Archive for 2021
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →As Dean of Research for our graduate school (sans.edu), I often assist students in developing their research ideas. The research conducted by our students is valuable and important to defend our networks against highly organized and well-funded threat actors. Any restriction on our student’s ability to conduct their research, and sharing their results freely, only adds additional unnecessary burdens on us as network defenders. With that, I am happy that I was able to co-sign the attached statement by the Electronic Frontier Foundation (EFF) on behalf of the SANS Technology Institute. Legal threats against good faith security researchers only discourage the open exchange of ideas. If we hope to have a chance to defend, we will have to keep exchanging these ideas, learn and we need to continue to be curious hackers exploring the technologies that are the foundation of our everyday living.
—
We the undersigned write to caution against use of Section 1201 of the Digital Millennium Copyright Act (DMCA) to suppress software and tools used for good faith cybersecurity research. Security and encryption researchers help build a safer future for all of us by identifying vulnerabilities in digital technologies and raising awareness so those vulnerabilities can be mitigated. Indeed, some of the most critical cybersecurity flaws of the last decade, like Heartbleed, Shellshock, and DROWN, have been discovered by independent security researchers.
However, too many legitimate researchers face serious legal challenges that prevent or inhibit their work. One of these critical legal challenges comes from provisions of the DMCA that prohibit providing technologies, tools, or services to the public that circumvent technological protection measures (such as bypassing shared default credentials, weak encryption, etc.) to access copyrighted software without the permission of the software owner. 17 USC 1201(a)(2), (b). This creates a risk of private lawsuits and criminal penalties for independent organizations that provide technologies to researchers that can help strengthen software security and protect users. Security research on devices, which is vital to increasing the safety and security of people around the world, often requires these technologies to be effective.
Good faith security researchers depend on these tools to test security flaws and vulnerabilities in software, not to infringe on copyright. While Sec. 1201(j) purports to provide an exemption for good faith security testing, including using technological means, the exemption is both too narrow and too vague. Most critically, 1201(j)’s accommodation for using, developing or sharing security testing tools is similarly confined; the tool must be for the “sole purpose” of security testing, and not otherwise violate the DMCA’s prohibition against providing circumvention tools.
If security researchers must obtain permission from the software vendor to use third-party security tools, this significantly hinders the independence and ability of researchers to test the security of software without any conflict of interest. In addition, it would be unrealistic, burdensome, and risky to require each security researcher to create their own bespoke security testing technologies.
We, the undersigned, believe that legal threats against the creation of tools that let people conduct security research actively harm our cybersecurity. DMCA Section 1201 should be used in such circumstances with great caution and in consideration of broader security concerns, not just for competitive economic advantage. We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good faith security research In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.
Bishop Fox
Bitwatcher
Black Hills Information Security
Bugcrowd
Cybereason
Cybersecurity Coalition
Digital Ocean
disclose.io
Electronic Frontier Foundation
Grand Idea Studio
GRIMM
HackerOne
Hex-Rays
iFixIt
Luta Security
McAfee
NCC Group
NowSecure
Rapid7
Red Siege
SANS Technology Institute
SCYTHE
Social Exploits LLC
see https://www.eff.org/deeplinks/2021/06/dmca-security-researcher-statement
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →It can be a little disheartening to deal with well-prepared phishing attacks every day, since one can easily see how even users who are fully “security-aware” could fall for some them. The messages don’t even have to be too complex to be believable. For example, a message containing seemingly innocuous text and a link that points to legitimate, well-known domain hosting an application that is affected by open redirect vulnerability (I’m looking at you, Google[1], though – to be fair – you’re hardly alone[2]) can look quite trustworthy, if no obvious red flags are present.
Fortunately, most phishing messages in the wild are easy to spot, even if anti-spam and anti-phishing filters on e-mail gateways don’t stop them. We usually tend not to give these run of the mill messages a second look, since they are not too dangerous under most circumstances. However, if we do, some of them might prove to be at least somewhat interesting, even if it is only due to a mistake on the part of their author. One such easy to spot message that made me smile was forwarded to me this week by one of my Hungarian colleagues, but before we get to it, however, let’s set the stage a little.
It is not unusual for phishing authors to use lures along the lines of “if you believe that this message was sent to you in error, please let us know by clicking here”, “if you were not the one to request the transfer of funds, you may cancel it on this link” or “if you believe that your account was used in a fraudulent operation, let us know immediately”, as the following example shows.
It is quite out of the ordinary to find the complete opposite of these sentiments – i.e. “do not report abuse” – in a phishing e-mail. This was, however, indeed the case with the message I was sent…
As you may see, it is in Hungarian, and according to a translation by Google Translate, it basically says “you need to run a check on your e-mail using this link to be able to receive further messages”. This would be hardly unusual, however the last sentence next to the copyright comes down to “Your system administrator has advised you not to report abuse”.
I don’t dare guess whether this less than usual instruction was the result of an error in automatic translation from another language, an unsuccessful attempt at making the message appear more trustworthy or whether the author of the e-mail included it in the hope that users really wouldn’t report the phishing, if they saw through it… In either case, it certainly wouldn’t add to the credibility of the message, even if the link didn’t lead to a very generic page containing a form requesting e-mail, username and password.
As this message shows, even looking at some of the less-than-stellar phishing attempts can sometimes be interesting… and after dealing with more sophisticated attacks, it can be good for morale as well.
[1] https://isc.sans.edu/forums/diary/Open+redirects+and+why+Phishers+love+them/27542/
[2] https://isc.sans.edu/forums/diary/Guest+Diary+Open+Redirect+A+Small+But+Very+Common+Vulnerability/25276/
———–
Jan Kopriva
@jk0pr
Alef Nula
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →If you are involved in the security industry you are at least somewhat familiar with the Mitre ATT&CK framework, the very useful, community driven, knowledgebase of attack threat models and methodologies which can be used to emulate adversary behavior to test security controls. However fewer are aware of a lesser known Mitre project, Common Weakness Enumeration (CWE).
CWE is a community developed list of common software and hardware weaknesses which serves as a common language which can be used as an input to security processes. One way I have commonly used the CWE is to aid in creation of Request for Proposals (RFP) for security products, but it can also be used as input to penetration tests, security assessments, product testing and many other use cases.
At the present time the CWE contains 918 documented weaknesses, but the CWE contributors have organized those weaknesses into useful groupings, or views, which make the CWE applicable to many different usages. One of the most popular views is the CWE Top 25 Most Dangerous Software Weaknesses, which can be used as a starting point to securing software applications. There is also a view which maps weaknesses to the OWASP Top 10 as well as many other views into the CWE data.
The CWE Project as well as ATT&CK are always looking for contributors. Getting involved in projects like these are an excellent way to network in the security industry as well as an excellent place to develop security skills. For those of you who are new to the security industry, active participation in projects like these can look very good on your resume. Please consider contributing if you have the time.
— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →I did create a SANS cheat sheet for oledump.py.
Here is a short video where I go over the cheat sheet and give some simple demos:
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →When you’re facing some suspicious files while performing forensic investigations or analyzing malware components, it’s always interesting to know these files are legit or malicious/modified. One of the key sources to verify hashes is provided by NIST and is called the NSLR project (“National Software Reference Library”)[1]. They build “Reference Data Set” (RDS) of information that can be queried to verify a file hash. These RDS are available to download[2] but, as you may expect, there are huge (they are provided as ISO files between 500MB to 4GB!)
CIRCL[3], the Luxembourg CERT, has a good reputation to offer/participate in services like MISP, a passive DNS service, etc. They are now offering an API to query the NIST RDS via HTTP or DNS requests!
How does it work? You can use the FQDN hashlookup.circl.lu like this:
PS C:Usersxavie> curl.exe -X GET https://hashlookup.circl.lu/lookup/md5/8ED4B4ED952526D89899E723F3488DE4 -H 'Accept: application/json'
{
"CRC32": "7A5407CA",
"FileName": "wow64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_10.0.16299.579_de-de_f24979c73226184d.manifest",
"FileSize": "2520",
"MD5": "8ED4B4ED952526D89899E723F3488DE4",
"OpSystemCode": {"MfgCode": "1006", "OpSystemCode": "362", "OpSystemName": "TBD", "OpSystemVersion": "none"},
"ProductCode": {
"ApplicationType": "Security",
"Language": "Multilanguage",
"MfgCode": "608",
"OpSystemCode": "868",
"ProductCode": "190742",
"ProductName": "Cumulative Update for Windows Server 2016 for x64 (KB4338817)",
"ProductVersion": "1709"
},
"SHA-1": "00000079FD7AAC9B2F9C988C50750E1F50B27EB5", "SpecialCode": ""
}
You can also query the database via a DNS request (my preferred method!):
[email protected]:/# dig +short -t TXT 8ED4B4ED952526D89899E723F3488DE4.dns.hashlookup.circl.lu | jq -r . | jq . { "CRC32": "7A5407CA", "FileName": "wow64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_10.0.16299.579_de-de_f24979c73226184d.manifest", "FileSize": "2520", "MD5": "8ED4B4ED952526D89899E723F3488DE4", "OpSystemCode": {"MfgCode": "1006", "OpSystemCode": "362", "OpSystemName": "TBD", "OpSystemVersion": "none"}, "ProductCode": { "ApplicationType": "Security", "Language": "Multilanguage", "MfgCode": "608", "OpSystemCode": "868", "ProductCode": "190742", "ProductName": "Cumulative Update for Windows Server 2016 for x64 (KB4338817)", "ProductVersion": "1709" }, "SHA-1": "00000079FD7AAC9B2F9C988C50750E1F50B27EB5", "SpecialCode": "" }
SHA1 and MD5 hashes are supported and you can also submit bulk requests. More documentation is available here[4].
If you need to scan a complete filesystem, my recommendation is of course to use your own local copy of the NIST databases! Many forensic tools allow you to compare hashes against a local database. But when you quickly need to check a single file or a restricted set of files, this service is perfect! Thank you to CIRCL for providing this to the community! The website says also that more databases will be added in the future!
[1] https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl
[2] https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl/nsrl-download/current-rds
[3] https://circl.lu
[4] https://gist.github.com/adulau/4191d44e30fc01df38f1d5fe605fa920#file-hashlookup-circl-lu-md
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Reposted from SANS. View original.
Posted in: SANS
Leave a Comment (0) →A big "thank you" to our major sponsors...
