Blocking phishing emails is part and parcel of now commonplace technology controls, supplied by a wide range of vendors and, depending on your viewpoint (or how many angry user phone calls you receive daily), they do a great, reasonable or bad job of blocking this type of unsolicited email. Despite the technologies deployed, ultimately the human factor is at play.
It's surprising how many organizations don't plan well for change. Change Control is a well-known process, one that is well defined in many different frameworks (ITIL, the ISO 27000 series and NIST, for starters). Yet many organizations plan changes over coffee and a napkin (or a Visio diagram on a good day). This almost always results in figuring out problems during the change (I don't know about you, but the less 1am thinking I need to do, the better off I am!), conflicting changes, or changes that just plain don't work and need to be backed out in a panic.
Last month was Cyber Security Awareness Month, and we had some fun presenting a different security standard each day. One of the standards we discussed was the ISO 27005 standard for Risk Assessment ( https://isc.sans.edu/diary.html?storyid=14332 ). So when the PCI Council released its Risk Assessment Guidance this past week, it immediately caught my attention.
You can find the document here: https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
NOTE: Several of these patches apply to Windows 8 and Windows RT that were just released last month.
Overview of the November 2012 Microsoft patches and their status.
Have you ever been in this situation? Someone calls you for help and tries to explain their problem. They do such a poor job of explaining what they are seeing that you aren't even sure what OS they are using, much less how to fix their problem. You wish you had some way of remotely seeing their desktop, but the user is incapable of following the instructions required for you to remotely connect to and administer their machine. This is especially frustrating when you are in the identification or containment phase of an incident.
Next week Microsoft will release 6 new security bulletins. Of the six bulletins, five are critical and allow for remote code execution. The pre-notification information indicates that the vulnerabilities are in Microsoft Office, the Windows Server platforms, the desktop platforms and Windows RT (Surface). It looks like next Tuesday will be interesting. Read more about it at the link below.
Metasploit's Service Trusted Path Privilege Escalation exploit takes advantage of the unquoted service path vulnerability outlined in CVE-2005-1185, CVE-2005-2938 and CVE-2000-1128. The vulnerability takes advantage of the way Windows parses directory paths to execute code. Consider the following command line.
Earlier today, ISC reader Travis noticed that his proxy server was blocking some images from BusinessWeek Business Exchange (bx.businessweek.com). On closer inspection of the blocked content, he found that some files indeed had peculiar contents:
A company from Italy that sells log cabins probably cannot afford to advertise for their services on Businessweek...
Yes, there's some irony to this diary entry. In the past, I have repeatedly suggested that organizations that do not have an all-out requirement to keep a Java JRE runtime installed should get rid of it. Yet here I was, a couple of days ago, reviewing some SIEM events at a Community College where I help out with IT Security, when something caught my eye (URLs defanged to keep you from clicking):
src=192.168.36.25 media-type=application/x-jar url=GET hxxp://outdrygodo.mine.nu/finance/etzko5.jar
Other Security: Cyber Security Awareness Month - Day 30 - DSD 35 mitigating controls, (Tue, Oct 30th)
Windows Security: Cyber Security Awareness Month - Day 23: Character Encoding Standards - ASCII and Successors, (Tue, Oct 23rd)
Over the years, I have collected quite a number of standard connectors, cables and interfaces. This is certainly an area where standards seem to be proliferating quickly. To stick with our theme of security and security awareness, I would like to focus on a couple of popular standards and in particular outline the security aspects of each standard.
Windows Security: Cyber Security Awareness Month - Day 18 - Vendor Standards: The vSphere Hardening Guide, (Thu, Oct 18th)
Windows Security: Vuln: RETIRED: Microsoft October 2012 Advance Notification Multiple Vulnerabilities
Windows Security: Cyber Security Awareness Month - Day 14 - Poor Man's File Analysis System - Part 1, (Sun, Oct 14th)
Update: In an attempt to get the link for the first script, I mistakenly put in the link for another script. Fixed now. Thanks, Michael, for catching the oops :)
OK, OK, the "System" in the title may be a bit much for what this diary will show, but it will give you a good idea of how to start building your own analysis system using open-source and free tools.
For the first part of this diary we will focus on PE files, using three different tools for static analysis:
1) malware.py - http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py