- How To: Mitigating Web Session Replay Information Leakage

  Background

  There has been a lot of talk in the news lately about security issues surrounding web-based session replay. The issue is a simple one: many popular websites are now running scripts that record every keystroke and every mouse movement, allowing them to replay your entire visit to their website, as though they’re looking over your shoulder. However, that data’s being collected and retained by third parties, not the websites themselves. …
- How To: Mitigating The New Intel Management Engine Vulnerability

  Background

  On November 20, 2017, Intel published INTEL-SA-00086, a security advisory detailing local and remote exploits in the Intel Management Engine. The Intel Management Engine (ME) has three vulnerable modules in this advisory:

  - The Active Management (AMT) module
  - The Trusted Execution Engine (TXE) module
  - The Server Platform Services (SPS) module

  The only module of the three that can be exploited remotely is the AMT module. Interestingly, this same module was the subject of a May 1, 2017 advisory for INTEL-SA-00075 as well. …
- One Second Analysis Followup: Credentials Posted to Pastebin

  As a followup to last week’s post regarding the number of stolen account credentials that show up on Pastebin daily, I’ve collected enough data to get a more accurate picture of the posting rate. As a reminder, here was the first day’s data:

  - Start time: 20171113 2100UTC
  - Credentials parsed to date: 792,488
  - Clean (unproblematic) credentials: 734,807
  - Unique clean credentials: 475,653

  Credentials parsed to date: I’ve had a homebrew pastebin scraper analyzing new pastes, watching for email addresses, for a while now. …
- How To: Building A Dark Web Scraper

  In a previous post, I demonstrated a way to run Linux command-line tools through Tor. Let’s take it a step further, and come up with a way to scrape sites on the dark web. This will allow us to hunt for mentions of various pieces of information we may want to be alerted to, such as the presence of company names, email addresses, etc. We’re going to need some code. Let’s start with importing all the modules we’ll need, and grabbing a URL from the command line: …
- How To: Get Started In Cybersecurity

  Cybersecurity is a broad field that encompasses many disciplines. So broad, in fact, that no one person can master everything. Where do you start?

  Where to start

  First and foremost, you’ll need a solid understanding of computer and network fundamentals. However, even that is a multi-faceted statement. You’ll need to understand the various components of a computer, and how they all work together at a low level: how the CPU, memory, storage, peripherals, and network connectivity all function as an interconnected whole. …
- How To: Using Tor From The Command Line

  If you’re going to be doing work in the “dark web”, it’ll be useful to understand how to quickly and easily run commands via Tor. First, assuming you’re using Linux, install Tor:

      sudo apt install tor

  Next, edit /etc/tor/torrc:

      sudo vi /etc/tor/torrc

  Find the line containing the following:

      #ControlPort 9051

  …and uncomment it. Next, find the following line:

      #CookieAuthentication 1

  Uncomment it, and change 1 to 0. Finally, restart the tor service: …
- Amazon AWS Insecure S3 Buckets Redux

  In a previous post, I discussed the problems with insecure Amazon AWS S3 buckets, and introduced a simple Python program to hunt for them. Since that time about two months ago, there have been numerous other breaches, including DoD’s CENTCOM and its social media spying program OUTPOST. So, I’ve updated the code in the Github repository above to do slightly more thorough scanning, including patterns matching the bucket names used in recent breaches. …
- DIY Threat Intel: Mining Spam For Malware

  If you use email, you already have a wonderful resource available to you for doing some quick and dirty threat intelligence work: your spam folder. Every day, people receive anywhere from dozens to hundreds of spam emails, ranging from plain vanilla unsolicited emails, to unwanted content, to phishing attempts and malware. There’s a wealth of information to be mined from your spam folder. Right now, we’ll focus on extracting URLs and attachments from your spam emails and automatically analyzing them. …
- One Second Analysis: Credentials Posted to Pastebin

  Super-quick analysis of account credentials (username/password pairs, in various forms) posted to Pastebin over roughly a day:

  - Start time: 20171113 2100UTC
  - Credentials parsed to date: 792,488
  - Clean (unproblematic) credentials: 734,807
  - Unique clean credentials: 475,653

  Credentials parsed to date: I’ve had a homebrew pastebin scraper analyzing new pastes, watching for email addresses, for a while now. This is where the number of credentials extracted stood as of Start time.

  Clean (unproblematic) credentials: I wrote a somewhat lazy parser that attempts to help me identify patterns in the extracted paste bodies so I can more effectively grab credentials pasted in a variety of formats. …
- DIY Threat Intel: Building A Pastebin Scraper

  There are many things to be found on Pastebin, as demonstrated by Jordan Wright’s dumpmon (on Twitter as @dumpmon). Things like:

  - Private SSH keys
  - Login credentials for various services and devices
  - Database dumps
  - Lists of compromised systems
  - Lists of compromised accounts

  Lots of threat intelligence services offer to monitor the “dark web” for you, to watch for any mention of your credentials and/or intellectual property. Almost invariably, one component of these services is monitoring Pastebin and similar paste sites. …