Saturday, January 13, 2018

Holiday blog DFIR wish list - and upcoming "Unauthentic" OSX Malware

I had a list of projects which a nice, long European holiday vacation was sure to inspire; this is what it consisted of.  We enjoyed the wonders of the season: a few short-lived visitors, and a lot of 'new family' fun (way, way, way.... more than expected); followed by a week or so of hard work, and a few more days off.  It is now just a wish-list of which ideas are still to come.  As for other, planned blog posts, as time allows, there is a whole notebook full of those, as well!


-Set up Roblox and play it with junior cherokeejb, including some packet-fun (complete, and analysis in progress). I was really amazed by the breadth of attacks out there regarding the game; there were some write-ups about hijacking the related chat application, and even some network analysis projects in progress on GitHub.

-Set up 2 new Internet Storm Center honeypots (* we did at least start this!)

-share the audio ("nice background study/hack music") from the lounges, which I streamed and dumped live during 34c3 last week (need to check around the community to see if there is a good free host, e.g. on hackint.org or one of the chaos locals' websites); otherwise include this in the BSides SoundCloud project, which started with Springfield but is soon spreading to all the conferences.

-post a walkthrough of the old SANS network forensics poster exercises

-finish and share the remaining videos from BSides Springfield (did make some progress on this as well; many of the videos are finished, just waiting for the correct release order) - note to self: next year make sure to have a video mixer

-set up GitHub and publish some small OSX production scripts, and link to other projects I am using to improve skills - done

-post initial thoughts on completing "Cyber Operations... building, defending, and attacking modern computer networks" by Mike O'Leary, and on the initial skim of "Blue Team Field Manual".  We are reading "Cyber..." in our book club, and David even had the author on the main/USA conference call.  I highly recommend this book, and it sounds like the cyber defense program at Townsend is also off the charts.

-post at least one of the disk forensics write-ups I'd already been working on (did start even more, made a friend/friends happy... zero write-ups :) * note to self: just write in real time on each study night from here on.  Similarly, Bryan shared a great write-up regarding foremost today, as well; this post is from Raj Chandel.

-finish the first round of setup of the "infosecfeeds.org" planet website for infosec podcasts; this always keeps getting pushed to the side, but if I had time it would be fun to use to play more with AWS as well as XML formatting (to RSS, Atom, etc.)

-do a simple OSX disk forensics "recovery" for the average user blog post (*a certain friend of mine would also be very happy about this!) - not done yet

-Share the research so far on the mysterious "Unauthentic" OSX (malware?) that I was discussing on the BrakeSec Slack #Malware channel (* this will for sure be the next post after the Roblox network monitoring post... look for it!).  I had some amazing support on the malware channel regarding this post.  I did make some packet captures and reviewed some data from prior captures, and found some really interesting stuff that may be partially related.  I was really amazed that it may have come from the so-called Hola VPN / Zon networks / Luminati (p2p malware essentially); here is an amazing write-up by Vectra Labs. I also dove into the "Mac Defender" family of malware and the Proton family of malware because of this.  Such interesting work...



...well, with a new baby in the house, priorities shifted a bit, but I did have a ton of fun, and at least we did set up Roblox (packet snorting and all), and that is a fun, ongoing family project; look for a post on that soon as well.  I caught a few episodes of the American TV show "Scorpion".  I must say, just when you think you're starting to learn a few things... there's always someone out there with more blinky blinky on their computer screens!  Just kidding, well... at least we got our priorities straight!

*Happy Holidays everyone*
