Blog

Archive for January, 2021

YARA v4.0.4, (Sun, Jan 31st)

YARA version 4.0.4 was released (right after version 4.0.3).

These are bugfix versions for bugs in the dotnet and macho modules.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS


Wireshark 3.4.3 Released, (Sun, Jan 31st)

Wireshark version 3.4.3 was released.

For Windows users, Npcap 1.10 replaces version 1.00.

It has vulnerability and bug fixes, like a USB HID dissector crash & memory leak.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

PacketSifter as Network Parsing and Telemetry Tool, (Sat, Jan 30th)

I saw PacketSifter[1], a new package on GitHub, and figured I would give it a try to test its functionality. It is described as “PacketSifter is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files.” It is less than a month old: the initial release was on 31 Dec 2020, and the last update was 22 days ago.

What I found interesting about this tool is the fact that it uses various tshark filters to parse the information into various types of statistics (conversations & endpoints) such as IP, TCP and HTTP, presenting the data in a way that can be easily understood and easily searched using various regex tools. I use Elasticsearch to collect, parse and analyze my logs, but I also see PacketSifter as an alternative to quickly summarize packet data.

The result of the dns.pcap was a list of malformed DNS packets and the http.pcap was all the web traffic saved into a single file.

One of the requirements for this tool is you need to have tshark installed. My test was done with the latest version of CentOS 7.

Download the tool from GitHub, which also contains the VirusTotal setup file. Ensure the system meets the following requirements:

  • Tshark[2] installed
  • VirusTotal[4] API key
  • curl (to make web requests) and jq

$ git clone https://github.com/packetsifter/packetsifterTool.git
$ cd packetsifterTool
$ chmod 555 packetsifter.sh
$ sh VTInitial.sh

Note: This file only contains web and DNS traffic

$ ./packetsifter.sh ../honeypot-2021-Jan-29-19-25-42.pcap

  • Would you like to resolve host names observed in pcap? This may take a long time depending on the pcap!!

<> This can result in DNS queries for attacker infrastructure. Proceed with caution!!
(Please supply Y for yes or N for no) N

http.pcap contains all conversations containing port 80,8080,8000
Running as user “root” and group “root”. This could be dangerous.

  • Would you like to export HTTP objects? The objects will be outputted to a tarball in the current directory titled: httpObjects.tar.gz

<> There could be a lot of HTTP objects and you can potentially extract malicious http objects depending on the pcap. Use with caution!!
(Please supply Y for yes or N for no) Y

  • Would you like to lookup exported HTTP objects using VirusTotal?

**Warning** You must have ran the VTinitial.sh script to initialize PacketSifter with your VirusTotal API Key.
(Please supply Y for yes or N for no) Y

################# SMB SIFTING #################

Stats on commands ran using smb or smb2 has been generated and is available in: SMBstatistics.txt

No SMB traffic found. Deleting arbitrary SMBstatistics.txt
smb.pcap contains all conversations categorized by tshark dissectors as NBSS, SMB, or SMB2
Running as user “root” and group “root”. This could be dangerous.

No SMB traffic found. Deleting arbitrary smb.pcap.

  • Would you like to export SMB objects? The objects will be outputted to a tarball in the current directory titled: smbObjects.tar.gz

<> There could be a lot of SMB objects and you can potentially extract malicious SMB objects depending on the pcap. Use with caution!!
(Please supply Y for yes or N for no) N

################# DNS SIFTING #################

dns.pcap contains all conversations categorized by tshark dissectors as DNS
Running as user “root” and group “root”. This could be dangerous.

DNS A query/responses have been outputted to dnsARecords.txt
No DNS A records found. Deleting arbitrary dnsARecords.txt

DNS TXT query/responses have been outputted to dnsTXTRecords.txt. DNS TXT records can be used for nefarious reasons and should be glanced over for any abnormalities.
No DNS TXT records found. Deleting arbitrary dnsTXTRecords.txt

################# FTP SIFTING #################
ftp.pcap contains all conversations categorized by tshark dissectors as FTP
Running as user “root” and group “root”. This could be dangerous.
No FTP traffic found. Deleting arbitrary ftp.pcap

Packet sifting complete! Thanks for using the tool.

After the tool completed its analysis, a total of 7 files were generated by the script: 2 pcap and 5 text.

$ ls -1 *.txt && ls -1 *.pcap

  • errors.txt
  • http_info.txt
  • IOstatistics.txt
  • IPstatistics.txt
  • TCPstatistics.txt
  • dns.pcap
  • http.pcap

The script is using tshark to provide various statistics such as:

  • HTTP/Packet Counter
  • HTTP/Requests
  • HTTP/Load Distribution
  • HTTP Responses by Server Address
  • TCP Endpoint Statistics
  • IP Endpoint Statistics

It extracts all the web objects into this file: httpObjects.tar.gz

$ tar zxvf httpObjects.tar.gz
$ cd httpObjects
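The tshark statistics the script pulls, together with the HTTP object export, can be reproduced in a few commands. The following is an added example, not PacketSifter's own code: it assumes tshark is on the PATH for the sifting function, while the summarise_http() helper and the sample field lines are constructed here so the summary part runs offline.

```shell
#!/bin/sh
# Added example, not PacketSifter's own code: carve the HTTP traffic out of a
# pcap with tshark, run the statistics the post lists, export the HTTP
# objects, and summarise requests/responses per server address with awk.
# Assumptions: tshark is on PATH for sift_http_pcap(); summarise_http()
# needs only awk and sort and is fed tab-separated "tshark -T fields" lines
# in the order ip.src, ip.dst, http.request.method, http.host,
# http.request.uri, http.response.code.

# Count requests per method+host+uri and responses per server address+code.
summarise_http() {
    awk -F '\t' '
        $3 != "" { req[$3 " " $4 $5]++ }      # request packet
        $6 != "" { resp[$1 " " $6]++ }        # response packet (src = server)
        END {
            for (k in req)  printf "request %s %d\n", k, req[k]
            for (k in resp) printf "response %s %d\n", k, resp[k]
        }' | LC_ALL=C sort
}

# Sift one pcap the way the post describes. -n turns off all name resolution,
# so tshark never sends DNS queries for hosts seen in the capture (the
# "resolve host names" prompt the post warns about).
sift_http_pcap() {
    pcap=$1
    out=${2:-sifted}
    mkdir -p "$out/httpObjects"
    # http.pcap: all conversations on ports 80, 8080 or 8000
    tshark -n -r "$pcap" -Y 'tcp.port in {80 8080 8000}' -w "$out/http.pcap"
    # HTTP/Packet Counter, HTTP/Requests, HTTP/Load Distribution,
    # TCP and IP endpoint statistics
    tshark -n -q -r "$out/http.pcap" \
        -z http,tree -z http_req,tree -z http_srv,tree \
        -z endpoints,tcp -z endpoints,ip > "$out/http_info.txt"
    # Same content as the httpObjects tarball: one file per HTTP object
    tshark -n -q -r "$out/http.pcap" --export-objects "http,$out/httpObjects"
    # HTTP responses by server address
    tshark -n -r "$out/http.pcap" -T fields \
        -e ip.src -e ip.dst -e http.request.method -e http.host \
        -e http.request.uri -e http.response.code \
        | summarise_http > "$out/http_responses_by_server.txt"
}

# Constructed sample of "tshark -T fields" output (not from a real capture):
# two GETs and a POST from 192.0.2.10 to a server at 198.51.100.7.
sample_http_fields() {
    printf '192.0.2.10\t198.51.100.7\tGET\texample.test\t/index.html\t\n'
    printf '198.51.100.7\t192.0.2.10\t\t\t\t200\n'
    printf '192.0.2.10\t198.51.100.7\tGET\texample.test\t/index.html\t\n'
    printf '198.51.100.7\t192.0.2.10\t\t\t\t200\n'
    printf '192.0.2.10\t198.51.100.7\tPOST\texample.test\t/upload.php\t\n'
    printf '198.51.100.7\t192.0.2.10\t\t\t\t404\n'
}

if [ -n "${1:-}" ]; then
    sift_http_pcap "$1" "${2:-sifted}"     # real pcap given on the command line
else
    sample_http_fields | summarise_http     # offline demo on the sample lines
fi
```

Run it with a pcap path to sift a real capture, or without arguments to see the request/response summary for the constructed sample.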

This script goes through the pcap file quickly; however, there is a warning for “Would you like to resolve host names observed in pcap?”. The first time I said yes, and that basically stopped the script while it was trying to resolve hostnames; eventually I cancelled the script and re-ran it without that option.

Overall, this script is easy to use and is another tool that can easily be used for analysis of pcap traffic for web, DNS and SMB objects, which I didn’t have in this file.

Happy hunting!

[1] https://github.com/packetsifter/packetsifterTool.git
[2] https://www.wireshark.org
[3] https://tshark.dev/setup/install/
[4] https://www.virustotal.com/gui//
[5] https://www.elastic.co

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Sensitive Data Shared with Cloud Services, (Fri, Jan 29th)

Yesterday was Data Protection Day in Europe[1]. I was not on duty so I’m writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many companies around the world. This popular service allows you to create, edit and sign PDF documents. A few days ago, the database leak was released in the wild[2]: 14GB compressed, 77M credentials.

I had the opportunity to have a look at the data, and it provides really interesting information. The archive contains dumps of SQL tables from a relational database. We have a file with the users’ data. The classic email addresses and passwords (hopefully hashed) are present, but also a user ID. A second file is the dump of a SQL table containing information about documents processed with Nitro PDF. Because it’s a relational database, we can use the user’s ID to find who worked on which document(s) and when (because timestamps are also present). The information you have about documents is the title and a thumbnail reference (hopefully not available). Example:

114193114       2013-10-28 21:46:21.765 2013-10-28 21:46:22.62  f       5430610411990818132     f       nitrocloud-prod|437b88f9-3f81-4952-9ec4-97d8524a890e    Concept Note    N      f       f       N      114193118       N

“114193114” is the user ID, “Concept Note” is the document title.

I did some correlation searches for my customers and I was able to match which user was working on a specific document at a specific time.

From a broader point of view, can we guess the type of data that was exchanged via this cloud service? I extracted all the document titles, performed some cleanup, and extracted a word list to generate this word cloud:

As you can see, many words look “juicy” and are directly related to business activities! By linking document titles with email addresses we learn about potential victims who could be interesting targets for social engineering or phishing attacks! 

Always be aware that cloud services store a lot of information that you don’t really want to see out of your perimeter!

[1] https://www.coe.int/en/web/portal/28-january-data-protection-day
[2] https://www.bleepingcomputer.com/news/security/hacker-leaks-full-database-of-77-million-nitro-pdf-user-records/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

Data Privacy Day (2021): Commercial Businesses

January 28, 2021 is Data Privacy Day and CyberSafeNV is proud, as a Data Privacy Day Champion, to play a part in this international effort by growing awareness and providing tips and guidance to help people and organizations to protect their data.  We will share a series of articles designed to explain some of the nuances around what privacy means as well as resources focused on a variety of internet users so that you can take appropriate measures to safeguard your privacy.

This third article is for commercial businesses focusing on latest updates and resources.

2021 Privacy Updates and What It Means for Businesses

In commemoration of Privacy Day this year, we are going to talk about the latest news in privacy and share some tips and resources to help organizations keep current. A lot has happened last year and privacy risks continue to emerge for organizations. As global laws continue to evolve and the US laws play catch up, organizations are drawn to increasing their compliance efforts. 

Global Privacy Updates

Let’s talk about the elephant in the room, Brexit finally happened. The trade deal between Britain and the European Union has been approved and we are now in the interim “grace period” when data can continue to flow between the EU and the UK in the next four to six months.

To safeguard against data flow interruptions, the following are precautionary measures organizations should consider:

  • Standard Contractual Clauses (SCC) are reviewed and updated.
  • ICO may no longer be a part of GDPR’s One Stop Shop, review your interactions with data protection authorities.
  • Appoint EU and UK data protection representatives if necessary.
  • Update privacy notices, policies and DPIAs (Data Privacy Impact Assessment).

Meanwhile, in the southern hemisphere, Brazil’s comprehensive privacy law went into effect in September 2020. It’s called Lei Geral de Proteção de Dados, or “LGPD”. Penalties will take effect in August 2021.

LGPD is heavily inspired by the GDPR and the following are key areas to pay attention to: 

  • LGPD protects every user in Brazil irrespective of the data subject’s nationality and regardless of where the processing agent’s company is based.
  • Individual rights are consistent with GDPR but in addition, LGPD also gives people a right to access information about those with whom an organization has shared the individual’s data.
  • Organizations may transfer personal data to other countries that provide an “adequate level of data protection.” Brazil has not yet identified which countries it considers as providing an adequate level of protection.

Domestic Privacy Updates

You may already be aware of the California Consumer Privacy Act (CCPA), a pivotal law put into effect last year as the first major privacy law to give American consumers control over their personal information.

Within months of CCPA going into effect, the California Privacy Rights and Enforcement Act (CPRA) was passed this past November and will replace the CCPA as of Jan 1, 2023 – giving businesses two years to revisit their privacy programs to be compliant.

There are key differences between the two – here is a snapshot of a handful of the most notable ones:

  • The definition of “business” is shifting and will change the types of business this law will be applicable to. One of these includes the threshold of customers, which will increase from 50,000 to 100,000. 
  • There is also a new type of personal information defined in the CPRA: Sensitive Personal Information, or SPI. This includes (but is not limited to) passport data, social security numbers, financial account information, race, ethnicity, health records, and union membership.
  • New rights will also be set in place, such as right to opt out of automated decision-making technology and right to restrict sensitive PI.

California’s privacy laws have impacted businesses everywhere, and many state legislatures around the country are looking to model similar laws as more consumers demand transparency over their PII.

The State of Washington, which has numerous times tried to pass a privacy act in the past, is working on a new version for 2021.

This proposal adds stricter protections for consumer data collected during public health emergencies, and introduces a private right of action, which allows civil lawsuits over the use of personal data.

More information around this new Washington Privacy Act will be released as the year goes on, so stay tuned.

Additional Resources

How does one keep abreast of the ever-changing regulations? We’ve listed some resources you can subscribe to and follow.

Organizations should continue to monitor the development of LGPD, the privacy implications of Brexit, and the US state privacy laws, and are encouraged to do the following:

  • Perform Data Privacy Impact Assessments (DPIAs) regularly
  • Follow the strictest rule applicable to your organization
  • Adopt the Privacy By Design Principles (PbD)

If you haven’t already checked out these resources, here are some options to get more information on privacy standards.

Cited Sources:

https://www.dataguidance.com/sites/default/files/gdpr_lgpd_report.pdf

https://iapp.org/resources/article/state-comparison-table/

https://www.jdsupra.com/legalnews/third-time-could-be-the-charm-for-20529/

https://www.manatt.com/insights/newsletters/client-alert/the-california-privacy-rights-act-has-passed

Posted in: Uncategorized


Data Privacy Day (2021): Government Agencies

January 28, 2021 is Data Privacy Day and CyberSafeNV is proud, as a Data Privacy Day Champion, to play a part in this international effort by growing awareness and providing tips and guidance to help people and organizations to protect their data.  We will share a series of articles designed to explain some of the nuances around what privacy means as well as resources focused on a variety of internet users so that you can take appropriate measures to safeguard your privacy.

This second article is focused on the data privacy responsibilities of federal, state, and local governments. Millions of people in Nevada share their personal data with government organizations on a regular basis and may not know what steps those agencies are required to take to protect that data.

What data privacy rules do government agencies have to follow?

The Privacy Act of 1974, and the amendments applied to it over the years, provide explicit guidance on how federal agencies can collect, maintain, use, and disseminate information about individuals contained in any system of records they control. It also contains rules allowing individuals to access the data federal agencies collect and maintain on them and obtain a copy of the data or any portion of the data.  One of the most important elements of the Act is the rule for disclosing information about an individual to third parties.  The Act mandates that, with a limited number of exceptions, the data on an individual can only be disclosed to a third party with the written consent of the person to whom the record pertains.

You can read more on the Privacy Act of 1974 and its amendments on the U.S. Department of Justice website.  

The State of Nevada has similar legislation which applies to more than just State agencies.  Nevada Revised Statute 603A contains the rules government agencies, institutions of higher education, corporations, financial institutions, retail operators, or any other type of business entity or association must follow if they handle, collect, disseminate or otherwise deal with nonpublic personal information.  It contains requirements for how agencies must destroy records when they are no longer needed, steps agencies must take to protect data, and rules for disclosing a breach of the system of records maintained by the agency.

Your local city or county may have their own rules for protecting an individual’s private data. 

What do I need to do?

If you work for an agency that collects personal data on customers and you have access to that data:

  • KNOW YOUR RESPONSIBILITIES: Ask your employer what steps you are required to take when gathering, using, or disclosing personal data you access.  Familiarize yourself with your agency’s privacy policy, and be prepared to discuss it.  If your agency doesn’t have a privacy policy, ask them to create one.
  • INFORM YOUR CUSTOMERS: Whenever possible, let your customers know why you are collecting their information, how you are using it, and what steps they can take to ensure it is accurate and protected.  Usually, the best way to do that is to provide them a copy of, or link to, your agency’s privacy policy.

As a customer, there are some basic steps you can take to help safeguard your privacy:

  • DO YOUR RESEARCH: Know what laws protect your data when it’s in the hands of federal, state, local, or commercial agencies.   Find out how an agency meets the requirements of those laws before giving them your personal information.
  • LIMIT THE DATA ABOUT YOU:  Only provide agencies with the minimum amount of information about you they need to provide you the services you are requesting.  
  • READ THE PRIVACY POLICY:  Almost all organizations have a privacy policy (quite often a link near the bottom of their main web page).  Read it to understand what information they are collecting and how they will be using that information.

Take action:

Update the privacy settings on at least one of your online accounts this Data Privacy Day (January 28).  Check the privacy and security settings on web services and apps and set them to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information. Get started with NCSA’s Manage Your Privacy Settings page:  https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/


Data Privacy Day (2021): Individuals

Data Privacy Day is an international effort to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust.

January 28, 2021 is Data Privacy Day and CyberSafeNV is proud, as a Data Privacy Day Champion, to play a part in this international effort by growing awareness and providing tips and guidance to help people and organizations to protect their data.  We will share a series of articles designed to explain some of the nuances around what privacy means as well as resources focused on a variety of internet users so that you can take appropriate measures to safeguard your privacy.

This first article is focused on individuals, with subsequent articles focused on small business and large enterprises. Millions of people worldwide are using the Internet to share data, including our banking credentials, personal photographs, and our geolocations. Although cyberspace is an exciting environment with a myriad of benefits, opportunities, and conveniences, it is also an increasingly risky one, with numerous threats to our privacy.

Why do you care?

Data about individuals can be and is used in a variety of ways. Unfortunately, all too often, the manner in which the data is used is not known, expected, or even approved by you, the individual. For example, when connecting to social media as well as mobile and smart devices (e.g. mobile phones, wearables, speakers, headsets, cameras, TVs, cars, toys and appliances), you are continuously generating information about your use, yourself, and others. This becomes an abundance of data that is very valuable to commercial entities and adversaries. Bad actors target those data sets to steal and use for larger campaigns or missions. That’s why it is important to understand the value of your personal information and how to manage it. Your personal information is like money! Value it. Protect it.

Please see this infographic from the National Cyber Security Alliance (NCSA) to help you gain a quick perspective.  

What is Privacy really?

It is important to note that privacy and cyber security overlap, but they are not one and the same. Cyber security is necessary to protect data, but security alone is not sufficient to ensure privacy. Privacy includes other aspects such as:

  • telling users what data is collected and how it will be used,
  • giving users a choice when their data will be used for purposes other than originally disclosed,
  • ensuring data is protected and can only be used for the purposes disclosed, and
  • ensuring data practices comply with federal, state, and international laws.

Sounds simple.  Don’t the companies and organizations need to take care of that?

As individuals, we need to share personal details and personally identifiable information (PII) in order to obtain a service or conduct transactions. However, we don’t want the information to be abused, lost, or used for purposes other than the reasons we shared the data. This appears to be an easy ask, but it is not easy to achieve because of conflicting local laws that require public access.

For example, court records must be made publicly available for public scrutiny and review to ensure citizens’ confidence in court rulings. This need must be balanced with the need to ensure the privacy of the litigants. However, it becomes very difficult to balance the two objectives because, until recent years, the documentation of most court cases, both civil and criminal, included personal information such as individuals’ Social Security numbers and other sensitive data.

What do I need to do?

Here are some basic steps to help safeguard your privacy:

  • DO YOUR RESEARCH: Before connecting your smart device to the Internet, do some research.  Ideally, you would conduct this research before purchasing any new internet-connected device by checking out user reviews on the product, exploring whether there have been any security/privacy concerns, and understanding what security features or limitations that the device has. 
  • CONTROL YOUR ONLINE PRESENCE: Configure your privacy and security settings the moment you turn on a new smart device and are asked to sign in, sign up for a new online account, or integrate an existing account from other platforms like Google, Facebook, etc. Most devices and accounts default to the least secure settings, so take the time to change those settings to be more secure. For example, disable any features you don’t need, such as location tracking (your living room TV doesn’t need to track location), and update the software on those devices.
  • LIMIT THE DATA ABOUT YOU: It is best to limit what information you put online. For example, when completing or integrating a profile for an account, you don’t have to fill in everything. If you do need to answer every field, consider answering those fields with illegitimate answers about yourself. It’s not against the law to do so; however, you may need to pick a date of birth that shows that you are over 18 years of age. Just remember those responses in case you need to recover your account. If you find that a company does require truthful information about you, question whether you feel comfortable providing it and understand what they do with that information. Then reconsider creating a profile with that company.

Take action:

Update the privacy settings on at least one of your online accounts this Data Privacy Day (January 28). Here’s how: staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/
