Bsides chicago 2013 honeypots
•Download as PPTX, PDF•
0 likes•630 views
This document discusses different types of honeypots used to detect unauthorized access and malware. It provides statistics on attacks detected by the Dionaea, Kippo, and Honeydrive honeypots, including top attacking IP addresses and malware captured. Interactive portions allow the reader to access honeypot systems to observe attacks firsthand. The author analyzes the data collected and shares insights into cyber threats and how honeypots can help security analysts.
Report
Share
Report
Share
Recommended
Bsides detroit 2013 honeypots
This document discusses various honeypot tools and the findings from deploying them. It begins with an introduction to honeypots and what they are used for. It then discusses specific low and high interaction honeypots like Dionaea, Kippo, Amun and Thug. For each honeypot, it provides statistics on IP addresses, login attempts, files uploaded and malware captured. It also analyzes these findings through tools like Wireshark and virus total. Overall, the document aims to educate about honeypot tools and share the results from the author's own honeypot deployments.
Malware analysis - What to learn from your invaders
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
(130119) #fitalk apt, cyber espionage threat
The document discusses several advanced persistent threats (APTs) that have targeted systems in Korea and other countries, including the LuckyCat, Heartbeat, and Flashback malware campaigns. It provides details on the attacks, malware components, command and control infrastructure, and technical analysis of the threats. The document aims to help the digital forensics community in Korea understand these sophisticated cyber espionage activities and improve defenses against similar attacks.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Introduction to Malware Analysis
This document provides an overview of malware analysis, including both static and dynamic analysis techniques. Static analysis involves examining a file's code and components without executing it, such as identifying file types, checking hashes, and viewing strings. Dynamic analysis involves executing the malware in a controlled environment and monitoring its behavior and any system changes. Dynamic analysis tools discussed include Process Explorer, Process Monitor, and Autoruns to track malware processes, files accessed, and persistence mechanisms. Both static and dynamic analysis are needed to fully understand malware behavior.
LOGGING FOR FUN, AND PROFIT
Have you ever wondered “Should I log this?” or “What should I put in this log statement?” or ”What level should I log this at?” If so, you are not alone. Logging is often an afterthought, and usually when you are having a production issue that lacks sufficient logging. If the proper things are logged, lots of value can be unlocked from them. You can help answer a variety of questions: “Is this functionality even being used?”, “Have we seen this before, and if so, under what conditions?”. Questions that can be answered from all perspectives: development, operations and the actual business users themselves!
Larry Shatzer
Di shen pacsec_final
- The document discusses exploiting unconventional use-after-free (UAF) bugs in the Android kernel perf system to gain root privileges on Android devices.
- It describes two UAF bugs, CVE-2016-6787 and CVE-2017-0403, that are difficult to exploit due to lack of control over freed objects and inability to achieve code execution.
- Novel exploitation techniques are proposed, such as freezing threads to gain time to refill freed objects for CVE-2016-6787 and compromising the pipe subsystem to achieve arbitrary kernel writes for CVE-2017-0403.
Anton Chuvakin on Discovering That Your Linux Box is Hacked
This presentation covers how to discover the common signs that your Linux system is compromised by attackers
Recommended
Bsides detroit 2013 honeypots
This document discusses various honeypot tools and the findings from deploying them. It begins with an introduction to honeypots and what they are used for. It then discusses specific low and high interaction honeypots like Dionaea, Kippo, Amun and Thug. For each honeypot, it provides statistics on IP addresses, login attempts, files uploaded and malware captured. It also analyzes these findings through tools like Wireshark and virus total. Overall, the document aims to educate about honeypot tools and share the results from the author's own honeypot deployments.
Malware analysis - What to learn from your invaders
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
(130119) #fitalk apt, cyber espionage threat
The document discusses several advanced persistent threats (APTs) that have targeted systems in Korea and other countries, including the LuckyCat, Heartbeat, and Flashback malware campaigns. It provides details on the attacks, malware components, command and control infrastructure, and technical analysis of the threats. The document aims to help the digital forensics community in Korea understand these sophisticated cyber espionage activities and improve defenses against similar attacks.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Introduction to Malware Analysis
This document provides an overview of malware analysis, including both static and dynamic analysis techniques. Static analysis involves examining a file's code and components without executing it, such as identifying file types, checking hashes, and viewing strings. Dynamic analysis involves executing the malware in a controlled environment and monitoring its behavior and any system changes. Dynamic analysis tools discussed include Process Explorer, Process Monitor, and Autoruns to track malware processes, files accessed, and persistence mechanisms. Both static and dynamic analysis are needed to fully understand malware behavior.
LOGGING FOR FUN, AND PROFIT
Have you ever wondered “Should I log this?” or “What should I put in this log statement?” or ”What level should I log this at?” If so, you are not alone. Logging is often an afterthought, and usually when you are having a production issue that lacks sufficient logging. If the proper things are logged, lots of value can be unlocked from them. You can help answer a variety of questions: “Is this functionality even being used?”, “Have we seen this before, and if so, under what conditions?”. Questions that can be answered from all perspectives: development, operations and the actual business users themselves!
Larry Shatzer
Di shen pacsec_final
- The document discusses exploiting unconventional use-after-free (UAF) bugs in the Android kernel perf system to gain root privileges on Android devices.
- It describes two UAF bugs, CVE-2016-6787 and CVE-2017-0403, that are difficult to exploit due to lack of control over freed objects and inability to achieve code execution.
- Novel exploitation techniques are proposed, such as freezing threads to gain time to refill freed objects for CVE-2016-6787 and compromising the pipe subsystem to achieve arbitrary kernel writes for CVE-2017-0403.
Anton Chuvakin on Discovering That Your Linux Box is Hacked
This presentation covers how to discover the common signs that your Linux system is compromised by attackers
Malware analysis
- Malware analysis involves both static and dynamic analysis techniques to understand malware behavior and assess potential damage. Static analysis involves disassembling and reviewing malware code and structure without executing it. Dynamic analysis observes malware behavior when executed in an isolated virtual environment.
- Tools for static analysis include file hashing, string extraction, and PE header examination. Dynamic analysis tools monitor the registry, file system, processes, and network traffic created by malware runtime behavior. These include Process Monitor, Wireshark, Process Explorer, and network sniffers.
- To safely conduct malware analysis, one should create an isolated virtual lab separated from production networks, and install behavioral monitoring and code analysis tools like OllyDbg, Process Monitor, and Wiresh
Hunting for the secrets in a cloud forest
Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present you hackish methods used by cyber criminals to find access keys in the public Internet. How can Shannon Entropy help you? During the presentation, I’ll release my own scaners to search AWS and Azure space and in the end I will demonstrate my own tool to analyze big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It’s gonna be fun!
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
Chi-en Shen (Ashley) is a security researcher at FireEye, where she focuses on threat intelligence research. She specializes in threat hunting, malware analysis, reverse engineering, and targeted attacks research. Prior to FireEye, Ashley helped found Team T5, a threat research security company where she also works as a threat analyst. For supporting women in InfoSec, Ashley co-founded “HITCON GIRLS” – the first security community for women in Taiwan. Ashley is also a regular speaker at global security conferences, including Black Hat Europe, Black Hat Asia, FIRST, HITB GSEC, CODE BLUE, Troopers, HITCON and VXCON. Ashley also serves as a member of the Black Hat Asia review board where she evaluates research for briefings and training.
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
I'm Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
Real-Time Static Malware Analysis using NepenthesFE
My presentation slides for International Malware Conference - Malcon 2010 - held in Mumbai, India on 3rd December, 2010
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
BlueHat v18 || The matrix has you - protecting linux using deception
Ross Bevington, Microsoft
In ‘The Matrix’ sentient machines subdue the population by developing a highly sophisticated simulation. High interaction honeypots are a lot like The Matrix, designed to convince an attacker to execute an attack so we can monitor them. But these honeypots are flawed!
Attackers are continually adapting in order to evade our defenses - meaning that it’s often not enough to just set up a honeypot and watch the results roll in. Is a new approach better?
Did you know that 40% of IaaS VMs in Azure are Linux? For Microsoft to protect itself and its customers Linux is a priority.
At MSTIC we’ve developed a new type of Linux honeypot that allows us to deceive and control the behavior of an attacker. We are using this to understand the person behind the attack, examining them as they examine us. Using these techniques, we are able to better track the person behind the threat, build better protections and ultimately protect more Linux users - whether they are using Azure or not.
In this presentation I’ll show some of the successes of running a Matrix like environment, failures where a glitch was spotted as well as deception approaches that could be applied to other domains. Finally I’ll show how easy it is to leverage Azure’s big data capabilities to build and ultimately query all this data at scale as well as how you can immediately reap the benefits of this work by connecting your Linux box to Azure Security Center.
My Bro The ELK
The document discusses using the ELK stack (Elasticsearch, Logstash, Kibana) to analyze security logs and events. It describes how to ingest logs into Logstash, normalize the data through filtering and parsing, enrich it with threat intelligence and geolocation data, and visualize the results in Kibana. The TARDIS framework is introduced as a way to perform threat analysis, detection, and data intelligence on historical security logs processed through the ELK stack.
International collaborative efforts to share threat data in a vetted member c...
The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.
Internal Pentest: from z3r0 to h3r0
This presentation talks about tricks and tools to use during internal penetration tests gigs. It was presented at Roadsec SP in November 2016.
Hunting for APT in network logs workshop presentation
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Hunting for the secrets in a cloud forest
This presentation discusses how access keys can leak from cloud services like AWS, Azure, and GCP. It outlines several ways keys may leak, such as from unsecured storage containers, compromised accounts, and web applications. The presentation then demonstrates a tool called DumpsterDiver that uses entropy analysis to hunt for private keys within files. Countermeasures discussed include access control, encryption, VPN access only, multi-factor authentication, regular data verification, and penetration testing. The goal is to show how keys can leak and discuss reliable prevention strategies.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
Detection index learning based on cyber threat intelligence and its applicati...
While the importance of sharing cyber threat intelligence (CTI) and considering countermeasures in advance as cyber attacks become more sophisticated is increasing, IP addresses and domains as detection indices included in CTI are attacked by attackers in short cycles Dispose (change or disappear). As a countermeasure on the defender side, we are moving towards increasing the cost of attackers by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the situation is such that the CTI is also disposable in a short cycle. In this report, we built a detection index learning method based on CTI that is accumulated day by day and implemented a detection index learning engine learning how detection indices are used by attackers Report on the learning result. We also report on the possibility of reconstructing and combining the result of learning the detection index and applying it to mid- to long-term advanced protection in combination with another data source.
Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1
With many organizations using a sandbox to detonate suspicious files, many threats are implementing logic to detect sandbox environments, to alter their behavior and evade detection. This talk will highlight many real-world evasion tactics employed by recent malware, discussing challenges in measuring evasive behaviors and offering insights to improving the effectiveness of the sandbox.
(Source: RSA Conference USA 2018)
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve coverage guided fuzzing and find new zero days in tough targets
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
The document discusses analyzing domain generation algorithms (DGAs) used by malware to establish resilient command and control connections. It focuses on analyzing the DGA used by the Ramnit malware. The Ramnit DGA works by seeding a linear congruential generator with an unknown seed value, generating domain names of random lengths between 8-19 characters from an alphabet of letters, and appending ".com". The document aims to identify the seed values used by brute forcing all possible seeds and analyzing DNS query patterns to determine how many domain names each seed generates.
SBI PO exam preparation online
The document discusses the State Bank of India Probationary Officer (SBI PO) 2016 exam. It provides information about the exam dates, eligibility requirements, exam pattern and syllabus, preparation tips, and free mock tests being offered. The SBI PO exam will be conducted in July and August 2016 in three phases - preliminary exam, main exam, and interview. The preliminary exam will test English, quantitative aptitude, and reasoning ability. The main exam will have objective and descriptive tests. TopRankers provides study materials and free online mock tests to help candidates prepare for the SBI PO 2016 exam.
Honeypots
The document discusses honeypots, which are decoy computer systems used to detect cyber attacks. It describes two main types of honeypots: low-interaction honeypots, which emulate services and operating systems, and high-interaction honeypots, which use real systems and software. Low-interaction honeypots are easier to deploy but provide limited information, while high-interaction honeypots provide more complete data but also higher risks if not isolated properly. Specific honeypot examples discussed include Honeyd, a low-interaction honeypot, and Honeynets, which use entire decoy networks of high-interaction systems.
Indian government jobs for graduates
The document discusses various types of government jobs available in India for graduates. It describes two main types of government jobs - central government jobs which include departments like railways and state government jobs which include departments like education. It provides details on the eligibility criteria and selection process for popular government jobs in sectors such as banking, engineering, defence, telecom, IT and judiciary. Banking jobs are described in depth, including the role of the Institute of Banking Personnel Selection in conducting exams. Overall, the document serves as a guide to the different career opportunities available in the Indian public sector.
More Related Content
What's hot
Malware analysis
- Malware analysis involves both static and dynamic analysis techniques to understand malware behavior and assess potential damage. Static analysis involves disassembling and reviewing malware code and structure without executing it. Dynamic analysis observes malware behavior when executed in an isolated virtual environment.
- Tools for static analysis include file hashing, string extraction, and PE header examination. Dynamic analysis tools monitor the registry, file system, processes, and network traffic created by malware runtime behavior. These include Process Monitor, Wireshark, Process Explorer, and network sniffers.
- To safely conduct malware analysis, one should create an isolated virtual lab separated from production networks, and install behavioral monitoring and code analysis tools like OllyDbg, Process Monitor, and Wiresh
Hunting for the secrets in a cloud forest
Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present you hackish methods used by cyber criminals to find access keys in the public Internet. How can Shannon Entropy help you? During the presentation, I’ll release my own scaners to search AWS and Azure space and in the end I will demonstrate my own tool to analyze big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It’s gonna be fun!
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
Chi-en Shen (Ashley) is a security researcher at FireEye, where she focuses on threat intelligence research. She specializes in threat hunting, malware analysis, reverse engineering, and targeted attacks research. Prior to FireEye, Ashley helped found Team T5, a threat research security company where she also works as a threat analyst. For supporting women in InfoSec, Ashley co-founded “HITCON GIRLS” – the first security community for women in Taiwan. Ashley is also a regular speaker at global security conferences, including Black Hat Europe, Black Hat Asia, FIRST, HITB GSEC, CODE BLUE, Troopers, HITCON and VXCON. Ashley also serves as a member of the Black Hat Asia review board where she evaluates research for briefings and training.
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
I'm Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
Real-Time Static Malware Analysis using NepenthesFE
My presentation slides for International Malware Conference - Malcon 2010 - held in Mumbai, India on 3rd December, 2010
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
BlueHat v18 || The matrix has you - protecting linux using deception
Ross Bevington, Microsoft
In ‘The Matrix’ sentient machines subdue the population by developing a highly sophisticated simulation. High interaction honeypots are a lot like The Matrix, designed to convince an attacker to execute an attack so we can monitor them. But these honeypots are flawed!
Attackers are continually adapting in order to evade our defenses - meaning that it’s often not enough to just set up a honeypot and watch the results roll in. Is a new approach better?
Did you know that 40% of IaaS VMs in Azure are Linux? For Microsoft to protect itself and its customers Linux is a priority.
At MSTIC we’ve developed a new type of Linux honeypot that allows us to deceive and control the behavior of an attacker. We are using this to understand the person behind the attack, examining them as they examine us. Using these techniques, we are able to better track the person behind the threat, build better protections and ultimately protect more Linux users - whether they are using Azure or not.
In this presentation I’ll show some of the successes of running a Matrix like environment, failures where a glitch was spotted as well as deception approaches that could be applied to other domains. Finally I’ll show how easy it is to leverage Azure’s big data capabilities to build and ultimately query all this data at scale as well as how you can immediately reap the benefits of this work by connecting your Linux box to Azure Security Center.
My Bro The ELK
The document discusses using the ELK stack (Elasticsearch, Logstash, Kibana) to analyze security logs and events. It describes how to ingest logs into Logstash, normalize the data through filtering and parsing, enrich it with threat intelligence and geolocation data, and visualize the results in Kibana. The TARDIS framework is introduced as a way to perform threat analysis, detection, and data intelligence on historical security logs processed through the ELK stack.
International collaborative efforts to share threat data in a vetted member c...
The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.
Internal Pentest: from z3r0 to h3r0
This presentation talks about tricks and tools to use during internal penetration tests gigs. It was presented at Roadsec SP in November 2016.
Hunting for APT in network logs workshop presentation
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Hunting for the secrets in a cloud forest
This presentation discusses how access keys can leak from cloud services like AWS, Azure, and GCP. It outlines several ways keys may leak, such as from unsecured storage containers, compromised accounts, and web applications. The presentation then demonstrates a tool called DumpsterDiver that uses entropy analysis to hunt for private keys within files. Countermeasures discussed include access control, encryption, VPN access only, multi-factor authentication, regular data verification, and penetration testing. The goal is to show how keys can leak and discuss reliable prevention strategies.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
Detection index learning based on cyber threat intelligence and its applicati...
While the importance of sharing cyber threat intelligence (CTI) and considering countermeasures in advance as cyber attacks become more sophisticated is increasing, IP addresses and domains as detection indices included in CTI are attacked by attackers in short cycles Dispose (change or disappear). As a countermeasure on the defender side, we are moving towards increasing the cost of attackers by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the situation is such that the CTI is also disposable in a short cycle. In this report, we built a detection index learning method based on CTI that is accumulated day by day and implemented a detection index learning engine learning how detection indices are used by attackers Report on the learning result. We also report on the possibility of reconstructing and combining the result of learning the detection index and applying it to mid- to long-term advanced protection in combination with another data source.
Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1
With many organizations using a sandbox to detonate suspicious files, many threats are implementing logic to detect sandbox environments, to alter their behavior and evade detection. This talk will highlight many real-world evasion tactics employed by recent malware, discussing challenges in measuring evasive behaviors and offering insights to improving the effectiveness of the sandbox.
(Source: RSA Conference USA 2018)
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve coverage guided fuzzing and find new zero days in tough targets
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
The document discusses analyzing domain generation algorithms (DGAs) used by malware to establish resilient command and control connections. It focuses on analyzing the DGA used by the Ramnit malware. The Ramnit DGA works by seeding a linear congruential generator with an unknown seed value, generating domain names of random lengths between 8-19 characters from an alphabet of letters, and appending ".com". The document aims to identify the seed values used by brute forcing all possible seeds and analyzing DNS query patterns to determine how many domain names each seed generates.
What's hot (19)
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Real-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFE
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...
Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1
Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Viewers also liked
SBI PO exam preparation online
The document discusses the State Bank of India Probationary Officer (SBI PO) 2016 exam. It provides information about the exam dates, eligibility requirements, exam pattern and syllabus, preparation tips, and free mock tests being offered. The SBI PO exam will be conducted in July and August 2016 in three phases - preliminary exam, main exam, and interview. The preliminary exam will test English, quantitative aptitude, and reasoning ability. The main exam will have objective and descriptive tests. TopRankers provides study materials and free online mock tests to help candidates prepare for the SBI PO 2016 exam.
Honeypots
The document discusses honeypots, which are decoy computer systems used to detect cyber attacks. It describes two main types of honeypots: low-interaction honeypots, which emulate services and operating systems, and high-interaction honeypots, which use real systems and software. Low-interaction honeypots are easier to deploy but provide limited information, while high-interaction honeypots provide more complete data but also higher risks if not isolated properly. Specific honeypot examples discussed include Honeyd, a low-interaction honeypot, and Honeynets, which use entire decoy networks of high-interaction systems.
Indian government jobs for graduates
The document discusses various types of government jobs available in India for graduates. It describes two main types of government jobs - central government jobs which include departments like railways and state government jobs which include departments like education. It provides details on the eligibility criteria and selection process for popular government jobs in sectors such as banking, engineering, defence, telecom, IT and judiciary. Banking jobs are described in depth, including the role of the Institute of Banking Personnel Selection in conducting exams. Overall, the document serves as a guide to the different career opportunities available in the Indian public sector.
Honeypot ss
Honeypots are decoy systems used to gather threat intelligence. They allow monitoring of attacks to better understand tactics and improve defenses. There are different types, including low-interaction virtual honeypots for ease of use and high-interaction physical honeypots for more detailed data. Honeypots are placed in various network locations and can operate as production systems to detect threats or research systems to collect information. They provide security benefits but also have limitations like narrow views and fingerprinting risks.
Honeypots (Ravindra Singh Rathore)
This document discusses honeypots, which are decoy systems used to gather information about cyber attacks. Honeypots have no production value and anything accessing them is likely an unauthorized probe or attack. They are used to monitor networks for security threats without disrupting normal operations. Honeypots can be classified based on their level of interaction, implementation (physical or virtual), and purpose (production systems or research). They provide valuable security benefits like detecting intruders and gathering threat intelligence, but also have disadvantages like risks of being compromised.
Honeypots.ppt1800363876
This document provides an overview of honeypots and the Honeynet Project. Honeypots are fake computer systems designed to attract and monitor hackers. They allow researchers to gather data on hacking techniques without endangering real systems. The document discusses low and high interaction honeypots, virtual versus physical honeypots, and how honeypots are used to collect information on attackers. It also provides an overview of the Honeynet Project, which uses entire networks of high interaction honeypots to obtain in-depth data on hacker tactics and tools.
Ppt
Honeypots are security tools that allow systems to be monitored, analyzed and defended. They work by emulating vulnerabilities to attract hackers and observe their behavior without exposing real systems to harm. There are different types of honeypots based on level of interaction, from low to high. Low interaction honeypots like Honeyd emulate services with limited functionality while high interaction ones like Honeynets create fully functional virtual systems. Honeypots provide benefits like reduced false alarms, new threat intelligence and forensic data but also have drawbacks like single data points and fingerprinting risks. They are useful for research, detection and prevention when used carefully alongside other security practices.
Honeypots in Cyberwar
Honeypots and honeynets are used to study cyber attacks. A honeypot is a computer system set up to attract cyber attacks so threats can be observed and analyzed. A honeynet contains multiple honeypots and allows attacks on an entire network to be monitored. Deploying honeypots provides benefits like risk mitigation, intrusion detection, and research opportunities to study attacker techniques. However, honeypots also have downsides like limited visibility and potential additional security risks if compromised.
Honeypot Basics
This ppt contains all the basics of honeypots like their types, implementation technologies, position in the network etc.
In the end, it contains a screenshot of a live honeypot processing.
Honeypots for Active Defense
InfoSec analysts are all somewhat familiar with Honeypots. When they are given the proper attention, care and feeding, they produce invaluable information and can be a critical asset when it comes to defending the network. This intel has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor, right? Not exactly; when deployed and monitored properly, Honeypots and Honey Tokens are a simple way to alert on anomalous activity inside the network. But how can an organization that is not focused on research gain valuable threat intelligence using Honeypots and actively defend their network using indicators generated from an internal Honeynet?
The answer is Honeypots for Active Defense. There are currently many open source security tool distributions that come pre-loaded with Honeypots among other useful tools, however the Honeypot software is often not deployed in an effective manner. This session will discuss techniques to leverage Honeypots in ways that will not overburden the security team with massive logs to sift through and focuses efforts on correlating active threat data observed in the Honeypots with the production environment. When deploying Honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network before they become the next headline.
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Community From Jae Chung, Matt Hartling, Zach Lawson, Frank Posluszny
Automatic Road Sign Recognition From Video
The document describes an automatic road sign recognition system developed for high resolution roadside video. It uses a color space method to detect signs by recognizing color patterns. Specifically, it detects signs by converting RGB images to HSI color space and matching hue values. The system was tested on various sign types under different lighting conditions with good detection results. In conclusion, the approach provides a robust and fast way to detect most common road signs in New Zealand videos and identify the sign type and location.
Using Canary Honeypots for Network Security Monitoring
In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
All about Honeypots & Honeynets
The document discusses honeypots and honeynets. It defines a honeypot as a decoy system intended to be attacked to gather threat intelligence. Honeynets contain multiple honeypots within a controlled network for monitoring. The document outlines the benefits of deploying honeypots, such as risk mitigation and research. It also discusses techniques for installing and detecting honeypots, and the future of honeypot technologies.
Honeypots for Cloud Providers - SDN World Congress
1. Cloud providers face new security challenges with software-defined networking and network function virtualization technologies, as virtualized network appliances can now be remotely accessed and hacked.
2. Honeypots can help by diverting attacks to isolated, monitored systems, collecting valuable attacker data without risk to real systems. Analytics of honeypot data can reveal attack patterns to predict future threats.
3. Pairing honeypots with cloaking technologies provides layered defenses, and honeypot data analytics could enable new "security as a service" offerings from cloud providers.
Honeypots
This document provides an introduction and overview of honeypots including definitions, uses, types, deployment, and legal issues. It defines a honeypot as a resource designed to be attacked in order to gather information about attacks. Honeypots are used for research, understanding blackhat activities, and building better defenses. They come in low, mid, and high interaction varieties depending on how much an attacker can interact with the operating system. Deployment involves running honeypot programs on hardened machines or using unpatched servers protected by firewalls. Legal issues include privacy, entrapment, and liability concerns.
Honey Pot
The document discusses honeypots, which are computer systems designed to attract hackers in order to study their behavior. Honeypots come in two types - production honeypots, which directly protect networks, and research honeypots, which are used to gather threat intelligence. They also vary in their level of interaction, from low-interaction honeypots that emulate systems to high-interaction honeypots with fully functional operating systems. The goals of honeypots are to learn about new attacks, build attacker profiles, and identify vulnerabilities. They provide security benefits but also carry risks if compromised.
Honeypots
This document provides an overview of honeypots, which are security resources that are intended to be probed, attacked, or compromised in order to gather information about attackers. Honeypots can be used to learn about past attacks, detect currently occurring attacks, and identify new types of attacks. They work by monitoring any traffic to resources that are not expected to receive data. Honeypots have advantages like reducing false alarms and providing data for analysis, but also have disadvantages like narrow visibility and risks of the attacker using the honeypot to attack other systems. The document discusses different types of honeypots including low and high interaction honeypots, and specific honeypot tools like Honeyd and Honeynets.
Design & Implementation of Honeyd to Simulate Virtual Honeypots
Honeyd is a tool that enables setting up multiple virtual honeypots on a single machine, each with different characteristics and services. It simulates entire networks and can claim up to 65,536 IP addresses. Honeyd responds appropriately to fingerprinting tools to emulate different operating systems. The document discusses implementing Honeyd to simulate virtual honeypots, along with Snort for intrusion detection and MySQL for logging. Results show Honeyd effectively collected information on attack sources and traffic to the virtual honeypots.
Viewers also liked (19)
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
Honeypots for Cloud Providers - SDN World Congress
Honeypots for Cloud Providers - SDN World Congress
Design & Implementation of Honeyd to Simulate Virtual Honeypots
Design & Implementation of Honeyd to Simulate Virtual Honeypots
Similar to Bsides chicago 2013 honeypots
OSINT tools for security auditing [FOSDEM edition]
This document discusses various open source intelligence (OSINT) tools for security auditing that can be used with Python. It begins by defining the types of data that can be gathered through OSINT, including technical, social, physical, and logical information. Several Python-based tools are then introduced for gathering server information, geolocation, metadata extraction, footprinting, and social media intelligence including Censys, Shodan, Recon-ng, The Harvester, OSR Framework, SpiderFoot, and Tinfoleak. The document provides an overview of the capabilities and modules for each tool.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
This document discusses using honeypots to reverse penetrate attackers and gain intelligence on them. It describes how a honeypot was used to collect information from attackers like usernames, source IPs, and intermediate hosts. On some occasions, it allowed gaining access to third party services those attackers had authenticated with. The document concludes honeypots can provide useful intelligence but also raises legal and ethical concerns with counterattacking or collecting personal information.
Phd final
This document discusses using honeypots to reverse penetrate attackers and gain intelligence on them. It describes how a honeypot was used to collect information from attackers like usernames, source IPs, and intermediate hosts. On some occasions, it was able to exploit browsers or third party services to gather additional data like email addresses. However, more skilled attackers avoided running untrusted software. The document concludes honeypots can provide useful intelligence but also raises moral and legal issues with counterattacking or exploiting attackers.
Luiz eduardo. introduction to mobile snitch
Mobile devices broadcast information passively through protocols like mDNS and NetBios that can be used to profile and fingerprint individuals. This metadata includes a person's name, device details, social media profiles, locations visited and more. While concerning for privacy, there are some mitigation tips like disabling WiFi when not in use. In the future, passive profiling may become more advanced through integration with other tools and online databases to create detailed profiles of individuals based solely on information broadcast from their mobile devices.
Data Driven Security, from Gartner Security Summit 2012
This document summarizes a presentation by Nick Galbreath on how Etsy uses Splunk to enable data-driven security. Some key points:
- Etsy uses Splunk to detect web application attacks like SQL injection and cross-site scripting by monitoring logs for malicious patterns.
- Splunk helps Etsy identify potential account takeovers from anomalous login activity like many failed passwords from one IP or high-volume password reset requests.
- Payment data in Splunk allows Etsy to monitor for fraud risks like abnormal payment amounts or velocities.
- Splunk supports Etsy's PCI compliance by enabling log searches and customized reports on sensitive systems.
OSINT tools for security auditing with python
This document discusses an OSINT (open-source intelligence) presentation on tools developed with Python for server information, geolocation, metadata, and social media footprinting from Twitter and other sources. It provides information on defining intelligence targets and the types of data to obtain (technical, social, physical, logical). It also lists tools and APIs for geolocation, server information from Censys and Shodan, the Recon-NG toolkit, and OSINT frameworks like Spiderfoot and theHarvester. Python libraries mentioned include BeautifulSoup, Requests, Shodan, and GeoIP. The presentation will be given at PYCONES in October 2016.
BinaryPig - Scalable Malware Analytics in Hadoop
The document describes BinaryPig, a framework for processing small binary files like malware samples using Apache Hadoop and Apache Pig. It allows for scalable storage and analysis of large datasets. BinaryPig addresses issues with previous approaches like lack of data locality, failure resilience, and dynamic schema support. It introduces loaders for running analysis scripts and daemons on binary data to extract features. Clustering results on a dataset of 20 million malware samples are also presented to demonstrate BinaryPig's capabilities for malware triage and research.
Getting Started with Splunk Enterprise
What is Splunk? At the end of this session you’ll have a high-level understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll see practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
Dmitry Lebedev: Agile Testing Using Agile Tools
The document discusses agile testing tools and techniques. It advocates becoming a software craftsman and creating test automation tools rather than buying them. Some recommended agile testing tools include whiteboards, index cards, stickies and sharpies. The document also provides examples of using Ruby tools like Watir, Selenium and Cucumber to automate tests for a web frontend, Java application, third-party web services and databases. It shows code examples for log parsing and testing web services using Ruby.
NPTs
BSides Boston and RI 2013
Video (BSides RI: http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-the-booters-stressing-the-stressors-allison-nixon-and-brandon-levene)
Natalie Pistunovich - Using Go In Dev Ops
This document discusses using the Go programming language for DevOps tools and applications. It begins with an introduction to Go, highlighting its benefits for system and site reliability engineering like being simple, reliable, and efficient. It then covers several existing open source DevOps tools built in Go, such as monitoring and logging programs. Finally, it discusses the growing adoption of Go and future developments like Go 2.0, noting how the Go community has doubled in size recently.
Using Go in DevOps
Natalie Pistunovich
Engineering Manager – Fraugster
Natalie is an Engineering Manager, Go Developer, Berlin’s Go User Group Lead, GopherCon Europe organizer and Public Speaker. She also describes herself as a Passionate Learner and Professional Questions Asker.
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Cyber security is one of the most challenging topic in the current era. Cyber attacks are becoming day by day more sophisticated and difficult to be detected by automated systems. People who understand cyber threats and act to block cyber attacks are defined as cyber analysts. But what do they really do ? What dificulties do they meet and what background should they have before starting the "neverending" "cyber security" learning path ? Why is not enough an automated system ? Marco will talk about real experiences on the cyber analyst field.
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
This document discusses extended differential fuzzing techniques. It begins with an overview of common fuzzing and differential fuzzing. Extended differential fuzzing aims to detect more vulnerability types by analyzing outputs across different implementations, inputs, versions, and operating systems. These include path disclosure, user disclosure, error disclosure, code evaluation, command execution, network connections, and file reads. The document demonstrates examples of detecting these behaviors in PHP, Perl, Python and other languages. It promotes an open source fuzzing framework called XDiFF that automates extended differential analysis.
Nagios Conference 2012 - Robert Bolton - Custom SNMP OID Creation
Robert Bolton presentation on creating custom SNMP OID's for use with Nagios.
The presentation was given during the Nagios World Conference North America held Sept 25-28th, 2012 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Cyber security is one of the most challenging topics in the current era. Cyber attacks are becoming day by day more sophisticated and difficult to be detected by automated systems. People who understand cyber threats and act to block cyber attacks are defined as cyber analysts. But what do they really do? What difficulties do they meet and what background should they have before starting the "neverending" "cyber security" learning path? Why is not enough an automated system? Marco will talk about real experiences on the cyber analyst field.
IoT security is a nightmare. But what is the real risk?
1) IoT security is a major issue as many devices have poor security and will never receive patches. This leaves them vulnerable to attacks over the internet or through home networks.
2) There are many risks even for devices that are behind routers or firewalls due to issues like UPnP, IPv6, cloud connections, and protocol tunneling that can bypass network protections.
3) Home users should take steps like disconnecting devices when not in use, changing passwords, filtering incoming connections, and monitoring their network to improve their security, but there are no complete solutions given flaws in IoT design and updates.
Hunting for the secrets in a cloud forest
Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not "mistakenly" available to the public?
In my presentation I'm going to present you hackish methods used by cyber criminals to find access keys, credentials and other secrets in the public Internet. How can Shannon Entropy help you to do that? This is a presentation about my tool the DumpsterDiver (https://github.com/securing/DumpsterDiver) and the BucketScanner (https://github.com/securing/BucketScanner).
CONFidence 2018: Hunting for the secrets in a cloud forest (Paweł Rzepa)
Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not "mistakenly" available to the public? In my presentation I'm going to present you hackish methods used by cyber criminals to find access keys, credentials and other secrets in the public Internet. How can Shannon Entropy help you to do that? During the presentation, I'll release my own scanners to search AWS space and in the end I will demonstrate my own tool to analyse big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It's gonna be fun!
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
The document discusses cryptography and security. It argues that most users want cryptography solutions that are simple, easy to use, cross-platform, and avoid common mistakes rather than new algorithms. It promotes the idea of "boring crypto" that just works without needing upgrades. It also discusses different options for implementing cryptography like crypto libraries, systems, and boxed solutions and how to choose the right approach for a given use case.
Similar to Bsides chicago 2013 honeypots (20)
OSINT tools for security auditing [FOSDEM edition]
OSINT tools for security auditing [FOSDEM edition]
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Nagios Conference 2012 - Robert Bolton - Custom SNMP OID Creation
Nagios Conference 2012 - Robert Bolton - Custom SNMP OID Creation
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
CONFidence 2018: Hunting for the secrets in a cloud forest (Paweł Rzepa)
CONFidence 2018: Hunting for the secrets in a cloud forest (Paweł Rzepa)
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Recently uploaded
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
AWS Cloud Cost Optimization Presentation.pptx
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Taking AI to the Next Level in Manufacturing.pdf
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Generating privacy-protected synthetic data using Secludy and Milvus
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Presentation of the OECD Artificial Intelligence Review of Germany
Consult the full report at https://www.oecd.org/digital/oecd-artificial-intelligence-review-of-germany-609808d6-en.htm
Skybuffer SAM4U tool for SAP license adoption
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
A Comprehensive Guide to DeFi Development Services in 2024
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Building Production Ready Search Pipelines with Spark and Milvus
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Recently uploaded (20)
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Bsides chicago 2013 honeypots
- 1. Be vewy, vewy quiet…. let’s watch some hackers..
- 2. Interactive portion intro Whoami What is a Honeypot? Different Honeypots Why Honeypots? Things I discovered Interactive portion end results
- 3. Interactive portion SSID – FBI Mobile IP address – 192.168.2.5 User ID – root The password is….123456
- 5. Geek Antagonist of the shiny things
- 7. A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (May 2003)
- 11. Windows XP SP 0 Windows Vista SP 0 Client Honeypots High Interaction Different Honeypots
- 13. Initial Research
- 14. A word of advice on using an EC2 instance.
- 16. GeoIP location Dionaea - Ireland
- 17. Dionaea stats Started 3/7/2013 Stopped 3/9/2013 Started 3/12/2013 Stopped 3/14/2013
- 18. Dionaea stats • Don’t forget to add your API key from VirusTotal to your config file!! • If you don’t add the API key, then the pretty visualization tool can’t do it’s job and you have to do manually!!!
- 19. 144 109 71 56 17 14 14 9 9 8 Dionaea stats Top 10 IP addresses
- 21. Malware Captures MD5 Virus Total Detection Ratio Common name Source IP Address/WhoIs 78c9042bbcefd65beaa 0d40386da9f89 44 / 46 Microsoft - Worm:Win32/Conficker.C • 209.190.25.37 • XLHost – VPS provider • http://www.xlhost.com/ 7acba0d01e49618e25 744d9a08e6900c 45 / 46 Microsoft - Worm:Win32/Conficker.B 69.28.137.10 LimeLight Networks - a Digital Presence Management company http://www.limelight.com/ 90c081de8a30794339 d96d64b86ae194 42 / 43 Kaspersky - Backdoor.Win32.Rbot.aftu 69.38.10.83 WindStream Communications – Voice and data provider http://NuVox.net bcaef2729405ae54d62 cb5ed097efa12 43 / 44 Kaspersky - Backdoor.Win32.Rbot.bqj 69.9.236.128 Midwest Communications – Comcast/WideOpenWest parallel http://midco.net/
- 22. GeoIP location Dionaea - recent
- 23. Kippo Started 2/27/2013 Stopped 3/1/2013 IP addresses • 14 unique IP addresses • Maximum password attempts – 1342 • Successful logins – 7 • Replay scripts – 1 •Files uploaded - 1
- 24. 1342 1190 454 163 163 156 28 22 16 5 4 1 1 Kippo stats Attacker's IP addresses/connection attempts
- 25. GeoIP location Kippo – recent
- 26. Kippo statsroot bin oracle test nagios martin toor ftpuser user postgres info webmaster apache backup guest r00t public green demo site jeff andy i-heart user0 content 1856 67 17 10 9 6 6 6 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 3 Top 25 User names Times tried
- 27. Kippo stats 27 16 9 9 9 8 7 7 7 7 7 7 7 7 7 7 7 6 6 6 Top 25 Passwords Tries
- 28. Kippo stats Accounts that used 123456 as password User ID Tries root 7 ftpuser 3 oracle 3 andy 2 info 2 jeff 2 site 2 test 2 webmaster 2 areyes 1 brian 1 “7 successful logons? But your chart says 27 used the password of 123456?! WTF?”
- 29. Kippo stats root öÎÄ¥þ.òÄ¿Â¥ root !Q@W#E$ root !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs root !Q@W#E$R root $hack4m3baby#b1gbroth3r$ root !Q@W#E$R% root 654321 root !Q@W#E$R%T root Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD root !Q@W#E$R%T^ root @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!& root !Q@W#E$R%T^Y root diffie-hellman-group-exchange-sha11 root !Q@W#E$R%T^Y& root 123 root !Q@W#E$R%T^Y&U root 1234 root !Q@W#E$R%T^Y&U* root 12345 root !Q@W#E$R%T^Y&U*I root 1234567 root !Q@W#E$R%T^Y&U*I( root 12345678 root !Q@W#E$R%T^Y&U*I(O root 123456789 root !Q@W#E$R%T^Y&U*I(O) root deathfromromaniansecurityteamneversleepba root !Q@W#E$R%T^Y&U*I(O)P root rooooooooooooooooooooooooooooooooot root !Q@W#E$R%T^Y&U*I(O)P_ Interesting passwords
- 30. Kippo stats File downloaded psyBNC 2.3.2 ------------ This program is useful for people who cannot be on irc all the time. Its used to keep a connection to irc and your irc client connected, or also allows to act as a normal bouncer by disconnecting from the irc server when the client disconnects.
- 31. HoneyD
- 32. How you can your netbook useful and fun again!
- 35. Honeydrive
- 36. Keith Dixon @Tazdrumm3r #misec – Tazdrumm3r tazdrummer@gmail.com http://tazdrumm3r.wordpress.com
Editor's Notes
- RECALCULATE!! Somehow my Excel sorting and calculating may be off a bit.