(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
APPLE-SA-2016-09-20-6 tvOS 10
 
APPLE-SA-2016-09-20-5 watchOS 3
 

Researchers from Tencent's Keen Security Labs totally hack the Tesla S over Wi-Fi.

Security researchers at the Chinese Internet company Tencent's Keen Security Lab privately revealed a security bug in Tesla Model S cars that allowed an attacker to achieve remote access to a vehicle's Controller Area Network (CAN) and take over functions of the vehicle while parked or moving. The Keen researchers were able to remotely open the doors and trunk of an unmodified Model S, and they were also able to take control of its display. Perhaps most notably, the researchers remotely activated the brakes of a moving Model S wirelessly once the car had been breached by an attack on the car's built-in Web browser.

Tesla has already issued an over-the-air firmware patch to fix the situation.

Previous hacks of Tesla vehicles have required physical access to the car. The Keen attack exploited a bug in Tesla's Web browser, which required the vehicle to be connected to a malicious Wi-Fi hotspot. This allowed the attackers to stage a "man-in-the-middle" attack, according to researchers. In a statement on the vulnerability, a Tesla spokesman said, "our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly." After Keen brought the vulnerability to Bugcrowd, the company managing Tesla's bug bounty program, it took just 10 days for Tesla to generate a fix.


 
Apple iOS/tvOS/MacOS/watchOS Multiple Security Vulnerabilities
 
APPLE-SA-2016-09-20-4 macOS Server 5.2
 
APPLE-SA-2016-09-20-3 iOS 10
 
APPLE-SA-2016-09-20-2 Safari 10
 
IBM WebSphere Application Server CVE-2016-0377 Information Disclosure Vulnerability
 

In a previous diary[i] I talked about Windows Events and gave some examples of the events most useful for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events.

Get-WinEvent

The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).[ii]


Get-WinEvent -LogName System

This command shows everything in the System log, which can be very large and will include many events that are not relevant to our case.

The best way to filter events with the Get-WinEvent cmdlet is the -FilterHashtable parameter. Suppose that you are interested only in the events that

Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} | Format-List


TimeCreated : 9/16/2016 12:57:58 AM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: Meterpreter

Service File Name: C:\Windows\TEMP\hXdIEXeEbqqzDy\metsvc.exe service

Service Type: user mode service

Service Start Type: auto start

Service Account: LocalSystem

TimeCreated : 9/16/2016 12:56:46 AM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: vvgQjBPVHmgKnFfH

Service File Name: %SYSTEMROOT%\AmEAdtHt.exe

Service Type: user mode service

Service Start Type: demand start

Service Account: LocalSystem

TimeCreated : 9/16/2016 12:54:14 AM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: jJZzbNmqBqTeqzsU

Service File Name: %SYSTEMROOT%\bFZwMEQv.exe

Service Type: user mode service

Service Start Type: demand start

Service Account: LocalSystem

TimeCreated : 9/16/2016 12:39:34 AM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: zNvHlQahvTqmPpVS

Service File Name: %SYSTEMROOT%\cEYBVJNP.exe

Service Type: user mode service

Service Start Type: demand start

Service Account: LocalSystem

TimeCreated : 9/15/2016 9:09:40 PM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: vJcYxfCDYUgOZiVb

Service File Name: %SYSTEMROOT%\TifTyNVa.exe

Service Type: user mode service

Service Start Type: demand start

Service Account: LocalSystem


Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime='9/15/2016 9:00:00 PM'; EndTime='9/15/2016 9:09:40 PM'} | Format-List


TimeCreated : 9/15/2016 9:09:39 PM

ProviderName : Microsoft-Windows-Security-Auditing

Id : 4624

Message : An account was successfully logged on.

Subject:

Security ID: S-1-0-0

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 3

New Logon:

Security ID: S-1-5-21-574956201-2274518538-2668157362-1004

Account Name: test

Account Domain: WIN-CAR8AFQU4IJ

Logon ID: 0x112fd1

Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:

Process ID: 0x0

Process Name: -

Network Information:

Workstation Name: BH5vQpSXNj4EBCBk

Source Network Address: 10.10.75.1

Source Port: 55165

Detailed Authentication Information:

Logon Process: NtLmSsp

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): NTLM V2

Key Length: 0

From the above output we find that a user named test logged on at 9/15/2016 9:09:39 PM over the network (Logon Type 3) from the IP address 10.10.75.1.

Now let's find out when the user test

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} | Where-Object {$_.Message -match 'test'} | Format-List

And here is the output


TimeCreated : 8/12/2016 10:06:33 PM

ProviderName : Microsoft-Windows-Security-Auditing

Id : 4720

Message : A user account was created.

Subject:

Security ID: S-1-5-21-574956201-2274518538-2668157362-1000

Account Name: Victim

Account Domain: WIN-CAR8AFQU4IJ

Logon ID: 0x275eb2

New Account:

Security ID: S-1-5-21-574956201-2274518538-2668157362-1004

Account Name: test

Account Domain: WIN-CAR8AFQU4IJ

Attributes:

SAM Account Name: test

Display Name:

User Principal Name: -

Home Directory:

Home Drive:

Script Path:

Profile Path:

User Workstations:

Password Last Set:

Account Expires:

Primary Group ID: 513

Allowed To Delegate To: -

Old UAC Value: 0x0

New UAC Value: 0x15

User Account Control:

Account Disabled

Password Not Required - Enabled

Normal Account - Enabled

User Parameters:

SID History: -

Logon Hours: All

Additional Information:

Privileges -


# ReplacementStrings[8] is LogonType and [5] is TargetUserName in the 4624 schema;
# the diary's line was cut off after the IP Address column, which is ReplacementStrings[18] (IpAddress).
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624} | Where-Object {$_.ReplacementStrings[8] -eq 3} | Select-Object TimeGenerated, @{Name='AccountName'; Expression={$_.ReplacementStrings[5]}}, @{Name='IP Address'; Expression={$_.ReplacementStrings[18]}}

Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624} | Group-Object {$_.ReplacementStrings[8]} | Select-Object Name, Count


Name Count

--------- ---------

7 2

5 210

2 29
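The walkthrough above pivots by hand from a 7045 service install to the 4624 network logons recorded just before it. The function below is an added example, not part of the diary, that automates that pivot with the same Get-WinEvent -FilterHashtable filters; the function and parameter names are mine, the EventData field names (ServiceName, ImagePath, TargetUserName, IpAddress, LogonType) come from the event XML, and the "suspicious" heuristic only encodes the pattern visible in the output above (binaries under TEMP, 16-letter random service names).

```powershell
function Get-ServiceInstallContext {
    param(
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End = (Get-Date),
        [int]$WindowMinutes = 10          # how far back to look for logons before each install
    )
    # Read EventData fields by name from the event XML rather than by
    # ReplacementStrings index, so field order does not matter.
    function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        return $data
    }
    # Same filters as the diary: System/7045 for service installs, Security/4624 for logons.
    $installs = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue
    $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Start.AddMinutes(-$WindowMinutes); EndTime=$End} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.LogonType -eq '3') {   # network logons only, as in the walkthrough
                [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; IP = $d.IpAddress }
            }
        }
    foreach ($ev in $installs) {
        $d = Get-EventData $ev
        $recent = $logons | Where-Object { $_.Time -le $ev.TimeCreated -and $_.Time -ge $ev.TimeCreated.AddMinutes(-$WindowMinutes) }
        [pscustomobject]@{
            Installed = $ev.TimeCreated
            ServiceName = $d.ServiceName
            ImagePath = $d.ImagePath
            StartType = $d.StartType
            RunsAs = $d.AccountName
            # Heuristic taken from the output above: binary under TEMP, or 16 random letters as the name.
            Suspicious = ($d.ImagePath -match '\\Temp\\' -or $d.ServiceName -match '^[A-Za-z]{16}$')
            PriorNetLogons = ($recent | ForEach-Object { "$($_.User)@$($_.IP) $($_.Time.ToString('HH:mm:ss'))" }) -join '; '
        }
    }
}
# Same window the diary inspected by hand (reading the Security log needs an elevated session)
Get-ServiceInstallContext -Start '9/15/2016 9:00:00 PM' -End '9/16/2016 1:00:00 AM' -WindowMinutes 10 | Format-Table -AutoSize
```

On the host from the diary this would list the Meterpreter service at 12:57:58 AM with the test@10.10.75.1 logon in its PriorNetLogons column once the window is widened to cover it.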


[i] https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/


 
ESA-2016-093: RSA® Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability
 
Microsoft Internet Explorer and Edge CVE-2016-3295 Remote Memory Corruption Vulnerability
 


Passcodes on iPhones can be hacked using store-bought electronic components worth less than $100 (£77), according to one Cambridge computer scientist.

Sergei Skorobogatov has demonstrated that NAND mirroring—the technique dismissed by James Comey, the director of the FBI, as unworkable—is actually a viable means of bypassing passcode entry limits on an Apple iPhone 5C. What's more, the technique, which involves soldering off the phone's flash memory chip, can be used on any model of iPhone up to the iPhone 6 Plus, which use the same type of LGA60 NAND chip. Later models, however, will require "more sophisticated equipment and FPGA test boards."

In a paper he wrote on the subject, Skorobogatov, a Russian senior research associate at the Cambridge Computer Laboratory's security group, confirmed that "any attacker with sufficient technical skills could repeat the experiment," and while the technique he used is quite fiddly, it should not present too much of an obstacle for a well-resourced branch of law enforcement.


 
Microsoft Internet Explorer CVE-2016-3292 Remote Privilege Escalation Vulnerability
 
Microsoft Edge CVE-2016-3294 Remote Memory Corruption Vulnerability
 
Microsoft Office CVE-2016-3365 Memory Corruption Vulnerability
 
Microsoft Windows Graphics Component CVE-2016-3354 Information Disclosure Vulnerability
 


Finance messaging giant SWIFT plans new measures to help banks combat fraud, after a gang broke into Bangladesh's central bank in February and stole £57 million, and were only caught because one of them made a typo in a £15 million transfer.

The banking communications network, which allows financial institutions across the world to send each other secure messages about their transactions, is introducing "Daily Validation Reports," which it bills as a mechanism to help customers detect unusual patterns in their message flows, and give them more of a chance "to identify possible fraud attempts and improving the likelihood they can cancel any fraudulent transfers."

The heist could have cost almost £700 million but for the typo, which spelled the name of a Sri Lankan NGO called the "Shalika Foundation" as the "Shalika Fandation". That raised red flags at Deutsche Bank, which warned the Bangladeshis, allowing them to cancel most of the rest of the transactions. Worse still, the Shalika Foundation appears not even to exist, Reuters reported.


 
Money Forward Apps for Android CVE-2016-4838 Security Bypass Vulnerability
 
QEMU 'hw/usb/hcd-xhci.c' Information Disclosure Vulnerability
 