Security Awareness Month: How to Help Friends and Family, (Wed, Oct 4th)

For the last few years, October has been “Security Awareness Month”, with various organizations using it to promote security awareness. We have done a few “themed” diaries around security awareness in past years, but for the most part, there isn’t that much new to say for our core audience. Security awareness is however still a …

Malspam pushing Formbook info stealer, (Tue, Oct 3rd)

Introduction On Monday 2017-10-02, I ran across malicious spam (malspam) pushing Formbook, an information stealer.  Arbor Networks has a good article about Formbook here.  Today’s diary examines the associated email, traffic, malware, and infected Windows host. The email The email is disguised as a FedEx delivery notice.  It has a link to a compromised website …

Investigating Security Incidents with Passive DNS, (Mon, Oct 2nd)

Sometimes when you need to investigate a security incident or to check for suspicious activity, you become frustrated because the online resource that you’re trying to reach has already been cleaned. We cannot blame system administrators and webmasters who are just doing their job. If some servers or websites remain compromised for weeks, others are very …

Who's Borrowing your Resources?, (Sat, Sep 30th)

There is a buzz that started to stir in the past few days with the rise of cryptocurrency miner JavaScript code showing up on various websites. In particular, it seems to be Coinhive’s miner JavaScript code. I do want to note that Coinhive specifically states: “While it’s possible to run the miner without informing your users, we strongly …

Good Analysis = Understanding(tools + logs + normal), (Fri, Sep 29th)

We had a reader send an email in a couple of weeks ago asking about understanding the flags field when looking at data in a report.   He didn’t understand what the “flags” were referring to or what the actual flags mean. “They don’t appear related to TCP header flags like I’ve normally seen…S is …

The easy way to analyze huge amounts of PCAP data, (Thu, Sep 28th)

When you are investigating a security incident, there are chances that, at a certain point, you will have to dive into network traffic analysis. If you’re lucky, you’ll have access to a network capture. Approximately one year ago, I wrote a quick diary[1] to explain how to implement a simple FPC or “Full Packet Capture” solution …

XPCTRA Malware Steals Banking and Digital Wallet User's Credentials, (Mon, Sep 25th)

1. Introduction While hunting some phishing emails these days, I came across a malware campaign similar to EngineBox, a banker capable of stealing user credentials from multiple banks [1]. XPCTRA, as I call today’s variant, in addition to banking data, steals online digital wallet users’ credentials from services such as Blockchain.info and PerfectMoney. The malspams …

Back to Basics: Writing Change Requests in Natural Language, (Mon, Sep 25th)

Back to Basics Back to Basics is a new series focusing on the boring stuff. Tweaking and tuning the things we already do. In these articles we will discuss things that have worked and tips to get them working. This diary will focus on change requests. (see, boring …) There are several great resources that …