I Know What You Did Last Month: A New Artifact of Execution on macOS 10.13

Analysts that perform macOS forensics have had few, if any, artifacts of program execution to rely on during investigations — until now. In macOS 10.13 (High Sierra), Apple introduced CoreAnalytics, which is a system diagnostics mechanism that maintains a record of Mach-O programs that have executed on a system over approximately one month. CoreAnalytics can serve a number of valuable analytical purposes for both insider threat investigations and incident response.[…]

https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/

CrowdStrike seeks UEFI/hypervisor researcher

Researcher – Strategic Research Initiatives (SRI):
As the core research and development arm of the CrowdStrike Falcon product, the Strategic Research Initiatives (SRI) Team is at the forefront of cutting-edge research into security-related systems and techniques. The team strives to deliver cross-platform features for mid to long-term, visionary projects that expand the capabilities of Falcon Sensor. New EDR techniques and data sources, UEFI/Hypervisor capability, PnP and network stack visibility, containerization, scripting engine introspection, and emulation/sandboxing are just a few examples of SRI projects.[…]

https://jobs.jobvite.com/careers/crowdstrike/job/oAlo4fw7?__jvst=Job%20Board

CrowdStrike on building secure burner laptops

Morgan Marquis-Boire posted a pointer to this advice from CrowdStrike on how to build a ‘burner laptop’ for hostile environments. The Arch Linux-based system uses a very interesting configuration, such as embedding GRUB in the SPI flash as the root of trust.

Excerpt from the introduction of the README:

A Reasonably Secure Travel Laptop Setup

This repository contains auxiliary scripts and configurations around building a reasonably secure travel laptop using coreboot with a GRUB2 payload. The scripts and configurations have been tested with an ArchLinux setup but should be adaptable to other distributions easily. A reasonably secure travel laptop following the approach laid out here will boot only a signed kernel and initrd and assure user-space integrity with a dm-verity protected root filesystem. If you require confidentiality, it is additionally recommended to encrypt the entire filesystem or use a separate, encrypted /home partition. Building coreboot and GRUB2 for your target laptop and flashing the appropriate image is out of the scope of this repository’s contents and documentation. You can find more information on the coreboot Wiki.

[…]

Full article:
https://github.com/CrowdStrike/travel-laptop
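To make concrete what "a dm-verity protected root filesystem" buys the travel-laptop design above, here is an added Python model of the dm-verity hash tree. It is an illustration written for this post, not code from the CrowdStrike travel-laptop repository or from veritysetup. It follows the format-version-1 layout (salt prepended to each block before hashing, leaf digests packed into zero-padded hash blocks, repeated until a single root hash remains) with the 4096-byte blocks and SHA-256 that veritysetup uses by default, but it is a simplified model and is not claimed to reproduce veritysetup's output byte for byte. The image, salt and the tampered byte are constructed sample data. The point it shows: the root hash (which the signed kernel command line carries) pins every block of the root filesystem, so an offline edit of one byte is rejected on read while untouched blocks still verify.

```python
import hashlib

# Constructed example, not code from the travel-laptop repository.
# Block and hash sizes match what veritysetup uses by default.
DATA_BLOCK = 4096
HASH_BLOCK = 4096
DIGEST_SIZE = hashlib.sha256().digest_size   # 32 bytes
PER_BLOCK = HASH_BLOCK // DIGEST_SIZE        # 128 digests per hash block


def _hash_block(block, salt):
    # dm-verity format version 1: the salt is prepended to the block
    return hashlib.sha256(salt + block).digest()


def build_hash_tree(image, salt):
    """Return (root_hash, levels); levels[0] is the layer nearest the data."""
    if len(image) % DATA_BLOCK:
        raise ValueError("image must be a whole number of data blocks")
    digests = [_hash_block(image[i:i + DATA_BLOCK], salt)
               for i in range(0, len(image), DATA_BLOCK)]
    levels = []
    while len(digests) > 1:
        # pack digests into hash blocks, zero-padding the last one
        hash_blocks = [b"".join(digests[i:i + PER_BLOCK]).ljust(HASH_BLOCK, b"\0")
                       for i in range(0, len(digests), PER_BLOCK)]
        levels.append(hash_blocks)
        digests = [_hash_block(hb, salt) for hb in hash_blocks]
    return digests[0], levels


def verify_block(image, index, root_hash, levels, salt):
    """Check one data block the way the kernel does on read: leaf -> ... -> root."""
    want = _hash_block(image[index * DATA_BLOCK:(index + 1) * DATA_BLOCK], salt)
    pos = index
    for hash_blocks in levels:
        hb = hash_blocks[pos // PER_BLOCK]
        off = (pos % PER_BLOCK) * DIGEST_SIZE
        if hb[off:off + DIGEST_SIZE] != want:
            return False                 # this block's entry does not match
        want = _hash_block(hb, salt)     # the hash block itself must now be vouched for
        pos //= PER_BLOCK
    return want == root_hash


def demo(blocks=300):
    # constructed root filesystem image: 300 blocks with a simple byte pattern
    salt = b"constructed-demo-salt".ljust(32, b"\0")
    image = b"".join(bytes([i & 0xFF]) * DATA_BLOCK for i in range(blocks))
    root, levels = build_hash_tree(image, salt)

    # one flipped byte deep inside block 137: an offline edit of the rootfs
    tampered = bytearray(image)
    tampered[137 * DATA_BLOCK + 100] ^= 0x01
    tampered = bytes(tampered)

    return {
        "levels": len(levels),
        "all_blocks_ok": all(verify_block(image, i, root, levels, salt)
                             for i in range(blocks)),
        "tampered_block_rejected": not verify_block(tampered, 137, root, levels, salt),
        "untouched_block_still_ok": verify_block(tampered, 0, root, levels, salt),
        "root_hash_changed": build_hash_tree(tampered, salt)[0] != root,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to the real system: verification is per block on read, so an unchanged block still verifies even if another block was tampered with (that is why the root hash must be protected by the signed kernel/initrd and the coreboot/GRUB root of trust described above, not by anything on the disk), and nothing here provides confidentiality, which is why the README separately recommends encrypting the filesystem or /home.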

CrowdStrike announces Venom vulnerability

As reported by Robert Hackett at Fortune, CrowdStrike has published research on a new vulnerability that impacts virtualization. Venom stands for “virtualized environment neglected operations manipulation”. It impacts QEMU, Xen, KVM, and VirtualBox, among others.

(It must be a big deal, as it already has an icon. I think Heartbleed took longer for its icon.)

More information:
http://venom.crowdstrike.com/
http://fortune.com/2015/05/13/venom-vulnerability/