
Security

25K

Solutions

24K

Contributors

Security is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide. Computer systems now include a very wide variety of "smart" devices, including smartphones, televisions and tiny devices as part of the Internet of Things – and networks include not only the Internet and private data networks, but also Bluetooth, Wi-Fi and other wireless networks.


One of the monthly IT Security metrics in my previous place was to show the # of 'High' DDoS alerts for the month (leaving out the Med & Low ones), extracted from Arbor Peakflow of cleanpipe.

Attached is what one such extraction looks like: basically we'll count the # of 'High' alerts.

In my new place, a question was raised as to how this data can be useful as an IT Security metric.

My guess is Audit wants to see a trend (of 6-12 months) of the # of 'High' alerts for DDoS: if it's always about the same, no alarm, but if, say, for a particular month it triples, it's a concern?

Does anyone have any clue how this data (or any other Peakflow data) could be useful for presentation to serve as IT Security metrics?

Does anyone have any Application DDoS security metrics that could be useful as IT Security metrics?
DDoS.jpg
1
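The trend the post describes (count only the 'High' alerts per month and flag a month that jumps well above its recent baseline), as an added example that is not part of the original post. The alert rows are constructed to look like an Arbor Peakflow export; the export's real column layout is an assumption.

```python
"""Monthly count of 'High' DDoS alerts plus a simple spike check over the trend.

Added example, not from the original post. The records below are constructed to
resemble rows of an Arbor Peakflow alert export; the real export columns are an
assumption here."""
from collections import Counter
from statistics import median

# Constructed sample rows: (alert id, importance, start time). Only 'High' is counted,
# matching the metric in the post (Medium and Low are left out).
SAMPLE_ALERTS = [
    ("1001", "High",   "2018-04-03 10:12"),
    ("1002", "Medium", "2018-04-05 21:40"),
    ("1003", "High",   "2018-05-11 02:05"),
    ("1004", "Low",    "2018-05-12 09:30"),
    ("1005", "High",   "2018-06-20 13:00"),
    ("1006", "High",   "2018-07-02 16:45"),
    ("1007", "Medium", "2018-07-19 08:15"),
    ("1008", "High",   "2018-08-08 11:11"),
    ("1009", "High",   "2018-09-01 00:10"),
    ("1010", "High",   "2018-09-14 19:25"),
    ("1011", "High",   "2018-09-22 05:55"),
]
MONTHS = ["2018-04", "2018-05", "2018-06", "2018-07", "2018-08", "2018-09"]


def monthly_high_counts(alerts, months):
    """Return [(month, count of High alerts)] for every month in the reporting window,
    so a quiet month shows as 0 instead of silently dropping out of the trend."""
    counts = Counter(start[:7] for _, importance, start in alerts if importance == "High")
    return [(month, counts.get(month, 0)) for month in months]


def flag_spikes(series, window=3, factor=3.0):
    """Flag months whose count is at least `factor` times the median of the preceding
    `window` months. Using the median keeps one earlier spike from inflating the baseline;
    a month with no history (baseline 0) is never flagged."""
    flagged = []
    for i in range(window, len(series)):
        baseline = median(count for _, count in series[i - window:i])
        month, count = series[i]
        if baseline > 0 and count >= factor * baseline:
            flagged.append(month)
    return flagged


if __name__ == "__main__":
    trend = monthly_high_counts(SAMPLE_ALERTS, MONTHS)
    for month, count in trend:
        print(f"{month}: {count} High alert(s)")
    print("months needing explanation:", flag_spikes(trend))
```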

Has anyone had any luck with removing/recovering from nozelesn ransomware?
0
Q1:
I'm trying to establish if my OfficeScan has OfficeScan's ransomware protection below:

Ransomware Protection Enhancements in OfficeScan 11.0 SP1 Critical Patch 6054
Detection details of the OSCE 11.0 SP1 Critical Patch 6054 Ransomware Prevention Summary widget

The above 2 lines are extracted from the link below:
https://success.trendmicro.com/solution/1111377-enabling-the-ransomware-protection-feature-in-officescan-osce

Q2:
The last screen in the attachment shows Scheduled Scan is disabled: is it a good idea to enable it? I thought to have it enabled either during lunch hours (for users who bring home their laptops) or at night (for users who leave their PCs/laptops powered on in the office at night). I've heard many recommendations that an on-demand scheduled scan is quite essential too. It's just that it's hard to determine which laptops are being brought home.

The attachment is what's shown on my laptop.
TMofficescanver.docx
0
A couple of years back, Trend Micro's .DAT file could be searched (using the find or grep command) for certain malware names.

I'm now using OfficeScan V12.0.1352 & I think the signature file is VsapiNT.sys.

I'm trying to track if globeimposter ransomware is in our current OfficeScan signature & the 2 links below seem to say that TM has documented it quite some time ago:
 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-4th-2017-globeimposter-notpetya-and-more/
 https://www.trendmicro.com/vinfo/in/security/news/cybercrime-and-digital-threats/ransomware-recap-crypshed-spoofs-amazon-in-ransomware-campaign

But when I searched for "glob" (I supposed FakeGlobal, as it's known to Trend Micro, would have it listed in the latest VsapiNT.sys signature), it's not there.
I'd appreciate steps on how to list the malware covered by OfficeScan's signature file:
C:\foren>find/i "glob" *.sys |more

---------- TMPREFLT.SYS

---------- TMXPFLT.SYS

---------- VSAPINT.SYS
GlobalAddAtomA
GlobalAddAtomW
GlobalAlloc
GlobalCompact
GlobalDeleteAtom
GlobalFindAtomA
GlobalFindAtomW
GlobalFix
GlobalFlags
GlobalFree
GlobalGetAtomNameA
GlobalGetAtomNameW
GlobalHandle
GlobalLock
GlobalMemoryStatus
GlobalReAlloc
GlobalSize
GlobalUnWire
GlobalUnfix
GlobalUnlock
GlobalWire
MakeCriticalSectionGlobal
JungUm Global
Corel Global Macro(GMS)
GLOBAL:
GLOBALNE:
GLOBALDOTPROMPT
GLOBAL
GLOBAL.DOT:
GLOBAL:
ExecuteGlobal
Global
0
I have a wildcard security certificate, i.e. *.domainname.com, which is currently on a server.
I am moving my website to the Azure platform. When I ran the PCI scan on a test.domainname.com site on Azure, the PCI scan reported a failure saying:

Title: SSL Certificate with Wrong Hostname

Synopsis: The SSL certificate for this service is for a different host.

Impact: The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Resolution: Purchase or generate a proper certificate for this service.

Data Received: The identities known by SecurityMetrics are : waws-prod-XXX-XXX.api.azurewebsites.windows.net
waws-prod-cw1-005.state.azurewebsites.windows.net
mtest.domianname.com

The Common Name in the certificate is : waws-prod-XXX-XXX.publish.azurewebsites.windows.net

The Subject Alternate Names in the certificate are : waws-prod-cw1-005.ftp.azurewebsites.windows.net
waws-prod-XXX-XXX.publish.azurewebsites.windows.net

Can anyone help here? The certificate I have is a wildcard certificate and test.domainname.com runs OK in the browser.
0
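The CN and SANs the scan reported are Azure platform names, so whatever the scanner connected to never presented the wildcard certificate; a scanner that reaches the service by IP address without SNI, or before the custom hostname is bound to the app, is shown the server's default certificate instead. The check below, an added example and not part of the original post, applies the browser name-matching rules (SANs first, CN only as a fallback, a wildcard covering exactly one label) to the names quoted in the scan; the poster's XXX placeholders are kept as-is.

```python
"""Does a certificate's name set cover the hostname a scanner connected to?

Added example, not from the original post. Implements the usual browser rules
(RFC 6125): SANs are authoritative, CN is only a fallback, and a '*' must be the
whole left-most label and matches exactly one label. The Azure names are the ones
the scan in the post reported, with the poster's XXX placeholders kept."""


def hostname_matches(hostname, name):
    """True if one DNS name from the certificate (possibly '*.example.com') covers hostname."""
    host_labels = hostname.rstrip(".").lower().split(".")
    name_labels = name.rstrip(".").lower().split(".")
    if "*" in name:
        # Only the entire left-most label may be a wildcard, and there must be at least
        # two literal labels after it ('*.com' is never acceptable).
        if name_labels[0] != "*" or any("*" in l for l in name_labels[1:]) or len(name_labels) < 3:
            return False
    if len(host_labels) != len(name_labels):
        return False  # '*' spans one label only: a.test.domainname.com is not covered
    return all(p == "*" or p == h for p, h in zip(name_labels, host_labels))


def cert_covers(hostname, common_name, dns_sans):
    """Check SANs first; fall back to the CN only when the cert carries no DNS SANs."""
    names = dns_sans if dns_sans else [common_name]
    return any(hostname_matches(hostname, n) for n in names)


# Names the PCI scan reported for the Azure endpoint (copied from the post).
SCAN_CN = "waws-prod-XXX-XXX.publish.azurewebsites.windows.net"
SCAN_SANS = [
    "waws-prod-cw1-005.ftp.azurewebsites.windows.net",
    "waws-prod-XXX-XXX.publish.azurewebsites.windows.net",
]
# The poster's wildcard certificate, as it would appear in a SAN list.
WILDCARD_SANS = ["*.domainname.com"]


def explain(hostname, common_name, dns_sans):
    """One-line verdict for a report."""
    covered = cert_covers(hostname, common_name, dns_sans)
    return f"{hostname}: {'covered' if covered else 'NOT covered'} by CN={common_name}, SAN={dns_sans}"


if __name__ == "__main__":
    print(explain("test.domainname.com", SCAN_CN, SCAN_SANS))  # what the scanner saw
    print(explain("test.domainname.com", "*.domainname.com", WILDCARD_SANS))
    print(explain("a.test.domainname.com", "*.domainname.com", WILDCARD_SANS))
```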
Security Badge (HID) Card won't work. We are having an unusual issue with an HID-enabled security card. We have been using a fob (dongle) for many years and we are now changing to the card that we print pictures on. With the new card, it works after being activated, but after two or three times it won't respond! It acts as if the card is not there. It is not as if the card has the wrong permissions; the card simply won't do anything, no beep, no LED indication. We thought it was the printer that prints the pictures on the card, but it wasn't: it worked before printing and after printing. What could that be?
0
Accessing C$ on the network:

I have various reasons for needing to do this.
One has to do with testing / confirming / troubleshooting access from monitoring "server workstations" using things like EventLog Analyzer and GFI LanGuard.

Here is the situation:
Each computer is on a peer-to-peer network and has a common Admin1 User/Password. The server workstation is logged in with that User.
Using the UNC path \\[target_ipaddress]\C$ from the server workstation generally works.
But on some target workstations it does not.
So the task is to resolve the failures and turn them into successes.

Since all of these workstations have been treated fairly equally regarding file sharing, firewall settings, services, etc., it's surprising when failures occur, and I'm hard pressed to find a solution.
I keep asking myself "what's different?" and, while willing, end up searching rather involved descriptions of things that I probably don't need to investigate in such detail.

There are other aspects, but to be fair to the Experts, I'll ask them separately.
But in this case I'll add that the workstations are in 3 subnets, each in workgroups named identically WORKGROUP, routed together with no NetBIOS traffic allowed; there is no inter-subnet name service.
Yet the services I'm trying to troubleshoot DO work across all 3 subnets - just not on every target computer.
(In some cases I'm sure that the checklist of things to "fix" to get the monitoring to work is bigger than it …
0
Are there any tools that can run on Windows 7 which will capture which specific event logs or files (such as log files, or files in general) are updated as a result of certain user actions (e.g. opening certain file types, running applications, plugging in devices, etc.)?
0
MBAM Premium and ESET NOD32 real-time protection clash.
We currently have ESET NOD32 on our computers and we plan on adding Malwarebytes Anti-Malware Premium for additional protection. Aside from performance, is turning on real-time protection on both of them a good idea?
0
I see several references for best practices on managing NTFS permissions and File Shares that state:

"Create a Global Deny group so that when employees leave the company, you can quickly remove all their file server access by making them members of that group."

Makes sense, but I'm curious what others think of this. It seems that if it were at the point that we needed to remove a user's file server access, and thus access to all of the shares that they have, it would be a simple matter of disabling the account. What advantage would there be to putting the user in this group to remove access over just disabling the account?
0

If the last security policy in a zone pair on a Juniper SRX is a permit - is traffic between those zones still DENIED by default?
e.g. if the policy below was the last and only policy for the zone-pair - would all other traffic between those zones get denied?
-
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match source-address td-edgenode01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match destination-address felinni01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-21300
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-22217
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 then permit
0
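On an SRX, policies in a zone pair are evaluated top-down, first match wins, and a flow that matches no policy falls through to the default policy, which is deny-all unless "set security policies default-policy permit-all" has been configured. The evaluator below is an added example, not part of the question or Juniper's code: it parses the five "set" lines above and shows the permitted flow beside one that hits the implicit deny. The address-book entries and the definition of the tcp-21300/tcp-22217 custom applications are assumptions, since the question does not show them.

```python
"""Evaluate SRX zone-pair policies the way the firewall does: first matching policy
wins, and a flow that matches nothing falls through to the default policy, which on
SRX is deny-all unless 'set security policies default-policy permit-all' was configured.

Added example, not from the post. It parses the post's own 'set' lines; the
address-book entries and the tcp-21300/tcp-22217 custom applications are assumptions."""
import re

CONFIG = """
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match source-address td-edgenode01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match destination-address felinni01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-21300
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-22217
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 then permit
"""

# Assumed (constructed) address book and custom applications of the form '<proto>-<port>'.
ADDRESS_BOOK = {"td-edgenode01": "10.1.1.10", "felinni01": "10.2.2.20"}
APPLICATIONS = {"tcp-21300": ("tcp", 21300), "tcp-22217": ("tcp", 22217)}

SET_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")
FIELDS = {"source-address": "src", "destination-address": "dst", "application": "app"}


def parse_policies(config):
    """Return policies in configuration order as (from, to, name) -> match/action dict."""
    policies = {}  # dicts keep insertion order, which is the order the SRX evaluates
    for line in config.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        from_zone, to_zone, name, kind, rest = m.groups()
        pol = policies.setdefault((from_zone, to_zone, name),
                                  {"src": set(), "dst": set(), "app": set(), "action": None})
        if kind == "then":
            pol["action"] = rest.split()[0]   # permit / deny / reject
        else:
            field, value = rest.split(None, 1)
            pol[FIELDS[field]].add(value)     # repeated match lines accumulate (logical OR)
    return policies


def address_matches(names, ip):
    return "any" in names or any(ADDRESS_BOOK.get(n) == ip for n in names)


def app_matches(names, proto, port):
    return "any" in names or any(APPLICATIONS.get(n) == (proto, port) for n in names)


def evaluate(policies, from_zone, to_zone, src_ip, dst_ip, proto, port, default="deny"):
    """Return (action, policy name); 'default-policy' means no configured policy matched."""
    for (fz, tz, name), pol in policies.items():
        if (fz, tz) != (from_zone, to_zone):
            continue
        if (address_matches(pol["src"], src_ip) and address_matches(pol["dst"], dst_ip)
                and app_matches(pol["app"], proto, port)):
            return pol["action"], name
    return default, "default-policy"


if __name__ == "__main__":
    pols = parse_policies(CONFIG)
    print(evaluate(pols, "trustzone", "trustzoneapp", "10.1.1.10", "10.2.2.20", "tcp", 21300))
    print(evaluate(pols, "trustzone", "trustzoneapp", "10.1.1.10", "10.2.2.20", "tcp", 22))
```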
If a user plugs into a windows 7 machine a smartphone or USB device via USB and views an image on the external device, apart from areas like lnk files and jump lists (and presumably certain registry entries) which will show a file name of the image opened, does windows create any sort of thumbnail on the PC's local drive of the image, or is the best you would ever get the date stamp and file name of the image opened, and not an actual thumbnail of the image itself. The filename in itself isn't of much use, but even a thumbnail of the image would be useful. I am just unsure where exactly on the drive that thumbnail may reside once opened.
0
https://www.rackaid.com/blog/email-blacklists/

Refer to the above link: it's said Barracuda has a list of bad IPs: how can we download it?
I would also like to download the SpamHaus & CBL lists, & any others if possible.
0
Hello,

I'm setting up Netwrix Auditor to track mailbox access events.
I launched data collection but always received the status "Completed with warnings or errors": "The user name or password is incorrect".
- In the same way I could get data collection for other objects such as AD, Group Policy, Inactive User Tracking.
- The default Data Processing Account is Domain Administrator.

My environment:
Windows 2012 Std, Exchange Server 2016, Netwrix 6.5

Can anyone guide me?
Thank you!
0
We are considering Splunk, ELK or Apache Metro Hadoop for SIEM.

Q1:
I've encountered nightmares with a top-end SIEM in the past when querying/retrieving data: it took days & even crashed. Which of the above has excellent super-speed log management & querying?

Q2:
I was told by an ex-colleague that ArcSight/Splunk require CEF (Common Event Format) or syslog format to be piped to them, as they can't accept any other format. A vendor using QRadar told me QRadar requires syslog/CEF format inputs too.
I have SNMP traps / MIB events (e.g. from Cisco & proprietary devices) that my ex-colleague told me can't be accepted by Splunk/ArcSight, so I would like to know if any of the 3 above tools are more readily able to accept SNMP/other event formats.

Q3:
I heard that ELK lacks policies, which in the long run will be costlier if we get consultants to customize it: do the other 2 products have this concern?
Also, Splunk Enterprise is licensed by the amount of logs & we're concerned that too many logs (can be 500MB/month) will make the cost high. Weighing customization/set-up PS efforts against licensing costs based on the amount of logs (which I guess we can archive off older logs to reduce the license cost), which of the 3 is more cost-effective?
0
Do MariaDB & MongoDB (I mean the Enterprise Edition) have commercial support (just like RedHat Linux has, while CentOS is user-community support only)?

The concern is if there are security vulnerabilities (which may result in data leaks) or DB corruption/integrity issues. I've heard of banks using MariaDB, but I'm not sure if they house critical data there; I certainly would not want to house critical data on databases that are non-commercially supported, or even if commercially supported, by vendors with a low track record (I deem Oracle & MS as good-track-record DB vendors).

I think MongoDB is a non-relational (i.e. network) DB.

The concern is that if a database is hosting critical data, user-community support is non-committal & patches are not released as regularly as for commercially-supported software, though it's noted MS releases patches monthly, much more than any other commercial vendor.
0
error message

I am trying to replace a batch file that runs an automated upload process with a PowerShell script that provides better security. Currently, the executable in the batch file is run with credentials that are displayed in clear text as part of a switch. I am new to PowerShell and am having difficulty understanding how to call these credentials and apply them to the executable file I am trying to run. There seem to be a lot of posts about applying saved credentials to cmdlets, but little about working with executables. Below is a copy of my current script.
$username = "xxxxxxxx@xx.xxxx.xx.xx"
# Run the pipeline instead of quoting it: quoted, $password holds the literal text of the
# command rather than a SecureString, and the PSCredential constructor below fails.
$password = Get-Content D:\temp\axupload.txt | ConvertTo-SecureString
$mycred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $password
# The exe only accepts a plain-text /W argument, so the password is unwrapped here; it is
# in clear text in this variable and on the process command line for the run.
$securepassword = $mycred.GetNetworkCredential().Password
$exe = "D:\Program Files (x86)\XtenderSolutions\Content Management\IndexImageImport.exe"
$appname = "HR_PERSONNEL_OPTION1"
$specname = "HR_PERSONNEL"
$filename = "\\xxxxxxx\aximport\HR\Weekly_Upload\WCHR10B.AppXtender.20181001.txt"
& $exe /U $username /W $securepassword /A $appname /S $specname /F $filename

Attached is the error message returned by the application. So it does not appear to be getting the needed credentials.
I am trying to understand the correct method to pass user credentials to an older exe application without having these credentials in plain text. I already tried a version of the script using -credential, …
0
Exchange 2010 / Outlook 2010 environment. We applied updates to Exchange over the weekend, and now clients seem to be getting security certificate errors because of it. It may only be coincidental with an expiration date as well - can't be sure. But what we are seeing is a similar issue both with Outlook clients and with iPhone Exchange ActiveSync devices. The Outlook client shows an error saying "The security certificate has expired or is not yet valid". The iPhones give 2 different messages, depending on the person. One message is "Server is not trusted due to invalid certificate" and then allows the user to select "Continue" or "Trust", and they work fine after that. Others, however, do not get that option and say something to the effect of "Certificate has expired"; they aren't presented an option to continue or trust the server, and they're stuck. So - is this an issue on the client side, or on the server side, where I need to recreate the expired certificate? And if I do that, I assume it will upset the 90% of the users that are working. Thanks for your help.
0
My Small Business Server 2011 clients have started getting an error: "Your computer can't connect to the remote computer because a security package error occurred in the transport layer. Retry the connection or contact your network administrator for assistance." Is this a client PC issue, a firewall/router issue, or an RDS (Terminal Server) issue?
Both client devices are less-than-one-year-old Lenovo notebooks running Windows 10 Pro 1803. They have Symantec Cloud Security protection. The firewall/router/UTM is a pfSense that is current with all releases. The RDS server is Windows Server 2008 R2. Both devices worked fine until last Friday.
RDS-security-package-error.png
0

2FA is enabled, the password has already been changed, and I didn't receive any of the security alerts that Gmail sends me whenever I log on from new devices, to check the activity.

Received the below message in my personal Gmail account.

-------------------------------------

Hello!
I'm a member of an international hacker group.

As you could probably have guessed, your account XXXXX@gmail.com was hacked, because I sent message you from your account.

Now I have access to all your accounts!
For example, your password for XXXXX@gmail.com: PASSWORD

Within a period from July 31, 2018 to October 3, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...

Transfer $800 to our Bitcoin wallet: 1F5csJmyf3yJs5s25tZmYKoFXznR452er9
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.

I guarantee that after that, we'll erase all your "data" :)

A timer will start once you read this message. You have 48 hours to pay the …
1
Dear all,

I cannot open a 7zip file because I forgot the password.

Please help.
0
Windows Authentication in Chrome does not work as expected from an AD/Domain environment.

It works perfectly in Firefox after adding http://app.domain.local to network.automatic-ntlm-auth.trusted-uris.

It also works well in Edge and Internet Explorer after adding the URL in Local Intranet - Sites.

I expect it to work in Chrome too. But I am always being prompted. Any ideas?

I have tried with and without the Negotiate security method for Windows Authentication. I am currently using only NTLM.

Chrome version 69.0.3497.100 64-bit.
IIS 8 and MVC (WebForms) (newer version) ASP.NET app
0
Seeing sporadic attempts at different intervals on users' passwords, but in Event 4740 the Caller Computer Name is blank or labeled MSTSC. I need to find out which PC is being targeted or where it's coming from.

What I know is:
MSTSC is not a PC name in our network; it is, however, the command for Remote Desktop, but not a PC name.
There are three types of usernames the attack is targeting. Some of the attempts are on default AD users: administrator and backupuser.
Other attempts are on non-default AD users like ITtech, itsupport, etc.
Only one non-IT, non-default AD user name is appearing in the lockouts, which I'm tracking down to see where this person was and what device they are using.

My environment is that I have a few PCs exposed to the internet for RDP sessions. I've changed all the default RDP ports to a custom port along with port forwarding to match the connection, i.e. 1.1.1.1:5001 for pc1, :5002 for pc2, etc. I know it's a very bad setup, but we are moving away from it very soon. I believe these attacks are coming from these edge devices, but I can't find a way to correlate the info I have to the device being used for the attacks. If I can find the device I can try to apply other security around it to buy some time, and frankly I would like to know why the caller computer name is blank or says mstsc, for my own information. At a minimum I just need to find which entry point the attack is coming from.

Any suggestions?
0
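When the 4740 on the domain controller names no usable caller (blank or MSTSC), the entry point has to come from the RDP hosts themselves: each exposed PC logs a 4625 failed logon, with the source network address, for every bad attempt just before the DC records the lockout. The correlation below is an added example, not part of the post; all event records are constructed, and the field names follow the Windows Security log event XML (TargetUserName, CallerComputerName, IpAddress, LogonType), with "host" added by whatever collected the 4625s.

```python
"""Tie account lockouts (event 4740 on the domain controller) back to the
internet-facing RDP host and source IP, using the 4625 failed-logon events
each exposed host records just before the lockout.

Added example, not from the post. All records are constructed; field names
follow the Windows Security log XML and 'host' is added by the collector."""
from datetime import datetime, timedelta

# Constructed 4740s from the DC: caller blank or 'MSTSC', as described in the post.
LOCKOUTS_4740 = [
    {"time": "2018-10-02 03:14:05", "TargetUserName": "administrator", "CallerComputerName": ""},
    {"time": "2018-10-02 03:20:41", "TargetUserName": "itsupport", "CallerComputerName": "MSTSC"},
    {"time": "2018-10-02 09:02:10", "TargetUserName": "jdoe", "CallerComputerName": "JDOE-LAPTOP"},
]
# Constructed 4625s gathered from the RDP hosts PC1 and PC2. LogonType 10 is
# RemoteInteractive; with NLA enabled the pre-auth failures show up as type 3 instead.
FAILED_4625 = [
    {"host": "PC1", "time": "2018-10-02 03:13:58", "TargetUserName": "administrator", "LogonType": "10", "IpAddress": "203.0.113.45"},
    {"host": "PC1", "time": "2018-10-02 03:14:02", "TargetUserName": "Administrator", "LogonType": "10", "IpAddress": "203.0.113.45"},
    {"host": "PC2", "time": "2018-10-02 03:20:35", "TargetUserName": "itsupport", "LogonType": "3", "IpAddress": "198.51.100.7"},
    {"host": "PC2", "time": "2018-10-02 08:59:00", "TargetUserName": "jdoe", "LogonType": "2", "IpAddress": "127.0.0.1"},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def needs_correlation(lockout):
    """A blank caller or 'MSTSC' names no real host, so the 4740 alone cannot locate the source."""
    caller = lockout["CallerComputerName"].strip().upper()
    return caller in ("", "MSTSC")


def correlate(lockouts, failures, window_seconds=120):
    """Map (lockout time, user) -> [((host, source IP, logon type), count), ...], counting
    the 4625s for that user within `window_seconds` before the lockout, most frequent first."""
    results = {}
    for lockout in lockouts:
        if not needs_correlation(lockout):
            continue
        end = parse_time(lockout["time"])
        start = end - timedelta(seconds=window_seconds)
        hits = {}
        for f in failures:
            if f["TargetUserName"].lower() != lockout["TargetUserName"].lower():
                continue
            if start <= parse_time(f["time"]) <= end:
                key = (f["host"], f["IpAddress"], f["LogonType"])
                hits[key] = hits.get(key, 0) + 1
        results[(lockout["time"], lockout["TargetUserName"])] = sorted(hits.items(), key=lambda kv: -kv[1])
    return results


if __name__ == "__main__":
    for (when, user), sources in correlate(LOCKOUTS_4740, FAILED_4625).items():
        print(f"{when} {user}: {sources or 'no matching 4625 on the RDP hosts'}")
```

A lockout with an empty list means no exposed host saw failures for that user in the window, which points at a source the 4625 collection does not cover.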
In my NET USER overview I see an admin account, a guest account and a WDAGUtilityAccount. According to the settings in Control Panel I am a user, even an Admin, but NET USER doesn't see me. I can log in with my user name. I understand that this WDAGUtilityAccount has to do with Windows Defender and with W10 Enterprise or the Insider program. Neither applies to me. I am on W10 Pro.

I have many problems, particularly with situations where admin permission is required. The command Run as admin doesn't function, also not when I log in as an Admin.

I want to export the contents of my PC to another PC, but that fails time and again for reasons I think have to do with this.
0
Dear all,

Some students use a fake Facebook ID to abuse others. Is there a way to find that person?
I am a director of IT, who has access to all traffic coming in and going out through the campus. My question is, can I find the identity of an individual using a fake Facebook account at the university through the IP address of the device?

I can see the Facebook links accessed by each individual user, but I don't know how to catch someone using a fake Facebook ID through our local IP address.
1