What’s Your Computer Thinking About? Examining Random Access Memory (RAM)
December 28, 2016, Robert Meekins, Director, Forensics, Coalfire
How valuable would it be to be able to read another person’s mind? To know what they’re thinking or planning to do would be invaluable. Or, how valuable would it be to know what they have done in the recent past, especially if you believed they were involved in some criminal activity? Who they were talking to, or what they said. If you could recreate the events and determine the timeline of activity, information like this could help you in solving plenty of mysteries.
Ghosts in the Bank
October 27, 2016, John Skipper, Associate Security Consultant, Coalfire Labs
It was a dark night. A car pulled up in the parking space next to me and quickly extinguished his lights. I looked out the my window and saw the driver. He gave me a quick nod and we exited our cars. Opening the trunk I pulled out my tools for the night. A backpack full of trash bags, a flash light, gloves, a tarp and oily rags taken from the garage. We walked in the warm summer air up a hill and to the street corner where the target was finally in view. There was the bank. Tonight was just recon, getting a lay of the land and some dumpster diving. We approached the bank and made a quick walk around the block identifying windows, entries and exits and connecting the dots of what I found on Google Maps. By the cover of trees we started down an embankment towards the dumpster, but we spotted a police car. Trying not to cause any suspicion, we quickly made our way back to the sidewalk and walked away from the bank. My heart was racing. I didn't want to fail even before we started.
To [Hell] Shell and Back
October 27, 2016, Justin Berry, Security Consultant, Coalfire Labs
My initial thought was it has to be the firewall keeping my reverse shell from getting out of their environment. So, leveraging the command execution vulnerability, I started testing outbound internet access from the vulnerable server to my server on the internet, only to find that the port I had been using all along in the initial Metasploit attempt was allowed out. This left me with a sense of disappointed optimism because the firewall isn’t blocking it, but for some reason it isn’t working. “Maybe it’s getting caught by Anti-Virus”, I thought. I used the command execution to generate and execute an FTP script that would download a payload from my server. The logs on my server showed an active download from the target companies network. “.. Excellent..”, I mischievously muttered to myself in my best Mr. Burns impression.
What does the FBI have to say about ransomware
October 03, 2016, Tom Glaser, Healthcare Solutions Architect, Coalfire
The FBI provided guidance on ransomware at a recent FBI/US Secret Service/ISAC event. They defined ransomware as a type of malware that is commonly transmitted through malicious email, which is disguised to look normal. Once the email link has been clicked on, or an email attachment has been opened, the malware installs on the computer. After installation is completed, files on the computer become locked using encryption and cannot be opened without the key. A ransom message is then displayed with information on how to pay the ransom.
Thoughts on BSides Las Vegas 2016
August 22, 2016, John Skipper, Associate Security Consultant, Coalfire Labs
I recently attended “Infosec Week” in Vegas - Black Hat, BSides and DEFCON. BSides is a high point every year. This smaller Con has a plethora of perks which make it a “must attended” and also offers many of the same benefits or advantages or opportunities as Black Hat and DEFCON.