Recently, NTT Security discovered a phishing email containing malware. The email had a Microsoft Word document attached with a malicious embedded macro. Macros are an effective infection vector and have been steadily gaining popularity in the last several years. Microsoft Office macros are a series of instructions run together as a single command. Microsoft extended macro capabilities to include Visual Basic for Applications (VBA) run inside of a Microsoft Office application (Access, Word, Outlook, Excel, and PowerPoint). The takeaway is that macros could be, and probably are, malicious code when coming from an unknown source.
The Document
Below in Figure 1 is a screenshot of the document we discovered embedded in the email. As you can see, the document is well formatted and looks very legitimate. It also gives step-by-step instructions, requesting the user to enable content so the... read more >
When “catch them all” isn’t just Pokémon Go’s catch phrase
Let me start off by saying that I have not played a Pokémon game since Pokémon Snap back in ’99. When I heard there was going to be an augmented reality Pokémon game for mobile, my inner child fanboyed. I made sure to download it as soon as it hit the app store, and had the fever to “catch them all.” I quickly found out, however, that Pokémon were not the only thing people were catching.
The best way to catch a Pokémon is to go out to a public area. The game shows you a virtual map of the area (it’s built on Google Maps, so it is a real map). As you explore, Pokémon “spawn,” or show up, on the app for you to catch. The first place that popped into my mind as a good place to catch Pokémon was the park. So I packed up my stuff, got my daughter ready to go, and off we went.
I started to catch Pokémon, and even gave my daughter a few tries. With both of us using the app, we... read more >
#WarStoryWednesday: so many hosts, so little time
Every now and then, while performing a penetration assessment, we’ll get a large set of hosts considered in scope. This is often a nice change of pace from the compliance-based penetration assessment where the scope is smaller and more focused on the Cardholder Data Environment (CDE). With the larger scope, we can come a bit closer to simulating an actual attacker from the perspective of the internal network. I say closer because as security consultants we are still limited by time, often only having a week to perform an assessment. If the scope is big enough, we will typically send two or more consultants. This blog will detail just one of those assessments and will hopefully give insight into effective time management for large scopes that offer more than one method of compromise.
Background
Let me set up the scenario a bit. My co-worker Adam Steffes and I were tasked with performing an assessment with... read more >
A while ago someone referred me to this post on reddit labeled, “The boss has malware, again….” It is an entertaining story from a help desk employee at a large corporation who discovered that an e-cigarette belonging to one of their executives had malware hardcoded into the charger. When the charger was plugged into a system’s USB port, it would phone home to a server to download malware onto the unsuspecting user’s system. Stories such as this are more common than you may think. In the past, many consumer devices have been discovered to contain embedded malware directly from the manufacturer. There have been many historical incidents of infected digital picture frames, MP3 players and other devices having been unwittingly sold and distributed by big box stores and small retailers alike. Most recently, a large quantity of... read more >
You are only as good as your toolset!
In my last blog I asked the question, “Have you ever tried to chop down a tree with a fork?” and told you about an incident response process that was made difficult by the lack of adequate tools. This is a common problem in the field of incident response and security as a whole, and it shouldn’t exist. Unfortunately, however, many system administrators, network administrators and help desk personnel assume they can handle an incident, when in reality it is far more complex than they realize.
A basic introduction to incident response is beyond the scope of this blog, but I do want to introduce the reader to the “Order of Volatility.” This is a common methodology that is taught across the security spectrum. It guides the responder to gather evidence from the most volatile sources first and the least volatile last. This is extremely important when responding to breaches or malware infections. So, let us review the... read more >
As a Security Consultant for NTT Security (US), Inc. Professional Security Services, I have the privilege of witnessing many application security programs. I see programs that work great, are healthy, and handle risk management very well. Then there are programs that have either missed the mark completely, or are healthy but have some maturing to do.
In this blog I’ll be focusing on organizations or development teams that use a more traditional “waterfall” style approach to application development. I’ll attempt to identify traits of a healthy application security program in order to provide ideas for programs that could use some maturing. If your organization uses a more modern “agile,” “iterative,” or “kanban” style of development we will address those specific challenges in Part 2 of the series.
I’m sure many of us have heard that successful... read more >
Building a PCAP Record Extractor Using Python
About three years ago I wrote an article about building your own packet analyzer in Python. Today we are going to continue down a similar but distinct path, this time building a tool that provides another service.
Occasionally, I find myself needing to extract an entire packet from a packet capture (PCAP). The reasoning varies between testing a custom decoder or parser I have written, including the data in a report, or sometimes just wanting to visualize or structure the data in another way. Packet extraction can be done with tshark by extracting field by field and then reassembling the individual components. The process can be tedious, and probably has a higher error and frustration rate. So whatever can we do; who or what will save the day? Dun dun dun, Python sweeps in over the horizon, wind blowing in its hair, Michael Bolton theme song blasting in the background, swoops to the rescue (dramatic pause), fade to... read more >