Introduction Many security professionals often review malicious spam (malspam) as part of their daily work. If you fall in this category, every once in a while you run across an email so obviously malicious, you wonder how people could be fooled by it. I saw one such email on Tuesday 2017-08-08. The link in this …
When Microsoft changed its update process a few months ago, we were initially no longer able to quickly produce our usual assessment of Microsofts patches. Finally, I think we have a way to get at least some of it back, and this is our first take on it. Please let me know if I should …
Read more “Microsoft Patch Tuesday August 2017, (Tue, Aug 8th)”
PMA (or phpMyAdmin) is a well-known MySQL front-end written in PHP that brings MySQL to the web as stated on the web site[1]. The tool is very popularamongst web developers because it helps to maintain databases just by using a web browser. This also means that the front-end might be publicly exposed! It is a …
Whenever a link is posted to Facebook or other social media sites, the site will likely scan the destination page for Open Graph tags [1]. These tags may provide a link to an image to be displayed, or alternate URLs to be displayed and other meta tags. (URLs obfuscated to protect the click-happy) For example, …
Read more “Use of the Open Graph Protocol to Disguise Malicious Facebook Links, (Fri, Aug 4th)”
We have been working for a while now on a honeypot based on a Raspberry Pi. Thanks to our volunteers, we now have a version of the honeypot that provides us not just with the firewall data that we usually collect, but also with data about telnet/ssh and webattacks. Traditionally, we have focused on firewall …
Read more “Using a Raspberry Pi honeypot to contribute data to DShield/ISC, (Thu, Aug 3rd)”
Last week I was lucky enough to attend SANSFIRE, which is one of the biggest SANS events (I attended the SEC660 course by Tim Medin and just as my personal opinion: this is probably the best course I have ever attended). I also held a presentation about attacking NoSQL applications, which was based partially on …
Read more “Attacking NoSQL applications (part 2), (Wed, Aug 2nd)”
Ive had a number of people ask how they can find services on their network that still support SMBv1. In an AD Domain you can generally have good control of patching and the required registry keys to disable SMBv1. However, for non-domain members thats tougher. width:701px” /> Dialects versions are outlined here: https://msdn.microsoft.com/en-us/library/cc246492.aspx Essentially they …
Read more “Rooting Out Hosts that Support Older Samba Versions, (Tue, Aug 1st)”
Over the past few days I have been getting a few phone text scams that kind of look realistic except for certain flaws that are fairly easy to pick out, however this is where it is important to read the whole URL. First, if you dont have a banking account with the bank that appears …
———– Guy Bruneau IPSS Inc. Twitter: GuyBruneau gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
While studying the infamous EternalBlue exploit about 2 months ago, researchers Sean Dillon (zerosum0x0) and Zach Harding (Aleph-Naught-) found a new flaw in the Server Message Block (SMB) protocol that could allow an adversary to interrupt the service by depleting the memory and CPU resources of the targeted machine on a Denial of Service (DoS) …