Security Posts

Introduction to analysing Go binaries
Categories: Security Posts

Monitoring performance where the action is: on the network edge

BreakingPoint Labs Blog - 3 hours 41 min ago
Intelligence is spreading out in organizations--moving closer to the customer, closer to customer-…
Categories: Security Posts

Lightwave Innovation Reviews Honors Ixia AresONE 400GE Test Platform

BreakingPoint Labs Blog - 3 hours 41 min ago
At Ixia, we were delighted to see one of our most exciting new products, AresONE, be recognized by…
Categories: Security Posts

Give Your Network An Unfair Advantage Against Hidden Malware

BreakingPoint Labs Blog - 3 hours 41 min ago
The IT role is extremely hard today. Whether you are part of the DevOps or SecOps team makes no…
Categories: Security Posts

You Can't Manage What You Can't Measure - an RSA 2019 Retrospective

BreakingPoint Labs Blog - 3 hours 41 min ago
This week, I had the privilege of enjoying an enlightening and broad-ranging panel discussion…
Categories: Security Posts

48V Automotive - Electric Compressors and Superchargers

BreakingPoint Labs Blog - 3 hours 41 min ago
48V Electric Compressors - Bet you never expected your mild hybrid to feel like this!  Last year I…
Categories: Security Posts

In-band Network Telemetry - More Insight into the Network

BreakingPoint Labs Blog - 3 hours 41 min ago
Overview In an information- and service-based economy, the demand for “always accessible services…
Categories: Security Posts

Visibility at the Edge: Introducing Vision Edge 1S

BreakingPoint Labs Blog - 3 hours 41 min ago
The age of the edgeless enterprise is upon us. And whether your network is already employing a…
Categories: Security Posts

Three ways to improve hybrid cloud management

BreakingPoint Labs Blog - 3 hours 41 min ago
Hybrid cloud is a common IT strategy, but still maturing in terms of management and monitoring. A…
Categories: Security Posts

An Inline Security Primer

BreakingPoint Labs Blog - 3 hours 41 min ago
Anyone in network security knows that it is a complicated and involved process. The clear goal is…
Categories: Security Posts

How big is your datacenter?

BreakingPoint Labs Blog - 3 hours 41 min ago
Today, there are over 1.9 billion websites, and it’s growing by the second!  That’s a lot of…
Categories: Security Posts

Kushner Used WhatsApp, a Very Bad Database Leak, and More Security News This Week

Wired: Security - 8 hours 27 min ago
Jared and Ivanka used private messaging against the rules, and more security news this week.
Categories: Security Posts

Quickpost: PDF Tools Download Feature

Didier Stevens - 11 hours 53 min ago
When I’m asked to perform a quick check of an online PDF document that I expect to be benign, I will just point my PDF tools at the online document. When you provide a URL argument to pdf-parser, it will download the document and perform the analysis (without writing it to disk).
Categories: Security Posts

And this week it's time for... @0xWord @luca_d3 @elevenpaths

Un informático en el lado del mal - 13 hours 29 min ago
Following the routine I've adopted, here is one more Saturday's list of events, courses, conferences, talks and other dates worth keeping in mind among those we organize. I'll be travelling in Argentina, since I have to go to Córdoba to attend, and take a small part in, the VIII International Congress of the Spanish Language.

Figure 1: And this week it's time for...
On my return, as you know, I'll be at RootedCON 2019 in Madrid with a talk on Friday afternoon and signing 0xWord books. With that my week is spoken for, as the flights across the Atlantic and the time difference will eat up part of my useful time. But the week has many more things worth having on your radar, so I'm bringing them here so you can keep track of them.
25 March: Professional Mobile Auditing Course [Online]
If you're an IT professional and want to get into hacking, or want to improve your professional skills in the world of computer security, or are simply curious about hacking, you can sign up for this course, which lets you study whenever, however and wherever you want. In this course you'll learn the latest and most effective ethical hacking testing techniques for mobile devices running Android and iOS.
Figure 2: Online Mobile Auditing Course
This training will later allow you to carry out pentesting audits of those mobile devices professionally. It comprises 120 hours of training covering a syllabus that ranges from auditing mobile applications to forensic analysis of complete devices. The full syllabus is on the course's website.
Figure 3: Hacking iOS: iPhone & iPad book (2nd Edition)
In addition, as a supplement to the training, students receive the 0xWord book that several of us professionals wrote on auditing, hacking and forensic analysis of Apple devices, titled "Hacking iOS: iPhone & iPad (2ª Edición)". 
25 March: Expert in the TOR Network and Deep Web [Málaga]


A 16-hour training that starts on 25 March in Málaga, in the afternoons. This course has been developed to give students knowledge of the use of technologies that provide privacy and anonymity to the user. 
Figure 4: Expert course on the TOR network and Deep Web, Málaga
Various topics will be addressed, such as the use of proxies, VPNs and the TOR network, the pros and cons of each, comparisons between the different technologies, and how they can be used in combination to provide a higher level of privacy and anonymity. 


Figure 5: Deep Web: Tor, FreeNET & I2P book
The training will consist of a theoretical part and a practical part to get the most out of this workshop. Students will receive as supporting material the 0xWord book "Deep Web: TOR, FreeNet, I2P. Privacidad y Anonimato". All the information about this training is on the Comunix web page dedicated to the course: Experto en red TOR y Deep Web.

26 and 27 March: FutureNET World [London]

FutureNet World is an annual event for sharing the toughest challenges facing operators, focusing on the latest technological advances, with a visionary analysis of the services customers are demanding in the digital world.



Figure 6: FutureNET World
Dr. Richard Benjamins, Big Data & AI Ambassador at LUCA, will take part in the talk "Examining how network automation and AI are enabling new digital business models and services through the use of data".

27 March: Datanomics [Madrid]

One of our country's leading experts on digital identity and the legal aspects of technology, Paloma Llaneza, will be in our auditorium giving an instructive review of the legal and social implications that pressing the "I accept the privacy policy and terms of use" button can have on our lives. Paloma Llaneza will be in conversation with the writer Pepe de la Peña.



Figure 7: Datanomics event at the Espacio de la Fundación Telefónica

Llaneza's latest essay, Datanomics, published by Deusto, is a devastating and brilliant review of all the consequences we prefer to ignore when we accept that the big technology companies trade in our personal data.

These data reflect deep, perfectly identified and individualized behaviours and thoughts, which make it easier for companies and states to take decisions about us, because that way they know what we're going to do at every moment. And since they know us better than we know ourselves, they steer us towards one decision or another. 

28 to 30 March: RootedCON 2019 [Madrid]

As I already told you, RootedCON Madrid takes place on these dates. Three days of talks, training, hacking and networking in the computer security sector. I'll be there on Friday, and over the three days there will be many colleagues from 0xWord, ElevenPaths and Telefónica. The list of all the talks is on the conference website.



I'll be giving my talk at RootedCON Madrid on the afternoon of 29 March. Ten years on, this CON in Madrid is still growing }:) A post shared by Chema Alonso (@chemaalonso) on Mar 20, 2019 at 5:35am PDT
29 March: RITSI 2019 [Albacete]

This year the X edition of RITSI takes place in Albacete, and although I tried to be there in person, my trip to Argentina hasn't allowed it, so we'll be taking part with a 0xWord stand where you can buy our books. If you want one of the authors (myself included) to sign the book, you can request it in advance from info@0xWord.com and pick it up right there. All the info about the day is on this website.

Figure 9: X RITSI Congress in Albacete
And that's all, but to round off the post I'm leaving you the latest interview I gave by phone after my participation in Campus Party Punta del Este in Uruguay.


Figure 10: Radio interview for En Perspectiva
I hope these events include some activity you find interesting to take part in. See you in tomorrow's post, when it's my turn to do a bit of sport.

Evil Regards!
Categories: Security Posts

FEMA Leaked Data From 2.3 Million Disaster Survivors

Wired: Security - 21 hours 16 min ago
The Homeland Security Department inspector general released a damning report about FEMA's inability to safeguard the personal info of the people it helped.
Categories: Security Posts

The Mueller Report Is Here, Apple's Big Event, and More News

Wired: Security - Sat, 2019/03/23 - 00:36
Catch up on the most important news today in 2 minutes or less.
Categories: Security Posts

The Mueller Report Is Done. Now Comes the Hard Part

Wired: Security - Sat, 2019/03/23 - 00:10
Special counsel Robert Mueller finished his investigation into the 2016 presidential election Friday.
Categories: Security Posts

Things I hearted this week, 22 March 2019

AlienVault Blogs - Fri, 2019/03/22 - 15:00
RSA has come and gone, and things are settling down into a normal routine. I did write a post-RSA blog which covered the highlights and trends I observed. Because of RSA and the subsequent week of getting through the backlog of emails and work, the news list has piled up with over 141 separate news items lined up in my list. But don’t worry, I’ll only share the ones I truly hearted.

Device and account security checklist
Bob Lord has put together a great resource to help people and companies better secure themselves and their organisations. Even if you’re a security expert, it’s worth checking out and sharing the checklist with friends and family.

The Citrix data breach
On March 6, 2019, the FBI contacted Citrix with the news that international cyber criminals had likely gained access to the internal Citrix network. The firm says in a statement that it has taken action to contain this incident. “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI,” says Stan Black, Citrix CISO.

Related: New phishing campaigns target real estate agents
Actors have been launching phishing campaigns that abuse several brands of well-known real estate franchises with the intent of capturing targeted real estate agents' email credentials. While this type of targeting in the real estate sector is not new, this post highlights the in-depth tactics, techniques, and procedures (TTPs) used. The TTPs and imagery used in the PDF are used to lure people in. Credential harvesting websites can be used for situational awareness to defend against these attacks.

Pros-for-hire no better at writing secure code than compsci beginners
Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all. Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user registration system didn't do so securely unless asked, and even then didn't always get it right.

Do a good deed, get met by lawyers
SEDC is an Atlanta-based company that provides back-ends for utility companies; a security researcher discovered that the company stored his password in the clear. The company's products have more than 15,000,000 users, whose logins and passwords are potentially also stored in plaintext. When the researcher alerted the company about this, the company ignored them, then denied that there was any problem, then demanded that the researcher not communicate about this except to SEDC's general counsel.

Average DDoS attack sizes decrease 85% due to FBI’s shutdown of DDoS-for-hire websites
The FBI’s shutdown of the 15 largest distributed denial-of-service (DDoS) for hire vendors (booters) reduced the overall number of attacks worldwide by nearly 11 percent compared to the same period last year. Along with the fewer total attacks, the average size decreased by 85 percent as did the maximum attack size by 24 percent, indicating the FBI crackdown was effective in reducing the global impact of DDoS attacks.

PewDiePie fans keep making junk ransomware
For some misguided reason, PewDiePie fans seem to believe that making and releasing ransomware is a proper and acceptable method of supporting their idol.

Other stories I hearted
Categories: Security Posts

Hack of the day #1: Decompiling selected functions

Hex blog - Wed, 2019/02/27 - 17:52
Intended audience IDA 7.2 users, who have experience with IDAPython and/or the decompiler. The problem As you may already know, the decompilers allow not only decompiling the current function (shortcut F5) but also all the functions in the database (shortcut Ctrl+F5). A somewhat less-well known feature of the “multiple” decompilation, is that if a range … Continue reading Hack of the day #1: Decompiling selected functions
Categories: Security Posts

Identifying Cobalt Strike team servers in the wild

Fox-IT - Tue, 2019/02/26 - 15:22
How an anomalous space led to fingerprinting

Summary

On the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an “extraneous space”. This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been leveraging to identify Cobalt Strike servers, with high confidence, for the past one and a half years. In this blog we publish a full list of servers for readers to check against the logging and security controls of their infrastructure.

Cobalt Strike is a framework designed for adversary simulation. It is commonly used by penetration testers and red teamers to test an organization’s resilience against targeted attacks, but has been adopted by an ever increasing number of malicious threat actors. Subtle anomalies like these should not be underestimated by blue teams when it comes to combating malicious activity.

About Cobalt Strike

Cobalt Strike is a framework designed for adversary simulation. It is commonly used by penetration testers and red teamers to test an organization’s resilience against targeted attacks. It can be configured using Malleable C&C profiles, which customize the behavior of its beacon and give users the ability to emulate the TTPs of in-the-wild threat actors. The framework is commercially and publicly available, which has also led to pirated/cracked versions of the software. Though Cobalt Strike is designed for adversary simulation, somewhat ironically the framework has been adopted by an ever increasing number of malicious threat actors: from financially motivated criminals such as Navigator/FIN7 to state-affiliated groups motivated by political espionage such as APT29. In recent years, both red teams and threat actors have increasingly made use of publicly and commercially available hacking tools. A major reason for this is likely their ease of use and scalability. This two-sided element of pentesting suites makes it a critical avenue for threat research.

Cobalt Strike Team Servers

While the implant component of Cobalt Strike is called the “beacon”, the server component is referred to as the “team server”. The server is written in Java, and operators connect to it to manage and interact with the Cobalt Strike beacons using a GUI. On top of collaboration, the team server also acts as a webserver to which the beacons connect for Command & Control, but it can also be configured to serve the beacon payload, landing pages and arbitrary files. Communication to these servers can be fingerprinted with Intrusion Detection System (IDS) signatures such as Snort rules, but with enough customization of the beacon, and/or usage of a custom TLS certificate, this becomes troublesome. However, by applying other fingerprinting techniques (as described in the next section) a more accurate picture of the Cobalt Strike team servers that are publicly reachable can be painted.

Identifying Cobalt Strike Team Servers

One of Fox-IT’s InTELL analysts, with a trained eye for HTTP header anomalies, spotted an unusual space in the response of a Cobalt Strike team server in one of our global investigations into malicious activity. Though this might seem irrelevant to a casual observer, details such as these can make a substantial difference in combating malicious activity, and warranted additional research into the set-up of the team servers. This ultimately led to Fox-IT being able to better protect our clients from actors using Cobalt Strike.

The webserver of the team server in Cobalt Strike is based on NanoHTTPD, an open-source webserver written in Java. However, this webserver unintentionally returns a surplus whitespace in all its HTTP responses. It is difficult to see at first glance, but the whitespace is there in all the HTTP responses from the Cobalt Strike webserver. Using this knowledge it is possible to identify NanoHTTPD servers, including possible Cobalt Strike team servers. We found that public NanoHTTPD servers are less common than team servers. Even when the team server uses a Malleable C2 profile, it is still possible to identify the server due to the “extraneous space”.

The “extraneous space” was fixed in Cobalt Strike 3.13, released on January 2nd of 2019. This means that this characteristic was in Cobalt Strike for almost 7 years, assuming it has used NanoHTTPD since the first version, released in 2012. If you look carefully, you can also spot the space in some of the author’s original YouTube videos, dating back to 2014. The fact that the removal of this space is documented in the change log leads us to believe that the Cobalt Strike developers have become aware of the implications of such a space in the server response, and its potential value to blue teams. The change log entry refers to the removed space as “extraneous”, in a literal sense meaning not pertinent or irrelevant. Given its demonstrated significance as a fingerprinting mechanism, that description is contested here.

Scanning and results

By utilizing public scan data, such as Rapid7 Labs Open Data, and the knowledge of how to fingerprint NanoHTTPD servers, we can historically identify the state of publicly reachable team servers on the Internet. The graphs show a steady growth of Cobalt Strike (NanoHTTPD) webservers on ports 80 and 443, which is a good indication of the increasing popularity of this framework. The decline since the start of 2019 is most likely due to the “extraneous space” fix, after which patched servers no longer show up in the scan data when applying the fingerprint.

In total Fox-IT has observed 7718 unique Cobalt Strike team server or NanoHTTPD hosts between 2015-01 and 2019-02, based on the current data (as of 26 Feb 2019) from the Rapid7 Labs HTTP and HTTPS Sonar datasets. The table below contains several examples of Cobalt Strike team servers used by malicious threat actors:

IP Address       First seen   Last seen    Actor
95.128.168.227   2018/04/24   2018/05/22   APT10
185.82.202.214   2018/04/24   2018/09/11   Bokbot
206.189.144.129  2018/06/05   2018/07/03   Cobalt Group

The full list of Cobalt Strike team servers identified using this method can be found on the following Fox-IT GitHub Repository. Do note that possibly legitimate NanoHTTPD servers are listed there as well, and that some IP addresses may have been rotated and reused swiftly, for example because they are part of Amazon or Azure cloud infrastructure. Therefore we recommend investigating connections to these IP addresses within the corresponding time ranges. A starting point is to verify whether the requested URI matches a Cobalt Strike beacon checksum, or to use historical DNS data via passive DNS. Going beyond this can be done in various ways, and we challenge readers to use their investigative creativity.

Please also note that this list contains servers of both legitimate and illegitimate operations, since these cannot be distinguished easily. Fox-IT recognizes the merit of building and distributing offensive tooling, particularly for security testing purposes. In our opinion the benefits of publishing this list (allowing everyone to detect unwanted attacks retroactively) outweigh the downsides, which could include potentially affecting ongoing red team operations. We believe that we all have an interest in raising the bar of security operations, and therefore increasing visibility across the board will inform a higher level of operational security and awareness on all sides.

Network IDS Signatures

Fox-IT developed a Snort rule for network detection. The rule checks for the “extraneous space” in the HTTP header. Please note that this detection rule only works to detect plaintext HTTP traffic to and from Cobalt Strike team servers running Cobalt Strike versions up until release 3.13. Nevertheless, this is still a valuable detection rule, considering threat actors tend to use pirated and cracked (and therefore inherently unsupported) versions.

Conclusion
  • Organizations are encouraged to use the published list of Cobalt Strike team server IP addresses to retroactively verify whether they have been targeted with this tooling by either a red team or an adversary in the recent past. The IP addresses can be checked against e.g. firewall and proxy logs, or on aggregate against SIEM data. To minimize the amount of false positives, the reader is urged to take the corresponding first and last seen dates into consideration.
  • For the ‘red team readers’ of this blog looking for ways to avoid their Cobalt Strike team server being both publicly available and easy to fingerprint, see the Cobalt Strike Team Server Population Study blog for a detailed set of mitigations. Furthermore, red teams are encouraged to critically examine their toolsets in use, or rely on their blue team, for potential tell-tales, and to determine the appropriate way to apply and mitigate such findings for both red and blue team purposes.
Watch this space (pun intended) for further analysis on this subject.
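A detection-side illustration of the two checks the post describes (the pre-3.13 "extraneous space" in the team server's HTTP responses, and matching a requested URI against the beacon stager checksum), as an added Python example that is not Fox-IT's code or its Snort rule. It assumes the surplus space sits at the end of the status line before the CRLF, and that stager URIs use the Metasploit-style checksum8 with 92 selecting the x86 stager and 93 the x64 stager; the sample exchanges are constructed.

```python
"""Flag the pre-3.13 Cobalt Strike / NanoHTTPD "extraneous space" in HTTP
responses and checksum8 stager URIs in requests (added example, not Fox-IT's)."""
import re
from typing import Optional

# Assumption: the surplus whitespace sits between the reason phrase and the
# CRLF that ends the status line, e.g. b"HTTP/1.1 200 OK \r\n".
STATUS_LINE_RE = re.compile(rb"^HTTP/1\.[01] \d{3} (?P<reason>[^\r\n]*)\r\n")

# checksum8 values used by Metasploit-compatible stager URIs, as documented
# for the beacon stager: 92 selects the x86 stager, 93 the x64 stager.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}


def has_extraneous_space(response: bytes) -> bool:
    """True when the status line ends in whitespace right before the CRLF."""
    m = STATUS_LINE_RE.match(response)
    if m is None:
        return False
    reason = m.group("reason")
    # An empty reason phrase ("HTTP/1.1 200 \r\n") is RFC-legal, so only
    # whitespace that trails a non-empty reason phrase is flagged.
    return reason != b"" and reason.endswith((b" ", b"\t"))


def checksum8(uri: str) -> int:
    """Metasploit-style checksum8: sum of the URI's [A-Za-z0-9_-] bytes mod 256."""
    cleaned = re.sub(r"[^A-Za-z0-9_\-]", "", uri)
    return sum(cleaned.encode("ascii")) % 256


def stager_arch(uri: str) -> Optional[str]:
    """Return "x86" or "x64" when the request URI matches a stager checksum."""
    return STAGER_CHECKSUMS.get(checksum8(uri))


def triage(request_uri: str, response: bytes) -> dict:
    """Combine both indicators for one request/response pair."""
    space = has_extraneous_space(response)
    arch = stager_arch(request_uri)
    if space and arch:
        verdict = "likely team server"   # both tell-tales together
    elif space or arch:
        verdict = "suspicious"           # either one merits a closer look
    else:
        verdict = "clean"
    return {"uri": request_uri, "extraneous_space": space,
            "stager_arch": arch, "verdict": verdict}


# Constructed sample exchanges (not real captures).
SAMPLES = [
    ("/ZZZN", b"HTTP/1.1 200 OK \r\nContent-Type: application/octet-stream\r\n\r\n"),
    ("/index.html", b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("/ZZZO", b"HTTP/1.1 404 Not Found\r\n\r\n"),
]

if __name__ == "__main__":
    for uri, resp in SAMPLES:
        print(triage(uri, resp))
```

Running the block over real proxy or IDS captures pairs each request path with the raw response bytes; the checksum match is only meaningful for HTTP traffic, so the extraneous-space check carries the weight for TLS-terminated captures.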
Categories: Security Posts