search menu icon-carat-right cmu-wordmark

Archive: 2018

DGA Domains with SSL Certificates?  Why?

DGA Domains with SSL Certificates? Why?

• CERT/CC Blog
Leigh Metcalf

CertStream is a free service for getting information from the Certificate Transparency Log Network. I decided to investigate the presence of domains generated by Domain Generation Algorithms (DGA) in this stream and I found some intersting phenomena....

Read More
Towards Improving CVSS

Towards Improving CVSS

• CERT/CC Blog
Deana Shick

If you are a software vendor, IT administrator, or CSIRT team, you are probably using the Common Vulnerability Scoring System (CVSS) in one way or another. The CERT/CC recently published a white paper entitled Towards Improving CVSS that outlines what we consider to be major challenges with the standard and discusses some ways forward. This post is a summary of that paper; if you are interested, please review the full paper for an elaboration of...

Read More
New SEI CERT Tool Extracts Artifacts from Free Text for Incident Report Analysis

New SEI CERT Tool Extracts Artifacts from Free Text for Incident Report Analysis

• CERT/CC Blog
Matthew Sisk

This post is co-authored with Sam Perl. The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University recently released the Cyobstract Python library as an open source tool. You can use it to quickly and efficiently extract artifacts from free text in a single report, from a collection of incident reports, from threat assessment summaries, or any other textual source....

Read More
Life Beyond Microsoft EMET

Life Beyond Microsoft EMET

• CERT/CC Blog
Will Dormann

Approximately eight years ago (September 2010), Microsoft released EMET (Enhanced Mitigation Experience Toolkit) 2.0. In the world of software defenders, there was much rejoicing. EMET allows users to not be at the mercy of their software vendors when it comes to opting in to vulnerability exploit mitigations. As we fast-forward to November 2016, Microsoft released a blog post called Moving Beyond EMET, which announced the end-of-life (EOL) date of EMET and explained why Windows 10...

Read More
When

When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults

• CERT/CC Blog
Will Dormann

As a vulnerability analyst at the CERT Coordination Center, I am interested not only in software vulnerabilities themselves, but also exploits and exploit mitigations. Working in this field, it doesn't take too long to realize that there will never be an end to software vulnerabilities. That is to say, software defects are not going away. For this reason, software exploit mitigations are usually much more valuable than individual software fixes. Being able to mitigate entire...

Read More
Cache Poisoning of Mail Handling Domains Revisited

Cache Poisoning of Mail Handling Domains Revisited

• CERT/CC Blog
Leigh Metcalf

In 2014 we investigated cache poisoning and found some in some damaging places, like mail-handling domains. It can't be assumed behaviors on the internet continue unchanged, so I wanted to repeat the measurement. I used our same passive DNS data source and the same method, but now four years later, to investigate this question....

Read More
ACM Digital Threats: Research and Practice... and Columns!

ACM Digital Threats: Research and Practice... and Columns!

• CERT/CC Blog
Leigh Metcalf

We at CERT are very proud of our collaboration with ACM to create the journal ACM Digital Threats: Research and Practice. One of the goals of the journal is to facilitate the communication between researchers and practitioners in the field of Cybersecurity. We have two columns to aid us in achieving this goal....

Read More
Announcing CERT Tapioca 2.0 for Network Traffic Analysis

Announcing CERT Tapioca 2.0 for Network Traffic Analysis

• CERT/CC Blog
Will Dormann

A few years ago, I announced the release of CERT Tapioca for MITM Analysis. This virtual machine was created for the purpose of analyzing Android applications to find apps that don't validate SSL certificates. Since the original release of Tapioca, we have received a request to make it easier to use and add some additional features. The new version of CERT Tapioca improves on the original in multiple ways in that it offers the following:...

Read More
Automatically Stealing Password Hashes with Microsoft Outlook and OLE

Automatically Stealing Password Hashes with Microsoft Outlook and OLE

• CERT/CC Blog
Will Dormann

Back in 2016, a coworker of mine was using CERT BFF, and he asked how he could turn a seemingly exploitable crash in Microsoft Office into a proof-of-concept exploit that runs calc.exe. Given Address Space Layout Randomization (ASLR) on modern Windows platforms, this isn't as easy as it used to be. One strategy to bypass ASLR that is possible in some cases is to leverage a memory leak to disclose memory addresses. Another strategy that...

Read More
The Curious Case of the Bouncy Castle BKS Passwords

The Curious Case of the Bouncy Castle BKS Passwords

• CERT/CC Blog
Will Dormann

While investigating BKS files, the path I went down led me to an interesting discovery: BKS-V1 files will accept any number of passwords to reveal information about potentially sensitive contents! In preparation for my BSidesSF talk, I've been looking at a lot of key files. One file type that caught my interest is the Bouncy Castle BKS (version 1) file format. Like password-protected PKCS12 and JKS keystore files, BKS keystore files protect their contents from...

Read More
Declaring War on Cyber Terrorism...or Something Like That

Declaring War on Cyber Terrorism...or Something Like That

• CERT/CC Blog
Leigh Metcalf

This post is co-authored by Deana Shick, Eric Hatleback and Leigh Metcalf Buzzwords are a mainstay in our field, and "cyberterrorism" currently is one of the hottest. We understand that terrorism is an idea, a tactic for actor groups to execute their own operations. Terrorists are known to operate in the physical world, mostly by spreading fear with traditional and non-traditional weaponry. As information security analysts, we also see products where "terrorists" are ranked in...

Read More