Rhino slaughter continues unabated | BBC News | Science/Nature | UK Edition (cached at March 9, 2016, 11:30 pm)

The mass slaughter of rhinos increases for a sixth consecutive year, despite a drive to fight poachers by various means.
Laptop Theft: Are These Breaches Becoming Rarer? (InfoRiskToday) | SANS ISC SecNewsFeed (cached at March 9, 2016, 11:30 pm)

ISC Stormcast For Wednesday, March 9th 2016 http://isc.sans.edu/podcastdetail.html?i | SANS Internet Storm Center, InfoCON: green (cached at March 9, 2016, 11:30 pm)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Google Launches Android N Developer Preview And Beta Program | Slashdot, by BeauHD on android (cached at March 9, 2016, 11:05 pm)

Google is releasing Android N Preview to developers today. The early release is meant to collect feedback sooner than usual, and even includes a new way to download the update. Instead of installing a drive image, you can participate in an Android Beta Program that installs pre-release versions over the air (as long as you have a relatively recent Nexus device or the Pixel C). The biggest attraction, by far, is a new multi-window mode, which lets you use split-screen modes on phones and tablets, and even specify minimum allowable dimensions. There's even a picture-in-picture video mode, too, so you can keep watching YouTube while you message your friends. Other improvements in the preview include direct reply notifications that let you reply to a message right from an alert, iOS-style. Also, Android N optionally bundles notifications from the same app so that they don't clutter your view. Marshmallow's Doze feature has been improved to save battery life whenever the screen turns off, and coders can take advantage of Java 8 features. Google is also working to reduce the memory needs of Android via Project Svelte, allowing the Android OS to run smoothly on lower specced devices.

Read more of this story at Slashdot.

Containers for poets | Scripting News (cached at March 9, 2016, 11:04 pm)


Containers for poets

davewiner

User provides credit card info, chooses my app, clicks a button and a few seconds later they get the URL of their app.

From there they can download whatever software the app wants to put on the device, computer -- or nothing, it could just be the website where they write or collaborate or share stuff.

When this gets to be as easy as setting up an Amazon account, there will be an explosion of new software, and it will create serious competition for the silos.

French prisons trial programme to de-radicalise inmates | AL JAZEERA ENGLISH (AJE) (cached at March 9, 2016, 11:00 pm)

Controversial programme separates prisoners deemed to hold "radical" views from other inmates.
Ubuntu Drops Support For AMD's Catalyst GPU Driver | Slashdot, by timothy on amd (cached at March 9, 2016, 10:35 pm)

An anonymous reader writes: Ubuntu 16.04 LTS and newer will no longer be supporting AMD's widely-used Catalyst Linux (fglrx) driver. AMD has dropped support for this proprietary AMD driver in favor of encouraging users to use the open-source AMDGPU/Radeon drivers. While the fglrx/Catalyst driver is notorious among Linux gamers, this will represent a regression for many AMD Linux users due to the open-source driver only having OpenGL 4.1 support compared to OpenGL 4.5 in Catalyst, lower performance in common gaming workloads, incomplete OpenCL compute support, no CrossFire multi-GPU support, and other missing features. Much of the missing functionality will end up being implemented by AMD's new AMDGPU driver stack but that is still months away from being truly ready and will only benefit the very latest Radeon GPUs while the fglrx-free Ubuntu 16.04 is set to ship in April.

Read more of this story at Slashdot.

Are ISIL fighters making inroads in North Africa? | AL JAZEERA ENGLISH (AJE) (cached at March 9, 2016, 10:30 pm)

Is the region an easy target for ISIL and could international intervention deter the armed group's expansion?
First Mac OS X ransomware actually a rewrite of Linux file scrambler (The Register) | SANS ISC SecNewsFeed (cached at March 9, 2016, 10:30 pm)

Criminals in Bangladesh heist likely studied bank's inner workings (Yahoo Security) | SANS ISC SecNewsFeed (cached at March 9, 2016, 10:30 pm)

Powershell Malware - No Hard drive, Just hard times (Wed, Mar 9th) | SANS Internet Storm Center, InfoCON: green (cached at March 9, 2016, 10:30 pm)

ISC reader Eric Volking submitted a very nice sample of some PowerShell-based malware. Let's take a look! The malware starts in the traditional way, by launching itself with an autorun registry key. The autorun value runs this command:

    C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp HKCU:\Software\Classes\UBZZXDJZAOGD

Upon startup this will launch PowerShell and execute the Base64 (UTF-16LE) encoded script stored in the registry, in the key XLQWFZRMYEZV. That script, when decoded, contains something that looks like the block of code below. For readability, I've removed a large blob of text from the script and collapsed the two functions that the malware uses to decrypt and extract the data.

    [Screenshot of the decoded script from the original diary; not reproduced here]

This script decodes a big blob of Base64 encoded data that is stored in the variable $eOIzeGbcRBwsK. It decrypts it with the key stored in variable $DUUZTJAPEMZ and inflates the gzip encoded data. Windows PowerShell ISE makes getting to the decrypted data painless. On my malware analysis VM, I go to the PowerShell ISE, right-click on line 43 and select Toggle Break Point. Line 43 assigns the decrypted payload to variable $eOIzeGbcRBwsK. I execute the script and the ISE breakpoint dutifully stops on the selected line. My PowerShell prompt changes to [DBG]: PS C:\Users\mark letting me know I am in the middle of debugging the script. I can use my PowerShell prompt to inspect or change variables. I can also export the contents of that variable to another file. I go to the bottom of the ISE and type $eOIzeGbcRBwsK | out-file -FilePath .\decoded.ps1.

Now I can open up the file decoded.ps1 and see the unencrypted payload. In decoded.ps1 we find a modified version of Invoke-ReflectedPEInjection. The malware authors have obviously used part of the PowerSploit framework in their attack. PowerSploit is a very useful framework to penetration testers and network defenders alike, so it doesn't surprise me that bad actors find value in it also. Invoke-ReflectedPEInjection will load a Windows EXE into memory and launch it without it ever writing to the hard drive. So where does the script get its EXE?

    if ([IntPtr]::Size -eq 8) {
        # 64-bit branch (body shown only as a screenshot in the original diary)
    }else{
        # 32-bit branch (body shown only as a screenshot in the original diary)
    }

The script is checking the size of an IntPtr (8 bytes in a 64-bit PowerShell process) to determine if the victim is a 32-bit or a 64-bit system. Depending upon the architecture it extracts a 32-bit or 64-bit version of the malware from the registry and launches it using Invoke-ReflectedPEInjection.

By using PowerShell the attackers have been able to put malware that might otherwise be detected on a hard drive into the Windows Registry. (Dear Trolls, Yes, I know the registry is technically on the hard drive.) As network defenders we should familiarize ourselves with these techniques and how to use PowerShell ISE to examine the scripts.
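To show how a defender can triage an autorun entry of this shape without running it, here is an added example in Python (not the diary's or SANS's code). It scores the launch flags quoted above, decodes a registry-stored Base64/UTF-16LE stage the way the loader would, and flags the architecture check and PE loader the diary describes; the indicator names, the key and value names in the sample, and the UTF-16LE heuristic are assumptions made for this example.

```python
import base64
import re

# Launch-flag indicators taken from the command line quoted in the diary.
# The names and the choice of patterns are this example's assumptions.
LAUNCH_INDICATORS = {
    r"-w(?:indowstyle)?\s+hidden": "hidden window",
    r"-e(?:xecutionpolicy)?\s+bypass": "execution policy bypass",
    r"\biex\b|invoke-expression": "Invoke-Expression of decoded text",
    r"frombase64string": "Base64 decode at launch",
    r"\bgp\b|get-itemproperty": "script body read from the registry",
    r"hkcu:\\software\\classes\\": "payload stored under HKCU\\Software\\Classes",
}
# Indicators for the decoded stage, from the diary's description of it.
STAGE_INDICATORS = {
    r"\[intptr\]::size\s+-eq\s+8": "32/64-bit architecture check",
    r"invoke-reflect(?:ive|ed)peinjection": "PowerSploit in-memory PE loader",
    r"gzipstream": "gzip-inflated payload",
}

def match_indicators(text: str, table: dict) -> list:
    """Return the indicator names whose pattern occurs in text (case-insensitive)."""
    low = text.lower()
    return [name for pat, name in table.items() if re.search(pat, low)]

def decode_registry_stage(b64: str) -> str:
    """Decode a Base64 registry value: UTF-16LE when every second byte is NUL
    (ASCII text stored as UTF-16LE, as in this sample), otherwise ASCII."""
    raw = base64.b64decode(b64)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("ascii", errors="replace")

def triage(cmdline: str, registry_value: str) -> dict:
    """Score the launch command and the registry-stored stage it would iex."""
    stage = decode_registry_stage(registry_value)
    return {"launch": match_indicators(cmdline, LAUNCH_INDICATORS),
            "stage": match_indicators(stage, STAGE_INDICATORS),
            "stage_preview": stage[:80]}

# Constructed sample mirroring the diary's layout; the key and value names
# are placeholders, not the ones from the real sample.
SAMPLE_CMD = (r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile "
              r"-windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII"
              r".GetString([Convert]::FromBase64String((gp HKCU:\Software\Classes\PLACEHOLDER).v)))")
SAMPLE_STAGE = ("if ([IntPtr]::Size -eq 8) { $bin = $x64 } else { $bin = $x86 }\n"
                "Invoke-ReflectivePEInjection -PEBytes $bin")
SAMPLE_VALUE = base64.b64encode(SAMPLE_STAGE.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print(triage(SAMPLE_CMD, SAMPLE_VALUE))
```

The same functions can be pointed at command lines pulled from Autoruns or Sysmon output and at the Base64 values read from the referenced keys, so the stage is inspected as text rather than executed.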

Thanks for the submission Eric!

Check out SEC573 at one of our upcoming events! https://www.sans.org/course/python-for-pen-testers Already know Python?? Prove it! http://www.giac.org/certification/python-coder-gpyc

Follow me on twitter: https://twitter.com/markbaggett

Mark Baggett

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
