Wait What? We don't have to change passwords every 90 days?, (Wed, May 17th)

/. recently published a post covering a draft NIST Standard that is in review [1]. This handler thought it would cause a disturbance in the force, but so far no one is discussing it. One of the big stand-out changes is no more periodic password changes [2]. There are several others as well, and …

WannaCry? Do your own data analysis., (Tue, May 16th)

"In God we trust. All others must bring data." ~Bob Rudis

With endless amounts of data, technical detail, and insights on WannaCrypt/WannaCry, and even more FUD, speculation, and even downright trolling, herein is a proposal for you to do your own data-driven security analysis. My favorite book to help you scratch that itch? Data Driven …

WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th)

The ransomware was first noticed on Friday and spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow]. A month prior to the …

Microsoft Released Guidance for WannaCrypt , (Sat, May 13th)

Microsoft released information on what can be done to protect against WannaCry [1], which includes deploying MS17-010 if not already done (March patch release) [2], updating Windows Defender (updated 12 May) [3] and, if not using SMBv1, disabling it (instructions available here). Microsoft has provided a security update for all customers to protect Windows platforms that are in custom …

Massive wave of ransomware ongoing, (Fri, May 12th)

For a few hours, bad news has been spreading quickly about a massive wave of infections by a new ransomware called WannaCry (Source: MalwareTech). Big targets have been telecom operators (ex: Telefonica in Spain) and hospitals in the UK. Once the malware has infected a computer, it spreads across the network looking for new victims …

When Bad Guys are Pwning Bad Guys…, (Fri, May 12th)

A few months ago, I wrote a diary about webshells [1] and the numerous interesting features they offer. There are plenty of web shells available; they are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip …) I'm pretty sure that some people are using web …

Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan, (Thu, May 11th)

Introduction: On Wednesday 2017-05-10, @thlnk3r tweeted about Rig exploit kit (EK) activity. @DynamicAnalysis has already posted an analysis of this traffic on malwarebreakdown.com (always a good read), but I've also looked into it. Today … Shown above: Tweet about this Rig EK activity from @thlnk3r (link). Details: This is not one of the campaigns …

Read This If You Are Using a Script to Pull Data From This Site, (Wed, May 10th)

I love it when people write tools to pull data from this site, and we try to accommodate automated tools like this with our API, but sometimes scripts go bad and we keep having cases where scripts pull the same data several times a second. I would love to let the owner of the script know, …

OAuth, and It's High Time for Some Personal "Security-Scaping" Today, (Wed, May 10th)

After Bojan's recent story on the short-lived Google Docs OAuth issues last week (https://isc.sans.edu/forums/diary/OAUTH+phishing+against+Google+Docs+beware/22372/), I got to thinking. The compromise didn't affect too many people, but it got me thinking about OAuth. The piece of OAuth that I focused on is the series of permissions and tokens that allow interaction between applications, which is what …