Wednesday, May 30, 2018

FREE - New Windows Forensics Analysis Poster from SANS

Free tool - GeoLogonalyzer - From FireEye - Helps to weed out hackers exploiting stolen credentials to log into their targets.

Remember, this is NOT a replacement for best practices or existing protection.


Stolen enterprise user credentials are all the rage among hackers these days, but spotting the bad guys among legitimate users logging in remotely can be difficult.

FireEye recommends several best practices for thwarting remote access hacks in addition to deploying GeoLogonalyzer, including:

  • Limiting remote access from the Internet to sensitive data
  • Instituting multi-factor authentication using one-time tokens
  • Whitelisting legitimate IP address ranges for remote access users

among other steps.
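The two checks above (source ranges you expect, and logons that cannot plausibly belong to one person) can be scripted against your own VPN or remote-access logs. The following is an added example, not FireEye's GeoLogonalyzer code: the "impossible travel" heuristic is the editor's own illustration of the kind of check such a tool performs, GEO_TABLE is a constructed stand-in for a real GeoIP database, and the logon records and allowlisted ranges are constructed sample data.

```python
"""Logon-geolocation checks over VPN/remote-access records (added example)."""
import ipaddress
import math
from datetime import datetime

# Constructed geolocation table standing in for a GeoIP database:
# source IP -> (city, latitude, longitude).
GEO_TABLE = {
    "203.0.113.10": ("New York", 40.7128, -74.0060),
    "203.0.113.11": ("New York", 40.7128, -74.0060),
    "198.51.100.7": ("London", 51.5074, -0.1278),
    "192.0.2.99": ("Sydney", -33.8688, 151.2093),
}

# Constructed allowlist: ranges remote-access users are expected to come from.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Anything faster than roughly airline speed between two logons is treated as impossible travel.
MAX_SPEED_KMH = 900.0

# Constructed logon records, one per line: "<ISO timestamp> <user> <source IP>".
SAMPLE_LOGONS = """\
2018-05-30T08:00:00 alice 203.0.113.10
2018-05-30T09:30:00 alice 203.0.113.11
2018-05-30T08:15:00 bob 198.51.100.7
2018-05-30T10:15:00 bob 192.0.2.99
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_logons(text):
    """Parse logon lines into (timestamp, user, ip) tuples, grouped per user in time order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        records.append((datetime.fromisoformat(ts), user, ip))
    records.sort(key=lambda r: (r[1], r[0]))
    return records


def analyze(records):
    """Return (user, reason) findings: off-allowlist sources and impossible travel between logons."""
    findings = []
    last_seen = {}  # user -> (timestamp, ip) of that user's previous logon
    for ts, user, ip in records:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ALLOWED_RANGES):
            findings.append((user, f"logon from {ip} outside allowlisted ranges"))
        if user in last_seen and ip in GEO_TABLE and last_seen[user][1] in GEO_TABLE:
            prev_ts, prev_ip = last_seen[user]
            city1, lat1, lon1 = GEO_TABLE[prev_ip]
            city2, lat2, lon2 = GEO_TABLE[ip]
            distance = haversine_km(lat1, lon1, lat2, lon2)
            hours = (ts - prev_ts).total_seconds() / 3600.0
            # Two different places with no elapsed time, or a speed above the ceiling, cannot be one traveller.
            if distance > 0 and (hours == 0 or distance / hours > MAX_SPEED_KMH):
                findings.append((user, f"impossible travel {city1} -> {city2}: {distance:.0f} km in {hours:.1f} h"))
        last_seen[user] = (ts, ip)
    return findings


def flagged_users(text):
    """The set of users with at least one finding."""
    return {user for user, _ in analyze(parse_logons(text))}


if __name__ == "__main__":
    for user, reason in analyze(parse_logons(SAMPLE_LOGONS)):
        print(f"{user}: {reason}")
```

Run as-is it reports both findings for bob (an off-allowlist source, and London to Sydney in two hours) and nothing for alice. The speed ceiling and the allowlist are the two knobs to tune against your own population before alerting on them.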

Pointers that can help you in your decision making

Three things to know at any given point in time:

  1. What are you trying to protect?
  2. What is the cost of failure (to protect)?
  3. Who is your enemy?
  4. What is the simplest and most transparent way to protect it?
  5. What is the cost (money / time / resources)?
  6. How do I monitor and generate valuable metrics?





https://www.darkreading.com/analytics/fireeye-offers-free-tool-to-detect-malicious-remote-logins/d/d-id/1331923

FYI - Google has released 34 new updates for Chrome




  • Includes mitigations for Spectre
  • Site isolation
  • Added support for the credential management API called WebAuthn


https://threatpost.com/google-patches-34-browser-bugs-in-chrome-67-adds-spectre-fixes/132370/

Watch out, football (soccer) fans - The next wave of scams/phishing emails will be about "FIFA 2018" (free tickets, win-a-trip offers, and fake ticket sale sites that steal your information).



To lull their victims into a false sense of security, criminals are buying inexpensive SSL certificates and registering URLs that at a quick glance look legitimate, such as russia2018 or russiaworldcup.com.

Those searching for tickets on sale have to be aware of where they make their purchase. Kaspersky has spotted several sites selling fake tickets.

Scammers are also creating fake FIFA and sponsor sites designed to extract personal and financial data.

https://www.scmagazine.com/scammers-using-fifa-world-cup-as-a-lure/article/769110/

Tuesday, May 29, 2018

We know employees are the weakest link in the security chain, but what about your connected vendors? 56% of organizations say they have experienced a data breach stemming from a third-party security failure. More than 42% of the respondents say that attacks on their third parties resulted in a misuse of their organization's data, and 75% believe that risks from third parties are increasing.





  1. IAM - One of the most common ways in which attackers have broken into target networks is by stealing and misusing third-party access credentials.
  2. DR - One of the most troublesome weaknesses in vendor environments, and one with the greatest potential impact on clients, is the vendors' susceptibility to disruption that renders data or services unavailable to the client.
  3. Breach Notification - Slowness on your third-party vendor's part to disclose an incident involving client data and systems can have a direct impact on you.
  4. System misconfiguration - Bad things can happen when a business partner or other third party stores your sensitive data on incorrectly set up IT systems.
  5. Inadequate Vulnerability Management Practices - Credit monitoring giant Equifax's failure to properly address a known vulnerability in one of its software components led to arguably one of the biggest breaches ever involving sensitive data.
  6. Third-party software tools - These can also introduce a lot of vulnerabilities into your software if you are not careful. Considering that 50% to 75% (and sometimes even 95%) of executing digital code in an organization comes from third-party vendors, the risk posed by vulnerable components is especially high.



https://www.darkreading.com/cloud/6-ways-third-parties-can-trip-up-your-security/d/d-id/1331911

Friday, May 25, 2018

Why go through all the trouble of downloading malware when you can get it pre-installed? More than 100 different low-cost Android models from manufacturers such as ZTE, Archos, and myPhone ship with malware pre-installed.



Avast has found that many low-cost, non-Google-certified Android phones shipped with a strain of malware built in that could send users to download apps they didn't intend to access. The malware, called Cosiloon, overlays advertisements on the operating system in order to promote apps or even trick users into downloading apps.

The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,’” wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone.


https://techcrunch.com/2018/05/24/some-low-cost-android-phones-shipped-with-malware-built-in/

New PowerShell v4 Cheat Sheet from SANS

Thursday, May 24, 2018

Did you know Amazon Alexa can send voice mails? (I am being sarcastic here.) It can send your private conversation, without your knowledge, to a random contact. - Woman says her Amazon device recorded private conversation, sent it out to random contact


But Danielle said two weeks ago their love for Alexa changed with an alarming phone call. "The person on the other line said, 'unplug your Alexa devices right now,'" she said. "'You're being hacked.'"

"He proceeded to tell us that he had received audio files of recordings from inside our house," she said. "At first, my husband was, like, 'no you didn't!' And the (recipient of the message) said 'You sat there talking about hardwood floors.' And we said, 'oh gosh, you really did hear us.'"

"They (Amazon )said 'our engineers went through your logs, and they saw exactly what you told us, they saw exactly what you said happened, and we're sorry.' He apologized like 15 times in a matter of 30 minutes and he said we really appreciate you bringing this to our attention, this is something we need to fix!"



https://www.kiro7.com/news/local/woman-says-her-amazon-device-recorded-private-conversation-sent-it-out-to-random-contact/755507974


Wednesday, May 23, 2018

Mozilla has added 2FA for Firefox Accounts and supports authenticator apps such as Authy, Duo and Google Authenticator (no SMS).





If you are saving passwords in your browser and syncing them, then you should take advantage of this feature.


Users can enable it right now by accessing:

https://accounts.firefox.com/settings?showTwoStepAuthentication=true

When they turn on two-step authentication, they'll also be provided with a set of recovery codes in case they lose access to the TOTP app.
Users should save these codes in a safe spot (online or offline).


https://www.bleepingcomputer.com/news/security/mozilla-adds-2fa-support-for-firefox-accounts/


Difference between a threat intelligence feed and a threat intelligence platform.



Threat intelligence feed -
An ongoing, third-party stream of information, or "feed," about current or potential threats to a company in a particular category.
Example - A feed can focus solely on domains, hashes, or IPs known to be associated with malicious activity.

There are six main sources of threat intelligence feeds, which are all valuable: 

  1. Open source
  2. Customer telemetry 
  3. Honeypots and darknets 
  4. Scanning and crawling 
  5. Malware processing 
  6. Human intelligence



  • Paid feeds may provide high-quality data, but you will need to monitor their relevance closely
  • For every threat intelligence feed you add, there is more data you need to analyze, and a higher chance you'll encounter false positives
  • Additionally, none of these feeds come with context, which is crucial in determining whether or not you should act upon their alerts


Threat intelligence platforms -
"collect, correlate, categorize, share and integrate security threat data in real time to support the prioritization of actions and aid in attack prevention, detection and response."

Current threat intelligence solutions are most useful for large, sophisticated cybersecurity outfits.

BTW - Threat intelligence - Seventy percent of the security industry professionals surveyed said they believe threat intelligence is either too complex or cumbersome to provide usable insights.
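What "more feeds, more false positives, no context" looks like in practice, and the de-duplication and correlation step a platform does for you, can be shown with a few lines of code. The following is an added example, not code from the article or from any feed vendor; the two feeds, the proxy log and the "known benign" list are all constructed sample data.

```python
"""Matching a proxy log against threat-intelligence feeds (added example)."""
import csv
import io
from collections import Counter, defaultdict

# Constructed feeds in a typical CSV shape: indicator, type, source.
FEED_A = """indicator,type,source
198.51.100.23,ip,feed-a
evil-updates.example,domain,feed-a
203.0.113.5,ip,feed-a
"""
FEED_B = """indicator,type,source
203.0.113.5,ip,feed-b
cdn-shared.example,domain,feed-b
"""

# Constructed proxy log: "<timestamp> <client IP> <destination host> <destination IP>".
PROXY_LOG = """\
2018-05-23T10:00:01 10.0.0.5 evil-updates.example 198.51.100.23
2018-05-23T10:00:02 10.0.0.6 cdn-shared.example 192.0.2.44
2018-05-23T10:00:03 10.0.0.7 intranet.example 10.0.1.1
"""

# Local context the feeds do not carry: shared infrastructure this organisation
# knows is benign for it (a CDN hostname a feed listed because someone else abused it).
KNOWN_BENIGN = {"cdn-shared.example"}


def load_feeds(*feed_texts):
    """Merge feeds into {indicator: {sources}}, de-duplicating indicators listed by several feeds."""
    indicators = defaultdict(set)
    for text in feed_texts:
        for row in csv.DictReader(io.StringIO(text)):
            indicators[row["indicator"].strip().lower()].add(row["source"])
    return indicators


def match_log(log_text, indicators):
    """Return (hits, suppressed): matches worth a look, and matches suppressed by local context."""
    hits, suppressed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, dest_ip = line.split()
        for value in (host.lower(), dest_ip):
            if value in indicators:
                record = (ts, client, value, sorted(indicators[value]))
                (suppressed if value in KNOWN_BENIGN else hits).append(record)
    return hits, suppressed


def hits_per_source(hits):
    """Hits per feed: a paid feed that never contributes a real hit is one whose relevance to question."""
    counts = Counter()
    for _, _, _, sources in hits:
        counts.update(sources)
    return counts


if __name__ == "__main__":
    indicators = load_feeds(FEED_A, FEED_B)
    hits, suppressed = match_log(PROXY_LOG, indicators)
    print(f"{len(indicators)} unique indicators from 2 feeds")
    for record in hits:
        print("HIT", record)
    for record in suppressed:
        print("SUPPRESSED (known benign locally)", record)
    print("hits per source:", dict(hits_per_source(hits)))
```

Note that the feed itself cannot tell you that cdn-shared.example is harmless in your environment; that decision comes from your own allowlist, which is the context the article says the feeds lack. The per-source counts are the cheapest way to keep an eye on whether a feed is still earning its place.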


https://www.darkreading.com/threat-intelligence/is-threat-intelligence-garbage/a/d-id/1331862

Tuesday, May 22, 2018

FREE SANS Cheat Sheet for Python 2.7 and 3

Are you storing your passwords in Google Chrome or Firefox? - "Vega Stealer" can steal any credit card details, passwords or files you have stored.





It arrives via a phishing email that tends to have a subject line such as 'Online store developer required' and contains a malicious attachment called 'brief.doc'.

If you open the attachment, it takes you to a fairly innocent-looking document; however, in the process you'll also unwittingly download the Vega Stealer malware.

And once the malware has infected your computer, it can steal your auto-fill details stored in Google Chrome, as well as documents stored on your machine.

https://www.mirror.co.uk/tech/google-chrome-users-beware-malicious-12575800

Monday, May 21, 2018

Your cloud security is directly proportional to your admins' security knowledge and mindset. For example, unauthenticated adversaries can extract user credentials from misconfigured reverse proxy servers in order to delete, manipulate or extract data from websites and applications.





Researchers have created a proof-of-concept attack that allows unauthenticated adversaries to extract user credentials from misconfigured reverse proxy servers in order to delete, manipulate or extract data from websites and applications.

The PoC targets APIs that provide access to the metadata associated with identity services such as AWS' Identity and Access Management (IAM), Microsoft's Azure Managed Service Identity (MSI), and Google Cloud IAM.

In its PoC attack, the researchers created a typical configuration for a web server or application server using a reverse proxy running a default NGINX installation. NGINX is web server software that can also be used as a reverse proxy. A reverse proxy is a type of server that retrieves resources on behalf of a client from one or more servers.


Protect against "Roaming Mantis" malware - Disable your router's remote administration feature and hardcode a trusted DNS server in the operating system's network settings (NOT rocket science, plain common sense)


Roaming Mantis - Steals sensitive information from Android and iOS devices and injects a browser-based cryptocurrency mining script.

Since the hacking campaign is using attacker-controlled DNS servers to spoof legitimate domains and redirect users to malicious download files, you are advised to make sure the sites you are visiting have HTTPS enabled.


To check if your Wi-Fi router is already compromised, review your DNS settings and check the DNS server address. If it does not match the one issued by your provider, change it back to the right one. Also change all your account passwords immediately.
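The "does my DNS server match the one my provider issued" check above is easy to automate on a Linux or macOS machine, where the configured resolvers live in /etc/resolv.conf. The following is an added example, not from the article or from Kaspersky's Roaming Mantis research; EXPECTED_RESOLVERS is a placeholder for the addresses your provider or IT department actually issued, and the sample resolv.conf contents are constructed. (Android phones and Windows expose the same information through their network settings or ipconfig rather than this file.)

```python
"""Compare the system's configured DNS resolvers with the ones you expect (added example)."""
import ipaddress

# Placeholder: the resolvers you expect to see (provider or corporate DNS).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed resolv.conf contents: one expected resolver and one unknown one.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 192.0.2.53
nameserver 198.51.100.99
options timeout:2
"""


def parse_nameservers(resolv_text):
    """Return the nameserver addresses in resolv.conf text, in order, ignoring comments and junk."""
    servers = []
    for raw in resolv_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address; skip it rather than crash
    return servers


def unexpected_resolvers(resolv_text, expected=EXPECTED_RESOLVERS):
    """Resolvers present in the configuration that are not in the expected set."""
    return [server for server in parse_nameservers(resolv_text) if server not in expected]


def check_resolvers(resolv_text, expected=EXPECTED_RESOLVERS):
    """Return (ok, message) suitable for a monitoring script or a login check."""
    found = parse_nameservers(resolv_text)
    if not found:
        return False, "no nameserver entries found"
    bad = [server for server in found if server not in expected]
    if bad:
        return False, "unexpected DNS resolver(s): " + ", ".join(bad)
    return True, "resolvers as expected: " + ", ".join(found)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_RESOLV_CONF  # no such file here: fall back to the constructed sample
    ok, message = check_resolvers(text)
    print(("OK: " if ok else "WARNING: ") + message)
```

A WARNING from this check is the cue the article describes: set the resolver back to the provider's address, then change your account passwords, since anything logged in through the hijacked resolver may have gone to an attacker's site.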



https://thehackernews.com/2018/05/routers-dns-hijacking.html

Thursday, May 17, 2018

New ransomware (actually a wiper) called StalinLocker



The malware infects targeted devices and gives victims 10 minutes to enter the unlock code "1922.12.30" (the date represents the foundation of the USSR). If the code is not entered, the wiper attempts to erase all files on the device.

StalinLocker has been developed only to damage user data, since once the victim enters the code, the wiper frees the files without any problem.

Previously, a similar ransomware campaign was forcing users to play PlayerUnknown's Battlegrounds (PUBG) for one hour in order to get their files unlocked. The one big difference was that it did not delete user data upon failure to play the game, but rather gave them the restoration code for free.


https://www.hackread.com/stalinlocker-ransomware-unlock-code-deletes-data/

Heard of "Voice Squatting"? - Closely mimicking legitimate voice commands in order to carry out nefarious actions using the smart-home assistants Amazon Alexa and Google Home


An adversary can create a new, malicious skill that is specifically built to open when the user says certain phrases. Those phrases are designed to be similar, if not nearly identical, to phrases used to open legitimate apps. So, the device would hear the approximate phrase and may open the rogue app instead of the legitimate one, thus hijacking the connection.


https://threatpost.com/voice-squatting-turns-alexa-google-home-into-silent-spies/132068/

LocationSmart (not so smart when it comes to security) - Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site



This company, which acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site, without the need for any password or other form of authentication or authorization.


https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/

Wednesday, May 16, 2018

We might be patching Windows regularly, but are we patching Adobe (47 patches released this week, severity 2 and severity 1)? And something we often miss: are we using the supported version of their product?



A week after issuing updates on Patch Tuesday, Adobe has posted patches for a second slew of 24 critical vulnerabilities, which have a higher risk of being exploited.

This week’s crop of vulnerabilities, of which there were 47 overall, impacts versions of Adobe’s Acrobat DC, Acrobat Reader DC, and Photoshop CC, all for both Windows and macOS.

While last week’s fixes were assigned a severity rating of priority 2, this week’s patches have been assigned a priority 1 rating.


https://threatpost.com/adobe-doles-out-second-round-of-higher-priority-patches/131967/

Tuesday, May 15, 2018

Difference between Disaster Recovery Plan and Security Recovery Plan

Vega Stealer - Malware that is said to have been created in order to harvest financial information from the saved credentials of Google Chrome and Mozilla Firefox browsers.



When the Firefox browser is in use, the malware collects specific files holding passwords and keys, such as "key3.db", "key4.db", "logins.json", and "cookies.sqlite".

In addition, the malware takes a screenshot of the infected machine and scans the system for any files ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.

Vega Stealer isn't the most complex malware in use today.

http://www.ehackingnews.com/2018/05/new-malware-variant-designed-to-swindle.html

New DDoS attack based on UPnP



The attack mechanism is a UPnP router that is happy to forward requests from one external source to another (in violation of UPnP behavior rules). Routed through the UPnP router, the data comes back on an unexpected UDP port from a spoofed IP address, making it more difficult to take simple action to shut down the traffic flood.

https://www.darkreading.com/new-ddos-attack-method-leverages-upnp/d/d-id/1331799

Monday, May 14, 2018

Own an Apple product? Then watch out for this phishing scam - The email notifies victims that their Apple account has been “limited” due to unusual activity and urges them to update their payment details via a link


It attempts to trick victims into updating their profiles under the guise that it’s part of proactive security hardening in preparation for the introduction of the General Data Protection Regulation (GDPR).

From there, users are prompted to enter their Apple IDs and passwords. When users put in their information, the website displays a standard message telling them their account has been locked, and offers a button to unlock it.

The “Unlock Account Now” button is linked to a malicious site that collects user data. This site asks for a slew of personal information like name, date of birth, address, and credit card details.

https://threatpost.com/gdpr-phishing-scam-targets-apple-accounts-financial-data/131915/

Common sense - Proper implementation of any security technology/product will provide the expected results AND, more importantly, eliminate the "false sense of security".


Here is an example of incorrect implementation that led to the eFail vulnerabilities - These vulnerabilities could allow potential attackers to decrypt the content of your end-to-end encrypted emails into plaintext, even for messages sent in the past.

The flaw doesn't reside in the email encryption standards themselves; instead, it affects a few email clients/plugins that incorrectly implemented the technologies.

https://thehackernews.com/2018/05/efail-pgp-email-encryption.html

Friday, May 11, 2018

Security trumps Convenience? (very rare) - IBM has decided that removable storage devices are just too risky to use, so they've been banned




IBM wants everyone using the cloud and more specifically, IBM's own File Sync and Share service, which it also offers to enterprise customers.

Naidoo explains, "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised."



https://www.pcmag.com/news/361098/ibm-employees-cant-use-removable-storage-anymore

Firefox 60 - Supports password-free logins


(if websites use the Web Authentication API)

"This resolves significant security problems related to phishing, data breaches, and attacks against SMS texts or other second-factor authentication methods while at the same time significantly increasing ease of use." Mozilla wrote.

Some are saying that this will replace passwords entirely, but for now it is being used as an extra layer of protection for users.

“Your credentials could be stored on a device like your phone, laptop, or security key, and services could use WebAuthn to sign in to your account after you scan your fingerprint or input a PIN on the device,” wrote Dropbox programmer Brad Girardeau.



http://www.ehackingnews.com/2018/05/firefox-60-worlds-first-browser-to-go.html

Wednesday, May 9, 2018

BitKangoroo deletes files every 60 minutes, but a decryptor is already available




This particular ransomware is developed by a real scumbag who intends to delete a victim's files if they do not pay fast enough.

This ransomware will encrypt a victim's files using AES-256 encryption and append the .bitkangoroo extension to encrypted files. It will then display a 60 minute countdown that, when reached, will cause the ransomware to delete one encrypted file. Once it deletes a file, it will reset the timer back to 60 minutes.


Most importantly, this ransomware can be decrypted for free using Michael Gillespie's BitKangarooDecrypter:
https://www.bleepingcomputer.com/download/bitkangaroodecrypter/



https://blog.knowbe4.com/breaking-new-bitkangoroo-ransomware-deletes-your-files-if-you-do-not-pay

US consumers - Freezing your credit files DOES NOT HELP if you have not heard of NCTUE. Here is the bonus: NCTUE is also tied to Equifax. You may have to add NCTUE to the list of organizations with which to request a credit freeze.





Mobile phone merchants do not ask any of the four credit bureaus; they make their credit queries with this organization.

There are four “exchanges” that feed into the NCTUE’s system: the NCTUE itself; something called “Centralized Credit Check Systems“; the New York Data Exchange; and the California Utility Exchange.

The NYDE is operated by Equifax Credit Information Services Inc. (yes, that Equifax). Verizon is one of many telecom providers that use the NYDE (and recall that AT&T was the founder of NCTUE).

Many people who have succeeded in freezing their credit files with Equifax have nonetheless had their identities stolen and new accounts opened in their names thanks to a lesser-known credit bureau that seems to rely entirely on credit checking entities operated by Equifax.

NCTUE makes it fairly easy to obtain any records they may have on Americans. Simply phone them up (1-866-349-5185) and provide your Social Security number and the numeric portion of your registered street address.

You can place a freeze on your NCTUE report by calling their 800-number: 1-866-349-5355.


https://krebsonsecurity.com/2018/05/another-credit-freeze-target-nctue-com/

Where would you want to spend your security dollars based on the following?


The Wandera Phishing Report 2018 shows:
(1) iOS users are 18x more likely to be phished than to download malware.
(2) 4,000 new mobile phishing websites are launched every day.
(3) 57% of all Internet traffic comes from mobile devices.
(4) A 170% increase in SMS phishing and a 102% increase in social app phishing from 2017 to 2018.
(5) The average iOS user has 14 different accounts on their work phone.
(6) 90% of cyberattacks start with a phishing attack.
(7) Users are 3x more likely to fall for phishing on mobile than on desktop.





Applications where mobile phishing attacks originate
  • Messaging (17.3%)
  • Social media (16.4%)
  • Dating (6.2%)
  • Gaming (11.3%)
  • Email (15.4%)



Top 5 apps for messenger phishing
  1. Messenger (inbuilt iOS/Android)
  2. WhatsApp
  3. Facebook Messenger
  4. LINE
  5. Viber

Top 10 brands targeted by phishing attacks
  1. Facebook
  2. Apple
  3. Google
  4. Amazon
  5. Paypal
  6. Government sites
  7. Microsoft
  8. Fox News
  9. Dropbox
  10. WhatsApp



Top 5 TLDs that host phishing attacks

  • .com
  • .ga
  • .tk
  • .ml
  • .cf

Tuesday, May 8, 2018

Message bomb for Android Phones



Involves sending and receiving a specially crafted WhatsApp message with hidden symbols in between spaces. Tapping on a portion of the text will make the app 'expand' the hidden symbols, potentially overloading the app and even the OS.

A bug is being forwarded via WhatsApp messages which, when tapped, could send not just the Android app crashing but possibly even the entire Android device as well.



Another "message bomb" which is causing the messaging platform to crash is more "nefarious, looks too innocent" and does not come with a warning. The message includes special characters, followed by an emoji, that do not display visibly but are used to change text behaviour. The message, containing the text "This is very interesting!", is followed by a crying-laughing emoji at the end. As per a Reddit user, the message is so heavy that it crashes the smartphone upon copying and pasting it into another chat box. The string of characters leading to the enormous size of the message is what is believed to be crashing the app.


http://www.ehackingnews.com/2018/05/new-whatsapp-message-can-crash-your-app.html

Monday, May 7, 2018

On your smartphone, is it possible to deliver malware via your browser without downloading an app? - Yes, using an old technique called "row hammering"; the researchers call it the "Glitch" attack.



Greatly simplified, row hammering means reading the same DRAM memory addresses over and over again.

Aim: pull off a row hammering attack in the browser, using nothing more than JavaScript served up in a web page.

They figured out how to align their “hammerable row” with a JavaScript array in such a way that random bit flips in the array might, with a bit of luck, give them read and write access to memory in ways that JavaScript is supposed to prevent.

That means not only data leakage by reading from memory that’s supposed to be private, but also the possibility of remote code execution (RCE) by poking machine code into protected memory and then running it. 


https://nakedsecurity.sophos.com/2018/05/05/serious-security-the-glitch-row-hammering-attack/

Process Doppelganging - If you are worried about ransomware then you should be aware of it (SynAck ransomware is already using this technique)



A fileless evasion technique for bypassing real-time file scanning by most AV software and next-generation AV tools on all versions of Windows since Windows Vista. Unlike malware that has to be written to disk or run completely from memory, with Process Doppelganging threat actors can build malware that runs from what appears to be a completely legitimate-looking file.

By manipulating how Windows handles file transactions, attackers can pass off malicious actions as harmless, legitimate processes, even if they are using known malicious code.


SynAck's latest version also can detect whether it's being launched from an automated sandbox: if so, it will promptly exit the sandbox. Before it actually begins to encrypt files, SynAck also checks the hashes of all processes that are running on the compromised machine, and tries to kill any processes that match a list of processes hard-coded into the malware.

Processes that SynAck is designed to kill include virtual machines, database applications, backup systems, and gaming applications, in what appears to be a bid to make it easier to seize high-value files which may otherwise be tied to a running process.

https://www.darkreading.com/attacks-breaches/synack-ransomware-gets-dangerous-doppleganging-feature/d/d-id/1331736?_mc=KJH-Twitter-2018-05

Thursday, May 3, 2018

"Alexa, are you spying on me?" — aaaa.....mmmm.....hmmm.....maybe!!!



Amazon allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap.

Security researchers have developed a new malicious 'skill' for Amazon's popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device.




Luckily, you can still catch the spy red-handed if you notice the blue light on your Echo device staying on for a longer period, especially when you are not chit-chatting with it.


https://thehackernews.com/2018/04/amazon-alexa-hacking-skill.html

For some, this could be a very useful infographic. World's best hangover cure