2018 ISACA LA Spring Conference

Hello All. I couldn’t recommend an event more than ISACA Los Angeles’ Spring Conference. This year it is being held April 14-18, 2018 at the Hilton Universal City. It is truly a great event: great speakers, great people, great food, etc. I will be teaching a two-day pre-conference workshop on blue teaming, threat hunting, etc. I hope to see everyone there. Much more fun than boring RSA!!!

Visit ISACA Los Angeles’ conference site for more information on the event and more importantly to register!

If you’re in the DNSAdmin group… you’re golden!

Hello All. Great new Windows bug… no wait, feature. We all know Microsoft has its own DNS server, mainly to support Active Directory. We also know that by default domain controllers are also DNS servers, and DNS servers need to be reachable and usable by nearly every domain user. Essentially, dns.exe runs as SYSTEM on the domain controller. So, thanks to a management flaw, anyone in the DNSAdmin group can get the DNS service to load an arbitrary DLL, which means code running as SYSTEM on a domain controller.

Good write-up – https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
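As an added defender-side example, not code from the post or the linked write-up: a PowerShell audit that lists who is in DnsAdmins and checks every domain controller for a configured ServerLevelPluginDll, the DNS server setting that makes dns.exe load a DLL. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the registry on the DCs over WinRM.

```powershell
# Added audit example (not from the original post or the linked write-up).
# Assumes: ActiveDirectory module available, WinRM access to each domain controller.
# Flags two things a defender cares about: DnsAdmins membership (everyone here can
# reconfigure the DNS service) and any DNS server with a plugin DLL configured.
Import-Module ActiveDirectory

# 1. Enumerate DnsAdmins recursively so nested groups do not hide members.
$members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object Name, SamAccountName, objectClass
Write-Host "DnsAdmins members ($($members.Count)):"
$members | Format-Table -AutoSize

# 2. Read the DNS service parameters on every domain controller.
$dcs = (Get-ADDomainController -Filter *).HostName
$findings = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $val = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll `
                -ErrorAction SilentlyContinue).ServerLevelPluginDll
    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        PluginDll  = $val
        # No value at all is the expected state on a server that uses no plugin.
        Suspicious = -not [string]::IsNullOrEmpty($val)
    }
}
$findings | Format-Table -AutoSize

# 3. Anything flagged deserves a look: a path here is a DLL that dns.exe, running as
#    SYSTEM, will load at the next DNS service start.
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "$($_.Server): ServerLevelPluginDll = $($_.PluginDll)"
}
```

Treat DnsAdmins membership as equivalent to local admin on the domain controllers when reviewing the first list, and baseline the second check so a newly appearing value stands out.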

Meltdown Anyone?!

OK… so that is melted cheese… got your attention though. Who doesn’t love melted cheese? Although we can talk about warm cheddar until the cows come home, this post is about the Meltdown and Spectre exploits and their impact on Intel, ARM, and AMD processors.

As per Windows Central, security researchers have disclosed two new exploits that can be executed against modern processors. Dubbed Meltdown and Spectre, the exploits use similar methods to impact processors from Intel, AMD, and ARM across PCs, mobile devices, and the cloud. The researchers explain:

“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

Meltdown, the researchers say, has only been assessed to impact Intel processors. However, the range of potentially affected processors is vast.

“More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.”

Spectre, on the other hand, appears to have a much wider reach. According to researchers, nearly every type of device is affected by Spectre; it has been verified to work across Intel, AMD, and ARM processors. Spectre is harder to exploit than Meltdown, but researchers caution that it is also harder to guard against.

Fixes are being released as we speak. Apple has already released “mitigations” for iOS and macOS – https://support.apple.com/en-us/HT208394

DHS Subject to Insider Breach

According to the US DHS Office of Inspector General (OIG), DHS has been hit with an insider breach, identified in May 2017 and referred to by the OIG as a “privacy incident,” which resulted in the leak of data on approximately 247,167 current and former DHS employees. It also included an unspecified number of subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014. The data was found on the home computer of one of the three identified insiders.

The data included:

  • Names, Social Security numbers, dates of birth, positions, grades, and duty stations of the employees, and
  • Names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, and addresses of individuals associated with investigations, as well as any personal information they provided in interviews with DHS OIG investigative agents.

According to the OIG, “the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized transfer of data.”

The folks at DHS have noted that they did not send out the notices before December 2017 because “the investigation was complex given its close connection to an ongoing criminal investigation.” Essentially, it took them until November to finish the forensic analysis of the compromised data and assess the risk to affected individuals.