DFI News

Blogs


Mandiant Exposes APT1

February 19, 2013 7:00 pm | Comments

The Mandiant Intelligence Center released an unprecedented report exposing APT1's multi-year, enterprise-scale computer espionage campaign. APT1 is one of dozens of threat groups Mandiant tracks around the world and we consider it to be one of the most prolific in terms of the sheer quantity of information it has stolen.  ...

Links for Toolz

February 18, 2013 7:00 pm | Comments

The Linkz for various tools have been piling up in the hopper. For some too much time has passed and others have already done an adequate job talking about them. In this long overdue Linkz post I’m trying to touch on a few links and tools people may not be too familiar with. Just read the headings to get a feel for whether any of the linkz apply to the work you do.  ...

Threat Analysis: Understanding the Basics

February 18, 2013 7:00 pm | Comments

It is becoming more and more apparent that Incident Responders cannot rely on static evidence (i.e. strings) to drive their investigation. Today answering the big question “Is it malware?” isn’t enough. Gone are the days of “Virus?! Did you remove it?!” as we welcome in an era of “Virus?! What kind? What does it do? What machines are infected? What was stolen? Who wrote it? Where did it come from? How...

Using a Custom VDB Debugger for Exploit Analysis

February 14, 2013 7:00 pm | Comments

Analyzing an exploit and understanding exactly how the exploit lands can take a long time due to inadequate analysis tools. One way to speed up understanding how an exploit behaves is to use Vtrace and VDB. In this post I explain how to create a custom VDB debugger in order to detect, analyze and prevent execution of an exploit payload.  ...

Exploit Sat on LA Times Website for 6 Weeks

February 14, 2013 7:00 pm | Comments

The Los Angeles Times has scrubbed its website of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks. On Feb. 7, KrebsOnSecurity heard from two different readers that a subdomain of the LA Times’ news site (offersanddeals.latimes.com) was silently redirecting visitors to a third-party website retrofitted with the Blackhole exploit kit. I promptly asked my...

Siri Forensics

February 13, 2013 7:00 pm | Comments

Well, the first few weeks of this project aren't going as well as planned – but, does it ever? At least I get to play with an iPhone 5. That is the only iOS device I have been using in this project so far. I started by doing everything that Siri can do at least once, everything from setting reminders to searching the web for things. I also did a few web searches in the web browser because I was really hoping I could tell what search...

NoMoreXOR

February 13, 2013 7:00 pm | Comments

Have you ever been faced with a file that was XOR'ed with a 256 byte key? While it may not be the most common length for an XOR key, it's still something that has popped up enough over the last few months to make it on my to-do list. If you take a look at the first two links mentioned above you'll see they both include some in-house tool(s) which do some magic and provide you with the XOR key. Even though they both state that at some ...
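As an added example (not the NoMoreXOR tool or any code from that post), the script below recovers a repeating 256-byte XOR key from a file without knowing the key. It assumes that, at every key offset, the most common plaintext byte is 0x00 (true of many PE files and other padded binaries); the key length is guessed with a coincidence count over candidate shifts, and the sample "binary" and key are constructed inline so the script runs offline. Note that one key byte is deliberately 0x00, a case that naive "look for non-zero bytes" key finders get wrong.

```python
"""Recover a repeating 256-byte XOR key from a mostly-zero plaintext.

Added example, not the NoMoreXOR tool. Assumption: at each key offset the
most frequent plaintext byte is 0x00 (zero padding in PE files and the like).
"""
from collections import Counter
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def guess_key_length(ct: bytes, max_len: int = 300) -> int:
    """Coincidence test: for the true key length L (and its multiples),
    ct[i] == ct[i+L] is common because equal plaintext bytes under the
    same key byte stay equal; for other shifts it is rare. Return the
    smallest L whose score is close to the best, so a multiple of the
    real length does not win."""
    scores = {}
    for L in range(1, max_len + 1):
        n = len(ct) - L
        scores[L] = sum(a == b for a, b in zip(ct, ct[L:])) / n
    top = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.9 * top)


def recover_key(ct: bytes, key_len: int, expected_byte: int = 0x00) -> bytes:
    """For each key offset, the most frequent ciphertext byte in that column
    is assumed to be expected_byte XOR key[offset]. A key byte of 0x00 is
    recovered like any other, since nothing here assumes it is non-zero."""
    key = bytearray(key_len)
    for off in range(key_len):
        column = ct[off::key_len]
        most_common, _ = Counter(column).most_common(1)[0]
        key[off] = most_common ^ expected_byte
    return bytes(key)


# Constructed sample (not real malware): a 10240-byte "binary" in which 7 of
# every 10 blocks hold 0x00 at each offset (mimicking zero padding), and a
# 256-byte key that is a permutation of 0..255, so KEY[1] == 0x00.
KEY = bytes((167 * i + 89) % 256 for i in range(256))
PLAINTEXT = bytes(
    0 if (7 * blk + off) % 10 < 7 else (blk + off) % 255 + 1
    for blk in range(40) for off in range(256)
)
CIPHERTEXT = xor_with_key(PLAINTEXT, KEY)


def demo():
    """Guess the length, recover the key, decrypt; returns all three."""
    key_len = guess_key_length(CIPHERTEXT)
    key = recover_key(CIPHERTEXT, key_len)
    return key_len, key, xor_with_key(CIPHERTEXT, key)


if __name__ == "__main__":
    key_len, key, pt = demo()
    print("key length:", key_len)
    print("key recovered:", key == KEY, "| plaintext recovered:", pt == PLAINTEXT)
```

The 0x00 assumption is the weak point: for a plaintext column where some other byte dominates (a run of 0xFF padding, for instance) the recovered key byte is off by that value, so on real samples check the decrypted output for expected structure (an MZ header, readable strings) and re-run with a different `expected_byte` for offsets that look wrong.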

Configuring SET to Bypass Outbound Filters and Own the Day

February 13, 2013 8:41 am | Comments

The Social Engineering Toolkit (SET) is a great, easy to use tool for combining social engineering attacks with Metasploit’s extensive framework. However, SET doesn’t always work right out of the box for all networks. Depending on the target, you may need to tweak SET’s code and configuration to work a little better. In this article we’ll walk through a real world attack scenario and talk about some tweaks that wi...

Report #1 from ABA Midyear on Cybersecurity

February 12, 2013 7:00 pm | Comments

I think I’m going to have to split this report into two parts: So let’s start with Part I – an excellent presentation on Active Cyber Defense: Emerging Legal Dialogue. The panelists were Stewart Baker (Partner, Steptoe & Johnson and former General Counsel of the National Security Agency), Steve Chabinsky (Senior Vice President of Legal Affairs for Crowdstrike) and Emily Frye (Principal Engineer at The MITRE Corporation...

DHS: Border Device Search Policy Does Not Violate Fourth Amendment

February 12, 2013 10:59 am | Comments

The Department of Homeland Security’s Office for Civil Rights and Civil Liberties (CLCR) has determined that the DHS’s warrantless, and often suspicion-less, search and seizure of electronic devices at U.S. borders does not violate the Fourth Amendment protection against unreasonable search or seizure. by Brian Donohue...

Jake Williams' Tips on Malware Analysis and Reverse-engineering - Part 2

February 12, 2013 10:54 am | Comments

I spoke with Jake Williams, an incident responder extraordinaire, who teaches SANS' FOR610: Reverse-Engineering Malware course. In the second part of the interview, Jake shared advice on acting upon the findings produced by the malware analyst. He also clarified the role of indicators of compromise (IOCs) in the incident response effort. (See Part 1 if you missed it.)  ...

MFT vs Super Timeline

February 11, 2013 11:08 am | Comments

Now, Tom requested some posting about Super Timeline as he learned about it in FOR508. Well, I actually covered Super Timeline back in 2011, but while I read my old posts a new idea came to me. The last time I did a full-on disk acquisition was maybe 6 months ago. It's an issue now with disk sizes becoming quite massive. Obviously though, having a disk image has its advantages. You can extract any and all files, and of course ... ti...

The End Game

February 11, 2013 10:51 am | Comments

Last week, I posted about some of the reconnaissance tools that attackers are using against E-Commerce sites, then about what some of the evidence looks like in the logs. Now I want to go over what they are doing with their ill-gotten access. Attackers aren't just in it for the fun anymore. While we still see our share of political defacements and attacks that are pulled off just to prove a point, most of the cases that forensics firms...

Does the IRS Really Know Who You are?

February 7, 2013 7:00 pm | Comments

The IRS touts electronic filing as the safest way to file tax returns, but it is impossible to say just how safe it is. There are hints in a recent report from the Treasury Department’s Inspector General for Tax Administration that online filing might be making things safer, but the title of the report highlights the broader problem: “There are Billions of Dollars in Undetected Tax Refunds Resulting from Identity Theft.”...

New Cybersecurity Bills to be Introduced to the House & Senate

February 7, 2013 7:00 pm | Comments

Rep. Mike Rogers (R-Mich.), the chair of the US House Intelligence Committee, intends to reintroduce H.R. 3523, the Cyber Intelligence Sharing and Protection Act ("CISPA"), which would provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities. Although this initiative has apparently not yet been reported in the news, I was given the privilege t...
