Simplifying Risk Management

I published an article on IBM Security Intelligence on Simplifying Risk Management.

What is Shodan telling us about ICS in Belgium?

I have been using Shodan, “the world’s first search engine for Internet-connected devices”, for a long time. Recently I switched my free account to a membership account. A membership account allows you to do API queries with additional query filters (for example restricting search results to specific countries).

In this post I describe the results of querying the Shodan API for ICS (or related) devices in Belgium. These results are entirely based on what is
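The kind of query described above, as an added example rather than the script behind the original post: it builds a `country:` filtered Shodan query for a few ICS protocol ports, can pull the matches with the `shodan` package (the live call needs a membership API key, since the country filter is only honoured for paid keys), and summarises the banners per port, product and organisation. The `SAMPLE_MATCHES` banners are constructed to illustrate Shodan's result shape and are not survey data.

```python
"""Shodan ICS survey restricted to one country.

Added example; not the script behind the original post. The live call
needs the `shodan` package (pip install shodan) and a membership API key,
because the `country:` filter is only honoured for paid keys. Everything
else runs offline on the constructed SAMPLE_MATCHES below."""
from collections import Counter

# Base queries for a few common ICS protocols. Matching a port is only a
# hint: honeypots and unrelated services also answer on these ports.
ICS_QUERIES = {
    "modbus": "port:502",
    "siemens-s7": "port:102",
    "bacnet": "port:47808",
    "ethernet/ip": "port:44818",
}


def build_query(base: str, country: str) -> str:
    """Append a Shodan country filter (ISO 3166-1 alpha-2, e.g. BE)."""
    cc = country.strip().upper()
    if len(cc) != 2 or not cc.isalpha():
        raise ValueError("country must be a two-letter code such as BE")
    return f"{base} country:{cc}"


def fetch_matches(api_key: str, query: str, limit: int = 1000) -> list:
    """Live query. search_cursor() handles paging; every page of 100
    results consumes one query credit, so cap what you pull."""
    import shodan  # imported lazily so the offline helpers need no package
    api = shodan.Shodan(api_key)
    banners = []
    for banner in api.search_cursor(query):
        banners.append(banner)
        if len(banners) >= limit:
            break
    return banners


def summarize(matches: list, country: str) -> dict:
    """Count banners per port, product and organisation, keeping only
    hits whose geolocation really is the requested country (Shodan's
    geodata lags, so the filter is re-checked on the returned data)."""
    cc = country.upper()
    ports, products, orgs = Counter(), Counter(), Counter()
    kept = 0
    for m in matches:
        if (m.get("location") or {}).get("country_code") != cc:
            continue
        kept += 1
        ports[m.get("port")] += 1
        products[m.get("product") or "unknown"] += 1
        orgs[m.get("org") or "unknown"] += 1
    return {"total": kept, "ports": dict(ports),
            "products": dict(products), "orgs": dict(orgs)}


# Constructed banners in Shodan's result shape; not real survey data.
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 502, "product": "Modbus", "org": "Example ISP",
     "location": {"country_code": "BE"}},
    {"ip_str": "192.0.2.11", "port": 502, "product": None, "org": "Example ISP",
     "location": {"country_code": "BE"}},
    {"ip_str": "198.51.100.7", "port": 102, "product": "Siemens S7", "org": "Test Org",
     "location": {"country_code": "BE"}},
    {"ip_str": "203.0.113.5", "port": 502, "product": "Modbus", "org": "Elsewhere",
     "location": {"country_code": "NL"}},
]

if __name__ == "__main__":
    for name, base in ICS_QUERIES.items():
        print(name, "->", build_query(base, "be"))
    print(summarize(SAMPLE_MATCHES, "BE"))
```

Two caveats a practitioner should keep in mind: a banner on port 502 or 102 is not proof of a PLC (honeypots and unrelated services sit on those ports too), and Shodan's geolocation is not always current, which is why `summarize` re-checks the country code on the returned data instead of trusting the filter alone.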

Hack of Polish Financial Supervision Authority and Polish banks

A couple of days back the financial sector in Poland was shocked by the news that the Polish financial supervision authority was hacked and was used as an attack vector to get access to other (mostly Polish) banks.

This is a very short summary with some IOCs (Indicators of Compromise) that you can use to check your logs and verify if you are affected.

Note that most of this information is composed from information found

Calendar invite spam

I received some unusual calendar invite spam. In total it consisted of 4 messages:

1. a calendar invite
2. quickly followed by the cancellation of the invite
3. a new calendar invite
4. the cancellation of the last invite

Calendar invite spam isn’t that uncommon, but compared to the total amount of spam the volume of calendar invite spam is still fairly low.

In this case I found the series of messages (invite – cancel

Don’t Let Remote Management Software Contribute to Building Botnets

I published an article on IBM Security Intelligence on Don’t Let Remote Management Software Contribute to Building Botnets.

MISP EcoSystem : Threat Intelligence, VMRay and MISP

I made a slide-deck on integrating MISP and VMRay in your incident management workflow.

MISP EcoSystem – Threat Intelligence, VMRay, MISP from Koen Van Impe

Submit malware samples to VMRay via MISP

I’m a happy user of MISP, Malware Information Sharing Platform & Threat Sharing. MISP core already contains a lot of features to satisfy your needs when it concerns threat and information sharing. But there’s always room for improvement. If you submit a feature request, MISP can be extended with your request. However changing the core is not always desirable. Also sometimes you want some feature to work just the way you want it, this doesn’t

The Krebs Attack: Sign Of A Game Changer

I published an article on The Krebs Attack: Sign Of A Game Changer on the Ipswitch blog.

This article covers the new wave of large-scale DDoS attacks against KrebsOnSecurity and OVH and how the release of the Mirai botnet source code enables new attacks. I describe how this influences the risks you have to take into account when protecting your infrastructure.

Mail image trap

For a recent engagement I had to check if an e-mail was opened (or viewed) by a user. The idea was to get a notification if an e-mail was read, without having access to the e-mail infrastructure.

There are different ways and tools to do this. The available time was limited and because the target environment has HTML e-mail set as default I chose a very straightforward approach : “include a 1 pixel image with
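The 1-pixel image approach in working form, as an added example and not the tooling from the engagement described above. It assumes you control the host behind `BASE_URL` and can run a small HTTP listener there. Each recipient gets an opaque random id (so the mail address never appears in a URL) protected by an HMAC token, so a guessed or tampered URL produces no false “opened” notification; the handler returns a minimal transparent GIF with `Cache-Control: no-store` so repeated opens generate repeated fetches.

```python
"""Read receipt through a 1x1 image, the approach the post describes.

Added example, not the post's own code. Assumptions: you control the host
behind BASE_URL and can run this HTTP handler there, and the recipient's
mail client renders HTML and loads remote images."""
import hashlib
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

BASE_URL = "https://tracker.example.net"   # assumption: a host you control
SECRET = secrets.token_bytes(32)           # per-engagement key, never mailed
RECIPIENTS = {}                            # opaque id -> address (keeps addresses out of URLs)

# Smallest transparent GIF (43 bytes); any image/gif body works, a tiny one is fastest.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")


def register(address: str) -> str:
    """Give each recipient a random id so the URL leaks nothing and cannot be guessed."""
    rid = secrets.token_hex(8)
    RECIPIENTS[rid] = address
    return rid


def make_token(rid: str, secret: bytes = SECRET) -> str:
    """HMAC over the id: a tampered or enumerated id fails verification."""
    return hmac.new(secret, rid.encode(), hashlib.sha256).hexdigest()[:32]


def pixel_url(rid: str) -> str:
    return f"{BASE_URL}/i.gif?r={rid}&t={make_token(rid)}"


def html_body(rid: str, text: str) -> str:
    """The visible message plus the invisible image; alt="" keeps it silent
    in clients that display alt text instead of blocked images."""
    return (f"<html><body><p>{text}</p>"
            f'<img src="{pixel_url(rid)}" width="1" height="1" alt="">'
            "</body></html>")


def handle_hit(path: str, remote: str, user_agent: str):
    """Server-side check for one request. Returns (http_status, hit_or_None)."""
    q = parse_qs(urlsplit(path).query)
    rid = q.get("r", [""])[0]
    token = q.get("t", [""])[0]
    if rid not in RECIPIENTS or not hmac.compare_digest(make_token(rid), token):
        return 404, None
    return 200, {"recipient": RECIPIENTS[rid], "remote": remote, "user_agent": user_agent}


class PixelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, hit = handle_hit(self.path, self.client_address[0],
                                 self.headers.get("User-Agent", ""))
        if hit:
            print("OPENED", hit)  # replace with your notification channel
        self.send_response(status)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")  # a fetch per open, not per cache lifetime
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)


if __name__ == "__main__":
    rid = register("alice@example.org")
    print(html_body(rid, "Please review the attached report."))
    HTTPServer(("0.0.0.0", 8080), PixelHandler).serve_forever()
```

Interpret the results with care: many clients block remote images until the user explicitly loads them, and providers such as Gmail fetch images through their own proxy, so the remote address and User-Agent you log may identify the provider rather than the reader's machine. A missing hit therefore does not prove the mail was unread; it only means the image was never fetched.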

Proxy server logs for incident response

When you do incident response having access to detailed logs is crucial. One of those treasure troves are proxy server logs.

Proxy server logs contain the requests made by users and applications on your network. This does not only include the most obvious part : web site requests by users, but also application or service requests made to the internet (for example application updates).

Ideally you have a transparent proxy, meaning that all outgoing requests
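Putting the two posts together (checking your logs against published IOCs, and proxy logs as the place to look), here is an added example of such a sweep; it is not the author's tooling. It parses Squid's native access.log format (other proxies need only a different parse function) and matches each request against indicator domains and addresses. Both the IOC lists and the log lines are constructed for illustration and are not indicators from the Polish incident. Domain matching covers the indicator and its subdomains but not arbitrary suffixes, the destination is taken from the CONNECT target when the traffic is TLS, and a denied request still counts as a hit because the client tried to reach the indicator.

```python
"""Sweep proxy logs for published IOCs.

Added example, not the post's own tooling. It parses Squid's native
access.log format (other proxies just need a different parse function);
the IOC lists and the log lines below are constructed for illustration
and are not indicators from the Polish incident."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Hypothetical indicators in the shape a report would give you.
IOC_DOMAINS = {"update-check.example.net", "cdn.badexample.org"}
IOC_IPS = {"198.51.100.23", "203.0.113.77"}

# Constructed Squid native-format lines: time, elapsed, client, result, bytes,
# method, URL, user, hierarchy/peer, content-type.
SAMPLE_LOG = """\
1486123456.789    123 10.0.0.12 TCP_MISS/200 5432 GET http://update-check.example.net/update.php - HIER_DIRECT/198.51.100.23 text/html
1486123460.001     87 10.0.0.12 TCP_MISS/200 1200 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1486123470.500   2001 10.0.0.33 TCP_TUNNEL/200 22044 CONNECT static.cdn.badexample.org:443 - HIER_DIRECT/203.0.113.77 -
1486123480.250      5 10.0.0.45 TCP_DENIED/403 3600 GET http://203.0.113.77/gate.php - HIER_NONE/- text/html
"""


def parse_squid(line: str):
    """Return the fields that matter for IOC matching, or None for junk lines."""
    f = line.split()
    if len(f) < 9:
        return None
    method, url, peer = f[5], f[6], f[8]
    if method == "CONNECT":            # TLS: only host:port is visible
        host, _, _ = url.rpartition(":")
    else:
        host = urlsplit(url).hostname or ""
    peer_ip = peer.partition("/")[2]   # "-" when answered from cache
    return {
        "ts": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "client": f[2],
        "result": f[3],
        "method": method,
        "host": host.lower().rstrip("."),
        "peer_ip": peer_ip,
        "url": url,
    }


def domain_hit(host: str, iocs) -> bool:
    """Match the domain itself and any subdomain, never a mere suffix
    (evil-example.net must not match example.net)."""
    return any(host == d or host.endswith("." + d) for d in iocs)


def sweep(lines, domains=IOC_DOMAINS, ips=IOC_IPS) -> list:
    """Return the parsed requests that touched an indicator, tagged with why."""
    hits = []
    for line in lines:
        rec = parse_squid(line)
        if rec is None:
            continue
        reasons = []
        if domain_hit(rec["host"], domains):
            reasons.append("domain")
        if rec["peer_ip"] in ips or rec["host"] in ips:
            reasons.append("ip")
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def affected_clients(hits) -> list:
    """Internal addresses that reached (or tried to reach) an indicator;
    a TCP_DENIED line is still a sign the host wanted to talk to it."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ts"].isoformat(), h["client"], h["result"], h["url"], h["reasons"])
    print("affected:", affected_clients(found))
```

Run it over the real access.log with `sweep(open("access.log"))`, and treat every client in `affected_clients` as a triage candidate: the log shows who asked for the indicator, not whether the connection succeeded or what came back, so the next step is the endpoint itself.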