Category Archive for: ‘Uncategorized’

How to Track Lost Android Phone and Tablet

Your Android devices are among the most important things in your life: they hold your contacts and other important information. If you lose a device, you also lose the sweet memories stored in its photos and videos. But there is some good news to …


MS13-023 – Critical : Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261) – Version: 1.2

Severity Rating: Critical
Revision Note: V1.2 (September 18, 2013): Corrected language in the vulnerability FAQ, How could an attacker exploit the vulnerability? This is an informational change only.
Summary: This sec…


MS13-072 – Important : Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (September 13, 2013): Revised bulletin to announce detection changes for the Microsoft Office 2007 update (2760411) and the Microsoft Word 2010 update (2767913). These are detectio…


MS13-074 – Important : Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (September 13, 2013): Revised bulletin to announce a detection change for the Microsoft Access 2013 (64-bit editions) update (2810009). This is a detection change only. There were …


MS13-073 – Important : Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (September 13, 2013): Revised bulletin to announce detection changes for the Microsoft Excel 2003 update (2810048), Microsoft Excel 2007 update (2760583), Microsoft Excel Viewer up…


MS13-063 – Important : Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2859537) – Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (September 13, 2013): Corrected update replacement for all affected software excluding Windows XP and Windows 8. This is an informational change only.
Summary: This secur…


Bejtlich Teaching at Black Hat West Coast Trainings

I’m pleased to announce that I will be teaching at Black Hat West Coast Trainings 9-10 December 2013 in Seattle, Washington. This is a brand new class, only offered thus far in Las Vegas in July 2013. I posted Feedback from Network Security Monitoring 101 Classes last month as a sample of the student feedback I received.
Several students asked for a more complete class outline. So, in addition to the outline posted currently by Black Hat, I present the following that shows what sort of material I cover in my new class.
Please note that discounted registration ends 11:59 pm EDT October 24th. You can register here. I have only one session available in Seattle and fewer seats than in Las Vegas, so please plan accordingly. Thank you.

Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats. Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a virtual machine. Instructor Richard Bejtlich has taught over 1,000 Black Hat students since 2002, and this brand new, 101-level course will guide you into the world of Network Security Monitoring.


Day One

· Introduction
· Enterprise Security Cycle
· State of South Carolina case study
· Difference between NSM and Continuous Monitoring
· Blocking, filtering, and denying mechanisms
· Why does NSM work?
· When NSM won’t work
· Is NSM legal?
· How does one protect privacy during NSM operations?
· NSM data types
· Where can I buy NSM?

· Break

· SPAN ports and taps
· Making visibility decisions
· Traffic flow
· Lab 1: Visibility in ten sample networks
· Security Onion introduction
· Stand-alone vs server plus sensors
· Core Security Onion tools
· Lab 2: Security Onion installation

· Lunch

· Guided review of Capinfos, Tcpdump, Tshark, and Argus
· Lab 3: Using Capinfos, Tcpdump, Tshark, and Argus

· Break

· Guided review of Wireshark, Bro, and Snort
· Lab 4: Using Wireshark, Bro, and Snort
· Using Tcpreplay with NSM consoles
· Guided review of process management, key directories, and disk usage
· Lab 5: Process management, key directories, and disk usage

Day Two

· Computer incident detection and response process
· Intrusion Kill Chain
· Incident categories
· CIRT roles
· Communication
· Containment techniques
· Waves and campaigns
· Remediation
· Server-side attack pattern
· Client-side attack pattern

· Break

· Guided review of Sguil
· Lab 6: Using Sguil
· Guided review of ELSA
· Lab 7: Using ELSA

· Lunch

· Lab 8: Intrusion Part 1 Forensic Analysis
· Lab 9: Intrusion Part 1 Console Analysis

· Break

· Lab 10: Intrusion Part 2 Forensic Analysis
· Lab 11: Intrusion Part 2 Console Analysis

Students must be comfortable using command line tools in a non-Windows environment such as Linux or FreeBSD. Basic familiarity with TCP/IP networking and packet analysis is a plus.


NSM101 is a LAB-DRIVEN course. Students MUST bring a laptop with at least 8 GB RAM and at least 20 GB free on the hard drive. The laptop MUST be able to run a virtualization product that can CREATE VMs from an .iso, such as VMware Workstation (minimum version 8, 9 is preferred); VMware Player (minimum version 5 — older versions do not support VM creation); VMware Fusion (minimum version 5, for Mac); or Oracle VM VirtualBox (minimum version 4.2). A laptop with access to an internal or external DVD drive is preferred, but not mandatory.

Students SHOULD test the open source Security Onion NSM distro prior to class. Students should try booting the latest version of the 12.04 64-bit Security Onion distribution into live mode. Students MUST ensure their laptops can run a 64-bit virtual machine. For help with this requirement, see the VMware knowledgebase article “Ensuring Virtualization Technology is enabled on your VMware host (1003944)”. Students MUST have the BIOS password for their laptop in the event that they need to enable virtualization support in class. Students MUST also have administrator-level access to their laptop to install software, in the event they need to reconfigure their laptop in class.


Students will receive a paper class handbook with printed slides, a lab workbook, and the teacher’s guide for the lab questions. Students will also receive a DVD with a recent version of the Security Onion NSM distribution.


Richard Bejtlich is Chief Security Officer at MANDIANT. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Prior to GE, he operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation’s Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone’s incident response team, and monitored client networks for Ball Corporation. Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote “The Tao of Network Security Monitoring” and “Extrusion Detection,” and co-authored “Real Digital Forensics.” His latest book is “The Practice of Network Security Monitoring.” He also writes for his blog and Twitter (@taosecurity), and teaches for Black Hat.


Copyright 2003-2012 Richard Bejtlich and TaoSecurity

Kimsuky APT: Operation’s possible North Korean links uncovered

For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is typical of amateur virus-writers.

However, there were a few things that attracted our attention:

  • The public e-mail server in question was Bulgarian –
  • The compilation path string contained Korean characters.

The complete path found in the malware presents some of the Korean strings:


The word “rsh” is, by all appearances, short for “Remote Shell”, and the Korean words translate into English as “attack” and “completion”, i.e.:


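The indicator described above, a compilation (PDB) path embedded in the binary that contains Korean characters, can be checked mechanically rather than by eyeballing `strings` output. The following is an added example and is not code from the original write-up: it scans a buffer for the CodeView RSDS record that Microsoft linkers embed (the `"RSDS"` signature, a 16-byte GUID, a 4-byte age, then a NUL-terminated PDB path), decodes the path (UTF-8 first, then CP949, the codepage used by Korean-language Windows build hosts), and flags any path containing Hangul code points. The sample bytes and the path `C:\build\예제\Release\sample.pdb` (“예제” means “example”) are constructed for this illustration and are not the real path from the malware.

```python
import re
import struct

# Hangul code-point ranges: Jamo, Compatibility Jamo, and precomposed syllables.
HANGUL_RANGES = ((0x1100, 0x11FF), (0x3130, 0x318F), (0xAC00, 0xD7A3))

# CV_INFO_PDB70 layout: "RSDS" (4) + GUID (16) + age (4) + NUL-terminated path.
RSDS_HEADER_LEN = 4 + 16 + 4


def contains_hangul(text: str) -> bool:
    """True if any character of text is a Hangul code point."""
    return any(lo <= ord(ch) <= hi for ch in text for lo, hi in HANGUL_RANGES)


def decode_pdb_path(raw: bytes) -> str:
    """Decode a raw PDB path: UTF-8 first, then CP949 (Korean Windows build hosts)."""
    for codec in ("utf-8", "cp949"):
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            pass
    # Unknown codepage: keep the bytes visible rather than dropping the record.
    return raw.decode("latin-1")


def extract_pdb_paths(blob: bytes) -> list:
    """Return every PDB path carried in an RSDS CodeView record inside blob."""
    paths = []
    for match in re.finditer(b"RSDS", blob):
        start = match.start() + RSDS_HEADER_LEN
        end = blob.find(b"\x00", start)
        if end <= start:  # truncated record or empty path: not a usable hit
            continue
        paths.append(decode_pdb_path(blob[start:end]))
    return paths


def hangul_pdb_paths(blob: bytes) -> list:
    """PDB paths in blob whose text contains Hangul: the indicator discussed above."""
    return [p for p in extract_pdb_paths(blob) if contains_hangul(p)]


def build_sample(path: str, codec: str) -> bytes:
    """Constructed test input: filler bytes, one RSDS record with the given path, more filler."""
    record = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + path.encode(codec) + b"\x00"
    return b"\x90" * 32 + record + b"\x90" * 16


# Constructed sample paths; "예제" means "example" and is NOT the real malware path.
KOREAN_PATH = "C:\\build\\예제\\Release\\sample.pdb"
BENIGN_PATH = "C:\\Users\\dev\\proj\\Release\\app.pdb"

if __name__ == "__main__":
    for codec in ("cp949", "utf-8"):
        print(codec, hangul_pdb_paths(build_sample(KOREAN_PATH, codec)))
    print("benign", hangul_pdb_paths(build_sample(BENIGN_PATH, "utf-8")))
```

Two caveats a practitioner should keep in mind: scanning for the raw signature instead of walking the PE debug directory is fast and works on memory dumps and carved fragments, but an arbitrary `RSDS` byte sequence in data can produce a spurious hit, so treat a match as a lead to confirm against the PE headers; and a PDB path is trivially stripped or forged at build time, so its language is a hint for attribution, never proof of it.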
We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:

The Sejong Institute
The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.

MS13-077 – Important : Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (September 11, 2013): Updated the Known Issues entry in the Knowledge Base Article section from “None” to “Yes”.
Summary: This security update resolves a privately report…


Microsoft Updates September 2013 – Critical Server and Client Side RCE Vulnerabilities in IE, Outlook, Built-in Windows Components and Sharepoint

Microsoft released a long list of security bulletins this month, on both the server and client side, patching an even longer list of vulnerabilities across its technologies. Only four of the bulletins are rated “critical” this month: Internet Explor…
