Hackin9
Art Coviello, RSA executive chairman, discussed his view of big data in the security industry with SearchSecurity.com. Coviello stressed that the shortcomings of current mainstream security products are part of what's driving enterprises' interest in big data.

 
Facebook is buying Microsoft's Atlas Advertiser Suite, an ad analysis platform, in a move that should increase its advertising revenue and give marketers better information about their campaigns across the social network, on both desktop and mobile.
 
Ruby on Rails 'select_tag()' Method CVE-2012-3463 Cross Site Scripting Vulnerability
 
Ruby on Rails 'strip_tags()' CVE-2012-3465 Cross Site Scripting Vulnerability
 
The Mobile World Congress exhibition in Barcelona closed its doors on Thursday, with a sudden rain shower sending the last attendees scurrying off to their hotels. It's been a gargantuan affair that saw pretty much everyone who is anything in the mobile phone industry (minus Apple) make some sort of announcement. Following are a few side notes that probably didn't make the headlines, from IDG News Service reporters:
 
SAP customers have made it no secret they believe the vendor's software licensing and pricing is too complex, and a top company leader recently made a public pledge that things are changing for the better. But a recently created internal SAP document obtained by IDG News Service suggests that the company has its work cut out for it.
 
Before Pope Benedict XVI left the Vatican for retirement today, he offered a farewell tweet. Shortly after he stepped down, all of his tweets were deleted.
 
So-called patent trolls force tech companies to spend money on lawyers instead of innovation, and the U.S. Congress needs to discourage infringement lawsuits from patent-collecting companies, a group of tech and business representatives said.
 
PHEARCON Call For Papers
 
Libxml2 Entity Expansion Multiple Denial of Service Vulnerabilities
 
Fileutils ruby gem possible remote command execution and insecure file handling in /tmp
 
The second U.S. commercial space flight to resupply the International Space Station is set for launch Friday morning.
 
The idea that the technology behind search is a done deal is far from the truth, according to Google, as the company appears to still have plenty of tricks up its sleeve to improve it.
 
European antitrust regulators will slap Microsoft with a fine before the end of March for failing to offer customers a browser choice screen, according to a report today by the Reuters news service.
 
Gibbs analyzes the results of his "How do you manage your social networks?" survey
 
Apple's U.S. retail Mac sales were up for the first month of the quarter, but not to the extent recently claimed by a Wall Street analyst, the NPD Group said today.
 
There has to be a sea change in how mobile operators build their networks and implement new services, and virtualization will make it possible, carriers and equipment vendors say.
 
This year's MWC may have been lacking in high-end smartphone launches, but the "W" stands for "world" and lower-cost models shown this week are needed to open up the mobile-phone market to more people globally.
 
Cisco Security Advisory: Cisco Prime Central for Hosted Collaboration Solution Assurance Excessive CPU Utilization Vulnerability
 
[ MDVSA-2013:016 ] php
 
[waraxe-2013-SA#097] - Multiple Vulnerabilities in PHP-Fusion 7.02.05
 
Cisco Security Advisory: Cisco Unified Communications Manager Multiple Denial of Service Vulnerabilities
 
Video: Robert Hinden of Check Point discusses the state of smart grid security and why it's so important to keep the critical infrastructure running.

 
 
Sergey Brin, Google co-founder and head of the company's Glass project, said the computerized eyeglasses are more masculine than smartphones.
 
Linux Kernel CVE-2012-4542 Remote Security Bypass Vulnerability
 
Hackers broke into cPanel.net's systems and used its technical support department as an entry point for installing trojanised OpenSSH and libkeyutils files on customers' systems. cPanel is offering instructions on how to check for infection.


 
Virus researchers at Sophos have discovered a specially prepared RTF document that sneaks a legitimate tool signed by NVIDIA onto computers and uses that to load a malicious DLL


 
Poppler Multiple Denial of Service and Memory Corruption Vulnerabilities
 
Drupal Professional Theme HTML Injection Vulnerability
 
Drupal Clean Theme Slide Gallery HTML Injection Vulnerability
 
Drupal Company Theme Slide Gallery HTML Injection Vulnerability
 
A security researcher poisoned the communication channels of the Kelihos Viagra spam botnet and effectively switched off the zombie network during a live presentation


 

Latest (ISC)2 Workforce Study Shows Lack of Skilled Infosec Professionals and ...
Infosecurity Magazine
It's no secret that with the ever-rising tide of cyber threats there comes a need for additional security expertise to adequately combat the scope of attacks. Many IT departments suffer from a human capital resource issue, and it's not always funding ...

 
European privacy authorities approved a plan to come up with measures to curb Google's collection, combination and storage of its users' personal information before the summer.
 
Microsoft's new version of Windows written for ARM processors may not be an unqualified success, but ARM CEO Warren East said the software maker will learn from its mistakes with Windows RT and come back with a better product.
 
Apache HTTP Server Multiple Cross Site Scripting Vulnerabilities
 
RETIRED: IBM HTTP Server Multiple Modules Cross Site Scripting Vulnerabilities
 
XFree86 x11perf CVE-2011-2504 Local Privilege Escalation Vulnerability
 
Todd Miller Sudo CVE-2013-1775 Local Authentication Bypass Vulnerability
 
Todd Miller Sudo CVE-2013-1776 Local Security Bypass Vulnerability
 
The largest bitcoin exchange in the world will have a presence in the U.S. starting next month, a move intended to make it easier for people in the U.S. and Canada to buy the virtual currency.
 
A Tokyo court ruled Thursday that Apple did not infringe a Samsung patent, a small win for Apple in the continuing legal wrangling between the two companies.
 
General Dynamics is looking to bring U.S. government-level security to consumer smartphones, allowing organizations to benefit from the type of strong data protection only available on expensive and clunky mobile terminals.
 
A PayPal alliance with Coinstar is being expanded to some parts of the U.S., allowing customers to deposit, withdraw and transfer funds to PayPal accounts through Coinstar kiosks.
 
The launch of new and revised Office 365 software-by-subscription plans for businesses shows that Microsoft realizes its current licensing revenue is threatened by cost-cutting customers, an analyst said yesterday.
 
A version of LTE that could give consumers more mobile bandwidth for downloading content or apps is moving from the margins to the mainstream at Mobile World Congress this week.
 
Big-name companies including General Electric and Best Western are maturing their social marketing programs and integrating social metrics with back-end systems.
 
Sony, striving for its first annual profit in five years, said Thursday it sold a Tokyo office complex for about $1.2 billion.
 
Samsung Electronics has rejected allegations that underage workers are assembling its products after three NGOs filed a complaint with a French prosecutor's office claiming that the tech company was violating labor regulations in China.
 
The MiniDuke trojan has exploited a PDF hole to launch targeted attacks on the computers of companies and government organisations


 

Recently, while chasing a malware, I wanted to review the local security log of a third party server to which I didn't have direct access. The administrator was willing to provide a limited export for my offline analysis.

Newer Windows versions nicely enough provide more than one option to accomplish this.

1. You can use the graphical event viewer GUI, and Save-as, to export the file in EVTX, XML, TXT or CSV Format.

2. You can use wevtutil.exe at the command line to accomplish pretty much the same, but in a scriptable fashion. Wevtutil.exe can export the entire log. It also supports an XPath filter that allows you to query and export only certain log lines and attributes. Unfortunately, the syntax of these filters

wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]]"

is a mess, and not easy to stomach for someone more used to the pristine beauty of egrep and regexps :).

3. A third option is to make use of Powershell and the get-winevent or get-eventlog cmdlet

get-eventlog -logname security -newest 10000 | Export-clixml seclog.xml

is a pretty quick way to get the latest 10000 records out of the security log. This is the option I chose, because I (somewhat naively) figured that this would be the fastest way to get a quick look. Not surprisingly, the Export-Clixml command left me with an XML file, which is again not easy to stomach for someone more used to the pristine beauty of egrep and syslog :). But Powershell isn't bad, either. On the analysis workstation, you can stuff the entire log into a variable, thusly:

PS C:\TEMP> $seclog = Import-Clixml seclog.xml

and then use the power of Powershell to get a rapid tally:

PS C:\TEMP> $seclog | group eventid -noelement | sort count

Count Name
----- ----
    1 4662
    1 5058
    1 5061
    1 4904
    2 4648
    2 5140
    5 4611
    6 6144
    6 4735
   12 4985
   17 4634
   19 4672
   20 4674
   20 4624
  128 4663
  175 4673

KB947226 helps to translate the EventIDs into readable information. Once we know which events are of interest, we can then extract them:

PS C:\TEMP> $seclog | ? { $_.eventid -match 5140 } | fl *

[...]
Message : A network share object was accessed.

          Subject:
            Security ID:     S-1-5-21-394181-2045529214-8259512215-1280
            Account Name:    TRA29C
            Account Domain:  AMER
            Logon ID:        0x311a28b

          Network Information:
            Object Type:     File
            Source Address:  10.11.192.16
            Source Port:     6539

          Share Information:
            Share Name:      \\*\C$
            Share Path:      \??\C:\
[...]



All the Powershell formatting and querying and pattern match functions can now be used to cut and dice the information to find the haystalk in the cow pie.

If you have any clever Powershell Jiu-Jitsu up your sleeve to deal with unwieldy event logs, please let us know, or share in the comments below.
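One answer to that question, as an added example that is not part of the ISC diary: the Message text of each exported event is a list of "Label: value" lines, so a few lines of PowerShell can turn it into objects with named properties. The tally and the 5140 query from the post can then be run on fields such as 'Share Name' and 'Source Address' instead of on free text. The function names, the sample records, and every SID, account name and address below are constructed for this example; the input shape (EventID, TimeGenerated, Message) is what Get-EventLog and Import-Clixml return.

```powershell
# Added example, not code from the ISC diary: parse the free-text Message of
# exported Security events into objects, then tally and filter on named fields.
# Input shape is what Get-EventLog / Import-Clixml return (EventID,
# TimeGenerated, Message); the records below are constructed for offline use.

function ConvertFrom-SecurityMessage {
    # Parses every "Label:   value" line of one event's Message into a flat
    # object. Labels keep the event's own wording ('Share Name', 'Source
    # Address'); a label that repeats (e.g. 'Account Name' in 4624, once under
    # Subject and once under New Logon) gets a numeric suffix: 'Account Name 2'.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $props = [ordered]@{ EventID = $Record.EventID; Time = $Record.TimeGenerated }
        foreach ($line in ($Record.Message -split "`r?`n")) {
            # Section headers such as "Subject:" have no value and are skipped.
            if ($line -match '^\s*([A-Za-z ]+?):\s+(\S.*)$') {
                $label = $Matches[1].Trim(); $key = $label; $n = 2
                while ($props.Contains($key)) { $key = "$label $n"; $n++ }
                $props[$key] = $Matches[2].Trim()
            }
        }
        [pscustomobject]$props
    }
}

function Get-AdminShareAccess {
    # From already-parsed events, returns the 5140 records whose share is one
    # of the administrative shares (C$, ADMIN$, IPC$), with who/where/what.
    param([Parameter(Mandatory)] $ParsedEvents)
    $ParsedEvents |
        Where-Object { $_.EventID -eq 5140 -and $_.'Share Name' -match '\\(C|ADMIN|IPC)\$$' } |
        Select-Object Time, 'Account Name', 'Account Domain', 'Source Address', 'Share Name'
}

# Constructed sample records (SIDs, names and addresses are made up).
$sample = @(
    [pscustomobject]@{
        EventID = 5140; TimeGenerated = [datetime]'2013-02-28T10:01:00'
        Message = @'
A network share object was accessed.

Subject:
    Security ID:        S-1-5-21-0-0-0-1001
    Account Name:       alice
    Account Domain:     EXAMPLE
    Logon ID:           0x1a2b3c

Network Information:
    Object Type:        File
    Source Address:     192.0.2.10
    Source Port:        49152

Share Information:
    Share Name:         \\*\C$
    Share Path:         \??\C:\
'@
    },
    [pscustomobject]@{
        EventID = 5140; TimeGenerated = [datetime]'2013-02-28T10:02:00'
        Message = @'
A network share object was accessed.

Subject:
    Account Name:       bob
    Account Domain:     EXAMPLE

Network Information:
    Source Address:     192.0.2.11

Share Information:
    Share Name:         \\*\Public
    Share Path:         \??\C:\Shares\Public
'@
    },
    [pscustomobject]@{
        EventID = 4624; TimeGenerated = [datetime]'2013-02-28T10:00:30'
        Message = @'
An account was successfully logged on.

Subject:
    Account Name:       -
    Account Domain:     -

Logon Type:             3

New Logon:
    Account Name:       alice
    Account Domain:     EXAMPLE
'@
    }
)

# On real data: $parsed = Import-Clixml seclog.xml | ConvertFrom-SecurityMessage
$parsed = $sample | ConvertFrom-SecurityMessage

# Same tally as in the diary, now on the parsed objects (4624: 1, 5140: 2)
$parsed | Group-Object EventID -NoElement | Sort-Object Count

# Only alice's access to \\*\C$ survives the admin-share filter
Get-AdminShareAccess $parsed | Format-Table -AutoSize
```

The parser deliberately keeps the labels as they appear in the event text rather than mapping them to a fixed schema, so it works on any Security event whose Message uses the "Label: value" layout; the cost is that property names vary per event ID, which is why the 4624 sample carries 'Account Name' (Subject) and 'Account Name 2' (New Logon) as separate fields.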


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Applying big data approaches to information security can help enterprises build better situational awareness capabilities, but implementation could prove to be a major challenge, security experts said at the RSA Conference 2013 being held here this week.
 
nss-pam-ldapd 'FD_SET()' Function Stack Buffer Overflow Vulnerability
 

Help Net Security

3 out of 4 infosec pros unsure they would spot a breach. Posted on 28 February 2013. LogRhythm announced the results of its 2nd Annual Cyber Threat Readiness Survey of 150 IT security professionals on their organizations' ...
 
Mozilla Network Security Services CVE-2013-1620 Information Disclosure Vulnerability
 
 
Cisco Unified Communications Manager (CUCM) CVE-2013-1134 Denial of Service Vulnerability
 
Cisco Unified Communications Manager (CUCM) CVE-2013-1133 Denial of Service Vulnerability
 