disks has been discussed and analyzed in detail with the usual methods of looking at the Windows registry for plugged-in devices (USBSTOR keys), registry shell bags, SetupApi logs, etc. A while back, while researching something else, I happened to hit upon an artifact not known for this purpose: the Windows Event Log. The first time a USB device is inserted into your Windows PC, it is logged in a somewhat obscure log which is maintained for the ReadyBoost functionality. This is only true for Windows Vista and above, as XP did not have ReadyBoost.

Windows Registry The GUI control panel is a long-standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:

Chasing APT Author: Joe Stewart, Dell SecureWorks Counter Threat Unit™ Threat Intelligence. Date: 23 July 2012. URL: Summary Since February 2011, members of the Dell SecureWorks Counter Threat Unit(TM) (CTU) have been engaged in a project to uncover and track as many elements as possible of the so-called "Advanced Persistent Threat" (APT), the term commonly used to refer to cyber-espionage activity carried out against governments, activists, and industry. "Elements" can be anything that provides a point of information — malware, command and control (C2) domains, hostnames, IP addresses, actors, exploits, targets, tools, tactics, and so on. Even though this project is not (and probably never will be) complete, CTU researchers have learned a great deal about the scope and scale of the threat so far, and the insights have been disturbing. The scale of cyber-espionage
