Information Security Daily News

While a co-worker basks in sunny Hawaii, I've taken over his task of sending out a short email with information security news. Never one to waste keystrokes, I thought I'd post the briefings here as well.

Information Security News for January 25, 2018

ADOBE PATCHES FLASH PLAYER, 56 BUGS IN READER AND ACROBAT
https://threatpost.com/adobe-patches-flash-player-56-bugs-in-reader-and-acrobat/128876/

INTEL HALTS SPECTRE/MELTDOWN PATCHING FOR BROADWELL AND HASWELL SYSTEMS
https://threatpost.com/intel-halts-spectre-meltdown-patching-for-broadwell-and-haswell-systems/129615/

Skype, Slack, other apps inherit Electron vuln
https://www.theregister.co.uk/2018/01/24/skype_signal_slack_nherit_electron_vuln/

Microsoft's Jan. 2018 Patch Tuesday Lowdown
https://krebsonsecurity.com/2018/01/microsofts-jan-2018-patch-tuesday-lowdown/

Google X Is Launching a Cybersecurity Company Called Chronicle
https://tech.slashdot.org/story/18/01/24/2255224/google-x-is-launching-a-cybersecurity-company-called-chronicle

Gartner: Worldwide information security spending to hit $93B in 2018
https://www.csoonline.com/article/3219165/it-careers/gartner-worldwide-information-security-spending-to-hit-93b-in-2018.html

Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021
https://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html

Recently Discovered Vulnerabilities:

Mozilla Firefox MFSA2018-02 Multiple Security Vulnerabilities
https://www.securityfocus.com/bid/102786

Apple macOS APPLE-SA-2018-1-23-2 Multiple Security Vulnerabilities
https://www.securityfocus.com/bid/102785

Apple iOS/WatchOS/tvOS/macOS Multiple Security Vulnerabilities
https://www.securityfocus.com/bid/102782

Mozilla Firefox and Firefox ESR Multiple Security Vulnerabilities
https://www.securityfocus.com/bid/102783

Transitioning from Blue Team to Red Team

I moved from Desktop Supervisor to Network Security in 2000. I did Blue Team for two companies from 2000 until early this year. At that point I was given an opportunity to move to Red Team as the company's in-house penetration tester. Starting in a new discipline in Network Security is a daunting task after spending so many years in another area, but a couple of things already were in my favor. I had taken two Red Team oriented SANS courses and certified in both, and I had been doing deep dive intrusion analysis for all those years. I was exposed to a lot of methodologies and exploits.

But defending isn't attacking, and the learning curve was (is) still very wide. Fortunately, there are shared areas of knowledge between being an intrusion analyst and a pen tester. If you're just breaking into network security, those areas will serve you well regardless of what direction you go (or change to in the future).

1. Linux

Linux is the operating system of choice for the majority of tools for both pen testing and intrusion analysis. There are some exceptions, tools you can only run on Windows, but that's a very small subset. The more...

Making a simple network traffic graph with tshark and afterglow

Outputting a pcap file in CSV format for use with afterglow.pl and neato (Graphviz) to create a graph.

To make a simple source and destination graph:

First make the capture file using tcpdump (replace <interface> with the interface to capture on; -w writes the capture to the file the next step reads):

    tcpdump -nn -i <interface> -q -w capture.pcap

Then use tshark to extract the source and destination IP address of each packet and output to a comma separated file:

    tshark -T fields -nn -r capture.pcap -E separator=, -e ip.src -e ip.dst > output.txt

Sort and remove duplicates:

    cat output.txt | sort | uniq > output.csv

or just sort to see all connections:

    cat output.txt | sort > output.csv

Edit the file to remove any lines with incorrect data (for example a line that is just a comma, which tshark emits for packets with no IP layer such as ARP).

Process the file through afterglow to format it in the dot graph format that Graphviz can use:

    cat output.csv | afterglow/afterglow.pl -t > output.dot

Create your graph in .png format:

    cat output.dot | neato -Tpng > output.png
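The afterglow step above can be replaced by a few lines of Python that turn the tshark "src,dst" output into a DOT digraph, dropping the malformed lines (blank fields, bare commas) the post says to edit out by hand and weighting each edge by packet count. This is an added example, not part of the original post; the sample input is constructed and the file names match the procedure above.

```python
import ipaddress
from collections import Counter

# Constructed sample of tshark output (-e ip.src -e ip.dst, separator=,),
# including the kinds of bad lines the post says to edit out by hand.
SAMPLE = """\
10.0.0.5,93.184.216.34
10.0.0.5,93.184.216.34
,
10.0.0.7,
10.0.0.5,10.0.0.1
93.184.216.34,10.0.0.5
not-an-ip,10.0.0.1
"""

def parse_edges(text):
    """Return a Counter of (src, dst) pairs, skipping lines without two valid IPs."""
    edges = Counter()
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 2:
            continue
        src, dst = (p.strip() for p in parts)
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # blank field or garbage: drop it, like the manual edit step
        edges[(src, dst)] += 1
    return edges

def to_dot(edges):
    """Render edges as a DOT digraph; line width grows with packet count."""
    lines = ["digraph traffic {", "  overlap=false;", "  node [shape=box];"]
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{n}", penwidth={min(1 + n // 2, 6)}];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Usage: python3 this.py < output.txt | neato -Tpng > output.png
    # With no stdin it renders the constructed sample instead.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(to_dot(parse_edges(data)))
```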

DerbyCon 7 Live Stream

If you weren't fortunate enough to get a ticket to DerbyCon this year, the conference will once again be live streaming talks. More information will be available closer to the conference at www.derbycon.com.

But did you know (almost) every talk is also available for viewing after the conference is over? You can find past DerbyCon presentations here as well as dozens of other conferences, or on IronGeek's YouTube channel here. Not as interesting or as much fun as being there, but if you're looking for good presentations to learn pen testing or blue teaming tactics, it's a great resource.

Simple Username Harvesting (from SANS SEC542)

Go to a web site that requires a login. Put in any username with any password. Did the page come back with both the User and Password fields blank? Now put YOUR username in, but with some password you make up. Does the form come back with your username in the User field and nothing in the Password field? If so, here's what you just discovered. The developer is making his form more efficient by not hashing and testing the password to see if it's correct unless the username is valid. If the username IS valid, he populates the User field with it and checks the password. If the password is incorrect, he only clears the Password field so you can retry your password. You just discovered a crude form of username harvesting. Try different usernames and if they remain in the User field, that's a valid account on the server. I know, that would take a lot of time to do it that way. That's why hackers write automated tools.
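The form behaviour described above, written out as an added example (not code from the SANS course or the original post): a login handler that skips the password check for unknown usernames and keeps a valid username in the form, beside a hardened handler that always runs the hash and returns the same response on every failure. The user store and salt are constructed; `distinguishable` is the check a reviewer can run against either handler.

```python
import hashlib
import hmac

# Constructed user store: username -> (salt, PBKDF2 hash). Not real credentials.
def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy hash so unknown users still cost one PBKDF2 run (same timing profile).
_DUMMY = (_SALT, _hash("dummy", _SALT))

def login_vulnerable(username, password):
    """Mirrors the form the post describes: the password is only checked when
    the username exists, and a failed password keeps the username in the form.
    The returned form fields leak whether the account exists."""
    if username not in USERS:
        return {"ok": False, "form": {"user": "", "password": ""}}
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return {"ok": True, "form": {}}
    return {"ok": False, "form": {"user": username, "password": ""}}

def login_hardened(username, password):
    """Same outcome for any failure: always run the hash, always clear both
    fields, one generic error string."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if ok:
        return {"ok": True, "form": {}}
    return {"ok": False, "form": {"user": "", "password": ""},
            "error": "Invalid username or password"}

def distinguishable(handler):
    """Review check: does a failed login look different for a real account
    than for a made-up one? True means the form leaks account existence."""
    real = handler("alice", "wrong")
    fake = handler("nobody", "wrong")
    return real != fake
```

The same check belongs in a web app's test suite, with response body, status code and timing compared between the two failures.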

Using Wildcards To Change the Functionality of Search

In the packet capture framework Moloch, there are a large variety of keywords you can use to grep through packets, such as http.uri. An http.uri query would look something like this:

    http.uri == "misc.php?v=4112&js=js"

That's a powerful tool, but what if you wanted to just see all packets with a URI in the last hour? http.uri and other search fields require a comparison operator (==, >=) followed by a search string. The simple way to change the functionality of the search is just to wildcard the search string:

    http.uri == *

will show you all the packets that contain a URI in the timeframe specified. It's an easy way to expand the functionality of the search when you're not sure exactly what you're searching for.

msfrpcd

Did you forget the PostgreSQL credentials to start msfrpcd in your Metasploit instance? There's a quick way to recover that username and password. Open up msfconsole and run the command "load msgrpc". You'll get output like this:

    msf > load msgrpc
    MSGRPC Service:  127.0.0.1:55552
    MSGRPC Username: msf
    MSGRPC Password: aKCU4AgT
    Successfully loaded plugin: msgrpc
    msf >

Now start msfrpcd with -P and that password and you're set. Reference https://help.rapid7.com/metasploit/Content/framework/msf-rpc-service.html for more info.

PacketTotal

The SANS Storm Center did a diary article on PacketTotal, which you can find here. PacketTotal is a (free) site where you upload a pcap (up to 50 Mb) and the site will analyze it and give you a console view that includes malicious or suspicious activity as well as a breakout of http, dns and other protocols. It will also give you a nice timeline graph showing the packets as they interact, which is really nice. Lastly, if you like graphs, you get an analytics page showing the breakout of stats on the traffic. You can find it at, yes, packettotal.com.