The question of issuing an advisory: Magento CVSS

Check Point recently released an analysis of a critical RCE (remote code execution) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, including credit card information as well as other financial and personal data, affecting nearly two hundred thousand online shops.

Magento already released a patch (SUPEE-5344) on February 9, 2015 (you have to get an account to download the patch, I added it to the
Read more.

Defining IOCs with online malware analyser tools

A couple of weeks back I wrote a post about how to use CryptoLocker to train your incident response team. I waited for another interesting mail and malware sample to arrive so I could combine the ideas of that post with my post on using different public online malware analyser tools, this time for defining IOCs.

On Wednesday 15-April I received what looked like an interesting mail and attachment to process and analyse.

Read more.

Using different public online malware analyser tools

Analyzing malware and extracting useful detection indicators (Indicators of Compromise, IOCs) for protecting your customers is a recurrent task if you do incident response. If you have your own malware analysis environment and you receive a suspected malicious file, then uploading the file for processing and waiting for the analysis is one of the first steps in this process. However, sometimes you have to rely on using different public online malware analyser tools for getting
Read more.

Yahoo Transparency Report – All Requests from Belgium rejected

Yahoo released its Transparency report covering the number of government requests for user data.

In 2014 the Belgian government requested 5 times user data from Yahoo for 17 accounts. All these requests were rejected by Yahoo.

5 “Government Data Request”, meaning a government agency seeking information about Yahoo accounts. These are generally made in connection with criminal investigations. 17 “Government Specified Accounts”, meaning the number of Yahoo accounts, users, or other unique identifiers. Yahoo “Rejected”
Read more.

How to share malware with a security team?

With the recent increase of notifications of CryptoLocker malware I was wondering if this dropped malware was always the same version or if the attackers used different versions. I was also curious if the delivery path (e-mail route or otherwise) was different. This raised the question: “How to share malware with a security team?”.

Some teams have a service where you can upload samples. If they do not have an upload service then you
Read more.

VMRay automated malware analysis for CERTs

CERTs have to provide their constituency early warnings and alerts about new threats.

A typical example is a new form of malware being distributed by e-mail. It takes a while before anti-virus vendors include the new signature to recognise the malware. This means that there’s a time window where the malware is not filtered and users in your constituency can get infected.

To protect your constituency you can provide them your own signature with indicators
Read more.

Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 2

My first post on MISP described how to get MISP installed and get it up and running. This post describes how you can use MISP to your benefit to share threat information with your community.

The basic features of MISP are described in detail in the documentation at INSTALL/documentation.pdf. I’ll describe the steps needed to create an event and add some useful data.

You can add an event under Event actions, Add event. You’ll have
Read more.

Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 1

MISP, or Malware Information Sharing Platform & Threat Sharing, is an open source tool for sharing malware and threat information with the security community. It is available on GitHub and is used by a large number of CERTs and security teams.

This first post describes how to get MISP installed and get it up and running. The next post describes how you can use MISP to your benefit to share threat information with your
Read more.

Recursive curl with Tor on Apple OSX

The Tor Bundle for Apple OSX is a stripped Firefox browser that uses a local SOCKS proxy to anonymize the requests.

The SOCKS proxy that is used is tor.real, located at /Applications//TorBrowser.app/TorBrowser/Tor/tor.real.

Anonymous browsing is good, but I needed a command line tool to fetch a web page or web site. More specifically, I want to recursively download a website from the command line. Ideally you use wget for this. Unfortunately wget does not
Read more.

Use CryptoLocker to train your incident response team (part 3)

This is the third part in a post describing how to train your team for incident response and incident investigations.

The first part for training incident response and incident investigations covered how to analyze the e-mail headers and information in a suspicious e-mail. The second part analyzed the attachment which turned out to be a CryptoLocker.F variant.

The last step of my analysis involved executing the CryptoLocker virus in a fully networked VM. After resetting
Read more.