The interim report provides a summary of the investigation into the DigiNotar certificate authority breach known as "Operation Black Tulip". 531 fraudulent certificates were issued by attackers who had gained administrative access to DigiNotar's Windows domain and several certificate authorities. Monitoring of the OCSP responder logs found that a rogue *.google.com certificate was used to intercept email and login cookies for about 300,000 users in Iran between the date of issue and revocation. The investigation is ongoing and the full scope and impact have not yet been determined.
Stealth Mango and the Prevalence of Mobile Surveillanceware - Priyanka Aash
In this talk, we will unveil the new in-house capabilities of a nation state actor who has been observed deploying both Android and iOS surveillance tooling, known as Stealth Mango and Tangelo. The actor behind these offensive capabilities has successfully compromised the devices of government officials and military personnel in numerous countries, with some directly impacting Western interests. Our research indicates this capability has been created by freelance developers who primarily release commodity spouse-ware but moonlight by selling their own custom surveillanceware to state actors. One such state actor has been observed deploying Stealth Mango, and this presentation will unveil the depth and breadth of their campaigns, detailing not only how we watched them grow and develop, test, QA, and deploy their offensive tooling, but also how operational security mistakes ultimately led to their attribution.
This is a proof-of-concept about creating a credible, publicly-available, freely-available, and openly-available ICS and SCADA event and incident database.
The latest massive IoT DDoS attack from the Mirai botnet, which took major websites like Twitter and Reddit offline for hours, has already gained notoriety as one of the worst DDoS strikes in history.
In this webinar Manish Rai & Ty Powers of Great Bay Software will help you understand exactly how the enterprise IoT landscape is changing, and what it means for the assumptions organizations have been making in regards to safeguarding against IoT cyberattacks. You will:
- Gain insights into how the recent IoT-based DDoS attacks were launched
- How similar attacks could be launched inside enterprise networks
- How to safeguard against IoT device compromises
- How to reduce your risk, and whose job is it anyway?
- Learn about what your peers are doing for IoT device security, with relevant findings from the 2016 Great Bay Software IoT Security Survey
Watch this on-demand webinar with this link: https://go.greatbaysoftware.com/owb-safeguarding-against-iot-ddos-attacks
Enabling Data Protection through PKI encryption in IoT m-Health Devices - Charalampos Doukas
Short presentation about a gateway-based solution for medical data encryption and the Internet of Things. Paper presented at the 12th IEEE International Conference on BioInformatics and BioEngineering.
IRJET - Ethical Hacking Techniques and its Preventive Measures for Newbies - IRJET Journal
This document discusses ethical hacking techniques and preventive measures. It defines ethical hacking as hacking performed with authorization to identify security vulnerabilities. It describes different types of hackers like white hat hackers who perform ethical hacking, black hat hackers who hack maliciously, and others. The document outlines the phases of hacking including reconnaissance, scanning, gaining access, and covering tracks. It also lists some operating systems commonly used by hackers like Kali Linux, BackTrack, and others. In conclusion, the document provides a brief overview of ethical hacking and techniques used by different types of hackers.
Linux IoT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018 - Mender.io
Drew Moseley presented on Linux IoT botnets and the lack of security hardening. He discussed three major botnets - Mirai, Hajime, and BrickerBot - and how they exploited common security problems like default credentials and unpatched vulnerabilities. Moseley emphasized that developers can learn from past mistakes by reviewing vulnerabilities and implementing secure designs to avoid compromising products. Basic security measures like unique passwords, updates, and least privilege access could significantly increase the costs for attackers while lowering risks for IoT device manufacturers and users.
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan... - REVULN
TWCSIRT is a full member of FIRST and mainly focuses on the protection of NARLabs, TANet and TWAREN. We defend against cyber-attacks from the Internet and handle incidents every day according to government policy. I am a research fellow with the National Center for High-performance Computing and lead the cyber security team operating the security operation center that handles incidents in the Taiwan Academic Network.
In our government-funded research project, we deployed the biggest honeynet in Taiwan and used over 6000 IP addresses to detect malicious network attacks coming from the Internet.
We have published our malware knowledge base to share malware samples and reports with many researchers, students and research centers, and to share our data set for deep tracking of cyber security.
There are many new types of cyber-attack, including ransomware, website mining, DDoS and hybrid malicious attacks.
Main Points:
- What's TWCSIRT's Mission and Scope
- How to coordinate at the national level with ISAC, CERT and SOC
- Cyber-attack and threat hunting in Taiwan Academic Network
- How to develop cyber security platform for incident handling
- How to do red team and blue team training by CDX
The document discusses trends, tactics, and perspectives related to cybercrime investigations. It outlines the top cybercrime threats as financial fraud, social media-related crimes, and other online scams. The document also discusses popular cybercrime tactics like social engineering and anonymity through cryptocurrency. It emphasizes the need for government coordination, cybersecurity preparedness, and proactive threat hunting to effectively address evolving cybercrime.
Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. The goal of the process is to extract and recover any information from a digital device without altering the data present on the device.
--D3
For more: https://d3pakblog.wordpress.com
DDoS Attack Detection on Internet of Things Using Unsupervised Algorithms - ijfls
The increase in the deployment of IoT networks has improved the productivity of humans and organisations. However, IoT networks are increasingly becoming platforms for launching DDoS attacks due to the inherently weaker security and resource-constrained nature of IoT devices. This paper focuses on detecting DDoS attacks in IoT networks by classifying incoming network packets on the transport layer as either "Suspicious" or "Benign" using unsupervised machine learning algorithms. In this work, two deep learning algorithms and two clustering algorithms were independently trained for mitigating DDoS attacks. We lay emphasis on exploitation-based DDoS attacks, which include TCP SYN-Flood attacks and UDP-Lag attacks. We use the Mirai, BASHLITE and CICDDoS2019 datasets in training the algorithms during the experimentation phase. The accuracy score and normalized-mutual-information score are used to quantify the classification performance of the four algorithms. Our results show that the autoencoder performed best overall, with the highest accuracy across all the datasets.
This document defines digital forensics and outlines the typical digital forensic process. Digital forensics involves the preservation, collection, analysis and presentation of digital evidence for legal proceedings. The digital forensic process consists of identification of potential evidence, preservation of evidence, analysis of evidence, documentation of findings and presentation of conclusions. Digital forensics is used to investigate various cyber crimes and requires specialized skills and tools to deal with challenges such as rapid technology changes and large amounts of digital data.
[CB20] It is a World Wide Web, but All Politics is Local: Planning to Survive... - CODE BLUE
Since the birth of the World Wide Web in 1989, despite the fact that the key function of the Internet is to communicate, share and distribute information without borders, countries have varied in their understanding and policies on how the Internet should work in their jurisdiction; some have codified laws bolstering Internet sovereignty or built firewalls to control online information flows. At the 25th anniversary of the Internet in 2014, the Pew Research Center invited over 1400 technology industry leaders and academics to reflect on the impact of the Internet over the next ten years. The top Internet threat these experts named was that nation-states could increasingly block, filter, segment and Balkanize the Internet for geopolitical, economic, social and security reasons.
In 2020, six years after that Pew report, amidst a global pandemic, growing populist partisanship in many countries, and heightened geopolitical tensions between the world's largest economies, the splintering of Internet communities seems even more imminent than before, as governments seek to limit the sometimes harmful power of social media speech and Internet companies' encroachments on personal privacy. Is the global trend towards segmentation and Balkanization of the Internet forthcoming? What are its implications for business operations globally in terms of cost, planning, continuity, and liabilities? How will cyber threats evolve as businesses adjust their operations to adapt to a more-segmented Internet? This talk will address these issues by identifying and characterizing the evidence of the segmentation and Balkanization of the Internet and by providing broad cyber threat and risk profiles for each region and practical mitigation measures to improve business resilience.
A look at the methodology and techniques of hackers, cyber criminals and state-sponsored attackers. Explores the kill chain, geopolitical instability and the dark web.
This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. When hearing the buzz-word "Internet of Things," we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. Industrial Control Systems (ICS) are not unique snowflakes anymore but use the same ubiquitous technology as found in consumer IoT devices. This presentation summarizes our experiences at Senrio exploiting embedded systems and discusses the reasons why these insecure design patterns exist, including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting (including real vulnerabilities and how they work).
ETHICAL HACKING AND SOCIAL ENGINEERING
Topics Covered: Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling, Enterprise Information Security Architecture, Vulnerability, Assessment and Penetration Testing, Types of Social Engineering, Insider Attack, Preventing Insider Threats, Social Engineering Targets and Defence Strategies
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio... - CODE BLUE
Tons of insecure IoT devices are out there, ready to be compromised to join the next IoT botnet or misused in even more serious threats. Since many of them are unmanaged, the situation does not seem likely to improve naturally in the short term. This talk will focus on a series of efforts on discovery, monitoring, analysis, and notification of these devices, trying to clean up "the mess".
Insights Into Modern Day Threat Protection - Abhinav Biswas
This document discusses cybersecurity threats and strategies for mitigation. It covers topics like advanced persistent threats, zero-day attacks, exploit kits, and common attack vectors involving social media, email, mobile apps, and the web. The document also summarizes traditional threats compared to more advanced threats, outlines a 7-stage threat model, and emphasizes the importance of prevention, detection, and rapid response for effective cybersecurity.
The good, the bad and the ugly of the Target data breach - Ulf Mattsson
The document discusses the Target data breach and lessons learned about data security. It covers how the breach occurred through memory scraping malware installed on Target's point of sale systems. The document also discusses how compliance with PCI standards does not guarantee security, and how new technologies like tokenization can help protect sensitive data by reducing the attack surface and use of cleartext data. Big data analytics is also discussed as a way to help detect abnormal usage patterns that could indicate a security incident.
Verizon 2014 data breach investigation report and the Target breach - Ulf Mattsson
The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to adapt to the shifts around them.
What’s needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
In this webinar, Protegrity CTO and data security thought leader Ulf Mattsson integrates new information from the Verizon 2014 Data Breach Investigation Report (DBIR) into his analysis on what is driving data breaches today, and how we can prevent them in the future.
KEY TOPICS INCLUDE:
• The changing threat landscape
• The effects of new technologies on breaches
• Analysis of recent breaches, including Target
• Compliance vs. security
• The importance of shifting from reactive to proactive thinking
• Preparing for future attacks with new technology & techniques
[CB20] Illicit QQ Communities: What's Being Shared? by Aaron Shraberg - CODE BLUE
QQ, a Chinese chat service with hundreds of millions of active monthly users, contains numerous groups discussing hacking and fraud tools and techniques. These groups use a unique language to discuss illicit activities, including a mix of Chinese and English characters, emoticons and memes. Assessing data from hundreds of such groups, this case study aims to discuss insights about the tools and techniques being shared. An examination of file names, the content of some files, and the nature of discussions around sharing of the files sheds light on discussions around illicit online activity, identifying rules of engagement and cultural norms for this unique and relatively closed community of online actors.
Despite its widespread usage within China and its exposure to China's well-documented surveillance apparatus, QQ is still rife with discussions themed around illicit hacking behavior as QQ group members share a large number of fraud tools and techniques. This may suggest some degree of permissiveness or "turning a blind eye" on the part of Chinese authorities—who undoubtedly have an aperture into these group’s chat histories. At the same time, creative jargon and subtle communication about fraud schemes likely makes detection challenging as hacking services, malicious file sharing, and cybercrime remain rampant.
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats - Zivaro Inc
The document discusses using big data analytics to counter advanced cyber threats. It notes that traditional security information and event management (SIEM) systems have limitations in detecting advanced threats due to incomplete data collection and inflexible analytics. A big data solution collects data from all possible sources, including network, endpoint, mobile and cloud systems. It then applies analytics to identify anomalous patterns that may indicate advanced threat activity based on factors like unusual user behavior, network connections, or changes from normal baselines. This helps security teams more effectively detect threats that can evade traditional defenses and are difficult to identify with signature-based tools alone.
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam... - Zoltan Balazs
IoT security poses serious risks due to vulnerabilities in many IoT devices that are never patched by manufacturers. Common excuses for the poor security of IoT devices are shown to be invalid, as attacks can bypass passwords, networks, and firewalls using techniques like UPnP, IPv6, WebRTC, and DNS rebinding. Lessons for home users include disconnecting devices when not in use, changing passwords, filtering connections and protocols, and monitoring networks. Lessons for vendors are to implement secure development practices, automatic updates, and optional cloud connections. Governments should regulate vendors to protect users and incentivize more secure practices.
This talk focuses on how AI can be leveraged to solve some of the subproblems in cybersecurity. The talk will start with a discussion on why there is a surge in data breaches and cybersecurity attacks. Then I will discuss some of the use cases, data pipeline, and architectural details of AI solutions for cybersecurity. Here is a detailed plan for the talk:
(1) The current state of Information security and tools (5 mins).
(2) A brief history and current status of using AI for InfoSec (5 mins).
Currently, security data science tools primarily process raw data from multiple data sources such as network flows, authentication logs, firewall logs, endpoints, and detect anomalous events. These tools generate a large number of false positives, and they need to be further investigated by security analysts. Specifically, I will address the following questions:
- What is the foundation of current security data science tools?
- What are the pros and cons of existing tools?
(3) AI use cases, data pipeline, architecture, and data experiments (15 mins): The following questions will be addressed:
- What are the different use cases that can be enabled by AI?
- How would it transform incident response?
- What's a typical data pipeline and architecture of a cybersecurity AI solution?
- Demo 1: PowerShell Obfuscation Detection using Deep Learning Neural Networks
- Demo 2: Malicious URL Detection using Recurrent Neural Networks
(4) Challenges and limitations of using AI alone for cybersecurity (5 mins)
- AI generates too many false positives
- Enterprises can investigate only 2-5% of alerts due to the limited number of security analysts
- Need for an automated response, not just detection
(5) Our approach: fuse deception with AI (10 mins):
A key objective of the deception is to deceive the inside-network attacks and threats to detect, engage, trap, and remediate them. Deception provides high fidelity alerts, and AI delivers an ability to construct context about the alert. By fusing deception and data science, security analysts can do proactive defense. We shall demonstrate our approach with specific case studies:
- Demo 3: Detecting and inferring threats in a high-interaction decoy using an AI engine
(6) Q&A (5 mins)
This document provides an overview of computer forensics. It defines computer forensics as identifying, preserving, analyzing and presenting digital evidence in a legally acceptable manner. The objective is to find evidence related to cyber crimes. Computer forensics has a history in investigating financial fraud, such as the Enron case. It describes the types of digital evidence, tools used, and steps involved in computer forensic investigations. Key points are avoiding altering metadata and overwriting unallocated space when collecting evidence.
Intrusion Detection and Prevention System in an Enterprise Network - Okehie Collins
This document describes a project on intrusion detection and prevention systems in an enterprise network. It was submitted by Okehie Collins Obinna to the Department of Computer Science at the Federal University of Technology in partial fulfillment of a Bachelor of Technology degree in Computer Science. The project analyzes intrusion detection and prevention technologies used in enterprise networks and designs a desktop application to monitor a computer network system for possible intrusions and provide an interface for a network administrator.
Task Force on IoT Security
About CISO Platform
Largest DDOS Attack Against DYN
How can we minimize the risk?
IoT Architectural Layers
Components of an IoT Node
Cybercrime, Digital Investigation and Public Private Partnership by Francesca... - Tech and Law Center
The document discusses cybercrime and digital investigation. It begins with defining cybercrime and listing its common forms. It then discusses the underground economy of cybercrime, describing how criminal networks operate similarly to legitimate businesses. Several specific cybercrimes are examined in depth, including malware, data theft, identity theft, phishing, and botnets. The document also profiles some case studies of major cybercriminal groups and hacking incidents to illustrate how crimes are committed. It aims to outline the scope and techniques of cybercrime threats.
DIGITAL FORENSICS IS A BRANCH OF FORENSIC SCIENCE FOCUSING ON THE RECOVERY AND INVESTIGATION OF RAW DATA RESIDING IN ELECTRONIC OR DIGITAL DEVICES. THE GOAL OF THE PROCESS IS TO EXTRACT AND RECOVER ANY INFORMATION FROM A DIGITAL DEVICE WITHOUT ALTERING THE DATA PRESENT ON THE DEVICE.
--D3
For more; https://d3pakblog.wordpress.com
DDOS ATTACK DETECTION ON INTERNET OF THINGS USING UNSUPERVISED ALGORITHMSijfls
The increase in the deployment of IoT networks has improved productivity of humans and organisations.
However, IoT networks are increasingly becoming platforms for launching DDoS attacks due to inherent
weaker security and resource-constrained nature of IoT devices. This paper focusses on detecting DDoS
attack in IoT networks by classifying incoming network packets on the transport layer as either
“Suspicious” or “Benign” using unsupervised machine learning algorithms. In this work, two deep
learning algorithms and two clustering algorithms were independently trained for mitigating DDoS
attacks. We lay emphasis on exploitation based DDOS attacks which include TCP SYN-Flood attacks and
UDP-Lag attacks. We use Mirai, BASHLITE and CICDDoS2019 dataset in training the algorithms during
the experimentation phase. The accuracy score and normalized-mutual-information score are used to
quantify the classification performance of the four algorithms. Our results show that the autoencoder
performed overall best with the highest accuracy across all the datasets.
This document defines digital forensics and outlines the typical digital forensic process. Digital forensics involves the preservation, collection, analysis and presentation of digital evidence for legal proceedings. The digital forensic process consists of identification of potential evidence, preservation of evidence, analysis of evidence, documentation of findings and presentation of conclusions. Digital forensics is used to investigate various cyber crimes and requires specialized skills and tools to deal with challenges such as rapid technology changes and large amounts of digital data.
[CB20] It is a World Wide Web, but All Politics is Local: Planning to Survive...CODE BLUE
Since the birth of the World Wide Web in 1989, despite the fact that the key function of the Internet is to communicate, share and distribute information without borders, countries have varied in their understanding and policies on how the Internet should work in their jurisdiction; some have codified laws bolstering Internet sovereignty or built firewalls to control online information flows. At the 25th anniversary of the Internet in 2014, the Pew Research Center invited over 1400 technology industry leaders and academics to reflect on the impact of the Internet over the next ten years. The top Internet threat these experts named was that nation-states could increasingly block, filter, segment and Balkanize the Internet for geopolitical, economic, social and security reasons.
In 2020, six years after that Pew report, amidst a global pandemic, growing populist partisanship in many countries, and heightened geopolitical tensions between the world’s largest economies, the splintering of Internet communities seems even more imminent than before, as governments seek to limit the sometimes harmful power of social media speech and Internet companies' encroachments on personal privacy. Is the global trend towards segmentation and Balkanization of the Internet forthcoming? What are its implications for business operations globally in terms of cost, planning, continuity, and liabilities ? How will cyber threats evolve as businesses adjust their operations to adapt to a more-segmented Internet? This talk will address these issues by identifying and characterizing the evidence of the segmentation and Balkanization of the Internet and by providing broad cyber threat and risk profiles for each region and practical mitigation measures to improve business resilience.
A look at the methodology and techniques or hackers, cyber criminals and state sponsored attackers. Explores the kill chain, Geo political instability and the dark web.
This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. When hearing the buzz-word “Internet of Things,” we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. Industrial Control Systems (ICS) are not unique snowflakes anymore but use the same ubiquitous technology as found in consumer IoT Devices. This presentation summarizes our experiences at Senrio exploiting embedded system and discusses the reasons why these insecure design patterns exist; including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting (including real vulnerabilities and how they work).
ETHICAL HACKING AND SOCIAL ENGINEERING
Topics Covered: Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling, Enterprise Information Security Architecture, Vulnerability Assessment and Penetration Testing, Types of Social Engineering, Insider Attack, Preventing Insider Threats, Social Engineering Targets and Defence Strategies
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...CODE BLUE
Tons of insecure IoT devices are out there, ready to be compromised to join the next IoT botnet or to be misused in even more serious threats. Since many of them are unmanaged, the situation does not seem likely to improve naturally in the short term. This talk will focus on a series of efforts on discovery, monitoring, analysis, and notification of these devices, trying to clean up "the mess".
Insights Into Modern Day Threat ProtectionAbhinav Biswas
This document discusses cybersecurity threats and strategies for mitigation. It covers topics like advanced persistent threats, zero-day attacks, exploit kits, and common attack vectors involving social media, email, mobile apps, and the web. The document also summarizes traditional threats compared to more advanced threats, outlines a 7-stage threat model, and emphasizes the importance of prevention, detection, and rapid response for effective cybersecurity.
The good, the bad and the ugly of the target data breachUlf Mattsson
The document discusses the Target data breach and lessons learned about data security. It covers how the breach occurred through memory scraping malware installed on Target's point of sale systems. The document also discusses how compliance with PCI standards does not guarantee security, and how new technologies like tokenization can help protect sensitive data by reducing the attack surface and use of cleartext data. Big data analytics is also discussed as a way to help detect abnormal usage patterns that could indicate a security incident.
Verizon 2014 data breach investigation report and the target breachUlf Mattsson
The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to adapt to the shifts around them.
What’s needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
In this webinar, Protegrity CTO and data security thought leader Ulf Mattsson integrates new information from the Verizon 2014 Data Breach Investigation Report (DBIR) into his analysis on what is driving data breaches today, and how we can prevent them in the future.
KEY TOPICS INCLUDE:
• The changing threat landscape
• The effects of new technologies on breaches
• Analysis of recent breaches, including Target
• Compliance vs. security
• The importance of shifting from reactive to proactive thinking
• Preparing for future attacks with new technology & techniques
[CB20] Illicit QQ Communities: What's Being Shared? by Aaron ShrabergCODE BLUE
QQ, a Chinese chat service with hundreds of millions of active monthly users, contains numerous groups discussing hacking and fraud tools and techniques. These groups use a unique language to discuss illicit activities, including a mix of Chinese and English characters, emoticons and memes. Assessing data from hundreds of such groups, this case study aims to discuss insights about the tools and techniques being shared. An examination of file names, the content of some files, and the nature of discussions around sharing of the files sheds light on discussions around illicit online activity, identifying rules of engagement and cultural norms for this unique and relatively closed community of online actors.
Despite its widespread usage within China and its exposure to China's well-documented surveillance apparatus, QQ is still rife with discussions themed around illicit hacking behavior, as QQ group members share a large number of fraud tools and techniques. This may suggest some degree of permissiveness or "turning a blind eye" on the part of Chinese authorities—who undoubtedly have an aperture into these groups’ chat histories. At the same time, creative jargon and subtle communication about fraud schemes likely make detection challenging, as hacking services, malicious file sharing, and cybercrime remain rampant.
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsZivaro Inc
The document discusses using big data analytics to counter advanced cyber threats. It notes that traditional security information and event management (SIEM) systems have limitations in detecting advanced threats due to incomplete data collection and inflexible analytics. A big data solution collects data from all possible sources, including network, endpoint, mobile and cloud systems. It then applies analytics to identify anomalous patterns that may indicate advanced threat activity based on factors like unusual user behavior, network connections, or changes from normal baselines. This helps security teams more effectively detect threats that can evade traditional defenses and are difficult to identify with signature-based tools alone.
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
IoT security poses serious risks due to vulnerabilities in many IoT devices that are never patched by manufacturers. Common excuses for the poor security of IoT devices are shown to be invalid, as attacks can bypass passwords, networks, and firewalls using techniques like UPnP, IPv6, WebRTC, and DNS rebinding. Lessons for home users include disconnecting devices when not in use, changing passwords, filtering connections and protocols, and monitoring networks. Lessons for vendors are to implement secure development practices, automatic updates, and optional cloud connections. Governments should regulate vendors to protect users and incentivize more secure practices.
This talk focuses on how AI can be leveraged to solve some of the subproblems in cybersecurity. The talk will start with a discussion of why there is a surge in data breaches and cybersecurity attacks. Then I will discuss some of the use cases, data pipeline, and architectural details of AI solutions for cybersecurity. Here is a detailed plan for the talk:
(1) The current state of Information security and tools (5 mins).
(2) A brief history and current status of using AI for InfoSec (5 mins).
Currently, security data science tools primarily process raw data from multiple data sources such as network flows, authentication logs, firewall logs, endpoints, and detect anomalous events. These tools generate a large number of false positives, and they need to be further investigated by security analysts. Specifically, I will address the following questions:
- What is the foundation of current security data science tools?
- What are the pros and cons of existing tools?
(3) AI use cases, data pipeline, architecture, and data experiments (15 mins): The following questions will be addressed:
- What are the different use cases that can be enabled by AI?
- How would it transform incident response?
- What's a typical data pipeline and architecture for a cybersecurity AI solution?
Demo 1: PowerShell Obfuscation Detection using Deep Learning Neural Networks
Demo 2: Malicious URL Detection using Recurrent Neural Networks
(4) Challenges and limitations of using AI alone for cybersecurity (5 mins)
- AI generates too many false positives
- Enterprises can investigate only 2-5% of alerts due to the limited number of security analysts
- Need for an automated response, not just detection
(5) Our approach: fuse deception with AI (10 mins):
A key objective of deception is to lure in-network attacks and threats so that they can be detected, engaged, trapped, and remediated. Deception provides high-fidelity alerts, and AI delivers the ability to construct context around each alert. By fusing deception and data science, security analysts can defend proactively. We shall demonstrate our approach with specific case studies:
- Demo 3: Detecting and inferring threats in a high-interaction decoy using an AI engine
(6) Q&A (5 mins)
This document provides an overview of computer forensics. It defines computer forensics as identifying, preserving, analyzing and presenting digital evidence in a legally acceptable manner. The objective is to find evidence related to cyber crimes. Computer forensics has a history in investigating financial fraud, such as the Enron case. It describes the types of digital evidence, tools used, and steps involved in computer forensic investigations. Key points are avoiding altering metadata and overwriting unallocated space when collecting evidence.
Intrusion Detection and Prevention System in an Enterprise NetworkOkehie Collins
This document describes a project on intrusion detection and prevention systems in an enterprise network. It was submitted by Okehie Collins Obinna to the Department of Computer Science at the Federal University of Technology in partial fulfillment of a Bachelor of Technology degree in Computer Science. The project analyzes intrusion detection and prevention technologies used in enterprise networks and designs a desktop application to monitor a computer network system for possible intrusions and provide an interface for a network administrator.
Task Force on IoT Security
About CISO Platform
Largest DDoS Attack Against Dyn
How can we minimize the risk?
IoT Architectural Layers
Components of an IoT Node
Cybercrime, Digital Investigation and Public Private Partnership by Francesca...Tech and Law Center
The document discusses cybercrime and digital investigation. It begins with defining cybercrime and listing its common forms. It then discusses the underground economy of cybercrime, describing how criminal networks operate similarly to legitimate businesses. Several specific cybercrimes are examined in depth, including malware, data theft, identity theft, phishing, and botnets. The document also profiles some case studies of major cybercriminal groups and hacking incidents to illustrate how crimes are committed. It aims to outline the scope and techniques of cybercrime threats.
B2 Sailing offers luxury yacht charters and sailing experiences of the highest quality, with elegant vessels and expert crews to provide adventures from casual sailing to competitive regattas. They operate a fleet of technologically advanced and graceful yachts, and have an elite team of champion sailors to ensure passengers have an unforgettable time on the water. B2 Sailing aims to combine sailing passion, luxury amenities, and immersive natural experiences for clients.
Study: The Future of VR, AR and Self-Driving CarsLinkedIn
We asked LinkedIn members worldwide about their levels of interest in the latest wave of technology: whether they’re using wearables, and whether they intend to buy self-driving cars and VR headsets as they become available. We asked them too about their attitudes to technology and to the growing role of Artificial Intelligence (AI) in the devices that they use. The answers were fascinating – and in many cases, surprising.
This SlideShare explores the full results of this study, including detailed market-by-market breakdowns of intention levels for each technology – and how attitudes change with age, location and seniority level. If you’re marketing a tech brand – or planning to use VR and wearables to reach a professional audience – then these are insights you won’t want to miss.
The Breach at Limetree Updated November 18, 2017 Bac.docxmehek4
The Breach at Limetree
Updated November 18, 2017
Background: Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries.
Limetree recently lost a DOD contract worth millions of dollars because another competitor claimed to have a “superior chemical process that brought about the desired results in half the time, with over seventy-five percent more yield than conventional technologies.” This contract loss troubled Limetree Inc. management because Limetree has been working on that exact same technology for years, and they suspect that it’s no mere coincidence that a competitor has claimed their proprietary process as its own.
Management then asked Jack Sterling, Limetree’s security manager, to investigate whether there were any IT-related security problems that could shed some light on the possibility of an insider threat. Jack performed an unannounced sweep of the office area and found serious problems. There were poor security practices at every workstation, such as unauthorized external hard drives and USB devices, passwords under mouse pads, unlocked displays, unauthorized software, obvious phone PINs, wireless passwords on bulletin boards, and improper destruction of sensitive documents.
Jack’s investigation led him to three suspects: Jamie Kim at workstation #14, because her external hard drive held the same proprietary process files that were leaked to the competitor; Duncan Harris at workstation #11, because he had a USB drive with deleted files that also contained the leaked proprietary process; and Steve Kim at workstation #4, because he had Jamie Kim’s usernames and passwords on a partially shredded paper in the trash. No other employees had any file or potential access to the files that contained the proprietary processes.
Jack also conducted a review of the access logs on the server to rule out any unwarranted wireless access from inside or outside the facility. There were several unauthorized users using the wireless resource, but no access to the servers. Logs on the servers themselves revealed unauthorized directory traversals and DNS poisoning, but these attacks were not in the narrow timeframe in which the insider sold the proprietary process. Jack then navigated to the folder where the proprietary process was kept and observed that there was no encryption, nor was it isolated on the network. Jack looked up the default password for the Cisco switch and, sure enough, it had not been changed on the routers and switches. Jack also ran a rootkit detector and, although it didn’t find one, it did show that a backdoor had been planted in the distant past but wasn’t active now. After finding the backdoor, Jack then examined the public-facing webpage and noticed that many of the input fields did not do any data integrity checks. Since that is a poor security pract ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Duo Security
This presentation will dive into research, outcomes, and recommendations regarding information security for the "Internet of Things". Mark and Zach will discuss IoT security failures both from their own research as well as the work of people they admire. Attendees are invited to laugh/cringe at concerning examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for stuff.
Mark and Zach will also discuss the progress that their initiative, BuildItSecure.ly, has made since it was announced this past February at B-Sides San Francisco. Based on their own struggles with approaching smaller technology vendors with bugs and trying to handle coordinated disclosure, Mark and Zach decided to change the process and dialog that was occurring into one that is inclusive, friendly, and researcher-centric. They will provide results and key learnings about the establishment of this loose organization of security-minded vendors, partners, and researchers who have decided to focus on improving information security for bootstrapped/crowd-funded IoT products and platforms.
If you're a researcher who wants to know more about attacking this space, an IoT vendor trying to refine your security processes, or just a consumer who cares about their own safety and privacy, this talk will provide some great insights to all of those ends.
MARK STANISLAV
DUO SECURITY
Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup and corporate environments, primarily focused on Linux architecture, information security, and web application development. He has presented at over 70 events internationally including RSA, ShmooCon, SOURCE Boston, and THOTCON. His security research has been featured on web sites including CSO Online, Security Ledger, and Slashdot. Mark holds a B.S. in Networking & IT Administration and an M.S. in Information Assurance, both from Eastern Michigan University. Mark is currently writing a book titled, "Two-Factor Authentication" (published by IT Governance).
ZACH LANIER
DUO SECURITY
Zach Lanier is a Security Researcher with Duo Security, specializing in various bits of network, mobile, and application security. Prior to joining Duo, Zach most recently served as a Senior Research Scientist with Accuvant LABS. He has spoken at a variety of security conferences, such as Black Hat, CanSecWest, INFILTRATE, ShmooCon, and SecTor, and is a co-author of the recently published "Android Hackers' Handbook."
MassTLC Opening Slides and Simulation SessionMassTLC
The MassTLC Security Conference featured a simulated data breach of WindResources, a wind turbine manufacturer. The breach began when a sales director's computer was infected with malware from a phishing email. An investigation found other infected computers and logs showing customer credentials being accessed from Russia. The breach escalated as stolen data was found online and a customer discovered their personal details exposed. The simulation panel discussed lessons around having an incident response plan, engaging legal and law enforcement, communicating about the breach, and practicing incident response.
Digital certificates are used to verify the identity of entities providing services over the internet and ensure secure communication. A digital certificate contains a public key, identity information, and has an expiration date. It is issued by a trusted certificate authority to validate the owner of a public key. When requests are made to a service, the recipient can verify the certificate to confirm the sender is authentic. Certificates help establish encrypted connections and trust in online transactions. Expired or stolen certificates still allow the thief to use the public key until the expiration date, so timely renewal and revocation is important for security.
Designing an Incident Response Plan is difficult. On one hand, you have the extremely detailed "Best Practices" while on the other hand you have real world resource constraints.
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...PROIDEA
PKI is widely understood and accepted as the gold standard for authentication, non-repudiation and integrity. It secures protocols for email, the web and software distribution, replaces ink with electronic signatures, and secures infrastructure, financial and other transactions. While obtaining the private key or gaining access to its usage is the first thought when attacking PKI-based systems, there are usually easier ways and a multitude of attack vectors.
The document discusses implementing a public key infrastructure (PKI) strategy. It outlines various considerations for companies including their security needs, possible implementation options of building or outsourcing their PKI, and the benefits of cross-certification which allows different PKIs to trust each other. The conclusion recommends companies clearly define their identity, regulatory, partnership, and interoperability needs to determine the best PKI approach.
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
With the advent of IoT, every 'Thing' is getting smart, from smartwatches, smart refrigerators and smart bulbs to smart cars, smart healthcare, smart agriculture, smart retail, smart cities and what not, even a smart planet. But why is everything getting smart? People are trying to bridge the gap between the digital world and the physical world by means of ubiquitous connectivity to the Internet, and when digital things become physical, digital threats also become physical threats. Security and privacy issues are rising as never before. What if the microphone in your smart TV can be used to eavesdrop on the private conversations in your bedroom? What if a smart driverless car deliberately crashes itself into an accident? What if you want to be anonymous over the Internet and don't want anybody to track you?
This talk will focus on answering the above questions with a view on 'What are we currently doing to protect ourselves' and 'What do we need to do'. What are the new security challenges that are coming up, and how are privacy and anonymity taking the lead over security? The talk will also sensitize the audience to the paradigm shift that is happening in IoT DevOps, with the help of Docker containers, and how they can be anonymized using Tor.
The document discusses network scanning, which involves identifying live hosts, open ports, services, and vulnerabilities on a network. It describes how the Sality botnet was able to scan the entire IPv4 address space in a stealthy manner using "reverse-byte order scanning." Researchers observed this technique being used to map out vulnerable voice-over-IP servers while evading detection. The document also provides an overview of network scanning objectives and techniques.
The Internet of Things: We've Got to ChatDuo Security
BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014
Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudIRJET Journal
This document proposes a system called proxy-oriented data uploading and remote data integrity checking using identity-based public key cryptography (ID-PUIC) to address security issues in public cloud storage. The system allows a user to designate a proxy to upload data to the cloud on their behalf and check the integrity of the remotely stored data without downloading it. The proposed ID-PUIC protocol uses cryptographic techniques like key generation, encryption, and decryption to securely upload data from proxies, detect malware, and verify data integrity in a private or public manner depending on the user's authorization. The system aims to improve security, efficiency and flexibility compared to existing public key infrastructure approaches for remote data integrity checking and proxy-based data uploading in public
IoT Vulnerability Analysis and IOT In security ControlsJay Nagar
1) The document discusses vulnerabilities found in IoT devices, including a lack of strong passwords, encryption of communications and updates, and other security issues.
2) The author analyzed 50 smart home devices and found major issues with all of them, such as none enforcing strong passwords or using mutual authentication.
3) The document provides examples of potential attacks on IoT devices when an attacker has access to the local network, such as intercepting unencrypted traffic or reprogramming devices by spoofing firmware updates.
The document discusses the importance of information security for businesses. It outlines some key concepts in information security including confidentiality, integrity, availability, non-repudiation, authentication, and authorization. These concepts help mitigate risks like denial of service attacks, which can cause losses for small businesses. The document argues that while information security requires costs, it provides important benefits in protecting a business from various cyber threats and risks. Effective information security measures are essential for all businesses regardless of size.
ISE 510 Final Project Scenario Background Limetree In.docxchristiandean12115
ISE 510 Final Project Scenario
Background
Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries. It has been experiencing major growth in recent years, but there is also a concern that information security lapses are becoming rampant as the company grows. Limetree Inc. is working to establish a strong reputation in the industry, and it views a robust information security program as part of the means to achieving its goal. The company looks to monitor and remain compliant with any regulation impacting its operations.
Limetree Inc. recently experienced a security breach; it believes confidential company data has been stolen, including personal health information (PHI) used in a research study. Limetree Inc. believes the breach may have occurred because of security vulnerabilities within its systems and processes.
Limetree Inc.’s virtual environment is presented in the Agent Surefire: InfoSec educational video game. The rest of the environment is presented via an interview with the security manager, Jack Sterling.
Highlight of Interview with Jack Sterling
The interview with Jack Sterling revealed the following about Limetree Inc.’s systems and processes:
Hardware/Software:
Desktop Apps: Internet Explorer, Firefox, Google Chrome, MS Office, Adobe Flash, Adobe Acrobat
Applications/Databases:
Browser – The browser in use is Internet Explorer, and the browser security setting was set to low. Browsers allow remote installation of applets, and there is no standard browser for the environment.
Virus Software – McAfee is deployed locally on each user's machine, and users are mandated to update their virus policy every month.
SQL Database – Ordinary users can escalate privilege via SQL Agent. Disk space for the SQL database log is small, and the log is overwritten with new information when it is full. Limetree Inc. is not using any encryption for sensitive data at rest within the SQL server environment.
Network:
The network comprises the following: three web/application servers, three email servers, five file and printer servers, two proxy servers, seven remotely manageable Cisco switches, 250 desktops, three firewall devices, one gateway (router) device to the internet, and three wireless access points.
Configuration Highlights:
Wireless – The wireless network is available with a clearly advertised SSID, and it is part of the local area network (LAN). There is no segmentation or authentication between the wireless and wired LAN. Visitors are provided an access code to the wireless network at the front desk to use the internet while they wait to be attended to.
Managed switches – There is no logging of network activities on any of the switches.
Web server – The public-facing web server is part of the LAN. This is where internet users get needed .
This document provides an overview of cyber forensics. It discusses the cyber forensics process, which involves collection, preservation, analysis, documentation and presentation of digital evidence. It also covers topics like the chain of custody process, the role of first responders, acquisition and duplication of evidence, hashing and write protection, analyzing deleted data through data recovery tools, Windows and Linux log analysis, and responding to cyber crimes. Specific cyber crimes discussed include phishing, 419 scams, spamming, malware distribution, cyberstalking, fake online profiles, credit card fraud, and ransomware attacks. Reporting mechanisms and analysis tools for each are presented. The document concludes with a discussion of career paths in cyber forensics
This document proposes a Cyber Investigation Portal to help investigators monitor criminal activities online and investigate cybercrimes. The portal would collect logs of criminals' online activities through malware installed on their devices without detection. It would send logs and device screenshots to investigators to aid investigations. The portal aims to address issues that make cybercrimes difficult to investigate, such as crossing legal jurisdictions. It would collect threat intelligence, investigate cases, and conduct awareness campaigns. The document outlines the system architecture, including a backend that uses machine learning to detect incidents and fraud patterns from a security database.
Assignment 1: Portfolio Assignments
Preface
Listed below are areas of concentration for MSDF-630 202 Portfolio Assignment. Keep in mind that the portfolio research concentration is an essential segment of the course. Two research topics are created for you, and I hope that your professional effort will be represented in this project. Portfolio projects consist of the following three unique phases:
Profile.
Research Question 1
Investigation of Alibi: Time as Alibi and Location as Alibi.
Research Question 2.
Cybercrime Law, Computer-Integrity Crime, Fraud, and Abuse.
Portfolio Project
Profile: Required
Group 1. Research Question 1
Group 2. Research Question 2
Group 3. Research Question 1
Group 4. Research Question 2
Each student must submit two (2) successfully completed documents (here):
Profile
Collaborative Group Assignment.
Phase 1: Student Professional Profile
Portfolio
Full-Name
Profile
Status: Graduate or Post-graduate
Academic areas concentration
Current Professional Career Path
Professional Career Path upon successful completion of your studies at the University of the Cumberlands.
Research Question 1.
Investigation of Alibi: Time as Alibi and Location as Alibi.
Preamble
Alibi is a Latin acronym meaning somewhere else, and someone other than the culprit: a scenario that identifies the perpetrator of a crime to be someone or somewhere else other than where the crime took place. Criminal activities involving location, login and logout times, and illegal behaviors can be easily tracked by the use of computer and internet technologies.
Offenders and their alibis are often naive and ignore the fact that telephone companies always keep records of the number dialed, the time and duration of the call, and the caller's number.
Offenders and their alibis are oblivious and unaware of the fact that credit card corporations keep records of the dates, times, and locations of all purchases; banks keep track of the dates, times, and locations of all deposits and withdrawals; and dates, times, and locations reside on computers for an indefinite period. Customers receive a report each month with detailed information in the form of a bill and financial statement.
Offenders and their alibis are often neglectful of the fact that when an e-mail message is sent, the time and originating internet protocol (IP) address are noted in the header and in log files that contain information on past and current activities.
Forensic investigators must be vigilant at all times and try to acknowledge and recognize the criminal's modus operandi (MO), motive, intent, and ability to manipulate and change the contents of conclusive evidence and create a false alibi to amplify deceitful schemes. During the investigation of an alibi, the first step is to secure access to the data and information on the computer workstations, file servers, protocols, and network systems.
BOOTP is the computer network designed to control .
Diginotar Hack - Black-tulip
Interim Report
September 5, 2011
DigiNotar Certificate Authority breach
“Operation Black Tulip”
Classification PUBLIC
Customer DigiNotar B.V.
Subject: Investigation DigiNotar Certificate Authority Environment
Date 5 September 2011
Version 1.0
Author J.R. Prins (CEO Fox-IT)
Business Unit Cybercrime
Pages 13
1 Introduction
1.1 Background
The company DigiNotar B.V. provides digital certificate services; it hosts a number of Certificate
Authorities (CAs). Certificates issued include default SSL certificates, Qualified Certificates and
'PKIoverheid' (Government accredited) certificates.
On the evening of Monday August 29th it became public knowledge that a rogue *.google.com certificate
was presented to a number of Internet users in Iran. This false certificate had been issued by DigiNotar
B.V. and was revoked [1] that same evening.
On the morning of the following Tuesday, Fox-IT was contacted and asked to investigate the breach and
report its findings before the end of the week.
Fox-IT assembled a team and started the investigation immediately. The investigation team includes
forensic IT experts, cybercrime investigators, malware analysts and a security expert with PKI
experience. The team was headed by CEO J.R. Prins directly.
It was communicated and understood from the outset that Fox-IT would not be able to complete an
in-depth investigation of the incident within this limited timeframe. This is due to the complexity of the
PKI environment and the uncommon nature of the breach.
Rather, due to the urgency of this matter, Fox-IT agreed to prepare an interim report at the end of the
week with its preliminary findings, which would be published.
1.2 Investigation questions
The investigation predominantly focused on the following questions:
1. How did the perpetrators access the network?
2. What is the scope and status of the breach?
- Have other DigiNotar CA environments been breached?
- Do we still see hacker activity on the network of DigiNotar?
- Are rogue certificates actively being used by hackers?
3. Can we discover anything about the impact of the incident?
- What certificates were issued without knowledge of DigiNotar?
- What other (rogue) certificates might have been generated?
- How many rogue connections were made using rogue certificates?
- What was the nature of these connections?
In order to address these questions we (i) implemented specialized monitoring to be able to detect,
analyse and follow up on active misuse, and (ii) analysed digital traces on hard disks, in databases and
in log files to investigate the origin and impact of the breach.
[1] Revoked: A certificate is irreversibly revoked if, for example, it is discovered that the certificate
authority (CA) had improperly issued a certificate, or if a private key is thought to have been
compromised. Certificates may also be revoked for failure of the identified entity to adhere to policy
requirements such as publication of false documents, misrepresentation of software behavior, or
violation of any other policy specified by the CA operator or its customer. The most common reason for
revocation is the user no longer being in sole possession of the private key (e.g., the token containing the
private key has been lost or stolen).
PUBLIC 3
1.3 This report
The goal of this report is to share relevant information with DigiNotar stakeholders (such as the Dutch
Government and the Internet community), based on which they can make their own risk analysis.
Because this is a public report, some investigation results and details cannot be included for privacy
and/or security reasons.
Since the investigation has been more of a fact-finding mission thus far, we will not draw any conclusions
with regard to the network setup and the security management system. In this report we will not give
any advice on improving the technical infrastructure for the long term. Our role is to investigate the
incident and give a summary of our findings so far. We leave it to the reader in general and other
responsible parties in the PKI and Internet community to draw conclusions based on these findings. We
make a general reservation, as our investigations are still ongoing.
2 Investigations
2.1 Prior investigations
Some investigations were conducted before we started.
Fox-IT was given access to a report produced by another IT-security firm which performs the regular
penetration testing and auditing for DigiNotar. The main conclusions from this report, dated July 27th,
were:
A number of servers were compromised. The hackers have obtained administrative rights to the
outside webservers, the CA server “Relaties-CA” and also to “Public-CA”. Traces of hacker activity
started on June 17th and ended on July 22nd.
Furthermore, staff from DigiNotar and the parent company Vasco performed their own security
investigation. E-mail communication and memos with further information were handed over to us.
This information gave us a rough overview of what happened:
- The signing of 128 rogue certificates was detected on July 19th during the daily routine security
check. These certificates were revoked immediately;
- During analysis on July 20th the generation of another 129 certificates was detected. These were
also revoked, on July 21st;
- Various security measures on infrastructure, system monitoring and OCSP validation were taken
immediately to prevent further attacks;
- More fraudulently issued certificates were discovered during the investigation and 75 more
certificates were revoked on July 27th;
- On July 29th a previously issued *.google.com certificate was discovered that had not yet been
revoked. This certificate was revoked on July 29th;
- DigiNotar found evidence on July 28th that rogue certificates were being verified from Internet
addresses originating in Iran.
On August 30th Fox-IT was asked to investigate the incident and to recommend and implement new
security measures. Fox-IT installed a specialized incident response network sensor to assist in the
investigation. Furthermore, we created images of several other servers.
2.2 Monitoring
The rogue certificate found by Google was issued by the DigiNotar Public CA 2025. The serial number of
the certificate was, however, not found in the CA system's records. This leads to the conclusion that it is
unknown how many certificates were issued without any record present. In order to identify these
unknown certificates and to prevent their use against victims, the OCSP responder [2] requests were
monitored.
Current browsers perform an OCSP check as soon as the browser connects to an SSL-protected website
through the https protocol [3]. The serial number of the certificate presented by the website a user visits
is sent to the issuing CA's OCSP responder. The OCSP responder can only answer with 'good', 'revoked'
or 'unknown'. If a certificate serial number is presented to the OCSP responder and no record of this
serial is found, the normal OCSP responder answer would be 'good' [4]. The OCSP responder answer
'revoked' is only returned when the serial has been revoked by the CA. In order to prevent misuse of the
unknown issued serials, the OCSP responder of DigiNotar has been set to answer 'revoked' when
presented with any unknown certificate serial it has authority over. This was done on September 1st.
The incident response sensor immediately raises an alert if the serial number of a known fraudulently
issued certificate is being misused. All requests for unknown serial numbers can also be analysed and
used in the investigation. Any large number of requests for a single serial number is suspicious and will
be detected.
[2] The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation
status of an X.509 digital certificate.
[3] Other applications using certificates can also use the OCSP verification method.
[4] According to RFC 2560.
Note that advanced methods for misusing the rogue certificates are possible by which a thorough
attacker can circumvent our detection method.
The incident response sensor has logged all network traffic since August 30th. Current analyses still
show hacking attempts on the web server originating from Iran. During monitoring, we also saw unusual
traffic after the company F-Secure announced its findings of a possible earlier breach of the website [5].
We haven't investigated this breach in detail yet. In August, DigiNotar installed a new web server. It is
fair to assume these hacker traces were copied over from the previous web server installation.
2.3 CA servers investigation
DigiNotar hosts several CA services on different servers. Earlier reports indicated two of these servers
were compromised and misused by the attacker(s). It was essential to verify the status of the other CA
systems and investigate if they were compromised or misused. Forensic disk images were made of all the
CA servers for investigation.
Because of security implications, the details of these results are not shared in this public report. More
generally, we found traces of hacker activity with administrator rights on the Qualified and PKIoverheid
CA server as well as on other CA servers. Furthermore, we can share that on September 3rd more rogue
certificates were discovered. The list of certificates is in Annex 5.1.
The log files on the Qualified & PKIoverheid CA server do not show traces of deleted entries. Such
traces are present on the other CA servers, where rogue certificates were produced. During further
investigation, however, we encountered several serial numbers of certificates that cannot be related to
trusted certificates. Two of these were found on the Qualified & PKIoverheid CA server. It is possible
that these serial numbers were temporarily generated by the CA software without being used, or that
they were generated as a result of a bug in the software. However, we cannot rule out the possibility
that these serial numbers relate to rogue certificates. Further investigation is needed to confirm or
contradict this. The list of serials is in Annex 5.2; this list has been communicated to the web browser
vendors.
2.4 Firewall investigation
The firewall log files have not been analysed yet.
2.5 Malicious software analyses
A number of malicious/hacker software tools were found. These vary from commonly used tools such as
the well-known Cain & Abel tool [6] to tailor-made software.
Specifically developed software probably enabled the hackers to upload the generated certificates to a
dropbox. Both the IP-addresses of an internal DigiNotar server and the IP-address of the dropbox were
hardcoded in the software. Possibilities are being explored to investigate this server, as (parts of) the
uploaded rogue certificates might be still available there.
A script was found on CA server Public 2025. The script was written in a special scripting language only
used to develop PKI software. The purpose of the script was to generate CA signatures for certificates
which had been requested earlier. The script also contains English text, which is reproduced in Annex
5.3. In that text the hacker left his fingerprint: Janam Fadaye Rahbar [7]. The same text was found in
the Comodo hack in March of this year [8]. That breach also resulted in the generation of rogue
certificates.
[5] The IT security company F-Secure blogged about a breach of the DigiNotar web server in May 2009:
http://www.f-secure.com/weblog/archives/00002228.html
[6] Cain & Abel is a very powerful hacker toolkit. It is capable of sniffing and breaking passwords. Most
anti-virus software will detect Cain & Abel and flag it as malicious.
[7] Supposedly meaning: "I will sacrifice my soul for my leader"
[8] http://www.wired.com/threatlevel/2011/03/comodo_hack/
3 Provisional results
3.1 Fraudulently issued certificates
In total 531 fraudulent certificates have been issued. We have no indication that more certificates were
issued by the attacker(s). 344 of these contain a domain name in the common name. 187 certificates
have 'Root CA' in the common name. We have reason to believe these certificates are not real CA
certificates but normal end user certificates.
3.2 Compromised CAs
The attacker(s) had acquired the domain administrator rights. Because all CA servers were members of
the same Windows domain, the attacker had administrative access to all of them. Due to the limited time
of the ongoing investigation we were unable to determine whether all CA servers were used by the
attacker(s). Evidence was found that the following CAs were misused by the attacker(s):
- DigiNotar Cyber CA
- DigiNotar Extended Validation CA
- DigiNotar Public CA - G2
- DigiNotar Public CA 2025
- Koninklijke Notariele Beroepsorganisatie CA
- Stichting TTP Infos CA
The security of the following CAs was compromised, but no evidence of misuse was found (this list is
incomplete):
- Algemene Relatie Services System CA
- CCV CA
- DigiNotar PKIoverheid CA Organisatie - G2
- DigiNotar PKIoverheid CA Overheid en Bedrijven
- DigiNotar Qualified CA
- DigiNotar Root CA
- DigiNotar Root CA Administrative CA
- DigiNotar Root CA G2
- DigiNotar Root CA System CA
- DigiNotar Services 1024 CA
- DigiNotar Services CA
- EASEE-gas CA
- Hypotrust CA
- MinIenM Autonome Apparaten CA - G2
- MinIenM Organisatie CA - G2
- Ministerie van Justitie JEP1 CA
- Nederlandse Orde van Advocaten - Dutch Bar Association
- Orde van Advocaten SubCA Administrative CA
- Orde van Advocaten SubCA System CA
- Renault Nissan Nederland CA
- SNG CA
- TenneT CA 2011
- TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2
- TU Delft CA
For some of these CAs extra security measures were in place (like the CCV CA). This makes it more
unlikely they were misused.
3.3 Misuse
We investigated the OCSP responder log files around the time of the *.google.com incident. That incident
was detected on August 27th. The first known public mention was a posting in a Google forum. The user
(from Iran) was warned by the Google Chrome browser that there was something wrong with the
certificate. The corresponding rogue certificate was created on July 10th.
Based on the OCSP responder logging mentioned above, we were able to extract the following
information. On August 4th the number of requests rose quickly, and kept rising until the certificate was
revoked on August 29th at 19:09. Around 300,000 unique IPs requesting the status of the *.google.com
certificate have been identified. Of these IPs, more than 99% originated from Iran, as illustrated in
Figure 1 [9].
Figure 1: OCSP requests for the rogue *.google.com certificate
A sample of the IPs outside of Iran were found to be mainly Tor exit nodes, proxies and other (VPN)
servers, and almost no direct subscribers.
The list of IP addresses will be handed over to Google. Google can inform their users that during this
period their e-mail might have been intercepted. Not only the e-mail itself but also a login cookie could
have been intercepted. Using this cookie the hacker is able to log in directly to the Gmail mailbox of the
victim and also read the stored e-mails. Besides that, he is able to log in to all other services Google
offers to users, like stored location information from Latitude or documents in Google Docs. Once the
hacker is able to receive his targets' e-mail he is also able to reset passwords of other services like
Facebook and Twitter using the lost password button. The login cookie stays valid for a longer period. It
would be wise for all users in Iran to at least log out and log in again, but even better to change their
passwords.
Other OCSP request logs show some activity on August 30th with a misused *.torproject.org certificate.
None of these requests originated from Iran. However, the OCSP logs cannot prove that rogue
certificates weren't abused between their issue date and revocation date, because some applications
might not use the OCSP protocol for revocation checking.
[9] This static image shows all IP addresses detected. On http://www.youtube.com/watch?v=_eIbNWUyJWQ
you can see the interception of Google users taking place in a timeline.
4 Discussion
4.1 Skills and goal of the hackers
We found that the hackers were active for a longer period of time. They used both known hacker tools
and software and scripts developed specifically for this task. Some of the software gives an amateurish
impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints
from the hacker were left on purpose; the same fingerprints were found in the Comodo breach
investigation of March 2011. Parts of the log files, which would reveal more about the creation of the
signatures, have been deleted.
The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the
hackers is to intercept private communications in Iran.
4.2 Other possible rogue certificates
Using the OCSP responder requests we verify whether the requested serial belongs to a known
certificate. We have seen requests for unknown serials that cannot be matched against a known
certificate. It is possible that these serials belong to a "rogue" certificate, or that they are just bogus
OCSP requests, for instance made by security researchers. It is still possible that other unknown [10]
rogue certificates have been produced.
OCSP logging could still catch other possible rogue certificates based on the number of requests for an
unknown serial, although it is difficult to match the common name with that serial if the certificate in
question is not known.
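The monitoring logic described in section 2.2 and the unknown-serial reasoning in section 4.2 can be sketched in a few dozen lines. The following Python is an added example, not Fox-IT's or DigiNotar's code: the log line format, the serial numbers, the client IP addresses and the threshold of three distinct requesting IPs are all constructed or assumed. It models the responder policy change of September 1st (an unknown serial answered 'revoked' instead of the RFC 2560 default 'good') and the triage of responder logs for known rogue serials and for unknown serials queried from many distinct addresses.

```python
"""Toy OCSP responder log triage, modelled on the monitoring described in
section 2.2 and the unknown-serial reasoning in section 4.2 of the report.
Added example, not Fox-IT's or DigiNotar's code; the log format, serials,
client IPs and threshold are constructed or assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class OcspRequest:
    ts: datetime
    client_ip: str
    serial: str  # certificate serial number as upper-case hex


def responder_status(serial, revoked, issued, unknown_as_revoked=True):
    """Status the responder returns for `serial`.

    RFC 2560 behaviour: a serial with no record is answered 'good'.  The
    report states that on September 1st DigiNotar's responder was set to
    answer 'revoked' for any serial it has no record of; that policy is
    what unknown_as_revoked=True models."""
    serial = serial.upper()
    if serial in revoked:
        return "revoked"
    if serial in issued:
        return "good"
    return "revoked" if unknown_as_revoked else "good"


def parse_log(lines):
    """Parse constructed log lines '<ISO-8601 timestamp> <client ip> serial=<hex>'.
    Blank lines and '#' comments are skipped."""
    requests = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, serial_field = line.split()
        if not serial_field.startswith("serial="):
            raise ValueError(f"malformed line: {line!r}")
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        requests.append(OcspRequest(ts, ip, serial_field[len("serial="):].upper()))
    return requests


def unique_ips_per_serial(requests):
    """Map each serial to the set of distinct client IPs that asked about it."""
    ips = defaultdict(set)
    for r in requests:
        ips[r.serial].add(r.client_ip)
    return ips


def triage(requests, issued, rogue, min_unique_ips=3):
    """Return (rogue_hits, unknown_hot).

    rogue_hits: known fraudulent serials that were queried, with their client
                IPs (the sensor's 'known rogue certificate is being misused' alarm).
    unknown_hot: serials absent from the CA records that were queried from at
                 least min_unique_ips distinct addresses; candidates for further
                 rogue certificates (section 4.2).  A single bogus request, e.g.
                 from a researcher, stays below the threshold."""
    per_serial = unique_ips_per_serial(requests)
    rogue_hits = {s: ips for s, ips in per_serial.items() if s in rogue}
    unknown_hot = sorted(
        s for s, ips in per_serial.items()
        if s not in issued and s not in rogue and len(ips) >= min_unique_ips
    )
    return rogue_hits, unknown_hot


# Constructed sample data (placeholder serials, documentation-range IPs).
ISSUED = {"0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A01"}  # serial present in the CA records
ROGUE = {"0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B02"}   # serial of a known fraudulent certificate
SAMPLE_LOG = """
# constructed lines; not DigiNotar's real log format
2011-08-28T10:00:00Z 203.0.113.10 serial=0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A01
2011-08-28T10:00:05Z 203.0.113.11 serial=0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B02
2011-08-28T10:00:09Z 203.0.113.12 serial=0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B02
2011-08-28T10:01:00Z 203.0.113.20 serial=0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C03
2011-08-28T10:01:01Z 203.0.113.21 serial=0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C03
2011-08-28T10:01:02Z 203.0.113.22 serial=0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C03
2011-08-28T10:01:03Z 203.0.113.22 serial=0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C03
2011-08-28T10:02:00Z 203.0.113.30 serial=0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D04
""".strip().splitlines()

if __name__ == "__main__":
    hits, hot = triage(parse_log(SAMPLE_LOG), ISSUED, ROGUE)
    print("known rogue serials queried:", {s: sorted(ips) for s, ips in hits.items()})
    print("unknown serials queried from many addresses:", hot)
    for s in ("0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A01", "0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C03"):
        print(s, "RFC default:", responder_status(s, ROGUE, ISSUED, unknown_as_revoked=False),
              "| policy of September 1st:", responder_status(s, ROGUE, ISSUED))
```

The threshold on distinct client addresses is what separates a serial that is actually being presented to victims from a one-off probe; the report's own observation that a large number of requests for a single serial is suspicious is the same heuristic. Matching a hot unknown serial back to a common name still requires the certificate itself, which is the limitation section 4.2 points out.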
4.3 Trust in the PKIoverheid and Qualified environment
Although all CA servers have been accessed by a hacker with full administrative access rights, and
attempts have been made to use the running PKI software, we have no proof of generated rogue Qualified
or PKIoverheid certificates. The log files of these CA servers validate as correct and no deleted log files
have been found on these CA servers. This is in contrast to our findings on the other breached CA
servers.
Investigators encountered two (2) serial numbers of certificates on the Qualified or PKIoverheid server
that cannot be related to trusted certificates [11]. Based on this, we cannot rule out the possibility that
these relate to rogue certificates.
4.4 Current network infrastructure at DigiNotar
The successful hack implies that the current network setup and / or procedures at DigiNotar are not
sufficiently secure to prevent this kind of attack.
The most critical servers contain malicious software that can normally be detected by anti-virus software.
The separation of critical components was not functioning or was not in place. We have strong indications
that the CA servers, although physically very securely placed in a TEMPEST-proof environment, were
accessible over the network from the management LAN.
The network has been severely breached. All CA servers were members of one Windows domain, which
made it possible to access them all using one obtained user/password combination. The password was
not very strong and could easily be brute-forced.
The software installed on the public web servers was outdated and not patched.
No antivirus protection was present on the investigated servers.
An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of
the outside web server attacks. No secure central network logging is in place.
[10] Unknown in the sense that we haven't been able to revoke them yet because we don't know of their
existence.
[11] OCSP requests for these serial numbers will result in a 'revoked' reply.
5 Appendix
5.1 Fraudulently issued certificates
The following common names are presumed to belong to certificates generated by the attacker(s):
Common Name                        Number of certs issued
CN=*.*.com                         1
CN=*.*.org                         1
CN=*.10million.org                 2
CN=*.JanamFadayeRahbar.com         1
CN=*.RamzShekaneBozorg.com         1
CN=*.SahebeDonyayeDigital.com      1
CN=*.android.com                   1
CN=*.aol.com                       1
CN=*.azadegi.com                   1
CN=*.balatarin.com                 3
CN=*.comodo.com                    3
CN=*.digicert.com                  2
CN=*.globalsign.com                7
CN=*.google.com                    26
CN=*.logmein.com                   1
CN=*.microsoft.com                 3
CN=*.mossad.gov.il                 2
CN=*.mozilla.org                   1
CN=*.skype.com                     22
CN=*.startssl.com                  1
CN=*.thawte.com                    6
CN=*.torproject.org                14
CN=*.walla.co.il                   2
CN=*.windowsupdate.com             3
CN=*.wordpress.com                 14
CN=Comodo Root CA                  20
CN=CyberTrust Root CA              20
CN=DigiCert Root CA                21
CN=Equifax Root CA                 40
CN=GlobalSign Root CA              20
CN=Thawte Root CA                  45
CN=VeriSign Root CA                21
CN=addons.mozilla.org              17
CN=azadegi.com                     16
CN=friends.walla.co.il             8
CN=login.live.com                  17
CN=login.yahoo.com                 19
CN=my.screenname.aol.com           1
CN=secure.logmein.com              17
CN=twitter.com                     19
CN=wordpress.com                   12
CN=www.10million.org               8
CN=www.Equifax.com                 1
CN=www.balatarin.com               16
CN=www.cia.gov                     25
CN=www.cybertrust.com              1
CN=www.facebook.com                14
CN=www.globalsign.com              1
CN=www.google.com                  12
CN=www.hamdami.com                 1
CN=www.mossad.gov.il               5
CN=www.sis.gov.uk                  10
CN=www.update.microsoft.com        4
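As an added check, not part of the report, the following Python reads the Annex 5.1 list above (transcribed into a string) and reconciles it with the totals in section 3.1: 531 certificates in total, 187 with 'Root CA' in the common name, and 344 with a domain name. The classification rule (names ending in ' Root CA' versus wildcard versus host names) and the `top` helper are the editor's assumptions, not anything the report defines.

```python
"""Reconcile the Annex 5.1 common-name list with the totals in section 3.1.
Added example, not part of the report; ANNEX_5_1 is the annex table
transcribed into a string, and the classification rule is an assumption."""
import re
from collections import Counter

ANNEX_5_1 = """
CN=*.*.com 1
CN=*.*.org 1
CN=*.10million.org 2
CN=*.JanamFadayeRahbar.com 1
CN=*.RamzShekaneBozorg.com 1
CN=*.SahebeDonyayeDigital.com 1
CN=*.android.com 1
CN=*.aol.com 1
CN=*.azadegi.com 1
CN=*.balatarin.com 3
CN=*.comodo.com 3
CN=*.digicert.com 2
CN=*.globalsign.com 7
CN=*.google.com 26
CN=*.logmein.com 1
CN=*.microsoft.com 3
CN=*.mossad.gov.il 2
CN=*.mozilla.org 1
CN=*.skype.com 22
CN=*.startssl.com 1
CN=*.thawte.com 6
CN=*.torproject.org 14
CN=*.walla.co.il 2
CN=*.windowsupdate.com 3
CN=*.wordpress.com 14
CN=Comodo Root CA 20
CN=CyberTrust Root CA 20
CN=DigiCert Root CA 21
CN=Equifax Root CA 40
CN=GlobalSign Root CA 20
CN=Thawte Root CA 45
CN=VeriSign Root CA 21
CN=addons.mozilla.org 17
CN=azadegi.com 16
CN=friends.walla.co.il 8
CN=login.live.com 17
CN=login.yahoo.com 19
CN=my.screenname.aol.com 1
CN=secure.logmein.com 17
CN=twitter.com 19
CN=wordpress.com 12
CN=www.10million.org 8
CN=www.Equifax.com 1
CN=www.balatarin.com 16
CN=www.cia.gov 25
CN=www.cybertrust.com 1
CN=www.facebook.com 14
CN=www.globalsign.com 1
CN=www.google.com 12
CN=www.hamdami.com 1
CN=www.mossad.gov.il 5
CN=www.sis.gov.uk 10
CN=www.update.microsoft.com 4
"""

# 'CN=<name> <count>'; the name may contain spaces, so match it lazily.
LINE_RE = re.compile(r"^CN=(?P<cn>.+?)\s+(?P<count>\d+)$")


def parse_annex(text):
    """Return a list of (common name, number of certificates) pairs."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable annex line: {line!r}")
        rows.append((m["cn"], int(m["count"])))
    return rows


def classify(cn):
    """Assumed rule: names ending in ' Root CA' mimic other CAs' root names
    (the report notes these are ordinary end user certificates, not real CA
    certificates); a '*.' prefix is a wildcard domain; the rest are host names."""
    if cn.endswith(" Root CA"):
        return "root_ca_name"
    if cn.startswith("*."):
        return "wildcard"
    return "host"


def summarize(rows):
    """Totals per category plus the two figures quoted in section 3.1."""
    counts = Counter()
    for cn, n in rows:
        counts[classify(cn)] += n
    counts["domain"] = counts["wildcard"] + counts["host"]
    counts["total"] = sum(n for _, n in rows)
    return dict(counts)


def top(rows, k):
    """The k common names with the most fraudulent certificates."""
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:k]


if __name__ == "__main__":
    rows = parse_annex(ANNEX_5_1)
    print(summarize(rows))   # total 531, root_ca_name 187, domain 344
    print(top(rows, 5))
```

The reconciliation is worth doing because the annex and section 3.1 were produced under time pressure from different sources (the CA databases versus the investigators' own tallies); the fact that the two agree to the certificate is a small but real check on the report's internal consistency.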
5.2 Unknown serial numbers
Root-CA server
On the „Root-CA‟ server the following serials were encountered:
Qualified-CA server
On the 'Qualified-CA' server the following serials were encountered:
C6E2E63E7CA99BBA1361E4FB7245493C
863DE266FB30C5C489BF53F6553088C4
These serials might have been issued by the following CAs:
- DigiNotar PKIoverheid CA Organisatie - G2
- DigiNotar Qualified CA System CA
- DigiNotar Root CA
- DigiNotar Qualified CA Administrative CA
- DigiNotar Qualified CA
- TRIAL DigiNotar PKIoverheid Organisatie TEST CA G2
- TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2
- DigiNotar PKIoverheid CA Overheid en Bedrijven
Taxi-CA server
On the 'Taxi-CA' server the following serials were encountered:
Public-CA server
On the 'Public-CA' server the following serials were encountered:
These serials might have been issued by the following CAs (list incomplete):
- Algemene Relatie Services System CA
- CCV CA
- DigiNotar Cyber CA
- DigiNotar Extended Validation CA
- DigiNotar PKIoverheid CA Organisatie - G2
- DigiNotar PKIoverheid CA Overheid en Bedrijven
- DigiNotar Public CA - G2
- DigiNotar Public CA 2025
- DigiNotar Qualified CA
- DigiNotar Qualified CA Administrative CA
- DigiNotar Qualified CA System CA
- DigiNotar Root CA
- DigiNotar Root CA Administrative CA
- DigiNotar Root CA G2
- DigiNotar Root CA System CA
- DigiNotar Services 1024 CA
- DigiNotar Services CA
- EASEE-gas CA
- Hypotrust CA
- Koninklijke Notariele Beroepsorganisatie CA
- MinIenM Autonome Apparaten CA - G2
- MinIenM Organisatie CA - G2
- Ministerie van Justitie JEP1 CA
- Nederlandse Orde van Advocaten - Dutch Bar Association
- Orde van Advocaten SubCA Administrative CA
- Orde van Advocaten SubCA System CA
- Renault Nissan Nederland CA
- SNG CA
- Stichting TTP Infos CA
- TenneT CA 2011
- TRIAL DigiNotar PKIoverheid Organisatie TEST CA - G2
- TRIAL DigiNotar PKIoverheid Organisatie TEST CA G2
- TU Delft CA
5.3 Plain text left in script to generate signatures on rogue certificates
5.4 Timeline
06-Jun-2011 Possibly first exploration by the attacker(s)
17-Jun-2011 Servers in the DMZ under control of the attacker(s)
19-Jun-2011 Incident detected by DigiNotar through its daily audit procedure
02-Jul-2011 First attempt at creating a rogue certificate
10-Jul-2011 First successful rogue certificate (*.google.com)
20-Jul-2011 Last known successful rogue certificate created
22-Jul-2011 Last outbound traffic to attacker(s) IP (not confirmed)
22-Jul-2011 Start of investigation by IT-security firm (not confirmed)
27-Jul-2011 Delivery of security report by IT-security firm
27-Jul-2011 First rogue *.google.com OCSP request
28-Jul-2011 First observation of rogue certificates being verified from Iran
04-Aug-2011 Start of massive *.google.com activity on the OCSP responder
27-Aug-2011 First mention of the *.google.com certificate in a blog
29-Aug-2011 GOVCERT.NL notified by CERT-BUND
29-Aug-2011 The *.google.com certificate is revoked
30-Aug-2011 Start of investigation by Fox-IT
30-Aug-2011 Incident response sensor active
01-Sep-2011 OCSP responses based on a white list
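The last timeline entry and footnotes 10 and 11 describe the same defensive change: rogue serials the CA never recorded cannot be put on a revocation list, so the responder was switched from answering 'good' for anything not revoked to answering 'good' only for serials on a white list of known legitimate issuance. The following is an added illustration, not code from the report, DigiNotar or Fox-IT; the serials in LEGITIMATE_SERIALS and ROGUE_GOOGLE_SERIAL are constructed placeholders, and UNKNOWN_SERIAL is the first serial listed for the Qualified-CA server in 5.2.

```python
"""Model of blacklist (CRL-style) versus white-list OCSP answering policies.

Added example, not part of the Fox-IT interim report. Under the blacklist
policy any serial absent from the revocation list is answered 'good', so a
rogue certificate of unknown existence (footnote 10) is reported as valid.
Under the white-list policy adopted on 01-Sep-2011 only serials the CA knows
it legitimately issued get 'good'; every other serial gets 'revoked'
(footnote 11), whether it is a known rogue or one never seen before.
"""
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class OcspResponder:
    def __init__(self, issued, revoked, whitelist_mode):
        self.issued = {self._norm(s) for s in issued}
        self.revoked = {self._norm(s) for s in revoked}
        self.whitelist_mode = whitelist_mode

    @staticmethod
    def _norm(serial):
        # Accept "AB:CD:..." or bare hex; compare case- and padding-insensitively.
        return serial.replace(":", "").upper().lstrip("0") or "0"

    def status(self, serial):
        s = self._norm(serial)
        if s in self.revoked:
            return Status.REVOKED          # explicitly revoked under either policy
        if self.whitelist_mode:
            return Status.GOOD if s in self.issued else Status.REVOKED
        return Status.GOOD                 # blacklist policy: not on the CRL means good


# Constructed placeholders: serials the CA legitimately issued, and the revoked rogue one.
LEGITIMATE_SERIALS = ["1A2B3C4D5E6F7081", "00FF00FF00FF00FF"]
ROGUE_GOOGLE_SERIAL = "DEADBEEF00000001"
# Serial of unknown origin listed for the Qualified-CA server in appendix 5.2.
UNKNOWN_SERIAL = "C6E2E63E7CA99BBA1361E4FB7245493C"


def compare_policies(serial):
    """Return (blacklist answer, white-list answer) for one serial."""
    blacklist = OcspResponder(LEGITIMATE_SERIALS, [ROGUE_GOOGLE_SERIAL], False)
    whitelist = OcspResponder(LEGITIMATE_SERIALS, [ROGUE_GOOGLE_SERIAL], True)
    return blacklist.status(serial).value, whitelist.status(serial).value


if __name__ == "__main__":
    for s in LEGITIMATE_SERIALS + [ROGUE_GOOGLE_SERIAL, UNKNOWN_SERIAL]:
        print(s, compare_policies(s))
```

The unknown serial is the case that matters: the blacklist responder vouches for it, the white-list responder rejects it.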