Archive

Reverse Engineering a PHP “Virus”

In a recent incident a school server (not an ISIS server) was compromised. PHP code was injected that listened for commands passed through a POST request and executed them with the privileges of the ‘www’ user. Some of the commands that were run include id and pwd, as well as directory searches and wgets of various files. The compromised machine also served as a hop in a pharmacy ad delivery scheme: it redirected HTTP requests for medications to a possible ‘mothership’ server. There is evidence that links to our server were posted as ads on websites like MySpace.

[Image: sample_ads]


NYSec > ShmooCon

Seriously.

I had a very, very quick talk with someone at NYSec tonight and we highlighted the Social Responsibility panel that wrapped up ShmooCon as one of the biggest letdowns of the weekend. It’s a panel that should symbolize all the hopes and dreams our entire community wants to accomplish, but instead time was wasted debating the meaning of the word ‘hacker’ and what constitutes “our” “community”. I think Toby summed it up best when he threw a Shmoo Ball and said (paraphrasing) “We’ve debated what the word hacker means for 20 years and we’ll do it 20 more. We need to move on to talk about more important topics.”

Toby is exactly right, but his comments didn’t prevent the conversation from getting derailed again just a few short minutes later…


ISIS made some new friends

I just wanted to give a shout-out to some new friends that ISIS has made over the last few days through ShmooCon, NYSec, and elsewhere: Hello Matteo, AJ, Dino, Erik, Mike, Kees, and the NYCResistor Hacker Space! It was nice meeting all of you, keep in touch and call me if you want to grab a beer!

ShmooCon ‘08

ShmooCon has taken a nosedive. I don’t know where it went wrong, maybe this year was just a horrendously bad year, but the presentations did not meet my expectations. I can’t wait for the videos to go online in 60 days so I can watch myself hitting Simple Nomad in the face with a Shmoo Ball and being the first one to call him out on the poor quality of his presentation or the small businesses talk where Strat and I took turns dismantling all the presenter’s points.

This is the second time I’ve felt like this (the last time was after HOPE). I can’t sit here and complain anymore. If I disliked the presentations so much at ShmooCon, then I should present something myself to make up for it.

Who’s with me? HOPE/ISIS Con ‘08!

Forensic licensing isn’t that bad

At ShmooCon ‘08 Simple Nomad heavily advertised the cause of forensiclicensing.com. Unknown to me and many others, many states are requiring that all practitioners of computer forensics become licensed, in this case by becoming a licensed Private Investigator. Simple Nomad described this as one of the greatest threats currently facing our community; however, I contend that this is not necessarily such a bad thing.


A manifesto for fixing vulnerability disclosure

I think it’s safe to say that 99% of the security community believes that developing exploits and then selling them to security vendors is a Bad Thing, yet, to me, no one seems concerned enough about this activity to develop a viable alternative model. Application developers hate it when you won’t tell them what’s wrong with their product. Application users (i.e. the general public) hate that they can’t fix their software even if they wanted to. Of course, every single user of technology on the planet could just subscribe to 15+ security vendors’ product lines to get notice of these things… The entire idea seems antithetical to our purpose for existence, if we had one, namely to help secure every technology on the planet so that people can extend and build new ones.


Breach Law Charts

Here is a set of interesting references regarding Breach Laws in the United States. I especially like the interactive map that CSO Magazine made, but I can see where having a textual list might be more useful :-).

Breach Laws Charts (updated)

This might be good information for any of the students taking Information Security Management this semester to include in their work.

Top 10 Web Hacks of 2007

Jeremiah Grossman has posted his Top 10 Web Hacks of 2007 to his blog. It collects the state of the art in one short, simple blog post. Highly suggested reading if you’re into webapp-sec.

Attacks on BitTorrent

Many media companies are paying big money to try to stop file sharing of copyrighted material. While the material in question is being shared illegally, many of the techniques these companies employ affect everyone by generating a great deal of additional Internet traffic. In this presentation I present research into some new techniques currently being used to attack BitTorrent swarms and the prevalence of these attacks.

BitTorrent Presentation

Chinese CNO anyone?

While I’ve been sitting at home, sick for the last few days, I’ve been trying to keep my mind at least somewhat sharp by watching some light videos here and there. The usual stuff, some TED, some 30 Rock, and I came across this gem I thought many people on this list might be interested in:

Crouching Powerpoint, Hidden Trojan: An analysis of targeted attacks from 2005 to 2007
Presented by Maarten Van Horenbeeck of the SANS ISC at the 24th Chaos Communication Congress
http://events.ccc.de/congress/2007/Fahrplan/events/2189.en.html

See the links at the bottom for presentation materials including a PDF, video, and analysis of actual targeted exploits. I highly recommend the video, the torrent was extremely fast.

Enjoy :-)

Q&A with ISIS: Outsourced Backup

Q: What do you think of outsourced backup solutions? Are they secure? Would you use one? I want to backup my data but I’m not sure I can trust an outsourced backup provider.


Prioritizing Vulnerabilities for Remediation

Information security is about reducing risk. Therefore, risk management activities must be conducted to identify potential problems and prepare for them. Different security management tools exist to help us determine the risk to our systems. These tools can take data from various security tools such as Nessus and Snort, perform some form of analysis (trend analysis, risk calculations, etc.) and generate reports. However, to fully take advantage of these systems, they must be configured with the criticality values of the various systems.

Unfortunately, there do not seem to be any foolproof methods for calculating asset values.

My presentation provides a possible guideline to measure relative asset values. This will aid in prioritizing remediation.

Prioritizing Vulnerabilities for Remediation

Detecting Botnet Membership

More and more often we hear about botnets being responsible for a larger share of Internet crime today. Botnets are complex systems and there are many different approaches to combating the problem. I decided to take a look at some of the more recent techniques for discovering bot malware infections from network traffic, and came across two particularly interesting methods of identifying infected machines. One is to look at the most often used command and control technique, IRC channels, and try to determine ‘evil’ channels which provide commands for zombie machines. Another is to look for DNS blacklist lookups, which may be performed by bots to test that an IP address is not listed before using it to send spam. Attached is a short presentation I gave for the ISIS computer lab.

Botnet Membership Detection within the Network

Terrorists on the Internet … Dude

Upon finding out that I study information security, a question people often ask me is:

“Alright dude, so like, if all these terrorists go around posting stuff on the Internet, why can’t we just use their Internet posts to track them down?”

What annoys me is that I can think of several answers to this question, but I do not know which one is actually true most of the time.


Memon’s 15 minutes, take 2

Adobe Tackles Photo Forgeries

Nasir Memon, the professor who oversees much of our lab, was quoted in the above article relating to Adobe’s decision to include forgery detection plugins with the next version of Photoshop. Among the areas of research currently ongoing in ISIS, multimedia forensics, watermarking, and steganography are some of the top ones for PhDs.