ISC StormCast for Tuesday, September 1st 2015 http://isc.sans.edu/podcastdetail.html?id=4637, (Tue, Sep 1st)

SANS Internet Storm Center, Security Alerts
Aug 31 2015
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Encryption of "data at rest" in servers, (Tue, Sep 1st)

SANS Internet Storm Center, Security Alerts
Aug 31 2015
 

Over in the SANS ISC discussion forum, a couple of readers have started a good discussion https://isc.sans.edu/forums/Encryption+at+rest+what+am+I+missing/959 about which threats we actually aim to mitigate if we follow the HIPAA/HITECH (and other) recommendations to encrypt data at rest that is stored on a server in a data center. Yes, it helps against outright theft of the physical server, but, as many recent prominent data breaches suggest, it doesn't help all that much if the attacker comes in over the network and has acquired admin privileges, or if the attack exploits a SQL injection vulnerability in a web application.

There are types of encryption (mainly field or file level) that can also help against these eventualities, but they are usually more complicated and expensive, and not often applied. If you are interested in data at rest encryption for servers, please join the mentioned discussion in the Forum.


Gift card from Marriott?, (Tue, Sep 1st)

SANS Internet Storm Center, Security Alerts
Aug 31 2015
 

Always nice when the spammers are so forthcoming as to send their latest crud directly to our SANS ISC honeypot account. The current incarnation:

Subject: Re: Your complimentary 3-night stay giftcard (Expires 09
From: Marriott Gift Card [email protected]

came from

Received: from summerallstar.review (50.22.145.13-static.reverse.softlayer.com [50.22.145.13])

which kinda figures: Softlayer is among the cloud computing providers whose "get a virtual server FREE for one month" offering is one that scammers can't resist. The Marriott email said:

Marriott Special Gift Card:
=======================================================
Expires 09/15/15
Notification: #2595319
=======================================================

ALERT: Your Marriott-Gift Card will expire 09/15/15.

Please claim your gift-card at the link below:
http://seespecial.summerallstar[dot]review

This gift-card is only good for one-person to claim
at once with participation required. Please respect the
rules of the special-giftpromo.

=======================================================
Expires 09/15/15
Notification: #2595319
=======================================================

End-GiftCard Notification


.review? How lovely! Let's use the opportunity to again *thank* ICANN for their moronic money grab, and all the shiny new useless top level domains that honest users and corporations now have to avoid and block. The lesson learned a couple of years ago, when .biz and .info came online, should have been enough to know that the new cyber real estate would primarily get occupied by crooks. But here we are. I guess ICANN and most domain name pimps don't

It doesn't

Somewhere along the way, it seems like the connection to Marriott got lost. Which is maybe all the better...


Detecting file changes on Microsoft systems with FCIV, (Mon, Aug 31st)

SANS Internet Storm Center, Security Alerts
Aug 31 2015
 

Microsoft often releases interesting tools to help system administrators and incident handlers investigate suspicious activities on Windows systems. In 2012, they released a free tool called FCIV (File Checksum Integrity Verifier) (1). It is a stand-alone executable which does not require any DLL or other resources; just launch it from any location. Its goal is to browse a file system or some directories recursively and to generate MD5/SHA1 hashes of all the files found. The results are saved in an XML database. FCIV is used in proactive and reactive ways. The first step is to build a database of hashes on a clean computer (proactive). Then the generated database is re-used to verify a potentially compromised system (reactive).

Most big organizations work today with system images. The idea is to scan an unused clean system (which will of course receive patches and software updates via a system like WSUS) and to generate a baseline of hashes. Only the tail of the command survives in this copy:

PS C:\> ... -type *.job -type *.jar

This command will search recursively for the specified file types on the C: drive and store both hashes in the specified XML file. A small PowerShell script (2) will do the job: it generates a unique database name (based on the current date, yyyymmdd) and, at the end, also computes the SHA1 hash of this database. FCIV can then verify (-v) a file system against that database, with -bp giving the base path:

PS D:\bin> fciv.exe -xml d:\hashdb-20150830.xml -v -bp C:\

The database being an XML file, it's tempting to have a look at it and reuse the content with other investigation or monitoring tools. However, it's unusable in its default format because Microsoft writes all the data on a single line and the hashes are stored in raw Base64. So they must first be Base64-decoded and then hex-encoded to be recognized as regular MD5 or SHA1 hashes. This can be achieved very easily with a few lines of Python. Here is a small script (3) that will parse a FCIV database and generate a CSV file with 3 columns: the full path of the file, the MD5 hash and the SHA1 hash.

A last tip: execute a scheduled task every night on a standard computer image from a USB stick and store the generated XML database (and its .sha1sum) on a remote system. You'll have a good starting point to investigate a compromised computer.
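As an added, self-contained illustration of the three steps above (the Base64-to-hex conversion of the FCIV database, the .sha1sum check on the database itself, and the comparison of a suspect system against the baseline), here is example code that is not the diary's hashparser.py or fciv.ps1. It assumes the FCIV layout is FCIV/FILE_ENTRY with name, MD5 and SHA1 children; the sample database is constructed inline from hashes of a few made-up file contents, so it runs offline, and the comparison takes an in-memory {path: bytes} map in place of a real file system walk.

```python
import base64
import csv
import hashlib
import io
import xml.etree.ElementTree as ET

# Constructed sample: two fake files. The element names used below
# (FCIV / FILE_ENTRY / name / MD5 / SHA1) are an assumption about the
# FCIV database layout; FCIV writes the whole document on one line with
# the digests as raw Base64, which is what build_sample_db() reproduces.
SAMPLE_FILES = {
    r"C:\Windows\System32\notepad.exe": b"abc",  # constructed content
    r"C:\Windows\Tasks\backup.job": b"",         # constructed, empty file
}


def b64_digest(algo, data):
    """Digest of data under algo ('md5' or 'sha1'), Base64-encoded as FCIV stores it."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def sha1sum(data):
    """Hex SHA1, the value one would keep in the database's .sha1sum file."""
    return hashlib.sha1(data).hexdigest()


def build_sample_db(files):
    """Emit a one-line FCIV-style XML document for the constructed files."""
    entries = "".join(
        "<FILE_ENTRY><name>%s</name><MD5>%s</MD5><SHA1>%s</SHA1></FILE_ENTRY>"
        % (path, b64_digest("md5", data), b64_digest("sha1", data))
        for path, data in files.items()
    )
    return '<?xml version="1.0" encoding="utf-8"?><FCIV>%s</FCIV>' % entries


def parse_fciv(xml_text):
    """Return [(path, md5_hex, sha1_hex), ...]: Base64 decoded, then hex encoded."""
    rows = []
    for entry in ET.fromstring(xml_text).iter("FILE_ENTRY"):
        path = entry.findtext("name")
        md5_hex = base64.b64decode(entry.findtext("MD5")).hex()
        sha1_hex = base64.b64decode(entry.findtext("SHA1")).hex()
        rows.append((path, md5_hex, sha1_hex))
    return rows


def rows_to_csv(rows):
    """The three-column CSV (path, md5, sha1) other tools can ingest."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["path", "md5", "sha1"])
    writer.writerows(rows)
    return buf.getvalue()


def db_is_intact(xml_bytes, expected_sha1_hex):
    """Check the stored .sha1sum before trusting a baseline fetched from the remote store."""
    return sha1sum(xml_bytes) == expected_sha1_hex.lower()


def compare_to_baseline(baseline_rows, current):
    """current: {path: bytes} of the suspect system. Returns (modified, missing, new)."""
    baseline = {path: (md5, sha1) for path, md5, sha1 in baseline_rows}
    modified, missing = [], []
    for path, (md5, sha1) in baseline.items():
        if path not in current:
            missing.append(path)
            continue
        data = current[path]
        if (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()) != (md5, sha1):
            modified.append(path)
    new = sorted(set(current) - set(baseline))
    return sorted(modified), sorted(missing), new


if __name__ == "__main__":
    db = build_sample_db(SAMPLE_FILES)
    print(rows_to_csv(parse_fciv(db)))
    print("db sha1:", sha1sum(db.encode()))
```

The two constructed contents were chosen so the decoded values can be checked against the standard MD5/SHA1 test vectors for "abc" and the empty string; on a real database the same parse_fciv() applies unchanged, and compare_to_baseline() would be fed hashes computed while walking the suspect disk.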

(1) http://www.microsoft.com/en-us/download/details.aspx?id=11533
(2) https://github.com/xme/powershell_scripts/blob/master/fciv.ps1
(3) https://github.com/xme/powershell_scripts/blob/master/hashparser.py

