
News Feeds (RSS) Internet Storm Center

Thu, 18 Jan 2018 14:34:28 -0700

Comment your Packet Captures!

Thu, 18 Jan 2018 12:28:43 -0700

When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no "best" way to take notes: some people use electronic solutions while others use good old paper and pencil. Just keep in mind that it must be done properly if your notes will be used as evidence later. During investigations, chances are you will also have to deal with packet captures. Many security tools can record samples of network traffic, or you may need a full-packet capture[1]. Some tools, like Moloch, allow you to "tag" conversations. Later, you can search for those tags to find the interesting traffic again:

Thu, 18 Jan 2018 02:30:06 -0700

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Wed, 17 Jan 2018 22:51:54 -0700

Introduction

Wed, 17 Jan 2018 11:40:05 -0700


Tue, 16 Jan 2018 17:13:57 -0700

For a number of years, I've had a personal blog that for the last 2 or 3 years has been pretty much dormant. A few years ago, I found a deal for a VPS instance for $5/month and decided to host my blog there using WordPress. One of the nice features of this particular VPS setup is that it has good IPv6 connectivity, so I registered the IPv6 address in DNS. I use fail2ban to protect ssh against brute forcing, but I wanted to also protect my WordPress site, so I configured it to log all authentication attempts so that I could have fail2ban watch that log. For much of the last year, I've noticed something really odd. The vast majority of attempts against my WordPress site have come over IPv6. Here is a typical summary from the log (thank you logwatch; note, the IPs have NOT been changed to protect the guilty).

Tue, 16 Jan 2018 04:20:05 -0700


Mon, 15 Jan 2018 23:12:33 -0700

Sometimes malicious documents are encrypted, like PDFs. If you know the user password, you can use a tool like QPDF to decrypt it. If it's encrypted for DRM (with an owner password), QPDF can decrypt it without you knowing the owner password.

Mon, 15 Jan 2018 02:30:05 -0700


Sun, 14 Jan 2018 21:42:50 -0700

Since late 2014, malicious Office documents with macros have appeared in the wild again. Malware authors don't always rely on VBA macros to execute their payload; exploits and feature abuse are part of their bag of tricks too.

Sat, 13 Jan 2018 03:11:20 -0700

It has been a rough week for Intel. Several media outlets are reporting that researchers at F-Secure have discovered a flaw in Intel's Active Management Technology (AMT), which is in most business laptops. AMT is the technology used by corporations to remotely manage their deployed laptops.