This document discusses how files can contain data in multiple formats by piggybacking one file type into another. It provides examples of how files like JPEGs, PDFs, and GIFs can sometimes contain additional hidden data like archives, scripts, or documents. This technique could allow for covert channels, bypass of security tools like antivirus, and denial of service attacks if file size limits are not properly enforced. The document recommends defenses like validating the full file contents and allowed extensions for file uploads to prevent abuse of this flexibility in file formats.
In this presentation, I discuss four different approaches to merging multiple files of different formats into one, such that it can be read as each type. I then discuss the security implications of this property inherent in many file formats, theorize about attacks which can be launched when developers assume that files can only be one format.
A presentation on using alternate ways to reference file names and paths in Windows systems to bypass security measures.
There's a relevant haiku on every slide, so if you get bored, you can always read the haiku.
Digging into File Formats: Poking around at data using file, DROID, JHOVE, an...stepheneisenhauer
An informal introduction to file format identification using tools like "file" and DROID, originally presented internally as a workshop at UNT Libraries.
In this presentation, I discuss four different approaches to merging multiple files of different formats into one, such that it can be read as each type. I then discuss the security implications of this property inherent in many file formats, theorize about attacks which can be launched when developers assume that files can only be one format.
A presentation on using alternate ways to reference file names and paths in Windows systems to bypass security measures.
There's a relevant haiku on every slide, so if you get bored, you can always read the haiku.
Digging into File Formats: Poking around at data using file, DROID, JHOVE, an...stepheneisenhauer
An informal introduction to file format identification using tools like "file" and DROID, originally presented internally as a workshop at UNT Libraries.
Introduction: File extensions play a crucial role in identifying and categorizing different types of files on your computer. Understanding file extensions can help you navigate and work with various file formats more effectively.
841- Advanced Computer Forensics
Unix Forensics Lab
Due Date: Please submit your answers to the Linux Lab dropbox by midnight of July 2nd 2013.
******************************************************************************
To challenge yourself, you may work on the advanced Unix forensics lab analyzing the Lewis USB image and writing a report about this case. See the file UNIXForensicslab-usb for details.
******************************************************************************
Objective
This lab will use Autopsy, PTK, Sleuthkit and foremost to analyze a given image. Read the entire document before starting to be sure you have all the necessary tools and files required to complete the lab. You should further explore the tools used in this lab to ensure your familiarity with alternative investigation options.
Deliverable
Answer all the exercise questions and include screenshots as supporting data if necessary.
OPTIONS:
You can work on this lab by
1. using a bootable live CD, for example, backtrack 5
2. using the RLES vCloud.
3. using SANS Investigate Forensic Toolkit (SIFT) Workstation, http://computer-forensics.sans.org/community/downloads.
4. installing the software on your own system (check the appendix for more installation details).
If you choose to use the RLES vCloud, please continue.
Lab Setup for using RLES vCloud
This lab is designed to function on the RLES vCloud via https://rlesvcloud.rit.edu/cloud/org/NAT. Please FIRST read the RLES VCLOUD user guide in myCourses > Content > Hands-on Labs.
Special Browser Setting Requirement (See RLES VCLOUD user guide)
In order to view the console of virtual machines, the VMRC plugin must be installed within the browser. The first time the console is accessed, the plugin can be downloaded. In Internet Explorer, https://rlesvlcoud.rit.edu must be added to the Local intranet zone.
(Go to Tools -> Internet Options -> Security tab -> Local intranet, click the Sites button, click Advanced and add the URL.)
The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. (Yes, we know the certificate wasn’t issued by a commonly trusted certificate authority. Also check the user guide for your browser compatibility).
Use your RIT Computer Account credentials to gain access to the rlesvcloud interface.
To start, you will first create your vApp by following the instructions of Add a vApp Template to My Cloud in the RLES VCLOUND user guide. Make sure to follow the vApp name convention defined in the RLES VCLOUND user guide and select the vApp template, 841_Linux_Forensics, from the Public Catalogs. No network/IP address is needed for this lab.
Double click on the virtual machine to power it on, now you should have a Linux forensics machine with all the forensics’ tools to provide you with a highly interesting experience in forensics investigation. Login to the virtual machine with
Username: root
Password: netsys
Exercise 1:Using Autopsy and Sleuthkit
Require.
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!
This topic is about Files .I am explain about different type of file extensions in this presentation . In our computer or laptop ,we have these type of files in our system .
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - it's capabilities and the reasons for targeting mobile devices.
Introduction: File extensions play a crucial role in identifying and categorizing different types of files on your computer. Understanding file extensions can help you navigate and work with various file formats more effectively.
841- Advanced Computer Forensics
Unix Forensics Lab
Due Date: Please submit your answers to the Linux Lab dropbox by midnight of July 2nd 2013.
******************************************************************************
To challenge yourself, you may work on the advanced Unix forensics lab analyzing the Lewis USB image and writing a report about this case. See the file UNIXForensicslab-usb for details.
******************************************************************************
Objective
This lab will use Autopsy, PTK, Sleuthkit and foremost to analyze a given image. Read the entire document before starting to be sure you have all the necessary tools and files required to complete the lab. You should further explore the tools used in this lab to ensure your familiarity with alternative investigation options.
Deliverable
Answer all the exercise questions and include screenshots as supporting data if necessary.
OPTIONS:
You can work on this lab by
1. using a bootable live CD, for example, backtrack 5
2. using the RLES vCloud.
3. using SANS Investigate Forensic Toolkit (SIFT) Workstation, http://computer-forensics.sans.org/community/downloads.
4. installing the software on your own system (check the appendix for more installation details).
If you choose to use the RLES vCloud, please continue.
Lab Setup for using RLES vCloud
This lab is designed to function on the RLES vCloud via https://rlesvcloud.rit.edu/cloud/org/NAT. Please FIRST read the RLES VCLOUD user guide in myCourses > Content > Hands-on Labs.
Special Browser Setting Requirement (See RLES VCLOUD user guide)
In order to view the console of virtual machines, the VMRC plugin must be installed within the browser. The first time the console is accessed, the plugin can be downloaded. In Internet Explorer, https://rlesvlcoud.rit.edu must be added to the Local intranet zone.
(Go to Tools -> Internet Options -> Security tab -> Local intranet, click the Sites button, click Advanced and add the URL.)
The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. (Yes, we know the certificate wasn’t issued by a commonly trusted certificate authority. Also check the user guide for your browser compatibility).
Use your RIT Computer Account credentials to gain access to the rlesvcloud interface.
To start, you will first create your vApp by following the instructions of Add a vApp Template to My Cloud in the RLES VCLOUND user guide. Make sure to follow the vApp name convention defined in the RLES VCLOUND user guide and select the vApp template, 841_Linux_Forensics, from the Public Catalogs. No network/IP address is needed for this lab.
Double click on the virtual machine to power it on, now you should have a Linux forensics machine with all the forensics’ tools to provide you with a highly interesting experience in forensics investigation. Login to the virtual machine with
Username: root
Password: netsys
Exercise 1:Using Autopsy and Sleuthkit
Require.
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!
This topic is about Files .I am explain about different type of file extensions in this presentation . In our computer or laptop ,we have these type of files in our system .
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - it's capabilities and the reasons for targeting mobile devices.
Matt Summers, NCC Group - Web technology has changed a lot in the last 25 years but the underlying transport mechanism has stayed the same. The web we have today was not designed for the plethora of new device types and communication methods but things are changing and you probably don’t even know it. You probably don’t even notice the problem because it is so ingrained. In this presentation we are going to delve into the problems with the web and how we use it today. We will also take an in depth look at the proposed solutions for the next generation web and the implications that come with it.
Mathieu Letourneau, Andrei Saygo, Eoin Ward, Microsoft
This talk will present our research project on .Net file clustering based on their respective basic blocks and the parallel that can be made with DNA sequence variation analysis. We implemented a system that extracts the basic blocks on each file and creates clusters based on them. We also developed an IDA plugin to make use of that data and speed up our analysis of .Net files.
Andrei Saygo, Eoin Ward and Mathieu Letourneau all work as Anti-Malware Security Engineers in the AM Scan team of Microsoft’s Product Release & Security Services group in Dublin, Ireland.
Brian Honan, IRISSCERT
Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage, reputational damage, to social engineering profiling, and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news which in the event of an information security breach could either save or destroy an organisations reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3), an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The Cloud Security Rules", and regularly speaks at major industry conferences. In 2013 Brian was awarded SC Magazine's Information Security Person of the year for his contribution to the computer security industry.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Securing your Kubernetes cluster_ a step-by-step guide to success !
Dan Crowley - Jack Of All Formats
1. Jack of all Formats Daniel “unicornFurnace” Crowley Penetration Tester, Trustwave - SpiderLabs
2. Introductions How can files be multiple formats? Why is this interesting from a security perspective? What can we do about it? (yodawg we heard you like files so we put files in your files)
3. Terms File piggybacking Placing one file into another File consumption Parsing a file and interpreting its contents
4. Scope of this talk Files which can be interpreted as multiple formats …with at most a change of file extension Covert channels Through use of piggybacking Examples are mostly Web-centric Only because it’s my specialty This concept applies to more than Web applications Srsly this applies to more than Web applications GUYS IT’S NOT JUST WEB APPS
6. File format flexibility Not always rigidly defined From the PDF specification:“This standard does not specify the following:……methods for validating the conformance of PDF files or readers…” Thank you Julia Wolf for “OMG WTF PDF” CSV comments exist but are not part of the standard Not all data in a file is parsed Metadata Unreferenced blocks of data Data outside start/end markers Reserved, unused fields
7. File format flexibility Some data can be interpreted multiple ways Method of file consumption often determined by: File extension Multiple file extensions may result in multiple parses Bytes at beginning of file First identified file header
10. Multiple file extensions Apache has: Languages Handlers MIME types File.en.php.png Basename– largely ignored File.en.php.png Language – US English File.en.php.png Triggers PHP handler File.en.php.png Triggers image/png MIME type
11. Metadata Information about the file itself Not always parsed by the file consumer “Comment”fields, few restrictions on data Files can be inserted into comment fields for one format ID3 tags for mp3 files will be shown in players But not usually interpreted
14. Unreferenced blocks of data Certain formats define resources with offsets and sizes Unmentioned parts of the file are ignored Other files can occupy unmentioned space Other formats indicate a total size of data to be parsed Any additional data is ignored Other files can simply be appended
15. Unreferenced PDF object PDF xref table, lists object offsets in the file We first remove one reference Next, we replace part of that object’s content…
19. Start/End markers Many formats use a magic byte sequence to denote the beginning of data Similarly, many have one to denote the end of data Data outside start/end markers is ignored Files can be placed before or after such markers Files must not contain conflicting markers
20. Start/End markers JPEG Start marker: 0xFFD8 End marker: 0xFFD9 RAR Start marker: 0x526172211A0700 PDF Start marker: %PDF End marker: %%EOF ( and can replace ) PHP Start marker: <?php End marker: ?>
23. Limitations Some formats use absolute offsets They must be placed at start of file or offsets must be adjusted Examples: JPEG, BMP, PDF Some have headers which indicate the size of each resource to follow Such files are usually easy to work with Other files can be appended without breaking things Examples: RAR
24. Limitations Some files are simply parsed from start to end Such files require some metadata, unreferenced space, or data which can be manipulated to have multiple meanings Different parsers for the same format operate differently Might implement different non-standard features May interpret format of files in different ways
25. TrueCrypt volumes No start/end markers No publicly known signature Parsed from start of file to end of file No metadata fields No unused space Data is difficult to manipulate
28. Security Implications File upload pwnage Checking for well-formed images doesn’t prevent backdoor upload Anti-Virus evasion Some AV detect file format being scanned then apply format specific rules If file is multiple formats the wrong rules might be applied Data infiltration/exfiltration Do you care what .mp3 files pass in and out of your network? How about .exe and .doc files?
29. Security Implications Multiple file consumers Different programs may interpret the file in different ways GIFAR issue Parasitic storage How many file uploads allow only valid images? Disk space exhaustion DoS Some image uploads limit uploads by picture dimensions Size of the file may not actually be checked
30. File upload pwnage Imagine a Web-based image upload utility It confirms that the uploaded file is a valid JPEG It doesn’t check the file extension It uploads the file into the Web root It doesn’t set the permissions to disallow execution Code upload is possible if the file is also a valid JPEG This isn’t hard…
31. Anti-Virus evasion exercise Check detection rates on Win32 netcat Place it in an archive and check Put junk data at the beginning of the file and check Piggyback the archive onto the end of a JPEG and check Change the file extension to .JPG and check
Here we have placed the string “test\\n” in front of a valid 7zip file.
Given that the file doesn’t start with the 7zip start marker and instead begins with plaintext and a newline, the UNIX ‘file’ utility misinterprets it as a data file. p7zip, on the other hand, begins its interpretation of the file starting at the 7zip header. This results in the file still being a valid 7zip archive.
Here, while saving a GIF in GIMP, we write a PHP backdoor into a comment. This will be mostly ignored when parsing the file as an image, but as PHP only interprets code between its start and end markers “<?php” and “?>”, the image data will not affect the execution of the script.
The backdoor is written directly into the file.
Here is the combination PDF and 7zip file we’ve created, opened as a PDF.
Then, we change the file extension (though this actually should be unnecessary) and list the contents of the embedded 7zip archive.
This is a JPEG file. It looks ordinary and parses correctly.
When we interpret the same file as a RAR archive, we find that we have a valid archive, too! This RAR archive was simply appended to the end of our original JPEG. While it is possible to append a RAR to the end of a JPEG and get a file which opens as either format, it is not possible to append a JPEG to the end of a RAR and achieve the same results. This is due to the use of absolute offsets in the JPEG format which must be adjusted to point to the correct resources.
Before the fix was put in place, it was fairly commonplace to see book sharing threads on 4chan, where people appended rar files containing ebook versions of books to jpegs of book covers for the appropriate book. People could download the jpegs, change the extension to .rar, and get an ebook of the book mentioned.