A vulnerability in SSL 3 was found last week and vendors are recommending you turn it off in any browser.
https://zmap.io/sslv3/browsers.html
http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/
Basically, it sounds like SSL 3 is very much dead (even more so than it used to be) at this point.

# Oct 24, 2014 14:55
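A server-side counterpart to the browser advice above, added here as an example (it is not from the linked pages or from any poster): it sends a bare SSL 3.0 ClientHello to a host you operate and reports whether the server answers with an SSL 3.0 ServerHello (SSLv3 still enabled) or with an alert or a dropped connection (SSLv3 off). The cipher-suite list and the command-line interface are my assumptions.

```python
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # protocol version bytes for SSL 3.0
# Cipher suites an SSL 3.0 client of the era would offer (RSA with 3DES/AES/RC4; constructed list).
CIPHER_SUITES = bytes.fromhex("000a002f003500050004")


def build_sslv3_client_hello(client_random=None):
    """Wrap a minimal SSL 3.0 ClientHello (no extensions, null compression) in a handshake record."""
    client_random = client_random or os.urandom(32)
    body = (SSLV3 + client_random
            + b"\x00"                                              # empty session id
            + struct.pack(">H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                                         # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1 = ClientHello, 24-bit length
    return b"\x16" + SSLV3 + struct.pack(">H", len(handshake)) + handshake  # record type 0x16 = handshake


def classify_response(data):
    """Turn the first bytes the server sends back into a verdict."""
    if len(data) < 6:
        return "closed"       # nothing usable came back: the server dropped the connection
    record_type, major, minor, handshake_type = data[0], data[1], data[2], data[5]
    if record_type == 0x15:
        return "rejected"     # alert record, e.g. handshake_failure or protocol_version
    if record_type == 0x16 and handshake_type == 0x02 and (major, minor) == (3, 0):
        return "accepted"     # ServerHello at SSL 3.0: the server still negotiates SSLv3
    return "other"


def probe_sslv3(host, port=443, timeout=5.0):
    """Return 'accepted', 'rejected', 'closed' or 'other' for host:port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{host}:{port} SSLv3 {probe_sslv3(host, port)}")
```

A result of "accepted" means the server still completes an SSL 3.0 handshake and needs its configuration fixed regardless of what the clients do.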
So I've had two customers this week, both with LogMeIn (the only variable I can find they share), who have had new user accounts created on their machines and new data copied to them, like family pictures and poo poo. Anyone else?

# Oct 24, 2014 18:33
Don Lapre posted:
> So I've had two customers this week, both with LogMeIn (the only variable I can find they share), who have had new user accounts created on their machines and new data copied to them, like family pictures and poo poo. Anyone else?

Maybe the LogMeIn equivalent of scanning for port 3389 and trying the hidden administrator account (blank password)? Would seem plausible if an exhaustive look for malware has turned up nothing.

# Oct 25, 2014 12:34
In-laws just dropped off their laptop claiming it has a virus. What's the latest way to safely figure this out without spending any money? My current thinking is:
- Turn off wireless via hardware
- Safe boot (it's Vista)
- Create a USB with another computer with Malwarebytes portable, and some other portable AV.

I think it has Norton on it from 3-4 years ago when I helped them buy it. Thank you in advance for any advice.

# Oct 26, 2014 22:09
Yeah, I would do any bootable media (Linux, whatever). If you have an external HDD enclosure (I got one off of Newegg for $15 or some such) you can hook it up to an external computer. Another way to test is just boot it up and see how it's acting. I've had people claim viruses only to have minor crap and a lot of bloatware where they just installed whatever (and somehow avoided all the really bad crap).

# Oct 26, 2014 22:45
A "virus" I had to recently clean up again - actually a few times - and that is probably not known at all in the non-German-speaking countries of the world is the State-Trojan (I know the translation is a bit wonky). What it does is basically put a picture over your entire PC when you boot up, acting like it is official state software and child porn has been found on your PC. Either pay with Ukash or Paysafe codes or your computer will never be unlocked. It is a hilariously bad virus, but for novices it is of course a shock. There are some nastier alternatives that encrypt your entire HDD, which can be a bit more of a hassle to remove. But the normal version is just live CD and virus program and you are done. Here is how it looks. All it says is you did a bad thing and the police demand a fine now.

# Oct 27, 2014 10:40
There are pretty similar ones for many countries, taking the guise of the local law enforcement agency - it's commonly seen with the FBI logo, for example.

# Oct 27, 2014 11:50
Venusy posted:
> There are pretty similar ones for many countries, taking the guise of the local law enforcement agency - it's commonly seen with the FBI logo, for example.

I particularly like the variant that takes a snapshot with the webcam and presents it as evidence that investigators are monitoring you.

# Oct 27, 2014 11:53
ALL OF YOUR FILES HAVE ALREADY BEEN UPLOADED TO FBI SERVERS JUST OPEN WINDOWS EXPLORER AND NAVIGATE TO THE WEBSITE \\127.0.0.1\C$ FOR PROOF

# Oct 27, 2014 18:33
Bitdefender free edition is being a piece of poo poo and logging me in for about 3 seconds before it logs me out again. Is there any way I can fix this, or should I just be looking for another antivirus?

# Oct 27, 2014 22:35
22 Eargesplitten posted:
> Bitdefender free edition is being a piece of poo poo and logging me in for about 3 seconds before it logs me out again. Is there any way I can fix this, or should I just be looking for another antivirus?

# Oct 28, 2014 10:32
So it looks like someone's setting up a new botnet. I've been seeing infections all over our client base of this thing that calls a bunch of dllhost.exe (in 32-bit mode) and basically eats up all the RAM and tries to contact a bunch of outside servers. None of our traditional tools remove it completely (Combofix, MBAM, MBAR, TDSSKiller, ESET online scanner, Windows Defender Offline, other random poo poo I tried), and roughly 50% of recent threads on bleepingcomputer forums and MBAM forums are about this thing. For now we just flatten and reinstall when we see it, but depending on the client and the user that can be a ton of trouble. Anyone see this yet? Able to clean it up? It even launches itself in safe mode, which is something I've pretty much never seen a virus do. Suddenly I really miss those PC OPTIMIZER PRO or whatever "viruses" that you can basically just uninstall.

# Nov 6, 2014 01:28
I just got a W7 machine with that yesterday. It's being called Poweliks in the scans that returned. FRST was able to identify the reg key calling it (even after offline scans of MSE/MBAM/SAS using a bench machine found little to nothing). Combofix seems to have mopped up those keys that I could not change permissions on and remove.

# Nov 6, 2014 03:38
https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html
Kind of surprising nothing notably damaging has taken advantage of Windows' irregular character display difficulties until now.

# Nov 6, 2014 04:03
Why the gently caress does regedit still not handle Unicode? At least just replace it with "<unknown>" or something so you can actually delete it.

E: For that matter, why the gently caress does PowerShell allow you to compile/run code with [DllImport]s?

Double Punctuation fucked around with this message at 07:22 on Nov 6, 2014

# Nov 6, 2014 07:04
dpbjinc posted:
> Why the gently caress does regedit still not handle Unicode? At least just replace it with "<unknown>" or something so you can actually delete it.

I can create Unicode keys without issues. I guess that specific character is causing problems somehow.

dpbjinc posted:
> E: For that matter, why the gently caress does PowerShell allow you to compile/run code with [DllImport]s?

Because it would be much more useless otherwise?

# Nov 6, 2014 07:50
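A triage check for the pattern the Poweliks posts above describe (an autorun value whose name regedit cannot display, and which starts PowerShell instead of a program), added here as an example; it is not from any poster, nor from G Data, FRST or RogueKiller. It scans a `.reg` export of the Run keys, as a bench tool would produce, and flags value names containing control or non-ASCII characters plus data that launches a script host; the two heuristics, the `SAMPLE_REG` export and the zero-width-space name in it are my own constructions.

```python
import re

# Autorun sections as regedit exports them: "[HKEY_...\CurrentVersion\Run]" or "...\RunOnce]".
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
# Heuristic (my assumption): autorun data that hands off to a script host rather than a program.
SCRIPT_HOST_RE = re.compile(
    r"\b(?:powershell|pwsh)(?:\.exe)?\b.*?(?:-e(?:nc(?:odedcommand)?)?\b|\biex\b|invoke-expression|dllimport)"
    r"|\brundll32(?:\.exe)?\b.*?javascript:|\bmshta\b", re.I)


def has_undisplayable_name(name):
    """regedit shows garbage for, or cannot open, names containing control or non-ASCII characters."""
    return any(not 0x20 <= ord(ch) <= 0x7E for ch in name)


def scan_reg_export(text):
    """Return (key, value_name, reasons) for each suspicious value under a Run key."""
    findings, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # new key header; remember it only if it is a Run key
            match = RUN_KEY_RE.match(line)
            current_key = match.group(1) if match else None
            continue
        if current_key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")           # value lines look like "Name"="data" or @="data"
        name = "(Default)" if name == "@" else name.strip('"')
        data = data.strip('"')
        reasons = []
        if has_undisplayable_name(name):
            reasons.append("value name contains control or non-ASCII characters")
        if SCRIPT_HOST_RE.search(data):
            reasons.append("autorun launches a script host instead of a program")
        if reasons:
            findings.append((current_key, name, reasons))
    return findings


# Constructed sample export: one ordinary entry and one whose name starts with a zero-width space.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
    '"\u200bUpdater"="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA"',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]",
    r'"ShellState"=hex:24,00,00,00',
])

if __name__ == "__main__":
    for key, name, reasons in scan_reg_export(SAMPLE_REG):
        print(f"{key} -> {name!r}: {'; '.join(reasons)}")
```

Printing the name with `!r` is deliberate: it is the only way to see a character that the registry editor itself renders as nothing.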
I dealt with Poweliks last week. I ran Roguekiller in safe mode and that did the trick.
http://www.adlice.com/poweliks-removal-with-roguekiller/
Roguekiller is a loving bro.

Cactus Jack fucked around with this message at 10:49 on Nov 6, 2014

# Nov 6, 2014 10:46
Brut posted:
> So it looks like someone's setting up a new botnet. I've been seeing infections all over our client base of this thing that calls a bunch of dllhost.exe (in 32-bit mode) and basically eats up all the RAM and tries to contact a bunch of outside servers. None of our traditional tools remove it completely (Combofix, MBAM, MBAR, TDSSKiller, ESET online scanner, Windows Defender Offline, other random poo poo I tried), and roughly 50% of recent threads on bleepingcomputer forums and MBAM forums are about this thing. For now we just flatten and reinstall when we see it, but depending on the client and the user that can be a ton of trouble.

I had a user get this, and it only ran when he was logged in, but it didn't manage to do much except be annoying. Restoring to a known-good restore point wiped it out, but nothing I tried would detect it either.

# Nov 6, 2014 16:58
Goddamn, I've been fighting with a computer that has that all week. I'll give Roguekiller a shot, and if that doesn't work I might have to flatten the goddamn thing.

e: Roguekiller looks like it did it, thank christ.

President Ark fucked around with this message at 17:34 on Nov 6, 2014

# Nov 6, 2014 17:00
Cactus Jack posted:
> I dealt with Poweliks last week. I ran Roguekiller in safe mode and that did the trick.

Norton Power Eraser wiped it off a machine I was dealing with yesterday. Combofix got the registry entry, but the infection returned. NPE found some additional drivers and .DLLs.

# Nov 6, 2014 18:05
Does anyone know if Fiddler is used in some types of malware? Someone at a remote office was complaining about getting certificate errors when browsing the web and I found Fiddler certs installed on the computer. The office is about an hour away so for now I had them pull the network cable. The thing is we've been having some, uh, issues at this location and I'm not sure if it was installed intentionally by someone on site or it's just some malware.

# Nov 7, 2014 13:35
Crossbar posted:
> Does anyone know if Fiddler is used in some types of malware? Someone at a remote office was complaining about getting certificate errors when browsing the web and I found Fiddler certs installed on the computer. The office is about an hour away so for now I had them pull the network cable.

I'd proceed on the assumption it was intentionally installed, unless you find overwhelming evidence to the contrary.

# Nov 7, 2014 15:56
Crossbar posted:
> Does anyone know if Fiddler is used in some types of malware? Someone at a remote office was complaining about getting certificate errors when browsing the web and I found Fiddler certs installed on the computer. The office is about an hour away so for now I had them pull the network cable.

I've found that 99% of certificate errors are due to bad date/time on the computer. If it is this Fiddler, it sounds like someone was trying to self-diagnose something.

# Nov 7, 2014 17:21
OpenDNS has/had a feature where if you used their service they would scan your traffic to detect any markers of typical malicious activity (botnets, spam, etc.). I felt this was extremely useful to get an early warning that something had gotten into our small-office network. My problem is that we are not in the US, so using OpenDNS meant a significant latency increase in day-to-day browsing, since most of our requests first had to go to OpenDNS's US servers, then back to us, then finally to the target website. Is there any equivalent service that I can use at a local network level or that doesn't involve using a third-party DNS? Our network structure is basically Modem -> Router -> 5 PCs, all running Windows 7-8.

# Nov 7, 2014 17:39
Crossbar posted:
> Does anyone know if Fiddler is used in some types of malware? Someone at a remote office was complaining about getting certificate errors when browsing the web and I found Fiddler certs installed on the computer. The office is about an hour away so for now I had them pull the network cable.

I know that WinPcap and Wireshark are included as installs for some baddies, but I've never heard of Fiddler getting misused. That said, unless someone was sniffing headers, pulling JSON off the wire, or developing an API interface I don't see why you'd have it.

# Nov 7, 2014 19:52
Scaramouche posted:
> I know that WinPcap and Wireshark are included as installs for some baddies

Can you link me to articles about this please?

# Nov 8, 2014 06:26
tadashi posted:
> A vulnerability in SSL 3 was found last week and vendors are recommending you turn it off in any browser.

I tried to fix Chrome the way the top link said, but it told me the name in the target box is not valid. I can't make it change. I did everything right but the machine won't recognize it. Help please?

Astrofig fucked around with this message at 15:04 on Nov 8, 2014

# Nov 8, 2014 14:51
internet jerk posted:
> Can you link me to articles about this please?

Sorry this fell off the first page and I lost track of it. I don't have any specific examples, but way back in the day (like 2007-8) I used to work for an anti-spyware company and I'd review the new detections and that was stuff that would show up. I actually got some guys shut down because they were bundling WinPcap with their 'app' without using the GPL/attribution. Sorry, it was kind of off the cuff and I have no idea if that's still true today.

# Nov 14, 2014 01:26
http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
This just hit my radar for some apparent reason. Should we be donning our tinfoil hats?

# Nov 25, 2014 03:28
I think everyone who even remotely suspected they might need a tinfoil hat pretty much got vindicated with the whole Snowden / NSA thing. The question isn't 'should we don our tinfoil hats', but rather 'given tinfoil hats don't work, what should we do to protect our privacy'. The only answer I can think of is not to digitize anything truly sensitive. If a digital record of something exists, it can be copied - and for security's sake you should just assume it will be copied. An alternative is to have a machine with no network interfaces, which probably would be secure enough for most normal folks' purposes, but honestly that sounds like a huge pain in the rear end to me, and you'd just get lazy I'm sure. Also, hacking airgapped machines has been demonstrated (cf. BadBIOS last year, and more recent research http://www.wired.com/2014/11/airhopper-hack/ ) - and I'd just assume that if there's some master covert government malware, a framework for infecting airgapped machines is already in place. I mean I'd do it if I were them, so I'm assuming it has already been done. Oh well! We're all hosed, welcome to the digital age.

# Nov 25, 2014 07:15
mindphlux posted:

Stuxnet was designed to hit an Iranian airgapped network. If they want to get you, they will.

# Nov 25, 2014 12:13
Eh, that's all rather speculative. Stuxnet was reported to jump airgaps, only until it was revealed the workers were plugging in unauthorized USB devices, and by their nature the control hardware can't be airgapped anyway - the best you can hope to do is control all access to any control machines.

BadBIOS never existed. Why the guy made it up is anyone's guess, but it's been a whole year and so far the only evidence it ever existed is a researcher going "no i have this virus and it adapts and does magic things like a holographic enemy in Star Trek. Also I can't prove it because reasons nor will I prove it exists in any form whatsoever because more reasons". I still suspect that he made it up to watch tech blogs stumble over each other reporting nonsense, because only one or two reported it as anything other than "this is a thing that actually happened".

AirHopper looks interesting if it exists, though it's Bond-film-style "just attach this transceiver to their computer in this highly guarded security compound" - at which point I would wonder whether you could call a computer with an attached transceiver "air-gapped".

# Nov 25, 2014 15:55
Khablam posted:
> Eh, that's all rather speculative. Stuxnet was reported to jump airgaps, only until it was revealed the workers were plugging in unauthorized USB devices, and by their nature the control hardware can't be airgapped anyway - the best you can hope to do is control all access to any control machines.

quote:
> AirHopper looks interesting if it exists, though it's Bond-film-style "just attach this transceiver to their computer in this highly guarded security compound" - at which point I would wonder whether you could call a computer with an attached transceiver "air-gapped".

The NSA routinely intercepts hardware shipments to embed malicious components inside of them, so I'm guessing this program makes use of it.

# Nov 25, 2014 16:26
I don't think any terminal that had a dirty external USB stick from parts unknown plugged into it still really qualifies as "gapped".

# Nov 25, 2014 18:23
I don't think many of you have ever worked in a high-security environment either.

# Nov 25, 2014 18:27
OSI bean dip posted:
> I don't think many of you have ever worked in a high-security environment either.

We take security very seriously around here. *fills USB ports with hot glue*

# Nov 25, 2014 18:29
uncurable mlady posted:
> We take security very seriously around here. *fills USB ports with hot glue*

That's all fine and dandy, but wait until you see this novel method I have created to send data to the USB port by oscillating the hot glue wad at a specific frequency.

# Nov 25, 2014 19:41
psydude posted:
> It still crossed the airgap by making use of a zero day exploit to bypass the normal autorun exploit. The PLCs were programmed by engineers on the development network, who then transported the instruction sets to the actual production PLCs on the airgapped network. The designers knew this, and designed the malware to take advantage of this aspect.

Disabling autorun isn't "airgapping" - in fact, the literal use of airgapping is specifically to prevent precisely what happened; that something (anything) can be used against you if you allow any contact. The term is completely meaningless if you use it to mean "any attempt to improve security by policy".

OSI bean dip posted:
> I don't think many of you have ever worked in a high-security environment either.

# Nov 25, 2014 20:04
Airgap the cloud

# Nov 25, 2014 20:33
Airgap anyone posting here

# Nov 25, 2014 20:36