Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease

•

2 likes•1,167 views

This document discusses analyzing Visual Basic 6 programs. It begins by providing background on VB6 and transitions to discussing challenges with classical analysis approaches. It then outlines approaches for dynamic analysis using instrumentation of the VB6 virtual machine to monitor execution and APIs called. This includes patching jump tables and implementing custom instruction handlers. The goal is to generate tailored reporting and analyze obfuscation techniques in VB6 programs.

Technology

Your
Researchers
Today
Jurriaan Bremer
Cuckoo Sandbox, Freelancer
Marion Marschalek
Cyphort Inc.

Visual Basic 6.0
Microsoft, 1998
Object-based / event-driven
Rapid Application Development
Replaced by VB .NET in 2002
End of support in 2008

2000: Pikachu Worm
• pikachupokemon.exe – „Pikachu is your friend!“
• Modifies AUTOEXEC.BAT
to remove C:WINDOWS and
C:WINDOBadWSsystem32
• Bad coding...

2005: Kelvir Worm
• Spreads through MSN Messenger by
„lol! see it! u'll like it” message
• Message points to omg.pif on
home.earthlink.net
• Spreads further & downloads
and executes other malware

2009: Changeup Worm
• Polymorphic
• Spreads through removable media and shared
folders by 'LNK/PIF' Files
Automatic File Execution
Vulnerability
• Downloads other malware

VB6 101
1991: Visual Basic born
1998: Visual Basic 5.0/6.0 p-code and native code
2002: VB.NET and MSIL byte code

P-Code
Translation
P-code mnemonics
interpreted
by msvbvm60.dll
handler13:
ExitProcHresult
...
handler14:
ExitProc
...
handler15:
ExitProcI2
...
... FC C8 13 76 ...

Instruction Handler
pushes integer onto the stack

Classical
Analysis
Approaches
DONT WORK.

Existing VB Stuff
•VB Decompiler
•Tequila Debugger
•IDA Scripts
•Peter Ferrie, Masaki Suenaga

Most Advanced
Sophisticated Private
Cloud-based Big Data
Intelligence Cyber
Solution! (tm)

MASPCbBDICS
FAIL COMPILATION
Everything that didnt work...

Most Advanced Sophisticated Private
Cloud-based Big Data Intelligence
Cyber Solution
See which instructions are executed.
Monitor interesting events as they happen.
Inspect referenced strings, memory, and x86 code.

VB6 Instrumentation
Patch the 6 jumptables!
Generic
Instrument everything
Capture everything
Create Statistics
Specific
Implementing specific
instruction handlers
“OpenFile” - filename

Patching A Function Handler
Patch original address with our custom assembly stub
1. Store current register / stack state
2. Call custom instruction handler
3. Pass registers as parameters
4. Do STUFF
5. Restore original state
Jump to original
function handler.
Life goes on.

Tailored Reporting For VB6
Custom printf()
• BSTR unicode string with its size prepended
• VARIANT generic wrapper around int, str, etc.
Custom hexdump() to aid debugging

Slightly modified
Cuckoo Sandbox
Execute the sample
with our custom DLL
Cuckoofy
It

VB6 ANALYSIS
Obfuscation and garbage
Anti-X features
Three ways to call
external functions
The Somewhat Peculiar
Results aka. Disease

Import Address Table (IAT)
Only legitimate VB6 VM methods
Dynamically Resolved Functions
VB6 feature: DllFunctionCall
Runtime decryption of API names
WesumeThread,
ZwWriteQirtualMemory,
TetExitCodeThread
Execute native x86

x86 to call
CreateThread()
other x86 code in
a new thread

The Yet To Be
Identified
Infamous Anti-Cuckoo
Feature (c)

Thank You!
Project @ https://github.com/jbremer/vb6tracer

It's a 'brave new world' or 'hell has frozen over' (depending on your point-of-view). Microsoft is the top contributor on GitHub, they have opened-sourced their entire .NET platform and gone cross-platform! In this talk we will look at what the new 'Open-Source' Microsoft actually looks like, what they've done, how they're doing it and what it all means. From new features to compiler design meetings, from TechEmpower benchmarks to increased community contributions, we will examine it all!

Containers what are they, and why are they important v2.1

Derrick Wippler

Struggling to understand all the hype around Docker? Don't understand the difference between a VM and a container? Why are immutable operating systems cool? Why is everyone going crazy over Kubernetes/Swarm/Apache Mesos? This talk will attempt to inform by pulling back the curtain on the container hype. We will dissect what a container is, why clustering containers and orchestration matters, immutable operating systems and finally where this is all going and how it will effect your future interaction with the cloud.

Git MoneyTim N

Introduction to Docker

Emil Stenqvist

Telehack: May the Command Line Live Forever

Gregory Hanis

Want to play a game? I bet I can root more boxes than you and stop you from gaining control. Telehack is a simulation of a stylized arpanet/usenet, circa 1985-1990. It is a full multi-user simulation, including 25,000 hosts and BBS’s the early net, thousands of files from the era, a collection of adventure and IF games, a working BASIC interpreter with a library of programs to run, simulated historical users, and more.

Aide 2014 - Fundamentals of Linux Privilege Escalationnullthreat

Device inspection to remote root

Tim N

One might find it ironic that some of the world's fastest supercomputers -- vast clusters capable of trillions of floating point operations per second -- can take upwards of a half an hour to reboot in between jobs. While we often talk about the density advantages of containers, it's the opposite approach that we use in the High Performance Computing world! Here, we use exactly 1 system container per node, giving it unlimited access to all of the host's CPU, Memory, Disk, IO, and Network. And yet we can still leverage the management characteristics of containers -- security, snapshots, live migration, and instant deployment to recycle each node in between jobs. In this talk, we'll examine a reference architecture and some best practices around containers in HPC environments.

BSides Algiers - Metasploit framework - Oussama ElhamerShellmates

Metasploit for Web Workshop

Dennis Maldonado

20160929 android taipei Sonatype nexus on amazon ec2

TSE-JU LIN(Louis)

So Easy, A Ten Year Old Can Do It by Zeph Gardler

Docker, Inc.

Docker focuses on simplicity. In this session we will here how, Zeph, a 10 year old boy went from asking his dad a simple question, to deploying Docker containers to help search for a cancer cure and to build worlds. We’ll hear how the simplicity of Docker inspired him to learn more, and now as an 11 year old, he has moved on to programming his own containerized applications to process vital data streams from public APIs.

The internet of $h1t

Amit Serper

I was asked to talk in front of Computer science students at the Bar-Ilan university about "what happens" when you don't care about writing "secured" or "safe" code. A perfect example for that, in my opinion, was the world of embedded computing AKA the IoT. I talked about the history of consumer embedded devices and showed a live demo of an 0day I found in one of the most popular routers in the country.

Enemy at the gates: vulnerability research in embedded appliances

Chris Hernandez

Exploiting Llinux EnvironmentEnrico Scapin

EMBA Firmware analysis - TROOPERS22

MichaelM85042

IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area the used operating systems are summarized with the term firmware. The devices by themself, so called embedded devices, are essential in the private, as well as in the industrial environment and in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection. With EMBA you always know which public exploits are available for the target firmware. Beside the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is an open-source firmware scanner, created by penetration testers for penetration testers. Project page: https://github.com/e-m-b-a/emba Conference page: https://troopers.de/troopers22/agenda/tr22-1042-emba-open-source-firmware-security-testing/

Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12

Puppet

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

Hackito Ergo Sum

Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed. Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER! https://www.hackitoergosum.org

IDA Vulnerabilities and Bug Bounty　 by Masaaki Chida

CODE BLUE

IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them. http://codeblue.jp/en-speaker.html#MasaakiChida

Larson Macaulay apt_malware_past_present_future_out_of_band_techniques

Scott K. Larson

Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg

Sam Bowne

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

MichaelM85042

Penetration testing of current embedded devices is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify, optimize and automate the complex task of firmware security analysis. Project page: https://github.com/e-m-b-a/emba Conference page: https://forum.defcon.org/node/242109

Project Basecamp: News From Camp 4

Digital Bond

What's hot

ifwt remote (sydney ruxmon edition)

Practically DROWNing

My virtual firewall

Kali net hunter

Kwort Linux 4.3 the new stable version is released

Linux Training Chennai

Find the Hacker

Sysdig

Streamlining HPC Workloads with Containers

Dustin Kirkland

BSides Algiers - Metasploit framework - Oussama ElhamerShellmates

Metasploit for Web Workshop

Dennis Maldonado

20160929 android taipei Sonatype nexus on amazon ec2

TSE-JU LIN(Louis)

So Easy, A Ten Year Old Can Do It by Zeph Gardler

Docker, Inc.

The internet of $h1t

Amit Serper

Enemy at the gates: vulnerability research in embedded appliances

Chris Hernandez

Exploiting Llinux EnvironmentEnrico Scapin

What's hot (14)

ifwt remote (sydney ruxmon edition)

Practically DROWNing

My virtual firewall

Kali net hunter

Kwort Linux 4.3 the new stable version is released

Find the Hacker

Streamlining HPC Workloads with Containers

BSides Algiers - Metasploit framework - Oussama Elhamer

Metasploit for Web Workshop

20160929 android taipei Sonatype nexus on amazon ec2

So Easy, A Ten Year Old Can Do It by Zeph Gardler

The internet of $h1t

Enemy at the gates: vulnerability research in embedded appliances

Exploiting Llinux Environment

Similar to Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease

EMBA Firmware analysis - TROOPERS22

MichaelM85042

Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12

Puppet

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

Hackito Ergo Sum

IDA Vulnerabilities and Bug Bounty　 by Masaaki Chida

CODE BLUE

Larson Macaulay apt_malware_past_present_future_out_of_band_techniques

Scott K. Larson

Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg

Sam Bowne

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

MichaelM85042

Project Basecamp: News From Camp 4

Digital Bond

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...

Alexandre Moneger

This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing. Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached. The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.

DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...

Felipe Prado

PHP Backends for Real-Time User Interaction using Apache Storm.

DECK36

Engaging users in real-time is the topic of our times. Whether it’s a game, a shop, or a content-network, the aim remains the same: providing a personalized experience. In this workshop we will look under the hood of Apache Storm and lay a firm foundation on how to use it with PHP. By that, you can leverage your existing codebase and PHP expertise for an entirely new world: real-time analytics and business logic working on message streams. During the course of the workshop, we will introduce Apache Storm and take a look at all of its components. We will then skyrocket the applicability of Storm by showing you how to implement their components with PHP. All exercises will be conducted using an example project, the infamous and most exhilarating lolcat kitten game ever conceived: Plan 9 From Outer Kitten. In order to follow the hands-on excercises, you will need a development VM prepared by us with all relevant system components and our project repositories. To make the workshop experience as smooth as possible for all participants, please bring a prepared computer to the workshop, as there will be no time to deal with installation and setup issues. Please download all prerequisites and install them as described: VM, Plan 9 webapp, Plan 9 storm backend, (Tutorial: https://github.com/DECK36/plan9_workshop_tutorial ).

Reverse Engineering the TomTom Runner pt. 1

Luis Grangeia

A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device. This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried. Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon

Iot Bootcamp - abridged - part 1

Marcus Tarquinio

DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...

Felipe Prado

Project Malware AnalysisCS 6262 Project 3Agenda.docx

briancrawford30935

Project: Malware Analysis CS 6262 Project 3 Agenda • Part 1: Analyzing Windows Malware • Part 2: Analyzing Android Malware Scenario • Analyzing Windows Malware • You got a malware sample from the wild. Your task is to discover what malware does by analyzing it • How do you discover the malware’s behaviors? • Static Analysis • Manual Reverse Engineering • Programming binary analysis • Dynamic Analysis • Network behavioral tracing • Run-time system behavioral tracing(File/Process/Thread/Registry) • Symbolic Execution • Fuzzing Scenario • In our scenario, you are going to analyze the given malware with tools that we provide. • The tools help you to analyze the malware with static and dynamic analysis. • Objective 1. Find which server controls the malware (the command and control (C2) server) 2. Discover how the malware communicates with the command and control (C2) server • URL and Payload 3. Discover what activities are done by the malware payload • Attack Activities Scenario • Requirement • Make sure that no malware traffic goes out from the virtual machine • But, updating of malware (stage 2), and downloading payload (stage 3) are required to be allowed (set as default option) • The command and control server is dead. You need to reconstruct it • Use tools to reconstruct the server, then reveal hidden behaviors of the malware • Analyze network traffic on the host, and figure out the list of available commands for the malware • Analyze network traffic trace of the host, and figure out what malware does • Write down your answer into assignment-questionnaire.txt Project Structure • A Virtual Machine for Malware analysis • Please download and install the latest version or update your virtual box. • https://www.virtualbox.org/wiki/Downloads • Download the VM • Download links • http://ironhide.gtisc.gatech.edu/vm_2018.7z • http://bombshell.gtisc.gatech.edu/vm_2018.7z • Verify the md5 hash of the 7z file: 537e70c4cb4662d3e3b46af5d8223fd • Please install 7zip or p7zip • Windows, Linux and MacOs: http://www.7-zip.org/download.html • Unarchive the 7z file • Password: GTVM! https://www.virtualbox.org/wiki/Downloads http://ironhide.gtisc.gatech.edu/vm_2018.7z http://bombshell.gtisc.gatech.edu/vm_2018.7z http://www.7-zip.org/download.html Project Structure • Open VirtualBox • Go to File->Import Appliance. • Select the ova file and import it. • For detailed information on how to import the VM, see: • https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html • VM user credentials • Username: analysis • Password: analysis https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html Project Structure • In the Virtual Machine (VM) • Files • init.py • This initializes the project environment • Type your Georgia Tech username (same login name as Canvas) after running this • update.sh • This script updates the VM if any further update has been made by TA • DO NOT execute the scri.

Beefing Up AIR - FITC AMS 2012

Wouter Verweirder

IzPack - PoitouJUG

julien.ponge

Automating Security Response with Serverless

Michael Ducy

Serverless (or Functions as a Service) tends to get thrown in the "paradigms nice for developers" bucket, but Serverless can provide meaningful benefits to Operations, DevOps, and SRE teams. In a world where everything is presented or controlled via an API, Serverless' event driven, api first philosophy can help these teams create new levels of automation that were typically the realm of runbook tooling. In this talk we'll cover the various open source Serverless frameworks and platforms available. We'll show how to automate basic day to day operational task with Serverless functions. Finally, we will show how to build an open source, automated, Serverless based, event driven pipeline to automatically secure and protect a Kubernetes cluster.

Breaking Smart Speakers: We are Listening to You.

Priyanka Aash

"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary. In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."

Unikernels: Rise of the Library Hypervisor

Anil Madhavapeddy

Similar to Juriaan Bremer und Marion Marschalek: Curing A 15 Year Old Disease (20)

EMBA Firmware analysis - TROOPERS22

Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

IDA Vulnerabilities and Bug Bounty　 by Masaaki Chida

Larson Macaulay apt_malware_past_present_future_out_of_band_techniques

Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

Project Basecamp: News From Camp 4

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...

DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...

PHP Backends for Real-Time User Interaction using Apache Storm.

Reverse Engineering the TomTom Runner pt. 1

Iot Bootcamp - abridged - part 1

DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...

Project Malware AnalysisCS 6262 Project 3Agenda.docx

Beefing Up AIR - FITC AMS 2012

IzPack - PoitouJUG

Automating Security Response with Serverless

Breaking Smart Speakers: We are Listening to You.

Unikernels: Rise of the Library Hypervisor

More from Area41

Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...

Area41

As file format specs leave room for interpretation and sometimes are misunderstood or ignored by the programmers, some well-formed files may be interpreted inconsistently by different tools and libraries. As a result, this can be (ab)used for simple jokes, anti-forensics or to bypass sanitizers which might lead to data exfiltration. Ange Albertini: Reverse Engineer, author of Corkami Gynvael Coldwind: His main areas of interest are low-level security (kernel, OS, client), web security and reverse-engineering. Captain of Dragon Sector CTF team :) Currently working as an Information Security Engineer at Google.

Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...

Area41

The talk discusses the approach, possibilities and difficulties that a vulnerability database maintainer is handling. It will offer real-world insight into almost 15 years of vulnerability database management and a database that covers more than 12.000 entries today. The task didn't get any easier as more and more vulnerabilities get published with increasing complexity but much less information is provided in most original advisories. Correlating this data and compiling the best for the users is a complex task that requires a solid processing and a deep understanding of the technical background. Marc Ruef is co-founder and member of the board at scip AG in Zürich (http://www.scip.ch). The Swiss company provides consulting services covering security testing and forensic analysis, primarily in the financial sphere. He has written several books, whereas "Die Kunst des Penetration Testing" (The Art of Penetration Testing) is the most well-known (http://www.computec.ch/mruef/?s=dkdpt). He launched and joined several projects, discussing and improving the broad field of information technology. One of these projects is scip VulDB, a free vulnerability database which is covering more than 12.000 entries since 2003.

Rob "Mubix" Fuller: Attacker Ghost Stories

Area41

This talk was originally titled “I'm tired of defenders crying”, but thought better of it. This talk is about the tidbits that I've seen piecemeal across the multitude of businesses big and small that were innovated and highly effective, yet free, or mostly free and stopped me dead in my tracks. Going over a number of free, or nearly free methods, tactics, and software setups that will cut down intrusions significantly that you can deploy or start deployment of the hour after the talk is done. Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as United States Marine. He has worked with devices and software that run gambit in the security realm. He has a few certifications, but the titles that he holds above the rest is FATHER, HUSBAND and United States Marine.

Halvar Flake: Why Johnny can’t tell if he is compromised

Area41

hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...

Area41

This talk shows the possibilities of reversing Android applications. After an introduction about Android issues in the past, Tobias Ospelt explains how he managed to download several thousand Android applications from the Google Market, and which security issues are present in various apps. Apps can be decompiled, altered and recompiled, which means that for most apps it is very easy to steal code or to include malware. Some of the apps use obfuscation to disguise the code, but for example encryption keys can easily be extracted. Small game developers, as well as big companies are not aware of the risk that their code can be decompiled to java and disassembled to smali code. This is how a lot of protection mechanisms can be circumvented, such as licensing (cracking a Game) or corporate solutions (enforcing policies on the mobile). The talk shows how easy everybody can reverse android apps and how encryption keys can be extracted, even when the code is obfuscated. The material is a nice follow-up to the Android talk of Jesse Burns from last year at #days, although this talk is more focused on the apps and shows some more hacks/code/encryption/obfuscation/reversing. Bio: Tobias Ospelt is working as a security expert and tester for Dreamlab Technologies AG in Bern. He is mainly involved in web application and mobile security penetration tests. Tobias Ospelt joined Dreamlab after having achieved his Master Degree focusing IT-Security, and after having worked as a Research Assistant at the Zurich University of Applied Sciences.

hashdays 2011: Mikko Hypponen - KeynoteArea41

hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...

Area41

The talk will show you the techical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitor's production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed. Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.

hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...

Area41

Request delaying attacks like slowloris or RUDY made it clear that killing a webserver via HTTP is trivial. No, it is not trivial. It's even easier than that. One netbook, probably a smartphone, is enough to consume all the threads a big iron server has to offer. In this age of super-smart AJAX services with fat backend application servers exposed on the internet, this is bad news. When the anonymous network attacked, VISA, Mastercard and Swiss Post got a bloody nose out of it. This talk will teach you some basics and then fairly advanced defense methods. This is a hands on guide on configuring the standard defense techniques on Apache including ModSecurity recipes. Furthermore, a custom script will be presented that helps you monitor your server's incoming connection and throw out the attackers. Some of the infos are useful for other server types as well. Along the line you will also pick up useful information on the defense of medieval castles, but that is not the main focus of the talk. Really. Bio: Christian Folini studied History and Computer science at the Universities of Fribourg, Switzerland and Bern. His postgraduate studies took him to Bielefeld and Berlin. Christian Folini holds a PhD in Medieval History and has ten years of experience with Unix and Webservers in particular. Christian Folini works as a security consultant and webserver engineer for netnea.com, a contracting Company based in Berne, Switzerland. His customers include Swiss Post, Federal Office of Information Technology (BIT), IBM, Novartis, Cornerbank and Swiss TV. He has several years of experience with ModSecurity installations and developed REMO, a graphical rule editor for ModSecurity. He gave ModSecurity classes at OWASP conferences and contributed to the latest editions of the Center for Internet Security (CIS) Apache Benchmark. Recently, he started to write a series of tutorials on secure enterprise-level Apache deployments with a purely Open Source approach. These tutorials are all in German. See http://www.netnea.com. Christian Folini started to do research on request delaying or slowloris-type DoS/DDoS in 2006, but never published his findings beyond the Apache/ModSecurity mailinglists until Slowloris was released by RSnake in June 2009. Christian Folini's analysis of Slowloris appeared in Linux Weekly News the day his first son was born (and I tell you, finishing the article in time was a tough race). http://lwn.net/Articles/338407/

hashdays 2011: Christian Bockermann - Protecting Databases with Trees

Area41

Though publicly known for a long time, SQL injection attacks do not yet seem to have reached their peak – the LulzSec activities in mid 2011 showed the overall presence of applications vulnerable to SQL attacks. Organizations like OWASP and Mitre rank SQL injections as the most dangerous threats to our (web) infrastructures and even SQL injections in SMS text messages have been reported. Vendors of Web Application Firewalls spend enormous e?orts to create patterns to detect SQL injections at the application protocol layer, but attackers spend even more e?orts ?nding evasions of these patterns using various encodings or polymorphic substitutions within SQL. In this talk we will have a look at SQL injections from the syntax level perspective of the SQL language. We exploit the parser component of the database system to produce a syntax tree of the command that has been passed to the database by the web frontend. The resulting tree provides a representation of the command that can be compared to a set of known commands expected to be used by the deployed web application. Bio: Starting with Linux/network security in 1996, Christian Bockermann has been working in computer security for over 10 years. While working as a Java web-application developer for several years he started concentrating on web-security as primary subject. Since he graduated with a MSc in computer science with an emphasis on Anomaly Detection in Web-Applications, he is currently working on his Ph.D. combining methods of machine learning and artificial intelligence in web-application firewalls and system monitoring. A proposal of his intelligent web-application firewall project has been elected among the top-10 projects of the 2nd GermanIT-Security Award. Alongside to this Ph.D. research, Christian is working as a freelancer in web-security consulting, mostly focused on Apache and ModSecurity. He is also author of several Java tools supplementary to ModSecurity, most prominent being the AuditConsole log-management server for ModSecurity.

hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...

Area41

Whether it's for malware analysis, vulnerability research or emulation, having a correct disassembly of a binary is the essential thing you need when you analyze code. Unfortunately, many people are not aware that there are a lot of opcodes that are rarely used in normal files, but valid for execution, but also several common opcodes have rarely seen behaviours, which could lead to wrong conclusions after an improper analysis. For this research, I decided to go back to the basics and study assembly from scratch, covering all opcodes, whether they're obsolete or brand new, common or undocumented. This helped me to find bugs in all the disassemblers I tried, including the most famous ones. This presentation introduces the funniest aspects of the x86 CPUs, that I discovered in the process, including unexpected or rarely known opcodes and undocumented behavior of common opcodes. The talk will also cover opcodes that are used in armored code (malware/commercial protectors) that are likely to break tools (disassemblers, analyzers, emulators, tracers,...), and introduce some useful tools and documents that were created in the process of the research. Bio: Ange Albertini is a reverse-engineering and assembly language enthusiast for around 20 years, and malware analyst for 6 years. He has a technical blog, where he shares experimental sources files, and some infographics that are useful in his daily work.

hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality

Area41

Cryptanalysts publish a tremendous number of research articles presenting attacks on ciphers, hash functions, or authentication protocols. However, not all academic attacks pose a threat to the real-world applications where the attacked crypto is deployed. In this talk, we’ll explain why attacks are not always attacks by going through technical subtleties of state-of-the-art cryptanalysis research, which we’ll illustrate with concrete ?eld examples. The topics discussed include related-key attacks, the real security of AES, as well as the role of the human factor. Bio: Jean-Philippe Aumasson is a cryptographer at Nagravision SA, a world leader in digital security and conditional access systems. He received a PhD from EPFL in 2009 and authored more than 20 research papers in the ?eld of cryptanalysis. He was co-awarded prizes for his cryptanalysis results, and is the co-inventor of new attacks such as cube testers, zero-sum attacks, tuple attacks, and banana attacks. He is the principal designer of the hash function BLAKE, one of the 5 finalists in NIST’s SHA-3 competition.

More from Area41 (11)

Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...

Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...

Rob "Mubix" Fuller: Attacker Ghost Stories

Halvar Flake: Why Johnny can’t tell if he is compromised

hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...

hashdays 2011: Mikko Hypponen - Keynote

hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...

hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal har...

hashdays 2011: Christian Bockermann - Protecting Databases with Trees

hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...

hashdays 2011: Jean-Philippe Aumasson - Cryptanalysis vs. Reality

Recently uploaded

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Assure Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

Free Complete Python - A step towards Data Science

RinaMondal9

The Future of Platform Engineering

Jemma Hussein Allen

Welocme to ViralQR, your best QR code generator.

ViralQR

Welcome to ViralQR, your best QR code generator available on the market! At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies. Our Vision We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide. Our Achievements Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes. Our Services At ViralQR, here is a comprehensive suite of services that caters to your very needs: Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses. Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding. Pricing and Packages Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service. Why choose us? ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations. Comprehensive Analytics Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country. So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

Recently uploaded (20)