This document discusses modern document exploit techniques used in targeted attacks. It begins with background on advanced persistent threats (APTs) and the common use of document exploits in targeted attacks. Recent attacks are described that use hybrid document exploits embedding Flash exploits in Office files. The document outlines future techniques attackers may use, including advanced fuzzing focused on ActionScript Virtual Machine (AVM) instructions, improved just-in-time (JIT) spraying to bypass exploit mitigation technologies, exploiting Flash sandbox policies to leak information, and defeating behavior-based protections by leveraging Windows Management Instrumentation (WMI) and COM objects.
The (Memory) Safety Dance - SAS 2017 keynoteMarkDowd13
This presentation discusses defensive mitigations that have been introduced over the last several years and their effectiveness, and what it means for offensive research.
The (Memory) Safety Dance - SAS 2017 keynoteMarkDowd13
This presentation discusses defensive mitigations that have been introduced over the last several years and their effectiveness, and what it means for offensive research.
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
OWASP DC - November 2015 Talk
Abstract:
This presentation will start with an overview of CERT’s view of the tools, technologies and processes for building secure software from requirements to operational deployment, including architecture, design, coding and testing. After providing the context for building secure software, the discussion will focus on the current state of the CERT Coding Standards: what is available, how the rules evolve and how the rules are put into practice.
Bio:
Dr. Mark Sherman is the Technical Director of the Cyber Security Foundations group at CERT within CMU’s Software Engineering Institute. His team focuses on foundational research on the life cycle for building secure software and on data-driven analysis of cyber security. Before coming to CERT, Dr. Sherman was at IBM and various startups, working on a mobile systems, integrated hardware-software appliances, transaction processing, languages and compilers, virtualization, network protocols and databases. He has published over 50 papers on various topics in computer science.
National software testing conference 2016 fergal hynesFergal Hynes
Solid test automation framework architecture is a key aspect in delivering successful test execution. Organisations must invest time in developing appropriate automation frameworks if they expect robust test execution. Once the framework architecture is right, there are a number of reasons why deploying the framework on the cloud may be appropriate. This presentation
will outline real world experiences of deploying and using enterprise level functional and non-functional test execution frameworks on the cloud and covers the main business, technical and cultural advantages and disadvantages.
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
OWASP DC - November 2015 Talk
Abstract:
This presentation will start with an overview of CERT’s view of the tools, technologies and processes for building secure software from requirements to operational deployment, including architecture, design, coding and testing. After providing the context for building secure software, the discussion will focus on the current state of the CERT Coding Standards: what is available, how the rules evolve and how the rules are put into practice.
Bio:
Dr. Mark Sherman is the Technical Director of the Cyber Security Foundations group at CERT within CMU’s Software Engineering Institute. His team focuses on foundational research on the life cycle for building secure software and on data-driven analysis of cyber security. Before coming to CERT, Dr. Sherman was at IBM and various startups, working on a mobile systems, integrated hardware-software appliances, transaction processing, languages and compilers, virtualization, network protocols and databases. He has published over 50 papers on various topics in computer science.
National software testing conference 2016 fergal hynesFergal Hynes
Solid test automation framework architecture is a key aspect in delivering successful test execution. Organisations must invest time in developing appropriate automation frameworks if they expect robust test execution. Once the framework architecture is right, there are a number of reasons why deploying the framework on the cloud may be appropriate. This presentation
will outline real world experiences of deploying and using enterprise level functional and non-functional test execution frameworks on the cloud and covers the main business, technical and cultural advantages and disadvantages.
From Scrappy to Scale: Crafting Early-Stage Communities for Culture and GrowthEmily Castor
In this presentation given at True University, hosted by True Ventures, I draw from my experiences at Lyft's founding community manager to describe a framework for building a strong and scalable community culture at early stages of a company's growth.
Lyft in a New Era of Technology-Enabled Mobility: Implications for Policy and...Emily Castor
Over the last two and a half years, Lyft has achieved mass adoption extremely quickly, heralding a new era of consumer transportation behavior based on smartphones and “access over ownership.” Now, as Lyft begins to mature, it is reaching the density necessary to achieve real-time dynamic carpooling, with major implications for congestion reduction and environmental benefit.
This presentation provides insight into the development of this new industry, how it will impact mobility and consumer behavior, and the implications for transportation planners and policymakers as Lyft continues to evolve.
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESIJNSA Journal
The purpose of this paper is to present a comprehensive budget conscious security plan for smaller enterprises that lacksecurity guidelines.The authors believethis paper will assist users to write an individualized security plan. In addition to providing the top ten free or affordable tools get some sort of semblance of security implemented, the paper also provides best practices on the topics of Authentication, Authorization, Auditing, Firewall, Intrusion Detection & Monitoring, and Prevention. The methods employed have been implemented at Company XYZ referenced throughout.
Chapter 5Overview of SecurityTechnologiesWe can’t hWilheminaRossi174
Chapter 5
Overview of Security
Technologies
“We can’t help everyone, but everyone can help someone.” —Ronald Reagan
This chapter discusses the use of technologies that have evolved to support and enhance
network security. Many of these technologies are used today without the user under-
standing when or where they operate. After reading this chapter, you will understand the
benefits of these technologies, where they operate, and some of the operational risks
associated with them. By the end of this chapter, you should know and be able to explain
the following:
■ How you can employ packet filtering to reduce threats to a network
■ Understand precisely what stateful packet inspection is, and why its important for
firewalls to use this technique
■ The role and placement of a proxy technology within a secure network
■ Network Address Translation (NAT) and how you can use it to allow the Internet to
continue to grow in IPv4
■ How Public Key Infrastructure (PKI) has the potential to protect the flow of informa-
tion in a global manner
Answering these key questions and understand the concepts behind them will enable you
to understand the overall characteristics and importance of the security technologies cov-
ered in this chapter. By the time you finish this book, you will have a solid appreciation for
network security, its issues, how it works, and why it is important.
So far, this book has painted in broad strokes the steps an attacker could possibly take to
gain access to sensitive resources. The first step in protecting these assets is the global
security policy created by combining the many aspects discussed in Chapter 2, “Security
Policies.” This chapter introduces some of the more broadly used security technologies.
Each of these technologies contains a concept or specific role that increases the security
of your network when designed and implemented in a layered design.
128 Network Security First-Step
Security First Design Concepts
Network security can be a hydra (many-headed beast) with regard to potential attacks and
threats against the network. The resources and opinions on this subject are incredible, and
opinions vary greatly depending on whom you ask. For example, in 2004 when I wrote the
first edition of this book, a simple Google search on “designing a secure network”
returned almost half a million results. In 2012, that same search string returns more than
five and a quarter million hits. It is no wonder that conflicting security concepts bombard
people, causing a great deal of confusion. To be honest, if you were to look up network
security books, any bookstore also reveals almost as many!
The point is that experts in each area of network design have written so much on design-
ing secure network architecture that to try to do the subject justice here is beyond the
scope of this book. Books and websites deal with every aspect of network security, server
security, application security, and so forth. We endeavor to prov ...
Sec 572 Effective Communication - tutorialrank.comBartholomew99
For more course tutorials visit
www.tutorialrank.com
SEC 572 Week 1 iLab Denial of Service Attacks
In this lab, you will discover and analyze one of two different real network attacks. This will give you insight into the motivation, vulnerabilities, threats, and countermeasures associated with your selected network attack.
There are two categories of network attacks you will be concerned with this week. The first is a network denial of service (DoS) attack, and the second is a targeted attack on a networ
Attack Simulation And Threat Modeling -Olu AkindeindeBipin Upadhyay
Released by Olu Akindeinde under GNU Free Documentation license: http://old.nabble.com/Attack-Simulation-and-Threat-Modeling-book-to27540377.html#a27540377
Intro:
Attack Simulation and Threat Modeling is a book that explores the abundant resources available in advanced security data collection, classification, processing and mining. It attempts to give insight into a number of alternative methods of security and attack analytics that leverage methodologies adopted from various other disciplines in extracting valuable data to support security research work and chart a course for enterprise security decision making.
Synopsis
Threat Vectors and Attack Signatures
Attack Virtualization and Behavioural analysis
Security Event Correlation and Pattern Recognition
Exploratory Security Analytics and Threat Hypothesis
Machine Learning Algorithms
It is released under the GNU FDL v1.3 License.
SEC 572 Week 1 iLab Denial of Service Attacks
In this lab, you will discover and analyze one of two different real network attacks. This will give you insight into the motivation, vulnerabilities, threats, and countermeasures associated with your selected network attack.
There are two categories of network attacks you will be concerned with this week. The first is a network denial of service (DoS) attack, and the second is a targeted attack on a network device connected to the network. You will also discover the distributed denial of service (DDoS) attack and you may use that one as well. The key difference between a DoS and a DDoS attack is that the DDoS attack is launched towards the target from numerous source locations. A botnet attack is an example of a DDoS attack.
Your goal is to select a specific instance of one type of attack and provide a managerial-style awareness document. Assume that you are delivering your analysis to business or government managers who have a general understanding of network communications.
For more classes visit
www.snaptutorial.com
SEC 572 Week 1 iLab Denial of Service Attacks
In this lab, you will discover and analyze one of two different real network attacks. This will give you insight into the motivation, vulnerabilities, threats, and countermeasures associated with your selected network attack.
Running Head MALWARE1MALWARE2MalwareName.docxcowinhelen
Running Head: MALWARE 1
MALWARE 2
Malware
Name
Institution
Course
Date
Malware Attacks
Potential Malicious Attracts Against the Network Organization
In the world of technology, everything can just happen. Information can pass from one region to another with ease meaning that everything has been simplified. However, the information technology has also been affected by a few challenges that seem to recur from time to time. They include;
Trojan horse virus- Typically, a computer virus has been a challenge for most organizations, but the most common especially in such a company is the Trojan horse virus. The virus is not self-replicating like the majority of others, but it has terrible consequences if it affects the network server of an organization (Durairajan, Saravanan, & Chakkaravarthy, 2016). Apparently, the virus is used by hackers to get access to data from a specified user illegally. With the installation of the video game, other competitor servers can access such kind of data and reproduce a copy even before the initially programmed game gets into the market.
Effects of Trojan horse virus
The data within a user’s computer can be deleted or be modified by the hacker. With new businesses cropping out day in day out, the problem may affect the video game company. A hacker may eliminate valuable data from the program and install a fake one which will, in turn, nullify the whole project. The virus can also be used to steal valuable information from a company that is supposed to be classified.
Computer worms- The worst thing about computer worms is that they are self-replicating. Apparently, they utilize the space in the computer network and dispatch it there where they replicate. The copies of the worms are multiplied and therefore displace the data that was there. Additionally, computer worms don’t need to be attached to the case of Trojan horse virus, but they develop from the network of equipment bit by bit (Anwar, Bakhtiari, Zainal, Abdullah, & Qureshi, 2015). The video game is a program that is used by a lot of people, and there is a high possibility that some computer worms begin to develop slowly.
Impact of computer worms
One of the major troubles with the computer worms is that they replicate themselves on the host server and hence, eliminate valuable files. They apparently take the place of a file which will automatically cause a breakdown in the network system of a company. For instance, the video game has been programmed and is made of various files. If a computer worm takes the place of one of the critical files, it would be nearly impossible for the program to function normally.
Blended threat-The case happens when both the Trojan horse and the computer worms all attack at the same time. The attack by both can have very grave consequences as they require no human efforts. Apparently, the threat uses the internet vulnerabilities and the user to initiate and spread an attack within the system. Importantly, the attack is a ...
For more course tutorials visit
www.tutorialrank.com
SEC 572 Week 1 iLab Denial of Service Attacks
In this lab, you will discover and analyze one of two different real network attacks. This will give you insight into the motivation, vulnerabilities, threats, and countermeasures associated with your selected network attack.
For more classes visit
www.snaptutorial.com
SEC 572 Week 1 iLab Denial of Service Attacks
In this lab, you will discover and analyze one of two different real network attacks. This will give you insight into the motivation, vulnerabilities, threats, and countermeasures associated with your selected network attack.
There are two categories of network attacks you will be concerned with this week. The first is a network denial of service (DoS) attack, and the second is a
Complete network security protection for sme's within limited resourcesIJNSA Journal
The purpose of this paper is to present a comprehensive budget conscious security plan for smaller
enterprises that lacksecurity guidelines.The authors believethis paper will assist users to write an
individualized security plan. In addition to providing the top ten free or affordable tools get some sort of
semblance of security implemented, the paper also provides best practices on the topics of Authentication,
Authorization, Auditing, Firewall, Intrusion Detection & Monitoring, and Prevention. The methods
employed have been implemented at Company XYZ referenced throughout.
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...IJCNCJournal
Although there have been many solutions applied, the safety challenges related to the password security mechanism are not reduced. The reason for this is that while the means and tools to support password attacks are becoming more and more abundant, the number of transaction systems through the Internet is increasing, and new services systems appear. For example, IoT also uses password-based authentication.
In this context, consolidating password-based authentication mechanisms is critical, but monitoring measures for timely detection of attacks also play an important role in this battle. The password attack detection solutions being used need to be supplemented and improved to meet the new situation. In this
paper we propose a solution that automatically detects online password attacks in a way that is based solely on the network, using unsupervised learning techniques and protected application orientation. Our solution therefore minimizes dependence on the factors encountered by host-based or supervised learning solutions. The certainty of the solution comes from using the results of in-depth analysis of attack
characteristics to build the detection capacity of the mechanism. The solution was implemented experimentally on the real system and gave positive results.
Meltdown and Spectre Haunt the World’s Computers”In early Janua.docxroushhsiu
“Meltdown and Spectre Haunt the World’s Computers”
In early January 2018, computer users all over the world were shocked to learn that nearly every computer chip manufactured in the last 20 years contained fundamental security flaws that make it possible for attackers to obtain access to data that were thought to be completely protected. Security researchers had discovered the flaws in late 2017. The flaws arise from features built into the chips that help them run faster. The vulnerability enables a malicious program to gain access to data it should never be able to see.
There are two specific variations of these flaws, called Meltdown and Spectre. Meltdown was so named because it “melts” security boundaries normally enforced by hardware. By exploiting Meltdown, an attacker can use a program running on a computer to gain access to data from all over that machine that the program shouldn’t normally be able to see, including data belonging to other programs and data to which only administrators should have access. (A system administrator is responsible for the upkeep, configuration, and reliable operation of computer systems.) Meltdown only affects specific kinds of Intel chips produced since 1995.
Spectre is not manufacturer-specific and affects nearly all modern processors. It requires more intimate knowledge of the victim program’s inner workings. Spectre’s name comes from speculative execution, in which a chip is able to start work on predicted future operations in order to work faster. In this case, the system is tricked into incorrectly anticipating application behavior. The name also suggests that Spectre will be much more difficult to neutralize. Other attacks in the same family will no doubt be discovered, and Spectre will be haunting us for some time.
With both Meltdown and Spectre, an attacker can make a program reveal some of its own data that should have been kept secret. For example, Spectre could harness JavaScript code on a website to trick a web browser into revealing user and password information. Meltdown could be exploited to view data owned by other users and also virtual servers hosted on the same hardware, which is especially dangerous for cloud computing host computers. The most worrisome aspect of Meltdown and Spectre is that security vulnerabilities are not from flawed software but from the fundamental design of hardware platforms beneath the software.
There is no evidence that Spectre and Meltdown have been exploited, but this would be difficult to detect. Moreover, the security flaws are so fundamental and widespread that they could become catastrophic, especially for cloud computing services where many users share machines. According to researchers at global security software firm McAfee, these vulnerabilities are especially attractive to malicious actors because the attack surface is so unprecedented and the impacts of leaking highly sensitive data are so harmful. According to Forester, performance of laptops, des.
CIS502 discussion post responses.Respond to the colleagues posts.docxmccormicknadine86
CIS502 discussion post responses.
Respond to the colleagues posts regarding:
Access Control Models
If you were going to design an access system that would control people getting into your favorite or most valued items (e.g., financial records, health records, or other sensitive files), what things would you consider based on your readings from Chapter 14? Make sure you address all the possible avenues of attack that could be exploited. Remember, security measures are designed to slow and draw attention to attackers. No system can completely prevent a successful attack.
KF’s post states the following:Top of Form
Access Control Models
If you were going to design an access system that would control people getting into your favorite or most valued items (e.g., financial records, health records, or other sensitive files), what things would you consider based on your readings from Chapter 14? Make sure you address all the possible avenues of attack that could be exploited. Remember, security measures are designed to slow and draw attention to attackers. No system can completely prevent a successful attack.
First of all we need to decide what exactly our defense mechanism is going to protect. There are cloud defense mechanisms, network defense, and application defenses to name a few (I’m using all three for my MOST FAVORITE ITEM!). As many students have discussed the defense in depth approach is great. The layered security measures are an excellent way to acknowledge security within an enterprise environment. I would like to get more into that layered approach and the different layers of the “castle” if you will. Regarding access systems and the defense in depth approach, physical, technical, and administrative controls need to be implemented.
Physical DiD: Locked doors, security cameras to organizational assets, barriers to prevent collisions, proper lighting within areas that should be lighted.
Hacking Physical DiD: Locked doors <brute force: through wall> were breaking in so screw it! Security cameras can be accessed remotely prior to hacking the system or accessed within the LAN after jacking into the source. Barriers can be bypassed with the right mapping, and lighting, again, if connected on a server can be bypassed with jacking in and the proper scripting.
Technical DiD: As we all have learned AV software, IDS, IPS, SIEM’s, Logging and Monitoring would all be considered Technical DiD aspects.
Hacking DiD: AV software can be manipulated with Advanced Evasion Tactics (AET). IDS and IPS are useless once inside of the LAN, were jacked in hard already so were fine there. SIEM’s can be tricky, but the right script will erase all logs so we were technically never even there (locally or remotely).
Administrative DiD: Administrative DiD would consist of access controls for users, privilege settings,super userconfigurations, what programs can be executed/read/write/run. File access, server access, server access locations, file access locat ...
Similar to Bh us 11_tsai_pan_weapons_targeted_attack_wp (20)
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Leading Change strategies and insights for effective change management pdf 1.pdf
Bh us 11_tsai_pan_weapons_targeted_attack_wp
1. Weapons of
Targeted Attack
Modern Document Exploit Techniques
Ming-chieh Pan
Sung-ting Tsai
<naninb@gmail.com>
<ttsecurity@gmail.com>
Black Hat USA 2011
2. Abstract
The most common and effective way is using document exploit in the targeted attack. Due to
the political issue, we have had opportunities to observe APT (advanced persistent threat)
attacks in Taiwan since 2004. Therefore we have studied and researched malicious document
for a long period of time.
Recently, we found APT attacks (e.g. RSA) used the same technique as we disclosed last year,
e.g. embedding flash exploit in an excel document. In order to protect users against malicious
document and targeted attacks, we would like to discuss the past, present, and future of
document exploit from technical perspective, and predict possible techniques could be used in
a malicious document in the future by demonstrating "proof of concept" exploits.
The presentation will cover four major types of document attacks:
Advanced fuzzing techniques.
Techniques to against exploit mitigation technologies (DEP/ASLR).
Techniques to bypass sandbox and policy control.
Techniques to defeat behavior based protection, such as host IPS.
3. Contents
Abstract ........................................................................................................................................... 1
1.
Introduction ............................................................................................................................. 3
1.1.
1.2.
Targeted Attack and Document Exploit ........................................................................... 3
1.3.
Cat and Mouse Game ....................................................................................................... 3
1.4.
2.
Background....................................................................................................................... 3
Contents of the Paper ...................................................................................................... 3
Recent Document Exploit Attacks ........................................................................................... 4
2.1.
2.2.
Incomplete Protection ..................................................................................................... 5
2.3.
Advanced Memory Attack Techniques ............................................................................ 5
2.4.
Vendor Responses ............................................................................................................ 5
2.5.
3.
Hybrid Document Exploit ................................................................................................. 4
Our Finding in Real Attacks .............................................................................................. 5
Future Document Exploit Attacks ............................................................................................ 6
3.1.
3.2.
Techniques to Against Exploit Mitigation Technologies .................................................. 6
3.3.
Techniques to Bypass Sandbox / Policy / Access control............................................... 10
3.4.
4.
Advanced Fuzzing Techniques ......................................................................................... 6
Techniques to defeat behavior based protection and automatic analyzing sandbox ... 13
Conclusion ............................................................................................................................. 15
Reference ...................................................................................................................................... 17
4. 1. Introduction
1.1.Background
APT (Advanced Persistent Threat) has become very popular in 2011. Actually we have already
known this kind of attack since 2004. Due to the political issue, Government units and large
enterprises in Taiwan has been targeted for many years. They have kept receiving purposemade e-mails and malwares (exploits), never stopped. Thus we have chances to observe the
attack trend and we also spent a lot of time on document exploit research.
Nowadays, not only in Taiwan, this kind of silent threat are attacking whole world, e.g. Google
Aurora attack and recent RSA attack. Unlike normal cyber-criminals, they are hacking for the
information, not for profit. And unfortunately, most of security software couldn’t protect
effectively.
We are going to discuss document exploit from technical perspective, introduce attack
techniques that might be used in future. We wish application and security vendors could be
aware of the attack and have new approaches to protect people.
1.2.Targeted Attack and Document Exploit
Attacker sends an e-mail with specific content and document exploit (antivirus couldn’t detect)
to his targets. After open the document, attacker could take control of the victim’s system. It is
the most common way and not easy to be aware of. The malicious document usually includes
malicious web page (attacking browsers), office document, PDF, and Flash.
Document exploit is actually the weapon of targeted attack.
1.3.Cat and Mouse Game
Exploit attack and defense is like a cat and mouse game. Vendors keep patching application and
inventing new technologies to prevent attack, however attackers always can find ways to
defeat those protections. So if we could be ahead of attackers by guessing their next tricks, we
might have better protections for people.
1.4.Contents of the Paper
In this paper we will discuss document exploit from technical perspective. Recent document
exploit techniques will be introduced in chapter 2.
5. Chapter 3 will cover four major types of new document attacks, including our latest findings:
Advanced fuzzing techniques: our flash AVM fuzzing technique will be introduced.
Techniques to against exploit mitigation technologies: our new JIT spraying techniques
will be introduced.
Techniques to bypass sandbox and policy control: a flash vulnerability will be introduced
as an example.
Techniques to defeat behavior based protection: new approaches to write a document
exploit. This will make security vendors headache.
2. Recent Document Exploit Attacks
2.1.Hybrid Document Exploit
If you have installed all Microsoft office patches, and there is no 0-day vulnerability and exploit.
Will it be 100% safe to open a word or excel document? The answer is no. Modern document
application is very complicated. Most of them could embed document objects of other
applications. For example, the Excel could embed an Adobe flash object. In this case, even your
Excel is up to date, it is still not 100% safe when you open an Excel document which includes a
flash object and your flash application is vulnerable.
Most of people know browser could include a lot of document objects, such as PDF, flash, and
other multimedia files. So they are cautious when they open web page. However, when they
open a document in the e-mail, they would not be aware of the danger.
This kind of attack is very popular recently. A flash vulnerability could be repacked as a
malicious web page, a PDF exploit, or even an office document exploit.
6. 2.2.Incomplete Protection
Application vendors delivered new technologies to make their application safer. Especially the
exploit mitigation techniques could do really good jobs to avoid execution of exploits, e.g. DEP
and ASLR.
However, it is very difficult to do protections completely. Because application is very
complicated as well as the environment of operating system, it is not possible to update every
component, every tool to adopt the protection technologies. And you don’t need to think that
you could ask all users to install updates or manually enable protections.
For example, even you have adopted DEP and ASLR, there are always some researchers could
find some modules are not protected by ASLR, and they could use the module to do ROP
(return-oriented programming) and make effective exploits.
2.3.Advanced Memory Attack Techniques
Researchers are also finding some new approaches to bypass DEP and ASLR. Flash JIT spraying
techniques has been introduced in BHDC2010. Flash JIT could bypass DEP, and the spraying
technique could defeat ASLR. This technique could exploit the newest Office 2010 and Internet
Explorer.
2.4.Vendor Responses
Vendors have been working hard to patch vulnerabilities and adopt new protections in
applications. Flash has started to encode/encrypt AVM code area since version 10.1, and the
memory area has become non-executable. Also it has better ASLR to arrange its memory
sections. These new techniques effectively mitigate JIT spraying exploit.
And Microsoft released Enhanced Mitigation Experience Toolkit 2.0 in Blue Hat v10. The EMET
tool could provide a lot of memory protections for applications. It could effectively defeat most
of exploits with ROP techniques.
2.5.Our Finding in Real Attacks
Recently we found exploit is using the same trick as we disclosed in Syscan 10’. Do you know
why attackers don’t include a flash exploit in web page or PDF file, and they only use Excel to
spread malicious e-mails. The reason is Excel will turn off DEP when a flash object is embedded.
It is much easier for attackers to write exploits.
7. 3. Future Document Exploit Attacks
3.1.Advanced Fuzzing Techniques
File format fuzzing is the most common way to discover a vulnerability of document application.
We believe most of document vulnerability discovers (including vendors) are keeping improving
their fuzzing tools. We are going to introduce our Flash AVM fuzzing techniques.
Focus on AVM instructions. Take the CVE-2010-1297 as example. Traditional one-byte fuzzing
technique modifies each byte of the sample file with 256 values. We found we can focus on the
AVM (action script) part, the method_body of code area. And we also found there are only
around 170 AVM instructions. So our fuzzing tool could only try the AVM part with 170 values.
It reduces the testing range and save a lot of time, and we could still find similar vulnerabilities.
We use the approach to fuzz the CVE-2010-1297, and we also discovered APSB11-12 before it
was disclosed. (By inserting a Setlocal_1 (0xd5) in code area)
Furthermore, we accidently found the JIT spraying technique could still work during the
automatic fuzzing process.
3.2.Techniques to Against Exploit Mitigation Technologies
Many researchers are looking for new techniques to bypass DEP and ASLR. We are the same. In
this chapter we are going to explain how we bring JIT spraying back, and our JIT spraying
improvements.
The magic B4 (IN) instruction:
8. The original JIT spraying is use ’35 90 90 90 3C’ to fill up the code area. By our fuzzing technique,
we found if we replace the first XOR(AA) with IN(B4), the AVM code area will not be encoded in
memory, and memory section will become executable (like before).
Old trick (the XOR trick) could be used again. However, the improved ASLR reduced the success
rate. We need some other techniques.
Continuity of sprayed area:
Original trick used a loop to load the spraying file a lot of times to do JIT spraying. However, this
approach has bad continuity in new version of Flash.
In order to have better continuity, instead of reloading another swf file, we make a lot of
method_body in a swf file directly. This approach has much better result.
In our testing, we have around 10000 method_body in the sample file and each method_body
(function) includes 2048 XOR instructions. Yes, this technique produces a huge file (58.7MB).
Zlib could help us to solve the problem. After compression, the sample file size is 268k bytes.
Following picture shows content of the swf file:
9. Use OR:
Instead of XOR instruction, we found a better solution. We use OR(A9) instead of XOR(AA) to
spray the memory. Instead of ’35 90 90 90 3C’, the content in memory will be ‘0D 0D 0D 0D 0C’.
This technique makes it easier to jump into our sprayed area when trigger the vulnerability.
We use MS11-050 as the example:
While the vulnerability is being triggered, you can see the EDX value is important. The value of
EDX would be the value of [EAX+70]. In this case, it is actually [0x0c0c0c0c+70]. If we still use
XOR trick, the value of EDX would be one of DWORD value of ‘35 90 90 90 3C’ sprayed area.
If we use the OR instruction, it would be easier to spray the possible destination addresses (the
value of EDX).
10. It works everywhere.
Our approach can defeat DEP and ASLR effectively, even the EMET all functions are enabled.
Protection
Office2000 ~Office 2010 (DEP AlwaysOn, ASLR)
Internet Explorer (DEP AlwaysOn, ASLR)
Adobe PDF (DEP AlwaysOn, ASLR)
EMET v2.1 (Enabled all functions)
New JIT Spraying with
Flash Player 10.3.181.34
(Released 6/28/2011)
works
works
works
works
When EMET is adopted, the sprayed memory layout would be like:
11. We can see that EMET would skip the sensitive address range, e.g. 0x0c0c0c0c or 0x0d0d0d0d.
However, if the vulnerability is the traditional stack overflow, like CVE-2010-3333, we can still
control EIP, so we can fill 0x0c0d0c0d to enter the sprayed area.
There is one thing we would like to mention: when you are writing shellcode, you need some
efforts to bypass EAF protection. You need to look for functions in DLLs to access Export
Address Table. (ref: http://skypher.com/index.php/2010/11/17/bypassing-eaf/)
3.3.Techniques to Bypass Sandbox / Policy / Access control
Except for memory exploitation, the attack to design of security policy and resource access
control will be another topic for document exploit researchers.
12. In order to provide secure execution environment for clients and users, vendors are starting to
adopt sandbox technologies to their applications. The sandbox usually has complicated policy
and permission control to isolate access to each resource. There might be some logic design
flaws in applications.
Flash Sandbox Problem
We take a policy design flaw that we found in Flash as the example. There are 4 types of
properties in Flash Security.SandboxType: Security.REMOTE,Security.LOCAL_WITH_FILE,
Security.LOCAL_WITH_NETWORK, and Security.LOCAL_TRUSTED. The basic idea is if
you can access network, you can’t access local resource, vice versa. The flaw
is in its ‘url protocol’ design.
We embed a Flash object in an Office document. This flash object is allowed to access local files,
and not allowed to access internet. However there is a problem when handling the ‘mms’
protocol. When the flash object opens an mms link, IE will be launched, and then media player
will also be launched (by IE) as well. The media player will connect to the link.
13. Using this flaw, we could retrieve user information, and use mms protocol to send information
to internet. For example, we might steal user’s cookie, user’s saved password, etc. And we
could use this technique to probe user environment.
It is not allowed to directly identify a file existing or not. However, we may use
‘addEventListener’ to monitor the IOErrorEvent.IO_ERROR event if file doesn’t exist. And
Event.COMPLETE could help us to know the file loading action has been completed.
There is still a problem that we need to know where user’s home path is, for example, user’s
cookie or saved password. Actually there are many log files that show this information. In our
approach, we use setupapi.app.log. (Windows 7: ‘C:Windowsinfsetupapi.app.log’, Windows
XP: ‘C:WINDOWSsetupapi.log’)
var uname = "mms://x.x.x.x:1755/"+secret.contents+".asx";
var req = new URLRequest(uname);
navigateToURL(req,"_blank");
In case of IE6 or IE7, as you can see, the code launches IE and media player automatically. The
information would be transferred out. However, there will be a pop-up warning message
before opening media player when you are using IE8 and IE9. For this situation, we may use
14. some tricks to interact with users, for example we can create some animation with links. I think
most of users would still click ‘Yes’ to allow the connection.
3.4.Techniques to defeat behavior based protection and automatic analyzing
sandbox
In case of exploit is launched, traditional signature based malware protection is useless,
because the exploit or malware is usually 'customized'. Users can only rely on behavior based
protection. For example, the HIPS could block your connection to Internet, block file dropping
to system folders, and block access to sensitive registries. Therefore defeating HIPS will become
exploit writer's next major task.
Inline Hook Bypassing
Many HIPS use inline hook to intercept API and monitor behaviors. Most of them are using
Microsoft Detour library or Detour-like approach. Bypassing this kind of API hooking, we many
just skip a few begging bytes.
Address 0x7C82D146
API is hooked by
Detours
CreateProcessInternalW
Push 0x608 Detours _ jmp functon
push offset stru_7C82D450
call __SEH_prolog
mov eax, dword_7C88B7B0
mov [ebp+var_1C], eax
Calling an API
Bypass call
(Create the same value in stack)
Jmp 0x7C82D146+5
15. WMI and COM Objects
The HIPS usually does hook to observe malicious behaviors (No matter in ring0 or ring3). Once it
detects a suspicious behavior, it would check ‘who’ is doing this by identifying the process. If
the process is not in its legitimate (white) process list, it could block the action.
Try to imagine, if legitimate process could do things for us, the HIPS would become useless. Do
injection to those system (legitimate) processes? No, the injection could be blocked.
We noticed that Microsoft has already provided complete solutions – the WMI and many useful
COM objects. By leveraging the technologies, system process could do everything for us,
including connecting to Internet, access files/registries, and even installing a MSI file.
Not only defeating HIPS, the approach could also defeat automation analyzing sandbox system.
The malware ‘process’ actually does nothing directly. The sandbox could record nothing if the
sandbox only tracks malware process.
16. NET
COM
Process
COM
Malware COM
REG
COM
FILE
WMI / COM Shellcode
Writing shellcode to use WMI, we need to include some functions in ole32.dll: CoUninitialize(),
CoInitializeSecurity(), CoInitializeEx(), CoCreateInstance(), CoSetProxyBlanket().
Get instance via CLSID_WbemLocato(), and connect ROOTCIMV2. GetObject can get
‘Win32_Process’, and GetMethod can have ‘Create’. Then use ExecMethod to launch
notepad.exe.
4. Conclusion
We have discussed complete solutions to make a weapon of targeted attack with many new
techniques:
How to find vulnerabilities: AVM fuzzing technique.
How to defeat exploit mitigation technologies: new JIT spraying.
How to make an exploit without memory hard work: attack policy flaw.
How to defeat desktop protection and analyzing system: WMI and COM.
17. We believe attackers are working hard on these topics. We wish security vendors could address
these problems to come out solutions ahead of attackers.
Probe victim's
environment
and collect
information.
(embed swf in
office)
Use New JIT
techniques with
browser, PDF,
Office
vulnerabilities.
Future APT
attack?
Use COM
technique to
bypass HIPS
18. Reference
Office is Still Yummy
Ming-chieh Pan and Sungting Tsai,
2010.
as3compile.exe
Adobe Virtual Machine 2 (AVM2)
INTERPRETER EXPLOITATION:
POINTER INFERENCE AND JIT
SPRAYING
Writing JIT-Spray Shellcode for fun
and profit
Enhanced Mitigation Experience
Toolkit v2.1
swfretool
MS11-050 IE
mshtml!CObjectElement.
Use After Free
Win32_Process Class
Bypassing Export address table
Address Filter (EAF)
Heap Feng Shui in JavaScript
http://exploitspace.blogspot.com/2011/06/ourpresentation-in-syscan-10-singapore.html
http://www.swftools.org/
http://www.adobe.com/devnet/actionscript/articles/avm
2overview.pdf
http://www.semantiscope.com/research/BHDC2010/BHD
C-2010-Paper.pdf
http://dsecrg.com/files/pub/pdf/Writing%20JITSpray%20Shellcode%20for%20fun%20and%20profit.pdf
http://www.microsoft.com/download/en/details.aspx?id=
1677
https://github.com/sporst/SWFREtools
http://d0cs4vage.blogspot.com/2011/06/insecticidesdont-kill-bugs-patch.html
http://msdn.microsoft.com/enus/library/aa394372(v=VS.85).aspx
http://skypher.com/index.php/2010/11/17/bypassingeaf/
https://www.blackhat.com/presentations/bh-europe07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf