Information Security News
IPS Web-hosting Provider Saved from Systems Hack
SPAMfighter News (press release)
A systems hijack was averted at Invision Power Services a provider of web-hosting facility, this April 2016, and so clients potentially saved from destruction, after security investigators collated intelligence about a cyber-criminal conspiracy which ...
Microsoft's Windows Defender Advanced Threat Hunting team works to track down and identify hacking groups that perpetrate attacks. The focus is on the groups that are most selective about their targets and that work hardest to stay undetected. The company wrote today about one particular group that it has named PLATINUM.
The unknown group has been attacking targets in South East Asia since at least 2009, with Malaysia being its biggest victim with just over half the attacks, and Indonesia in second place. Almost half of the attacks were aimed at government organizations of some kind, including intelligence and defense agencies, and a further quarter of the attacks were aimed at ISPs. The goal of these attacks does not appear to have been immediate financial gain—these hackers weren't after credit cards and banking details—but rather broader economic espionage using stolen information.
Microsoft doesn't appear to know a great deal about the team doing the hacking. They have often used spear-phishing to initially penetrate target networks and seem to have taken great pains to hide their attacks. For example, they've used self-deleting malware to cover their tracks, customized malware to evade anti-virus detection, and malware that limits its network activity to only be active during business hours, so its traffic is harder to notice. Redmond suggests that the adversary is likely a government organization of some kind, due to its organization and the kinds of data it has sought to steal.
We have mentioned Kippo a lot on the site, but a nice fork is a program called cowrie. (hxxps://github.com/micheloosterhof/cowrie). It has some nice new features including built-in support for Dshield! Since the install is the same as Kippo, Ill skip that and point you to cowrie install guide for the basics (hxxps://github.com/micheloosterhof/cowrie/blob/master/INSTALL.md).
To setup Dshield logs on Ubuntu, you">sudo apt-get install python-dateutil
Then we need to enable the Dshield portion. You need to remove # from the part starting with the plugin name. Youll also need your account info. Once logged into ISC, go to My Accounts - My reports. Select Update info and youll see your auth_key.
">batch_size = 100
Once you have this setup, switch to the cowrie user and restart the service.To troubleshoot setup issues, look in /home/cowrie/log/cowrie.log
">fgrep dshield /home/cowrie/cowrie.log
">2016-04-27 00:46:26+0000 [-] Loaded output engine: dshield
To protect the OS, its good to put some additional security controls around it. My honeypot is running on Ubuntu, so I chose apparmor. You can access my cowrie profile on my github at hxxps://goo.gl/6F5FdG. While I could lock it down a bit more, it seems to work well.
Once you downloaded the file, you need to copy it to the AppArmor folder. ">sudo cp /home/user/download/home.cowrie.start.sh /etc/apparmor.d/
"docs-internal-guid-daacb6a0-5565-fde4-b075-9f3fcc58ad25">sudo aa-enforce /etc/apparmor.d/home.cowrie.start.sh
Now restart the cowrie service. Then check to see if it">aa-status
"docs-internal-guid-daacb6a0-5565-fde4-b075-9f3fcc58ad25">">">">">">">">0 processes are unconfined but have a profile defined.
uid-daacb6a0-5565-fde4-b075-9f3fcc58ad25">To get a better understanding of what the actual profile is allowing check out hxxp://wiki.apparmor.net/index.php/QuickProfileLanguage.
I run my honeypots on very lean VMs (512mb RAM), so they will not run with MYSQL on them, but to get similar power cowrie has support for sqlite3!
">db_file = /home/cowrie/cowrie.db
Once you have restarted the service, everything should be ready to go. If you are new to SQLite a few useful commands to get you started are below.
r">To access the database and get querying.
Ive enjoyed using cowrie on my latest setup with sqlite3. Its been solid over the last week and have not ran into any issues.
Tom Webb(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Unfortunately when its come to the memory forensics Mac in environment doesnt have the luxury that we have in the Windows environment.
The first step of the memory forensics is capturing the memory, while in Windows we have many tools to achieve this, in Mac we have very few options.
OSXPmem is the only available option for memory capturing that support El Capitan,
chown -R root:wheel MacPmem.kext/
./osxpmem c none -o mem.dump
bulk_extractor -o bulkdir/ mem.dump
ls lS bulkdir/
-rw-r--r-- 1 root staff 398534 Apr 26 15:49 zip.txt
-rw-r--r-- 1 root staff 202338 Apr 26 15:49 url.txt
-rw-r--r-- 1 root staff 104701 Apr 26 15:49 domain.txt
-rw-r--r-- 1 root staff 32010 Apr 26 15:49 report.xml
-rw-r--r-- 1 root staff 1680 Apr 26 15:49 exif.txt
-rw-r--r-- 1 root staff 1030 Apr 26 15:49 url_histogram.txt
-rw-r--r-- 1 root staff 878 Apr 26 15:49 rfc822.txt
-rw-r--r-- 1 root staff 493 Apr 26 15:49 email.txt
-rw-r--r-- 1 root staff 427 Apr 26 15:49 domain_histogram.txt
-rw-r--r-- 1 root staff 350 Apr 26 15:49 url_services.txt
-rw-r--r-- 1 root staff 205 Apr 26 15:49 email_histogram.txt
-rw-r--r-- 1 root staff 191 Apr 26 15:49 email_domain_histogram.txt
-rw-r--r-- 1 root staff 0 Apr 26 15:48 aes_keys.txt
-rw-r--r-- 1 root staff 0 Apr 26 15:48 alerts.txt
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
# Feature-Recorder: domain
# Filename: mem.dump
# Histogram-File-Version: 1.1
720717488 192.168.1.3 struct ip L (src) cksum-ok
720717488 192.168.1.5 struct ip R (dst) cksum-ok
720719296 192.168.1.3 struct ip L (src) cksum-ok
720719296 192.168.1.5 struct ip R (dst) cksum-ok
720719536 192.168.1.3 struct ip L (src) cksum-ok
720719536 192.168.1.5 struct ip R (dst) cksum-ok
720720304 192.168.1.3 struct ip L (src) cksum-ok
720720304 192.168.1.5 struct ip R (dst) cksum-ok
720721832 192.168.1.3 struct ip L (src) cksum-ok
720721832 192.168.1.5 struct ip R (dst) cksum-ok
720722352 192.168.1.3 struct ip L (src) cksum-ok
720722352 192.168.1.5 struct ip R (dst) cksum-ok
720723112 192.168.1.3 struct ip L (src) cksum-ok
720723112 192.168.1.5 struct ip R (dst) cksum-ok
720727976 192.168.1.3 struct ip L (src) cksum-ok
720727976 192.168.1.5 struct ip R (dst) cksum-ok(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
SANS and NinjaJobs Partner to Grow Cyber Talent Pipeline
SYS-CON Media (press release)
BETHESDA, Md., April 26, 2016 /PRNewswire-USNewswire/ -- The critical need for cyber talent has prompted the SANS Institute, the world's largest information security training and certification organization, to announce a partnership with NinjaJobs, ...
Waterbury Republican American
That USB drive you found has more than just spring break photos
Waterbury Republican American
... has more than just spring break photos. By Ally Marotti TRIBUNE NEWS SERVICE ... Jack Koziol, president and founder of InfoSec Institute, an Elmwood Park-based information security training company, agreed. "I don't think most people realize that ...