Information Security News
The National Institute of Standards and Technology (NIST) released a new version of its patch management guidance last week, NIST SP 800-40 Revision 3 (Guide to Enterprise Patch Management Technologies). The latest release takes a broader look at enterprise patch management than the previous version, so it is well worth the read.
Patch management is explicitly called out as a "Quick Win" in Critical Control #3, "Secure Configurations for Hardware and Software". It is also required by many of the cyber security standards currently in use, such as NERC CIP and DIACAP, and is a frequent finding in audits against those standards. The document covers not only how to do patch management in the enterprise but also the risks that the enterprise patching solutions in use today introduce themselves.
Section 3.3 is of particular interest to anyone facing the challenges of unique environments with numerous non-standard deployments, such as out-of-office hosts, appliances, and virtualized systems. Section 4 is an excellent summary of enterprise patch management technologies, the approach for implementing them in the enterprise, and guidance for ongoing operations.
One theme recurs throughout: testing. The authors clearly intended to highlight the need for testing in every aspect of enterprise patch management.
tony d0t carothers --gmail
For the first time, the freely available password cracker oclHashcat-plus is able to tackle passcodes with as many as 55 characters. It's an improvement that comes as more and more people are relying on long passcodes and phrases to protect their website accounts and other online assets.
Until now, oclHashcat-plus, the Hashcat version that can use dozens of graphics cards to simultaneously crack huge numbers of cryptographic hashes, has limited guesses to 15 or fewer characters. (oclHashcat-lite and the CPU-based Hashcat have supported longer passwords, but those programs frequently take much longer to work.) Released over the weekend, oclHashcat-plus version 0.15 can generally accommodate passwords of up to 55 characters. Depending on the hash being targeted and the cracking techniques in use, the maximum can be as high as 64 characters or as low as 24. The long sought-after improvement targets one of the last remaining defenses people employ to make their passwords resistant to cracking.
"This was by far one of the most requested features," Jens Steube, the lead Hashcat developer who also goes by the handle Atom, wrote in the release notes for the new version. "We resisted adding this 'feature' as it would force us to remove several optimizations, resulting in a decrease in performance for most algorithms. The actual performance loss depends on several factors (GPU, attack mode, etc.), but typically averages around 15 percent."
Recently, a friend of mine had a USB drive "die on him" and he wanted me to look at it. He needed to recover PDF, DOC and PPT files on the drive. Fortunately, this drive did not appear to be damaged and I was able to access the physical disk but not the partition.
The SANS SIFT workstation is a good Linux forensics distro for the steps below: http://computer-forensics.sans.org/community/downloads.
1. Image the drive
When doing forensic drive analysis, always make a copy of the drive first and run the analysis against the image, never the original. dcfldd on Linux or FTK Imager Lite on Windows will do the trick. Check the output of dmesg to find the device name after plugging the USB drive into your Linux VM.
# dmesg
sd 32:33:0:0: [sdb] 4324088 512-byte hardware sectors (4043 MB)
Now that we have the device name, let's write the image to /tmp/Broken-USB.001, reading past bad sectors and hashing the result as we go:
# dcfldd bs=512 if=/dev/sdb of=/tmp/Broken-USB.001 conv=noerror,sync hash=md5 md5log=md5.txt
2. Troubleshoot the issue
The file command should report the partition or filesystem type, but it does not:
# file Broken-USB.001
Broken-USB.001: data
mmls (from The Sleuth Kit) should also show us the partition table, but again it doesn't:
# mmls Broken-USB.001
Cannot determine partition type
Let's dump the start of the image in hex to see whether the drive is completely blank:
# xxd -l 1000 Broken-USB.001
0000000: 0600 0077 6562 6220 2020 2020 2020 2020  ...webb
0000010: 2020 2020 2020 2020 2020 2020 2020 2020
0000020: 2020 2020 2020 2020 2020 2020 2020 2020
0000030: 2020 2020 2020 2006 0000 0000 0077 0065         ......w.e
0000040: 0062 0062 0020 0020 0020 0020 0020 0020  .b.b. . . . . .
The dump shows real data (the string "webb" appears twice, once as plain ASCII and once with a zero byte between each character), so the drive is not blank, but nothing that looks like a partition table or boot sector. It should still be possible to carve files out of the disk image.
3. Determine what you want to recover
Many file types begin with a fixed header (magic bytes) and some also end with a fixed footer. File carving uses this to its advantage: scan the raw image for those byte sequences and cut out everything from a header up to the next matching footer, without needing a filesystem at all. Foremost is a carving tool that does exactly this for a configurable set of file types.
The command below reads the image (Broken-USB.001) and writes the carved files under /tmp/dump. To restrict carving to a few file types, use the -t option (for example -t pdf,doc); the default is all built-in types.
# foremost -v -i Broken-USB.001 -o /tmp/dump
4. Review Files
Foremost creates one folder per file type, each containing the carved files, plus an audit.txt listing what it found and at which offset. Some files will be complete, but others will likely be partial or corrupted (a carved file ends at the first matching footer or at the type's size limit, whichever comes first), so open each recovered document and check it.
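The header/footer carving that foremost performs in step 3, shown as an added Python example; this is not code from the diary and not part of foremost. It builds a small constructed disk image in memory (junk in sector 0, one complete PDF, an OLE2 DOC/PPT header and a PDF whose tail was lost), performs the sector-0 boot-signature check that file and mmls rely on, then carves by signature and labels each result complete, partial or size-capped, which is the sorting the reviewer in step 4 otherwise does by hand. The signature table, the size caps and the output file naming are this example's own choices, not foremost's defaults.

```python
"""Header/footer file carving, the technique foremost applies in step 3.

Added example for this diary; it is not the diary author's code and not part
of foremost. Everything is self-contained: a constructed image is built in
memory (no USB drive required), the sector-0 check that file(1) and mmls rely
on is performed, then files are carved out of the raw bytes by magic number.
"""
import os

SECTOR = 512

# (type, header, footer, maximum size). PDF and JPEG have real footers.
# Office 97-2003 DOC/PPT files share one OLE2 header and have no footer, so a
# carver has to rely on a size cap for them. The caps are values chosen for
# this example, not foremost's defaults.
SIGNATURES = [
    ("pdf", b"%PDF-", b"%%EOF", 5 * 1024 * 1024),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 5 * 1024 * 1024),
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None, 1024 * 1024),
]


def has_boot_signature(image):
    """A valid MBR or FAT boot sector ends sector 0 with 0x55 0xAA. Its absence
    is why file(1) reports 'data' and mmls cannot find a partition table."""
    return len(image) >= SECTOR and image[510:512] == b"\x55\xaa"


def carve(image):
    """Scan the raw image for every known header and return a list of
    (type, byte offset, size, status) sorted by offset.
    status: 'complete' = footer found; 'partial' = footer type, but no footer
    within the cap (truncated or overwritten file); 'sized' = footer-less
    type, cut at the cap or at the end of the image.
    Simplification: the first footer wins, so a PDF with several %%EOF
    markers (incremental updates) is cut at the earliest one."""
    found = []
    for name, header, footer, max_size in SIGNATURES:
        pos = image.find(header)
        while pos >= 0:
            end, status = min(pos + max_size, len(image)), "sized"
            if footer is not None:
                fpos = image.find(footer, pos + len(header), pos + max_size)
                if fpos >= 0:
                    end, status = fpos + len(footer), "complete"
                else:
                    status = "partial"
            found.append((name, pos, end - pos, status))
            pos = image.find(header, pos + len(header))
    return sorted(found, key=lambda f: f[1])


def write_carved(image, results, outdir):
    """Write each carved file as <outdir>/<type>/<offset>.<type>, mirroring
    foremost's one-folder-per-type layout (the naming is this example's own).
    Returns the paths written."""
    paths = []
    for name, off, size, _status in results:
        os.makedirs(os.path.join(outdir, name), exist_ok=True)
        path = os.path.join(outdir, name, "%08d.%s" % (off, name))
        with open(path, "wb") as fh:
            fh.write(image[off:off + size])
        paths.append(path)
    return paths


def build_test_image():
    """Constructed image, not data from the diary's drive: sector 0 overwritten
    with junk (no 0x55AA), a complete PDF at sector 1, an OLE2 (DOC/PPT)
    header at sector 3, and a PDF whose tail was lost at sector 4."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"   # 45 bytes
    image = bytearray(b"\x06\x00\x00webb".ljust(SECTOR, b" "))   # sector 0: junk
    image += pdf.ljust(2 * SECTOR, b"\x00")                       # sectors 1-2
    image += SIGNATURES[2][1].ljust(SECTOR, b"\x00")              # sector 3: OLE2
    image += pdf[:20].ljust(SECTOR, b"\x00")                      # sector 4: cut PDF
    return bytes(image)


if __name__ == "__main__":
    import sys
    # With a path argument the script carves a real image; without one it
    # runs against the constructed image above.
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image()
    print("boot signature present:", has_boot_signature(img))
    for entry in carve(img):
        print("%-4s offset=%-8d size=%-8d %s" % entry)
```

Run it with no arguments to see the three carved entries and their statuses; pass the path of a dcfldd image to carve that instead. Note how the footer-less OLE2 entry is cut at the size cap and so swallows the sectors after it, which is the usual reason carved DOC and PPT files open but contain trailing garbage.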
Security certificates 'an infosec weak spot'
Implicitly trusting all digital certificates potentially allows vast amounts of malware into corporate systems, warns enterprise key and certificate management solutions firm Venafi. Venafi evangelist Calum MacLeod says malware with embedded digital ...
Posted by InfoSec News on Aug 26: http://arstechnica.com/tech-policy/2013/08/fbi-still-needs-hector-sabu-monsegur-sentencing-delayed-again/
Posted by InfoSec News on Aug 26: http://www.nytimes.com/2013/08/23/technology/the-pentagon-as-start-up-incubator.html
Posted by InfoSec News on Aug 26: http://www.chicagotribune.com/business/breaking/chi-advocate-health-break-in-20130823,0,3858565.story
Posted by InfoSec News on Aug 26: http://the-japan-news.com/news/article/0000488688
Posted by InfoSec News on Aug 26: http://www.autoblog.com/2013/08/25/tesla-model-s-vulnerable-hackers/