Wednesday, November 29, 2017

Some Sites where you can get great Security Information


FBI InfraGard is a partnership between the public and private sectors for sharing information; chapters are located all over the USA. Go here for more information.

DNSstuff performs forensic analysis of name and email servers, path analysis, and authentication and location of domains. Go here.

Internet Storm Center: great information about current issues. Go here.
 
Verizon Data Breach Investigations Report – go here

Cisco Threat Research Blog go here

FireEye: lots of information about security issues. Go here.

Microsoft Security Blog go here

Microsoft Security Intelligence Report (SIR), great read on state of security go here
 
NCI Sector-based Information Sharing and Analysis Centers (ISACs) collaborate and coordinate with each other via the National Council of ISACs (NCI). Formed in 2003, the NCI today comprises 24 organizations designated by their sectors as their

MacOS 10.13.1 - Root vulnerability allows new ADMIN account without password


Apple is in the process of building an emergency patch to lock down the “root” account where a preset password does not exist. In certain settings, the "MacOS 10.13.1 Root vulnerability" allows the password challenge to be bypassed entirely. That allows user accounts to be reset, allowing full compromise of vulnerable systems. This bug is serious and I believe Apple will quickly rectify it with an expedient “patch now” update.


The hack is easy to pull off. It can be triggered through the Mac’s System Preferences application when “Users & Groups” is selected, and the lock icon on the window is clicked. After that, a new login window will appear. Anyone who types “root” as the username, leaves the password field empty, and clicks unlock (once or twice) is on their way to a new account that has system admin privileges to the computer.

 

Amit Serper, a security researcher with Cybereason, replicated the result and said the bug “is as serious as it gets.” Hackers are always crafting malware that can gain greater system privileges on a computer. Now they have a new way, which can also be triggered via a Mac’s command line. Imagine a piece of malicious code designed to attack Macs using the same flaw. Users wouldn’t even know they were compromised, Serper said.

 

WORKAROUND – Set a password on the “root” account ahead of time instead of leaving it unset (a null value).


 

Tuesday, November 28, 2017

IcedID: A Hot New Item


 
In September 2017, IBM X-Force researchers discovered a new banking Trojan called IcedID. IcedID primarily targets financial institutions such as banks, payment card providers, and e-commerce sites. IcedID utilizes Emotet for delivery to target hosts.
 
Emotet is most commonly linked to small cybercrime organizations in Eastern Europe targeting Western countries and is known as a successor of the Dridex malware, which was designed to amass and maintain botnets. Emotet itself is most often delivered by opening a macro-enabled malicious file, usually sent by spam mail. Once executed, the malware embeds itself within normal machine processes, connects home, and installs additional modular components as directed. The installed components include spamming modules, network worm modules, and data stealers.
 
The main known tactics and techniques of IcedID consist of network propagation, victim monitoring, and web URL tampering. More specifically, the malware runs a local web proxy which listens to web traffic and, based on what it sees, can redirect the victim or inject parameters without their knowledge, causing them to browse to malicious web content controlled by the attacker instead of the original content they wanted to see. Reverse engineering of the malware revealed a PropagationThroughNetwork function, the network propagation module that allows the malware to infect local or remotely connected endpoints as a way of spreading to other systems. Additionally, IcedID can query LDAP looking for other users to attack and can look for other important information to send back to the command and control server.
 
As a way of hiding itself, IcedID performs a full reboot after storing its startup files in the Windows %LocalAppData% folder, to evade sandboxes and other defenses on victim hosts. Additionally, the malware uses SSL to communicate home and launch its attacks, to avoid intrusion detection systems within the victim infrastructure. The malware also uses a random value as the Run key name to establish persistence on the target host. As an example, the startup file would be “C:\Users\User\AppData\Local\ewonliarl\ewonliarl.exe” and the Run key would be at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ewonliarl”. IcedID listens on local network port 49157 and exfiltrates victim information of its choosing to its command and control server. Interestingly enough, IcedID can still be identified by its original process name, which continues to run even after reboot; researchers think this will likely change in the future.
Sources:
 
Thanks to Peraton and their Cyber Intelligence Program (CIP) for this information.
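The persistence details above (a Run value under HKCU with a random name pointing into %LocalAppData%, and a listener on local TCP port 49157) translate directly into a host hunt. The following PowerShell is an added example, not code from the original post or from the Peraton/IBM X-Force research; it assumes a Windows 8 or later host where the NetTCPIP module (Get-NetTCPConnection) is available.

```powershell
# Added example (not from the original post or the Peraton/IBM X-Force research).
# Hunts the local host for the two IcedID persistence indicators described above:
#   1. HKCU Run values whose target lives under %LocalAppData% (blog sample:
#      HKCU\...\Run\ewonliarl -> C:\Users\User\AppData\Local\ewonliarl\ewonliarl.exe)
#   2. a listener on local TCP port 49157
# Hits are leads for an analyst to verify, not proof of infection.

function Get-SuspiciousRunKeys {
    param(
        [string]$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        [string]$LocalAppData = $env:LOCALAPPDATA
    )
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
        # Expand %LocalAppData%-style variables, then strip quotes and arguments
        $raw = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
        if ([string]::IsNullOrWhiteSpace($exe)) { continue }
        if ($exe -notlike "$LocalAppData\*") { continue }
        # IcedID's sample used one random name for the Run value, its folder and its exe
        $base   = [IO.Path]::GetFileNameWithoutExtension($exe)
        $folder = Split-Path -Leaf (Split-Path -Parent $exe)
        $reason = if ($prop.Name -eq $base -and $base -eq $folder) {
            'Run value, folder and exe share one name under %LocalAppData% (IcedID pattern)'
        } else {
            'Run value points into %LocalAppData%'
        }
        [pscustomobject]@{ Check = 'RunKey'; Name = $prop.Name; Target = $exe; Reason = $reason }
    }
}

function Get-IcedIdListener {
    param([int]$Port = 49157)
    foreach ($conn in Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue) {
        $p = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = 'Listener'
            Name   = if ($p) { $p.ProcessName } else { '<unknown>' }
            Target = if ($p) { $p.Path } else { "pid $($conn.OwningProcess)" }
            Reason = "Listening on local TCP port $Port"
        }
    }
}

$hits = @(Get-SuspiciousRunKeys) + @(Get-IcedIdListener)
if ($hits.Count -gt 0) { $hits | Format-List } else { 'No IcedID-style Run key or listener found.' }
```

Legitimate per-user installers (browsers, chat clients) also write Run values into %LocalAppData%, so treat a bare "points into %LocalAppData%" hit as context and the all-names-equal pattern plus the port 49157 listener as the stronger signal.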
 

 
 

 

Almost 200,000 Cisco switches exposed to malicious attacks

Here is information from Talos: http://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html

Cisco Coverage for Smart Install Client Protocol Abuse
Summary

Talos has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.

We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks.
Protection
 
To assist customers in understanding their exposure to this issue, we have released our own scanning tool as well as preliminary Snort rules which can be used to identify affected systems and detect SIET activity.

Talos Scanning Utility


Talos has produced a scanning utility which all users can run against their infrastructure to determine if they could be affected by abuse of the Smart Install Client Protocol. This tool can be found here.


Coverage


Snort Rules


Talos has created coverage for this issue in the form of sids 41722-41725. These rules are being provided immediately as part of the community rule set and can be downloaded here:

Cisco FirePOWER and Snort Subscriber Rule Set customers should ensure they are running the latest rule update in order to receive coverage. 

Additionally, generic TFTP activity rules sid:518 and sid:1444 are available but these are not issue specific and must be explicitly enabled.


Further Information


Cisco PSIRT has published a blog post related to the issue here:

Further guidance on Smart Install security practices here:

Additional third-party research about Smart Install is available here:

Talos encourages all partners to quickly take steps to protect their systems in accordance with the published security guidelines. 

If you have a network security emergency, contact the Cisco Technical Assistance Center (TAC) at the following phone numbers:
Inside the United States or Canada: +1 800 553-2447
Outside the United States: Worldwide Contacts

Cisco responds quickly to attacks in progress and works with your staff to develop an incident response plan that minimizes the effect of current and future attacks.

Security Warning OFFICE 365 Bogus Bill

I have started seeing this kind of attack.

Look at the email address! Be careful with any of your emails and think before you click, because the link sends you to a bogus site.

Here is some new technology that I have come across


PuriFile


PuriFile’s software suite provides market-leading inspection and sanitization of digital files, preventing the loss of critical data and ensuring business continuity for government and commercial customers. Built to protect your inbox and halt release of sensitive information, PuriFile inherently understands your email, Microsoft Word, PowerPoint, Excel, PDF, and image files, so it can provide thorough email and file inspection and sanitization while maintaining the integrity of your network and information.

Microsoft Exchange Server (MXS) is a collaborative enterprise server application designed by Microsoft to run on Windows Server. MXS supports organizational email, contacts and tasks, calendar, data storage, and web-based and mobile information access. By residing on an organizational endpoint, the Exchange Server, PuriFile can provide email security through identification and remediation of content entering and exiting through your organization's communication lifeline, provide Data Loss Prevention, and mitigate Zero-Day attacks.

How it Works


Exchange Server Plugins - Microsoft provides an Application Programming Interface (API), as well as information and resources to extend Microsoft Exchange Server allowing for the customization of a unique customer focused email environment.

PuriFile Exchange Plugin - Using the Exchange Server API, the PuriFile plugin provides Data Loss Prevention, limits Zero-Day attacks and controls content leaving an organization.  Highly configurable, PuriFile is capable of identifying content within email and attachments based on well-defined policies and takes corrective action to alert the recipient and sender to remediate violations.

Message Scanning – Residing on a corporate exchange server, PuriFile is capable of scanning incoming and outgoing email to identify suspect content based on an organizational policy. When an individual receives an email or attempts to send email to a recipient, the PuriFile engine scans the content and attachments checking for violations. In the event a violation is detected, the recipient/sender is alerted and is able to take corrective action to accept or modify the content prior to it being received or sent to the recipient:


Figure 1: Scan Mode
Removing Attachments – In addition to the normal email message scanning, PuriFile is able to provide scanning and insight into content residing in email attachments. When an individual receives or completes an email and attempts to send it to the recipient, PuriFile scans the message along with any attachments and checks for violations. In the event of a violation in the attachment, the PuriFile engine replaces the content with a text file identifying the violations. A return notification is sent back to the sender along with the text file of violations.  The user will then be given an opportunity to review the violations and address as appropriate. Once all violations are addressed, the email is reprocessed for reading or sent on to the recipient:



Figure 2: Attachment Mode

Message Cleansing – The Message Cleansing mode is similar to the Replacing Attachments mode. Rather than alerting the recipient/sender of content in violation, the Message Cleansing capability cleanses the offending content from the document. When an individual receives or completes an email and attempts to send it to the recipient, PuriFile scans the message along with any attachments and checks for violations. In the event of a violation in the attachment, the PuriFile engine removes the content from the file prior to reading or sending the offending file.



Figure 3: Cleanse Mode

 

The added effect of the cleansing operation removes any malicious content, effectively halting in excess of 90% of zero-day attacks. Combined with an effective Anti-Virus/Anti-Malware solution organizations will have gained the upper hand on virulent viruses and malware.
 
Here is a cool offer: if you are interested in testing this, let me know and I will forward your info to the beta test team. They are offering the software for 12 months (plus support) for doing the beta test for us.
 
Send email to Jferron @ Interactive Security Training.com (NO spaces)

 

 

Free eBooks from Microsoft Press


Free Microsoft eBooks are available in PDF, EPUB and Mobi for Kindle formats.

Find more training eBooks & books at The Microsoft Press Store.

You can go here
 

Also, once a week Microsoft offers deals on selected eBooks (the eBook Deal of the Week); go here

Windows 10 Version 1709 and Hyper-V Issue

Hyper-V virtual machines don't start after you upgrade to Windows 10 Version 1709
This is a known issue that is caused by antivirus programs.
Below is the Microsoft solution and article.

Symptoms


Consider the following scenario:
  • You have a Windows 10-based computer that has the Hyper-V role installed.
  • You upgrade the computer to Windows 10 Version 1709.
In this scenario, you cannot start virtual machines. Also, you receive the following error message:

Additionally, you see the following entry in the System log:

And you see the following entry in the Application log:
 

Cause

This issue occurs because Windows 10 Version 1709 enforces a policy that configures Vmcompute.exe not to allow any non-Microsoft DLL files to be loaded.

Resolution

To fix this issue, check whether you have a non-Microsoft DLL file loaded in the Vmcompute.exe process. One possible cause of this issue is your antivirus software.
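One way to perform the check the resolution asks for, as an added example that is not part of the Microsoft article: enumerate the modules loaded into Vmcompute.exe and report any that do not carry a valid Microsoft signature. It assumes an elevated PowerShell session on the affected Windows 10 host and that Get-AuthenticodeSignature can resolve catalog signatures for in-box Windows DLLs (true on Windows 8 and later).

```powershell
# Added example (not from the Microsoft article). Lists the DLLs loaded into
# Vmcompute.exe that are not signed by Microsoft, which is the check the
# Resolution section asks for. Run from an elevated PowerShell session: the
# process runs as SYSTEM, so an unprivileged shell cannot read its module list.
# Start (or try to start) a VM first so that vmcompute.exe is running.

function Get-NonMicrosoftVmcomputeModules {
    param([string]$ProcessName = 'vmcompute')
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "$ProcessName.exe is not running; start a VM and retry."
        return
    }
    foreach ($p in $procs) {
        try { $modules = $p.Modules } catch {
            Write-Warning "Cannot enumerate modules of PID $($p.Id): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $modules) {
            # Get-AuthenticodeSignature also resolves catalog signatures on Windows 8+,
            # so in-box Windows DLLs report Valid with a Microsoft signer.
            $sig     = Get-AuthenticodeSignature -FilePath $m.FileName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $isMicrosoft = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
            if (-not $isMicrosoft) {
                [pscustomobject]@{
                    Pid       = $p.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    SigStatus = $sig.Status
                    Signer    = $subject
                }
            }
        }
    }
}

$foreign = @(Get-NonMicrosoftVmcomputeModules)
if ($foreign.Count -gt 0) {
    'Non-Microsoft DLLs found in vmcompute.exe (candidate cause; typically an antivirus hook):'
    $foreign | Format-Table -AutoSize
} else {
    'Only Microsoft-signed modules are loaded in vmcompute.exe.'
}
```

A reported module with SigStatus NotSigned or a non-Microsoft Signer is the DLL to take up with its vendor (usually the antivirus product) or to exclude from injecting into Vmcompute.exe.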
 
 

Saturday, July 8, 2017

Call for Speakers for the New York Metro Joint Cyber Security Conference

As the co-chair of this event I am letting you all know you have the opportunity to propose a topic to present at this event.

 
You are invited to the Capital of the World, New York City, for the 4th Annual Joint Cyber Security Conference on October 5th, 2017. The event will feature internationally recognized presentations delivered by security researchers, industry leaders and officials in Times Square!
Showcase your security expertise and share your knowledge - October 5th, 2017 in New York City for the 4th Annual Joint Cyber Security Conference.  This is an excellent opportunity to take advantage of unparalleled networking opportunities with other information security professionals, industry experts, and thought leaders from around the world, and get the exposure and recognition you deserve.

Please submit your proposal by 11:59 pm on August 7th, 2017 EDT.

We are looking for proposals from security practitioners who want to have real conversations about security: security analysts, engineers, and administrators, developers, testers, results-focused QA researchers of all kinds, chief security officers, leaders in risk and audit, and security data scientists. If you’re on the front lines of defense with stories of great success and worthy failure, especially if they provide clear ideas for what to do next, let us hear from you. And while people need a sense of what’s possible, bring concrete technical solutions above all else.

Note: Names and company affiliations will not be considered by the program committee during the first round of review.

Eligible Topics


We would like to cover all Security-related disciplines, including:

·        Analysis
·        Education
·        Engineering
·        Forensic
·        Governance
·        Network
·        Operational
·        Physical
·        Policy
·        Social
·        Technical

Submission Process & Requirements


·        The original author(s) of a presentation must submit for the Call for Presentation. Third parties such as PR firms or speaker representatives may not submit materials on behalf of a potential speaker or speaking team.

·        New York Metro Joint Cyber Security Conference (NYMJCSC) does not accept product or vendor-related pitches.

·        Each submission must be completed in its entirety the first time.

·        New York Metro Joint Cyber Security Conference (NYMJCSC) selection process is very competitive. Members of the NYMJCSC Review Board score each submission as a group.  Submissions should clearly detail the concepts, ideas, findings, and solutions a researcher or speaking team plans to present.

·        Submissions that highlight new research, tools, vulnerabilities, etc. are highly recommended and will be given priority.

·        Submissions that include Handouts and Live Demos will also be given priority.

·        Speakers may submit more than one proposal but each proposal must be submitted via a separate submission form.

·        Each submission must include detailed bibliographies acknowledging prior work in the space, distinguishing or highlighting how your presentation is different.

·        Individuals submitting a proposal will receive a “Your submission for New York Metro Joint Cyber Security Conference 2017 has been received” confirmation. After selections have been completed, all submitters will receive an email confirmation of acceptance or rejection.

·        Speakers will be contacted directly if Review Board members have any questions about a submission.

Review Board & Content Selection


The speaker selection committee is comprised of association volunteers in various areas of the information security community. The Review Board advises the conference on its strategic direction, reviewing, and programming conference content and providing unparalleled insight into the attendees.

Each presentation will be reviewed using a basic point system; each reviewer will be responsible for scoring the talk submission and picking the best candidates for the limited spots.

·        1-3 Points – Creative and catchy title

·        1-3 Points – Clear and detailed learning abstract/objectives/sources. This will be used by the speaker selection committee and viewed by the attendee as to why to attend this talk, the more complete the better.

·        1-3 Points – NYMJCSC Association Topic (Core body of work/project from a member association)

* Speakers will be picked on these criteria regardless of sponsorship if applicable

Required Information


You’ll be asked to include the following information for your proposal:

·        Proposed title

·        Description of the presentation

·        Suggested main topic

·        Audience information:

o   Who is the presentation for?

o   What will they be able to take away?

o   What prerequisite knowledge do they need?

·        For tutorial proposals: hardware installation, materials, and/or downloads attendees will need in advance

·        Speaker(s): biography and hi-res headshot (minimum 1400 pixels wide; required)

Tips for Submitting a Successful Proposal


Help us understand why your presentation is the right one for this conference. Please keep in mind that this event is by and for professionals. All presentations and supporting materials must be respectful, inclusive, and adhere to our Code of Conduct.

·        Give your proposal a simple and straightforward title.

·        Include as much detail about the presentation as possible.

·        Keep proposals free of marketing and sales, including buzzword-heavy jargon and FUD.

·        Keep the audience in mind: they’re professional, and already pretty smart.

·        Explain why people will want to attend and what they’ll take away from it.

·        Pick the right topic for your talk to be sure it gets in front of the right program committee members.

·        Be authentic. Your peers need original ideas in real-world scenarios, relevant examples, and knowledge transfer.
To submit your proposal go here: http://nymjcsc.org/cfp-open/

Sunday, May 21, 2017

Security Impact of Social Engineering - SECON 2017


Thursday, May 25, 2017 - 8:30 AM–5:30 PM
New Jersey City University
2039 John F. Kennedy Boulevard, Jersey City, NJ 07305

Attend a one day event sponsored by the NJ Chapter of (ISC)2, friends, and sponsoring NY/NJ/CT Metro area associations. Leaders in the industry are excited to present leading edge insights, discussion and exchange of innovative, future focused ideas and solutions to address technical and business related social engineering. Highlights include: Learning about CEO Fraud/Whaling (non-technical Social Engineering), Ransomware, Interactive Social Engineering sessions, Social Engineering Video Contest, Social Engineering Toolkits, IoT, Fraud, legal and compliance, SE perpetrated against individuals, higher education CISO panel and a CISO panel discussing impacts of SE on corporations.

For details on the Program Agenda, Speakers, and to Register for the event, please click the link here

Saturday, May 6, 2017

2016 New York Metro Joint Cyber Security Conference Update


As some of you know, I help run a one-day security conference in NYC. The event is made up of security groups in the New York Metro area.

NYMJCSC: Who We Are
The New York Metro Joint Cyber Security Conference is a collaborative event cooperatively developed, organized and sponsored by the leading information security industry organizations and chapters.
  • InfraGard (New York Metro)
  • ISACA (New York Metro, New Jersey and Greater Hartford Connecticut)
  • (ISC)2 (New Jersey)
  • ISSA (New York)
  • OWASP (New York Metro, Long Island, Brooklyn)

Driven by the collaboration between members of this coalition, the strength of organizational membership, the provision of desirable CPE credits and the concurrence of National Cyber Security Awareness Month, the NYMJCSC promises -- once again -- to be well attended by members of the information technology, information security, audit, academic, and business communities.

As part of our educational mission as a coalition of non-profit organizations, registration fees are only to cover the costs of the facility, food and refreshments.

Here are the videos from last year's talks

https://livestream.com/internetsociety/nymjcsc/videos/138075583
We are ramping up again for Oct 5, 2017 and a call for speakers will be going out shortly.


The Dark Web - DarkNet —A Threat to Your Business? 


I did a webcast for ISACA on The Dark Web, DarkNet — A Threat to Your Business?
The original talk was on Thursday, 20 April 2017; the talk was 1 hour and is good for 1 CPE.

The Dark Web is World Wide Web content that exists on darknets, overlay networks which use the public Internet but require specific anonymizing software, configurations or authorization to access. It’s a secretive place where dissidents can hide their digital tracks, where whistleblowers can reach out safely to scoop-seeking media outlets, and where you can buy PII and sensitive information. Having an integrated understanding of the DarkNet is important.
During this webinar, you will learn:
  • How the DarkNet works
  • What is Tor and how to set it up
  • How to reduce risks, search and explore the DarkNet
You can see the recording at

http://www.isaca.org/Education/Online-Learning/Pages/Webinar-The-Dark-Web-a-Threat-to-Your-Business.aspx

There is also a blog article that gives additional information. You can see the blog at