Stuxnet is analyzed in detail, including its architecture, functionality, and propagation methods. It is described as a highly advanced persistent threat that targeted Iran's nuclear facilities. The document outlines how Stuxnet used zero-day exploits and a digital certificate to inject code into industrial control systems and spread via removable drives and network shares. Stuxnet's command and control infrastructure and ability to infect project files for industrial software are also summarized.
Stuxnet, Duqu, and Flame are sophisticated cyber weapons discovered between 2010-2012 that targeted industrial systems and stole information. Kaspersky Lab analysis found that a module from the early 2009 version of Stuxnet, known as "Resource 207", was actually a Flame plugin, indicating Flame existed prior to Stuxnet. This module was used by both Stuxnet and Flame to spread via USB drives using identical code. Stuxnet and Flame are believed to have been used by the U.S. to wage cyber warfare against Iran.
Is Troy Burning - An overview of targeted cyber attacksguest6f3af5
The use of trojans in targeted attacks has been known dating back to at least 2002. However, only since 2005 has their use and methodology become relatively widespread and better understood. Recently some of the more notorious attacks, especially those on governments, have been widely discussed in the media, but little technical information is available.
This presentation is based on private investigations of targeted attacks against various organizations, and provides a detailed view on the methodologies, both from a technical as a social engineering perspective, most popular in these attacks. In addition, it briefly touches on how effective today's protection mechanisms are and to what degree these attacks can be mitigated and detected.
This document provides an audit program to evaluate the effectiveness of Norton Antivirus 2005 software running on Windows XP. It begins with researching the software's results on third-party antivirus testing sites. The audit program then consists of 7 checklist items to test configurations like automatic definition updates, scanning of internet downloads, emails and attachments, all file types, and compressed files. Conducting this audit would verify Norton 2005 is properly configured and able to detect current viruses and malware.
Android forensics an Custom Recovery ImageMohamed Khaled
Mobile Forensic Process
Different Mobile Forensic Scenario
Acquisition Guide
Challenges of Android Forensics
How to Circumvent the Pass Code
Types Of Analyses(Logical analysis)
Types Of Analyses(Physical analysis)
Android Partition Layout
Custom Recovery Modifications
How Data are Stored In Android
Example of Useful Data extracted from Android Image
This document provides a briefing on cyberwarfare. It begins with definitions of cyber, warfare, and cyberwarfare. It then discusses three recent cyberwarfare events: 1) Russia attacking Georgia in 2008 through DDoS and hacking, 2) An unknown agency attacking US military networks in 2008 through an infected USB drive, and 3) An unknown attacker (allegedly Israel) targeting Iran's nuclear facilities in 2010 through the Stuxnet virus. It analyzes the impacts and countermeasures for each event. Finally, it concludes with questions around regulating cyber groups and establishing protocols for cyberweapons.
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.
This document discusses types of malicious software and network attacks. It describes viruses, worms, Trojan horses, and their goals of destroying, corrupting or shutting down data and systems. It also covers spyware, adware, denial of service attacks, and physical security vulnerabilities. The document emphasizes educating users to help protect against malware through training, antivirus software, firewalls, and intrusion detection systems.
Stuxnet, Duqu, and Flame are sophisticated cyber weapons discovered between 2010-2012 that targeted industrial systems and stole information. Kaspersky Lab analysis found that a module from the early 2009 version of Stuxnet, known as "Resource 207", was actually a Flame plugin, indicating Flame existed prior to Stuxnet. This module was used by both Stuxnet and Flame to spread via USB drives using identical code. Stuxnet and Flame are believed to have been used by the U.S. to wage cyber warfare against Iran.
Is Troy Burning - An overview of targeted cyber attacksguest6f3af5
The use of trojans in targeted attacks has been known dating back to at least 2002. However, only since 2005 has their use and methodology become relatively widespread and better understood. Recently some of the more notorious attacks, especially those on governments, have been widely discussed in the media, but little technical information is available.
This presentation is based on private investigations of targeted attacks against various organizations, and provides a detailed view on the methodologies, both from a technical as a social engineering perspective, most popular in these attacks. In addition, it briefly touches on how effective today's protection mechanisms are and to what degree these attacks can be mitigated and detected.
This document provides an audit program to evaluate the effectiveness of Norton Antivirus 2005 software running on Windows XP. It begins with researching the software's results on third-party antivirus testing sites. The audit program then consists of 7 checklist items to test configurations like automatic definition updates, scanning of internet downloads, emails and attachments, all file types, and compressed files. Conducting this audit would verify Norton 2005 is properly configured and able to detect current viruses and malware.
Android forensics an Custom Recovery ImageMohamed Khaled
Mobile Forensic Process
Different Mobile Forensic Scenario
Acquisition Guide
Challenges of Android Forensics
How to Circumvent the Pass Code
Types Of Analyses(Logical analysis)
Types Of Analyses(Physical analysis)
Android Partition Layout
Custom Recovery Modifications
How Data are Stored In Android
Example of Useful Data extracted from Android Image
This document provides a briefing on cyberwarfare. It begins with definitions of cyber, warfare, and cyberwarfare. It then discusses three recent cyberwarfare events: 1) Russia attacking Georgia in 2008 through DDoS and hacking, 2) An unknown agency attacking US military networks in 2008 through an infected USB drive, and 3) An unknown attacker (allegedly Israel) targeting Iran's nuclear facilities in 2010 through the Stuxnet virus. It analyzes the impacts and countermeasures for each event. Finally, it concludes with questions around regulating cyber groups and establishing protocols for cyberweapons.
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.
This document discusses types of malicious software and network attacks. It describes viruses, worms, Trojan horses, and their goals of destroying, corrupting or shutting down data and systems. It also covers spyware, adware, denial of service attacks, and physical security vulnerabilities. The document emphasizes educating users to help protect against malware through training, antivirus software, firewalls, and intrusion detection systems.
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
The document discusses the CryptoLocker ransomware threat and strategies to defend against it. CryptoLocker infects systems by tricking users into executing malicious files, then encrypts files using a randomly generated key. It threatens to delete the encryption key unless a ransom is paid. The best defenses include application whitelisting, limiting administrator privileges, firewalls, intrusion detection systems and keeping systems patched and backed up. In the event of infection, the affected machine should be isolated while restoring data from backups. Ongoing user education and security policies are also important to mitigate the ransomware risk.
Talk of the hour, the wanna crypt ransomwareshubaira
The document discusses the WannaCrypt ransomware attack that occurred in May 2017. It describes how WannaCrypt exploited a Windows vulnerability to spread, encrypted files on infected systems, and demanded ransom payments in Bitcoin. The document provides details on the malware components, infection cycle, indicators of infection, and recommendations for prevention and cleanup of infected systems. It also includes definitions of relevant cybersecurity terminology.
The document discusses targeted attacks on financial institutions. It provides information on:
1) Known targeted attackers like Cobalt, Corkow, and Anunak and their favorite targets like ATMs, card processing, and SWIFT systems.
2) Future targeted attackers that may go after financial networks.
3) The common targets of these attacks, which include corporate internet banking software, payment gateways, ATMs, trade terminals, and SWIFT/ARM CBR systems.
4) The malware delivery methods used by these groups, such as driveby downloads, pay-per-install, web hacks, phishing emails, and spear phishing.
This thesis analyzes the Rxbot malware. Rxbot is a win32 bot that belongs to the Agobot family. The analysis includes a static code analysis of Rxbot's source code to understand its modularity and configuration. A dynamic analysis examines Rxbot's process-level and network-level behaviors when built and executed. The analysis also describes tricks used by botmasters to evade detection. Finally, the thesis proposes future work analyzing botnets using honeypots.
Windows Vista contains many new security features to improve security over previous Windows versions. These include User Account Control, BitLocker Drive Encryption, Windows Defender, Address Space Layout Randomizer, Windows Firewall, USB Device Lockdown, and x64-specific security enhancements. Windows Vista also includes a Phishing Filter to help prevent users from falling victim to phishing attacks. Overall, Windows Vista represents a major security advance compared to previous versions of Windows like Windows XP.
The document discusses several pieces of malware including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems and included a PLC rootkit. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware that supported eliminating traces of its files. Gauss was designed to steal credentials from banking and social media accounts. All of the malware discussed exploited vulnerabilities and some signed with stolen certificates to propagate and communicate with command and control servers.
The document summarizes an empirical study of HTTP-based financial botnets. It discusses how botnets spread through phishing emails and drive-by downloads. It analyzes the top four financial botnets: Zeus, SpyEye, Carberp, and Citadel. The methodology section outlines how the researchers joined botnets to monitor behavior and conduct penetration testing. A comparative analysis is presented on the protocols, anti-sandbox techniques, exploitation methods, spreading mechanisms, remote management, and defensive mechanisms of different bots. Analytical observations note trends like botnets reusing code, increasing use of domain generation algorithms for command and control, and targeting browsers for information theft. Challenges in detecting unknown malware and protecting against man-in
The document is a survey of computer general awareness questions and answers that covers topics related to computer security, computer crimes, viruses, malware, and other cyber threats. Some key details include:
- 85% of over 500 companies and government agencies detected computer security breaches. These businesses lost more than $377 million due to security breaches.
- The typical computer criminal is a trusted employee with no criminal record, not a hacker. The majority of computer crimes are committed by insiders, not overseas criminals.
- Common computer crimes include identity theft, spoofing, and introducing malware like viruses, Trojan horses, and worms.
- Strong passwords, firewalls, encryption, antivirus software, and
A Fileless Ransomware is a new type of ransomware primarily follows the mechanism of both ransomware and fileless malware. Detecting and Defending these kinds of attacks becoming a great obstacle for IT firms. Cybercriminals found a new way of extorting ransom with vicious methods mainly from big organizations, government, Telecom Industry and many more. Traditional AV Engines are not able to defend Fileless Malware. This paper describes the mechanism of both ransomware and fileless malware, the working of fileless ransomware, what are the possible attack vectors of fileless ransomware, variations of fileless ransomware and their instances, Prevention methods and recommendation to defend against Fileless ransomware. Krishna B L "Comparative Study of Fileless Ransomware" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-3 , April 2020, URL: https://www.ijtsrd.com/papers/ijtsrd30600.pdf Paper Url :https://www.ijtsrd.com/engineering/computer-engineering/30600/comparative-study-of-fileless-ransomware/krishna-b-l
The document discusses how unprotected Windows file shares can expose systems to exploitation. Malicious software like the Klez worm, Nimda worm, and Sircam virus spread rapidly in 2001 by accessing unprotected shares. The document outlines techniques attackers use like scanning for systems with port 445 open and exploiting weak or null passwords. Examples of malware discussed are the W32/Deloder, GT-bot, and W32/Slackor worms which use these techniques to spread. The document recommends disabling unnecessary shares, using strong unique passwords, and keeping anti-virus software up to date to prevent exploitation.
The document discusses security challenges posed by modern malware and web-based attacks. It provides examples of next-generation malware that bypass antivirus detection using techniques like embedding malicious code in Office documents or PDF files. It also discusses how web-based malware has evolved from defacements and DDoS tools to more advanced drive-by download attacks using exploit kits. The document aims to demonstrate malware analysis techniques and how to detect web server backdoors through tools and manual source code reviews. It concludes with a challenge to practice security skills safely.
TRITON: The Next Generation of ICS MalwareThomas Roccia
This presentation is about the industrial malware dubbed Triton that targeted Safety Industrial System in a oil and gas plant in 2017. It was presented during the CNES COMET event about Industrial Threats.
This document provides definitions and context about cyberwarfare and the Stuxnet virus attack. It defines cyberwarfare as actions by a nation-state to penetrate another nation's computers or networks to cause damage or disruption. It then summarizes the Stuxnet virus, including that it targeted Iranian nuclear facilities, represented a new level of cyberthreat sophistication, and exposed vulnerabilities in critical infrastructure cybersecurity. Experts believe Stuxnet was part of a government-backed cyberattack but its origins remain uncertain.
A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document.
It infects other programs,
Alters Data
Transforms itself
Encrypts Itself
Corrupt files and Programs
Self Propagates
The document describes developing a hardened customized Linux operating system (HCLOS) by modifying the Linux kernel for increased security, implementing security measures throughout the OS, and evaluating HCLOS against other Linux distributions. Key aspects of developing HCLOS included compiling a secure Linux kernel, customizing it with security-focused modules, creating an encrypted filesystem, implementing strong network and system security, and developing tools to audit the system and manage security. The document then analyzes HCLOS in comparison to other distributions based on network scanning, auditing, and attacking the systems to evaluate their resistance to vulnerabilities.
The document discusses several guidelines for improving operating system security:
1) It provides tips for securing Windows systems such as enabling BitLocker, creating strong passwords, applying updates, and using the Windows firewall.
2) It explains how malware can propagate through email attachments, infected websites, USB drives and other methods.
3) Mac malware was previously rare but is becoming more common as the Mac market share increases, potentially validating a previous security prediction.
This document provides an overview of Android forensics. It discusses rooting Android devices to gain access for forensic imaging. The forensic process involves seizing the device and accessories, creating a bit-by-bit image of the memory card and device to preserve all data, recovering useful data from the image, analyzing the image by examining key locations like the SQLite database and searching for evidence, and maintaining a proper chain of custody. Indian laws like the IT Act 2000 cover digital crimes using computers as targets or weapons.
A week is a long time in computer ethicsUltraUploader
Over the course of a week, numerous news articles reported on various ethical issues arising from the use of technology. Issues discussed included intellectual property theft through peer-to-peer file sharing and concerns over globalization. Other topics included the growing problems of identity theft, computer viruses and hacking, junk mail and spam, censorship and surveillance. The week demonstrated the many challenges posed by technology and how each issue often has countervailing perspectives around issues like freedom of expression, prevention versus cure of computer misuse, and information access versus information control.
Accurately detecting source code of attacks that increase privilegeUltraUploader
The document discusses developing a system to detect source code for attacks that increase privilege before they are executed. The system separates incoming data into categories like C code or shell code. Features are extracted from each sample and used to estimate if it contains attack code. The system has been evaluated on large databases of normal and attack software written by many authors, with results showing accurate detection of attack code.
Kyozou is a hosted business solution which provides automation for on-line merchants to increase their sales while reducing the labor intensity of their processes. Successful merchants typically sell their products in multiple marketplaces such eBay, Amazon, Overstock, Bidtopia, and could also run their own ecommerce or marketplace website too
Cyber Intelligence Vision Information Sheet 20Nov2013Dave Eilken
Intelligence sharing has become the primary method of defending against cyber attacks. By sharing cyber security intelligence across organizations when one group experiences an incident, that information can benefit hundreds as actionable intelligence to increase the costs for malicious actors. Automating intelligence sharing through a federation of standards-based repositories that exchange information in real-time can help organizations achieve situational awareness across a community and jointly raise the cost of attacks while reducing the cost of proactive defense.
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
The document discusses the CryptoLocker ransomware threat and strategies to defend against it. CryptoLocker infects systems by tricking users into executing malicious files, then encrypts files using a randomly generated key. It threatens to delete the encryption key unless a ransom is paid. The best defenses include application whitelisting, limiting administrator privileges, firewalls, intrusion detection systems and keeping systems patched and backed up. In the event of infection, the affected machine should be isolated while restoring data from backups. Ongoing user education and security policies are also important to mitigate the ransomware risk.
Talk of the hour, the wanna crypt ransomwareshubaira
The document discusses the WannaCrypt ransomware attack that occurred in May 2017. It describes how WannaCrypt exploited a Windows vulnerability to spread, encrypted files on infected systems, and demanded ransom payments in Bitcoin. The document provides details on the malware components, infection cycle, indicators of infection, and recommendations for prevention and cleanup of infected systems. It also includes definitions of relevant cybersecurity terminology.
The document discusses targeted attacks on financial institutions. It provides information on:
1) Known targeted attackers like Cobalt, Corkow, and Anunak and their favorite targets like ATMs, card processing, and SWIFT systems.
2) Future targeted attackers that may go after financial networks.
3) The common targets of these attacks, which include corporate internet banking software, payment gateways, ATMs, trade terminals, and SWIFT/ARM CBR systems.
4) The malware delivery methods used by these groups, such as driveby downloads, pay-per-install, web hacks, phishing emails, and spear phishing.
This thesis analyzes the Rxbot malware. Rxbot is a win32 bot that belongs to the Agobot family. The analysis includes a static code analysis of Rxbot's source code to understand its modularity and configuration. A dynamic analysis examines Rxbot's process-level and network-level behaviors when built and executed. The analysis also describes tricks used by botmasters to evade detection. Finally, the thesis proposes future work analyzing botnets using honeypots.
Windows Vista contains many new security features to improve security over previous Windows versions. These include User Account Control, BitLocker Drive Encryption, Windows Defender, Address Space Layout Randomizer, Windows Firewall, USB Device Lockdown, and x64-specific security enhancements. Windows Vista also includes a Phishing Filter to help prevent users from falling victim to phishing attacks. Overall, Windows Vista represents a major security advance compared to previous versions of Windows like Windows XP.
The document discusses several pieces of malware including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems and included a PLC rootkit. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware that supported eliminating traces of its files. Gauss was designed to steal credentials from banking and social media accounts. All of the malware discussed exploited vulnerabilities and some signed with stolen certificates to propagate and communicate with command and control servers.
The document summarizes an empirical study of HTTP-based financial botnets. It discusses how botnets spread through phishing emails and drive-by downloads. It analyzes the top four financial botnets: Zeus, SpyEye, Carberp, and Citadel. The methodology section outlines how the researchers joined botnets to monitor behavior and conduct penetration testing. A comparative analysis is presented on the protocols, anti-sandbox techniques, exploitation methods, spreading mechanisms, remote management, and defensive mechanisms of different bots. Analytical observations note trends like botnets reusing code, increasing use of domain generation algorithms for command and control, and targeting browsers for information theft. Challenges in detecting unknown malware and protecting against man-in
The document is a survey of computer general awareness questions and answers that covers topics related to computer security, computer crimes, viruses, malware, and other cyber threats. Some key details include:
- 85% of over 500 companies and government agencies detected computer security breaches. These businesses lost more than $377 million due to security breaches.
- The typical computer criminal is a trusted employee with no criminal record, not a hacker. The majority of computer crimes are committed by insiders, not overseas criminals.
- Common computer crimes include identity theft, spoofing, and introducing malware like viruses, Trojan horses, and worms.
- Strong passwords, firewalls, encryption, antivirus software, and
A Fileless Ransomware is a new type of ransomware primarily follows the mechanism of both ransomware and fileless malware. Detecting and Defending these kinds of attacks becoming a great obstacle for IT firms. Cybercriminals found a new way of extorting ransom with vicious methods mainly from big organizations, government, Telecom Industry and many more. Traditional AV Engines are not able to defend Fileless Malware. This paper describes the mechanism of both ransomware and fileless malware, the working of fileless ransomware, what are the possible attack vectors of fileless ransomware, variations of fileless ransomware and their instances, Prevention methods and recommendation to defend against Fileless ransomware. Krishna B L "Comparative Study of Fileless Ransomware" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-3 , April 2020, URL: https://www.ijtsrd.com/papers/ijtsrd30600.pdf Paper Url :https://www.ijtsrd.com/engineering/computer-engineering/30600/comparative-study-of-fileless-ransomware/krishna-b-l
The document discusses how unprotected Windows file shares can expose systems to exploitation. Malicious software like the Klez worm, Nimda worm, and Sircam virus spread rapidly in 2001 by accessing unprotected shares. The document outlines techniques attackers use like scanning for systems with port 445 open and exploiting weak or null passwords. Examples of malware discussed are the W32/Deloder, GT-bot, and W32/Slackor worms which use these techniques to spread. The document recommends disabling unnecessary shares, using strong unique passwords, and keeping anti-virus software up to date to prevent exploitation.
The document discusses security challenges posed by modern malware and web-based attacks. It provides examples of next-generation malware that bypass antivirus detection using techniques like embedding malicious code in Office documents or PDF files. It also discusses how web-based malware has evolved from defacements and DDoS tools to more advanced drive-by download attacks using exploit kits. The document aims to demonstrate malware analysis techniques and how to detect web server backdoors through tools and manual source code reviews. It concludes with a challenge to practice security skills safely.
TRITON: The Next Generation of ICS MalwareThomas Roccia
This presentation is about the industrial malware dubbed Triton that targeted Safety Industrial System in a oil and gas plant in 2017. It was presented during the CNES COMET event about Industrial Threats.
This document provides definitions and context about cyberwarfare and the Stuxnet virus attack. It defines cyberwarfare as actions by a nation-state to penetrate another nation's computers or networks to cause damage or disruption. It then summarizes the Stuxnet virus, including that it targeted Iranian nuclear facilities, represented a new level of cyberthreat sophistication, and exposed vulnerabilities in critical infrastructure cybersecurity. Experts believe Stuxnet was part of a government-backed cyberattack but its origins remain uncertain.
A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document.
It infects other programs,
Alters Data
Transforms itself
Encrypts Itself
Corrupt files and Programs
Self Propagates
The document describes developing a hardened customized Linux operating system (HCLOS) by modifying the Linux kernel for increased security, implementing security measures throughout the OS, and evaluating HCLOS against other Linux distributions. Key aspects of developing HCLOS included compiling a secure Linux kernel, customizing it with security-focused modules, creating an encrypted filesystem, implementing strong network and system security, and developing tools to audit the system and manage security. The document then analyzes HCLOS in comparison to other distributions based on network scanning, auditing, and attacking the systems to evaluate their resistance to vulnerabilities.
The document discusses several guidelines for improving operating system security:
1) It provides tips for securing Windows systems such as enabling BitLocker, creating strong passwords, applying updates, and using the Windows firewall.
2) It explains how malware can propagate through email attachments, infected websites, USB drives and other methods.
3) Mac malware was previously rare but is becoming more common as the Mac market share increases, potentially validating a previous security prediction.
This document provides an overview of Android forensics. It discusses rooting Android devices to gain access for forensic imaging. The forensic process involves seizing the device and accessories, creating a bit-by-bit image of the memory card and device to preserve all data, recovering useful data from the image, analyzing the image by examining key locations like the SQLite database and searching for evidence, and maintaining a proper chain of custody. Indian laws like the IT Act 2000 cover digital crimes using computers as targets or weapons.
A week is a long time in computer ethicsUltraUploader
Over the course of a week, numerous news articles reported on various ethical issues arising from the use of technology. Issues discussed included intellectual property theft through peer-to-peer file sharing and concerns over globalization. Other topics included the growing problems of identity theft, computer viruses and hacking, junk mail and spam, censorship and surveillance. The week demonstrated the many challenges posed by technology and how each issue often has countervailing perspectives around issues like freedom of expression, prevention versus cure of computer misuse, and information access versus information control.
Accurately detecting source code of attacks that increase privilegeUltraUploader
The document discusses developing a system to detect source code for attacks that increase privilege before they are executed. The system separates incoming data into categories like C code or shell code. Features are extracted from each sample and used to estimate if it contains attack code. The system has been evaluated on large databases of normal and attack software written by many authors, with results showing accurate detection of attack code.
Kyozou is a hosted business solution which provides automation for on-line merchants to increase their sales while reducing the labor intensity of their processes. Successful merchants typically sell their products in multiple marketplaces such eBay, Amazon, Overstock, Bidtopia, and could also run their own ecommerce or marketplace website too
Cyber Intelligence Vision Information Sheet 20Nov2013Dave Eilken
Intelligence sharing has become the primary method of defending against cyber attacks. By sharing cyber security intelligence across organizations when one group experiences an incident, that information can benefit hundreds as actionable intelligence to increase the costs for malicious actors. Automating intelligence sharing through a federation of standards-based repositories that exchange information in real-time can help organizations achieve situational awareness across a community and jointly raise the cost of attacks while reducing the cost of proactive defense.
The EMSOC project is a 4-year interdisciplinary study between the Vrije Universiteit Brussel, Catholic University Leuven, and University of Ghent investigating how social media empowers or disempowers users in their everyday lives. The project aims to critically examine the implications of transparency and disclosure of personal information in social media culture. It involves departments and faculties focused on communication studies, law, and educational studies from the participating universities.
How an Attack by a Cyber-espionage Operator Bypassed Security ControlsVenafi
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive functioning. Exercise causes chemical changes in the brain that may help boost serotonin and endorphins, which can positively impact mood.
This document discusses how cyber intelligence can be used to combat advanced cyber adversaries. It notes that traditional computer network defense is no longer sufficient due to state-sponsored groups, hacktivists, and crime rings. Cyber intelligence involves fusing open source data, reports, and internal attack data to provide organizations threat profiles, attack timelines, and malware intelligence. This intelligence can be combined with network defense to give a broader view of adversaries and better arm organizations against advanced threats.
This document discusses cyber bullying and cyber threats. It defines cyber bullying as using electronic means to torment or harass others. It notes that cyber bullying often occurs off-campus but still impacts students on-campus. The document outlines types of cyber bullying like flaming, harassment, and impersonation. It warns that cyber bullying can have serious emotional and psychological impacts on victims and in some cases has led to suicide. It stresses the importance of educating students on responsible internet use and outlines actions teachers and parents can take to address cyber bullying issues.
Security Onion is a Linux distribution for intrusion detection, network security monitoring, and log management. It contains tools like Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, and NetworkMiner. It allows full packet capture, network and host intrusion detection, and log collection and management. Security Onion can be deployed in standalone, server-sensor, or hybrid configurations.
This document provides an overview of industrial automation systems. It defines automated systems as collections of devices working together to accomplish tasks or produce products. Automated systems examples provided include automobiles, which use sensors and computers to control engine operation and other functions, and home security systems, which sound alarms when doors or windows are opened. The document also describes the basic components of industrial automated systems, including production devices, support equipment, controllers, and feedback sensors. It provides details on robotic systems commonly used for repetitive tasks like moving, positioning, and assembling parts. The three main types of industrial robots are pneumatic, hydraulic, and electric. The document includes links to videos demonstrating incredibly fast robots.
Final Report (TCP/RLA/0069)
Development of Standards for the Construction and Inspection of Fishing Vessels
Final Report TCP/RLA/0069 http://www.slideshare.net/safetyforfishermen/final-report-of-project-57610513
Annex I http://www.slideshare.net/safetyforfishermen/annex-i-57610511
Annex II http://www.slideshare.net/safetyforfishermen/annex-ii-57610508
Annex III http://www.slideshare.net/safetyforfishermen/annex-iii
Annex IV http://www.slideshare.net/safetyforfishermen/annex-iv-57610500
Annex V http://www.slideshare.net/safetyforfishermen/annex-v-57610497
Annex VI http://www.slideshare.net/safetyforfishermen/annex-vi-57610495
Schedule 1 http://www.slideshare.net/safetyforfishermen/schedule-1-57610492
Schedule 2 http://www.slideshare.net/safetyforfishermen/schedule-2-57610486
Schedule 3 http://www.slideshare.net/safetyforfishermen/schedule-3-57610481
Schedule 4 http://www.slideshare.net/safetyforfishermen/schedule-4-57610477
Schedule 5 http://www.slideshare.net/safetyforfishermen/schedule-5-57610474
Schedule 6 http://www.slideshare.net/safetyforfishermen/schedule-6-57610470
Schedule 7 http://www.slideshare.net/safetyforfishermen/schedule-7-57610465
Schedule 8 http://www.slideshare.net/safetyforfishermen/schedule-8-57610456
Schedule 9 http://www.slideshare.net/safetyforfishermen/schedule-9-57610450
Schedule 10 http://www.slideshare.net/safetyforfishermen/schedule-10-57610439
Schedule 11 http://www.slideshare.net/safetyforfishermen/schedule-11-57610431
Annex VII http://www.slideshare.net/safetyforfishermen/annex-vii-57610416
Annex VIII http://www.slideshare.net/safetyforfishermen/annex-viii-57610410
Annex IX http://www.slideshare.net/safetyforfishermen/annex-ix-57610400
Annex X http://www.slideshare.net/safetyforfishermen/annex-x-57610393
Annex XI http://www.slideshare.net/safetyforfishermen/annex-xi-57610383
Web spoofing allows an attacker to create a fake version of the World Wide Web to trick victims. The attacker lures victims to their fake site, which looks identical to the real site. On the fake site, the attacker can observe any sensitive information entered by the victim. Current browsers are vulnerable to web spoofing attacks even on secure connections. Users should disable JavaScript, always check the URL bar, and be wary of any requests for sensitive information over email.
Targeting Your Users (Identifying Library Stakeholders)LIBER Europe
This presentation by Urban Rybrink, Head of Communications at the National Library of Sweden was delivered as part of a workshop at LIBER's 2013 conference. The workshop was: "The Interactive Library: Communicating Effectively With Your Stakeholders". Learn more about the National Library of Sweden at www.kb.se/english and about LIBER at www.libereurope.eu
This document provides an overview of Windows 8 forensics and anti-forensics techniques. It discusses new features in Windows 8 like pagefile and swapfile functions, Windows 8 to Go, Bitlocker updates, cloud integration, thumbnail caching, and PC refresh. It also covers Internet Explorer 10 changes and analyzes the pagefile, swapfile, thumbcache, file history artifacts, and new registry hives introduced in Windows 8. Anti-forensics techniques like encryption, time tampering, disk wiping, and disk destruction are also briefly mentioned. The document promotes an upcoming security conference and provides contact information for the author.
G3 Intelligence, through the cyber intelligence reports, provide unique insights and competitive advantages needed to development of complex business environment.
Network sniffers & injection tools
Network Threats Attack
Specific Attack Types
Network Sniffer
How does a Sniffer Work?
How can I detect a packet sniffer?
Packet Sniffer Mitigation
Injection Tools
Encryption, steganography, data hiding, artifact wiping, and trail obfuscation are anti-forensic techniques used to hide digital evidence and make forensic investigations difficult. These techniques aim to conceal criminal activity by hiding data in places that are hard to find and modify file metadata and attributes to cast doubt on evidence. While some argue these methods help improve forensic procedures, they are generally considered malicious since they are designed to cover up illegal acts and prevent authorities from proving criminal cases.
IP spoofing involves inserting false source IP addresses to disguise an attacker's identity. It can enable attacks like session hijacking and denial of service. The document outlines how IP spoofing works, examples like the Mitnick attack, and defenses like filtering and encryption/authentication. TCP and IP are the core protocols that enable spoofing if source addresses are not properly validated.
Data Protection (Download for slideshow)Andrew Sharpe
This document provides a summary of UK data protection laws and principles. It discusses key definitions like personal data, sensitive personal data, and data controllers. The 8 data protection principles are outlined, including requirements for fair and lawful processing, specified purposes, accuracy, retention, security, and international transfers. New enforcement powers for the UK Information Commissioner are described, such as monetary penalties and mandatory breach notification. Future developments around issues like breach notification and data sharing are also mentioned.
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
This article is all about "STUXNET", the first weapon built entirely out of code.
It gives a brief insight of what is it all about. A new world of computer programming where you can make deadly weapons with codes. Read the complete article to know more about it.
For my presentation on this article visit : http://www.slideshare.net/hardeep4u/stuxnet-more-then-a-virus
Cybersecurity concepts & Defense best practisesWAJAHAT IQBAL
This presentation is an attempt to present the complex Subject of Cybersecurity in a concise format with main focus to present the core of Cybersecurity and best practises and standards to protect an enterprise Network.Comments of readers welcomed.Thank You (Wajahat Iqbal)
Email: Wajahat_Iqbal@yahoo.com
The Hacker Secret #2: The Dynamite of Next Generation (Y) Attack focus on client-side exploitation with Software bugs, latest windows vulnerabilities, etc...
The document provides a detailed technical analysis of the Duqu 2.0 malware. It describes how the malware initially infects systems through spear-phishing emails containing exploits. It then uses lateral movement techniques like pass-the-hash and Windows Installer packages to spread within networks. The packages contain encrypted payloads that load additional modules when decrypted to perform functions like information harvesting. Analysis found the malware targeting systems related to nuclear negotiations with Iran and the liberation of Auschwitz.
Stuxnet is a complex malware that targeted industrial control systems in Iran. It used four zero-day exploits and spread through removable drives and local networks to find computers with Siemens Step 7 software to modify PLC code and sabotage industrial systems while avoiding detection. The malware infected over 100,000 hosts worldwide but about 60% were in Iran, its main target. It conducted five attack waves against Iranian organizations from 2009 to 2010.
This document summarizes a presentation on targeted trojan attacks and the related malware infrastructure. It describes how trojans are delivered through social engineering techniques, often using current events or topics of interest. Once installed, the malware establishes command and control channels using domain name parking and multiple control servers to evade detection. The attacks appear focused on intellectual property theft and espionage, especially targeting Japanese, Canadian and US government organizations.
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
This post contains detailed Mindmap related to Complex subject of Cyber security and address critical components summarized as below:
- Cyber Security standards
- SOC (Security Operation Center)
- Cybersecurity Lifecycle
- Hacker Kill Chain
- Malware (Types,Protection Mechanism)
- Cyber Architecture
- CSC (Critical Security Standards)
- Incident Management
- Network Perimeter best security practices
- Final Case Study
I hope the Technical post is appreciated and liked by Security Consultants and Subject Matter experts on Cybersecurity.Your criticals Inputs are appreciated.Thank you
- Wajahat Iqbal
(Wajahat_Iqbal@Yahoo.com)
Trends in network security feinstein - informatica64Chema Alonso
The document summarizes trends in network security seen in 2009, including increases in vulnerabilities in document readers/editors like PDFs that were exploited by "spear phishing" attacks. Malware became more sophisticated with user-friendly banking trojans and rootkits distributed on legitimate websites. The "Aurora" attacks targeted Google and other companies in 2009 using zero-day exploits. The takedown of the Mariposa botnet in late 2009 arrested three individuals operating a commercial botnet kit.
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
Linux Operating System is being reverenced by many professionals because of its versatile nature. As many network security professionals ,particularly those of ethical hackers use linux in an extensive way, did we ever observe how and why the number of hackers were enhancing day to day. Not only professionals ,every one are unleashing their hacking potentials with the help of Backtrack5R3 operating system which is a comprehensive tool kit for security auditing. This paper emphasizes on the so called SET (Social Engineering Toolkit).In a pen-testing scenario, alongside uncovering vulnerabilities in the hardware and software systems and exploiting them ,the most effective of all is penetrating the human mind to extract the desire information. Such devious technics are known as social engineering ,and computer based software tools to facilitate this form the basis of Social Engineering Toolkit
Stuxnet was a sophisticated cyber attack targeting Iran's nuclear facilities that changed perceptions of threats to critical infrastructure systems like SCADA. It exploited vulnerabilities in both Windows and Siemens control software to sabotage centrifuges without detection for nearly a year. This highlighted that SCADA/ICS are vulnerable targets due to their use of outdated protocols and legacy systems not originally designed with security in mind. Common security issues with SCADA include lack of access controls, unpatched systems, integration with corporate networks, and human/contractor oversight. Best practices like the NERC standards and updates to protocols like DNP3 can help mitigate risks if properly implemented throughout the SCADA lifecycle.
Stuxnet is the most complex computer worm ever discovered. It targets industrial control systems and has been infecting systems since 2008. Stuxnet spreads through vulnerabilities in Windows and infects Siemens Step 7 software to sabotage operations at places like nuclear power plants. The worm is very sophisticated with multiple zero-day exploits, driver-level rootkits, and peer-to-peer updates. While its origins remain unknown, it is speculated that the worm was created by a nation state to sabotage Iran's nuclear program through infecting their uranium enrichment centrifuges.
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
The document analyzes vulnerabilities in industrial control systems (ICS) from 2005 to 2012. Some key findings include:
1. The number of detected vulnerabilities has increased 20-fold since 2010, with more found in the first 10 months of 2012 than in all previous years combined.
2. Most common vulnerabilities allow remote code execution and authentication/authorization bypass. Approximately 65% are considered high or critical severity.
3. While most vendors fix the majority of issues, some vulnerabilities remain unpatched for over 30 days. Over 40% of internet-accessible ICS systems have known vulnerabilities.
This document discusses using data visualization techniques to analyze network security data and detect cyber attacks. It provides examples of visualizing network traffic data from tcpdump files using Perl scripts and Grace to plot graphs. Specific examples include visualizing a port scan, vulnerability scanner, and wargame traffic to identify anomalous patterns compared to normal traffic baselines. Tools mentioned include tcpdump, Ethereal, EtherApe, and research on visualizing intrusion detection systems, routing anomalies, and worm propagation.
OrdersFishing Division Order FormCustomer NameFreight Customer Ty.docxaman341480
The document appears to be an order form template for a fishing division. It includes fields for customer information, ship to state, item numbers and descriptions, quantities, pricing, discounts, shipping costs, and a table of state abbreviations and regions. There are also references to item price schedules, soft bait packaging pricing, and shipping cost tables for regular and preferred customers based on region.
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
The document summarizes a Congressional Research Service report on the Stuxnet computer worm. It discusses how Stuxnet targeted Iranian nuclear facilities by infecting industrial control systems. It affected systems in several countries and demonstrated that cyber attacks could disrupt critical infrastructure. The report examines questions for Congress about national security, an international treaty on malicious software, and protecting critical infrastructure from cyber threats.
Ot ics cyberattaques dans les organisations industrielles Cisco Canada
Sylvain Denoncourt GSEC, CISSP presented on cyber attacks targeting industrial organizations at Cisco Connect Montreal in November 2017. He discussed how IT and OT networks are converging due to technology evolution and cost pressures, but have different cultures, skills, and objectives. OT networks prioritize resilience while IT focuses on meeting user expectations cost-effectively. Denoncourt reviewed major industrial cyber attacks from Stuxnet in 2010 to the 2015 Ukraine power grid hack. He emphasized that adversaries now have advanced capabilities and extensive knowledge of control systems. Industrial networks are increasingly vulnerable targets. Strong security architectures with network segmentation, access controls, threat detection, and device integrity are needed to protect against sophisticated threats targeting critical infrastructure.
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
The talk will show you the techical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitor's production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed.
Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.
Similar to (120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet) (20)
This document discusses the $UsnJrnl journal file in NTFS file systems and its use for digital forensics investigations. The $UsnJrnl file records changes made to files and directories on the system. Tools are discussed for extracting and parsing the $UsnJrnl records to analyze file system activity and trace deleted files. The document also introduces NTFS Log Tracker v1.4, a tool that can carve $UsnJrnl records from unallocated space and perform keyword searches across recovered records.
This document discusses digital forensics analysis of call history and SMS data on Apple devices running OS X Yosemite. It provides information on the file paths and database formats used to store call history and SMS data, as well as the attributes that can be analyzed, such as sending/receiving dates, durations, and contact details. It also mentions that call history data may be encrypted and requires decryption to view contact details.
(140716) #fitalk digital evidence from android-based smartwatchINSIGHT FORENSIC
This document discusses extracting digital evidence from an Android-based Samsung Galaxy Gear smartwatch. It describes accessing the smartwatch by rooting it and then imaging the internal memory to extract potential digital evidence files. Four specific files are identified that could provide useful evidence, including Bluetooth pairing information, SMS/email sync data, find my device activity logs, and local weather information tied to location. The conclusion speculates that future work will focus on extracting evidence from newer Galaxy Gear models.
This document discusses SQLite record recovery from deleted areas of an SQLite database file. It begins with an introduction to SQLite and why it is useful for forensic analysis. It then covers the structure of SQLite database files including header pages, table B-trees, index B-trees, overflow pages, and free pages. The document simulates traversing and parsing the cells within a table B-tree to understand how records are stored and indexed. It aims to help analysts understand SQLite file structure to enable recovery of deleted records through analysis of unused areas.
This document discusses techniques for obfuscating URLs to hide malicious intent. It begins with an overview of URL shortening services that can be used to hide the destination of a link. Various methods for obfuscating URLs are then described, including encoding IP addresses in octal format, URL encoding, and tricks involving the URI structure. The document provides a challenge for safely deconstructing an obfuscated URL step-by-step either manually or automatically. It concludes with an explanation of how the challenge URL was obfuscated using chaining of different techniques.
The document discusses China's strategy of internet censorship and control. It mentions China's large number of internet users and rapid growth of mobile internet users. It then discusses China's strategy of "human-wave" attacks to overwhelm websites with traffic to enact censorship. Next, it discusses China's extensive censorship system called the "Great Firewall" and how it uses techniques like IP blocking and DNS filtering to control internet access and content. Finally, it briefly mentions the black market for DDoS attacks and real-money trading that has emerged from China's controls.
The document discusses several advanced persistent threats (APTs) that have targeted systems in Korea and other countries, including the LuckyCat, Heartbeat, and Flashback malware campaigns. It provides details on the attacks, malware components, command and control infrastructure, and technical analysis of the threats. The document aims to help the digital forensics community in Korea understand these sophisticated cyber espionage activities and improve defenses against similar attacks.
(130105) #fitalk trends in d forensics (dec, 2012)INSIGHT FORENSIC
This document summarizes trends in digital forensics from South Korea in December 2012. It discusses extracting malware from NTFS extended attributes, analyzing prefetch files, and trends for 2013 including growing mobile malware. It also summarizes testing of Windows 8 involving installing applications, connecting web accounts, and imaging a test laptop to analyze forensic artifacts.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Generative AI Deep Dive: Advancing from Proof of Concept to Production
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
1. FORENSICINSIGHT SEMINAR
The Era of Cyber Espionage & Cyber Warfare
(Case Study: Stuxnet)
2012.7 Forensic Insight
Kevin Koo
(kevinkoo001@gmail.com)
2. forensicinsight.org Page 2 / 44
개요
The Era of Cyber Espionage and Warfare
[TED] Cracking Stuxnet, a 21st-century cyber weapon
Demystifying Stuxnet
Overview
Brief Statistics
Architecture
Analysis in details
[TED] Fighting viruses, defending the net
Conclusion
3. forensicinsight.org Page 3 / 44
The Era of Cyber Espionage and Warfare
Voice of concerns
Forbes: The Flame Cyber Espionage Attack: Five Questions We Should Ask
http://www.forbes.com/sites/johnvillasenor/2012/06/04/the-flame-cyber-espionage-
attack-five-questions-we-should-ask/
What is the true scope of cyberattacks going on today?
Will infection with some form of malware soon become the rule rather
than the exception?
In the future, will nations outsource domestic espionage?
Is forging digital certificates fair game for nation states?
Is Flame one more reason to increase cybersecurity spending?
4. forensicinsight.org Page 4 / 44
[TED] Cracking Stuxnet, a 21st-century cyber weapon
Ralph Langner’s Speech: Cracking Stuxnet
German control system security consultant
http://www.langner.com/en/
http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/
[2011.3] http://www.youtube.com/watch?v=CS01Hmjv1pQ (10m 40s)
6. forensicinsight.org Page 6 / 44
Demystifying Stuxnet
Overview: APT Attack
Highly Advanced Persistent Threat (지능형 지속가능 위협)
Large and complex chunk
Who did it? Or Who could do this?
Iran 핵발전소 겨냥하여 원심분리기 중단
목표 시스템은 독일의 지멘스(siemens) 사의 원심분리기
Five zero-day vulnerabilities and one known for Windows OS
Target이 없으면 동작하지 않도록 설계
최소 10개 이상의 팀이 수 개월~수 년간 치밀하게 준비 필요
자금확보는?
http://en.wikipedia.org/wiki/Stuxnet
Malware 종합세트(?)
Hooking, Injection, Rootkit, 0-day, Virus&Worm, C&C, Application Hacking, …
7. forensicinsight.org Page 7 / 44
Demystifying Stuxnet
Overview: WHO DID IT?
It turns out that the attack was led by the US, code-named “Olympic Games”
(2012.6.1) http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-
wave-of-cyberattacks-against-iran.html
Imagine what happened if:
Power grid were crashed
Air control system was compromised
National intelligence was taken over
Military weapon was manipulated: nuclear weapons, intercontinental missiles
8. forensicinsight.org Page 8 / 44
Demystifying Stuxnet
Overview: Relative Resources (1)
국제 원자력 기구(IAEA, International Atomic Energy Agency)
Implementation of the NPT Safeguards Agreement and relevant provisions of Security Council resolutions in
the Islamic Republic of Iran (2/9/2011)
지멘스사의 제어 시스템 (Siemens control solutions for utilities)
http://www.buildingtechnologies.siemens.com/bt/global/en/market-specific-solutions/utilities/control-
room/Pages/control-room.aspx
9. forensicinsight.org Page 9 / 44
Demystifying Stuxnet
Overview: Relative Resources (2)
Princeton 대학논문(2008.6)
Characteristics of the Gas Centrifuge for Uranium Enrichment and Their Relevance for Nuclear
Weapon Proliferation (우라늄 농축 가스 원심분리 특성과 핵무기 증설 관련성)
http://www.princeton.edu/sgs/publications/sgs/archive/16-1-Glaser.pdf
Cascade Interconnection with Partial Reconfiguration 부분 참조
Mosaic theory: 보안 분석에서 기업 정보를 수집하는 방식
http://securityaffairs.co/wordpress/566/cyber-crime/from-the-mosaic-theory-to-the-stuxnet-case.html
10. forensicinsight.org Page 10 / 44
Demystifying Stuxnet
Overview: Analysis
Target: a specific industrial control system (특정 산업 통제 시스템)
분석 보고서
[ESET]
http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
[Symantec]
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Three Main Steps
(1) Windows Infection using zero-day vulnerabilities:
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067)
Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (MS10-046)
Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (MS10-061)
Microsoft Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073)
Microsoft Windows Task Scheduler Escalation of Privilege vulnerability (MS10-092)
(2) Step7 Software Infection: Siemens' WinCC/PCS 7 SCADA control software
(3) PLC(Programmable Logical Computer) infection
13. forensicinsight.org Page 13 / 44
Demystifying Stuxnet
Architecture
Overview
Exports & Resources
Techniques to use
14. forensicinsight.org Page 14 / 44
Demystifying Stuxnet
Architecture - Overview
* Stuxnet = a wrapper
stored in a stub section
Consists of
: large .dll file
: two encrypted configuration file
(1) A pointer to the original stub section is passed to exports as a parameter
(2) How to call exports in the main .dll file
Loading the .dll file into memory and calling an export directly
Reading an executable template from its own resources,
populate the template with appropriate data
16. forensicinsight.org Page 16 / 44
Demystifying Stuxnet
Architecture - Techniques to use: Hooking
* Bypassing behavior blocking when loading DLLs
Hooking ntdll.dll to monitor requests to load specially crafted file names
: KERNEL32.DLL.ASLR.[HEXADECIMAL] or SHELL32.DLL.ASLR.[HEXADECIMAL]
Hooked functions
17. forensicinsight.org Page 17 / 44
Demystifying Stuxnet
Architecture - Techniques to use: Process Injection
* Keep injected code in the trusted process
* Instruct the trusted process to inject the code into another currently running process
<Running trusted process>
<Registry>
<Potential Target Process>
Ref. Symantec W32.Stuxnet Dossier p.14
18. forensicinsight.org Page 18 / 44
Demystifying Stuxnet
Analysis in details
Installation: Preparation, Injection
Functionalities: Load point, C&C, Rootkit, Propagation
Techniques to use
19. forensicinsight.org Page 19 / 44
Demystifying Stuxnet
Analysis in details - Installation: Preparation
1) Windows Win32k.sys Local
Privilege Escalation
vulnerability (MS10-073)
2) Task Scheduler Escalation of
Privilege vulnerability (MS10-092)
1) http://technet.microsoft.com/en-us/security/bulletin/MS10-073
2) http://technet.microsoft.com/en-us/security/bulletin/MS10-092
Two privilege escalation (or Elevation of Privilege) vulnerabilities:
20. forensicinsight.org Page 20 / 44
Demystifying Stuxnet
Analysis in details - Installation: Infection routine flow (Export 16)
1) HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionMS-DOS Emulation
2) %SystemDrive%infmdmeric3.PNF, %SystemDrive%infmdmcpq3.PNF, %SystemDrive%infoem6C.PNF
3) %SystemDrive%driversMrxnet.sys, %SystemDrive%driversMrxcls.sys
4) Infecting newly connected removable drives and for starting the RPC server
5) Hooking APIs for Step 7 project file infections
1)
2) 3)
4)
5)
21. forensicinsight.org Page 21 / 44
Demystifying Stuxnet
Analysis in details - Functionality: Load Point
Drops Resource 242 MrxCls.sys via Export 16
The mrxcls.sys is a driver digitally signed with a compromised Realtek certificate.
(suddenly revoked on July 16, 2010 by Verisign)
File checksums
Purpose of the rootkit drivers
mrxnet.sys to hide the presence of the worm on removable drives
mrxcls.sys to inject the worm into “services.exe” and two processes specific to Siemens software
(Step7/S7 and WinCC)
The driver contains an encrypted data block.
services.exe — %Windir%infoem7A.PNF
S7tgtopx.exe — %Windir%infoem7A.PNF
CCProjectMgr.exe — %Windir%infoem7A.PNF
explorer.exe — %Windir%infoem7m.PNF
22. forensicinsight.org Page 22 / 44
Demystifying Stuxnet
Analysis in details - Functionality: Command and Control
System data is gathered via Export 28, and Export 29 send payload to a target server.
www[.]mypremierfutbol[.]com (Malaysia)
www[.]todaysfutbol[.]com (Denmark)
The flags at offset 11h have the 4th bit set if at least one of the two registry values is found:
HKEY_LOCAL_MACHINESoftwareSiemensStep7, value: STEP7_Version
HKEY_LOCAL_MACHINESoftwareSiemensWinCCSetup, value: Version
23. forensicinsight.org Page 23 / 44
Demystifying Stuxnet
Analysis in details - Functionality: Windows Rootkit
The ability to hide copies of its files copied to removable drives
Registered as a boot start service
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMRxCls”ImagePath” =
“%System%driversmrxcls.sys”
Digitally signed driver file with a legitimate digital certificate
Scans the filesystem driver objects:
The driver monitors “directory control” IRPs, in particular “directory query” notifications.
Two types of files filtered out
Files with a “.LNK” extension having a size of 4,171 bytes.
Files named “~WTR[FOUR NUMBERS].TMP”, whose size is between 4Kb and 8Mb;
the sum of the four numbers modulo 10 is null.
24. forensicinsight.org Page 24 / 44
Demystifying Stuxnet
Several questions about digital signatures (from SecureView Mags)
Digitally signed driver file with legitimate Realtek and JMicron digital certificates
* How did the attackers manage to obtain the private keys required to sign them?
* Were Realtek and JMicron involved in the operation and willingly sign the files?
* Since both companies have development offices in China, are the Chinese involved?
25. forensicinsight.org Page 25 / 44
Demystifying Stuxnet
Analysis in details - Functionality: Propagation Methods
Peer-to-Peer communication
Infecting WinCC computers
Through network shares
Removable drives
26. forensicinsight.org Page 26 / 44
Demystifying Stuxnet
Analysis in details - Functionality: Propagation Methods (P2P)
RPC Server offers the following routines.
0: Returns the version number of Stuxnet installed
1: Receive an .exe file and execute it (through injection)
2: Load module and executed export
3: Inject code into lsass.exe and run it
4: Builds the latest version of Stuxnet and sends to compromised computer
5: Create process
6: Read file
7: Drop file
8: Delete file
9: Write data records
27. forensicinsight.org Page 27 / 44
Demystifying Stuxnet
Analysis in details - Functionality: Propagation Methods
(Infecting WinCC computers)
Connects to a remote server running the WinCC database using a password
hardcoded within the WinCC software
Two actions when found:
sends malicious SQL code
modifies an existing view
Sends an SQL statement that creates a table and inserts a binary value into the table
28. forensicinsight.org Page 28 / 44
Demystifying Stuxnet
Analysis in details - Functionality: Propagation Methods
(Through network shares)
Through either a scheduled job or using Windows Management Instrumentation (WMI)
Enumerate all user accounts of the computer and the domain, and try all available
network resources either using the user’s credential token or using WMI operations
with the explorer.exe token in order to copy itself and execute on the remote share.
30. forensicinsight.org Page 30 / 44
Demystifying Stuxnet
Analysis in details - Functionality: Others (Removable drive)
Trick to enhance the chances to be executed
Real one: %Windir%System32shell32.dll,-8496
31. forensicinsight.org Page 31 / 44
Demystifying Stuxnet
Analysis in details - Step 7 Project File Infections
Export 16 (Installation) calls Export 2 to hook specific APIs in the s7tgtopx.exe
CreateFileA_hook to open S7P files for recording and infecting project folder
*.S7P files %Windir%infoem6c.pnf
*.MCP files oem6c.pnf
*.TMP files
32. forensicinsight.org Page 32 / 44
Demystifying Stuxnet
Analysis in details - Step 7 Project File Infections: S7P files
Step 7 Project file
A candidate for infection if:
Infection process consists of next steps:
33. forensicinsight.org Page 33 / 44
Demystifying Stuxnet
Analysis in details - Step 7 Project File Infections: MCP files
Created by WinCC
A candidate for infection if:
Infection process consists of next steps:
WinCC DB is also infected during this infection process
34. forensicinsight.org Page 34 / 44
Demystifying Stuxnet
Analysis in details - Step 7 Project File Infections: TMP files
Validated filename: ~WRabcde.tmp where (a+b+c+d+e) mod 16 = 0
Magic string (1st 8Bytes): LRW~LRW~
Export #9 takes a Step7 Project path as input, then build paths:
Export #31 takes a Step7 Project path as input, then build paths:
35. forensicinsight.org Page 35 / 44
Demystifying Stuxnet
Analysis in details - Modifying PLCs (Terms)
DB (Data Blocks):
program specific data
Ex) numbers, structures
SDB (System Data Blocks):
configuration info.
OB (Organization Blocks):
entry point of programs
OB1: main EP of the PLC
OB35: standard watchdog
FB (Function Blocks):
standard code blocks
36. forensicinsight.org Page 36 / 44
Demystifying Stuxnet
Analysis in details - Modifying PLCs (Infection)
Resource 208 is dropped by export #17
Replacement for Simatic’s s7otbxdx.dll file.
93 out of 109 exports 16 out of 109 exports
37. forensicinsight.org Page 37 / 44
Demystifying Stuxnet
Analysis in details - Modifying PLCs (Sequence Blocks)
Sequence A,B then C
Initial Infection
The infection threat, sequences A and B
Summary (key steps)
SDB Check
DP_RECV replacement
OB1/OB35 infection
38. forensicinsight.org Page 38 / 44
Demystifying Stuxnet
Analysis in details - Modifying PLCs (Sequence Blocks)
Connections Between Blocks, Sequences A and B (targeting S7-315)
Green: Stuxnet data blocks
Red: main blocks
White: standard Stuxnet blocks
Grey: system function blocks
InfectedOB1
InfectedOB35
39. forensicinsight.org Page 39 / 44
Demystifying Stuxnet
Analysis in details - Modifying PLCs (Sequence Blocks)
State machine path of execution
40. forensicinsight.org Page 40 / 44
Demystifying Stuxnet
Analysis in details - Modifying PLCs (Sequence Blocks)
Connections Between Blocks, Sequences C (targeting S7-417 PLCs)
41. forensicinsight.org Page 41 / 44
Demystifying Stuxnet
Analysis in details - Modifying PLCs (Sequence Blocks)
Eight states in sequence C
State 0: Wait
State 1: Recording
State 2-6: Sabotage
State 7: Reset
Never happened due to the
missing function in the DLL
164
total
110
affected
42. forensicinsight.org Page 42 / 44
[TED] Fighting viruses, defending the net
Mikko Hypponen’s Speech: Fighting viruses, defending the net
F-Secure CRO(Chief Research Officer)
http://mikko.hypponen.com/
[2011.7] http://www.youtube.com/watch?v=cf3zxHuSM2Y (17m 34s)
https://www.clarifiednetworks.com/Videos
43. forensicinsight.org Page 43 / 44
Conclusion
Lessons Learned
Cyber warfare has begun.
Stuxnet was a huge threat and very complicated, targeted and sophisticated.
It has started national support to attack against targeted enemy.
It is like a mission-impossible game.
Now is the time to foster cyber warriors with cyber weapons.
APT is evolving : Duqu (2011.10), Flame (2012.6)