Resources

  • Verizon Data Breach Investigations Report – verizonenterprise.com
    The 2014 Data Breach Investigations Report (DBIR) casts new light on threats, taking 10 years of forensic data and finding that 92% of the incidents can be categorized into nine basic attack patterns. This approach also helps identify the primary threats to your industry, which you can analyze to reinforce your defenses.

    • Stolen Passwords Used In Most Data Breaches – darkreading.com
      Findings from the new and much-anticipated 2014 Verizon Data Breach Investigations Report (DBIR) show that two out of three breaches involved attackers using stolen or misused credentials.
    • DBIR: Point-of-Sale Breaches Trending Downward – threatpost.com
      The DBIR points out that point-of-sale intrusions were a declining threat among the 1,367 breach investigations conducted by Verizon and the data submitted by 50 global law enforcement and private organizations. While retailers and small enterprises were still a prime target for cybercrime, point-of-sale attacks accounted for 14 percent of the breaches in the report, down from a high of more than 30 percent in 2011 and 2012.
  • Kansa: Get-Started – trustedsignal.blogspot.com
    Last week davehull posted an introduction to Kansa, the modular PowerShell live response tool he has been working on in preparation for his presentation at the SANS DFIR Summit. That post was a high-level overview; this one dives in.

Tools

  • DIBF Tool Suite – isecpartners.github.io
    Introducing iSEC Partners’ Windows driver testing suite. The source, binaries and example output are available here under the GPLv2 license. Currently three tools are included.
  • Kautilya 0.4.5 – Reboot Persistence, DNS TXT exfiltration and more – labofapenetrationtester.com
    This update of Kautilya introduces reboot persistence for HTTP Backdoor, DNS TXT Backdoor and Keylogger. The payloads for Windows have been rearranged in five categories making the menu clearer.
  • oclHashcat v1.20 – hashcat.net
    Latest version of oclHashcat is available now. Download it from here.

Techniques

Vendor/Software patches

  • Struts2 zero day in the wild – www3.hp.com
    Several months ago the Struts2 team announced security vulnerability S2-020, which allowed ClassLoader manipulation resulting in Remote Code Execution on certain application servers such as Tomcat 8. The fix for this vulnerability was to exclude any action parameter whose name matched the following regex.

    • Announcements – struts.apache.org
      The Apache Struts group is pleased to announce that Struts 2.3.16.2 is available as a “General Availability” release.
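The two items above turn on one detail: the S2-020 fix was a regular expression applied to incoming parameter names, and the in-the-wild bypass simply used parameter-name spellings that the expression did not cover. The following is an added example, not code from the page or from the Struts project, that models the interceptor's exclusion check in Python so the gap is visible. The two patterns are assumptions: NAIVE_EXCLUDE is the shape of the original mitigation (a lowercase "class." segment only), HARDENED_EXCLUDE adds the capitalised and bracket-indexed spellings; check your own Struts version's default excludeParams rather than relying on these. The parameter names are constructed, and `is_excluded`, `accepted_params` and `compare_filters` are hypothetical helpers.

```python
import re

# Exclusion patterns modelled on the Struts 2 ParametersInterceptor
# "excludeParams" mechanism.  Both are ASSUMED here for illustration:
# the first is the shape of the original S2-020 mitigation (lowercase
# "class." only); the second also covers the spellings that bypassed it
# (capitalised "Class", bracket syntax such as ['class'] and class[...]).
NAIVE_EXCLUDE = r"(.*\.|^)class\..*"
HARDENED_EXCLUDE = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")\]|\[).*"""


def is_excluded(param_name: str, patterns) -> bool:
    """True if the parameter name matches any exclusion pattern.

    Struts uses Pattern.matcher(name).matches(), i.e. the whole name must
    match, so re.fullmatch is the Python equivalent.
    """
    return any(re.fullmatch(p, param_name) for p in patterns)


def accepted_params(params: dict, patterns) -> dict:
    """Return only the request parameters the filter would hand to OGNL."""
    return {k: v for k, v in params.items() if not is_excluded(k, patterns)}


# Constructed request parameters, not captured traffic.  The first is a
# benign form field; the rest are parameter-name shapes aimed at reaching
# the Tomcat ClassLoader through the action's getClass() property.
SAMPLE_PARAMS = {
    "user.name": "alice",
    "class.classLoader.resources.dirContext.docBase": "/tmp",
    "Class.classLoader.resources.dirContext.docBase": "/tmp",
    "foo['class'].classLoader.resources.dirContext.docBase": "/tmp",
}


def compare_filters(params=SAMPLE_PARAMS):
    """Return (names accepted by the naive pattern, names accepted by the
    hardened pattern) so the bypass is visible side by side."""
    naive = accepted_params(params, [NAIVE_EXCLUDE])
    hardened = accepted_params(params, [HARDENED_EXCLUDE])
    return sorted(naive), sorted(hardened)


if __name__ == "__main__":
    naive, hardened = compare_filters()
    print("accepted by naive pattern:   ", naive)
    print("accepted by hardened pattern:", hardened)
```

The naive pattern stops the textbook `class.classLoader...` name but lets `Class.classLoader...` and `foo['class'].classLoader...` through, because the property-access syntax the framework accepts is wider than the one spelling the regex anticipated. The practical lesson is the same one the 2.3.16.2 release embodies: a deny-list regex over attacker-controlled names has to be written against the parser's full grammar, not against the one example from the advisory.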

Vulnerabilities

  • OpenSSL code beyond repair, claims creator of “LibreSSL” fork – arstechnica.com
    OpenBSD developers removed half of the OpenSSL source tree in a week. OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.
  • ssl-heartbleed.nse mod – blog.didierstevens.com
    This modification is not necessary. You can force a script to run on all open ports, regardless of the result of its portrule function, by prefixing the script name with a +.
  • Privilege Escalation Vulnerability in Cisco ASA’s SSL VPN – blog.spiderlabs.com
    Trustwave SpiderLabs security researcher Jonathan Claudius has discovered a privilege escalation vulnerability in Cisco ASA’s SSL VPN service. The vulnerability allows any user with an established VPN session to gain full administrative access to the ASA device.
  • Microsoft discloses zero day in all versions of Internet Explorer – www.zdnet.com
    Late Saturday Microsoft revealed a vulnerability in all versions of Internet Explorer that is being used in “limited, targeted attacks.” They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.