Baanboard.com

Security

Gunter Ollmann: Time to Squish SQL Injection

Security Focus - 8 min 51 sec ago
Time to Squish SQL Injection
Categories: Security

Mark Rasch: Lazy Workers May Be Deemed Hackers

Security Focus - 8 min 51 sec ago
Lazy Workers May Be Deemed Hackers

Categories: Security

Adam O'Donnell: The Scale of Security

Security Focus - 8 min 51 sec ago
The Scale of Security
Categories: Security

Mark Rasch: Hacker-Tool Law Still Does Little

Security Focus - 8 min 51 sec ago
Hacker-Tool Law Still Does Little
Categories: Security

Infocus: Enterprise Intrusion Analysis, Part One

Security Focus - 8 min 51 sec ago
Enterprise Intrusion Analysis, Part One
Categories: Security

Infocus: Responding to a Brute Force SSH Attack

Security Focus - 8 min 51 sec ago
Responding to a Brute Force SSH Attack
Categories: Security

Infocus: Data Recovery on Linux and ext3

Security Focus - 8 min 51 sec ago
Data Recovery on Linux and ext3

Categories: Security

Infocus: WiMax: Just Another Security Challenge?

Security Focus - 8 min 51 sec ago
WiMax: Just Another Security Challenge?
Categories: Security

More rss feeds from SecurityFocus

Security Focus - 8 min 51 sec ago
News, Infocus, Columns, Vulnerabilities, Bugtraq ...
Categories: Security

Black Hat is coming and with it a good reason to update your "Broadcom-based" devices, (Fri, Jul 21st)

SANS Internet Storm Center - 2 hours 34 min ago

Black Hat US 2017 is about to start, and with it comes a potential concern for most of us. It turns out that one of the conference presentations, entitled BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS [1], will detail how Broadcom BCM43xx Wi-Fi chipsets can be exploited to achieve full code execution on the compromised device without user interaction.

"An attacker within range may be able to execute arbitrary code on the Wi-Fi chip", says Apple about this vulnerability (CVE-2017-9417) in its latest security bulletin [2]. Google published the patch fixing the vulnerability on Android early this month [3].

Besides Apple, those chipsets are present in most smartphone devices, such as HTC, LG, Nexus and most Samsung models as well. Make sure to have this vulnerability fixed in all your devices, especially if you are planning to be in Las Vegas next week.

References
[1] https://www.blackhat.com/us-17/briefings.html#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets
[2] https://support.apple.com/pt-br/HT207923
[3] https://source.android.com/security/bulletin/2017-07-01

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Malicious .iso Attachments, (Fri, Jul 21st)

SANS Internet Storm Center - 4 hours 30 min ago


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Friday, July 21st 2017 https://isc.sans.edu/podcastdetail.html?id=5592, (Fri, Jul 21st)

SANS Internet Storm Center - July 21, 2017 - 1:15am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Thursday, July 20th 2017 https://isc.sans.edu/podcastdetail.html?id=5590, (Thu, Jul 20th)

SANS Internet Storm Center - July 20, 2017 - 1:05am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Bots Searching for Keys &amp; Config Files, (Wed, Jul 19th)

SANS Internet Storm Center - July 19, 2017 - 7:26am

If you don't know our 404 project [1], I would definitely recommend having a look at it! The idea is to track HTTP 404 errors returned by your web servers. I like to compare the value of 404 errors found in web site log files to dropped events in firewall logs. They can have a huge value in detecting ongoing attacks or attackers performing reconnaissance. Reviewing 404 errors is one task from my daily hunting to-do list, but it may quickly become unmanageable if you have a lot of websites or popular ones. The idea is to focus on rare events that would usually pass below the radar. Here is a Splunk query that I …

    index=web sourcetype=access_combined status=404 | rex field=uri "(?<new_uri>^\/{1}[a-zA-Z0-9_\-\~]+\.\w+$)" | cluster showcount=true t=0.6 field=new_uri | table _time, cluster_count, cluster_label, new_uri | sort cluster_count

What does it do?

  • It searches for 404 errors in all the indexed Apache logs (access_combined)
  • It extracts interesting URIs. I'm only interested in files from the root directory, e.g. GET /name.extension
  • It creates clusters …

    _time,cluster_count,cluster_label,new_uri
    2017-07-18T13:42:15.000+0200,1,9,/xml.log
    2017-07-18T13:18:51.000+0200,1,11,/rules.abe
    2017-07-18T11:51:57.000+0200,1,17,/tmp2017.do
    2017-07-18T11:51:56.000+0200,1,18,/tmp2017.action
    2017-07-18T09:16:52.000+0200,1,23,/db_z.php
    2017-07-18T07:28:29.000+0200,1,25,/readme.txt
    2017-07-18T03:44:07.000+0200,1,27,/sloth_webmaster.php
    2017-07-18T02:52:33.000+0200,1,28,/sitemap.xml
    2017-07-18T00:10:57.000+0200,1,29,/license.php
    2017-07-18T00:00:32.000+0200,1,30,/How_I_Met_Your_Pointer.pdf
    2017-07-17T22:57:41.000+0200,1,31,/browserconfig.xml
    2017-07-17T20:02:01.000+0200,1,76,/rootshellbe.zip
    2017-07-17T20:01:00.000+0200,1,82,/htdocs.zip
    2017-07-17T20:00:54.000+0200,1,83,/a.zip
    2017-07-17T20:00:51.000+0200,1,84,/wwwroot1.zip
    2017-07-17T20:00:50.000+0200,1,85,/wwwroot1.rar
    2017-07-17T19:59:34.000+0200,1,98,/rootshell.zip
    2017-07-17T19:59:27.000+0200,1,103,/blogrootshellbe.rar
    2017-07-17T19:59:18.000+0200,1,104,/rootshellbe.rar

    Many tested files are basically backup files, as I already mentioned in a previous diary [2]; nothing changed. But yesterday, I found a bot searching for even more interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically …

    /filezilla.xml
    /ws_ftp.ini
    /winscp.ini
    /backup.sql
    /sitename.key
    /key.pem
    /myserver.key
    /privatekey.key
    /server.key
    /journal.mdb
    /ftp.txt
    /rules.abe

    Each file was searched with a different combination of lower/upper case characters. Note the presence of rules.abe, which is used by webmasters to specify specific rules for some web applications [3]. This file could contain references to hidden applications (this is interesting to know for an attacker).
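    The hunting logic behind the Splunk query above (keep 404s, keep only root-level file names, surface the rare ones) together with the bot behaviour just described, as an added Python example that is not part of the diary: it parses Apache combined-format log lines, lower-cases the URI so that the upper/lower-case permutations the bot tries collapse into one entry, counts requests per file name, and reports which hosts probed for the configuration and key files listed above. The log lines are constructed for the example, plain counting stands in for Splunk's cluster command, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines for the example (not from the diary).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2017:11:51:57 +0200] "GET /tmp2017.do HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2017:11:51:56 +0200] "GET /tmp2017.action HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jul/2017:13:42:15 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jul/2017:13:42:16 +0200] "GET /images/logo.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Jul/2017:20:01:00 +0200] "GET /filezilla.xml HTTP/1.1" 404 209 "-" "python-requests/2.18"
192.0.2.44 - - [18/Jul/2017:20:01:01 +0200] "GET /FileZilla.XML HTTP/1.1" 404 209 "-" "python-requests/2.18"
192.0.2.44 - - [18/Jul/2017:20:01:02 +0200] "GET /ws_ftp.ini HTTP/1.1" 404 209 "-" "python-requests/2.18"
192.0.2.44 - - [18/Jul/2017:20:01:03 +0200] "GET /server.key HTTP/1.1" 404 209 "-" "python-requests/2.18"
192.0.2.44 - - [18/Jul/2017:20:01:04 +0200] "GET /rules.abe HTTP/1.1" 404 209 "-" "python-requests/2.18"
198.51.100.9 - - [18/Jul/2017:21:00:00 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.10 - - [18/Jul/2017:21:05:00 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Same shape as the diary's rex: one file directly under the document root.
ROOT_FILE_RE = re.compile(r'^/[a-zA-Z0-9_\-~]+\.\w+$')

# File names whose absence-probing suggests a scanner hunting for credentials
# or configuration rather than a broken link. Taken from the diary's list.
SENSITIVE_NAMES = {
    "filezilla.xml", "ws_ftp.ini", "winscp.ini", "backup.sql", "sitename.key",
    "key.pem", "myserver.key", "privatekey.key", "server.key", "journal.mdb",
    "ftp.txt", "rules.abe",
}


def parse_combined(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def root_file_404s(text):
    """Return {normalised_uri: [(host, time), ...]} for 404s on root-level files.

    The URI is lower-cased so that /filezilla.xml and /FileZilla.XML (the
    case-permutation trick the diary describes) end up in a single entry.
    """
    hits = defaultdict(list)
    for rec in parse_combined(text):
        if rec["status"] != "404" or not ROOT_FILE_RE.match(rec["uri"]):
            continue
        hits[rec["uri"].lower()].append((rec["host"], rec["time"]))
    return dict(hits)


def rare_404s(text, max_count=1):
    """URIs requested at most max_count times: the rare events worth a look."""
    hits = root_file_404s(text)
    return sorted(uri for uri, recs in hits.items() if len(recs) <= max_count)


def sensitive_probes(text):
    """Map each client host to the sensitive file names it asked for."""
    by_host = defaultdict(set)
    for uri, recs in root_file_404s(text).items():
        name = uri.lstrip("/")
        if name in SENSITIVE_NAMES:
            for host, _ in recs:
                by_host[host].add(name)
    return {host: sorted(names) for host, names in by_host.items()}


if __name__ == "__main__":
    print("rare root-level 404s:", rare_404s(SAMPLE_LOG))
    for host, names in sensitive_probes(SAMPLE_LOG).items():
        print(f"{host} probed for: {', '.join(names)}")
```

    Run against a real access log, the rare-404 list is what you would eyeball daily, and the per-host sensitive-probe map is what you would turn into an alert or a block; /images/logo.png is deliberately excluded because the diary's regex only keeps files directly under the document root.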

    So, keep an eye on your 404 errors and happy hunting!

    [1] https://isc.sans.edu/404project/
    [2] https://isc.sans.edu/forums/diary/Backup+Files+Are+Good+but+Can+Be+Evil/21935
    [3] https://noscript.net/abe/web-authors.html

    Xavier Mertens (@xme)
    ISC Handler - Freelance Security Consultant
    PGP Key

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Wednesday, July 19th 2017 https://isc.sans.edu/podcastdetail.html?id=5588, (Wed, Jul 19th)

SANS Internet Storm Center - July 19, 2017 - 1:15am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4 - Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts), (Tue, Jul 18th)

SANS Internet Storm Center - July 18, 2017 - 8:39am

[This is the fourth guest diary by Dr. Ali Dehghantanha. Previous diaries in the series are:

If you would like to propose a guest diary, please let us know]

Continuing earlier posts on investigation of BitTorrent Sync version 2.0, this post explains remaining artefacts of user activities from Thumbnail Cache, Registry, Prefetch Files, and Link Files.

Thumbnail cache

Analysis of the Windows thumbcache (stored under %AppData%\Local\Microsoft\Windows\Explorer) recovered copies of thumbnail images for the BitTorrent Sync client application and its download site (e.g., the BitTorrent Sync logo and image icons), indicative of BitTorrent Sync usage. Examination of the thumbnail cache from the file synchronisation only revealed copies of thumbnail images for the synced files from the Windows 8.1 and Mac OS VMs. We could discern the thumbnail cache from the folder table field (of the files table), which made reference to BitTorrent Sync (see Figure 1), and the date of a synced file or folder.

Figure 1: Thumbnail information recovered from the index.sqlite database of Mac OS thumbcache folder.

Windows Registry

Analysis of the HKLM hive determined that the BitTorrent Sync installation could be detected from the presence of the HKLM\SOFTWARE\BitTorrent\Sync key, and the installation path could be discerned from the SyncPath subkey. In addition, the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent Sync key could provide supporting information about the installation, such as the display icon path, display name, BitTorrent Sync version installed, installation and uninstaller paths, and other entries of relevance. As with any other Windows application, when the BitTorrent Sync client application is started, there is a full path reference for the BitTorrent Sync executable file in HKU\SID\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache, indicative of recent BitTorrent Sync usage. Further evidence of client application usage could be ascertained from the occurrence of the entry BitTorrent Sync: "%Program Files%\BitTorrent Sync\BitTorrent Sync.exe" /MINIMIZED, alongside the last executed time, in Software\Microsoft\Windows\CurrentVersion\Run. Another registry key of forensic interest is Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32, which keeps track of a list of filename references (e.g., filenames for the executable and synced files) associated with the BitTorrent Sync client application, as well as timestamp information from the last usage. According to Carvey (2014), the CIDSizeMRU subkey (MRU is the abbreviation for Most Recently Used) maintains a list of recently used applications, the OpenSaveMRU subkey records the list of files that have been opened or saved within a Windows shell dialog box, and the LastVisitedMRU subkey tracks the specific executable files used by an application to open the files documented in the OpenSaveMRU subkey.

Other evidence indicating BitTorrent Sync client application usage includes the presence of entries referencing the link file, as well as the last executed time, in Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

Prefetch files

Examination of the prefetch files located two prefetch files for BitTorrent Sync, namely BITTORRENT_SYNC.EXE.pf and BITTORRENT SYNC.exe.pf. The information of forensic interest recoverable from these files includes the executable path, the number of times the application has been loaded, and the last run time, which are useful to supplement timeline analysis. However, no prefetch instance was located for the synced files in our experiments. The persistence of the prefetch files after uninstallation implies that BitTorrent Sync references will remain in the prefetch files to indicate its use on the client device.

Link files

Link (.lnk) files are shortcut metadata files used by Windows to maintain a list of linked paths relating to a file (commonly the paths where the original files are located), associated timestamps (created, written, and last accessed times), and file sizes (original and modified), which are useful to identify the origin of a file. An inspection of the directory listings located instances of link files for %Program Files (x86)%\BitTorrent Sync\BitTorrent Sync.exe at %Users%\Public\Desktop\BitTorrent Sync.lnk and %Program Data%\Microsoft\Windows\Start Menu\BitTorrent Sync.lnk, and their presence may be indicative of a BitTorrent Sync installation.

--
Bojan
@bojanz

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Tuesday, July 18th 2017 https://isc.sans.edu/podcastdetail.html?id=5586, (Tue, Jul 18th)

SANS Internet Storm Center - July 18, 2017 - 1:50am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Monday, July 17th 2017 https://isc.sans.edu/podcastdetail.html?id=5584, (Mon, Jul 17th)

SANS Internet Storm Center - July 17, 2017 - 1:45am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

SMS Phishing induces victims to photograph their own token card, (Sun, Jul 16th)

SANS Internet Storm Center - July 17, 2017 - 1:16am

Introduction

Today I faced quite an unusual SMS phishing campaign here in Brazil. A friend of mine received an SMS message supposedly sent from his bank asking him to update his registration data through the given URL; otherwise, he could have his account blocked, as seen in Figure 1.

Figure 1 SMS message received

To tell you the truth, my friend doesn't have any account at the bank in question and, even so, we know that those kinds of messages are hardly ever sent by banks and are, most of the time, related to malware propagation and information stealing. However, instead of discarding the message, we decided to give it a try, and the results, as you are going to read in this diary, surprised us. This campaign involves no malware propagation, just creativity in favor of evil.

SMS Phishing analysis

The link in the message aims to take the victim to a fake and very simplistic mobile version of a well-known bank website. First, it asks for the CPF (a kind of social security card number) and a password, as seen in Figure 2.

Figure 2 Fake bank website asking for CPF and password

It is interesting to note that there is data input validation. The user must obey the CPF number composition rules, otherwise he can …

Figure 3 CPF validation rules

This kind of validation is certainly used to give a bit of legitimacy to the fake website and, perhaps, to avoid overloading the crooks with too much data-mining work.

In the next page, the fake website informs that the device used on that connection needs to be authorized, as seen in Figure 4.

Figure 4 Fake website: user must authorize the device

By clicking on "Habilitar Aparelho", which means enable device, a new page is shown asking the victim to enter the 4-digit password, as seen in Figure 5.

Figure 5 Fake website asking for the 4-digit password

Again, there is a minimum validation to prevent the user from trying very simple passwords like 1234 …

Figure 6 4-digit password validation

Figure 7 Asking for the token card picture

By clicking on "Finalizar Habilitação", which means proceed with the device authorization, the victim's smartphone will prompt the user to select a picture from its library or take a new one …

Figure 8 Taking the token card picture

Once the victim completes the whole process, including the token card picture, the criminals will have all the information needed to make fraudulent transactions on the compromised bank account, and the user is forwarded to the real bank login page.

Final words

Using the victim's smartphone to take pictures in order to steal information or, who knows, things, scares me a little bit. Let me explain. Earlier this month, reading Bruce Schneier's blog, I saw a post entitled "Now It's Easier than Ever to Steal Someone's Keys" [1], which says: "The website key.me will make a duplicate key from a digital photo."

While writing this diary, I was told about similar SMS phishing campaigns targeting other banks' customers here in Brazil. Stay tuned.

References

[1] https://www.schneier.com/blog/archives/2017/07/now_its_easier_.html

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Office maldoc + .lnk, (Sat, Jul 15th)

SANS Internet Storm Center - July 15, 2017 - 9:38pm

Reader nik submitted a malicious document. It …

It …

And then we can use Woanware …

Unfortunately, the .lnk file does not contain interesting metadata. But we can see that it uses PowerShell to download an executable from Dropbox.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security



©2001-2017 - Baanboard.com - Baanforums.com