CASP Domain 3: Research and Analysis

Research and analysis makes up the third domain of CompTIA Advanced Security Practitioner (CASP, version CAS-002) exam objectives and contributes 18% to the overall exam. CASPs must learn the following vital concepts regarding this domain to take the exam. What Research Methods Do I Need to Know for CASP? As a CASP student, you will […]

The post CASP Domain 3: Research and Analysis appeared first on InfoSec Resources.

CASP Domain 3: Research and Analysis was first posted on March 16, 2018 at 5:16 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at

CASP Domain 2: Risk Management and Incident Response

Risk Management and Incident Response falls under the second domain of the CompTIA Advanced Security Practitioner (CASP, edition CAS-002) exam and contributes 20% to the exam objectives. Before taking the CASP exam, you will need to understand the following concepts about risk management and incident response. What Business and Industry Related Risks Do I Need […]

The post CASP Domain 2: Risk Management and Incident Response appeared first on InfoSec Resources.

CASP Domain 2: Risk Management and Incident Response was first posted on March 16, 2018 at 5:04 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at

CASP Domain 1: Enterprise Security

Enterprise Security falls under the first domain of the CompTIA Advanced Security Practitioner (CASP) exam, version CAS-002, and contributes 30% to the overall percentage of the exam. Below is the comprehensive description of essential Enterprise Security concepts for CASP candidates. What Do I Need to Know About Cryptographic Concepts and Techniques for CASP? The underlying […]

The post CASP Domain 1: Enterprise Security appeared first on InfoSec Resources.

CASP Domain 1: Enterprise Security was first posted on March 16, 2018 at 4:38 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at

Hackers can elevate privileges by hacking into popular text editors

Following recent string of attacks that exploit flawed plugins, researchers at SafeBreach examined 6 popular extensible text editors for unix systems.

Most of the modern text editors allow users to extend their functionalities by using third-party plugins, in this way they are enlarging their attack surface.

Third-party plugins could be affected by vulnerabilities that could be exploited by hackers to target our systems.

The situation is particularly severe in case the flaw affects a plugin for popular software such as WordPress or Windows’ extensions for Chrome, Firefox or Photoshop.

Dor Azouri, a researcher at SafeBreach, has analyzed several popular extensible text editors for both Unix and Linux systems discovered that except for pico/nano all of them are affected by a critical privilege escalation flaw.

“We examined several popular editors for unix environments. Our research shows how these text editors with third-party plugins can be used as another way to gain privilege escalation on a machine. This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it.” states the blog post published by SafeBreach.

“The set of editors that were put to the test include: Sublime, Vim, Emacs, Gedit, pico/nano.”

Emacs text editors

An attacker can exploit the flaw to run malicious code on a victims’ machines running the vulnerable text editor.

“This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it,” reads the paper published by the company. 

“Technical users will occasionally need to edit root-owned files, and for that purpose they will open their editor with elevated privileges, using ‘sudo.’ There are many valid reasons to elevate the privileges of an editor.”

The vulnerability ties the way these text editors load plugins because they don’t properly separate regular and elevated modes when loading plugins.

Attackers with regular user permissions can access the folder permissions to elevate their privileges and execute arbitrary code on the user’s machine.

Azouri suggests Unix users use an open-source host-based intrusion detection system called OSSEC. Of course, users should avoid loading 3rd-party plugins when the editor is elevated and also deny write permissions for non-elevated users.

Below the full list of mitigations provided by the experts:

  • implement OSEC monitoring rules
  • deny write permisions for non-elevated users
  • change folders and file permission models to ensure separation between regular and elevated modes.
  • Prevent loading of 3rd party plugins when an editor is elevated.
  • Provide a manual interface to approve the elevated loading of plugins.

Pierluigi Paganini

(Security Affairs – Text Editors, hacking)

The post Hackers can elevate privileges by hacking into popular text editors appeared first on Security Affairs.

Ex-Hacker Adrian Lamo Dies at Age 37

Adrian Lamo, the hacker who tipped off the FBI about Wikileaks whistleblower Chelsea Manning, dies at the age of 37, according to a Facebook post by his father Mario Lamo-Jiménez. "With great sadness and a broken heart I have to let know all of Adrian's friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son..."  he posted. At this moment

GandCrab ransomware evolves thanks to an AGILE development process

According to Check Point report, the authors of the prolific GandCrab ransomware are continuously improving their malware by adopting the AGILE development process.

Early February experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.

GandCrab raas

The GandCrab was advertised in Russian hacking communities, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine). Security experts believes that the hackers behind the ransomware are likely Russia-based.

It has been estimated that the GandCrab ransomware has managed to infect approximately 50,000 computers, most of them in Europe, in less than a month asking from each victim for ransoms of $400 to $700,000 in DASH cryptocurrency.

Earlier March, a joint operation conducted by Romanian Police and Europol allowed to identify and seize the command-and-control servers tied to the GandCrab ransomware campaigns.

The Romanian Police (IGPR) under the supervision of the General Prosecutor’s Office (DIICOT) and in collaboration with the internet security company Bitdefender and Europol released the GandCrab ransomware decryptor.

Even after the success of the operation conducted by law enforcement, crooks behind the GandCrab ransomware are still active.

According to experts at Check Point security firm, the gang has already infected over 50,000 victims mostly in the U.S., U.K. and Scandinavia. It has been estimated that the revenues in two months have reached $600,000.

GandCrab is the most prominent ransomware of 2018. By the numbers this ransomware is huge,” explained Yaniv Balmas, security research at Check Point. 

Balmas compares the ransomware to the Cerber malware, the expert also added that GandCrab authors are adopting an agile malware development approach, and this is the first time for a malware development.

“For those behind GandCrab, staying profitable and staying one-step ahead of white hats means adopting a never-before-seen agile malware development approach, said Check Point.reported Threat Post.

“Check Point made the assessment after reviewing early incarnations of the GandCrab ransomware (1.0) and later versions (2.0).”

Researchers have analyzed both GandCrab ransomware (1.0) and later versions (2.0) and have deduced that vxers are continuously improving the malicious code adopting an Agile approach.

“The authors started by publishing the least well-built malware that could possibly work, and improved it as they went along. Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile,” reads an upcoming report to be released by Check Point.

The code for early versions of the GandCrab ransomware was affected by numerous bugs, but the development team has fixed them.

According to the researchers, the authors of the GandCrab ransomware doesn’t conduct any campaign, instead they are focused on the development of their malware.

“They have been diligent about fixing issues as they pop up. They are clearly doing their own code review and fixing bugs reported in real-time, but also fixing unreported bugs in a very efficient manner.” explained Michael Kajiloti, team leader, malware research at Check Point.

The researchers believe that future versions will address several major bugs that currently allowed experts to decrypt the files locked by the ransomware.

GandCrab itself is an under-engineered ransomware that manages to still be effective. For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” continues Check Point.

“If you monitor your internet traffic while you are infected for the private key, this means you can easily decrypt your files,” Balmas said. “The private key is encrypted in transit. But it is encrypted using the same password every time. And the password is embedded in the malware code.”

The developers also focused on improving evasion capabilities, a continuous development process like the one used in Agile allows the GandCrab to easily bypass signature-based AV engines.

“Cosmetics and incremental code changes keep the core of the malware behavior essentially the same. This comes to show the core differentiator of dynamic analysis and heuristic-based detection, which is signature-less,” states Check Point report.

“With agile development and the infection rate and affiliates, GandCrab will keep making money,”

Only monitoring the evolution of the threat, we can prevent infections.


Pierluigi Paganini

(Security Affairs – GandCrab RaaS, cybercrime)

The post GandCrab ransomware evolves thanks to an AGILE development process appeared first on Security Affairs.

Who Is Afraid of More Spams and Scams?

Security researchers who rely on data included in Web site domain name records to combat spammers and scammers will likely lose access to that information for at least six months starting at the end of May 2018, under a new proposal that seeks to bring the system in line with new European privacy laws. The result, some experts warn, will likely mean more spams and scams landing in your inbox.

On May 25, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.

In response, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — has proposed redacting key bits of personal data from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses).

Under current ICANN rules, domain name registrars should collect and display a variety of data points when someone performs a WHOIS lookup on a given domain, such as the registrant’s name, address, email address and phone number. Most registrars offer a privacy protection service that shields this information from public WHOIS lookups; some registrars charge a nominal fee for this service, while others offer it for free.

But in a bid to help registrars comply with the GDPR, ICANN is moving forward on a plan to remove critical data elements from all public WHOIS records. Under the new system, registrars would collect all the same data points about their customers, yet limit how much of that information is made available via public WHOIS lookups.

The data to be redacted includes the name of the person who registered the domain, as well as their phone number, physical address and email address. The new rules would apply to all domain name registrars globally.

ICANN has proposed creating an “accreditation system” that would vet access to personal data in WHOIS records for several groups, including journalists, security researchers, and law enforcement officials, as well as intellectual property rights holders who routinely use WHOIS records to combat piracy and trademark abuse.

But at an ICANN meeting in San Juan, Puerto Rico on Thursday, ICANN representatives conceded that a proposal for how such a vetting system might work probably would not be ready until December 2018. Assuming ICANN meets that deadline, it could be many months after that before the hundreds of domain registrars around the world take steps to adopt the new measures.

Gregory Mounier, head of outreach at EUROPOL‘s European Cybercrime Center and member of ICANN’s Public Safety Working Group, said the new WHOIS plan could leave security researchers in the lurch — at least in the short run.

“If you don’t have an accreditation system by 25 May then there’s no means for cybersecurity folks to get access to this information,” Mounier told KrebsOnSecurity. “Let’s say you’re monitoring a botnet and have 10.000 domains connected to that and you want to find information about them in the WHOIS records, you won’t be able to do that anymore. It probably won’t be implemented before December 2018 or January 2019, and that may mean security gaps for many months.”

Rod Rasmussen, chair of ICANN’s Security and Stability Advisory Committee, said ICANN does not have a history of getting things done before or on set deadlines, meaning it may be well more than six months before researchers and others can get vetted to access personal information in WHOIS data.

Asked for his take on the chances that ICANN and the registrar community might still be designing the vetting system this time next year, Rasmussen said “100 percent.”

“A lot of people who are using this data won’t be able to get access to it, and it’s not going to be pretty,” Rasmussen said. “Once things start going dark it will have a cascading effect. Email deliverability is going to be one issue, and the amount of spam that shows up in peoples’ inboxes will be climbing rapidly because a lot of anti-spam technologies rely on WHOIS for their algorithms.”

As I noted in last month’s story on this topic, WHOIS is probably the single most useful tool we have right now for tracking down cybercrooks and/or for disrupting their operations. On any given day I probably perform 20-30 different WHOIS queries; on days I’ve set aside for deep-dive research, I may run hundreds of WHOIS searches.

WHOIS records are a key way that researchers reach out to Web site owners when their sites are hacked to host phishing pages or to foist malware on visitors. These records also are indispensable for tracking down cybercrime victims, sources and the cybercrooks themselves. I remain extremely concerned about the potential impact of WHOIS records going dark across the board.

There is one last possible “out” that could help registrars temporarily sidestep the new privacy regulations: ICANN board members told attendees at Thursday’s gathering in Puerto Rico that they had asked European regulators for a “forbearance” — basically, permission to be temporarily exempted from the new privacy regulations during the time it takes to draw up and implement a WHOIS accreditation system.

But so far there has been no reply, and several attendees at ICANN’s meeting Thursday observed that European regulators rarely grant such requests.

Some registrars are already moving forward with their own plans on WHOIS privacy. GoDaddy, one of the world’s largest domain registrars, recently began redacting most registrant data from WHOIS records for domains that are queried via third-party tools. And experts say it seems likely that other registrars will follow GoDaddy’s lead before the May 25 GDPR implementation date, if they haven’t already.

Mossack Fonseca law firm shuts down operations 2 years after Panama Papers

News of the day is that the Mossack Fonseca law firm would shut down operations due to the reputational damage caused by the Panama Papers security breach.

The Panama Papers is a huge trove of strictly confidential documents from the Panamanian law firm Mossack Fonseca that was leaked online on April 3, 2016.

The Panama Leaks were acquired from a confidential resource by the German paper Süddeutsche Zeitung, which discussed them with the International Consortium of Investigative Reporters (ICIJ). The ICIJ after that discussed them with a huge network of worldwide companions, consisting of the Guardian as well as the BBC.

The entire archive of the firm contains more than 11.5 Million files including 2.6 Terabytes of data related the activities of offshore shell companies used by the most powerful people around the world, including 72 current and former heads of state.

Law enforcement worldwide launched investigations into possible tax evasion and money laundering that might have involved their citizens.

“Last month, Panamanian prosecutors raided the offices of Mossack Fonseca, seeking possible links to Brazilian engineering company Odebrecht. The Brazilian construction firm has admitted to bribing officials in Panama and other countries to obtain contracts in the region between 2010 and 2014.reported CNBC.

“Ramon Fonseca, a partner at Mossack Fonseca, denied last month that his firm had a connection to Odebrecht, while accusing Panamanian President Juan Carlos Varela of directly receiving money from Odebrecht, Latin America’s largest engineering company.”

News of the day is that the company would shut down operations due to the reputational damage caused by the security breach.

“Reputational deterioration, the media campaign, the financial consequences and irregular actions by some Panamanian authorities have caused irreparable damage, resulting in the total ceasing of public operations at the end of this month,” Mossack Fonseca said in a statement.

The company will maintain a smaller group of employees to address requests from authorities and other public and private groups.

As consequence of the incident, the firm had closed most of its offices abroad, but the security breach has also a severe impact on some illustrious customers of the firm.

The Panama Papers case exposed the offshore activities of hundreds of politicians and public figures around the world, including Vladimir Putin and Iceland’s prime minister David Gunnlaugsson.  Gunnlaugsson was forced to resign after it was revealed his family had offshore accounts.

The former Pakistani prime minister Nawaz Sharif was disqualified for life from office for similar reasons.

Panama Papers


Pierluigi Paganini

(Security Affairs – Panama Papers, data breach)

The post Mossack Fonseca law firm shuts down operations 2 years after Panama Papers appeared first on Security Affairs.

Plugins for Popular Text Editors Could Help Hackers Gain Elevated Privileges

Whether you're a developer, designer or a writer, a good text editor always help you save time and make you work more efficiently. For example, I use Sublime a lot while programming because it includes some useful tools like 'syntax highlighting' and 'autocomplete' that every advanced text editor should have. Moreover, these advanced text editors also offer users extensibility, allowing

Warning – 3 Popular VPN Services Are Leaking Your IP Address

Researchers found critical vulnerabilities in three popular VPN services that could leak users' real IP addresses and other sensitive data. VPN, or Virtual Private Network, is a great way to protect your daily online activities that work by encrypting your data and boosting security, as well as useful to obscure your actual IP address. While some choose VPN services for online anonymity and