(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The National Institute of Standards and Technology (NIST) released a new version of its guidance on Patch Management last week, NIST SP800-40.  The latest release takes a broader look at enterprise patch management than the previous version, so it is well worth the read.  

Patch Management is clearly called out as a "Quick Win" in Critical Control #3 "Secure Configurations for Hardware and Software".  Additionally, Patch Management is something that is required by many of the cyber security standards currently in use, such as CIP and DIACAP, and is often a finding associated with audits of said standards.  The document not only talks about patch management in the enterprise, it also talks about risks associated with enterprise patching solutions being used today.

Section 3.3 is of particular interest to anyone who is faced with the challenges of unique environments which contain numerous non-standard deployments, such as out of office hosts, appliances, and virtualizations of systems.  Section 4 is an excellent summary of Enterprise Patch Management technologies, the approach for implementing this technology in the enterprise, and guidance for ongoing operations.

One theme that is constant throughout is testing.  It is quite clear that the authors intended to highlight the need for testing in all aspects of enterprise patch management.

tony d0t carothers --gmail

Apple's first rule about enterprise features: 'You don't talk about enterprise features.' While you may not hear it from Cupertino, BYOD features abound in iOS 7 and, according to AirWatch's Blake Brannon, they are 'as innovative as we've seen from Apple.'
VMware's big splash in software-defined networking with its NSX network hypervisor comes with partnerships already in place to flesh out its virtual networks.
IBM for the first time revealed details on Monday of its 12-core Power8 chip, which is twice as fast as the Power7 chip used in the Watson supercomputer.
As of May, 70% of U.S. residents ages 18 and older access the Internet via high-speed broadband, although the rate of broadband adoption has been sluggish, according to survey results released Monday by the Pew Research Center's Internet and American Life Project.
A Bitcoin trade group met with representatives of several U.S government agencies Monday as regulators debate whether the online currency should comply with currency rules.
Dan Goodin

For the first time, the freely available password cracker ocl-Hashcat-plus is able to tackle passcodes with as many as 55 characters. It's an improvement that comes as more and more people are relying on long passcodes and phrases to protect their website accounts and other online assets.

Until now, ocl-Hashcat-plus, the Hashcat version that can use dozens of graphics cards to simultaneously crack huge numbers of cryptographic hashes, has limited guesses to 15 or fewer characters. (oclHashcat-lite and Hashcat have supported longer passwords, but these programs frequently take much longer to work.) Released over the weekend, ocl-Hashcat-plus version 0.15 can generally accommodate passwords with lengths of 55 characters. Depending on the hash that's being targeted and the types of cracking techniques being used, the maximum can grow as high as 64 characters or as low as 24. The long sought-after improvement targets one of the last remaining defenses people employ to make their passwords resistant to cracking.

"This was by far one of the most requested features," Jens Steube, the lead Hashcat developer who also goes by the handle Atom, wrote in the release notes for the new version. "We resisted adding this 'feature' as it would force us to remove several optimizations, resulting in a decrease in performance for most algorithms. The actual performance loss depends on several factors (GPU, attack mode, etc.), but typically averages around 15 percent."



PHP CVE-2011-4718 Session Fixation Vulnerability
Linux Kernel NULL Pointer Dereference Local Denial of Service Vulnerability
[SECURITY] [DSA 2742-1] php5 security update
Organizations handling protected health information have until Sept. 23 to comply with new security and privacy requirements that were included as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
VMware CEO Pat Gelsinger used his opening keynote speech at the company's annual VMworld conference to emphasize plans to virtualize networks with the aim of achieving the success in virtualizing servers.
Just because Microsoft doesn't plan on giving Windows XP patches to the public after April 8, 2014, doesn't mean it's going to stop making those patches.
Microsoft's upcoming Xbox One gaming console will contain a custom chip the company designed in conjunction with Advanced Micro Devices with the aim of delivering maximum graphics performance, presenters said Monday at Microsoft's Hot Chips conference.
MYREphp Vacation Rental Software Cross Site Scripting and SQL Injection Vulnerabilities
MYRE Realty Manager SQL Injection and Cross Site Scripting Vulnerabilities
Google Chrome CVE-2013-2887 Multiple Unspecified Security Vulnerabilities
mooSocial Multiple Input Validation Vulnerabilities
Feedly on Monday launched its paid RSS service, following up on a promise made three weeks ago when it announced a subscription option.
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!


This is a "guest diary" submitted by Tom Webb. We will gladly forward any responses, or you can use our comment/forum section to comment publicly. Tom is currently enrolled in the SANS Masters Program.

Recently, a friend of mine had a USB drive "die on him" and he wanted me to look at it. He needed to recover PDF, DOC and PPT files on the drive.  Fortunately, this drive did not appear to be damaged and I was able to access the physical disk but not the partition.  

For a Linux forensics distro to complete the project below, the SANS SIFT workstation works great: http://computer-forensics.sans.org/community/downloads

1. Image the drive

When doing forensic drive analysis you should always make a copy of the drive first and perform your analysis on the disk image, not the original. Using dcfldd for Linux or FTK Imager Lite for Windows will do the trick.  Check the output of dmesg to determine the device ID when plugging the USB drive into your Linux VM.

sd 32:33:0:0: [sdb] 4324088 512-byte hardware sectors (4043 MB)

Now that we have determined the physical device ID, let's output the image to /tmp/Broken-USB.001. The conv=noerror,sync options keep dcfldd going past unreadable sectors (padding them with zeros), and hash=md5 records a hash of the image so you can show it was not altered later.

# dcfldd bs=512 if=/dev/sdb of=/tmp/Broken-USB.001 conv=noerror,sync hash=md5 md5log=md5.txt

2. Troubleshoot the issue

Using the file command should show the partition information, but it does not.

# file Broken-USB.001
Broken-USB.001: data

mmls should also show us partition information, but again it doesn't.

# mmls Broken-USB.001
Cannot determine partition type

Let's dump the start of the image in hex and see if the drive is completely blank.

# xxd -l 1000 Broken-USB.001
0000000: 0600 0077 6562 6220 2020 2020 2020 2020  ..webb         
0000010: 2020 2020 2020 2020 2020 2020 2020 2020                  
0000020: 2020 2020 2020 2020 2020 2020 2020 2020                  
0000030: 2020 2020 2020 2006 0000 0000 0077 0065         ......w.e
0000040: 0062 0062 0020 0020 0020 0020 0020 0020  .b.b. . . . . . 


The drive does appear to have at least some data, but not a valid partition. It should be possible to pull files from the disk image. 

3. Determine what you want to recover

Many file types have specific header and footer byte sequences that are written when the file is created. We can use this to our advantage and search the disk image for these specific hex values.  Foremost is a tool that uses this technique to detect and carve out files. 

The command below takes the input file (Broken-USB.001) and writes the recovered files to /tmp/dump. If you want to carve only a few file types, use the -t option; the default is all.

foremost -v -i Broken-USB.001 -o /tmp/dump

4. Review Files

Foremost will create a folder per file type and each should contain files. Some files will be complete, but others will likely be partial or corrupted, because a header can be found without its matching footer (the file was overwritten or fragmented), so review each recovered file before handing it back. 
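The header/footer carving behind steps 3 and 4, as an added example that is not part of the diary and not foremost's own code: a small Python carver that scans a constructed, partition-less image for PDF and JPEG signatures and flags files whose footer never appears (the partial files step 4 warns about). The signature table, sizes and sample image are constructed for this example.

```python
from dataclasses import dataclass

# Header/footer signatures: (header, footer, maximum bytes to carve when no
# footer is found). Constructed for this example; foremost keeps its own table.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", 64 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
}


@dataclass
class Carved:
    ftype: str
    offset: int
    data: bytes
    complete: bool  # False when no footer was found within max_size


def carve(image: bytes, sector: int = 512, aligned: bool = False) -> list:
    """Find every known header and slice out the bytes up to its footer.
    With aligned=True only headers starting on a sector boundary count,
    which cuts false positives from signatures embedded in other files."""
    found = []
    for ftype, (header, footer, max_size) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            if not aligned or start % sector == 0:
                window_end = min(len(image), start + max_size)
                end = image.find(footer, start + len(header), window_end)
                if end != -1:
                    found.append(Carved(ftype, start, image[start:end + len(footer)], True))
                else:  # header without footer: partial or overwritten file
                    found.append(Carved(ftype, start, image[start:window_end], False))
            start = image.find(header, start + 1)
    return sorted(found, key=lambda c: c.offset)


def build_sample_image() -> bytes:
    """Constructed 4 KB image with no partition table: a complete PDF in
    sector 1, a JPEG in sector 3 and a PDF header with no footer in sector 4."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"
    img = bytearray(4096)
    img[512:512 + len(pdf)] = pdf
    img[1536:1536 + len(jpg)] = jpg
    img[2048:2048 + 12] = pdf[:12]
    return bytes(img)


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.ftype} at {c.offset}: {len(c.data)} bytes, complete={c.complete}")
```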

Salesforce.com's next CRM (customer relationship management) software release will contain a slew of new features, with many focused on the Chatter collaboration and messaging tool as well as customer service, according to a set of official release notes.
At the kick-off of its annual VMworld user conference, being held this week in San Francisco, VMware will fill in more layers of its software stack for running its envisioned software defined data center (SDDC).
Microsoft and Motorola are expected to begin arguments on Monday in the second part of a court case regarding patent licensing fees.
Restlet Framework XML Deserialization Remote Code Execution Vulnerability
Real Networks RealPlayer CVE-2013-4973 Stack Based Buffer Overflow Vulnerability
WordPress VideoWhisper Live Streaming Integration Multiple Cross Site Scripting Vulnerabilities
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!
DC4420 - London DEFCON - August Meet - Tuesday 27th August 2013
Internet communications are prey to surveillance, but you can better shield them.
Since its inception, the Apache Software Foundation has had a profound impact in shaping the open source movement and the tech industry at large.
Wordpress post-gallery Plugin Xss vulnerabilities
[SECURITY] [DSA 2741-1] chromium-browser security update
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!
Defense in depth -- the Microsoft way (part 8): execute everywhere!
Dell is giving a new identity to its Latitude laptops with the introduction of thinner and lighter models priced starting at $599 and running on Intel's Haswell processors.
LinuxSecurity.com: Several vulnerabilities have been discovered in the Chromium web browser. CVE-2013-2887 [More...]
LinuxSecurity.com: Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code.
LinuxSecurity.com: Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The is_safe_url utility function used to validate that a used URL is on [More...]
LinuxSecurity.com: Updated libtiff packages fix security vulnerabilities: Pedro Ribeiro discovered a buffer overflow flaw in rgb2ycbcr, a tool to convert RGB color, greyscale, or bi-level TIFF images to YCbCr images, and multiple buffer overflow flaws in gif2tiff, a tool to convert GIF [More...]
LinuxSecurity.com: Updated python-django package fixes security vulnerability: The is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other [More...]
libtiff <= 3.9.5 integer overflow bug
Executives at midsized industrial firms believe their data is at little or no risk, even though they hold valuable intellectual property and business process data sought by criminals, according to consulting firm McGladrey.
The U.S. National Security Agency reportedly cracked the encryption used by the video teleconferencing system at the United Nations headquarters in New York City.
Myrephp Business Directory SQL Injection and Cross Site Scripting Vulnerabilities
It was 22 years ago on Sunday that Linus Torvalds announced in a newsgroup posting that he was creating a free operating system, a message he echoed in his announcement Sunday of the latest Linux kernel release candidate.
China's Internet suffered a major distributed denial of service (DDoS) attack early Sunday that briefly disrupted and slowed access to sites in the .cn domain.
Eurocom rocked us with the most powerful per-pound choice in a notebook that we've seen to date. The Panther 5SE came with 4TB of storage, 64GB of DIMM3 memory and eight Xeon cores. You won't find the Panther at the big-box retailers, as the version we tested runs $7,500. But we rate this device highly for its extreme flexibility and muscularity.
At a time of government cutbacks, public-sector CIOs are spending less time in their posts than their private-sector counterparts are. Insider (registration required)
An outsourced project to modernize Orange County, Calif.'s tax collection system that was supposed to take three years and cost just over $8 million was on track to cost twice that amount and take twice as long when officials pulled the plug.
BlackBerry explores the possibility of putting itself up for sale as even BlackBerry 10 can't stop its phones from slipping into fourth place in the mobile market.
It has stumbled under Tim Cook, and 2013 has been mighty thin in terms of product launches. Can it still do amazing things?
CEO Ed Coleman says a new software-focused data center strategy and powerful new security technology will enable Unisys to take up the attack in vital market segments and shake up customer views about the usually quiet company.
Edward Snowden's revelations about the U.S. government's data collection program could cause U.S. providers of cloud-based services to lose 10% to 20% of the foreign market to overseas rivals.
A survey puts QA in the No. 2 position when it comes to on-the-job contentment.
From mundane 2D devices, integrated cameras in laptops and tablets in the future will change into powerful 3D tools that can sense movement, track emotion, and even monitor reading habits of children, according to Intel.
Solid-state drive adoption will continue to grow and it will be more than 10 years before it is ultimately replaced by a new memory technology, experts said.
Intel is putting a sharp focus on expanding its custom processor and chip operations in response to a growing trend of companies building servers in-house to meet specific workloads or data center designs.

Security certificates 'an infosec weak spot'
Implicitly trusting all digital security potentially allows vast amounts of malware into corporate systems, warns enterprise key and certificate management solutions firm, Venafi. Venafi evangelist, Calum MacLeod, says malware with embedded digital ...


Posted by InfoSec News on Aug 26


By Nate Anderson
Ars Technica
Aug 23 2013

This morning at 10am, Anonymous hacker/FBI informant Hector "Sabu"
Monsegur was scheduled to be sentenced in a New York federal court. But
when I called the judge's chambers this morning, I was told that the
sentencing had been adjourned—again. No explanation was given.


Posted by InfoSec News on Aug 26


The New York Times
August 22, 2013

SAN FRANCISCO -- In the ranks of technology incubator programs, there is
AngelPad here in San Francisco and Y Combinator about 40 miles south in
Mountain View. And then there is the Pentagon.

In the last year, former Department of Defense and intelligence agency
operatives have headed to Silicon Valley...

Posted by InfoSec News on Aug 26


By Peter Frost and Julie Wernau
Tribune reporters
August 23, 2013

Personal information for more than 4 million patients of Advocate Medical
Group may be at risk after four computers were stolen in a July 15
burglary of an administrative building in Park Ridge, Advocate said

The information includes names, addresses, Social Security...

Posted by InfoSec News on Aug 26


Jiji Press
August 24, 2013

Six police officers are taking part in a hacker competition, hoping to
learn more about technology useful for combating cybercrime.

The National Police Agency officers joined the qualifying round that began
Thursday in Yokohama for SECCON 2013, the nation’s largest hacker
competition. They are the first Japanese police officers to participate in
such an event....

Posted by InfoSec News on Aug 26


By Damon Lowney
Aug 25th 2013

Next time you walk by a parked Tesla and its sunroof is opening and
closing with nobody sitting inside or around it, you could be witnessing a
hacker moment. For all of its strengths as a car, the Model S reportedly
has a weak spot: the security of its API (application programming
interface) authentication, according to an article in...