SANS ISC InfoSec Forums

Friday Digest - 27 MAR 2015

JS Malware uptick

We've been seeing an uptick in JS malware (TrojanDownloader:JS/Nemucod.K) loosely disguised as .doc files. The JavaScript is reasonably obfuscated, but if executed it does result in a trojaned system. Payloads have been delivered as resumes, invoices, or shipping notices. You'll note that the payloads carry double-extension names such as payload.doc.js.
Feel free to let us know if you've noticed similar activity, and send samples along via the diary submittal form for comparison (best submitted as a password-protected zip).

VirusTotal sample data:
1081e3e1ef855b011eaadfeea5f9e9c1
3a155fd510f16efc4104022e228de88d
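As an added example, not part of the diary and not a SANS tool, here is a small Python triage script a mail-gateway or SOC analyst could run over a directory of extracted attachments. It flags the payload.doc.js naming pattern described above, checks each file's MD5 against the two VirusTotal hashes listed in the diary, and counts a few crude obfuscation markers. The extension lists, the marker strings, and the sample files it builds are my own assumptions and constructed stand-ins; the sample bodies are inert text, not real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5s from the diary's VirusTotal sample data (TrojanDownloader:JS/Nemucod.K)
KNOWN_BAD_MD5 = {
    "1081e3e1ef855b011eaadfeea5f9e9c1",
    "3a155fd510f16efc4104022e228de88d",
}

# Extensions the Windows Script Host runs on double-click (assumed list)
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Document-looking "disguise" extensions seen in names like payload.doc.js (assumed list)
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
# Crude obfuscation markers; several of them in a small script is a red flag (assumed list)
OBFUSCATION_MARKERS = (b"eval(", b"unescape(", b"String.fromCharCode", b"ActiveXObject")


def has_double_extension(name: str) -> bool:
    """True for payload.doc.js-style names: a document extension directly before a script extension."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS and suffixes[-2] in DOC_EXTS


def md5_of_file(path: str) -> str:
    """Stream the file through MD5 so large attachments need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def obfuscation_score(path: str) -> int:
    """Number of distinct obfuscation markers present in the file body."""
    with open(path, "rb") as fh:
        body = fh.read()
    return sum(1 for marker in OBFUSCATION_MARKERS if marker in body)


def classify(path: str) -> list:
    """Findings for one attachment; an empty list means nothing matched."""
    name = os.path.basename(path)
    findings = []
    if has_double_extension(name):
        findings.append("double-extension script")
    elif Path(name).suffix.lower() in SCRIPT_EXTS:
        findings.append("script attachment")
    if md5_of_file(path) in KNOWN_BAD_MD5:
        findings.append("known Nemucod.K sample (MD5 match)")
    # Only bother with the marker scan once the file already looks like a script
    if findings and obfuscation_score(path) >= 2:
        findings.append("obfuscation markers")
    return findings


def scan_directory(directory: str) -> dict:
    """Map each regular file in `directory` to its list of findings."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = classify(full)
    return results


def demo() -> dict:
    """Build a constructed set of attachments in a temp directory and scan it."""
    samples = {
        # constructed stand-in for a Nemucod-style lure: document-looking name, script body
        "resume.doc.js": b"var s=unescape('%75%72%6c'); eval(String.fromCharCode(104,105));",
        # plain script attachment with no obfuscation markers
        "tracking.js": b"console.log('hello');",
        # benign document (placeholder bytes, not a real docx)
        "invoice.docx": b"PK\x03\x04 constructed placeholder",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings) or 'clean'}")
```

The hash check only catches the two samples named here; the name and marker heuristics are what give coverage of the next repack, and the double-extension rule is also easy to port to a mail-gateway attachment filter.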

Security Weekly

I was interviewed for Episode 411 of Paul Asadoorian's Security Weekly. While I had to often speak in sadly generic and vague terms, a few key takeaways popped out in the conversation.
We all largely agreed that the best tooling and datasets mean nothing when protecting organizations without applied context.
Consider the fact that one of the best ways for a security team to properly design and implement tooling and monitoring is to leverage the network architect to better understand design and layout. This allows goals to be established. Rather than a mission based on implementing a tool, the mission should be goal based: what are you trying to protect, not what are you trying to install. The premise of operational threat modeling really factors in here too. The practice can help prioritize areas of importance (avoid boiling the ocean) and allow better goal determination.
Great talking with Paul and team, I appreciate the opportunity.

On a related note, check out Episode 409 with Keren Elazari, go watch her TED talk, then get a copy of this month's Scientific American which includes her article, How To Survive Cyberwar.

Book offering

Wiley is offering a free download (for a limited time) of The Database Hacker's Handbook: Defending Database Servers http://bit.ly/HackersHandbook

GitHub DDoS

GitHub has been under a brutal DDoS attack for more than 24 hours.
https://github.com/blog/1981-large-scale-ddos-attack-on-github-com
Keep an eye on https://twitter.com/githubstatus for updates.

Doh!

Overheard by a pentester after a recent pentest:
Passwords.doc is a bad idea :-)

Have a great weekend!

Russ McRee | @holisticinfosec

Book Offering
=============

I downloaded the "The Database Hacker's Handbook" but it is very OUT-OF-DATE.

The PDF says that the book was published in 2005.

Is the link wrong or have Wiley provided the WRONG pdf file to Download???


Simon Basterfield
Anonymous
Passwords.doc is indeed the height of stoopidness if it is a file containing passwords. Security people, however, do appreciate rainbow tables. Also, if Passwords.doc is a treatise on how to formulate good and secure passwords, then it is an excellent idea. ;-)
Moriah
Once again: to protect yourself and/or your (unprivileged) users against (not only) *.JS[E] from untrusted sources turn on 'Software Restriction Policies' alias SAFER: see <https://technet.microsoft.com/library/cc507878.aspx>

For instructions and ready-to-use scripts see for example <http://mechbgon.com/srp> or <http://schneegans.de/computer/safer>
Anonymous
Book Offering
=============

I downloaded "The Database Hacker's Handbook" PDF but it is dated 2005. It's 10 years old.
The PDF makes reference to the upcoming: Microsoft SQL Server 2005.

Is the link correct or did Wiley provide the wrong PDF???
Anonymous
Thanks for these links.
Anonymous