Tuesday, September 26, 2017

Anti-forensics Thought: Recovery Partition

I was just listening to a speaker talk about disk forensics. He mentioned how we can just skip over the "recovery partition" on the disk we're examining since, "That's not usually interesting to us."

Hmmmmmmmmmmmm....... Got me thinking.

I wonder if any bad guys have ever tried using that partition as a place to hide bad things?

A quick Google search reveals little speculation or discussion on the topic.
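One way a forensic tool could make sure a recovery partition is not silently skipped: enumerate the GPT of a disk image and flag any entry carrying the Windows Recovery Environment partition type so it gets imaged and hashed like everything else. This is an added illustration, not code from the post; the type GUIDs are the standard published values (assumed correct here), the sample image is constructed in memory, and CRC fields are not validated.

```python
import struct
import uuid

SECTOR = 512
# Standard GPT partition type GUIDs (assumed values; check against your own reference).
WINDOWS_RE_GUID = uuid.UUID("DE94BBA4-06D1-4D40-A16A-BFD50179D6AC")
BASIC_DATA_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")

def parse_gpt(image: bytes):
    """Return every in-use partition entry from the primary GPT (header at LBA 1)."""
    hdr = image[SECTOR:SECTOR + 92]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    # Header offset 72: partition-entry array LBA, entry count, entry size.
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(count):
        off = entries_lba * SECTOR + i * entry_size
        ent = image[off:off + entry_size]
        type_guid = uuid.UUID(bytes_le=ent[0:16])   # GPT stores GUIDs mixed-endian
        if type_guid.int == 0:
            continue                                # unused slot
        first, last = struct.unpack_from("<QQ", ent, 32)
        name = ent[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append({"type": type_guid, "first_lba": first, "last_lba": last, "name": name})
    return parts

def recovery_partitions(parts):
    """Entries an examiner might be tempted to skip; they should be imaged and hashed too."""
    return [p for p in parts if p["type"] == WINDOWS_RE_GUID]

def partition_bytes(image: bytes, part) -> bytes:
    """Raw bytes of one partition, ready to hash or carve."""
    return image[part["first_lba"] * SECTOR:(part["last_lba"] + 1) * SECTOR]

def build_sample_image() -> bytes:
    """Constructed 1 MiB image: a basic data partition followed by a recovery partition."""
    def entry(type_guid, first, last, name):
        return (type_guid.bytes_le + uuid.UUID(int=1).bytes_le
                + struct.pack("<QQQ", first, last, 0)
                + name.encode("utf-16-le").ljust(72, b"\x00"))
    entries = entry(BASIC_DATA_GUID, 34, 1023, "Windows") + entry(WINDOWS_RE_GUID, 1024, 2047, "Recovery")
    hdr = (b"EFI PART" + struct.pack("<IIII", 0x00010000, 92, 0, 0)       # revision, size, crc, reserved
           + struct.pack("<QQQQ", 1, 2047, 34, 2014) + uuid.UUID(int=2).bytes_le
           + struct.pack("<QII", 2, 2, 128) + struct.pack("<I", 0))        # entries at LBA 2
    image = bytearray(SECTOR * 2048)
    image[SECTOR:SECTOR + len(hdr)] = hdr
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    return bytes(image)
```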

Tuesday, January 31, 2017

Weekly Infosec News Brief

New Version of Shamoon 2 PC-Destroying Malware Used in Attacks on Organizations in Saudi Arabia
The Shamoon malware family has been seen in the past in attacks on Saudi Aramco, and a variant was used in the attack on Sony Pictures in 2014. This malware is very unusual in that it is designed to attack an infected PC and to destroy not just the data on the PC but also the hard drive itself, rendering the PC essentially unusable by destroying the master boot record. Ransomware has also been repurposed to similar effect recently, simply to render data inaccessible rather than demanding a ransom. These incidents highlight the differing tactics that can be used by attackers with different purposes or goals, and the need to ensure that organizational data is securely backed up on systems otherwise inaccessible from the main network.
http://www.reuters.com/article/us-saudi-cyber-idUSKBN1571ZR
https://www.infosecurity-magazine.com/news/saudi-arabia-issues-shamoon-2-alert/

Gmail to Start Blocking Javascript Attachments
In the ongoing cat-and-mouse game of malware, JavaScript files have become a popular method of delivering malware attachments in emails, mostly because they are executed by default on common computing platforms and are not blocked by many email systems. The notice states that .js files will be blocked whether attached on their own or inside of a zip file. What file extensions are blocked by your email system? What else are you doing to prevent the accidental execution of undesirable files?
http://computerworld.com/article/3161898/security/gmail-will-block-javascript-attachments-a-common-source-of-malware.html
New York Times and BBC Twitter Accounts Hijacked to Tweet "Fake News"
Last week Twitter accounts belonging to the NY Times and BBC were taken over by hackers and used to tweet false news stories. The group apparently responsible is known as OurMine and has previously taken over the accounts of many prominent figures and organizations, including Twitter's own CEO Jack Dorsey. What would be the fallout if your organization's Twitter account were abused in this way? How does your organization control access to corporate Twitter, Facebook, etc., accounts? Tight tracking of who has access is recommended, along with the strict requirement to use multi-factor authentication on all social media accounts.
https://www.infosecurity-magazine.com/news/ourmine-hacks-new-york-times-to/
http://www.huffingtonpost.co.uk/entry/bbc-northampton-twitter-account-donald-trump_uk_588340fae4b0f94bb303e768
Mozilla Issues New Firefox Version to Fix 33 Security Issues, Five of Them Critical
Last week Mozilla released a new version of the Firefox browser, Firefox 51. The update fixes five critical vulnerabilities (as well as some lesser issues), all of which could possibly enable an attacker to trigger code execution via a vulnerable browser. Three of the issues are memory corruption issues which could cause a crash and subsequent execution of attacker-provided code. If you support Firefox in your environment, it is vital to ensure that all installations are updated. Anchor recommends employing the enterprise browser management features of Firefox to ensure your organization can keep Firefox up to date and enforce configuration settings.
https://www.scmagazine.com/mozilla-issues-five-critical-patches-for-firefox-and-firefox-esr/article/633852/

WebEx Browser Plugin Vulnerability Found; Cisco Rolling Out Patches
A very dangerous vulnerability was disclosed last week in Cisco's WebEx browser extension. The vulnerability allows any website to run arbitrary code on a machine with the vulnerable extension installed, if it can get the user to visit the malicious site (typically via spearphishing, etc.). Cisco has an updated extension for Chrome available, and is working on updated extensions for IE, Firefox, etc. This is a VERY widely installed browser extension used to enable interactive videoconferencing from your desktop or laptop, so most organizations probably have it installed on a large share of their workstations. Anchor recommends ensuring that the update for Chrome is installed and blocking the WebEx plugin on unpatched workstations. The larger question raised by this issue is: are you monitoring not just the browsers installed in your organization, but also the plugins, extensions, apps, and other add-ons enabled in modern browsers? Do you have the ability to block the use of insecure browser plugins/extensions?
https://arstechnica.com/security/2017/01/ciscos-webex-chrome-plugin-opens-20-million-users-to-drive-by-attacks/
http://www.csoonline.com/article/3162349/security/cisco-starts-patching-critical-flaw-in-webex-browser-extension.html