Leonard Nelson
http://www.leonelson.com
Personal blog of Leonard Nelson talking about technology, education, customer relationship management, customer service and Africa.
Last updated: Sun, 17 Apr 2016 13:46:13 +0000

Inspecting a PDF File
http://www.leonelson.com/2016/04/15/inspecting-pdf-file/
Fri, 15 Apr 2016 11:02:00 +0000

I recently had to complete some work inspecting a PDF file for malicious content. This was an interesting experience, so I thought I'd share the approach I took to review the file from a sandboxed environment:

1. Start by scanning the file with a service such as virustotal.com, scanii.com or metadefender.com.

2. Use Adobe Acrobat to browse the internal PDF structure. Launch the Preflight tool (Print Production > Preflight) and then, under Options, select Browse Internal PDF Structure.

3. Use a PDF metadata and structure tool to inspect the file. Here are some I used that were quite helpful:

peepdf.py – PeePDF is a Python-based tool to explore PDF files.

pdfid.py – PDFID is a Python-based tool that scans the file for certain PDF keywords, for example to tell whether the file contains JavaScript or executes an action when opened.

pdf-parser.py – PDF-Parser is a Python-based tool that parses a PDF document and identifies the fundamental elements used in the file.
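
As an added example (not code from this post or from the Didier Stevens tools it mentions), here is a pdfid-style byte scan in Python that answers step 3's question offline, without uploading the document anywhere: does the file contain JavaScript or an action that runs on open, and are any keywords hidden behind hex-escaped names? The sample PDF is constructed inline.

```python
import re

# Names pdfid-style triage counts: active content, auto-run triggers and hiding places.
SUSPICIOUS_NAMES = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/ObjStm", "/RichMedia", "/XFA"]

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count structural tokens and suspicious names in raw PDF bytes (no parsing)."""
    text = normalize_names(data)
    counts = {"has_header": data.startswith(b"%PDF-")}
    for token in ("obj", "endobj", "stream", "endstream"):
        counts[token] = len(re.findall(rb"\b" + token.encode() + rb"\b", text))
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not also match longer names.
        counts[name] = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9_.])", text))
    # Count hex-escaped names in the original bytes: legal PDF, but a common evasion.
    counts["obfuscated_names"] = len(re.findall(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}", data))
    return counts

def findings(counts: dict) -> list:
    """Turn raw counts into the questions an analyst asks first."""
    out = []
    if counts["/JavaScript"] or counts["/JS"]:
        out.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        out.append("executes an action automatically (on open or on page events)")
    if counts["/Launch"]:
        out.append("can launch an external program")
    if counts["/EmbeddedFile"]:
        out.append("carries embedded files")
    if counts["obfuscated_names"]:
        out.append("uses hex-escaped names (keyword hiding)")
    if counts["obj"] != counts["endobj"] or counts["stream"] != counts["endstream"]:
        out.append("unbalanced obj/stream markers (malformed or truncated file)")
    return out

# Constructed sample: a minimal PDF with an auto-run action and an obfuscated JavaScript name.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert\(1\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
```

A byte scan cannot see names inside compressed streams or object streams, so a file with many /ObjStm hits and few other findings still warrants a walk through its objects with pdf-parser.py or peepdf.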

Additional Reading:

  1. Checking a PDF for exploits
  2. Viewing PDF objects
  3. PDF Tools from Didier Stevens
  4. Best tool for inspecting PDF files?
  5. PDF malware analysis

Additional Tools:

  1. GhostScript
  2. GSView
  3. PDF Validator Online Tool

Care
http://www.leonelson.com/2016/04/08/care/
Sat, 09 Apr 2016 01:52:02 +0000

Your circumstances can lead you to believe God doesn’t care but your history will prove that he does

– Pete Wilson

Information Security Primer for Evaluating Software
http://www.leonelson.com/2016/04/08/information-security-primer-for-evaluating-software/
Fri, 08 Apr 2016 11:07:49 +0000

Common Sense Graphite is a site by teachers, for teachers that helps you find the best educational technology resources and learn the best practices for implementing them in your classroom. Brought to you by Common Sense Media: Empowering kids to thrive in a world of media and technology.

Source: Information Security Primer for Evaluating Educational Software

Vendor Security Assessment Questionnaires
http://www.leonelson.com/2016/03/18/vendor-security-assessment-questionnaires/
Fri, 18 Mar 2016 13:19:52 +0000

When sharing data with a vendor, it is important to ensure that the vendor will handle your data with the same level of care and protection that your organization expects or requires.

Google has just released an interactive questionnaire application to help support these security reviews by facilitating not only the collection of information, but also the redisplay of collected data in templated form.

You can test the Google Vendor Security Assessment Questionnaire, or contribute and set up your own questionnaire using the source. Specific questionnaires are available below:

Censys Search Shortcuts
http://www.leonelson.com/2016/03/16/censys-search-shortcuts/
Thu, 17 Mar 2016 03:13:52 +0000

Use Censys to discover which of your devices are connected to the Internet, where they are located and who is using them.

Censys supports both full-text searches and structured queries. The search Dell will find any host where the word Dell appears. You can also compose more complex queries. For example, the query ip: AND metadata.manufacturer:"Dell" will find any Dell devices in the specified network.

Boolean Logic

You can combine multiple statements using AND, OR, NOT, and parentheses. For example: ("Schneider Electric" OR Dell) AND ip: By default, all terms are optional (i.e., they are combined as an OR) unless specified otherwise.

You can search for ranges of numbers using [ and ] for inclusive ranges and { and } for exclusive ranges. For example: 80.http.get.status_code:[200 TO 300]. You can search for IP addresses using CIDR notation, e.g., ip: Timestamps are queried with the same range syntax: [2012-01-01 TO 2012-12-31].

By default, Censys searches for complete words. In other words, the search Del will not return results containing the word Dell. To search for words that start with Del, search for Del*. Single-character wildcards also work, e.g., D?ll.

DNS Queries

You can perform inline DNS A and MX queries using the following syntax: a:facebook.com and mx:gmail.com.

Regular Expressions

You can also search using regular expressions, e.g., metadata.manufacturer:/De[ll]/. Full syntax is available here.

The boost operator (^) makes one term more relevant than another. For example, metadata.manufacturer: Dell^2 OR Schneider Electric gives more weight to the Dell keyword.

Reserved Characters

The following characters must be escaped with a backslash: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /

Symantec Endpoint Protection Versions
http://www.leonelson.com/2016/03/05/symantec-endpoint-protection-versions/
Sat, 05 Mar 2016 14:32:34 +0000

Symantec has a full list of Symantec Endpoint Protection product versions and release dates at Symantec Endpoint Protection; however, the Symantec Endpoint Protection Wikipedia page appears to be maintained more frequently. The version suffixes mean:

RTM – Release To Manufacturing

MR – Maintenance Release (replaced by RU)

RU – Release Update

MP – Maintenance Patch

PP – Point Patch

Source: Symantec Endpoint Protection

Malware detection and tracking of new autoruns using PowerShell
http://www.leonelson.com/2016/02/24/malware-detection-and-tracking-of-new-autoruns-using-powershell/
Wed, 24 Feb 2016 14:41:30 +0000

A PowerShell script that scans autorun entries and checks whether each executable is signed.

Source: PowerShell: Malware detection and tracking of new autoruns

Business Email Compromise
http://www.leonelson.com/2016/02/16/business-email-compromise/
Tue, 16 Feb 2016 14:59:24 +0000

Add one more email scam reference to your lexicon. Business E-mail Compromise (BEC) scams, also known as CEO fraud, usually involve spoofing an executive's email address and/or gaining access to that executive's inbox through a phishing scam. Once access is obtained or the executive's email address is spoofed, specific individuals in the organization are targeted with requests for fraudulent wire transfers.

The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses that work with foreign suppliers and/or regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the "business angle" of this scam and to avoid confusion with another, unrelated scam. The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed. Asian banks, located in China and Hong Kong, are the most commonly reported final destination for these fraudulent transfers.

Source: Business Email Compromise

GIF Screenshot Creator
http://www.leonelson.com/2016/02/13/gif-screenshot-creator/
Sun, 14 Feb 2016 03:24:28 +0000

Giffing Tool is, simply put, the fastest creator of high-quality captioned GIFs available. Simply drag across your screen to record movies, YouTube videos, and more.

Privacy Definition
http://www.leonelson.com/2016/01/25/privacy-definition/
Tue, 26 Jan 2016 03:17:01 +0000

An excellent definition of privacy in the context of autonomy and security:

  • Autonomy Privacy is an individual's ability to conduct activities without concern of, or actual, observation (i.e., surveillance).
  • Information Security is the protection of information resources from unauthorized access, which could compromise their confidentiality, integrity, and availability. This includes, but is not limited to, networks, hardware, software and information (some of which is confidential).
  • Information Privacy is the intersection of autonomy privacy and information security: it is the appropriate protection, use, and dissemination of information about individuals.

Source: Autonomy Privacy, Information Privacy and Information Security
