Cyber Security News: April 2017

Sunday, April 30, 2017

Bug Bounties: An Overview of Their Past, Present, and Future

Bug bounties, security acknowledgements, and reward programs all have strong ties to IT security today. But that wasn’t always the case. In the past, public penetration testers and security researchers mostly looked out for their personal benefit without recognizing their own responsibility to the security community. The reason? In a lot of cases, the consultants […]… Read More

The post Bug Bounties: An Overview of Their Past, Present, and Future appeared first on The State of Security.

from Bug Bounties: An Overview of Their Past, Present, and Future

4 Things Birdwatching Can Teach About Security Awareness

Sometimes you find inspiration in unlikely places. Never did I think, for example, that I would be able to connect my day job as a writer in the security awareness field with a burgeoning hobby of mine: birdwatching. But the more I “bird,” the more what I learn about birdwatching—both in the field and from […]… Read More

The post 4 Things Birdwatching Can Teach About Security Awareness appeared first on The State of Security.

from 4 Things Birdwatching Can Teach About Security Awareness

Information Security Events For May

Here are information security events in North America this month: IEEE International Symposium on Hardware Oriented Security and Trust (HOST 2017) : May 1 to 5 in McLean, VA, USA BigSecurity 2017 : May 1 to 4 in Atlanta, GA, USA CSO50 Security Confab 2017 : May 1 to 3 in Scottsdale, [...]

The post Information Security Events For May appeared first on Infosec Events.

from Information Security Events For May

Week 17 In Review – 2017

Resources Probable-Wordlists - github.com Wordlists sorted by probability originally created for password generation and testing VM escape - QEMU Case Study - www.phrack.org Virtual machines are nowadays heavily deployed for personal use or within the enterprise segment. Network security vendors use for instance different VMs to analyze malwares in a controlled and confined environment. Vulnerabilities [...]

The post Week 17 In Review – 2017 appeared first on Infosec Events.

from Week 17 In Review – 2017

Netflix and Orange is the New Black Are Being Held for Ransom

Netflix has been asked to pay an unspecified amount in ransom. Un-aired episodes of the show, Orange is the New Black (OTNB) is the hostage. This time it’s personal: I wait months for the new season and I don’t want any spoilers. I met Jenji Kohan’s husband, Chris Noxon, years ago at a marketing conference […]

The post Netflix and Orange is the New Black Are Being Held for Ransom appeared first on Bromium.

from Netflix and Orange is the New Black Are Being Held for Ransom

Book Review: Bitcoin and other virtual currencies for the 21st Century by J. Anthony Malone

A very handy book to approach Bitcoin.Let me try to share with you the main learning points I collected from this book. As always, here it goes my personal disclaimer: the reading of this very personal and non-comprehensive summary by no means replaces...

from Book Review: Bitcoin and other virtual currencies for the 21st Century by J. Anthony Malone

R⁶ — Using pandoc from R + A Neat Package For Reading Subtitles

Once I realized that my planned, larger post would not come to fruition today I took the R⁶ post (i.e. “minimal expository, keen focus) route, prompted by a Twitter discussion with some R mates who needed to convert “lightly formatted” Microsoft Word (docx) documents to markdown. Something like this: to: This is definitely a job... Continue reading →

from R⁶ — Using pandoc from R + A Neat Package For Reading Subtitles

Can Blockchain Technology Secure Your Vote?

Saturday, April 29, 2017

Hacker holds Netflix to ransom over ‘Orange is the New Black’

A hacker claims to have released the new series of the hit prison TV show “Orange is the New Black” onto the internet, after Netflix failed to agree to pay an undisclosed ransom.

Read more in my article on the We Live Security blog.

from Hacker holds Netflix to ransom over ‘Orange is the New Black’

ShadowBrokers Leak: A Machine Learning Approach

During the past few weeks I read a lot of great papers, blog posts and full magazine articles on the ShadowBrokers Leak (free public repositories: here and here) released by WikiLeaks Vault7. Many of them described the amazing power of such a too...

from ShadowBrokers Leak: A Machine Learning Approach

KNOW before NO

I recently posted the below on the SANS Internet Storm Center.

A good friend told me that an engaged information security professional is one who leads with the KNOW instead of the NO. This comment struck me and has resonated well for the last several years. It has encouraged me to better understand the desires of the business areas in an attempt to avoid the perception of being the "no police”.

We are each able to recognize the value in sprinkling in the information security concepts early and often into software development projects. This approach saves each of the stakeholders a great deal of time and frustration. Especially when compared to the very opposite approach that often causes the information security team to learn at the very last minute of a new high profile project that is about to launch without the proper level of information security engagement.

There are certainly projects and initiatives that may very well still warrant a “no” from an information security perspective. Before we go there by default, I respectfully invite us all to KNOW before we NO. I truly believe that each of us can all improve the level of engagement with our respective business areas by considering this approach. In what areas can you KNOW before you NO next week?

Please leave what works in the comments section below.

Russell Eubanks

from KNOW before NO

Friday Squid Blogging: Live Squid Washes up on North Carolina Beach

A "mysterious squid" -- big and red -- washed up on a beach in Carteret County, North Carolina. Someone found it, still alive, and set it back in the water after taking some photos of it. Squid scientists later decided it was a diamondback squid. So, you think that O'Shea might know the identity of the squid Carey Walker found...

from Friday Squid Blogging: Live Squid Washes up on North Carolina Beach

FTC Says Identity Theft Victims Don’t Always Need a Police Report

Victims of identity theft don’t always need to file a police report, explains the Federal Trade Commission (FTC) in an alert. In an effort to help simplify the recovery process for identity theft victims, the FTC has created a government portal at IdentityTheft.gov. Victims just need to register with this page and answer some questions. […]… Read More

The post FTC Says Identity Theft Victims Don’t Always Need a Police Report appeared first on The State of Security.

from FTC Says Identity Theft Victims Don’t Always Need a Police Report

Working with Autism in Application Security

Gender disparities in STEM fields are a widespread and persistent problem. Last month, some of my female coworkers hosted a webinar and sparked some discussion about these issues in application security. It coincided with a great article in The Atlantic about the same thing, so it’s good that the community is devoting attention to diversity […]

The post Working with Autism in Application Security appeared first on WhiteHat Security.

from Working with Autism in Application Security

Working with Autism in Application Security

The post Working with Autism in Application Security appeared first on WhiteHat Security.

from Working with Autism in Application Security

Threat Round-up for Apr 21 – Apr 28

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 21 and April 28. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

Doc.Macro.MaliciousHeuristic-6298845-0
Office Macro
Office macro code is used to further compromise a target system. Macros can leverage external system binaries to execute other binaries to further compromise the system. This signature looks for code associated with hiding the core functionality by including junk code.
Win.Dropper.DarkComet-6301230-0
Trojan/RAT dropper
This is a malware dropper. It currently drops the DarkComet RAT. The file is a slightly modified version of wextract.exe, a legitimate Windows tool to unpack archives. The malware payload is stored in the resource section of the binary. The dropper binary is actually a multi-format file, and can be interpreted both as a PE executable as well as a cab archive. The modified Windows binary will extract the payload binary from itself and run the extracted file.
Win.Trojan.ServStart
Trojan
ServStart is a trojan that installs a persistent service on the victim’s machine. The service exfiltrates information about the infected computer including machine name, username, keyboard language, and computer performance specifications. The malware server can respond with commands to download and execute files, or execute shell commands. ServStart has been observed using multiple dynamic DNS providers for its command and control infrastructure.
Win.Trojan.Agent-6298180-0
Trojan (credential stealer)
This sample attempts to collect stored credentials from a number of installed applications and then attempts to transmit those credentials back to a PHP application on a possibly compromised server.
Win.Trojan.PWS-6299789-0
Password stealer, injector
PWS (also known as Fareit or Chisburg) is a credential & sensitive information harvester. Select information such as banking credentials or web browser password databases are queried for on the infected host. Any discovered data is propagated to a C2. These recent samples are protected with the Armadillo packer & rely on both code injections & dropped VBScript code.
Win.Dropper.Emotet-6301061-0
Dropper
This dropper is delivered through different mechanism, most of the time the victims is redirected to a website to get it through malicious pdf, http iframe injected. Once running on the computer the binary is gathering details on volume disk drive and other details, injecting process, dropping itself and contacting internet to execute more. Websites observed delivering ransomware and trojan banker.

Threats

Doc.Macro.MaliciousHeuristic-6298845-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

storefronts[.]pl

File Hashes

23b90b1c55fdbbd371655da0ccf359e891deb51ed5bbc0ac772c5d572f4b3a42
2471636a92daa0a54095aa66b55ad2fea5fd5d6372b0be9d65d1d1e2cef31bd5
2b24221aabc8cd18e756a579b29a005fc9c33213f5ec963b9b6ccf4e6187b23b
4b781b8370f973b9204b44c8ce3615692fc66c1613967a44924984d35fba7bc4
4ee6b9bb8e903bed9a82c7dad6d62163e3a4f759ade5f5f8fcf899945bfd9264
564c37dcd8322bd6e8cabc788f982a35f7d3e335c3d736ce544fc17a6b090183
59b54e7c4e052adbc1d64dc61623af6f55db1a8692b373cb6ca871ba087feaac
6930d456c506c94b9e19a08659181b7d376254dca652d0e56c305764867578d2
6a0eae0addd6ce84966ac1bd006e9582036eaaa1011a38190f700871cc37de24
7045d8f339cab73cf0ec7f31a7b3a31a84057f0b275f789f4bfed9dffee35564
7638745d08de218fa16e9c0828ed0a1139223d3ebddf4bb528bc3ae185cea90e
81cdded9aa21513ad9c6ae04455a7fce68129135f3358b9c5e28a80139e78f21
93472e054b4b4fcc54a71a32b6275f8b35c8ef84490248d21c094f19a537c773
a0bfeb90468ddf50a3c85d5074e002b1d89995d6377eceeb0781ba5292facbcc
b3dfdfcfea160ed34eb69da55909294f78d2b5a6320cbf5151a3da01c6449631
c185559d0a38e782167beacff78a7a72544d82890b5e5723e6a25a70e6e16d59
d2c1b89129e3e26544bfbef3fac4567c3629817a98ded9ce5c7dee485d0364a9
f2e4fe273c4a8cc1cd7799d5558c58b8a08dfe160235dfa2eb2a8bad9bba40aa
02481825e922c38ba797ebc18d5a8273ede8c5a4d52eecd2f58eb569533d780b
06736e5f3127a54bbe6bb25f4a82ca95371e5cc8654a893c02d3d4e677e0b916
21b039f3171f26911290dad3e1ce0da6d6d3545e11f9a119408922ac2ae06db6
2643f9f8dce45983eac80feeebd16adbd498e3a644ef8b05bc40448be9342ddf
2ac6b5487c69427476b48bcbbddd7646842e02363a0d4ebe1b1998da6d1f55a8
2dad87b69ee91bfa71d911b791e5468efb6ce689ccc4cde3e91626cbfcfc14ab
2f4853b54c36adf9ca9fbb163dacedee78b6b027fac3c24c72120e9d8cc6f01e

Coverage

Detection Screenshots

AMP

ThreatGrid

Umbrella

Malware