InfoSec News Nuggets – Feb 13, 2019

Microsoft States Windows Update DNS Issues are Finally Fixed Starting in late January, Windows 10 users began reporting that when they tried to perform an update, Windows would state that it could not connect to the Windows Update service. At the time, Microsoft did not disclose the cause of the issue, but as users could fix the problem by changing their DNS servers, it was widely thought to be a…

InfoSec News Nuggets – February 12, 2019

Facebook 'youth team' to focus on Messenger Kids app for under-13s Facebook is restructuring its “youth team” with a greater focus on Messenger Kids, its instant-messaging app for under-13s, reports say. The team, a small group within the company responsible for getting children to use the social network, had previously been working on an experimental new feature called LOL, described by industry news site TechCrunch as a “cringey teen meme hub”. With categories such as…

InfoSec News Nuggets – February 11, 2019

Foreign VPN apps need a close look from DHS, senators say The Department of Homeland Security should assess the security threat posed by foreign VPN applications to U.S. government employees, a bipartisan pair of senators says. Some popular VPN apps send a phone’s web-browsing data to servers in countries interested in targeting federal personnel, raising “the risk that user data will be surveilled by those foreign governments,” Sens. Marco Rubio, R-Fla., and Ron Wyden, D-Ore.,…

InfoSec News Nuggets – February 6, 2019

Crooks Continue to Exploit GoDaddy Hole Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal. On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion…

Catching Up

I took some time this weekend to catch up a bit with AboutDFIR and add some of the content I've been too busy to share. I've got tons more, so that will be coming as time allows. I know Devon has stated it, but I'll reiterate, the links that we add often have context and so I've decided to take a few minutes to add some backstory around the new additions I've made this weekend. First,…

AboutDFIR.com updates across the board

Tons of updates across the website this weekend to include the new Tools section: Tools & Artifacts - Android, Tools & Artifacts - File Systems, and Tools & Artifacts - Windows. In addition, the existing Conferences page received a big update with the addition of CFP information.

Forensic Tools

Forensic tools, whether software or hardware, are just like traditional forensic science tools - they are designed by humans and typically meant to be used by trained users who understand both the artifacts they are processing as well as the results produced by the tool. Some tools are as simple as a USB write blocker - you plug one end into a computer, you plug a USB device into the other end, and it "just…

Episode 886: The Price Of A Hack

"The Price of a Hack" w/Chris DiIenno of Mullen Coughlin LLC law firm, experts in legal advice following or during a cyber security event, along w/Dina Temple-Raston of NPR. This piece was born out of a prior Kroll Cyber Risk digital forensics and incident response-related investigation, directed by legal counsel, to assist a client that was preyed upon via a Business Email Compromise-oriented targeting scheme. NPR Planet Money - Episode 886 "The Price Of A…

Android Nougat Image Available to the DFIR Community

Joshua Hickman has created, for the DFIR community, an image of Android 7.x (Nougat) populated with apps and test data for a wide range of usage - everything from testing tools to training to teaching. It was created using a stock Android image from Google. Several popular applications (apps) were populated with user data utilizing the capabilities of each individual app. The stock Android apps were also populated with user data. An LG Nexus 5x,…

InfoSec News Nuggets – January 2, 2019

Newspapers report suspected malware attack Staffers at some of America's best-known newspapers are wondering whether their systems were the victim of a foreign cyberattack. Several papers, including the Los Angeles Times and The San Diego Union-Tribune, suffered printing and distribution delays as a result of the incident. Some reporters chuckled at the irony of a digital bug interrupting printed papers. But there is also real concern about the effectiveness of the attack. Tribune Publishing said…

Threat Hunting for Non-Threat Hunters

Posted by MIKE ART REBULTAN at https://www.peerlyst.com/posts/threat-hunting-for-non-hunters-mike-art-rebultan-mit-ceh-ecsa. Threat hunting is a proactive task with an assumption that your organization has already been breached and you wanted to beat the average “dwell time” of 256 days; at least for me as a DFIR practitioner. And this is usually done with the help of different tools that we call “arsenals”; SIEM (security information and event management) and EDR (endpoint detection and response) mostly. However, security is not…

InfoSec News Nuggets – December 10, 2018

Amazon robot sets off bear repellant, putting 24 workers in hospital Twenty-four employees at an Amazon warehouse in New Jersey were taken to hospital after a robot accidentally punctured a can of bear repellant. The 255g can containing concentrated capsaicin, a compound in chilli peppers, was punctured by an automated machine after it fell off a shelf, according to local media. The incident happened on Wednesday at a warehouse in Robbinsville, New Jersey, on the outskirts…

InfoSec News Nuggets – 11/27/2018

City of Valdez, Alaska admits to paying off ransomware infection Officials from the city of Valdez, Alaska have admitted last week to paying $26,623.97 to hackers after the city's IT network was crippled by a ransomware infection in July. "Valdez Police Department[...] reached out through our law enforcement channels for assistance with addressing the ransom demand," said Bart Hinkle, Valdez police chief and operations section chief for the cyber incident response, in a press release…

InfoSec News Nuggets – November 20, 2018

Inside the Messy, Dark Side of Nintendo Switch Piracy The source of the leak had no chance of being traced. Someone, perhaps a professional games reviewer, had just helped dump a copy of Diablo III, a hotly anticipated Nintendo Switch game at least several days before its official launch date. The source had used a middleman who ultimately released the game for pirates to distribute among themselves. This approach of disguising the original source of…

Office 365 DFIR

A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. This presentation will walk through the numerous forensic, incident response, and evidentiary aspects of Office 365. The presentation is based on two years’ worth of collection of forensics and incident response data in Microsoft’s Office…

InfoSec News Nuggets – October 11, 2018

Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a…

InfoSec News Nuggets – October 1, 2018

Facebook Security Breach Exposes Accounts of 50 Million Users Facebook, already facing scrutiny over how it handles the private information of its users, said on Friday that an attack on its computer network had exposed the personal information of nearly 50 million users. The breach, which was discovered this week, was the largest in the company’s 14-year history. The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take…

InfoSec News Nuggets – September 26, 2018

Beware of Hurricane Florence Relief Scams If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent. For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include…

InfoSec News Nuggets – September 25, 2018

Credit Freezes are Free: Let the Ice Age Begin A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any…

InfoSec News Nuggets – September 24, 2018

Google responds to lawmaker concerns over Gmail scanning In July, Senators John Thune (R-SD), Roger Wicker (R-MS) and Jerry Moran (R-KS) sent Google a letter that sought information on Google's practice of allowing third-party app developers access to its users' emails. While Google stopped scanning Gmail messages for ad-targeting purposes earlier this year, it still offers access to others if users give their consent. Now, Google has replied to the lawmakers' letter. In it, Susan…

InfoSec News Nuggets – September 11, 2018

US government releases post-mortem report on Equifax hack The Government Accountability Office (GAO) has published a report to detail how the Equifax hack went down and how the credit reporting company answered during and after the incident. The report comes a day before the one-year anniversary of the public announcement of the Equifax breach that exposed the personal details of 145.5 million Americans, but also of millions of British and Canadian citizens. Some of the…

InfoSec News Nuggets – September 10, 2018

How US authorities tracked down the North Korean hacker behind WannaCry The DOJ indictment, one of the largest of its kind in regards to the number of pages, lists a vast array of email addresses used to register domain names and buy hosting services used in all the hacks. It also includes IP addresses used to access malware command and control (C&C) servers, social media accounts, and hacked servers that hosted malware used in the…

InfoSec News Nuggets – September 5, 2018

Twitter testing new feature that reveals when you’re online The feature, revealed in a post from Twitter’s director of product management and shared more widely by Twitter CEO Jack Dorsey, reveals that the site is toying with the idea of displaying a green dot next to active, online users. What isn’t entirely clear, however, is whether Twitter plans to make the feature opt-in or opt-out when/if it eventually rolls out to the great unwashed masses.…

InfoSec News Nuggets – September 4, 2018

Bitfi finally gives up claim cryptocurrency wallet is unhackable Earlier this month, McAfee said that "maybe calling it [Bitfi] unhackable was unwise." The slew of attacks and vulnerability reports has now forced the company to backtrack on its previous claims. On Twitter, the company posted a statement which said the company had hired external help in the form of a "Security Manager" who is "confirming vulnerabilities that have been identified by researchers." "Effective immediately, we…

InfoSec News Nuggets – August 30, 2018

Voting machine maker claims vote machine hack-fests a 'green light' for foreign hackers Voting machine maker ES&S says it did not cooperate with the Voting Village at hacking conference DEF CON because it worried the event posed a national security risk. This is according to a letter the biz sent to four US senators in response to inquiries about why the manufacturer was dismissive of the show's village and its warnings of wobbly security in…

InfoSec News Nuggets – August 27, 2018

New facial recognition tech catches first impostor at D.C. airport Facial recognition technology caught an impostor trying to enter the U.S. on a fake passport that may have passed at face value with humans, federal officials said Thursday. And the groundbreaking arrest came on just the third day the biometric technology has been used at Washington Dulles International Airport. The 26-year-old man arrived Wednesday on a flight from Sao Paulo, Brazil, and presented a French…

InfoSec News Nuggets – August 22, 2018

Kaspersky Ban Draws Few Public Comments How concerned are government and industry about a new law requiring federal agencies and contractors to rid themselves of any trace of Kaspersky anti-virus software? Not very concerned, by the looks of two calls for public comments on implementing the law, which responds to intelligence community concerns that the Russian company’s software could be used as a Kremlin spying tool. The main call for comments on a joint rule…

InfoSec News Nuggets – August 21, 2018

Google: To be clear, this is how we track you even with Location History turned off Google has updated its help page about turning Location History on or off to more accurately reflect that it actually does sometimes store the places you go even with the setting toggled to off. Though Google originally said its help page was clear and correct, the updated page now clarifies that turning off the setting can still allow location…

InfoSec News Nuggets – August 9, 2018

EXTORTIONISTS INCREASINGLY USING RECIPIENTS' PERSONAL INFORMATION TO INTIMIDATE VICTIMS The Internet Crime Complaint Center (IC3) has recently received an increase in reports about extortion attempts received via e-mail and postal mail and using specific user information to add authenticity. While there are many variations in these extortion attempts, they often share certain commonalties. Extortion attempts vary widely, but there are a few common indicators of the scam. The following list of commonalities is not exhaustive,…

InfoSec News Nuggets – August 8, 2018

Ex-Tesla Worker Accused of Hacking Seeks $1M in Counterclaim A former Tesla Inc. employee at the electric car maker's battery plant in Nevada is seeking at least $1 million in defamation damages after it accused him of sabotage, hacking into computers and stealing confidential information leaked to the media. Lawyers for Martin Tripp filed a counterclaim in federal court this week alleging any damages Tesla incurred were caused or contributed to by Tesla's "own negligence,…

InfoSec News Nuggets – August 6, 2018

Pence Calls on Senate to Create New Cyber Agency at DHS Vice President Mike Pence told the DHS Cybersecurity Summit in New York on Tuesday that “this critical issue requires more than new funding.” “America also needs a central hub for cybersecurity,” he said. “And today we call on the United States Senate to follow the lead of the House of Representatives and, before the end of this year, enact legislation to create a new…

InfoSec News Nuggets – August 1, 2018

Steam game Abstractism pulled after cryptomining accusations Valve has pulled a game from its online Steam store after allegations were made that it was exploiting players’ computer resources to mine for cryptocurrency. Warning bells rang for players of the game, a simple and minimalist platformer called “Abstractism”, because it was consuming so much processing power from their CPUs and GPUs. When you see the very-basic game in action, it’s hard to believe that it could…

InfoSec News Nugget – July 24, 2018

Canada tackles malicious online advertising On July 11, 2018, the Canadian Radio-television and Telecommunications Commission (CRTC) imposed sanctions against the installation of malicious software through online advertising for the first time in its history. This decision was taken under the provisions of the Canadian Anti-Spam Legislation (CASL), which came into effect on July 1, 2014. The federal agency issued Notices of Violation to Datablocks and Sunlight Media, for allegedly facilitating the installation of malware through…

InfoSec News Nuggets – July 16, 2018

Engineer Found Guilty of Stealing Navy Secrets via Dropbox Account A jury trial found a former engineer at a Navy contractor guilty of stealing trade secrets regarding Navy projects by uploading the files to his personal Dropbox account. The man, Jared Dylan Sparks, 35, of Ardmore, Oklahoma, worked as an electrical engineer for LBI, Inc., a company authorized to build unmanned underwater vehicles (drones) for the US Navy's Office of Naval Research, and weather data-gathering…

InfoSec News Nuggets – July 12, 2018

Russian company had access to Facebook user data through apps A Russian internet company with links to the Kremlin was among the firms to which Facebook gave an extension which allowed them to collect data on unknowing users of the social network after a policy change supposedly stopped such collection. Facebook told CNN on Tuesday that apps developed by the Russian technology conglomerate Mail.Ru Group, were being looked at as part of the company's wider…

InfoSec News Nuggets – July 2, 2018

A massive cache of law enforcement personnel data has leaked A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned. The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law…

InfoSec News Nuggets – June 28, 2018

Cyber Researchers Don’t Think Feds or Congress Can Protect Against Cyberattacks The federal government doesn’t understand cybersecurity and won’t be able to respond to a digital disaster such as a destructive hack aimed at the energy or financial sector, according to a survey of cybersecurity researchers released Tuesday. Only 13 percent of researchers “believe that Congress and the White House understand cyber threats and will take steps for future defenses,” according to the poll of…

InfoSec News Nuggets – June 27, 2018

FireEye Denies Hacking Back Against Chinese Cyberspies In his latest book, New York Times correspondent David Sanger describes how cybersecurity firm Mandiant hacked into the devices of Chinese cyberspies during its investigation into the threat group known as APT1. Mandiant, now owned by FireEye, published its famous report on APT1 back in 2013 when it was led by CEO Kevin Mandia. The company at the time released information apparently showing that the Chinese military had…

InfoSec News Nuggets – June 26, 2018

Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure Google announced today a better model to improve biometric security, which will be available from Android P, allowing mobile app developers to integrate an enhanced mechanism within their apps to keep users’ data safe. Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure accuracy and precision of the user's input.…

InfoSec News Nuggets – June 25, 2018

NEW PHISHING SCAM REELS IN NETFLIX USERS TO TLS-CERTIFIED SITES Researchers are warning of a new Netflix phishing scam that leads victims to sites with valid Transport Layer Security (TLS) certificates. Johannes Ullrich, dean of research at the SANS Technology Institute, said Wednesday that there’s been an uptick in Netflix phishing mails using TLS-certified sites. The bad actors behind the attacks will take advantage of unpatched installs or plugins, or weak passwords, to compromise usual-suspect…

InfoSec News Nuggets – June 22, 2018

Senate to review fusion center plan to deter Russian cyberattacks Members of the Senate Intelligence Committee said Wednesday they would consider plans offered by an Obama administration official to fight back against Russian aggression in cyberspace. Victoria Nuland, a former U.S. ambassador to NATO, told lawmakers that it would be pragmatic for the country to consider a new “fusion center” to deter foreign election meddling similar to what occurred in 2016. The approach Nuland described…

InfoSec News Nuggets – June 21, 2018

IBM Warns That Spammers Once Again Taking Aim at FIFA World Cup Among the most popular sporting events in the world is the 2018 FIFA World Cup, which runs from June 14 to July 15 in Russia. The popularity of the World Cup has long been a magnet for spammers and so far the 2018 event is no exception. IBM's X-Force has been tracking the FIFA World Cup 2018 and has already seen multiple types…

InfoSec News Nuggets – June 20, 2018

Can a new DISA app help solve the security clearance dilemma? The federal government faces a substantial security clearance backlog, so the Defense Information Systems Agency has announced a potential solution. An electronic application, eApp, will be used to submit background security clearance investigation forms. The application debuted at the Armed Forces Communications and Electronics Association Defensive Cyber Operations Symposium in Baltimore in May. DISA’s eApp is designed to replace and improve upon the current…

InfoSec News Nuggets – June 19, 2018

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to Wojciech Reguła and Patrick Wardle, two macOS security experts. The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the…

InfoSec News Nuggets – June 18, 2018

23,000 Individuals Affected in HealthEquity Breach A company that handles millions of health savings accounts (HSAs) has suffered a data breach in which the information of 23,000 was compromised. On 11 April, the email account of a HealthEquity employee was accessed by an unauthorized person. Two days later, the malicious activity was discovered, at which point the Utah-based firm – a custodian of more than 3.4 million HSAs – expunged the mailbox and contacted a…

InfoSec News Nuggets – June 15, 2018

New Tesla update like being taught to drive by your dad An update to Tesla's Autopilot software earlier this month has caused headaches for drivers of its electric cars – with one user alleging he was almost driven off the road by the robotic assistant. The patch, 2018.21.9, contained a number of tweaks to address safety concerns with the Autopilot software, which Tesla trumpeted as the first step on the path to fully self-driving cars.…

InfoSec News Nuggets – June 14, 2018

Deepfake Videos Are Getting Impossibly Good As a newly revealed video-manipulation system shows, super-realistic fake videos are improving faster than some of us thought possible. The SIGGRAPH 2018 computer graphics and design conference is scheduled for August 12 to 16 in Vancouver, British Columbia, but we’re already getting a taste of the jaw-dropping technologies that are set to go on display. Zollhöfer’s new approach uses input video to create photorealistic re-animations of portrait videos. These…

InfoSec News Nuggets – June 13, 2018

Apple bans mining cryptocurrency on iPhones Apple has a clear message for cryptocurrency enthusiasts: Don't mine it on our devices. It's a new rule included in the latest version of Apple's App Store policies, released last week as part of the company's annual developer conference. The ban couldn't be clearer. From section 2.4.2, "hardware compatibility," emphasis ours: Design your app to use power efficiently. Apps should not rapidly drain battery, generate excessive heat, or put…

Infosec News Nuggets – June 12, 2018

Russia appears to be 'live testing' cyber attacks – Former UK spy boss Robert Hannigan Russia presents a greater threat in terms of sophistication and a greater overall danger – not least because it doesn't mind being destructive, Hannigan warned. The destructive element of attacks blamed on Russia includes NotPetya and attacks on the Ukrainian power grid. Attacks attributed back to Russia have become more sophisticated, brazen and even a little bit reckless. Russia appears…