Inside Security | Inside

David Strom's in-depth cybersecurity news and analysis

I have put together my top ten recent stories (in order from my most to least favorite) about various tools that defenders can use to protect their networks and endpoints. All of the tools mentioned here are free or minimal cost. Some of these posts are a sequence of articles, so there is a lot to review and learn from here. Don’t worry, there are plenty of exploits to cover and I will do so in tomorrow’s newsletter.

-- David Strom, Editor of Inside Security

1. Here is an excellent series of posts from Varonis on various ways to detect hidden malware. The author calls the technique Living off the Land: hackers reuse less well-known Windows utilities to hide script payloads and cloak other activities. The series now has three articles. The first is an intro to Regsvr32, which allows JScript or VBScript to be injected into DLLs. Part 2 covers MS HTA, which began life many years ago as a useful development tool that let IT people use HTML and JavaScript or VBScript to create webby apps. It still lives in the Windows\System32 folder, and hackers have been taking advantage of it. Part 3 covers Certutil, another Windows utility that is used to display CA info but can also be exploited. – VARONIS BLOG

2. Here is a collection of tools that can be used to understand the internal workings of .NET, such as PerfView and SharpView. While not strictly security tools, they can all help you debug your code and find vulnerabilities. – MATT WARREN BLOG


We are trying out a new format, presenting our news items as a “Top 10” list; let us know what you think.

I have been writing about SQL injection longer than some of the hackers who are using this exploit, and recently came across this explainer piece in CSOonline about its history. The article shows you exactly how it is accomplished. If you still are in the dark, it is worth reading. Finally, speaking about CSOonline, I have written a story for them this week about cloud access security brokers: what they are, why you would want to use them, and how to choose them.

-- David Strom, editor of Inside Security

1. Researchers have found more than 43M email addresses that were leaked from a botnet distributing both the GandCrab and Trik malware. Many of these email addresses are old AOL and Yahoo accounts, and one of them was my own, according to Troy Hunt, who was helping in the effort. Trik is a classic Trojan, and the GandCrab being distributed is the latest version of that ransomware. – BLEEPING COMPUTER

2. HealthEquity manages more than 3.4M health savings accounts for thousands of companies. The Utah-based company had a data breach last month after one employee’s email account was accessed by an unauthorized person. Information from more than 23,000 individual HSAs was leaked, including Social Security numbers. The breach was discovered and acknowledged within two days. – HEALTH DATA MANAGEMENT

3. Here are some tips on how to improve your web app security from a developer’s perspective. While many developers claim that security can make apps harder to use and to test, that isn’t the case. The author suggests starting from a position of understanding how much effort is going into stopping an intruder and then drawing an appropriate line in the sand, or the code, as the case may be. – DZONE

4. Only half of devops teams integrate application security testing elements in their workflows, according to a new survey. Respondents cited a lack of automated security testing tools, lots of false positives to track down, and other excuses. The post talks about how IT can approach secure devops and invest in more and better security practices. – SECURITY INTELLIGENCE BLOG (IBM)

5. If you were a fan of the Renesys-based Internet Intelligence Map, Oracle has purchased its assets and will continue the practice. You can read my 2014 review of the service in Network World here. The map offers data about ISP outages around the world, showing where potential trouble spots are happening. It has two sections: Country Statistics and Traffic Shifts. – ORACLE BLOG

6. Here is another series of posts about understanding the malicious PowerShell scripting techniques that hackers often use. The first blog post walks through how to find malicious PowerShell scripts in the System event log and the various steps needed to decode them. The second post discusses how the Windows Registry can be another location where malicious PowerShell scripts might be hiding. Both are from Mari DeGrazia’s Another Forensics Blog.

7. Bro is an extremely powerful network traffic analyzer: it captures network metadata and provides a scriptable programming language that can be used to interpret behavioral network signs of interest. It is open source, too. This blog post describes its many uses, and you can download the code here. It was originally developed by Vern Paxson, and academic researchers at Berkeley and Urbana contribute to its code.

8. Last week we had two funding announcements: Monarx got a $3.4M seed round, led by Pelion Ventures. It is based in Salt Lake City and has an open source CMS attack prevention tool. Its CEO is Matt Hoffman. And FairWarning received a $60M round led by Mainsail Partners. It is based in Clearwater, Fla. and Kurt Long is its CEO. The company sells a sensitive data platform for health, financial and other sectors.

We also had one acquisition: F-Secure is acquiring MWR InfoSecurity, a private MSP headquartered in the UK with more than 400 employees. It has a threat hunting platform called Countercept along with managed anti-phishing services. The purchase price is the equivalent of $106M. – HELP NET SECURITY

9. If you are interested in taking any of the online white-hat hacking certification courses, act now and save a bunch of money. Five of the classes, which normally cost $300 each, are on sale for the next two days for $49 total. These are prep classes towards CISM, CISA and other exams. A more complete description of the courses can be found here. – TECH SPOT STORE

10. An analysis of nine years of research into reporting and fixing various vulnerabilities is presented in this whitepaper. Only a quarter of the vulnerabilities reported are likely to have been fixed, and many of those fixes took months. – NCC GROUP BLOG

3. Researchers have uncovered an espionage campaign, active since last year, that targeted the national data center of an unnamed Central Asian country in order to conduct watering hole attacks. They believe malicious scripts were inserted into various government websites. They attribute the attack to the LuckyMouse group, which compromised the Ukrainian router shown here. The group has been active since at least 2010 and was behind many previous attack campaigns that resulted in the theft of massive amounts of data from the directors and managers of US-based defense contractors. – SECURELIST BLOG (KASPERSKY)

4. If you use the Chrome browser, there will be some changes that will hopefully make it more secure. The changes affect how extensions are installed through the Chrome Web Store, and will be gradually rolled out over the next several months. Google has gotten numerous complaints because of confusing or deceptive uses of inline installation on websites, which will be eventually eliminated. – CHROMIUM BLOG

5. British retailer Dixons Carphone has leaked 5.9M users’ payment card data, along with another collection of more than a million users’ records, according to reports. The first set was leaked from Currys PC World and Dixons Travel stores almost a year ago, but most of these cards have chip and PIN protection. The firm had another breach three years ago, when the credit card details of 90,000 Dixons Carphone customers were leaked. The company acknowledged the leak here but didn’t state why it took so long to do so. – BBC NEWS

6. A bug in Apple’s code signing algorithm has been found by a security researcher. In this post he documents how the exploit works against the way Apple handles its certificates and shows who is affected. If you have written software using the code signing APIs, you should update your code. – OKTA BLOG

7. Hidden cryptomining software has been embedded in a series of Docker images that have been downloaded frequently and have remained on Docker Hub for more than a year. The net result is a $90,000 payout for some criminal. The research shows how they operated. – KROMTECH BLOG

8. After this week’s summit, it is worthwhile to review how North Korea has become a leader in cybercriminal activity. This post quotes several security experts and summarizes some of their hacking accomplishments over the recent past. Other than its nukes, “cyber is the crown jewel of the North Korean intelligence/military apparatus,” as one expert says in the post. – IDG CONNECT