Hackin9

Engadget

The RSA keynotes: a cautionary tale
Engadget
This week, RSA announced its 20 keynote speakers, and if you heard a weird noise coming from Twitter, that was the InfoSec community releasing an exasperated collective WTF. In a plot twist predicted by no one, three of RSA's coveted keynote spots have ...

 

A recently identified backdoor in hardware sold by security company Fortinet has been found in several new products, many that were running current software, the company warned this week.

The undocumented account with a hard-coded password came to light last week when attack code exploiting the backdoor was posted online. In response, Fortinet officials said it affected only older versions of Fortinet's FortiOS software. The company went on to say the undocumented method for logging into servers using the secure shell (SSH) protocol was a "remote management" feature that had been removed in July 2014.

In a blog post published this week, Fortinet revised the statement to say the backdoor was still active in several current company products, including some versions of its FortiSwitch, FortiAnalyzer, and FortiCache devices. The company said it made the discovery after conducting a review of its products. Company officials wrote:


 

(credit: Tor Project)

As a result of its recent crowdfunding campaign, the Tor Project announced Thursday that it had raised over $200,000 from more than 5,000 individuals over nearly two months.

The organization also released its 2014 Form 990, the financial document that all nonprofits must file with the IRS.

As of 2014, the organization took in about $2.5 million annually, roughly 75 percent of that coming from grants from US government institutions such as Radio Free Asia and the State Department.


 

Royal Caribbean Appoints Renee Guttman Chief Information Security Officer
SYS-CON Media (press release)
"Renee's role is paramount as Royal Caribbean continues to work in a global environment where information security is critical to the ongoing success of our Company," said Michael Giresi, Chief Information Officer, Royal Caribbean Cruises Ltd ...

 

KrebsOnSecurity published this photo in July 2013 after foiling a plot to frame him for purchasing heroin. (credit: KrebsOnSecurity)

A Ukrainian hacker accused of trying to frame security reporter Brian Krebs for heroin possession has pleaded guilty to credit card fraud and illegally accessing more than 13,000 computers.

Sergey Vovnenko, 29, entered guilty pleas earlier this week to charges of aggravated identity theft and conspiracy to commit wire fraud. He was accused of operating a botnet of more than 13,000 computers, which he used to harvest users' credit card data and other sensitive information. He used aliases including "Flycracker," "Centurion," and "Darklife."

In a blog post, KrebsOnSecurity's namesake wrote:


 

I have talked many times about memory forensics and how useful it is. In this diary I am going to talk about how to extract a pcap file from a memory image using bulk_extractor.

Of course, when we extract a pcap file from a memory image we will not get everything, but there will be some remnants that can help in our investigation.

bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features that it finds, as features that are more common tend to be more important. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications.

nc -l -p 80


telnet 192.168.8.101 80

Then I captured the memory of my windows machine using Dumpit[2].

Since I am interested in extracting the pcap from the memory image only, I will disable all the scanners using the -x all option and enable the net scanner only using -e net:

bulk_extractor -x all -e net -o Win8bulk/ Win8-64bit.raw

-o specifies output directory.

Now let's look at the output directory:

ls Win8bulk/

alerts.txt ether.txt ip.txt report.xml

ether_histogram.txt ip_histogram.txt packets.pcap

Here is a brief explanation of the above files:

ether.txt -- Ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file fragments.

ip.txt -- IP addresses found through IP packet carving.

ether_histogram.txt -- the histogram of the Ethernet MAC addresses found.

ip_histogram.txt -- the histogram of the IP addresses found.

packets.pcap -- a pcap file made from the carved packets.


tcpdump -nn -r Win8bulk/packets.pcap ip host 192.168.8.101 and tcp


00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [.], ack 422809692, win 64, length 0

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 0:1, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 1:2, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 2:3, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 3:4, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 4:5, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 5:6, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 6:7, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [P.], seq 7:8, ack 1, win 64, length 1

00:00:00.000000 IP 192.168.8.100.49684 > 192.168.8.101.80: Flags [S], seq 2574360603, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0


Now let's check what we can get with Follow TCP Stream:

And that's what I typed during the test connection.
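The tcpdump output above shows two properties of carved packets that matter when you try to follow the stream: every timestamp is zero, and the packets appear in the order they were found in memory, so the SYN shows up after the one-byte data segments. The script below is an added example, not part of the diary or of bulk_extractor: it builds a small pcap in memory that mimics such a carve (the addresses, ports and ISN mirror the diary's output; the typed text "hi there", the retransmitted segment and the frame from an unrelated host are constructed), applies the same "ip host X and tcp" selection as the tcpdump command, and reassembles one direction of the conversation by sequence number, tolerating duplicates and reporting bytes that were not recovered from memory.

```python
"""Follow a TCP stream in packets carved from a memory image (added example)."""
import socket
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10
CLIENT, SERVER, CLIENT_PORT, SERVER_PORT = "192.168.8.100", "192.168.8.101", 49684, 80


def build_tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame without options. Checksums are left at
    zero: the frames are only parsed here, never sent (constructed data)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 64, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Classic pcap, link type 1 (Ethernet), every record timestamp 0 as in a carve."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield the raw frames of a classic pcap written in either byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("not a classic Ethernet pcap")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def parse_tcp(frame):
    """Return the IPv4/TCP fields of a frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF,
            "payload": tcp[(off_flags >> 12) * 4:]}


def follow_tcp_stream(pcap_bytes, src, sport, dst, dport, gap=b"?"):
    """Rebuild one direction of a conversation from unordered, timestamp-less
    packets. Returns (payload, number of bytes missing from the carve)."""
    isn, segments = None, []
    for frame in parse_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if not p or (p["src"], p["sport"], p["dst"], p["dport"]) != (src, sport, dst, dport):
            continue                      # same selection as "ip host X and tcp"
        if p["flags"] & SYN:
            isn = p["seq"] + 1            # the first data byte follows the SYN
        elif p["payload"]:
            segments.append((p["seq"], p["payload"]))
    if not segments:
        return b"", 0
    base = isn if isn is not None else min(s for s, _ in segments)
    stream = {}                           # offset in stream -> byte value
    for seq, payload in segments:         # arrival order and duplicates are irrelevant
        off = seq - base
        if off >= 0:
            for i, byte in enumerate(payload):
                stream[off + i] = byte
    end = max(stream) + 1
    return bytes(stream.get(i, gap[0]) for i in range(end)), end - len(stream)


def carved_sample(drop_index=None):
    """Constructed frames in 'memory order': data segments reversed, one
    retransmitted, one frame from another host, and the SYN last."""
    isn, typed = 2574360603, b"hi there"
    data = [build_tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, isn + 1 + i,
                            422809692, PSH | ACK, bytes([c])) for i, c in enumerate(typed)]
    if drop_index is not None:            # simulate a segment that was overwritten in RAM
        del data[drop_index]
    frames = data[::-1]
    frames.append(frames[0])              # retransmission: same seq, same byte
    frames.append(build_tcp_frame("192.168.8.1", SERVER, 40000, 80, 7, 0, SYN))  # unrelated host
    frames.append(build_tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, isn, 0, SYN))
    return build_pcap(frames)


if __name__ == "__main__":
    for label, pcap in (("complete carve", carved_sample()), ("one segment lost", carved_sample(4))):
        data, missing = follow_tcp_stream(pcap, CLIENT, CLIENT_PORT, SERVER, SERVER_PORT)
        print(f"{label}: {data!r} ({missing} byte(s) not recovered)")
```

To run it against a real carve, replace `carved_sample()` with the bytes of packets.pcap and pass the client and server addresses and ports from ip_histogram.txt; the `?` placeholders in the result mark positions where no segment was recovered from memory, which is exactly the incompleteness the diary warns about.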


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 

The Register

Bounty hunters won't blink until you dangle US$1500 bug reward
The Register
An organisation with basic security is one that regards infosec as a "necessary evil" with a chief information security officer in charge of a small and minimally-skilled security team that is "subservient to IT". Advanced organisations have their ...
