Svensk släppt i Syrien SvD Utrikes(cached at May 15, 2014, 11:33 pm)

En svensk finns med bland de fem kidnappade från Läkare utan gränser som har frigetts i Syrien, bekräftar organisationen för TT.
Svensk släppt i Syrien SvD Utrikes(cached at May 15, 2014, 11:33 pm)

En svensk finns med bland de fem kidnappade från Läkare utan gränser som har frigetts i Syrien, bekräftar organisationen för TT.
FLASH:Svensk släppt i Syrien SvD Utrikes(cached at May 15, 2014, 11:33 pm)

En svensk finns med bland de fem kidnappade från Läkare utan gränser som har frigetts i Syrien, bekräftar organisationen för TT.
FLASH:Svensk släppt i Syrien SvD Utrikes(cached at May 15, 2014, 11:33 pm)

En svensk finns med bland de fem kidnappade från Läkare utan gränser som har frigetts i Syrien, bekräftar organisationen för TT.
CVE-2014-1603 (Natl. Vulnerability Database) SANS ISC SecNewsFeed(cached at May 15, 2014, 11:30 pm)

CVE-2014-1603 (Natl. Vulnerability Database) SANS ISC SecNewsFeed(cached at May 15, 2014, 11:30 pm)

Collecting Workstation / Software Inventory Several Ways, (Thu, May 15th) SANS Internet Storm Center, InfoCON: green(cached at May 15, 2014, 11:30 pm)

One of the "prepare for a zero day" steps that I highlighted in my story last week was to inventory your network statuons, and know what's running on them.  In short, the first 2 points in the SANS 20 Critical Security Controls.  This can mean lots of things depending on hour point of view.

Nmap can make an educated guess on the existence of hosts, their OS and active services:
nmap -p0-65535 -O -sV x.x.x.0/24
Good information, but not "take it to the bank" accuracy.  It'll also take a LONG time to run, you might want to trim down the number of ports being evaluated (or not).  Even if you don't take this info as gospel, it's still good supplemental info, for stations that are not in your domain.  You can kick this up a notch with Nessus (Nessus will also login to stations and enumerate software if you have credentials)

If you're running active directory, you can get a list of hosts using netdom, and a list of apps on each host using WMIC:
netdom.exe query /domain:domainname.com workstation | find /v "List of Workstations" >stations.out

(if you use "server" instead of "workstation", you'll get the server list instead)

and for each station:
wmic product list brief

But having run exactly this recently, this can take a LONG time in a larger domain.  How can we speed this up?  In a word, Powershell.
To inventory a domain:
import-module ActiveDirectory
Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion


To inventory the software on a remote workstation:
Get-WmiObject -Class Win32_Product -computername stationnamegoeshere | Select-Object -Property Name

( see here for more info: http://technet.microsoft.com/en-us/library/ee176860.aspx)

I collected this information first using the netdom/wmic way (hours), then using powershell (minutes).  Guess which way I'd recommend?

OK, now we've got what can easily be Megabytes of text.  How do we find out who needs some TLC?  Who's running old or unpatched software?

As an example - who has or does NOT have EMET 4.1 installed?

To check this with WMIC:

"go.cmd" (for some reason all my parent scripts are called "go")  might look like:
@echo off
for /f %%G in (stations.out) do call emetchk.cmd

and emetchk.cmd might look like:
@echo off
echo %1  >> inventory.txt
wmic /node:%1 product where "name like 'EMET%%'" get name, identifyingnumber, InstallDate >> inventory.txt
echo.


Or with powershell, the domain enumeration would look like:
import-module ActiveDirectory
Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion  > stations.out

Then, to enumerate the actual applications (for each station in stations.out), you could either use the emetchk.cmd script above, or re-do the thing in powershell (I haven't gotten that far yet, but if any of our readers want to add a script in the comments, I'm sure folks would love to see it!) - in this example the

Get-WmiObject -Class Win32_Product -computername stationname | Select-Object -Property Name > stationname.txt

Done!

If you run this periodically, you can "diff" the results between runs to see what's changed.  Diff is standard in linux, is part of Windows these days also if you install the SFU (services for unix), or you can get a nice diff report in powershell with :

Compare-Object -ReferenceObject (Get-Content c:\path\file01.txt) -DifferenceObject (Get-Content c:\path\file02.txt)

But what about the stations who aren't in our corporate domain?  Even if your domain inventory is solid, you still must sniff network traffic using tools like PVS (from Tenable) or P0F (open source, from http://lcamtuf.coredump.cx/p0f3/) to identify folks who are running old versions of java, flash, air, IE, Firefox (pre-auto update versions mostly) and so on, that aren't in your domain so might get missed in your "traditional" data collection.  Normally these sniffer stations monitor traffic in and out of choke points in the network like firewalls or routers.  We covered this earlier this year here: https://isc.sans.edu/diary.html?date=2013-12-19

I hope this outlines free or close to free solutions to get these tasks done for you.  If you've found other (or better) ways to collect this info without a large cash outlay and/or a multi-week project, please share using our comment form.

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Collecting Workstation / Software Inventory Several Ways, (Thu, May 15th) SANS Internet Storm Center, InfoCON: green(cached at May 15, 2014, 11:30 pm)

One of the "prepare for a zero day" steps that I highlighted in my story last week was to inventory your network statuons, and know what's running on them.  In short, the first 2 points in the SANS 20 Critical Security Controls.  This can mean lots of things depending on hour point of view.

Nmap can make an educated guess on the existence of hosts, their OS and active services:
nmap -p0-65535 -O -sV x.x.x.0/24
Good information, but not "take it to the bank" accuracy.  It'll also take a LONG time to run, you might want to trim down the number of ports being evaluated (or not).  Even if you don't take this info as gospel, it's still good supplemental info, for stations that are not in your domain.  You can kick this up a notch with Nessus (Nessus will also login to stations and enumerate software if you have credentials)

If you're running active directory, you can get a list of hosts using netdom, and a list of apps on each host using WMIC:
netdom.exe query /domain:domainname.com workstation | find /v "List of Workstations" >stations.out

(if you use "server" instead of "workstation", you'll get the server list instead)

and for each station:
wmic product list brief

But having run exactly this recently, this can take a LONG time in a larger domain.  How can we speed this up?  In a word, Powershell.
To inventory a domain:
import-module ActiveDirectory
Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion


To inventory the software on a remote workstation:
Get-WmiObject -Class Win32_Product -computername stationnamegoeshere | Select-Object -Property Name

( see here for more info: http://technet.microsoft.com/en-us/library/ee176860.aspx)

I collected this information first using the netdom/wmic way (hours), then using powershell (minutes).  Guess which way I'd recommend?

OK, now we've got what can easily be Megabytes of text.  How do we find out who needs some TLC?  Who's running old or unpatched software?

As an example - who has or does NOT have EMET 4.1 installed?

To check this with WMIC:

"go.cmd" (for some reason all my parent scripts are called "go")  might look like:
@echo off
for /f %%G in (stations.out) do call emetchk.cmd

and emetchk.cmd might look like:
@echo off
echo %1  >> inventory.txt
wmic /node:%1 product where "name like 'EMET%%'" get name, identifyingnumber, InstallDate >> inventory.txt
echo.


Or with powershell, the domain enumeration would look like:
import-module ActiveDirectory
Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion  > stations.out

Then, to enumerate the actual applications (for each station in stations.out), you could either use the emetchk.cmd script above, or re-do the thing in powershell (I haven't gotten that far yet, but if any of our readers want to add a script in the comments, I'm sure folks would love to see it!) - in this example the

Get-WmiObject -Class Win32_Product -computername stationname | Select-Object -Property Name > stationname.txt

Done!

If you run this periodically, you can "diff" the results between runs to see what's changed.  Diff is standard in linux, is part of Windows these days also if you install the SFU (services for unix), or you can get a nice diff report in powershell with :

Compare-Object -ReferenceObject (Get-Content c:\path\file01.txt) -DifferenceObject (Get-Content c:\path\file02.txt)

But what about the stations who aren't in our corporate domain?  Even if your domain inventory is solid, you still must sniff network traffic using tools like PVS (from Tenable) or P0F (open source, from http://lcamtuf.coredump.cx/p0f3/) to identify folks who are running old versions of java, flash, air, IE, Firefox (pre-auto update versions mostly) and so on, that aren't in your domain so might get missed in your "traditional" data collection.  Normally these sniffer stations monitor traffic in and out of choke points in the network like firewalls or routers.  We covered this earlier this year here: https://isc.sans.edu/diary.html?date=2013-12-19

I hope this outlines free or close to free solutions to get these tasks done for you.  If you've found other (or better) ways to collect this info without a large cash outlay and/or a multi-week project, please share using our comment form.

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
FN-chefen varnar för främlingsfientlighet SvD Utrikes(cached at May 15, 2014, 11:03 pm)

Migration är inte ett hot utan en möjlighet. Migranterna tar inte inhemska jobb, utan gör ofta jobb som lokalbefolkningen inte vill göra. Det säger FN:s generalsekreterare i en exklusiv SvD-intervju. ”Men se upp för opportunister som använder migranter som syndabockar för politiska vinster”, säger han.
Dödläge efter förhandlingar SvD Utrikes(cached at May 15, 2014, 11:03 pm)

Ukrainas regering räcker ut en hand till separatisterna om de lägger ner sina vapen - som kräver att ukrainska styrkor måste lämna regionen. Samtidigt säger Carl Bildt att hela landet inte behöver delta i presidentvalet.
Gisslan frigiven i Syrien SvD Utrikes(cached at May 15, 2014, 11:03 pm)

De fem medarbetare från Läkare utan gränser som tillfångatogs i Syrien den 2 januari är nu frigivna, uppgav organisationen på torsdagskvällen. Tre släpptes den 4 april och två på onsdagen. En av dem är dansk.
Svensk död i trafikolycka i Nepal SvD Inrikes(cached at May 15, 2014, 11:03 pm)

En svensk man omkom på torsdagen i Nepal när bilen han färdades i körde av vägen.
OCZ RevoDrive 350 PCIe SSD Hits 1.8GB/sec With Standard Toshiba MLC NAND Slashdotby timothy on storage at January 1, 1970, 1:00 am (cached at May 15, 2014, 11:02 pm)

MojoKid (1002251) writes "OCZ was recently acquired by Toshiba and has been going through its product stack, revamping its SSD portfolio with fresh re-designs based on Toshiba NAND Flash memory for not only increased performance but better cost structure as well. OCZ has now replaced their RevoDrive family of PCIe SSD cards with an almost complete re-designed of the product. The RevoDrive 350 is based on the same OCZ VCA 2.0 (Virtualized Controller Architecture) technology as the previous generation but is now enabled with a PCI Express X8 card interface and up to 4 LSI SandForce SD-2282 SSD processors, along with 19nm Toshiba NAND Flash. The good news is, not only is the new RevoDrive 350 faster at 1.8GB/sec claimed bandwidth for sequential reads and 1.7GB/sec for sequential writes, but it's also significantly more affordable, at literally half the price of the previous gen RevoDrive 3 when it first launched. In the benchmarks, the new PCIe card excels at read throughput, regularly hitting its 1.8GB/sec claimed bandwidth, especially with sequential workloads. Write performance is solid as well and the drive competes with the likes of some higher-end and more expensive SLC NAND-based PCIe cards like LSI's WarpDrive and Intel's SSD 910."

Read more of this story at Slashdot.








US says Nigeria 'too slow' in kidnap response AL JAZEERA ENGLISH (AJE)(cached at May 15, 2014, 11:00 pm)

Defence official says Nigeria's reluctance to accept assistance in fighting Boko Haram has complicated search for girls.
US says Nigeria 'too slow' in kidnap response AL JAZEERA ENGLISH (AJE)(cached at May 15, 2014, 11:00 pm)

Defence official says Nigeria's reluctance to accept assistance in fighting Boko Haram has complicated search for girls.