InfoSec News Nuggets – June 15, 2018

InfoSec News Nuggets
New Tesla update like being taught to drive by your dad An update to Tesla's Autopilot software earlier this month has caused headaches for drivers of its electric cars – with one user alleging he was almost driven off the road by the robotic assistant. The patch, 2018.21.9, contained a number of tweaks to address safety concerns with the Autopilot software, which Tesla trumpeted as the first step on the path to fully self-driving cars. Users, unfortunately, have often bought into the dream a little too wholeheartedly and failed to read the small print. Drivers should keep their hands on the wheel and eyes on the road – because Autopilot isn't an actual autopilot. It's more of a jumped-up cruise control at this stage. Due in part to some high-profile…
Read More

InfoSec News Nuggets – June 14, 2018

InfoSec News Nuggets
Deepfake Videos Are Getting Impossibly Good As a newly revealed video-manipulation system shows, super-realistic fake videos are improving faster than some of us thought possible. The SIGGRAPH 2018 computer graphics and design conference is scheduled for August 12 to 16 in Vancouver, British Columbia, but we’re already getting a taste of the jaw-dropping technologies that are set to go on display. Zollhöfer’s new approach uses input video to create photorealistic re-animations of portrait videos. These input videos are created by a source actor, the data from which is used to manipulate the portrait video of a target actor. So for example, anyone can serve as the source actor and have their facial expressions transferred to video of, say, Barack Obama or Vladimir Putin. Trik Spam Botnet Leaks 43 Million Email…
Read More

InfoSec News Nuggets – June 13, 2018

InfoSec News Nuggets
Apple bans mining cryptocurrency on iPhones Apple has a clear message for cryptocurrency enthusiasts: Don't mine it on our devices. It's a new rule included in the latest version of Apple's App Store policies, released last week as part of the company's annual developer conference. The ban couldn't be clearer. From section 2.4.2, "hardware compatibility," emphasis ours: Design your app to use power efficiently. Apps should not rapidly drain battery, generate excessive heat, or put unnecessary strain on device resources. Apps, including any third party advertisements displayed within them, may not run unrelated background processes, such as cryptocurrency mining. Palmer Luckey’s border control tech has already caught dozens of people During a news cycle where headline after headline covers the political, social, and emotional turmoil at the United States-Mexico border,…
Read More

InfoSec News Nuggets – June 12, 2018

InfoSec News Nuggets
Russia appears to be 'live testing' cyber attacks – Former UK spy boss Robert Hannigan Russia presents a greater threat in terms of sophistication and a greater overall danger – not least because it doesn't mind being destructive, Hannigan warned. The destructive element of attacks blamed on Russia includes NotPetya and attacks on the Ukrainian power grid. Attacks attributed back to Russia have become more sophisticated, brazen and even a little bit reckless. Russia appears to be live-testing cyberattacks – as has been speculated about the recent planting of the VPNFilter backdoor on routers – although the intent is unknown. "It's unclear if that was a mistake or an experiment," Hannigan said. "Russia seems to be live testing things in cyber, as it has been [on the ground] in Syria,…
Read More

Forensic 4:cast 2018

Uncategorized
This year, I have been nominated by the #DFIR industry for two categories of the Forensic 4:Cast awards (https://forensic4cast.com/). Please vote for Devon Ackerman as "Digital Forensic Investigator of the Year" and vote for this website, AboutDFIR.com, for "Digital Forensic Resource of the Year" for 2018. Regardless of who you cast your Forensic 4:cast 2018 votes for, please consider joining Mary Ellen and me in Austin, Texas at the SANS conference to celebrate, no matter who wins! See you there.
Read More

AMD and Intel Chipset Vulnerabilities & Exploits: March 2018 Update

Hardware
Author: ShadowSherlock Editor: Devon Ackerman UPDATE: March 2018 It seems we are nearing the end of the Spectre/Meltdown issues from a patch-availability standpoint. INTEL Microcode patches for older Intel processor generations have been released: Haswell (4th generation) and Broadwell (5th generation). The performance hit will be about 10% to 20% for real-world applications. Intel has also promised updates for the last generation of Core 2 Duo processors. Microsoft is distributing Intel's microcode updates through Windows Update, so for systems covered by that update regular Windows patching should be enough; check the KB below for the exact processor and Windows 10 release combinations it covers, because anything outside that list still needs a BIOS/UEFI firmware update from the system vendor to receive the new microcode. https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates Hardware changes to "fix" the vulnerability will first appear in the Cascade Lake processors, which will start shipping in Q3 '18. https://newsroom.intel.com/editorials/advancing-security-silicon-level/ AMD Specifically to address Spectre/Meltdown, Microsoft will also be issuing them…
Read More

Rick Kiper’s Research Project

Forensic Thoughts
A personal friend and FBI colleague of mine, Rick Kiper, has a digital forensics research project that he is currently working on. The next phase of his study is to develop a digital forensics tool typology: the goal is to identify the most important characteristics of digital forensics tools, so that an examiner can quickly assess and select a tool appropriate for a particular task, improving on existing typologies such as the NIST tool catalog. In this phase of the research, Rick is asking the community of digital forensic examiners to complete a short anonymous survey that is literally two screens long. The first section helps us whittle down the list of the most important tool characteristics, and…
Read More

Digital Forensics & CPUs

Hardware
Reprinted with permission as originally written by Mark Vogel of F.A.S.T Forensics. Kind of a book here, but there's a LOT going on in the processor market right now between Intel & AMD, so there's a ton of information and considerations between the two now. I have done a couple of Ryzen builds since the release of the Ryzen 7 CPUs earlier this year to test out. The chipsets for this platform seem to have finally matured, as the most recent BIOS updates resolved a long-ongoing issue with properly clocking faster RAM models to their factory-spec speeds of 2666MHz and higher. This is actually important for Ryzen, as the CPU does benefit more from faster memory than most Intel platforms, so running DDR4 3200 memory does…
Read More

Yandex.ru and Intrusion Investigations

Forensic Thoughts
Quite often I notice that unauthorized actors who compromise RDP access will launch a native web browser and navigate to a website such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification details. In reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js. Observing a .ru domain hit usually raises my suspicion level a bit, but I could not understand the context, because no other .ru domains normally turn up during my investigation. A little common sense and research confirmed that "metrika" is Russian for "metric" and that watch.js is the tracking script of Yandex.Metrica, a web analytics service offered to webmasters much like Google Analytics and its tracking code (https://support.google.com/analytics/answer/1032385?hl=en); a hit on it alongside a whoer.net visit is therefore consistent with that page loading the analytics beacon rather than with the intruder browsing to a second site. I…
Read More
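As an added worked example (not part of the original post, and not code from any tool the author used): the triage below runs over a constructed browser-history export whose columns are named as in Chrome's History `urls` table (`url`, `title`, `visit_count`, `last_visit_time` in WebKit microseconds since 1601-01-01 UTC). It flags visits to IP-check sites such as whoer.net, attributes a `mc.yandex.ru/metrika/watch.js` hit to a whoer.net visit when the two fall within five minutes of each other, and leaves any other Yandex hit marked as unexplained for follow-up. The site list, the five-minute window and every row in the table are assumptions of this example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Pages an intruder on a hijacked RDP session typically opens to learn the
# victim host's public IP / ISP (list is an assumption of this example).
IP_CHECK_SITES = ("whoer.net", "whatismyip.com", "ipinfo.io")
# Third-party analytics resources such pages load; a hit here is normally a
# side effect of the page above, not a second site the intruder browsed to.
TRACKER_RESOURCES = ("mc.yandex.ru/metrika/watch.js",)
# How close in time a tracker hit must be to an IP-check visit to be
# attributed to it (assumed value).
WINDOW = timedelta(minutes=5)

# Chrome stores last_visit_time as microseconds since 1601-01-01 00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(ts):
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def utc_to_webkit(dt):
    # integer floor division keeps the full microsecond precision
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip_check(url):
    h = host_of(url)
    return any(h == s or h.endswith("." + s) for s in IP_CHECK_SITES)


def is_tracker(url):
    u = urlparse(url)
    return any((u.hostname or "").lower() + u.path == r for r in TRACKER_RESOURCES)


def build_constructed_history():
    """In-memory table with the column names of Chrome's History 'urls' table.
    All rows are CONSTRUCTED sample data for this example, not case evidence."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_time INTEGER)"
    )
    t0 = datetime(2018, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    rows = [
        ("https://www.google.com/", "Google", t0 - timedelta(minutes=5)),
        ("https://whoer.net/", "Whoer", t0),
        ("https://mc.yandex.ru/metrika/watch.js", "", t0 + timedelta(seconds=2)),
        ("https://mc.yandex.ru/metrika/watch.js", "", t0 + timedelta(hours=15)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, 1, ?)",
        [(u, title, utc_to_webkit(t)) for u, title, t in rows],
    )
    return conn


def triage(conn):
    """Return findings as (kind, url, utc_iso, attributed_to_url_or_None)."""
    rows = [
        (u, webkit_to_utc(ts))
        for u, ts in conn.execute(
            "SELECT url, last_visit_time FROM urls ORDER BY last_visit_time"
        )
    ]
    ip_checks = [(u, t) for u, t in rows if is_ip_check(u)]
    findings = []
    for u, t in rows:
        if is_ip_check(u):
            findings.append(("ip_check_visit", u, t.isoformat(), None))
        elif is_tracker(u):
            # attribute the beacon to the nearest IP-check visit inside WINDOW
            parent = next((pu for pu, pt in ip_checks if abs(t - pt) <= WINDOW), None)
            kind = "tracker_from_ip_check_page" if parent else "tracker_unexplained"
            findings.append((kind, u, t.isoformat(), parent))
    return findings


if __name__ == "__main__":
    for finding in triage(build_constructed_history()):
        print(finding)
```

Against a real case the same `triage()` can be pointed at a copy of the Chrome `History` file (`sqlite3.connect("History")`) after the file has been copied out of the image; the `tracker_unexplained` bucket is the one worth a closer look, since a Yandex beacon with no IP-check page nearby is no longer explained by whoer.net.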

Petya Ransomware Recap

Malware, Ransomware
Twitter, news media, and malware researchers were busy over the past 30 hours as news spread of a ransomware variant, identified as Petya (NotPetya), that was using the ETERNALBLUE exploit to propagate much as WannaCry ransomware had back in May 2017. While variants of Petya have been seen for a few months and share code with the Petrwrap and GoldenEye/Mischa ransomware strains, this fast-spreading variant differed from WannaCry in that it did not merely encrypt files selected by extension but also attacked the Master File Table (MFT) of the infected system. Petya overwrites the Master Boot Record (MBR) with its own boot code and forces a reboot; on restart that boot code encrypts the MFT behind a fake CHKDSK screen, after which a static ransom message is displayed against a black backdrop starting…
Read More
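An added example, not code from the original post or from any referenced analysis: a small MBR triage for a raw disk image. It parses sector 0, checks the 0x55AA signature and the partition table, compares the bootstrap code against analyst-supplied known-good hashes (the signature alone proves nothing, because a replaced bootloader normally keeps both the signature and the partition table intact), and, when the bootstrap is unknown, tries to recover an XOR-encoded copy of the original MBR from a given sector. The image, the clean and attacker boot-code bytes and the baseline hash are all constructed for this example; the default of sector 34 with key 0x07 follows what public analyses reported for NotPetya and is a parameter that must be confirmed against the actual sample.

```python
import hashlib
import struct

SECTOR = 512


def parse_mbr(sector0):
    """Split a 512-byte MBR into bootstrap code, the four partition entries and
    the 0x55AA boot signature (classic MBR layout; GPT protective MBRs are not
    handled specially)."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, nsectors = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * i
        )
        entries.append(
            {"bootable": status == 0x80, "type": ptype,
             "lba_start": lba_start, "sectors": nsectors}
        )
    return {
        "boot_code": bytes(sector0[:446]),
        "partitions": entries,
        "signature_ok": bytes(sector0[510:512]) == b"\x55\xaa",
    }


def looks_sane(mbr):
    """Signature present and every used partition entry has a non-zero start
    and length. A replaced bootloader usually keeps both intact, so this only
    rules out garbage; it does not prove the boot code is genuine."""
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    return mbr["signature_ok"] and bool(used) and all(
        p["lba_start"] > 0 and p["sectors"] > 0 for p in used
    )


def boot_code_hash(mbr):
    return hashlib.sha256(mbr["boot_code"]).hexdigest()


def recover_xored_mbr(image, sector_index, xor_key):
    """XOR one sector of the raw image with a one-byte key and return it if the
    result parses as a plausible MBR. Sector index and key are parameters:
    they are family- and sample-specific (the values reported publicly for
    NotPetya are sector 34 / 0x07, which the caller must confirm)."""
    off = sector_index * SECTOR
    raw = image[off:off + SECTOR]
    if len(raw) != SECTOR:
        return None
    candidate = bytes(b ^ xor_key for b in raw)
    return candidate if looks_sane(parse_mbr(candidate)) else None


def triage_image(image, known_good_hashes, suspect_sector=34, xor_key=0x07):
    """Compare sector 0 against analyst-supplied baseline hashes taken from
    clean systems of the same Windows build; if unknown, attempt recovery."""
    mbr = parse_mbr(image[:SECTOR])
    digest = boot_code_hash(mbr)
    result = {
        "signature_ok": mbr["signature_ok"],
        "partition_table_sane": looks_sane(mbr),
        "boot_code_sha256": digest,
        "boot_code_known_good": digest in known_good_hashes,
        "recovered_original": None,
    }
    if not result["boot_code_known_good"]:
        result["recovered_original"] = recover_xored_mbr(image, suspect_sector, xor_key)
    return result


def build_constructed_image():
    """CONSTRUCTED sample, not a real disk: 40 sectors in which sector 0 holds
    attacker boot code over an intact partition table, and sector 34 holds the
    original MBR XOR-encoded with 0x07. Returns (image, original_clean_mbr)."""
    clean_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439   # 446 bytes
    evil_code = b"\xfa\x66\x31\xc0" + b"\xcc" * 442                # 446 bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    table = entry + b"\x00" * 48                                   # 3 empty entries
    clean_mbr = clean_code + table + b"\x55\xaa"
    evil_mbr = evil_code + table + b"\x55\xaa"
    image = bytearray(SECTOR * 40)
    image[0:SECTOR] = evil_mbr
    image[34 * SECTOR:35 * SECTOR] = bytes(b ^ 0x07 for b in clean_mbr)
    return bytes(image), clean_mbr


if __name__ == "__main__":
    image, clean_mbr = build_constructed_image()
    baseline = {boot_code_hash(parse_mbr(clean_mbr))}
    for k, v in triage_image(image, baseline).items():
        print(k, v if not isinstance(v, bytes) else f"{len(v)} bytes recovered")
```

On a real image, pass the bytes read from the start of the raw device or E01-exported image to `triage_image()`, with baseline hashes taken from known-clean machines of the same Windows build. A recovered sector is only a candidate: it should be verified by hand before it is written back to a working copy, and never to original evidence.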