INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
[Guest Diary] Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack
Published: 2025-05-28
Last Updated: 2025-05-28 13:48:55 UTC
by Jennifer Wilson, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Jennifer Wilson, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
As part of my BACS internship with SANS, I set up and maintained a DShield honeypot instance using a physical Raspberry Pi device. As I was putting together each of the attack observations that were due, I started to wonder how helpful AI would be. One of the things I wanted to do when I started the internship was to step outside of my comfort zone. While I have read a lot about AI, I have only used it a handful of times. So I wondered: would it lead me astray? Would it provide valid, actionable data?
In this blog post, I will explore how accurate and helpful ChatGPT is at identifying one of the more unique attacks I saw over the past few months.
To set the stage, I first noticed this attack after running the cowrieprocessor script on my honeypot. The attack occurred on 2025-04-20 and came from IP address ... . The entire attack took place over a duration of 62.83 seconds. According to AbuseIPDB, the IP has been reported 300 times and is marked with a 100% confidence of abuse. This IP has been busy in the world. Along with this basic data, the following commands were captured being run on the honeypot ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Exploring+a+Use+Case+of+Artificial+Intelligence+Assistance+with+Understanding+an+Attack/31980/
SVG Steganography
Published: 2025-05-26
Last Updated: 2025-05-26 16:31:33 UTC
by Johannes Ullrich (Version: 1)
Didier recently published several diaries related to steganography. I have to admit that steganography isn't exactly my favorite topic. It is one of those "neat" infosec toys, but its applicability is limited. Data exfiltration usually does not require proper steganography, but just appending data to an image will usually work just fine.
On the other hand, it looks like the kids still like and enjoy diaries about steganography. For one of my recent podcasts, a viewer left a message asking about the use of SVG images for steganography, to avoid some of the loss issues with compressed image formats. Image formats break down into two basic types: bitmap and vector. Most images you see are bitmap, or pixel-based. These formats tend to be easier to create and display. However, they have the disadvantage of not scaling up well, and the image size can become quite large, which in turn requires compression. While there are some commonly used lossless compression formats, many image formats accept some loss of detail to improve compression. Steganography takes advantage of similar colors being indistinguishable from each other. However, compression algorithms exploit the same property: neighboring pixels with similar colors are often approximated by changing them all to the same color, which simplifies compression.
The images below use JPEG compression. The "uncompressed" version on the left is 130kBytes, while the compressed version is around 23kBytes. At a quick glance, the images are identical, but if you zoom in a bit, you will probably see the "blockiness" of the compressed image caused by the adjusted colors. This compression would wipe out any steganographic message ...
Read the full entry: https://isc.sans.edu/diary/SVG+Steganography/31978/
Securing Your SSH authorized_keys File
Published: 2025-05-27
Last Updated: 2025-05-27 15:44:43 UTC
by Johannes Ullrich (Version: 1)
This is nothing "amazingly new", but more of a reminder to secure your "authorized_keys" file for SSH. One of the first things I see even simple bots do to obtain persistent access to a UNIX system is to add a key to the authorized_keys file of whatever account they are compromising.
So here are a few things you can do to make your "authorized_keys" file more secure:
authorized_keys file location
The default locations are .ssh/authorized_keys and .ssh/authorized_keys2. Make sure to specify a location explicitly (the default is fine, but more on that later). One file is enough: the "authorized_keys2" file was used back in the day to retain backward compatibility with older SSH versions. Most importantly, you want to control the location of the file, and for the discussion below, we are going to assume the default location.
File Permissions
This is probably the easiest change you can make. By default, most systems set the permissions to "0600" and make the file owned by the user. This looks "ok" at first, as only the user has read/write access. But in this case, we are trying to prevent someone who has compromised the user's credentials from modifying the file. A better option is to make sure the file is owned by root and set to read-only (0444). The user must still be able to read the file, so 0400 will not work if the file is owned by root. Next, you may also set the "immutable" flag. It does not offer a ton of extra security, as the attacker has to be root anyway, but it offers some more detection capabilities ...
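As an added example (not code from the diary), the script below audits an authorized_keys file against the two settings described above (root ownership, mode 0444), checks for the immutable flag, and applies the settings when run as root. It assumes Linux with GNU coreutils (`stat -c`) and e2fsprogs (`lsattr`/`chattr`); the key it writes is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the diary. Assumes Linux, GNU coreutils and e2fsprogs.

# Audit one authorized_keys file: owned by root and mode 0444 as recommended.
# Findings go to stderr; the number of findings is printed to stdout.
audit_authorized_keys() {
  f="$1"
  findings=0
  owner=$(stat -c '%U' "$f")
  mode=$(stat -c '%a' "$f")
  if [ "$owner" != "root" ]; then
    echo "FINDING: $f owned by '$owner', not root: the account itself can append keys" >&2
    findings=$((findings + 1))
  fi
  if [ "$mode" != "444" ]; then
    echo "FINDING: $f mode 0$mode, expected 0444 (readable by the user, writable by nobody)" >&2
    findings=$((findings + 1))
  fi
  printf '%s\n' "$findings"
}

# Returns 0 if the immutable flag is set, 1 if not, 2 if it cannot be determined
# (no lsattr, or a filesystem without ext-style attributes).
is_immutable() {
  command -v lsattr >/dev/null 2>&1 || return 2
  attrs=$(lsattr "$1" 2>/dev/null | awk '{print $1}')
  [ -n "$attrs" ] || return 2
  case "$attrs" in *i*) return 0 ;; *) return 1 ;; esac
}

# Apply the diary's settings (must run as root). The immutable flag is optional:
# root can still clear it, but doing so leaves a noisier trail for detection.
harden_authorized_keys() {
  f="$1"
  chown root:root "$f"
  chmod 0444 "$f"
  chattr +i "$f" 2>/dev/null || echo "note: immutable flag not supported on this filesystem" >&2
}

# Demo on a constructed file with the common default state (user-owned, 0600).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/authorized_keys"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEK user@example\n' > "$demo_file"
chmod 0600 "$demo_file"
echo "findings on a default-style file: $(audit_authorized_keys "$demo_file")"
```

Run the audit over `/root/.ssh/authorized_keys` and each user's `~/.ssh/authorized_keys` from a cron job or a configuration-management check, and treat any non-zero count as drift worth investigating.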
Read the full entry: https://isc.sans.edu/diary/Securing+Your+SSH+authorizedkeys+File/31986/