Investigation and Solution | Vtiger Vulnerability (Elastix) | Infosecwithme Blog

8:38 PM



As part of the SOC team, we observed an attacker from outside trying to exploit a Vtiger CRM vulnerability that was disclosed in 2012.

Specifically, the attacker was trying to read one file, amportal.conf, which holds all of the system's password information; the same flaw can probably be used to view almost any file on the system.
Here is a brief explanation.
About Vtiger:

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.

II. DESCRIPTION
Multiple Vulnerabilities exist in Vtiger CRM software.

III. ANALYSIS
Summary:
 A) Remote Code Execution (RCE) Vulnerability
 B) Local File Inclusion (LFI) Vulnerability (pre-auth)
 C) Cross Site Scripting (XSS) Vulnerabilities (pre-auth, reflected)
 D) Cross Site Scripting (XSS) Vulnerabilities (post-auth, reflected)

Request we observed:

https://myipadddress/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf

When a user browses to this URL, amportal.conf is displayed, including every password stored in it.
Clearly the sortfieldsjson.php script is being used to read amportal.conf, and it can probably be used to view almost any file on the system.
Disclosure Date: 2012-03-21
Exploit Publish Date: 2012-03-21

Description:
Vtiger CRM contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the sortfieldsjson.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g. /../) supplied via the 'module_name' parameter. This directory traversal attack would allow the attacker to read arbitrary files.
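The flaw is the classic pattern of joining a request parameter straight into a filesystem path. The Python below is an added example, not Vtiger's code: it shows that pattern beside a hardened version (an allowlist on the parameter plus a check that the resolved path stays under the module directory) and a small detector that pulls traversal attempts, raw or URL-encoded, out of web-server access logs. MODULE_DIR, the log lines and the client addresses are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical base directory for module files; the real Vtiger layout is not assumed.
MODULE_DIR = "/var/www/vtigercrm/modules"


def vulnerable_module_path(module_name: str) -> str:
    """The pattern the advisory describes: the request parameter is joined
    straight into a filesystem path, so '../' sequences escape MODULE_DIR."""
    return os.path.join(MODULE_DIR, module_name)


def safe_module_path(module_name: str):
    """Hardened form: accept only a plain identifier, then verify that the
    resolved path is still inside MODULE_DIR. Returns None when rejected."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", module_name):
        return None
    base = os.path.realpath(MODULE_DIR)
    candidate = os.path.realpath(os.path.join(base, module_name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Traversal markers as they appear raw or URL-encoded in a request line.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f", re.IGNORECASE)


def find_traversal_attempts(log_lines):
    """Return (client_ip, url) for each combined-format access-log line whose
    request URL contains a traversal sequence, raw or (double-)URL-encoded."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request_fields = parts[1].split()   # e.g. ['GET', '/path?x=y', 'HTTP/1.1']
        if len(request_fields) < 2:
            continue
        url = request_fields[1]
        decoded = unquote(unquote(url))     # two passes catch double encoding
        if TRAVERSAL.search(url) or TRAVERSAL.search(decoded):
            hits.append((line.split()[0], url))
    return hits


# Constructed sample access-log lines (not real traffic); the first URL is the
# request quoted in the post, the third is the same request URL-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2012:10:11:12 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf HTTP/1.1" 200 1834',
    '198.51.100.3 - - [21/Mar/2012:10:11:13 +0000] "GET /vtigercrm/index.php?module=Home HTTP/1.1" 200 9021',
    '203.0.113.7 - - [21/Mar/2012:10:11:14 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=%2e%2e%2f%2e%2e%2fetc%2famportal.conf HTTP/1.1" 200 1834',
]

if __name__ == "__main__":
    print("rejected:", safe_module_path("../../../../etc/amportal.conf"))
    for ip, url in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", url)
```

The allowlist is the important half of the fix: realpath checks alone can be bypassed on some platforms by encoding tricks, whereas a strict identifier pattern never lets a separator through. On the detection side, a 200 response to such a request (as in the first sample line) is the signal that the server actually served the file, which is what distinguishes a successful read from a blocked probe.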

Recommendation:
  • Check the version of Vtiger you are running and update or patch it.
  • I strongly recommend that if you run Elastix (which includes Vtiger even if you don't use it) you do one of the following:

    • Limit access to your server's web interface to specific IP addresses only.
    • If you don't use Vtiger, disable access to the interface by running.
Upgrading Elastix? Read this FAQ: elx.ec/upgfaq

Elastix Docs: elx.ec/elastixtutorials, www.elastixconnection.com

Elastix Fault Finding Guide: elx.ec/faultfind


Root Cause Analysis:
After a proper investigation we found that the attack shown above targets Vtiger on a Linux platform, while the server in question runs a Windows-based OS, and we confirmed that Vtiger is not used in our environment. I also personally investigated that particular server.

Share Your Knowledge................................by comment

Investigation and Solution | Vtiger Vulnerability (Elastix) | Infosecwithme Blog Investigation and Solution | Vtiger Vulnerability (Elastix) | Infosecwithme Blog Reviewed by BlackHat on 8:38 PM Rating: 5

List of HTTP status codes/IIS error Codes | Infosecwithme Blog

8:37 PM





These codes are very important when analysing a hacking attempt or incident involving a web server.

When you drill down to the raw event, these codes appear in it and help you analyse the incident more precisely.


The following is a list of Hypertext Transfer Protocol (HTTP) response status codes. The first digit of the status code specifies one of five classes of response; the bare minimum for an HTTP client is that it recognises these five classes. The phrases used are the standard examples, but any human-readable alternative can be provided. Unless otherwise stated, the status code is part of the HTTP/1.1 standard.


The Internet Assigned Numbers Authority (IANA) maintains the official registry of HTTP status codes.


Microsoft IIS sometimes uses additional decimal sub-codes to provide more specific information,[1] but these are not listed here.




4xx Client Error

The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These status codes are applicable to any request method.

400 Bad Request
The request cannot be fulfilled due to bad syntax.

401 Unauthorized
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.

402 Payment Required
Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used. As an example of its use, however, Apple's MobileMe service generates a 402 error if the MobileMe account is delinquent. In addition, YouTube uses this status if a particular IP address has made excessive requests, and requires the person to enter a CAPTCHA.

403 Forbidden
The request was a valid request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference. On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).

404 Not Found
The requested resource could not be found but may be available again in the future. Subsequent requests by the client are permissible.

405 Method Not Allowed
A request was made of a resource using a request method not supported by that resource; for example, using GET on a form which requires data to be presented via POST, or using PUT on a read-only resource.

406 Not Acceptable
The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.
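When these codes are used for incident analysis, the per-client distribution matters more than any single line. The Python below is an added example (not from the original post): it parses combined-format access-log lines, buckets each response by its status class, and flags clients whose share of 4xx responses is unusually high, which is a crude but useful signal of scanning or forced browsing. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# The five HTTP status classes, keyed by the first digit of the code.
STATUS_CLASSES = {
    1: "Informational", 2: "Success", 3: "Redirection",
    4: "Client Error", 5: "Server Error",
}

# Combined/common log format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def status_class(code: int) -> str:
    """Map a status code to its class; anything outside 1xx-5xx is 'Unknown'."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "request": m["req"], "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"])}


def summarize_by_client(lines):
    """Count responses per client IP, bucketed by status class."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]][status_class(rec["status"])] += 1
    return per_ip


def flag_error_heavy_clients(lines, min_requests=5, error_ratio=0.6):
    """Clients whose 4xx share is unusually high: a crude signal of scanning,
    forced browsing or credential guessing that deserves a closer look."""
    flagged = []
    for ip, counts in summarize_by_client(lines).items():
        total = sum(counts.values())
        if total >= min_requests and counts["Client Error"] / total >= error_ratio:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.3 - - [10/May/2015:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.3 - - [10/May/2015:08:01:05 +0000] "GET /css/site.css HTTP/1.1" 200 803',
    '198.51.100.3 - - [10/May/2015:08:01:09 +0000] "GET /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/May/2015:08:02:00 +0000] "GET /admin/ HTTP/1.1" 404 233',
    '203.0.113.7 - - [10/May/2015:08:02:01 +0000] "GET /old/ HTTP/1.1" 404 233',
    '203.0.113.7 - - [10/May/2015:08:02:01 +0000] "GET /backup.zip HTTP/1.1" 404 233',
    '203.0.113.7 - - [10/May/2015:08:02:02 +0000] "GET /config/ HTTP/1.1" 403 199',
    '203.0.113.7 - - [10/May/2015:08:02:03 +0000] "GET /test/ HTTP/1.1" 404 233',
    '203.0.113.7 - - [10/May/2015:08:02:04 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, counts in summarize_by_client(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("error-heavy clients:", flag_error_heavy_clients(SAMPLE_LOG))
```

The ratio threshold and minimum request count should be tuned per site; a busy public site will have a much lower natural 4xx rate than an internal application, and a single client generating mostly 404s and 403s is a better lead than any one status line on its own.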

If you need to know more about error codes, please refer to the link below.

Reference Link:




Firewall Event analysis : Teardown TCP connection | Infosecwithme Blog

8:36 PM




I analysed the normalized rule "Teardown TCP connection" and observed that every event from this alert carries the event subtype 'STOP'. This means the TCP connection was torn down (dropped) at the firewall.

Log details (examples):
<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001055 for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36706 duration 0:00:00 bytes 526 TCP FINs
<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001181 for DMZ:10.10.10.6/20411 to Trust:105.70.81.170/445 duration 0:00:00 bytes 1571 TCP Reset-O

Q. When does the alert trigger?

Whenever a connection/communication request reaches the firewall, it generates the event "Built inbound/outbound TCP connection" with event subtype 'START'. The firewall then processes the request according to the ACL/policy applied to it:
1.  If the request is valid, it allows the request.
2.  If the request is invalid, it denies/rejects (STOPs) it.
2.1  Once it is stopped, refer to the TCP termination reason (the text at the end of the teardown message, e.g. "TCP FINs" or "TCP Reset-O") to find out the cause.

Advantages:

1. From a SOC monitoring and analyst perspective, it is important to look for the STOP event whenever a Built connection is observed.
        At the initial stage, it tells you whether the connection was allowed or not.
2. It helps in building correlation rules, e.g. for DoS attempts.
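As an added example (not part of the post), the Python below parses %ASA-6-302014 teardown messages like the ones shown above into their fields (connection id, interfaces, addresses, ports, duration, byte count and termination reason) and shows the kind of correlation the post mentions: counting zero-duration teardowns per peer address as a candidate DoS/scan rule. The two log lines from the post are reused; the remaining lines, the peer address 192.0.2.50 and the threshold are constructed.

```python
import re
from collections import Counter

# %ASA-6-302014 teardown message; field names follow the order printed in the log
# ("for <a> to <b>"), without assuming which side initiated the connection.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<if_a>[^:]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[^:]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def duration_seconds(text: str) -> int:
    """Convert the H:MM:SS duration field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_teardown(line: str):
    """Return the teardown fields as a dict, or None if the line is another message type."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn_id", "port_a", "port_b", "bytes"):
        rec[key] = int(rec[key])
    rec["seconds"] = duration_seconds(rec["duration"])
    return rec


def short_lived_peers(lines, max_seconds=0, threshold=3):
    """Count teardowns per 'to' address whose connection lasted at most
    max_seconds; peers at or above threshold are candidates for a DoS or
    scan correlation rule (many zero-length connections torn down in bulk)."""
    counts = Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec and rec["seconds"] <= max_seconds:
            counts[rec["ip_b"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# The two lines quoted in the post, three constructed teardown lines from one
# peer, and one constructed "Built" (302013) line that the parser must ignore.
SAMPLE_LOG = [
    "<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001055 for DMZ:10.10.10.2/80 to Trust:190.76.49.144/36706 duration 0:00:00 bytes 526 TCP FINs",
    "<166>May 03 2015 14:23:38: %ASA-6-302014: Teardown TCP connection 858001181 for DMZ:10.10.10.6/20411 to Trust:105.70.81.170/445 duration 0:00:00 bytes 1571 TCP Reset-O",
    "<166>May 03 2015 14:23:39: %ASA-6-302014: Teardown TCP connection 858001190 for DMZ:10.10.10.2/80 to Trust:192.0.2.50/40001 duration 0:00:00 bytes 0 TCP Reset-O",
    "<166>May 03 2015 14:23:39: %ASA-6-302014: Teardown TCP connection 858001191 for DMZ:10.10.10.2/80 to Trust:192.0.2.50/40002 duration 0:00:00 bytes 0 TCP Reset-O",
    "<166>May 03 2015 14:23:40: %ASA-6-302014: Teardown TCP connection 858001192 for DMZ:10.10.10.2/80 to Trust:192.0.2.50/40003 duration 0:00:00 bytes 0 TCP Reset-O",
    "<166>May 03 2015 14:23:40: %ASA-6-302013: Built inbound TCP connection 858001200 for Trust:192.0.2.51/50000 (192.0.2.51/50000) to DMZ:10.10.10.2/80 (10.10.10.2/80)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_teardown(line)
        if rec:
            print(rec["conn_id"], rec["ip_a"], rec["port_a"], "->", rec["ip_b"],
                  rec["port_b"], rec["seconds"], "s", rec["bytes"], "bytes", rec["reason"])
    print("short-lived peers:", short_lived_peers(SAMPLE_LOG))
```

Joining the teardown to its Built message by connection id gives the full lifetime of a flow; the bytes and reason fields are usually enough on their own to tell a normal close ("TCP FINs") from connections that never carried data.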







Top 15 Indicators Of Compromise | Infosecwithme Blog

8:34 PM

Unusual account behaviours, strange network patterns, unexplained configuration changes, and odd files on systems can all point to a potential breach

In the quest to detect data breaches more quickly, indicators of compromise can act as important breadcrumbs for security pros watching their IT environments. Unusual activity on the network or odd clues on systems can frequently help organizations spot attacker activity on systems more quickly so that they can either prevent an eventual breach from happening -- or at least stop it in its earliest stages.
According to the experts, here are some key indicators of compromise to monitor (in no particular order):
1. Unusual Outbound Network Traffic
Perhaps one of the biggest telltale signs that something is amiss is when IT spots unusual traffic patterns leaving the network.
"A common misperception is that traffic inside the network is secure," says Sam Erdheim, senior security strategist for AlgoSec. "Look for suspicious traffic leaving the network. It's not just about what comes into your network; it's about outbound traffic as well."
Considering that the chances of keeping an attacker out of a network are difficult in the face of modern attacks, outbound indicators may be much easier to monitor, says Geoff Webb, director of solution strategy for NetIQ.
"So the best approach is to watch for activity within the network and to look for traffic leaving your perimeter," he says. "Compromised systems will often call home to command-and-control servers, and this traffic may be visible before any real damage is done."
2. Anomalies In Privileged User Account Activity
The name of the game for a well-orchestrated attack is for attackers to either escalate privileges of accounts they've already compromised or to use that compromise to leapfrog into other accounts with higher privileges. Keeping tabs on unusual account behavior from privileged accounts not only watches out for insider attacks, but also account takeover.
"Changes in the behavior of privileged users can indicate that the user account in question is being used by someone else to establish a beachhead in your network," Webb says. "Watching for changes -- such as time of activity, systems accessed, type or volume of information accessed -- will provide early indication of a breach."
3. Geographical Irregularities
Whether through a privileged account or not, geographical irregularities in log-ins and access patterns can provide good evidence that attackers are pulling strings from far away. For example, traffic between countries that a company doesn't do business with offers reason for pause.
"Connections to countries that a company would normally not be conducting business with [indicates] sensitive data could be siphoned to another country," says Dodi Glenn, director of security content management for ThreatTrack Security.
Similarly, when one account logs in within a short period of time from different IPs around the world, that's a good indication of trouble.
"As to data-breach clues, one of the most useful bits I've found is logs showing an account logging in from multiple IPs in a short time period, particularly when paired with geolocation tagging," says Benjamin Caudill, principal consultant for Rhino Security. "More often than not, this is a symptom of an attacker using a compromised set of credentials to log into confidential systems."
4. Other Log-In Red Flags
Log-in irregularities and failures can provide excellent clues of network and system probing by attackers.
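Item 3 above and this item describe checks that reduce to a few passes over authentication logs. The Python below is an added example, not from the article or the vendors quoted in it: over a constructed list of login events it flags accounts that logged in successfully from different IPs within a short window, failed logins against usernames that do not exist, and successful after-hours logins by accounts not on an allowlist. The events, usernames, addresses, business hours and allowlist are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed authentication events (not real data): (timestamp, user, source IP, outcome).
EVENTS = [
    ("2015-05-10 09:00:00", "jdoe",          "10.0.0.5",      "success"),
    ("2015-05-10 09:12:00", "jdoe",          "198.51.100.20", "success"),
    ("2015-05-10 11:30:00", "asmith",        "10.0.0.9",      "success"),
    ("2015-05-10 23:30:00", "asmith",        "10.0.0.9",      "success"),
    ("2015-05-10 02:10:00", "svc_backup",    "10.0.0.30",     "success"),
    ("2015-05-10 12:00:00", "administrator", "203.0.113.7",   "failure"),
    ("2015-05-10 12:00:02", "test",          "203.0.113.7",   "failure"),
    ("2015-05-10 12:00:04", "administrator", "203.0.113.7",   "failure"),
    ("2015-05-10 12:00:06", "jdoe",          "203.0.113.7",   "failure"),
]
KNOWN_USERS = {"jdoe", "asmith", "svc_backup"}       # hypothetical directory
AFTER_HOURS_OK = {"svc_backup"}                       # accounts expected to run at night


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def multi_ip_logins(events, window=timedelta(minutes=30)):
    """Accounts with successful logins from different IPs within `window`
    (the 'same account, several IPs in a short time' indicator)."""
    by_user = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "success":
            by_user[user].append((_ts(ts), ip))
    flagged = {}
    for user, logins in by_user.items():
        for (t1, ip1), (t2, ip2) in combinations(sorted(logins), 2):
            if ip1 != ip2 and abs(t2 - t1) <= window:
                flagged.setdefault(user, set()).update({ip1, ip2})
    return flagged


def failed_logins_unknown_accounts(events, known_users):
    """Failures for accounts that do not exist: a credential-guessing signal."""
    return Counter(user for ts, user, ip, outcome in events
                   if outcome == "failure" and user not in known_users)


def after_hours_logins(events, start_hour=8, end_hour=19, allow=frozenset()):
    """Successful logins outside [start_hour, end_hour) by accounts not on the allowlist."""
    return [(user, ts) for ts, user, ip, outcome in events
            if outcome == "success" and user not in allow
            and not (start_hour <= _ts(ts).hour < end_hour)]


if __name__ == "__main__":
    print("multi-IP logins:", multi_ip_logins(EVENTS))
    print("failed logins for unknown accounts:", failed_logins_unknown_accounts(EVENTS, KNOWN_USERS))
    print("after-hours logins:", after_hours_logins(EVENTS, allow=AFTER_HOURS_OK))
```

The multi-IP check pairs well with geolocation: two private addresses in one window may just be a laptop moving between Wi-Fi and VPN, while a private address followed minutes later by a public one in another country is the pattern the article is describing.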
"Check for failed logins using user accounts that don't exist -- these often indicate someone is trying to guess a user's account credentials and gain authorization," says Scott Pierson, product specialist for Beachhead Solutions, explaining that unusual numbers of failed log-ins for existing accounts should also be a red flag.
Similarly, attempted and successful log-in activity after hours can provide clues that it isn't really an employee who is accessing data.
"If you see John in accounting logging onto the system after work hours and trying to access files for which he is not authorized, this bears investigation," says A.N. Ananth, CEO of EventTracker.
5. Swells In Database Read Volume 
Once an attacker has made it into the crown jewels and seeks to exfiltrate information, there will be signs that someone has been mucking about data stores. One of them is a spike in database read volume, says Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks.
"When the attacker attempts to extract the full credit card database, it will generate an enormous amount of read volume, which will be way higher than you would normally see for reads on the credit card tables," he says.
6. HTML Response Sizes
Adams also says that if attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request.
"For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB," he says.
7. Large Numbers Of Requests For The Same File
It takes a lot of trial and error to compromise a site -- attackers have to keep trying different exploits to find ones that stick. And when they find signs that an exploit might be successful, they'll frequently use different permutations to launch it.
"So while the URL they are attacking will change on each request, the actual filename portion will probably stay the same," Adams says. "So you might see a single user or IP making 500 requests for 'join.php,' when normally a single IP or user would only request that page a few times max."
8. Mismatched Port-Application Traffic
Attackers often take advantage of obscure ports to get around more simple Web filtering techniques. So if an application is using an unusual port, it could be sign of command-and-control traffic masquerading as "normal" application behavior.
"We have noticed several instances of infected hosts sending C&C communications masked as DNS requests over port 80," says Tom Gorup, SOC analyst for Rook Consulting. "At first glance, these requests may appear to be standard DNS queries; however, it is not until you actually look at those queries that you see the traffic going across a nonstandard port. "
9. Suspicious Registry Or System File Changes
One of the ways malware writers establish persistence within an infected host is through registry changes.
"Creating a baseline is the most important part when dealing with registry-based IOCs," Gorup says. "Defining what a clean registry is supposed to contain essentially creates the filter against which you will compare your hosts. Monitoring and alerting on changes that deviate outside the bounds of the clean 'template' can drastically increase security team response time."
Similarly, many attackers will leave behind signs that they've tampered with a host in system files and configurations, says Webb, who has seen organizations more quickly identify compromised systems by looking for these kinds of changes.
"What can happen is that the attacker will install packet-sniffing software to harvest credit card data as it moves around the network," he says. "The attacker targets a system that can watch the network traffic, then installs the harvesting tool. While the chances of catching the specific harvesting tool are slim -- because they will be targeted and probably not seen before -- there is a good chance to catch the changes to the system that houses the harvesting tool."
10. DNS Request Anomalies
According to Wade Williamson, senior security analyst for Palo Alto Networks, one of the most effective red flags an organization can look for are telltale patterns left by malicious DNS queries.
"Command-and-control traffic is often the most important traffic to an attacker because it allows them ongoing management of the attack and it needs to be secure so that security professionals can't easily take it over," he says. "The unique patterns of this traffic can be recognized and is a very standard approach to identifying a compromise."
Gorup agrees that DNS exfiltration can be "extremely loud."
"Seeing a large spike in DNS requests from a specific host can serve as a good indicator of potentially suspect activity," he says. "Watching for patterns of DNS requests to external hosts, compared against geoIP and reputation data, and implementing appropriate filtering can help mitigate C&C over DNS."
11. Unexpected Patching Of Systems
Patching is generally a good thing, but if a system is inexplicably patched without reason, that could be the sign that an attacker is locking down a system so that other bad guys can't use it for other criminal activity.
"Most attackers are in the business of making money from your data -- they certainly don't want to share the profits with anyone else," Webb says. "It sometimes does pay to look security gift horses in the mouth."
12. Mobile Device Profile Changes
As attackers migrate to mobile platforms, enterprises should keep an eye on unusual changes to mobile users' device settings. They also should watch for replacement of normal apps with hostile ones that can carry out man-in-the-middle attacks or trick users into giving up their enterprise credentials.
"If a managed mobile device gains a new configuration profile that was not provided by the enterprise, this may indicate a compromise of the user's device and, from there, their enterprise credentials," says Dave Jevans, founder and CTO of Marble Security. "These hostile profiles can be installed on a device through a phishing or spear-phishing attack."
13. Bundles Of Data In The Wrong Places
According to EventTracker's Ananth, attackers frequently aggregate data at collection points in a system before attempting exfiltration.
"If you suddenly see large gigabytes of information and data where they should not exist, particularly compressed in archive formats your company doesn't use, this is a telltale sign of an attack," he says.
In general, files sitting around in unusual locations should be scrutinized because they can point to an impending breach, says Matthew Standart, director of threat intelligence at HBGary.
"Files in odd places, like the root folder of the recycle bin, are hard to find looking through Windows, but easy and quick to find with a properly crafted Indicator of Compromise [search]," Standart says. "Executable files in the temp folder is another one, often used during privilege escalation, which rarely has a legitimate existence outside of attacker activity."
14. Web Traffic With Unhuman Behavior
Web traffic that doesn't match up with normal human behavior shouldn't pass the sniff test, says Andrew Brandt, director of threat research for Blue Coat.
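Indicators 6 and 7 above (oversized responses and many requests for the same file) and this one (a user-agent that does not match the corporate image) can all be checked from the same web-log records. The Python below is an added example, not from the article or the people quoted in it; it works on a constructed list of already-parsed requests (client IP, URL, response size, User-Agent), so the log-parsing step is left out. The thresholds, the 'CorpBrowser' user-agent string and the traffic are constructed.

```python
from collections import Counter, defaultdict
from posixpath import basename
from statistics import median
from urllib.parse import urlsplit

# Hypothetical user-agent of the standard corporate browser image.
CORP_UA = "Mozilla/5.0 (Windows NT 6.1) CorpBrowser/40.0"

# Constructed, already-parsed web requests (not real traffic):
# (client IP, request URL, response bytes, User-Agent).
REQUESTS = [
    ("198.51.100.3", "/join.php?step=1", 210_000, CORP_UA),
    ("198.51.100.3", "/report.php?id=7", 198_000, CORP_UA),
    ("198.51.100.4", "/report.php?id=8", 201_000, CORP_UA),
    ("198.51.100.4", "/report.php?id=9", 205_000, CORP_UA),
    ("203.0.113.7",  "/report.php?id=9", 30_000_000, "python-requests/2.7.0"),
] + [
    # one client hammering the same script with a different query string each time
    ("203.0.113.7", f"/join.php?ref={i}", 200_000, "Mozilla/5.0 (X11; Linux) CorpBrowser/99.0")
    for i in range(500)
]


def requested_file(url):
    """The filename part of the URL path, ignoring the query string."""
    return basename(urlsplit(url).path)


def repeated_file_requests(requests, threshold=100):
    """(client, filename) pairs requested at least `threshold` times (indicator 7)."""
    counts = Counter((ip, requested_file(url)) for ip, url, _size, _ua in requests)
    return {key: n for key, n in counts.items() if n >= threshold}


def oversized_responses(requests, factor=10):
    """Responses more than `factor` times the median size for that file (indicator 6)."""
    sizes = defaultdict(list)
    for _ip, url, size, _ua in requests:
        sizes[requested_file(url)].append(size)
    typical = {name: median(s) for name, s in sizes.items()}
    return [(ip, url, size) for ip, url, size, _ua in requests
            if size > factor * typical[requested_file(url)]]


def unexpected_user_agents(requests, expected_marker):
    """(client, User-Agent) pairs that do not carry the corporate browser marker (indicator 14)."""
    return {(ip, ua) for ip, _url, _size, ua in requests if expected_marker not in ua}


if __name__ == "__main__":
    print("repeated file requests:", repeated_file_requests(REQUESTS))
    print("oversized responses:", oversized_responses(REQUESTS))
    print("unexpected user agents:", unexpected_user_agents(REQUESTS, "CorpBrowser/40."))
```

Using the median rather than the mean for the typical response size keeps one huge response from dragging the baseline up and hiding itself; the per-file grouping matters because a report page and a stylesheet have very different normal sizes.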
"How often do you open 20 or 30 browser windows to different sites simultaneously? Computers infected with a number of different click-fraud malware families may generate noisy volumes of Web traffic in short bursts," he says." Or, for instance, on a corporate network with a locked-down software policy, where everyone is supposed to be using one type of browser, an analyst might see a Web session in which the user-agent string which identifies the browser to the Web server indicates the use of a browser that's far removed from the standard corporate image, or maybe a version that doesn't even exist."
15. Signs Of DDoS Activity
Distributed denial-of-service attacks (DDoS) are frequently used as smokescreens to camouflage other more pernicious attacks. If an organization experiences signs of DDoS, such as slow network performance, unavailability of websites, firewall failover, or back-end systems working at max capacity for unknown reasons, they shouldn't just worry about those immediate problems.
"In addition to overloading mainstream services, it is not unusual for DDoS attacks to overwhelm security reporting systems, such as IPS/IDS or SIEM solutions," says Ashley Stephenson, CEO at Corero Network Security. "This presents new opportunities for cybercriminals to plant malware or steal sensitive data. As a result, any DDoS attack should also be reviewed for related data breach activity."
Reference:



Trick to Identify the Malware Infection on Windows System | Infosecwithme Blog

8:33 PM
This article provides basic information about how to identify an infection on a system at the first level. There are some basic-level IOCs (Indicators of Compromise) that can help confirm a malware infection.

Below are the methods that help us confirm an infection:

1) Manual method
2) Using Sysinternals
3) Using Redline (Mandiant)

Manual Method:

  • In the manual method, we use built-in utilities to confirm the status of an infection: foreign connections from the base OS, unknown running processes, system boot processes, and application details from msconfig and regedit. Learn it step by step.

  • Important note before proceeding: malware/trojan/virus/worm developers write their code so that it always tries to evade detection by anti-virus.

  • Initially, it tries to hide itself once it has been dropped onto the OS.


Unhide hidden files/folders/drives:

To view a hidden malicious binary, open Windows Explorer > Tools > Folder Options > View tab (refer to the screenshot below).

I. Uncheck the options below to view hidden files/folders:
a. Hide empty drives in the Computer folder
b. Hide extensions for known file types
c. Hide protected operating system files (Recommended)
II. Select the "Show hidden files, folders and drives" option.




1. Using Netstat:

Netstat is a common command-line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems.

This command is useful for seeing the currently established connections with foreign IPs, with port and protocol details.

State details:

  • ESTABLISHED: indicates that the connection/communication is still live.

C:\>netstat -ano | findstr ESTABLISHED
  TCP    172.16.174.228:59011    172.129.4.10:443            ESTABLISHED     8116
  TCP    172.16.174.228:59025    172.66.15.20:39331       ESTABLISHED     8116
  TCP    172.16.174.228:59065    172.128.30.85:8000       ESTABLISHED     452
  TCP    172.16.174.228:59102    172.128.27.42:10123     ESTABLISHED     4892
  TCP    172.16.174.228:59158    172.77.4.16:58734          ESTABLISHED     160
  TCP    172.16.174.228:59179    172.137.12.41:445          ESTABLISHED     4
  TCP    172.16.174.228:59723    172.135.128.228:8080   ESTABLISHED     2220
  TCP    172.16.174.228:59736    172.66.24.17:443            ESTABLISHED     8116
  TCP    127.0.0.1:6129                  127.0.0.1:53398              ESTABLISHED     1532
  TCP    127.0.0.1:53398               127.0.0.1:6129                 ESTABLISHED     4064


  • LISTENING: indicates that a service is listening on the port, or the port has been opened for listening and is ready to accept a connection from whoever hits it.

C:\>netstat -ano | findstr LISTENING
  TCP    0.0.0.0:135           0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:443             0.0.0.0:0              LISTENING       4080
  TCP    0.0.0.0:445             0.0.0.0:0              LISTENING       4
  TCP    172.16.77.174.228:139   0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8307                  0.0.0.0:0              LISTENING       4080
  TCP    127.0.0.1:53507                0.0.0.0:0              LISTENING       6904
  TCP    192.168.56.1:139              0.0.0.0:0              LISTENING       4
  
Here we get information about the current foreign connections, which helps in analysing the incident.
I recommend using this command first while analysing an incident, because the output can be filtered as required: by live port, foreign IP, state, PID or protocol.

2. Tasklist:

  • This command is useful for seeing the processes currently running on the local or a remote server.

Syntax: TASKLIST [/S system [/U username [/P [password]]]] [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
(For a GUI, use Task Manager.)





  • It gives you details of the currently running applications/services, so unknown processes are easy to track.

Note: You need basic knowledge of the system's default processes plus the whitelisted application processes.

3. Task Manager:

  • It provides limited information about computer performance and running applications, processes and CPU usage, commit charge and memory information, network activity and statistics, logged-in users, and system services. Task Manager can also be used to set process priorities and processor affinity, forcibly terminate processes, and shut down, restart, hibernate or log off from Windows.

  • The task list can show the currently running processes and kill them, or create a new process.




4. Msconfig:

  • We can use this utility to see whether any unknown application is set to run at start-up, along with the manufacturer details, the command with the full path of the application, and the registry path.
  • If you observe an unknown application, uncheck it, go to the folder path and try to remove the file manually (use an AV scan to validate/remove it).
  • Go to the registry path to remove the application's entry, or use the CCleaner application to clear unwanted data from the registry.

  • The advantage of this utility is that it lets you check for unknown processes/services.

Tick "Hide all Microsoft services" so that all MS services are hidden. Analyse whether the remaining services belong to whitelisted applications, trace the unknown process/application running the service, and uninstall it as soon as possible.
We can also validate which services are required to run at system start-up.

5. Registry:

The easiest way to identify start-up entries is to check the registry path:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run and \RunOnce
Here you get details of the applications that are set to run automatically when the OS boots.

6. Common paths where binary files are dropped:

  • Whenever a system gets infected, the malicious binary drops itself into the Windows file system. There are some common paths where you can check for it,

such as %temp%, %AppData%, System32 and the Documents folder.
You can confirm whether a binary is suspicious by uploading the file to virustotal.com or metascan.com to check its status.

7. Scan with anti-virus:

  • Update the AV to the latest version and scan the whole drive using the full-scan method.
  • It is recommended to use a full (licensed) version of the AV and to avoid cracked versions, as there is a chance of infection from a cracked copy; many attackers use this technique to infect users' systems.

8. Use VirusTotal / Metascan:
This is the simplest and fastest method to determine whether a binary file is malicious.
You can submit files (upload limit: 128 MB), URLs, IPs and hashes to check their status. Security analysts use these sites for first-level analysis.
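Rather than uploading every suspicious file, an analyst can hash it and look the hash up first, which also keeps company data off a third-party site. The Python below is an added example (not from the post): it walks directories such as the drop locations named in section 6 for files with suspect extensions, computes their SHA-256 in a streaming fashion, and notes whether each file is under the 128 MB upload limit quoted above. The extension set, the demo directory and its files are constructed; windows_drop_paths() expands the usual Windows environment variables and only returns directories that exist.

```python
import hashlib
import os
import tempfile

# File types most often worth a hash lookup when found in drop locations (assumed set).
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
# Upload limit quoted in the post; larger files are still hashed but marked as not uploadable.
MAX_UPLOAD_BYTES = 128 * 1024 * 1024


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_hashes(directories, extensions=SUSPECT_EXTENSIONS):
    """Walk the directories and return {path: {"sha256", "size", "uploadable"}}
    for files with a suspect extension. Only the hash needs to leave the host;
    a hash lookup avoids uploading a file that may contain company data."""
    results = {}
    for directory in directories:
        for root, _dirs, files in os.walk(directory):
            for name in files:
                if os.path.splitext(name)[1].lower() not in extensions:
                    continue
                path = os.path.join(root, name)
                size = os.path.getsize(path)
                results[path] = {"sha256": sha256_file(path), "size": size,
                                 "uploadable": size <= MAX_UPLOAD_BYTES}
    return results


def windows_drop_paths():
    """The drop locations named in section 6, expanded from environment variables (Windows only)."""
    candidates = [
        os.environ.get("TEMP"),
        os.environ.get("APPDATA"),
        os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32"),
        os.path.join(os.environ.get("USERPROFILE", ""), "Documents"),
    ]
    return [p for p in candidates if p and os.path.isdir(p)]


def demo():
    """Create a throwaway directory with constructed files and hash it; returns {filename: sha256}."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "dropper.exe"), "wb") as f:
            f.write(b"hello")                       # constructed content, not a real binary
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"just text")                   # ignored: not a suspect extension
        found = collect_hashes([tmp])
        return {os.path.basename(p): info["sha256"] for p, info in found.items()}


if __name__ == "__main__":
    for path, info in collect_hashes(windows_drop_paths()).items():
        print(info["sha256"], info["size"], "uploadable" if info["uploadable"] else "too large", path)
    print(demo())
```

Searching by hash first also tells you whether the file has already been analysed by others; only a file with no prior result needs to be considered for upload, and even then the size check above decides whether the site will accept it.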




9. Use Sandboxie:

Sandboxie runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer.

  • It is useful when we have found a file and need to understand its functionality or the level of infection.
  • Most analysts use Sandboxie to check the behaviour of malicious binaries.

Download URL: http://www.sandboxie.com/SandboxieInstall.exe

Using Sysinternals utilities:

10. Using Process Explorer to identify malware:

Process Explorer is a free 1.47 MB download from the Windows Sysinternals web page on the TechNet site.

Tool list: https://technet.microsoft.com/en-us/sysinternals/bb545027.aspx

Useful Links:

Hunt Down and Kill Malware with Sysinternals Tools (Part 1)
Hunt Down and Kill Malware with Sysinternals Tools (Part 2)
Hunt Down and Kill Malware with Sysinternals Tools (Part 3)
Video Demonstration: Malware Hunting with the Sysinternals Tools https://www.youtube.com/watch?v=Wuy_Pm3KaV8

Using Redline (Mandiant):

MANDIANT transforms how organizations detect, respond to, and contain security breaches. Through our commercial and free products, we equip front-line incident investigators with superlative tools and technologies that support them in providing a quick and effective response when organizations need it the most.

Redline is MANDIANT’s free tool for investigating hosts for signs of malicious activity through memory and file analysis, and subsequently developing a threat assessment profile.
User Guide: https://dl.mandiant.com/EE/library/Redline1.11.1_UserGuide.pdf

Redline Features:

Rapid Triage
Reveals Hidden Malware
Guided Analysis

With Redline you can: 


  • Collect run processes, files, registry data, and memory images. 
  • View imported data, including narrowing and filtering results around a given timeframe using Redline’s TimeWrinkle™ and TimeCrunch™ features. 
  • Identify processes more likely worth investigating based on their Redline Malware Risk Index (MRI) score. 
  • Perform Indicators of Compromise (IOC) analysis. 
  • Use whitelists to filter out known valid data based on MD5 hash values.


Email Security TIPS For Internet Users | Infosecwithme Blog

8:32 PM


Hello guys, here are some tips on email security:





1. Enable two-step verification for your email accounts.

  • It will protect you even if your credentials have been compromised by a keylogger/trojan/malware etc.
  • Handle your cell phone carefully.

2. Enable login notifications for your email and get a notification on your mobile whenever you log in.

3. Set a strong password with a mix of letters, numbers and special characters.

4. For your Facebook account, enable login notifications to prevent unauthorised access.
5. Enable HTTPS in your Facebook as well as your email account settings.
6. Never share your password with anyone. If you had to share it in a bad situation, change it as soon as possible.
7. Set a recovery question whose answer cannot be guessed.
8. Never click on links sent through mail or chat. They may steal your cookies or inject viruses.
9. Always check the address bar for the proper website address before logging in (be aware of phishing while performing financial transactions).
