Honey Potz - BSides SLC 2015

•Download as PPTX, PDF•

0 likes•734 views

This document provides an overview of honey pots and the Kippo honey pot in particular. It discusses why honey pots are used for threat intelligence gathering, types of honey pots including low and high interaction, and how Kippo works as a medium interaction SSH honey pot. Specific findings from a Kippo honey pot are presented, including login attempts, successes when default credentials were leaked, and visualizations of attack data with Kippo-Graph. Resources for downloading and hosting Kippo are also listed.

Technology

Disclaimer
The views expressed herein are solely my views and not the views of
my employer, or any other organization with which I am associated. I
am responsible for the content of this presentation.
Likewise, the research conducted and illustrated herein was performed
by me unless otherwise noted.

Audience
lNoobs.
lDon't be afraid to ask questions!
lThose looking to get into the honey pot/threat intelligence
communities.
lThose that already have experience honey potting.

Types of Honey Pots
JUSTA MORSELOF HUNNY

HoneyDrive
Bruteforce.gr
Kippo
Dionaea
Honeyd
Glastopf
Conpot
Thug
Kippo-Graph
Honeyd-Viz
DionaeaFR
ELK Stack

Low Interaction vs. High Interaction
•Actual machine
•Complete functionality
•Can exploit whatever is
exploitable
•Used to observe targeted attacks
•Not easily detectable
•Bifrozt
•Simulation
•Incomplete functionality
•Cannot be used to exploit other
vulnerabilities
•Used to observe behavior
•Often easily detectable
•Kippo

“Kippo is a medium interaction SSH honeypot designed to log brute force
attacks and, most importantly, the entire shell interaction performed by
the attacker.”
https://github.com/desaster/kippo

SimpleWaysTo “Hide” It
•Change the hostname
•Add a login banner
•Edit userdb.txt
•Change file system
•Edit /etc/passwd & /etc/shadow
•Edit script output

Login Attempts vs Successes in the past 30 days - LA
Total attempts: 519
Total successes: 10
Total attempts: 3,924
Total successes: 2

Creds
•Default root/123456 (Top Graph)
•Leaked 14 character password (Bottom Graph)

“Leaking” Creds
•Leaked 14 character password to honeypot of pastebin
•Posted at 1:14AM MST
•Any guesses as to how long it took until someone logged in?

2 Hours 35 Minutes
•First login seen with correct password seen at 3:49 MST.
•Romanian IP Address
•Malicious intent
•Pastebin has over 100 views in 2 minutes (Bots)
•Saw 5 logins from 3 distinct IP addresses in 12 hours

Login Attempts vs Successes in the past 30 days - Canada
Total attempts: 255,059
Total successes: 79
Total attempts: 282,263
Total successes: 0
Hosting Problems
You get what you pay for.
(Cloud At Cost)

Changed userdb.txt
•Rejects most common 100 passwords from the most common 10 usernames (Top
Graph)
•Therefore accepting multiple passwords
•Accepts 7 character password from 5 different usernames
•Yet to be cracked
•Leaked in a key logger dump this morning at 7:53 MST

Changed fs.pickle
•Spun up an Ubuntu box serving DNS
•Used createfs.py to create new fs.pickle
•Yet to see better results
•I will blog about it

Login Attempts vs Successes in the past 30 days - Europe
Total attempts: 429,661
Total successes: 0

Most attacked box
•In the heart of the EU
•Doesn’t get attacked as much as Asian honeypots
•8 character password
•Logon banner in Spanish

Typical malicious session
•Wget/curl some script or executable
•Chmod it
•Execute it
•Delete it
•99% of the time is scripted

Occasional you’ll get a lot more commands

Typical Detection
•Runs ps –a, ifconfig, or cats a standard file
•Sees default Kippo content
•Hops out

Tango Honeypot Intelligence
@Brian_Warehime

Downloads
•Original Kippo: https://github.com/desaster/kippo
•Kippo fork I use: https://github.com/micheloosterhof/kippo
•Supports SFTP and json logging
•Is updated regularly
•DownloadTango: https://apps.splunk.com/app/2666/
•Download Honeydrive: http://sourceforge.net/projects/honeydrive/

Hosting Links
•Crissic – crissic.net ($10/year)
lLA and Florida
•CloudAt Cost – cloudatcost.com ($35/life)
lCanada
•Time4VPS –Time4VPS (€10/year)
lEuropean Union
•Lowendstock.com
•Lowendtalk.com

@Andrew__Morris
@Brian_Warehime
@micheloosterhof
@da_667
@Threat_Inc

Contact
Freenode: chp1n
Twitter: @chp1n
Blog: utzpin.org

The presentation "How overlay networks can make public clouds your global WAN" presented by Ryan Koop on Oct 24, 2013 at LASCON in Austin, TX. Enterprises, organizations and governments are realizing the benefits of cloud flexibility, cost savings, scalability and connectivity. Yet the traditional approach focuses too much on the underlying infrastructure, instead of the applications. So who is making solutions for the people who work at the application layer? Are software-defined things secure? With a focus on application-layer integration, governance and security, overlay networks let developers, and the enterprise apps they work with, use the public clouds as a global WAN network, not just extra storage. Developers can build on top of overlay networking to extend traditional networks to the cloud with added security such as encryption, IPsec connections, VLANs and VPNs into the public cloud networks. Prime examples are the previously cost-prohibitive projects can now use public clouds as global points of presence to create cloud WAN to partners and customers.

How to Scale Your Architecture and DevOps Practices for Big Data Applications

Amazon Web Services

This document discusses how Loggly provides a cloud-based log management solution. It begins by providing background on Loggly, including that it was founded in 2009 and is based in San Francisco. It then discusses how log management has evolved from simple file management to a big data problem. The document uses a case study of how Segment uses Loggly to more easily troubleshoot issues across its many integrations and APIs. It demonstrates how Loggly allows Segment to isolate relevant log data and trace API calls to troubleshoot problems faster.

Fuel cell

Ahmed M. Elkholy

The document discusses hydrogen energy and fuel cells. It provides an introduction and history of fuel cells, explaining their theory of operation. It then discusses hydrogen production and storage methods. The document outlines the different types of fuel cells - alkaline, phosphoric acid, molten carbonate, proton exchange membrane, and solid oxide fuel cells - and compares their characteristics. It also covers fuel cell electrical properties, efficiency comparisons to other technologies, advantages and disadvantages, and applications. The overall document provides a comprehensive overview of hydrogen energy and the different aspects of fuel cells.

Sprint 49 review

ManageIQ

IBM Containers- Bluemix

Virginia Fernandez

A Bluemix offering built on open-source Docker technology. Containers technology originated over 20 years ago with web-hosting vendors seeking to optimize the density of websites residing on each server in a datacenter. IBM, Sun, Google made key contributions to those early iterations. More recently, by isolating an application and its dependencies inside a container, Rocket and Cloud Foundry have evolved standards for working with containers within cloud infrastructure. And Dockerhas eliminated the issues that previously resulted in a containerized application working in one environment but not another. In the context the IBM partnership with Docker, this document provides an overview of IBM Containers as an enterprise-ready solution for using Docker containers.

Raleigh DevDay 2017: Deep Dive on AWS Management Tools

Amazon Web Services

AWS Management Tools provide capabilities to control, gain visibility into, and optimize cloud environments. They include AWS CloudFormation for modeling infrastructure as code, AWS Config for gaining visibility into resource configurations, and AWS CloudTrail and CloudWatch for monitoring user activity and responding to changes. The tools help automate configuration management at scale, simplify compliance, and provide insights to reduce costs and improve performance and security.

Docker security introduction-task-2016

Ricardo Gerardi

This document discusses Docker security. It begins by introducing Docker and containers, then covers securing Docker images through signing and scanning. It discusses how Docker uses namespaces and cgroups for isolation. It also addresses securing the Docker daemon and containers, as well as operational concerns around deployment, networking, monitoring, and logging of containers. It concludes by looking at future directions like unikernels and serverless architectures.

This document discusses monitoring microservices and container-based applications. It begins by explaining why companies are shifting to microservices architectures and container technologies like Docker. It then discusses challenges in monitoring these complex distributed systems and different open source and commercial monitoring options. Finally, it shows how AppDynamics provides unified monitoring of applications, microservices, containers and infrastructure for end-to-end visibility from a single platform.

Better Insights from Your Master Data - Graph Database LA Meetup

Benjamin Nussbaum

Master Data Management, is a practice that involves discovering, cleaning, housing, and governing data. Data architects for enterprises require a data model that offers ad hoc, variable, and flexible structures as business needs are constantly changing. We'll be discussing the benefits of using the Neo4j graph database for Master Data Management including the flexible schema free data model, concepts of layering in data, keeping your data current and flowing and then the benefits of connected data analytics and real-time recommendations that can result. An overview of MDM with Neo4j https://www.graphgrid.com/graph-advantage-master-data-management/ The demo portion of the presentation is here: https://youtu.be/_GnDiwngnXk

Deploy Microservices in the Real World

Elana Krasner

Arquitecturas de microservicios - Medianet Software

Ernesto Hernández Rodríguez

This document discusses microservices architectures and provides examples of tools used in microservices architectures like those implemented at Netflix. It describes common microservices patterns like service discovery (Eureka), configuration management (Archaius), load balancing (Ribbon), circuit breaking (Hystrix), monitoring (Turbine), edge services (Zuul), and logging (Blitz4j). It also discusses using these tools with Spring Cloud and provides code samples for configuring services using Netflix OSS and Spring Cloud.

What is dev ops?

Mukta Aphale

The document discusses how concepts from manufacturing such as car assembly lines and testing can be applied to software development using DevOps. It provides an overview of fundamental DevOps concepts like version control, continuous integration, continuous delivery, configuration management, artifact management, monitoring and how automating these can help build software more efficiently similar to how manufacturing uses automation. It also outlines an assignment to set up a basic CI/CD pipeline from source code to deployment to get hands-on experience with DevOps tools and processes.

Cloud Security Best Practices - Part 2

Cohesive Networks

How to Build a High Performance Application Using Cloud Foundry and Redis (Cl...

VMware Tanzu

Technical Track presented by Yiftach Shoolman, CTO & Co-Founder of Redis Labs. Why Redis? Redis is one of the top 3 databases chosen by developers. Redis is the fastest database available today has many attractive data types and commands for powering modern applications. In this session, you will learn: Why companies like Twitter, Pinterest, and GitHub rely on Redis as a critical infrastructure component. How to leverage Redis for real time analytics, social app functionality, job management, geo-search, and many other use cases. How to utilize CloudFoundry’s PaaS offering to build and maintain an infinitely scalable, highly available, top performing, and fully managed Redis database to power your application.

Automated Infrastructure Security: Monitoring using FOSS

Sonatype

Madhu Akula, Automation Ninja We can see attacks happening in real time using a dashboard. By collecting logs from various sources we will monitor & analyse. Using data gleaned from the logs, we can apply defensive rules against the attackers. We will use AWS for managing and securing the infrastructure discussed in our talk. For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and in real time making the right choices can prove to be a nightmare. Even with the solutions already available in the market. As I have experienced this myself, as part of the Internal DevOps and Incident Response Teams, in several cases, I would want to create a space for interested folks to design, build, customise and deploy their very own FOSS based centralised visual attack monitoring dashboard. This setup would be able to perform real time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.

Cisco Network Functions Virtualization Infrastructure (NFVI)

Cisco Russia

Monitor all the cloud things - security monitoring for everyone

Duncan Godfrey

The document provides an introduction to security monitoring in cloud services. It discusses how to monitor cloud services by collecting logs through APIs and storing them in platforms like Splunk or Elastic Stack. It recommends analyzing the collected data to create security events, taking action like sending alerts, and having processes for tuning and triage. Opportunities in security monitoring include making it accessible for everyone and contributing to open source projects.

Fluentd v1.0 in a nutshell

N Masahiro

This document summarizes Fluentd v1.0 and provides details about its new features and release plan. It notes that Fluentd v1.0 will provide stable APIs and compatibility with previous versions while improving plugin APIs, adding Windows and multicore support, and increasing event time resolution to nanoseconds. The release is planned for Q3 2017 to allow feedback on v0.14 before finalizing v1.0 features.

6 Million Ways To Log In Docker - NYC Docker Meetup 12/17/2014

Christian Beedgen

The document discusses various ways to log data from Docker containers, including: 1. Logging directly from applications by configuring them to send logs to syslog or using logging libraries. 2. Installing a file collector inside each container or as its own container to collect logs written to files within containers. 3. Installing a syslog collector container and linking containers to it so they can send logs to the collector via syslog. 4. Mounting the host's /dev/log directory in containers so their processes write to the host's syslog.

IBM Bluemix Nice meetup #5 - 20170504 - Container Service based on Kubernetes

IBM France Lab

1. IBM Cloud Platform offers a portfolio of services including containers, Cloud Foundry, event-driven apps, infrastructure services, and more. 2. Bluemix Public is available in 5 regions globally and supports containers, virtual servers, and Cloud Foundry apps to meet developer needs with flexibility and efficiency. 3. IBM Container Service provides fully dedicated and customizable Kubernetes clusters integrated with Bluemix services for containerized applications.

Cloud adoption patterns April 11 2016

Kyle Brown

This document discusses cloud adoption patterns to help organizations integrate cloud solutions into their IT strategies. It introduces the concept of patterns and pattern languages as solutions to problems in context. The document outlines categories of cloud adoption patterns and provides examples of patterns for application architecture, deployment styles, data caching, and more. It also discusses considerations for migrating applications to the cloud through lift and shift, cloud tuning, or cloud-centric redesign. The goal is to provide guidance to organizations on evaluating workloads and adopting cloud technologies.

Security Realism in Education

Tajul Azhar Mohd Tajul Ariffin

Introduction to Data Modeling in Cassandra

Jim Hatcher

Jim Hatcher gave a presentation on introducing data modeling with Apache Cassandra. He discussed how Cassandra works by distributing data across nodes and replicating data. He also covered CQL for querying Cassandra, embracing denormalization in data modeling, using an appropriate key structure, and some advanced Cassandra techniques. The presentation provided an overview of modeling data in Cassandra and resources for further learning.

Question 7

Steve Jameson

The document compares the author's preliminary task to their final piece in terms of organization, research, camera work, editing, and sound. In the preliminary, clothing was changed between clips showing a lack of planning, shots were mainly mid-range with few close-ups, transitions between clips only used fades, and there was no music or emotional voiceover. However, in the final piece clothing remained consistent, more close-ups were used, cuts replaced fades for better continuity, and voiceover was confident and portrayed character emotion. These improvements showed better organization, camera work, editing, and use of sound.

How Cisco Migrated from MapReduce Jobs to Spark Jobs - StampedeCon 2015

StampedeCon

At the StampedeCon 2015 Big Data Conference: The starting point for this project was a MapReduce application that processed log files produced by the support portal. This application was running on Hadoop with Ruby Wukong. At the time of the project start it was underperforming and did not show good scalability. This made the case for redesigning it using Spark with Scala and Java. Initial review of the Ruby code revealed that it was using disk IO excessively, in order to communicate between MapReduce jobs. Each job was implemented as a separate script passing large data volumes through. Spark is more efficient in managing intermediate data passed between MapReduce jobs – not only it keeps it in memory whenever possible, it often eliminates the need for intermediate data at all. However, that alone not brought us much improvement since there were additional bottlenecks at data aggregation stages. The application involved a global data ordering step, followed by several localized aggregation steps. This first global sort required significant data shuffle that was inefficient. Spark allowed us to partition the data and convert a single global sort into many local sorts, each running on a single node and not exchanging any data with other nodes. As a result, several data processing steps started to fit into node memory, which brought about a tenfold performance improvement.

Microservices mit Java EE - am Beispiel von IBM Liberty

Michael Hofmann

Viele Unternehmen versprechen sich derzeit einiges vom aktuellen Architektur-Trend: Microservices. Unter anderem verbinden sie damit die Hoffnung bestimmte Architektur-Probleme in den Griff zu bekommen: Stichwort Monolith. Dabei stellen sich Entwicklungsorganisationen mit einem Fokus auf Java EE-Technologien die Frage, ob und wie sie mit ihren Java EE-Mitteln optimal Microservices implementieren können. Im Gegenzug erweitern oder verändern Java EE-Hersteller ihre Produkte, um den Trend der Microservices gerecht zu werden. Ziel des Vortrages soll es sein, am Beispiel von IBM's WebSphere Liberty Profile Server zu verdeutlichen, welche Vorteile bzw. Nachteile der Java EE-Ansatz bringen kann. Dabei wird nicht nur auf technologische Aspekte, sondern auch auf organisatorische Problemstellungen eingegangen. Themen wie DevOps und Continous Delivery werden dabei am Rande auch betrachtet. Abgerundet wird das Ganze mit Hinweisen auf bekannte Fallbeispiele, wie z.B. Netflix, um weitere Denkanstöße zu geben.

Don't Get Hacked

YTH

Tim Strazzere provides tips on how to avoid being hacked. His main points are: 1) The number one rule is to not fight for your devices and prepare for the loss of any device. 2) Passwords should never be shared as sharing passwords is the most common way people get hacked. 3) Enable two-factor authentication on accounts and use a password manager to generate strong, unique passwords in order to protect accounts even if a device is lost or stolen.

OSINT Black Magic: Listen who whispers your name in the dark!!!

Nutan Kumar Panda

Open Source Intelligence is the art of collecting information which is scattered on publicly available sources. With evolution of social media and digital marketplaces a huge amount of information is constantly generated on the Internet (sometimes even without our conscious consent). This is of great concern for organizations and businesses as chances of confidential data floating in the public domain may seriously harm their business integrity. All recent hacks are related to internal source code disclosure, API keys leakage, known vulnerability in third party plugin, data dump leaks etc. Based on experience and robust research in this domain, for this talk the speakers have created a tool which will help all kind of organizations to monitor cyberspace effectively without much investment. This tool is simple but an effective solution which is capable of hearing digital whispers which are usually missed or ignored but shouldn’t be.

Blackmagic Open Source Intelligence OSINT

Sudhanshu Chauhan

This document discusses open source intelligence (OSINT) and a solution for integrating various open source OSINT tools into a single platform. It introduces the presenters and provides an agenda that will cover what OSINT is, why it is useful, examples of recent hacks, challenges organizations face, available solutions, and a demonstration of their integrated platform. The platform aims to make OSINT capabilities more accessible and help detect sensitive information exposed online that could pose security risks. The presentation concludes by thanking contributors to open source projects and welcoming questions.

Viewers also liked

Get complete visibility into containers based application environment

AppDynamics

Better Insights from Your Master Data - Graph Database LA Meetup

Benjamin Nussbaum

Deploy Microservices in the Real World

Elana Krasner

Arquitecturas de microservicios - Medianet Software

Ernesto Hernández Rodríguez

What is dev ops?

Mukta Aphale

Cloud Security Best Practices - Part 2

Cohesive Networks

How to Build a High Performance Application Using Cloud Foundry and Redis (Cl...

VMware Tanzu

Automated Infrastructure Security: Monitoring using FOSS

Sonatype

Cisco Network Functions Virtualization Infrastructure (NFVI)

Cisco Russia

Monitor all the cloud things - security monitoring for everyone

Duncan Godfrey

Fluentd v1.0 in a nutshell

N Masahiro

6 Million Ways To Log In Docker - NYC Docker Meetup 12/17/2014

Christian Beedgen

IBM Bluemix Nice meetup #5 - 20170504 - Container Service based on Kubernetes

IBM France Lab

Cloud adoption patterns April 11 2016

Kyle Brown

Security Realism in Education

Tajul Azhar Mohd Tajul Ariffin

Introduction to Data Modeling in Cassandra

Jim Hatcher

Question 7

Steve Jameson

How Cisco Migrated from MapReduce Jobs to Spark Jobs - StampedeCon 2015

StampedeCon

Microservices mit Java EE - am Beispiel von IBM Liberty

Michael Hofmann

Viewers also liked (19)

Get complete visibility into containers based application environment

Better Insights from Your Master Data - Graph Database LA Meetup

Deploy Microservices in the Real World

Arquitecturas de microservicios - Medianet Software

What is dev ops?

Cloud Security Best Practices - Part 2

How to Build a High Performance Application Using Cloud Foundry and Redis (Cl...

Automated Infrastructure Security: Monitoring using FOSS

Cisco Network Functions Virtualization Infrastructure (NFVI)

Monitor all the cloud things - security monitoring for everyone

Fluentd v1.0 in a nutshell

6 Million Ways To Log In Docker - NYC Docker Meetup 12/17/2014

IBM Bluemix Nice meetup #5 - 20170504 - Container Service based on Kubernetes

Cloud adoption patterns April 11 2016

Security Realism in Education

Introduction to Data Modeling in Cassandra

Question 7

How Cisco Migrated from MapReduce Jobs to Spark Jobs - StampedeCon 2015

Microservices mit Java EE - am Beispiel von IBM Liberty

Similar to Honey Potz - BSides SLC 2015

Don't Get Hacked

YTH

OSINT Black Magic: Listen who whispers your name in the dark!!!

Nutan Kumar Panda

Blackmagic Open Source Intelligence OSINT

Sudhanshu Chauhan

How To Run a 5 Whys (With Humans, Not Robots)

Dan Milstein

Doonish

betabeers

The document describes Doonish, an online trivia game inspired by Trivial Pursuit. Players can create and answer questions in different categories. The game was first created in 2007 and redesigned in 2010. It is developed by a team of 4 programmers using technologies like a naive Bayes text classifier, tagging engine, and Wikipedia text integration to enhance the questions. The goal is to build the game using known technologies to minimize learning time.

Doonish

betabeers

The document describes Doonish, an online trivia game inspired by Trivial Pursuit. Players can create and answer questions in different categories. The game was first created in 2007 and redesigned in 2010. It is developed by a team of 4 programmers using technologies like a naive Bayes text classifier, tagging engine, and Wikipedia text to enhance questions. The goal is to build the game using known technologies to minimize learning time and optimize elements like SEO, user experience, and content approval processes.

Corp Web Risks and Concerns

PINT Inc

The document discusses various risks facing organizations with a web presence and provides recommendations to address those risks. It identifies issues such as security vulnerabilities, privacy concerns, social media risks, and analytics inaccuracies. It recommends that organizations conduct security audits, monitor their websites for hackability, disclose any required information, and stay aware of their site's performance, uptime, and what search engines are indexing about them.

11 Commandments of Cyber Security for the Home

zaimorkai

The document provides 11 commandments of cyber security for home users. The commandments are: 1) pay attention, 2) use anti-malware software, 3) use firewalls, 4) update all software and systems regularly, 5) use strong passwords and multi-factor authentication, 6) backup data regularly, 7) trust but verify suspicious messages and links, 8) secure your home network, 9) use a VPN for public WiFi, 10) be wary of things that seem too good to be true, and 11) the attacker will likely move on to easier targets if you follow cyber security best practices. Examples and explanations are provided for each commandment.

How to Run a Post-Mortem (With Humans, Not Robots), Velocity 2013

Dan Milstein

Owning windows 8 with human interface devices

Nikhil Mittal

This document discusses using human interface devices like the Teensy microcontroller in penetration tests against Windows 8 systems. It introduces the Kautilya toolkit for programming Teensy payloads and demonstrates attacks against Windows 8 by connecting the Teensy and executing payloads with the privileges of the logged-in user. Limitations of this technique include storage limits on Teensy and an inability to read responses or clear itself after running. Defenses include disabling removable devices or locking USB ports.

Clean Manifests with Puppet::Tidy

Puppet

This document discusses Puppet::Tidy, a tool for formatting Puppet manifests. Puppet::Tidy works by parsing manifests line-by-line and applying transformations to lines that match certain criteria in order to standardize formatting. The talk describes how Puppet::Tidy currently works, examples of checks it performs, and ideas for future improvements such as incorporating more semantic knowledge and using a full parser.

Defcon 23 - David Huerta - alice and bob are really confused

Felipe Prado

Alice and Bob want to communicate privately but Eve is spying on them. Alice learns about cryptography at a crypto party and learns how to use tools like PGP and Signal to encrypt her messages. The document discusses challenges with usability and interoperability of encryption tools and lessons learned about user interface design for cryptography from 1992, 1999, and 2015. It provides tips on tools like Pidgin, ChatSecure, and in-browser PGP solutions but also notes continued challenges with adoption of encryption.

Dark Patterns in UX

Nomensa

Dylan Thomas' presentation from World Usability Day on 14th November 2013. Dark patterns are anti-patterns with a nefarious purpose - intentionally flawed designs. Carefully-crafted ‘bad’ designs; built with a pinch of psychology and a healthy dose of trickery. This is an introduction to this interesting, and often fun, side of web design and some of the methods used by companies to swindle and snare their users. This is not user-centred design!

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...

Andrew Morris

This document summarizes how to track threat actors on a budget by setting up honeypots to monitor attacks. It describes tracking a group in China that spreads malware via SSH passwords. Samples of the group's malware were analyzed, revealing DNS servers and routers as targets for DDoS attacks. The communication protocol was reversed to identify targets in real-time. This provided insights into the group's operations and infrastructure to block.

Optimizing for change: Taking risks safely & e-commerce

Kellan

This document discusses techniques for optimizing software development for continuous change. It recommends (1) frequently pushing small code changes using techniques like feature flags, (2) using metrics to measure everything and provide feedback, and (3) automating analysis of metrics to identify issues. The goal is to safely take more risks by avoiding large mistakes through continuous deployment and monitoring systems closely.

Jason Yee - Chaos! - Codemotion Rome 2019

Codemotion

Social Zombies II: Your Friends Need More Brains

Tom Eston

In Social Zombies II: Your Friends Need More Brains, Tom Eston, Kevin Johnson and Robin Wood continue the Zombie invasion from "Social Zombies: Your Friends want to eat Your Brains" presented at DEFCON 17. This presentation will further examine the risks of social networks and then present new techniques and tools that can be used to exploit these issues. This presentation begins by discussing new twists on existing privacy concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses social network botnets and bot programs. Both the delivery of malware through social networks and the use of these social networks as command and control channels will be examined. Tom, Kevin and Robin next explore the use of browser-based bots and their delivery through custom social network applications and show new ways social network applications can be used for malware delivery. Finally, the information available through the social network APIs is explored using third-party applications designed for penetration testing. This allows for complete coverage of the targets and their information. This was presented at Shmoocon 2010 on February 6, 2010.

FUEL_USERS_GROUP

Will Pearce

Purple teaming involves collaborating red and blue teams to improve cybersecurity. By using red team tactics, blue teams can practice detecting and responding to active threats. This helps validate tools and processes, find gaps in detection and response, and ensures organizations are prepared to handle real-world attacks. It differs from traditional penetration testing by focusing more on detection and response rather than just finding vulnerabilities. The goal is to gain confidence in incident response plans through practical exercises.

Phish training final

Jen Ruhman

This document provides an overview of cybersecurity threats and preventive measures. It discusses the main causes of data breaches being human error, process failures, and malicious attacks. Common cyber threats include malware, phishing, and social engineering. The document provides tips for safe password usage, internet protection on public networks and IoT devices, and email security through the use of two-factor authentication and secure attachment policies. The overall message is that cybersecurity requires vigilance across all areas like passwords, email, web browsing, and devices in order to prevent data breaches and malware infections.

Basic Security for Digital Companies - #MarketersUnbound (2014)

Justin Bull

Similar to Honey Potz - BSides SLC 2015 (20)

Don't Get Hacked

OSINT Black Magic: Listen who whispers your name in the dark!!!

Blackmagic Open Source Intelligence OSINT

How To Run a 5 Whys (With Humans, Not Robots)

Doonish

Corp Web Risks and Concerns

11 Commandments of Cyber Security for the Home

How to Run a Post-Mortem (With Humans, Not Robots), Velocity 2013

Owning windows 8 with human interface devices

Clean Manifests with Puppet::Tidy

Defcon 23 - David Huerta - alice and bob are really confused

Dark Patterns in UX

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...

Optimizing for change: Taking risks safely & e-commerce

Jason Yee - Chaos! - Codemotion Rome 2019

Social Zombies II: Your Friends Need More Brains

FUEL_USERS_GROUP

Phish training final

Basic Security for Digital Companies - #MarketersUnbound (2014)

Recently uploaded

How to use Firebase Data Connect For Flutter

Daiki Mogmet Ito

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

GenAI Pilot Implementation in the organizations

kumardaparthi1024

Serial Arm Control in Real Time Presentation

tolgahangng

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/ Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit. In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing. van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.

Presentation of the OECD Artificial Intelligence Review of Germany

innovationoecd

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Speck&Tech

ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune. Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile. BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

Mind map of terminologies used in context of Generative AI

Kumud Singh

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Infrastructure Challenges in Scaling RAG with Custom AI models

Zilliz

Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

Recently uploaded (20)

How to use Firebase Data Connect For Flutter

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

20240607 QFM018 Elixir Reading List May 2024

GenAI Pilot Implementation in the organizations

Serial Arm Control in Real Time Presentation

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

Climate Impact of Software Testing at Nordic Testing Days

Artificial Intelligence for XMLDevelopment

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Presentation of the OECD Artificial Intelligence Review of Germany

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Removing Uninteresting Bytes in Software Fuzzing

Pushing the limits of ePRTC: 100ns holdover for 100 days

“I’m still / I’m still / Chaining from the Block”

Mind map of terminologies used in context of Generative AI

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Infrastructure Challenges in Scaling RAG with Custom AI models

Best 20 SEO Techniques To Improve Website Visibility In SERP

Honey Potz - BSides SLC 2015

1. Honey Potz ETHAN DODGE (CHP1N)

2. Disclaimer The views expressed herein are solely my views and not the views of my employer, or any other organization with which I am associated. I am responsible for the content of this presentation. Likewise, the research conducted and illustrated herein was performed by me unless otherwise noted.

3. Audience lNoobs. lDon't be afraid to ask questions! lThose looking to get into the honey pot/threat intelligence communities. lThose that already have experience honey potting.

4. Honey Potz BEWARE OF ADDICTION

5. Why Honey Pots?

6. Threat Intel?

7. Threat Intel?

8. Types of Honey Pots JUSTA MORSELOF HUNNY

9. HoneyDrive Bruteforce.gr Kippo Dionaea Honeyd Glastopf Conpot Thug Kippo-Graph Honeyd-Viz DionaeaFR ELK Stack

10. Low Interaction vs. High Interaction •Actual machine •Complete functionality •Can exploit whatever is exploitable •Used to observe targeted attacks •Not easily detectable •Bifrozt •Simulation •Incomplete functionality •Cannot be used to exploit other vulnerabilities •Used to observe behavior •Often easily detectable •Kippo

11. Kippo THE GOODANDTHE BAD

12. “Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.” https://github.com/desaster/kippo

13. How KippoWorks

14. HowTo Detecet Kippo

15. HowTo Detecet Kippo

16. SimpleWaysTo “Hide” It •Change the hostname •Add a login banner •Edit userdb.txt •Change file system •Edit /etc/passwd & /etc/shadow •Edit script output

17. Findings

18. Login Attempts vs Successes in the past 30 days - LA Total attempts: 519 Total successes: 10 Total attempts: 3,924 Total successes: 2

19. Creds •Default root/123456 (Top Graph) •Leaked 14 character password (Bottom Graph)

20. “Leaking” Creds •Leaked 14 character password to honeypot of pastebin •Posted at 1:14AM MST •Any guesses as to how long it took until someone logged in?

21. 2 Hours 35 Minutes •First login seen with correct password seen at 3:49 MST. •Romanian IP Address •Malicious intent •Pastebin has over 100 views in 2 minutes (Bots) •Saw 5 logins from 3 distinct IP addresses in 12 hours

22. Login Attempts vs Successes in the past 30 days - Canada Total attempts: 255,059 Total successes: 79 Total attempts: 282,263 Total successes: 0 Hosting Problems You get what you pay for. (Cloud At Cost)

23. Changed userdb.txt •Rejects most common 100 passwords from the most common 10 usernames (Top Graph) •Therefore accepting multiple passwords •Accepts 7 character password from 5 different usernames •Yet to be cracked •Leaked in a key logger dump this morning at 7:53 MST

24. Changed fs.pickle •Spun up an Ubuntu box serving DNS •Used createfs.py to create new fs.pickle •Yet to see better results •I will blog about it

25. Login Attempts vs Successes in the past 30 days - Europe Total attempts: 429,661 Total successes: 0

26. Most attacked box •In the heart of the EU •Doesn’t get attacked as much as Asian honeypots •8 character password •Logon banner in Spanish

27. Typical malicious session •Wget/curl some script or executable •Chmod it •Execute it •Delete it •99% of the time is scripted

28. Occasional you’ll get a lot more commands

29. Typical Detection •Runs ps –a, ifconfig, or cats a standard file •Sees default Kippo content •Hops out

30. KippoVisualization THE OLDANDTHE NEW

31. Kippo-Graph

32. Kippo-Graph

33. Kippo-Graph

34. Tango Honeypot Intelligence @Brian_Warehime

35. DemoTime

36. Downloads •Original Kippo: https://github.com/desaster/kippo •Kippo fork I use: https://github.com/micheloosterhof/kippo •Supports SFTP and json logging •Is updated regularly •DownloadTango: https://apps.splunk.com/app/2666/ •Download Honeydrive: http://sourceforge.net/projects/honeydrive/

37. Hosting Links •Crissic – crissic.net ($10/year) lLA and Florida •CloudAt Cost – cloudatcost.com ($35/life) lCanada •Time4VPS –Time4VPS (€10/year) lEuropean Union •Lowendstock.com •Lowendtalk.com

38. @Andrew__Morris @Brian_Warehime @micheloosterhof @da_667 @Threat_Inc

39. Contact Freenode: chp1n Twitter: @chp1n Blog: utzpin.org

40. el fin.

Honey Potz - BSides SLC 2015

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (19)

Similar to Honey Potz - BSides SLC 2015

Similar to Honey Potz - BSides SLC 2015 (20)

Recently uploaded

Recently uploaded (20)

Honey Potz - BSides SLC 2015

Editor's Notes