Two security vendors have released temporary fixes for a flaw in some Samsung Android phones that could allow an attacker to bypass a locked screen.
A group of U.S. senators has offered a nonbinding amendment to a fiscal year 2014 budget resolution allowing states to collect sales taxes on Internet sales and end the tax-free shopping that many shoppers enjoy online.
Bing is incorporating more information from outside social networks such as Facebook and Twitter into how it displays search results involving people.
Exploring methods of computing without silicon, IBM has found a way to make transistors that could be fashioned into virtual circuitry that mimics how the human brain operates.

This is my fourth post in a series called "Wipe the Drive: Malware persistence techniques". The goal is to demonstrate obscure configuration changes that malware or an attacker on your computer can leave behind to allow them to reinfect your machine. We will pick up the conversation with techniques #7 and #8. If you missed the first six techniques you can read about those here:




Technique #7 - Winlogon Events

Windows XP and Windows Server 2003 allow a DLL to register as a Winlogon notification package and receive the events Winlogon raises (Windows Vista and later no longer load these packages, so on a newer system the mere presence of a registration deserves a look). Once registered, the DLL is loaded and its handler called whenever that event occurs. One of those events is the shutdown event. By registering for the shutdown event, a malicious DLL is given a chance to execute every time the machine shuts down. That lets the malware lie dormant during the incident response process: when the machine is shut down the DLL is loaded into memory, downloads the primary malware, and reinfects the machine. This can make your incident response and containment phases very difficult. For memory forensics to see this malware reinfecting your machine you would have to capture memory during the shutdown process, and that is not typically how memory captures are done.


To check whether any malware has registered for Winlogon events, look at the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

If no subkey exists under it you are in good shape. If a subkey with any name exists and it has a Shutdown value, the DLL named in that subkey's DLLName value will be loaded during the shutdown process and the exported function named by the Shutdown value will be called. Check that DLL to see what it does. You should expect that it does very little beyond loading another payload from somewhere else on the hard drive. Here is an example of a registry key registering scard32.dll for shutdown events.
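As an added example (not code from the diary), here is a Python checker for the key above that works from a registry export rather than on the live machine, so it can be run against an image or a collected `reg export` file. It parses the "Windows Registry Editor Version 5.00" format, lists every Notify subkey with its DLL and the Winlogon events it has registered for, and pulls out the ones that fire at shutdown. The export text is a constructed sample: the sclgntfy entry mimics a stock Windows XP registration, and the scard32 entry is the hypothetical shutdown hook the diary describes, with a made-up DLL path.

```python
# Documented Winlogon notification events; the value named after an event holds
# the exported function Winlogon calls when that event fires.
WINLOGON_EVENTS = {
    "Disconnect", "Lock", "Logoff", "Logon", "PostShell", "Reconnect",
    "Shutdown", "StartScreenSaver", "StartShell", "Startup",
    "StopScreenSaver", "Unlock",
}
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Constructed sample of `reg export "HKLM\...\Winlogon\Notify" notify.reg`.
# "sclgntfy" mimics a stock Windows XP entry; "scard32" is the hypothetical
# shutdown hook from the diary (DLL path invented for the example).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,\
  00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="WLEventLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\scard32]
"Asynchronous"=dword:00000000
"DLLName"="C:\\WINDOWS\\system32\\scard32.dll"
"Impersonate"=dword:00000000
"Shutdown"="ShutdownHandler"
"""


def _decode_value(raw):
    """Decode one exported value: a quoted string, dword:, or hex(2): (REG_EXPAND_SZ, UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a 'Windows Registry Editor 5.00' export."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        if line.endswith("\\"):            # long values wrap with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(value)
    return keys


def notify_registrations(keys):
    """Every Notify subkey with its DLL and the Winlogon events it has registered for."""
    findings = []
    for path, values in keys.items():
        if not path.upper().startswith(NOTIFY_KEY.upper() + "\\"):
            continue
        lower = {name.lower(): val for name, val in values.items()}  # value names are case-insensitive
        events = sorted(e for e in WINLOGON_EVENTS if e.lower() in lower)
        findings.append({
            "subkey": path.rsplit("\\", 1)[1],
            "dll": lower.get("dllname"),
            "events": events,
            "handlers": {e: lower[e.lower()] for e in events},
        })
    return findings


def shutdown_hooks(keys):
    """(subkey, dll) for every package that will run at shutdown: the diary's technique #7."""
    return [(f["subkey"], f["dll"]) for f in notify_registrations(keys)
            if "Shutdown" in f["events"]]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for f in notify_registrations(parsed):
        print(f"{f['subkey']}: {f['dll']} -> {f['handlers'] or 'no events'}")
    print("runs at shutdown:", shutdown_hooks(parsed))
```

Anything the script reports is a lead, not a verdict: compare the DLL path and hash against a known-good build of the same Windows version before deciding, since stock XP packages also register Logon, Logoff and Startup handlers here.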


Technique #8 - Wipe the DOMAIN? Fun with Scheduled Tasks

This last technique is pretty simple, but it illustrates an important point. Throughout this series I've been saying that if an attacker owns your computer then wipe the computer. But what happens when the attacker owns your domain admin accounts? Do you need to wipe the domain? Talk about downtime and expense! I don't know if I am ready to say wipe the domain, but this technique is one of many that should give systems administrators reason to pause and make sure they understand exactly what the attackers did on their network.

As you probably know, scheduled tasks let you schedule events that will occur on a predefined date and time. You may also know that a task can be triggered by events in the event log, and you can get very specific about which events trigger the execution of code. Microsoft supports limited XPath filtering on scheduled task event triggers that lets you peer into the EventData element of an event (http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx). This enables some interesting scenarios.

Imagine that an attacker creates a scheduled task on one of your domain controllers that monitors for failed logins by the account associated with your backup software's service account. Normally that password is hardcoded on servers across your enterprise and no one uses it interactively, so under normal circumstances it never has a failed login. But an attacker with domain admin has created a task on your domain controller that will create a new domain admin account when that backup account has a failed login. Months later, they connect to a public RDP server or Outlook Web Access server and enter the backup account's username with an incorrect password. The scheduled task fires and the backdoor domain admin account is created.

This is only one of many evil things an attacker could do on your domain. Group policies are complex and offer a creative attacker many places to hide. So do you wipe the domain? I think the right answer is to have vigilant monitoring and an intrusion detection system in place, and incident response plans that mitigate the threat before the attacker gets domain admin.


Event-based tasks are plentiful on the typical machine, which works to the attacker's advantage. Distinguishing good from evil is much easier if you have a baseline of what is supposed to be on your machine. You can capture a baseline of the currently scheduled event-based tasks with the following command:

schtasks /query /FO CSV /V | findstr /i /c:"when an event occurs"

The /c: switch makes findstr match the whole phrase; without it each space-separated word is a separate search string and "an" alone would match nearly every line.
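As an added example (not part of the diary), here is the other half of that baseline in Python: it diffs two captures of the `schtasks /query /FO CSV /V` output to find event-triggered tasks that were not in the baseline, then pulls the event subscription (the XPath select) and the action out of a task definition, which is the XML that `schtasks /query /TN <name> /XML` returns and that lives under C:\Windows\System32\Tasks. The CSV rows are a constructed subset of the verbose columns, and the task XML is a constructed definition of the scenario above, subscribed to Security event 4625 (failed logon) filtered on a hypothetical backup account name; the task name, script path and account are all invented.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed subset of `schtasks /query /FO CSV /V` output, limited to the
# columns used here (real output has ~28 columns). schtasks repeats the header
# line before each task folder, which the parser below tolerates.
BASELINE_CSV = '''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"DC01","\\Microsoft\\Windows\\Maintenance\\WinSAT","Microsoft Corporation","%windir%\\system32\\WinSAT.exe","SYSTEM","Daily"
"DC01","\\Microsoft\\Windows\\RAC\\RacTask","Microsoft Corporation","COM handler","SYSTEM","When an event occurs"
'''
CURRENT_CSV = '''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"DC01","\\Microsoft\\Windows\\Maintenance\\WinSAT","Microsoft Corporation","%windir%\\system32\\WinSAT.exe","SYSTEM","Daily"
"DC01","\\Microsoft\\Windows\\RAC\\RacTask","Microsoft Corporation","COM handler","SYSTEM","When an event occurs"
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type"
"DC01","\\Sync","CORP\\Administrator","powershell.exe -w hidden -f C:\\Windows\\Temp\\s.ps1","SYSTEM","When an event occurs"
'''

# Constructed task definition in the Task Scheduler XML format. The trigger is
# the scenario above: a Security-log failed logon (4625) for a hypothetical
# backup service account. Real files start with a UTF-16 XML declaration; read
# them as bytes so the parser honours it.
TASK_XML = '''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4625)]] and *[EventData[Data[@Name='TargetUserName']='svc_backup']]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -f C:\\Windows\\Temp\\s.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
'''
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def event_tasks(csv_text):
    """Map task name -> row for every event-triggered task in a CSV capture."""
    tasks = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":          # repeated header line
            continue
        if row["Schedule Type"].strip().lower() == "when an event occurs":
            tasks[row["TaskName"]] = row
    return tasks


def new_event_tasks(baseline_csv, current_csv):
    """Event-triggered tasks present now that the baseline capture did not have."""
    known = event_tasks(baseline_csv)
    return [row for name, row in event_tasks(current_csv).items() if name not in known]


def event_triggers(task_xml):
    """For each EventTrigger: the (log, XPath) selects it subscribes to and the action it runs."""
    root = ET.fromstring(task_xml)
    parts = [root.findtext("t:Actions/t:Exec/t:Command", namespaces=NS),
             root.findtext("t:Actions/t:Exec/t:Arguments", namespaces=NS)]
    command = " ".join(p for p in parts if p)
    triggers = []
    for trig in root.findall("t:Triggers/t:EventTrigger", NS):
        sub = trig.findtext("t:Subscription", default="", namespaces=NS)
        if not sub:
            continue
        # The subscription is an escaped <QueryList>; ET unescapes it, so parse it again.
        query = ET.fromstring(sub)
        selects = [(sel.get("Path"), (sel.text or "").strip()) for sel in query.iter("Select")]
        triggers.append({"selects": selects, "command": command})
    return triggers


def watches_account_failures(trigger):
    """True if a select reads the Security log and keys on a specific TargetUserName."""
    return any(path == "Security" and "TargetUserName" in xpath
               for path, xpath in trigger["selects"])


if __name__ == "__main__":
    for row in new_event_tasks(BASELINE_CSV, CURRENT_CSV):
        print(f"new event task {row['TaskName']} runs {row['Task To Run']} as {row['Run As User']}")
    for trig in event_triggers(TASK_XML):
        for log, xpath in trig["selects"]:
            print(f"  watches {log}: {xpath}")
        print(f"  then runs: {trig['command']}  suspicious={watches_account_failures(trig)}")
```

The name diff only catches tasks that were added; an attacker with domain admin can just as easily edit the trigger or action of an existing task, so keep the task XML files in the baseline too and compare those as well.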


Some people are of the opinion that people who wipe the drive when they are infected with malware lack the technical expertise and knowledge that is required to remove the malware. I'd argue that the opposite is true. It is the difference between unconscious incompetence and conscious incompetence. There, I said it. I am incompetent when it comes to finding everywhere malware could have hidden on a machine. Given enough time and energy I MIGHT find it all, but is that good enough? If that isn't good enough then do as I do and just wipe the drive.

Special thanks to Jake Williams (Twitter @malwarejake). Jake presented these concepts with me at Shmoocon last month. Jake is an extremely talented malware researcher. That video is now online and can be viewed here: http://www.youtube.com/watch?v=R16DmDMvPeI

Follow me on twitter : @MarkBaggett

Here is an AWESOME DEAL on some SANS training. Join Justin Searle and me for SANS' new SEC573 Python for Penetration Testers course at SANSFire June 17-21. It is a BETA so the course is 50% off! Sign up today!


There are two opportunities to join Jake Williams for FOR610 Reverse Engineering Malware. Join him on vLive with Lenny Zeltser or at the Digital Forensics Incident Response Summit in Austin.

vLive with Jake and Lenny begins March 28th, 2013:


Jake at DFIR Austin Texas July 11-15, 2013:

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
FCC Chairman Julius Genachowski reportedly plans to resign, ending a four-year term marked by significant efforts to expand wired and wireless broadband services across the U.S.

More details of the cyberattack on multiple banks and media companies in South Korea on Wednesday have emerged, suggesting that at least part of the attack was launched through a phishing campaign against employees of the companies. According to a report from Trend Micro's security lab, the "wiper" malware that struck at least six different companies was delivered disguised as a document in an e-mail.

The attachment was first noticed by e-mail scanners on March 18, the day before the attack was triggered. The e-mail was purportedly from a bank; Trend Micro's Deep Discovery threat scanning software recognized the message as coming from a host that had been used to distribute malware in the past.

The attachment, disguised as a document, was actually the installer for the "wiper" malware. It also carried PuTTY SSH and SCP clients, and a bash script designed to be used in an attack against Unix servers that the target machines had connection profiles for. When activated, the dropper attempted to create SSH sessions to Unix hosts with root privileges and erase key directories, as Ars reported yesterday.


With Michael Dell still battling to get his US$24.4 billion buyout deal approved by shareholders, his company needs to avoid a long, drawn-out battle that could erode customer confidence.

Apple has finally responded to increasing online security threats by introducing two-step authentication for iCloud. Like Google and other companies that already employ two-step authentication, Apple's system would provide an extra layer of security on top of the existing iCloud passwords when users try to access their accounts from unrecognized devices. iCloud users can set up two-step authentication on Apple IDs today by going to the Apple ID website and clicking the "Password and Security" tab.

Apple walks you through the process on its Apple ID management site.

For Apple, this means an authentication code is either sent via SMS to a phone number or found within the Find My iPhone app (if you have it installed) whenever you try to log in from somewhere new. This means that a potential attacker will have a harder time getting into your iCloud account without having physical access to your "trusted" device receiving the code. (Users are prompted to set up at least one trusted device when they turn on two-step authentication, though you can have more than one if you like.) Currently, two-step authentication is available to iCloud users in the US, UK, Australia, Ireland, and New Zealand.

One of the benefits to setting this up on your iCloud account is that you'll no longer have to rely on security questions—which are inherently insecure—in order to gain access to your account if you lose your password. The downside (if you consider it that) is that once you set up two-step authentication, Apple will no longer be able to reset your password for you should you lose or forget it. This is what ended up biting Wired editor Mat Honan in the behind when his various accounts were compromised—hackers were able to gather enough personal information from Honan's e-mail and Amazon accounts to trick Apple support into resetting his iCloud password, giving them free rein to remotely wipe his iPhone, iPad, and MacBook.


Seven years ago today, Twitter was born when the first tweet was sent out, marking the arrival of a new way to communicate online. As long as you did so in less than 140 characters.
Evernote who? Google is taking on the perennial digital note-taking favorite with Google Keep, a service that lets you store quick notes, checklists, Web links, and photos for things you need to remember or keep track of.
Which is the better value, an Office desktop license that's good 'forever' or an annual cloud subscription? The answer is: It depends on your situation. Our interactive calculator will show you the price for each to help you make the best choice.
Google filed a patent application for technology that will enable Google Glass to control everyday devices such as coffee makers, home alarm systems and garage doors.
Huawei security issues threatening national security are 'rumors' lacking supporting evidence, a Huawei France executive tells LeMagIT.

A group of U.S. lawmakers has introduced legislation that would require law enforcement agencies to get court-ordered search warrants before obtaining a suspect's mobile phone location or GPS data, instead of using prosecution-issued subpoenas.
BlackBerry's new operating system faces its first big test in the U.S. Friday when the first phone based on BlackBerry 10 goes on sale.
Following similar disclosures from companies like Google and Twitter, Microsoft has for the first time released statistics about requests it has received from law enforcement agencies for data about its users, and the criteria it employs to decide how it will respond.
Unlike Unicast-based networks, Anycast systems use dozens of individual data centers to dilute the effects of distributed denial-of-service attacks.

As an international organization that disrupts spam operators, the Spamhaus Project has made its share of enemies. Many of those enemies possess the Internet equivalent of millions of water cannons that can be turned on in an instant to flood targets with more traffic than they can possibly stand.

On Tuesday, Spamhaus came under a torrential deluge—75 gigabits of junk data every second—making it impossible for anyone to access the group's website (the real-time blacklists that ISPs use to filter billions of spam messages were never affected). Spamhaus quickly turned to CloudFlare, a company that secures websites and helps mitigate the effects of distributed denial-of-service attacks.

This is a story about how the attackers were able to flood a single site with so much traffic, and the way CloudFlare blocked it using a routing methodology known as Anycast.


Newer and older versions of Android on Samsung devices apparently have serious vulnerabilities - which Samsung does not seem in a rush to fix. Any patches first have to be approved by the network carriers

[SECURITY] [DSA 2651-1] smokeping security update
Although Google Chairman Eric Schmidt said this week that Chrome OS and Android will remain separate operating systems "for a very, very long time," one analyst still thinks the two will merge.
The Planck space mission has given scientists new information about the age, content and origin of the universe.
Intel aims to deliver more targeted packages of TV and Internet content at different price points through its upcoming TV set-top box, which will better address user needs than bundles offered by cable TV and satellite companies.
The French Jewish Students' Union has filed a lawsuit seeking 38.5 million euros (US$50 million) in criminal damages from Twitter and its CEO Dick Costolo over the company's failure to identify those responsible for a series of anti-semitic posts last October. Twitter retorted that the union was "grandstanding."
Apple's hiring of Adobe's former CTO Kevin Lynch opens some intriguing possibilities for the company's future moves, analysts said today.
Apple is dominating the cloud storage wars, followed by Dropbox, Amazon and Google according to Strategy Analytics "Cloud Media Services" survey.
CyaSSL CVE-2013-1623 Information Disclosure Vulnerability
Cisco has issued a security advisory after Hashcat researchers disclosed a password flaw in IOS and IOS XE devices that enable brute-force attacks.


Today we're bringing you another guest diary, this one by Matthew Newton on some of his experiences when he first turned up a novel service on World IPv6 Day in 2011.


The 8th June 2011 - World IPv6 Day - will always be a significant day in the history of the Internet when networks and content providers from all over the globe took part in a collective test of IPv6 to raise awareness, test what worked and what didn't, and of course tease out some of the issues facing future IPv6 adoption...

I was taking part in my ISP's (Plusnet) native-IPv6 trial and took the opportunity to release to the world my IPv6-enabled Internet Cat Feeder (http://www.newtonnet.co.uk/catfeeder). Okay, so it admittedly wasn't quite the IPv6 killer app that everyone has been waiting for but it did represent an example of the so-called Internet of Things that IPv6 will inevitably underpin and enable.

Normally the cat feeder is secured through an authentication mechanism such that only I can view/control it; however, on World IPv6 Day I opened the doors to the proverbial world and his dog... as long as they were connecting over IPv6 of course.

Doing something like this was always going to attract some unwanted attention and it was barely a few minutes after midnight when I started to see connections being made that weren't quite in the spirit of the day. I was using parameters specified in the URL to pass control variables to the underlying PHP script and so naturally some users started to handcraft their own to see what damage they could do. I'd anticipated this and made sure that the scripts wouldn't respond outside of their intended usage envelopes; however, what I hadn't anticipated was how futile my attempts would be to manually block persistent offenders.

In IPv4 - with a relatively static addressing model - it is very easy, and relatively effective, to blacklist particular (ab)users' IP addresses and this can usually be done with minimal collateral damage. However, with IPv6 this wasn't quite so straightforward because no sooner would I blacklist an individual /128 address than the miscreant would hop over to another address to continue their attack. It became something of a game of Whack-A-Mole and I was inevitably always one step behind. In an attempt to keep the feeder up and running I ended up resorting to a broad-brush strategy of widening the blacklisting scope up to the point of blocking entire /32s. That's a whole lot of potential users being tarred by the same brush.

Whilst in this scenario the collateral damage was likely minimal, it did bring to the fore the fact that not all security strategies from IPv4 are equally applicable to IPv6. The "one user, many addresses" principle of IPv6 is very much a double-edged sword: whilst the benefits are plentiful there are also drawbacks.

Still, overall the day was a success for IPv6, and the cat feeder too. To help quantify this, prior to the day the cats were fed twice a day over IPv4. Over the 24hr period on the 8th June 2011 with IPv6 they received 168 meals so unless there-)
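As an added example (not code from the guest diary or the cat feeder), the Whack-A-Mole problem above is a granularity problem, and a middle ground between /128 and /32 exists: aggregate offenders by the prefix the ISP actually hands a customer. This Python block assumes a /64 per end site, which is the common residential assignment, groups rejected requests by that prefix, blocks a prefix once it shows repeated abuse or several distinct hosts, and quantifies the collateral damage of widening to a /32. The rejected-request log is constructed: one visitor hops between addresses inside a single /64, one retries from a fixed address, and one is a lone hit.

```python
import ipaddress
from collections import defaultdict

# Constructed log of requests the feeder's script already rejected, as
# (source address, request) pairs.
REJECTED = [
    ("2001:db8:1:2::1",        "/feed.php?portion=9999"),
    ("2001:db8:1:2::2",        "/feed.php?portion=-1"),
    ("2001:db8:1:2:8:9:a:b",   "/feed.php?portion=%27%20OR%201=1"),
    ("2001:db8:1:2:ffff::1",   "/feed.php?portion=9999"),
    ("2001:db8:55::10",        "/feed.php?portion=9999"),
    ("2001:db8:55::10",        "/feed.php?portion=9999"),
    ("2001:db8:abcd::7",       "/feed.php?portion=0"),
]


def offenders_by_prefix(log, prefix_len=64):
    """Group rejected requests by the /prefix_len network their source falls in."""
    nets = defaultdict(lambda: {"hosts": set(), "hits": 0})
    for src, _request in log:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        nets[net]["hosts"].add(ipaddress.ip_address(src))
        nets[net]["hits"] += 1
    return nets


def blocklist(log, prefix_len=64, min_hits=3, min_hosts=2):
    """Networks to block: repeated abuse from one prefix, or several hosts inside it."""
    return sorted(net for net, s in offenders_by_prefix(log, prefix_len).items()
                  if s["hits"] >= min_hits or len(s["hosts"]) >= min_hosts)


def is_blocked(addr, blocks):
    """The per-request check the front end would run before honouring a feed command."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocks)


def sixty_fours_covered(net):
    """How many /64 end-site prefixes one block entry takes out: the collateral damage."""
    return 2 ** max(0, 64 - net.prefixlen)


if __name__ == "__main__":
    for plen in (128, 64, 32):
        blocks = blocklist(REJECTED, prefix_len=plen)
        print(f"/{plen} granularity: block {[str(b) for b in blocks]}, "
              f"covering {sum(sixty_fours_covered(b) for b in blocks)} /64s")
```

At /128 granularity nothing ever crosses the threshold because the hopping visitor never reuses an address; at /64 the one abusive customer prefix is blocked and nobody else is; at /32 the same decision takes out 2^32 customer prefixes. If the ISP in question assigns /56s or /48s, pass that as prefix_len instead, since a single customer can then hop across /64s as well.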

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Chrome OS and Android will remain as separate operating systems, each addressing specific requirements, Google's executive chairman said Thursday.

Have you begun noticing unexpected ads appearing on unlikely websites while browsing on your Mac? If so, it's possible you've been infected with Trojan.Yontoo.1, which has been identified by Russian anti-virus firm Doctor Web as a malware variant affecting OS X users. No infection numbers were provided and Doctor Web is currently the only company reporting the threat, indicating that it has been fairly limited thus far. Still, its existence shows how Mac users continue to be targeted by malware writers and how easy it is to trick some users into installing it.

Here's how Trojan.Yontoo.1 works. An installer is presented to users as a browser plugin—usually on specially crafted webpages claiming to show movie trailers—but may also present itself as a media player, download accelerator, or "a video quality enhancement program." The installer asks the user if he or she wants to install an app called Free Twit Tube; at that point, the installer downloads the trojan from the Internet, which installs a plugin for all available browsers, including Safari, Firefox, and Chrome.

From there, the Yontoo trojan monitors your Web browsing and, according to Doctor Web, transmits information about what pages you visit to a remote server. It then injects ads into those pages using third-party code, allowing the attackers to collect unauthorized ad views on nearly any website they please. And yes, that includes Apple's own website.


[SECURITY] [DSA 2641-2] libapache2-mod-perl2 update related to DSA 2641-1
Chrome and Android will remain as separate OSes, each addressing specific requirements, Google's executive chairman said Thursday.
Security researchers have uncovered yet another ongoing cyberespionage operation targeting political and human rights activists, government agencies, research organizations and industrial manufacturers primarily from Eastern European countries and former Soviet Union states.
QLogic's technology for clustered cache storage on SAN adapters will hit the market this month in the form of adapters with integrated 200GB or 400GB flash cards.
A U.S. Department of Defense spokesman on Thursday said a report suggesting the defense agency is dumping BlackBerry devices was inaccurate, and that BlackBerry is still part of ongoing DoD mobile device deployment plans.
Oracle suffered the most as growth in the storage market continued to slow during the end of 2012. Hewlett-Packard, Dell and IBM also struggled while EMC emerged as the big winner.
NVIDIA Graphics Driver for Windows CVE-2013-0111 Local Privilege Escalation Vulnerability
NVIDIA Graphics Driver for Windows CVE-2013-0110 Local Privilege Escalation Vulnerability
Expect enterprises to start instituting stricter policies to make BYOD a more secure and cost-effective policy.
Canon will soon launch what it is calling the world's smallest digital single-lens camera, with a body that weighs just over 370 grams and featuring an 18-megapixel image sensor.
Eleven complainants sent an open letter to European Union's Competition Commissioner Joaquín Almunia urging him to formally charge Google with breaching competition law.
Business intelligence software provider Tableau Software has updated its namesake software with additional tools for connecting to the sources of data in the cloud.
LinuxSecurity.com: Under certain configurations, Keystone would allow unintended access overthe network.
LinuxSecurity.com: Two security issues were fixed in Nova.
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Several security issues were fixed in ClamAV.
LinuxSecurity.com: A cross-site scripting vulnerability was discovered in smokeping, a latency logging and graphing system. Input passed to the "displaymode" parameter was not properly sanitized. An attacker could use this flaw to execute arbitrary HTML and script code in a user's browser session in [More...]
Cisco's attempt to improve password security in its IOS operating system went somewhat awry when none of the improvements were actually implemented. The new scheme turns out to be weaker than its predecessor

NVIDIA Graphics Driver for Windows CVE-2013-0109 Local Privilege Escalation Vulnerability
Rack Multiple Denial of Service Vulnerabilities
Defense Distributed, the pro-gun nonprofit working to make 3D-printable gun designs freely available to everyone on the Internet, recently inched one step closer toward achieving that goal. The Austin, Texas-based group last week was granted a federal firearms license from the Bureau of Alcohol, Tobacco, Firearms and Explosives.
A sophisticated botnet clicks itself through internet advertising by simulating human clicking behaviour. This has caused the advertising industry damage running into millions

The latest iOS update contains a hole that presents another opportunity to bypass the passcode lock and access the telephone app including the user's address book – but only if voice dialling is enabled

Security vendors analyzing the code used in the cyberattacks against South Korea are finding nasty components designed to wreck infected computers.
Chinese cyberattacks targeting Taiwan are moving beyond stealing sensitive information, and could be capable of crippling the island's transportation and financial systems, a top security official claimed on Wednesday.
The website of a U.S. group focused on human rights in North Korea was hacked at the same time as a cyberattack on South Korean targets on Wednesday.
A group led by Amazon's CEO has recovered from deep in the Atlantic Ocean rocket engines that powered the NASA Apollo moon missions in the 1960s and 1970s.
Former Tribune Company employee Matthew Keys has denied giving a username and password to anyone, or conspiring to cause damage to a protected computer.
Music fans and major recording artists are adopting lossless audio file formats to keep copies of their music that are as close to master recordings as possible, leading to multi-terabyte-sized home music storage systems.
Some sellers have raised the price of Office 2010's lowest-cost multi-license package after Microsoft discontinued retail sales of the suite.
RubyGems 'command_wrap' Remote Command Execution Vulnerability

Posted by InfoSec News on Mar 20


By Dan Goodin
Ars Technica
March 20 2013

In one of the more audacious and ethically questionable research
projects in recent memory, an anonymous hacker built a botnet of more
than 420,000 Internet-connected devices and used it to perform one of
the most comprehensive surveys ever to measure the insecurity of the
global network....

Posted by InfoSec News on Mar 20


By Lucian Constantin
IDG News Service
March 20, 2013

The password encryption algorithm used in some recent versions of the Cisco IOS
operating system is weaker than the algorithm it was designed to replace, Cisco
revealed earlier this week.

The new encryption algorithm is called Type 4 and was supposed to increase the...

Posted by InfoSec News on Mar 20


By Kelly Jackson Higgins
Dark Reading
March 20, 2013

A wave of cyberattacks that targeted South Korean banks and media networks
today employed destructive malware that wiped the hard drives and attached
drives of infected machines, crippling the organizations for hours as data...