Baanboard.com

Security

Gunter Ollmann: Time to Squish SQL Injection

Security Focus - 50 sec ago
Time to Squish SQL Injection
Categories: Security

Mark Rasch: Lazy Workers May Be Deemed Hackers

Security Focus - 50 sec ago
Lazy Workers May Be Deemed Hackers

Categories: Security

Adam O'Donnell: The Scale of Security

Security Focus - 50 sec ago
The Scale of Security
Categories: Security

Mark Rasch: Hacker-Tool Law Still Does Little

Security Focus - 50 sec ago
Hacker-Tool Law Still Does Little
Categories: Security

Infocus: Enterprise Intrusion Analysis, Part One

Security Focus - 50 sec ago
Enterprise Intrusion Analysis, Part One
Categories: Security

Infocus: Responding to a Brute Force SSH Attack

Security Focus - 50 sec ago
Responding to a Brute Force SSH Attack
Categories: Security

Infocus: Data Recovery on Linux and ext3

Security Focus - 50 sec ago
Data Recovery on Linux and ext3

Categories: Security

Infocus: WiMax: Just Another Security Challenge?

Security Focus - 50 sec ago
WiMax: Just Another Security Challenge?
Categories: Security

More rss feeds from SecurityFocus

Security Focus - 50 sec ago
News, Infocus, Columns, Vulnerabilities, Bugtraq ...
Categories: Security

ISC Stormcast For Monday, July 24th 2017 https://isc.sans.edu/podcastdetail.html?id=5594, (Mon, Jul 24th)

SANS Internet Storm Center - 11 min 4 sec ago
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Another .lnk File, (Sun, Jul 23rd)

SANS Internet Storm Center - July 23, 2017 - 7:50pm

In diary entry Office maldoc + .lnk we analyzed a Windows shortcut file (.lnk) and looked for metadata, but it didn

[screenshot]

This time we have more metadata: under the TrackerDataBlock we can find the machine name (frank), a VolumeID and a MAC address.

The MAC address starts with 00:0C:29, a range that is assigned to VMware, so we are dealing with a virtual machine.

The target (cmd.exe) has size 301568: this is cmd.exe on Windows 7.
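The TrackerDataBlock the diary reads is a fixed 0x60-byte structure whose two Droid GUIDs are version-1 UUIDs, so the MAC address sits in their node field. The following is an added example (not Didier Stevens' tooling) that builds a constructed block for a machine named frank, locates such a block inside raw .lnk bytes, and recovers the machine name, MAC and a VMware OUI verdict; the builder's GUID timestamps are made-up values.

```python
# Added example (not from the diary): pull the machine name and MAC address
# out of a .lnk TrackerDataBlock (MS-SHLLINK 2.5.10); test data is constructed.
import struct
import uuid

TRACKER_SIGNATURE = 0xA0000003
VMWARE_OUIS = {"00:0c:29", "00:50:56"}  # 00:0C:29 is the OUI the diary names


def v1_guid(node: bytes, seq: int) -> bytes:
    """Version-1 GUID in on-disk (little-endian) order with `node` as its MAC."""
    return uuid.UUID(fields=(0x1A2B3C4D, 0x5E6F, 0x1000 | seq, 0x80, 0x01,
                             int.from_bytes(node, "big"))).bytes_le


def build_tracker_block(machine: str, mac: bytes) -> bytes:
    """Constructed 0x60-byte TrackerDataBlock for testing, not a real .lnk."""
    header = struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
    machine_id = machine.encode("ascii").ljust(16, b"\0")  # NetBIOS name
    droid = v1_guid(mac, 1) + v1_guid(mac, 2)          # volume id, file id
    droid_birth = v1_guid(mac, 3) + v1_guid(mac, 4)    # birth volume/file id
    return header + machine_id + droid + droid_birth


def find_tracker_block(data: bytes) -> "bytes | None":
    """Locate the block inside raw .lnk bytes by signature and size check."""
    marker = struct.pack("<I", TRACKER_SIGNATURE)
    pos = data.find(marker)
    while pos != -1:
        start = pos - 4  # BlockSize precedes BlockSignature
        if start >= 0:
            size = struct.unpack_from("<I", data, start)[0]
            if size >= 0x60 and start + size <= len(data):
                return data[start:start + size]
        pos = data.find(marker, pos + 1)
    return None


def parse_tracker_block(block: bytes) -> dict:
    """Machine name, MAC from the file Droid GUID, and a VMware OUI check."""
    size, sig, length, _version = struct.unpack_from("<IIII", block, 0)
    if sig != TRACKER_SIGNATURE or size < 0x60 or length < 0x58:
        raise ValueError("not a TrackerDataBlock")
    machine = block[16:32].split(b"\0", 1)[0].decode("ascii", "replace")
    droid_file = uuid.UUID(bytes_le=block[48:64])  # Droid[1]: file object id
    mac = ":".join(f"{b:02x}" for b in droid_file.bytes[10:16])  # node field
    return {"machine": machine, "mac": mac,
            "guid_version": droid_file.version,  # 1 => node is a real MAC
            "vmware": mac[:8] in VMWARE_OUIS}
```

A guid_version other than 1 means the node field is random rather than a MAC, so the OUI lookup should be skipped in that case.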

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Categories: Security

Black Hat is coming and with it a good reason to update your "Broadcom-based" devices, (Fri, Jul 21st)

SANS Internet Storm Center - July 22, 2017 - 1:19am

Black Hat US 2017 is about to start, and with it comes a potential concern for most of us. One of the conference presentations, entitled BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS [1], will detail how Broadcom BCM43xx Wi-Fi chipsets can be exploited to achieve full code execution on the compromised device without user interaction.

"An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," says Apple about this vulnerability (CVE-2017-9417) in its latest security bulletin [2]. Google published the patch fixing the vulnerability on Android early this month [3].

Besides Apple devices, those chipsets are present in most smartphones, such as HTC, LG, Nexus and most Samsung models. Make sure this vulnerability is fixed on all your devices, especially if you are planning to be in Las Vegas next week.

References
[1] https://www.blackhat.com/us-17/briefings.html#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets
[2] https://support.apple.com/pt-br/HT207923
[3] https://source.android.com/security/bulletin/2017-07-01

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

Categories: Security

Malicious .iso Attachments, (Fri, Jul 21st)

SANS Internet Storm Center - July 21, 2017 - 11:23pm

We

[screenshot]

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Categories: Security

ISC Stormcast For Friday, July 21st 2017 https://isc.sans.edu/podcastdetail.html?id=5592, (Fri, Jul 21st)

SANS Internet Storm Center - July 21, 2017 - 1:15am
Categories: Security

ISC Stormcast For Thursday, July 20th 2017 https://isc.sans.edu/podcastdetail.html?id=5590, (Thu, Jul 20th)

SANS Internet Storm Center - July 20, 2017 - 1:05am
Categories: Security

Bots Searching for Keys & Config Files, (Wed, Jul 19th)

SANS Internet Storm Center - July 19, 2017 - 7:26am

If you don't know our 404 project [1], I would definitely recommend having a look at it! The idea is to track HTTP 404 errors returned by your web servers. I like to compare the value of 404 errors found in web site log files to dropped events in firewall logs. They can have a huge value to detect ongoing attacks or attackers performing some reconnaissance. Reviewing 404 errors is one task from my daily hunting to-do list, but it may quickly become unmanageable if you have a lot of websites or popular ones. The idea is to focus on rare events that could usually pass below the radar. Here is a Splunk query that I use:

    index=web sourcetype=access_combined status=404 | rex field=uri "(?<new_uri>^\/{1}[a-zA-Z0-9_\-\~]+\.\w+$)" | cluster showcount=true t=0.6 field=new_uri | table _time, cluster_count, cluster_label, new_uri | sort cluster_count

What does it do?

  • It searches for 404 errors in all the indexed Apache logs (access_combined)
  • It extracts interesting URIs. I'm only interested in files from the root directory, e.g. GET /name.extension
  • It creates clusters of similar URIs (the cluster command) and lists them sorted by cluster count. Example output:

    _time,cluster_count,cluster_label,new_uri
    2017-07-18T13:42:15.000+0200,1,9,/xml.log
    2017-07-18T13:18:51.000+0200,1,11,/rules.abe
    2017-07-18T11:51:57.000+0200,1,17,/tmp2017.do
    2017-07-18T11:51:56.000+0200,1,18,/tmp2017.action
    2017-07-18T09:16:52.000+0200,1,23,/db_z.php
    2017-07-18T07:28:29.000+0200,1,25,/readme.txt
    2017-07-18T03:44:07.000+0200,1,27,/sloth_webmaster.php
    2017-07-18T02:52:33.000+0200,1,28,/sitemap.xml
    2017-07-18T00:10:57.000+0200,1,29,/license.php
    2017-07-18T00:00:32.000+0200,1,30,/How_I_Met_Your_Pointer.pdf
    2017-07-17T22:57:41.000+0200,1,31,/browserconfig.xml
    2017-07-17T20:02:01.000+0200,1,76,/rootshellbe.zip
    2017-07-17T20:01:00.000+0200,1,82,/htdocs.zip
    2017-07-17T20:00:54.000+0200,1,83,/a.zip
    2017-07-17T20:00:51.000+0200,1,84,/wwwroot1.zip
    2017-07-17T20:00:50.000+0200,1,85,/wwwroot1.rar
    2017-07-17T19:59:34.000+0200,1,98,/rootshell.zip
    2017-07-17T19:59:27.000+0200,1,103,/blogrootshellbe.rar
    2017-07-17T19:59:18.000+0200,1,104,/rootshellbe.rar

Many of the tested files are basically backup files, as I already mentioned in a previous diary [2]; nothing has changed. But yesterday I found a bot searching for even more interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically

    /filezilla.xml
    /ws_ftp.ini
    /winscp.ini
    /backup.sql
    /sitename.key
    /key.pem
    /myserver.key
    /privatekey.key
    /server.key
    /journal.mdb
    /ftp.txt
    /rules.abe

Each file was requested with a different combination of lower/upper case characters. Note the presence of rules.abe, which is used by webmasters to specify rules for some web applications [3]. This file could contain references to hidden applications (which is interesting to know for an attacker).

So, keep an eye on your 404 errors and happy hunting!
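The same hunt can be run outside Splunk. The following is an added example (not Xavier Mertens' query) in Python: it applies the diary's root-directory filter to access_combined lines, counts the rare root-level 404s, and flags the config and key file names the bot requested, matched case-insensitively because the bot varied the case. The log lines are constructed sample data using RFC 5737 test addresses.

```python
# Added example: the diary's 404 hunt over constructed access_combined lines,
# with the key/config names it lists matched case-insensitively.
import re
from collections import Counter

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Same root-directory filter as the diary's rex: GET /name.extension only
ROOT_FILE_RE = re.compile(r"^/[a-zA-Z0-9_\-~]+\.\w+$")
SENSITIVE_NAMES = {"filezilla.xml", "ws_ftp.ini", "winscp.ini", "backup.sql",
                   "sitename.key", "key.pem", "myserver.key", "privatekey.key",
                   "server.key", "journal.mdb", "ftp.txt", "rules.abe"}
SENSITIVE_EXTS = (".key", ".pem", ".ini", ".sql", ".mdb")

# Constructed sample log (RFC 5737 test addresses), not from a real server
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2017:13:42:15 +0200] "GET /FileZilla.xml HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2017:13:42:16 +0200] "GET /ws_ftp.ini HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2017:13:42:17 +0200] "GET /Server.KEY HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jul/2017:13:50:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jul/2017:13:50:02 +0200] "GET /images/logo.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jul/2017:13:50:03 +0200] "GET /readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """(ip, method, uri, status) for an access_combined line, or None."""
    m = LOG_RE.match(line)
    return (m[1], m[3], m[4], int(m[5])) if m else None


def root_404s(lines):
    """Yield (ip, uri) for 404s on root-level files, the diary's filter."""
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 404 and ROOT_FILE_RE.match(rec[2]):
            yield rec[0], rec[2]


def root_404_uris(lines) -> Counter:
    """Count per URI: the rare ones are what the diary says to focus on."""
    return Counter(uri for _ip, uri in root_404s(lines))


def is_sensitive(uri: str) -> bool:
    """Case-insensitive match against the config/key names the bot probed."""
    name = uri.lstrip("/").lower()
    return name in SENSITIVE_NAMES or name.endswith(SENSITIVE_EXTS)


def flag_sensitive(lines) -> dict:
    """Map each source IP to the sensitive root-level files it asked for."""
    flagged = {}
    for ip, uri in root_404s(lines):
        if is_sensitive(uri):
            flagged.setdefault(ip, []).append(uri)
    return {ip: sorted(uris) for ip, uris in flagged.items()}
```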

[1] https://isc.sans.edu/404project/
[2] https://isc.sans.edu/forums/diary/Backup+Files+Are+Good+but+Can+Be+Evil/21935
[3] https://noscript.net/abe/web-authors.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Categories: Security

ISC Stormcast For Wednesday, July 19th 2017 https://isc.sans.edu/podcastdetail.html?id=5588, (Wed, Jul 19th)

SANS Internet Storm Center - July 19, 2017 - 1:15am
Categories: Security

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4: Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts), (Tue, Jul 18th)

SANS Internet Storm Center - July 18, 2017 - 8:39am

[This is the fourth guest diary by Dr. Ali Dehghantanha. Previous diaries in the series are:

If you would like to propose a guest diary, please let us know]

Continuing earlier posts on investigation of BitTorrent Sync version 2.0, this post explains remaining artefacts of user activities from Thumbnail Cache, Registry, Prefetch Files, and Link Files.

Thumbnail cache

Analysis of the Windows thumbcache (stored under %AppData%\Local\Microsoft\Windows\Explorer) recovered copies of thumbnail images for the BitTorrent Sync client application and its download site (e.g., the BitTorrent Sync logo and image icons), indicative of BitTorrent Sync usage. Examination of the thumbnail cache from the file synchronisation only revealed copies of thumbnail images for the synced files from the Windows 8.1 and Mac OS VMs. We could discern the thumbnail cache from the folder table field (of the files table), which made reference to BitTorrent Sync (see Figure 1) and the date of a sync file or folder.

Figure 1: Thumbnail information recovered from the index.sqlite database of Mac OS thumbcache folder.

Windows Registry

Analysis of the HKLM hive determined that a BitTorrent Sync installation could be detected from the presence of the HKLM\SOFTWARE\BitTorrent\Sync key, and the installation path could be discerned from the SyncPath subkey. In addition, the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent Sync key could provide supporting information about the installation, such as the display icon path, display name, BitTorrent Sync version installed, installation and uninstaller paths, and other entries of relevance.

As with any other Windows application, when the BitTorrent Sync client application is started there is a full path reference to the BitTorrent Sync executable in HKU\SID\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache, indicative of recent BitTorrent Sync usage. Further evidence of client application usage could be ascertained from the entry BitTorrent Sync: %Program Files%\BitTorrent Sync\BitTorrent Sync.exe, /MINIMIZED, alongside the last executed time, in Software\Microsoft\Windows\CurrentVersion\Run. Another registry key of forensic interest is Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32, which keeps track of a list of filename references (e.g., filenames for the executable and synced files) associated with the BitTorrent Sync client application, together with timestamp information from the last usage. According to Carvey (2014), the CIDSizeMRU subkey (MRU is the abbreviation for Most Recently Used) maintains a list of recently used applications, the OpenSaveMRU subkey records the list of files that have been opened or saved within a Windows shell dialog box, and the LastVisitedMRU subkey tracks the specific executable files used by an application to open the files documented in the OpenSaveMRU subkey.

Other evidence indicating BitTorrent Sync client application usage includes entries referencing the link file, as well as the last executed time, in Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

Prefetch files

Examination of the prefetch files located two prefetch files for BitTorrent Sync, namely BITTORRENT_SYNC.EXE.pf and BITTORRENT SYNC.exe.pf. The information of forensic interest recoverable from these files includes the executable path, the number of times the application has been loaded, and the last run time, which are useful to supplement timeline analysis. However, no prefetch instance was located for the synced files in our experiments. The persistence of the prefetch files after uninstallation implies that BitTorrent Sync references will remain in the prefetch files to indicate its use on the client device.

Link files

Link (.lnk) files are shortcut metadata files used by Windows to maintain a list of linked paths relating to a file (commonly the paths where the original files are located), associated timestamps (created, written, and last accessed times), and file sizes (original and modified), which are useful to identify the origin of a file. An inspection of the directory listings located instances of link files for %Program Files (x86)%\BitTorrent Sync\BitTorrent Sync.exe at %Users%\Public\Desktop\BitTorrent Sync.lnk and %Program Data%\Microsoft\Windows\Start Menu\BitTorrent Sync.lnk; their presence may be indicative of a BitTorrent Sync installation.

--
Bojan
@bojanz

Categories: Security

ISC Stormcast For Tuesday, July 18th 2017 https://isc.sans.edu/podcastdetail.html?id=5586, (Tue, Jul 18th)

SANS Internet Storm Center - July 18, 2017 - 1:50am
Categories: Security

ISC Stormcast For Monday, July 17th 2017 https://isc.sans.edu/podcastdetail.html?id=5584, (Mon, Jul 17th)

SANS Internet Storm Center - July 17, 2017 - 1:45am
Categories: Security


©2001-2017 - Baanboard.com - Baanforums.com