Monthly Archives: June 2014

CISPA, SOPA, PIPA, CIPA

CIPA is the new iteration of the internet censorship bill floating around. In politics, if you cannot pass a corporate-empowering bill, you keep changing the name and hope no one notices it being passed.

No commercials and plenty of content is what many know Netflix for. No wonder the RIAA and MPAA (the music and movie industry associations) hate them so much. As for this bill, let us not forget the vaguely worded context and the clauses for relaying information to federal agencies.

Also relevant: The Internet's Own Boy: The Story of Aaron Swartz (2014) is out to watch.

InfoStuffs 2014-06-27

The topic name format will likely change, but yeah. Computers are a common part of many people's lives these days, yet there are many gaping issues that are finally coming to more minds as valid concerns. Especially the pocket computers, AKA smartphones.

Spying is a concern for some folks: it used to be only suspected criminals who were targeted; nowadays it is quite literally entire populations, if not the entire world. On that note, why is the ex-NSA director, General Keith Alexander, running a $1 million per month security firm? Personally I get a very Halliburton / Blackwater / Academi vibe. Call me paranoid.

Also in the gov't sector, the US Marshals Service is auctioning ~29,600 bitcoins, roughly worth $17.5 million USD. Flashback: Silk Road was the online drug marketplace taken down by law enforcement in 2013. Also of note is when the BCC for all buyers turned into a reply-all and that list was leaked. Oops.

Cryptome.org was temporarily taken offline for a 'malware issue' by its hosting provider. Cryptome has been disclosing leaked documents since June 1996.

In entertaining news, the World Cup Wi-Fi password for the security center was disclosed in a press article. If you are taking photos in a security center, check those screens for info you would rather not publicize.

A 16-year-old crafted a browser plugin that shows the financial contributions made to politicians.

You know mobile phones have been backdoored to spy on people, right? Well, some good people are reverse-engineering those spy tools to try to defeat the methods used, and to further disclose their operations.

Speaking of spying, USA politics continues to be largely theatrical in restricting the bulk surveillance of persons around the world. Since the House of Representatives was called out for being really weak on its stance, it is apparently looking to cut NSA funding. If you are not concerned about spying yet, I really advise you to see which organizations are involved in NSA compliance. When software and hardware are deliberately weakened, these agencies are not the only ones with access: a backdoor or weakened cipher is there for anyone who finds it, not just the agency that asked for it.

Then get into the vast amount of spying third parties do under contract, plus Stingray surveillance (cell-phone interception by a fake cellular tower) by local police departments (Guardian write-up). Thanks for reading this current events in security post. :)

Forum Intro (Security Events)

Think of this sub-forum as the Summer (in)security thread, but since this forum displays the newest posts first, it will be vastly easier to keep up with the current dialog without jumping through prior posts to reach the current one.

I have been a fan of combing information security news and RSS feeds for years, largely because once a previously unknown flaw gets a public release, you can bet it will be more commonly used against that package or program. Keeping up on things helps prevent intrusions and unscheduled downtime, and avoiding both is my intent. As usual I will add some dialog and overview to the articles, to save you time reading them all, and possibly get a chuckle out of you in the process.

Port Listing and MMC commands (Windows)

Bonus port and service info by command.

Thanks to Vas.com for this syntax; it shows which TCP ports are open and which services and applications own them (the -b option, which prints the owning executable, needs an elevated prompt).

netstat -a -n -b -p TCP

Running an Nmap scan will likely show ports 49152 – 49159 open on a Windows system. In the scan output (with the -A option) they will be listed as [Version] Microsoft Windows RPC and [Service] msrpc. This is the dynamic RPC port range (49152 and up by default on Vista / Server 2008 and later), handed out by the RPC endpoint mapper on TCP 135, so Nmap can only tell you "some RPC service"; the details of what is actually running on those ports are provided by the netstat command above.

As described in the linked page, these are the Event Log and other remote services and domain-related items. As with most of the .msc snap-ins, you can launch them against a remote server. I do this often in administration.

compmgmt.msc /computer:"IP or MachineName"

Chain these in a batch file if you have multiple machines to audit: closing one console opens the next one in your batch list. For a list of .msc snap-ins you can invoke from the command line, this list should do you justice.
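The same workflow in PowerShell, as an added example that is not from the original post or from Vas.com: map listening TCP ports to their owning process the way netstat -b does, single out anything in the dynamic RPC range that is not one of the usual Windows host processes, and then walk a list of machines with Computer Management. It assumes Windows 8 / Server 2012 or later (the NetTCPIP module) and an elevated prompt; the host names and the list of expected RPC hosts are placeholders chosen here.

```powershell
# Added example, not the original post's code. Assumes Windows 8 / Server 2012+
# and an elevated shell so process paths for system services are readable.

# Listening sockets -> owning process, the object form of `netstat -a -n -b -p TCP`.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    # Path can throw for protected processes even when elevated; treat that as unknown.
    $path = if ($proc) { try { $proc.Path } catch { $null } } else { $null }
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { '(unknown)' }
        Path         = $path
        # 49152-65535 is the default dynamic range since Vista/2008; Nmap labels
        # these msrpc because the endpoint mapper (TCP 135) assigns them.
        DynamicRange = ($_.LocalPort -ge 49152)
    }
}

$listeners | Sort-Object LocalPort | Format-Table -AutoSize

# Heuristic, not a whitelist from the post: these Windows host processes are expected
# to own dynamic-range RPC ports. Anything else there deserves a closer look.
$expected = 'svchost', 'lsass', 'wininit', 'services', 'spoolsv'
$listeners |
    Where-Object { $_.DynamicRange -and $_.Process -notin $expected } |
    Format-Table LocalPort, PID, Process, Path -AutoSize

# Remote Computer Management, one host at a time. -Wait blocks until you close the
# console, so the next host opens when the previous one is closed, exactly like
# chaining the .msc calls in a batch file.
$hosts = 'SERVER01', 'SERVER02', '192.0.2.10'   # placeholder names/addresses
foreach ($h in $hosts) {
    Start-Process -FilePath mmc.exe -ArgumentList "compmgmt.msc /computer:$h" -Wait
}
```

The expected-process list is a starting point, not a verdict: an attacker can name a binary svchost.exe, so when a dynamic-range port looks normal by name, the Path column (is it really in System32?) is the next thing to check.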

Botnet infection sample and removal

Botnet Removal Overview

This thread is an overview of how to detect, identify and remove a botnet infection. This is merely one example of such an infection. Honestly, the main reason I was able to detect it (before it was added to malware definition databases) is its aggressive processor use. Bitcoin miners are extremely CPU-intensive processes, so 98% CPU usage stood out like a sore thumb.

This will be a 5-step thread on how I went about checking around and figuring out how this bitcoin miner was operating. There are various ways to go about the same methods, but I am sharing mine in hopes it helps someone remove similar trash in the future. I will make a post in this thread for each step, to describe the methods used, hopefully in a clear manner.
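The "98% CPU stood out" observation turned into a repeatable check, as an added example that is not part of this thread: sample per-process CPU time over a short window, flag anything that burns a large share of the machine, and for each hit print where the binary lives, whether it is Authenticode-signed, its parent process and its established TCP connections, which is the information the later identification steps need. The threshold and window length are arbitrary values picked here, and it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example, not the thread's own tooling. Window and threshold are my choices.
param(
    [int]$Window = 10,        # seconds to sample
    [double]$Threshold = 50   # percent of the whole machine (all cores) over the window
)

$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors

# First sample: total CPU seconds consumed so far, per PID. CPU is $null for
# processes we cannot open, so those are skipped rather than treated as zero.
$before = @{}
Get-Process | Where-Object { $null -ne $_.CPU } | ForEach-Object { $before[$_.Id] = $_.CPU }

Start-Sleep -Seconds $Window

# Second sample: the delta over the window, as a percentage of total machine capacity.
$hogs = Get-Process |
    Where-Object { $null -ne $_.CPU -and $before.ContainsKey($_.Id) } |
    ForEach-Object {
        $delta = $_.CPU - $before[$_.Id]                       # CPU-seconds used in the window
        $pct   = [math]::Round(100 * $delta / ($Window * $cores), 1)
        if ($pct -ge $Threshold) {
            $path = try { $_.Path } catch { $null }
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            $parent = (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)").ParentProcessId
            # Miners and bots phone home; list who this process is talking to right now.
            $remote = Get-NetTCPConnection -OwningProcess $_.Id -State Established -ErrorAction SilentlyContinue |
                      ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
            [PSCustomObject]@{
                PID       = $_.Id
                Name      = $_.ProcessName
                CpuPct    = $pct
                Path      = $path
                Signature = $sig        # Valid / NotSigned / HashMismatch ...
                ParentPID = $parent
                Remote    = ($remote -join ', ')
            }
        }
    }

if ($hogs) { $hogs | Format-List } else { "No process above $Threshold% over $Window s." }
```

A CPU hog by itself is not proof of infection (a video encode looks the same), so the script prints the context rather than deciding: an unsigned binary running from a user-writable directory, spawned by something unexpected and holding a connection to an unfamiliar host is the combination that warrants the rest of the removal steps.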

Steps used:

As with any infection, you have to be formidably sure you completely removed it; otherwise you are waiting for more damage down the road. Do you wish to reinstall the OS, or do you feel confident the exploit has been removed? This question is especially relevant in a business environment. Luckily I saw this on my personal machine, so I could afford more time to debug what was happening and log it.

The attached picture should make more sense as you read each progressive step.

Attached picture: Anon-Pic0o-BingoInfection.png