We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific security alerts. Host based detectors will tell us about known malware infestations or weird new startup items. Network based detectors see potential C2 callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, “I think I have like Stuxnet or conficker or something on my laptop.”
When alerts fire, our incident response team’s first goal is to “stop the bleeding” – to contain and then eradicate the threat. Next, we move to “root cause the alert” – figuring out exactly what happened and how we’ll prevent it in the future. One of our primary tools for root causing OS X alerts is OSXCollector.
OSXCollector (https://github.com/Yelp/OSXCollector) is an open source forensic evidence collection and analysis toolkit for OS X. It was developed in-house at Yelp to automate the digital forensics and incident response (DFIR) our crack team of responders had been doing manually.
This document provides an overview of Gatekeeper, Apple's built-in macOS security feature that aims to block unauthorized code from being installed or run on a user's system. It discusses how Gatekeeper works under the hood, including how it uses file quarantine attributes and the launchservices framework to check for and potentially block execution of apps from untrusted developers. The document also examines ways that Gatekeeper's protections can be bypassed or understood in more detail.
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
The document discusses geolocation features in mobile apps and potential security issues. It provides an overview of how geolocation works on iOS, code examples for implementing geolocation in Swift, and discusses common classes of geolocation bugs that could compromise a user's location privacy. These include insecure network communications, insecure local storage of location data, location spoofing, collecting overly precise location data, and user interface errors.
Attacking Oracle with the Metasploit FrameworkChris Gates
The document discusses attacking Oracle databases using Metasploit. It provides an overview of the current Metasploit support for Oracle and new support being added, including TNS and Oracle mixins to simplify interactions. It then outlines an Oracle attack methodology involving locating systems, determining version/SID, bruteforcing credentials, escalating privileges via SQL injection in default packages, manipulating data, and covering tracks. Examples are given of modules that implement each part of the methodology.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Most every organization in the world have something in common – they have had websites compromised in some way. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.
The document discusses the uncertainties that come with cloud security due to unknown devices and applications running in cloud environments. It advocates for automating security monitoring and response to help reduce dwell times for attackers. Specific techniques recommended include using Linux auditing tools to monitor processes, logins and network activity across cloud instances and storing the data in a backend for analysis to detect anomalies. Monitoring APIs and authentications is also suggested to detect compromised credentials or suspicious activity. The document stresses the importance of automating security to keep pace with threats in cloud environments.
The document discusses integrating HashiCorp Vault with Kubernetes applications to securely store and distribute secrets without requiring code changes. It provides an overview of how Vault solves problems with perimeter-based security and outlines approaches for initial token authentication, reading secrets, and token renewal within pods. The document also shares a Terraform module example for fully configuring Vault, Kubernetes roles, policies and secret engines for an application.
This document provides an overview of Gatekeeper, Apple's built-in macOS security feature that aims to block unauthorized code from being installed or run on a user's system. It discusses how Gatekeeper works under the hood, including how it uses file quarantine attributes and the launchservices framework to check for and potentially block execution of apps from untrusted developers. The document also examines ways that Gatekeeper's protections can be bypassed or understood in more detail.
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack
The document discusses geolocation features in mobile apps and potential security issues. It provides an overview of how geolocation works on iOS, code examples for implementing geolocation in Swift, and discusses common classes of geolocation bugs that could compromise a user's location privacy. These include insecure network communications, insecure local storage of location data, location spoofing, collecting overly precise location data, and user interface errors.
Attacking Oracle with the Metasploit FrameworkChris Gates
The document discusses attacking Oracle databases using Metasploit. It provides an overview of the current Metasploit support for Oracle and new support being added, including TNS and Oracle mixins to simplify interactions. It then outlines an Oracle attack methodology involving locating systems, determining version/SID, bruteforcing credentials, escalating privileges via SQL injection in default packages, manipulating data, and covering tracks. Examples are given of modules that implement each part of the methodology.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Most every organization in the world have something in common – they have had websites compromised in some way. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.
The document discusses the uncertainties that come with cloud security due to unknown devices and applications running in cloud environments. It advocates for automating security monitoring and response to help reduce dwell times for attackers. Specific techniques recommended include using Linux auditing tools to monitor processes, logins and network activity across cloud instances and storing the data in a backend for analysis to detect anomalies. Monitoring APIs and authentications is also suggested to detect compromised credentials or suspicious activity. The document stresses the importance of automating security to keep pace with threats in cloud environments.
The document discusses integrating HashiCorp Vault with Kubernetes applications to securely store and distribute secrets without requiring code changes. It provides an overview of how Vault solves problems with perimeter-based security and outlines approaches for initial token authentication, reading secrets, and token renewal within pods. The document also shares a Terraform module example for fully configuring Vault, Kubernetes roles, policies and secret engines for an application.
Development Security Framework based on Owasp Esapi for JSF2.0Rakesh Kachhadiya
This document discusses developing a security framework for JavaServer Faces (JSF) 2.0 based on the OWASP Enterprise Security API (ESAPI). It introduces ESAPI and JSF, describes how ESAPI can be integrated into JSF at the model, view, and controller levels, and outlines the project goals of providing an ESAPI library to reduce developer work and securely implement features like authorization, validation, and filtering. It presents demos and concludes by seeking feedback on addressing common JSF vulnerabilities.
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianLiang Chen
With the popularity of Apple's system, many OS X kernel vulnerabilities were discovered by fuzzing IOKit. OS X kernel exploitation technology has developed in the past few years, yet recent Apple patches have mitigated most of those technology to avoid generic address leak as well as zone Feng Shui approaches, which, as a result, make harder to exploit OS X kernel vulnerabilities.
In the first part of this talk, we will show several vulnerabilities discovered by KeenTeam whose details have never been published before. Then we conclude about several root causes to Apple IOKit driver's weakness, and how to take advantage of those weakness to find bugs more efficiently.
The second part will cover how to exploit a vulnerability in such case, and how to pave a road from crash to root with the presence of Apple’s new mitigation.
Slides from presentation: "Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)" originally released at Black Hat Asia 2018 in Singapore.
For more information: http://www.danielbohannon.com/presentations/
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheCris Holdorph
The document discusses using various technologies like Ehcache, Hibernate, and Terracotta for distributed caching and clustering. It provides code samples and configuration for using Ehcache as a second-level cache for Hibernate, and using Terracotta to cluster the Ehcache for distributed caching across multiple servers.
Denis Zhuchinski Ways of enhancing application securityАліна Шепшелей
In this lecture we will talk about what you should know and consider in the construction of an application developer to ensure the safe use of confidential user data.
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
The document reports an exception occurring due to a SSL handshake failure between an application and a server. The handshake failed because the application did not have the trust anchor needed to validate the server's certificate path. This led to a javax.net.ssl.SSLHandshakeException being thrown.
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...RootedCON
The document discusses three vulnerabilities in the Android Download Provider and User Dictionary Content Provider. It describes how an app can bypass permissions to access downloads or dictionary words it shouldn't have access to. It also explains how to query the providers via content URIs and exploit lack of input validation. Exploiting these vulnerabilities could allow access to sensitive files or ability to modify dictionary words without permission.
This document provides an overview of big data and the Cosmos big data platform from Telefonica. It discusses what big data is, how much data exists, and common tools for working with big data like Hadoop and MapReduce. It then describes the Cosmos platform, how to create clusters and access data using REST APIs or command line tools. Examples are given for querying data using Hive and writing MapReduce applications.
This document discusses using Fluentd and Norikra to collect, process, and summarize OpenStack logs. Fluentd is used to collect logs from OpenStack components like Nova and forward them to Norikra for processing. Norikra allows logs to be queried and aggregated using SQL. It can summarize logs by hostname, log level, and message to detect issues. Notifications of warnings or errors can then be sent via tools like Slack to alert operators. Together, Fluentd and Norikra provide a scalable log management system that makes it easier to monitor OpenStack deployments and detect problems in large, high-volume log streams.
This document discusses making the Norikra stream processing software more perfect. It outlines how Norikra currently works well for small to medium sites but has limitations for large deployments. The concept of a "Perfect Norikra" is introduced that would add distributed execution, high availability, and dynamic scaling capabilities. A rough design is sketched that involves a new query executor, dataflow manager, and strategies for dynamic scaling through intermediate results and merging across nodes. Challenges mentioned include resource monitoring, multi-tenancy, and supporting queries without aggregations.
이 슬라이드는 개발자를 대상으로 CEP(Complex Event Processing) 소개하기 위한 것입니다.
소프트웨어 공학적인 입장에서 3가지 관점, 즉 범용성, 재사용성, 즉시응답성을 기준으로 CEP의 개념과 기능을 설명하고, 이를 구현한 Data Stream Query 기반 CEP 엔진의 작동방식을 설명합니다.
CEP는 새로운 개념이 아니고, 태초(?)부터 프로그래머들이 계속 해오던 일들입니다. CEP에 대해서 공부하고자 하는 개발자들에게 도움이 되었으면 합니다.
Gatekeeper is a macOS security feature that checks if downloaded apps were signed by identified developers before allowing them to be installed. It aims to protect users by blocking unauthorized code from being installed via the internet. When an unsigned app is downloaded, Gatekeeper displays an alert to get user approval before installation. However, Gatekeeper can be bypassed if malware exploits vulnerabilities to directly download payloads without triggering the quarantine checks. While Gatekeeper prevents many threats, high-tech adversaries may still be able to bypass its protections.
Development Security Framework based on Owasp Esapi for JSF2.0Rakesh Kachhadiya
This document discusses developing a security framework for JavaServer Faces (JSF) 2.0 based on the OWASP Enterprise Security API (ESAPI). It introduces ESAPI and JSF, describes how ESAPI can be integrated into JSF at the model, view, and controller levels, and outlines the project goals of providing an ESAPI library to reduce developer work and securely implement features like authorization, validation, and filtering. It presents demos and concludes by seeking feedback on addressing common JSF vulnerabilities.
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianLiang Chen
With the popularity of Apple's system, many OS X kernel vulnerabilities were discovered by fuzzing IOKit. OS X kernel exploitation technology has developed in the past few years, yet recent Apple patches have mitigated most of those technology to avoid generic address leak as well as zone Feng Shui approaches, which, as a result, make harder to exploit OS X kernel vulnerabilities.
In the first part of this talk, we will show several vulnerabilities discovered by KeenTeam whose details have never been published before. Then we conclude about several root causes to Apple IOKit driver's weakness, and how to take advantage of those weakness to find bugs more efficiently.
The second part will cover how to exploit a vulnerability in such case, and how to pave a road from crash to root with the presence of Apple’s new mitigation.
Slides from presentation: "Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)" originally released at Black Hat Asia 2018 in Singapore.
For more information: http://www.danielbohannon.com/presentations/
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheCris Holdorph
The document discusses using various technologies like Ehcache, Hibernate, and Terracotta for distributed caching and clustering. It provides code samples and configuration for using Ehcache as a second-level cache for Hibernate, and using Terracotta to cluster the Ehcache for distributed caching across multiple servers.
Denis Zhuchinski Ways of enhancing application securityАліна Шепшелей
In this lecture we will talk about what you should know and consider in the construction of an application developer to ensure the safe use of confidential user data.
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
The document reports an exception occurring due to a SSL handshake failure between an application and a server. The handshake failed because the application did not have the trust anchor needed to validate the server's certificate path. This led to a javax.net.ssl.SSLHandshakeException being thrown.
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...RootedCON
The document discusses three vulnerabilities in the Android Download Provider and User Dictionary Content Provider. It describes how an app can bypass permissions to access downloads or dictionary words it shouldn't have access to. It also explains how to query the providers via content URIs and exploit lack of input validation. Exploiting these vulnerabilities could allow access to sensitive files or ability to modify dictionary words without permission.
This document provides an overview of big data and the Cosmos big data platform from Telefonica. It discusses what big data is, how much data exists, and common tools for working with big data like Hadoop and MapReduce. It then describes the Cosmos platform, how to create clusters and access data using REST APIs or command line tools. Examples are given for querying data using Hive and writing MapReduce applications.
This document discusses using Fluentd and Norikra to collect, process, and summarize OpenStack logs. Fluentd is used to collect logs from OpenStack components like Nova and forward them to Norikra for processing. Norikra allows logs to be queried and aggregated using SQL. It can summarize logs by hostname, log level, and message to detect issues. Notifications of warnings or errors can then be sent via tools like Slack to alert operators. Together, Fluentd and Norikra provide a scalable log management system that makes it easier to monitor OpenStack deployments and detect problems in large, high-volume log streams.
This document discusses making the Norikra stream processing software more perfect. It outlines how Norikra currently works well for small to medium sites but has limitations for large deployments. The concept of a "Perfect Norikra" is introduced that would add distributed execution, high availability, and dynamic scaling capabilities. A rough design is sketched that involves a new query executor, dataflow manager, and strategies for dynamic scaling through intermediate results and merging across nodes. Challenges mentioned include resource monitoring, multi-tenancy, and supporting queries without aggregations.
이 슬라이드는 개발자를 대상으로 CEP(Complex Event Processing) 소개하기 위한 것입니다.
소프트웨어 공학적인 입장에서 3가지 관점, 즉 범용성, 재사용성, 즉시응답성을 기준으로 CEP의 개념과 기능을 설명하고, 이를 구현한 Data Stream Query 기반 CEP 엔진의 작동방식을 설명합니다.
CEP는 새로운 개념이 아니고, 태초(?)부터 프로그래머들이 계속 해오던 일들입니다. CEP에 대해서 공부하고자 하는 개발자들에게 도움이 되었으면 합니다.
Gatekeeper is a macOS security feature that checks if downloaded apps were signed by identified developers before allowing them to be installed. It aims to protect users by blocking unauthorized code from being installed via the internet. When an unsigned app is downloaded, Gatekeeper displays an alert to get user approval before installation. However, Gatekeeper can be bypassed if malware exploits vulnerabilities to directly download payloads without triggering the quarantine checks. While Gatekeeper prevents many threats, high-tech adversaries may still be able to bypass its protections.
The document provides an introduction to secure coding in Java. It discusses the Open Web Application Security Project (OWASP) and its mission to improve software security. It then covers 10 simple principles for writing secure code, such as input validation, output encoding, and parameterized queries. Examples of SQL injection and LDAP injection vulnerabilities are shown, along with ways to avoid them through parameterization and input sanitization. The importance of using security mechanisms from trusted libraries rather than reimplementing them is also stressed.
The document discusses automating the process of analyzing mobile malware. It describes standard tools and techniques used in static and dynamic malware analysis of Android APK files. These include strings analysis, disassembling code, decompiling applications, monitoring network activity, and using strace and ltrace. The document proposes automating these analysis steps through scripting to quickly analyze Android apps for malware.
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
The document discusses automating mobile malware analysis processes. It introduces the speaker as a security researcher who works on various online and offline projects related to mobile security. The rest of the document discusses standard processes for static and dynamic malware analysis, including decompiling APK files, disassembling codes, analyzing network activity, and using tools like emulator, adb, and strace. It emphasizes that automating these processes through scripting can help analyze malware more efficiently.
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
OSXCollector is an open source forensic evidence collection and analysis toolkit for Mac OS X. It collects a wide range of system and application data from an OS X system, including files, browser history, startup items, quarantines, and more. The output is formatted as JSON, which contains metadata like hashes, timestamps, and signature chains for collected artifacts. This standardized format makes the data easy to analyze programmatically through output filters to detect anomalies, malware artifacts, and other interesting findings.
Positive Technologies - S4 - Scada under x-raysqqlan
This document summarizes a presentation given by Sergey Gordeychik, Gleb Gritsai, and Denis Baranov on analyzing the security of WinCC SCADA software. It introduces the presenters and their backgrounds in industrial control system security research. They discuss common vulnerabilities found in WinCC like SQL injection, XSS, and password disclosure. The researchers provide an overview of the WinCC architecture and its various components. They analyze vulnerabilities in the WinCC project files and communication protocols. The presentation aims to bring more attention to automating security assessments of industrial control systems.
This document provides step-by-step instructions for building a simple orchestrator. It begins by setting up the basic components including RabbitMQ as a messaging broker and Celery workers. Step 1 demonstrates executing a simple AWS resource by adding a task to the queue. Step 2 adds a MongoDB database to store resources outside of the queue. Step 3 builds a service level on top by allowing resources like AWS instances and Docker containers to be orchestrated together through a YAML file.
This document provides an overview of iOS app penetration testing with a focus on client-side analysis. It discusses setting up a proxy to intercept traffic, decrypting and extracting app files from the device, analyzing app data like plist files, SQLite databases and logs for sensitive information. Common issues like SSL pinning, lack of jailbreak detection and outdated files are also mentioned. A variety of tools are listed to assist with tasks like decrypting apps, dumping classes, bypassing authentication and detecting security protections.
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
Codetainer is a browser-based sandbox for running Docker containers. It allows users to "try 'X' in your browser" for any X by running Docker containers in an isolated and programmable manner directly in the browser. Codetainer uses Docker APIs to launch and manage lightweight containers via a Go-based API server. Users can create and register Docker images, launch "codetainers" from those images, and interact with the codetainers through the browser via websockets, viewing terminals and sending keystrokes. Codetainer aims to provide a secure and flexible environment for use cases like tutorials, training, and remote management while addressing challenges around container introspection and security.
Esta apresentação é baseada em uma pesquisa que publiquei em 2015 que tratava de malware do tipo mach-o, e o aumento de visibilidade do macOS como novo alvo. Nesta nova pesquisa, a ideia é mostrar algumas dicas sobre internals, kernel e principais ameaças que o macOS vem enfrentando.
This document discusses HTML5 on mobile devices. It begins by explaining why mobile web is growing and why HTML5 is well-suited for mobile. It then provides an overview of what HTML5 is and examples of features like forms, multimedia, geolocation that can be used on mobile. It also discusses considerations for mobile web development like responsive design and frameworks. The document recommends tools for mobile debugging and testing performance.
This document summarizes a Drupal hack that occurred at the University of Toronto Libraries. The hack was detected by analyzing Apache logs and noticing odd traffic patterns, including many wp-conf requests. The hack exploited an FCKEditor bug and the PHP Filter module to inject malicious code that could execute PHP. This allowed the hacker to access files, databases, and user information. To recover, the organization restored from backups, disabled vulnerable modules, reset passwords, and improved security practices like access controls and updates. Lessons included following security guidelines, testing updates, using HTTPS, and establishing security processes and failure rehearsals.
stackconf 2021 | Why you should take care of infrastructure driftNETWAYS
This document discusses infrastructure drift and the driftctl tool. It begins with an agenda for a presentation on learning from infrastructure-as-code (IaC) users about the causes and consequences of drift and stories/demos of drift. It then provides context about the presenter and defines infrastructure drift. The rest of the document discusses why drift is important, examples of drift stories, how the driftctl tool can be used to detect and filter drift, and how it integrates with DevSecOps workflows.
The document discusses penetration testing of iOS applications. It provides an overview of the key aspects of testing including:
- Setting up the testing environment with tools like Xcode, Instruments, Burp Suite, and SQLite Manager.
- Performing whitebox testing through source code analysis, identifying HTTP/WS calls, file system interactions, and manual code review.
- Proxying the iOS simulator to intercept and analyze network traffic.
- Exploring various data storage mechanisms like plists, SQLite databases, and the keychain for sensitive data.
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...Jakub "Kuba" Sendor
This document summarizes a presentation about Jakub Sendor's work responding to malware incidents at Yelp. It discusses Yelp's malware response process, including initial detection using tools like antivirus and osquery, collecting forensic data using OSXCollector, analyzing the data both manually and automatically using tools like ElastAlert and AMIRA, and final remediation steps like blocking malicious domains and educating employees. It emphasizes how automation has helped speed up the process and reduce human errors.
Mathilde Lemée & Romain Maton
La théorie, c’est bien, la pratique … aussi !
Venez nous rejoindre pour découvrir les profondeurs de Node.js !
Nous nous servirons d’un exemple pratique pour vous permettre d’avoir une premiere experience complete autour de Node.js et de vous permettre de vous forger un avis sur ce serveur Javascript qui fait parler de lui !
http://soft-shake.ch/2011/conference/sessions/incubator/2011/09/01/hands-on-nodejs.html
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
Slides from "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, made during Drupal Developers Days 2017 at Seville, Spain
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
The document discusses vulnerabilities found in various database software products through analyzing their code and installation directories. Local privilege escalation bugs were found in IBM DB2 and Informix by exploiting how environment variables and shared libraries were handled. Remote code execution bugs were also discovered in UniData and Informix through fuzzing protocols and by exploiting unsafe functions. The document encourages searching for more bugs in database software.
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.
Original slides from Ryan Dahl's NodeJs intro talkAarti Parikh
These are the original slides from the nodejs talk. I was surprised not find them on slideshare so adding them. The video link is here https://www.youtube.com/watch?v=ztspvPYybIY
Similar to OSXCollector: Automated forensic evidence collection & analysis for OS X (BruCON 0x07) (20)
To boldly go where no one has gone before: life after the DevSecOps transform...Jakub "Kuba" Sendor
Learning the lessons from how the development and operations teams joined their forces together mobilizing themselves under a common DevOps umbrella, security teams don't want to stay behind. They see it as a chance to get more involved at each step of the software development in the Agile fashion. Hence DevSecOps approach, closing the gap between the security teams and the rest of the engineering organization.
In my talk I will show the examples of how DevSecOps can lead to a faster feedback loop related to the security issues in the software you are developing. Furthermore, I will explain how to transform your Agile Software Development practices to leverage this new DevSecOps approach and thanks to that produce code with much less security vulnerabilities.
But what after you have embraced this new practice? What will be the next “Holy Grail” of software development? I will try to put my Captain Kirk suit and try to see what is laying at the edges of the DevSecOps galaxy.
DevSecOps: The Final Frontier? Building Secure Software in an Agile OrganizationJakub "Kuba" Sendor
During the past two decades we have started shifting from the waterfall project planning to more agile organization of our software development practices. Utilizing Scrum, Kanban and Lean practices we are now better prepared for the unknown and can faster react to the changing requirements, product plans and team rotation. But it seems that the security requirements for the software we are producing are still living in the "Waterfall World". They are usually being verified as the last step of the development, introducing further delays or simply leaving the deployed software with more and more vulnerabilities.
Learning the lessons from how the Development and Operations teams joined their forces together mobilizing themselves under a common DevOps umbrella, security teams don't want to stay behind. They see it as a chance to get more involved at each step of the software development in the Agile fashion. Hence DevSecOps approach, closing the gap between the security teams and the rest of the engineering organization.
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...Jakub "Kuba" Sendor
Even for a big incident response team handling all of the repetitive tasks related to malware infections is a tedious task. Early on, we automated some of the collection and analysis using our own open source OSXCollector. This helped us quickly identify suspicious domains, URLs and file hashes. But our approach to the analysis still required manual steps that was consuming lots of attention from malware responders.
Enter automation: Further reducing the repetitive tasks will help you deal faster with the incident discovery, forensic collection and analysis, with fewer possibilities to make a mistake. We have turned our OSXCollector toolkit into AMIRA: Automated Malware Incident Response and Analysis service. AMIRA turns the forensic information gathered by OSXCollector into an actionable response plan, suggesting the infection source as well as suspicious files and domains requiring a closer look. Furthermore, we integrated AMIRA with our incident response platform, making sure that as little interaction as necessary is required from the analyst to trigger the collection of the forensic artifacts.
Thanks to that, the incident response team members can focus on what they excel at: finding the unusual patterns and discovering the novel ways that malware was trying to sneak into the corporate infrastructure.
AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsena...Jakub "Kuba" Sendor
Even for a larger incident response team handling all of the repetitive tasks related to malware infections is a tedious task. Our malware analysts have spent a lot of time chasing digital forensics from potentially infected Mac OS X systems, leveraging open source tools, like OSXCollector. Early on, we have automated some part of the analysis process, augmenting the initial set of digital forensics collected from the machines with the information gathered from the threat intelligence APIs. They helped us with additional information on potentially suspicious domains, URLs and file hashes. But our approach to the analysis still required a certain degree of configuration and manual maintenance that was consuming lots of attention from malware responders.
Enter automation: turning all of your repetitive tasks in a scripted way that will help you deal faster with the incident discovery, forensic collection and analysis, with fewer possibilities to make a mistake. We went ahead and turned OSXCollector toolkit into AMIRA: Automated Malware Incident Response and Analysis service. AMIRA turns the forensic information gathered by OSXCollector into actionable response plan, suggesting the infection source as well as suspicious files and domains requiring a closer look. Furthermore, we integrated AMIRA with our incident response platform, making sure that as little interaction as necessary is required from the analyst to follow the investigation. Thanks to that, the incident response team members can focus on what they excel at: finding unusual patterns and the novel ways that malware was trying to sneak into the corporate infrastructure.
Even for a larger incident response team handling all of the repetitive tasks related to malware infections is a tedious task. Our malware analysts have spent a lot of time chasing digital forensics from potentially infected Mac OS X systems, leveraging open source tools, like OSXCollector. Early on, we have automated some part of the analysis process, augmenting the initial set of digital forensics collected from the machines with the information gathered from the threat intelligence APIs. They helped us with additional information on potentially suspicious domains, URLs and file hashes. But our approach to the analysis still required a certain degree of configuration and manual maintenance that was consuming lots of attention from malware responders.
Enter automation: turning all of your repetitive tasks in a scripted way that will help you deal faster with the incident discovery, forensic collection and analysis, with fewer possibilities to make a mistake. We went ahead and turned OSXCollector toolkit into AMIRA: Automated Malware Incident Response and Analysis service. AMIRA turns the forensic information gathered by OSXCollector into actionable response plan, suggesting the infection source as well as suspicious files and domains requiring a closer look. Furthermore, we integrated AMIRA with our incident response platform, making sure that as little interaction as necessary is required from the analyst to follow the investigation.
Thanks to that, the incident response team members can focus on what they excel at: finding unusual patterns and the novel ways that malware was trying to sneak into the corporate infrastructure.
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelJakub "Kuba" Sendor
From the moment of the threat detection, first response throughout the analysis, and the final resolution, we make sure that we can catch as many incidents as possible and properly sanitize the environment so that the potential problems are cut short. All this in an automated and orchestrated fashion, eliminating the manual repetition as much as possible thanks to the in-house built tools like AIR (Automated Incident Response), OSXCollector (Mac OS X forensics collection) and ElastAlert (alerting out of Elasticsearch). We also complement the pipeline with some available open source tools, like osquery and other proprietary threat detection technologies. This adds up to a balanced ecosystem that helps us leverage the current assets, learn about the potential problems quickly and respond to them in a timely fashion.
OpenMetadata Community Meeting - 5th June 2024OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed about the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
What is Master Data Management by PiLog Groupaymanquadri279
PiLog Group's Master Data Record Manager (MDRM) is a sophisticated enterprise solution designed to ensure data accuracy, consistency, and governance across various business functions. MDRM integrates advanced data management technologies to cleanse, classify, and standardize master data, thereby enhancing data quality and operational efficiency.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Odoo ERP software
Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth.
The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently.
This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemPeter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
2. @jsendor
whoami
● Joined Yelp security team in July 2014.
● Mostly involved in malware incident response.
● Also working on automating our security processes.
● Previously worked at SAP in Sophia Antipolis (France) in the Security &
Trust research group.
● Graduated in 2011 from AGH University of Science and Technology in
Kraków (Poland) and Telecom ParisTech/Institut Eurecom (France).
10. @jsendor
OSXCollector is easy to run
1 Python file
0 dependencies
$ sudo osxcollector.py --id DelayedHedgehog
Wrote 35394 lines.
Output in DelayedHedgehog-2015_01_20-19_38_38.tar.gz
$
12. @jsendor
OS X stores lots of data in SQLite DBs
# Dump a sqlite DB in a dozen lines of code
with connect(sqlite_db_path) as conn:
conn.cursor.execute('SELECT * from sqlite_master WHERE type = "table"')
table_names = [table[2] for table in tables.fetchall()]
for table in table_names:
rows = conn.cursor.execute('SELECT * from {0}'.format(table_name))
column_descriptions = [col[0] for col in conn.cursor.description]
for row in rows.fetchall():
record = dict([(key, val) for key, val in zip(column_descriptions, row)])
14. @jsendor
OSXCollector uses Foundation
Foundation is a nice Objective-C wrapper.
import Foundation
# Look! Incredibly long objc style function names!
plist_nsdata, error_message = Foundation.NSData.dataWithContentsOfFile_options_error_(
plist_path, Foundation.NSUncachedRead, None)
# Seriously, incredibly long function names!
plist_dict, _, _ = Foundation.NSPropertyListSerialization.
propertyListFromData_mutabilityOption_format_errorDescription_(
plist_nsdata, Foundation.NSPropertyListMutableContainers,
None, None)
15. @jsendor
Forensic Collection
OS System Info Applications Web Browser Info
Kernel
Extensions
Quarantines Email Info
Downloads Startup Items
Groups &
Accounts
17. @jsendor
Startup items run on boot
Malware running at startup is basically game over.
{
"osxcollector_section": "startup",
"osxcollector_subsection": "launch_agents",
"md5": "dbd251d8a6e4da2419d75f5b18cf5078",
"sha1": "bbb8016ad1026aea499fd47e21ffeb95f9597aca",
"sha2": "9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2",
"file_path": "/Library/Application Support/GPGTools/uuid-patcher",
"ctime": "2014-12-05 16:52:00",
"mtime": "2014-11-30 15:49:40",
"osxcollector_plist": "/System/Library/LaunchDaemons/ssh.plist",
"program": "/usr/libexec/sshd-keygen-wrapper",
"label": "com.openssh.sshd",
"signature_chain": [],
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
}
PRETTY PRETTY!
18. @jsendor
Timestamps are important in forensics
Timestamps get stored in a lot of ways.
OSXCollector normalizes them.
{
"file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight",
"sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614",
"sha1": "99005b68295c202fd359b46cd1411acea96b2469",
"md5": "b8cc164b6546e4b13768d8353820b216",
"ctime": "2014-12-05 16:50:39",
"mtime": "2014-09-19 00:16:50",
"osxcollector_section": "kext",
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
"osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist",
"osxcollector_bundle_id": "com.apple.driver.Apple_iSight",
"signature_chain": [
"Software Signing",
"Apple Code Signing Certification Authority",
"Apple Root CA"
]
}
VERY NORMALIZED
19. @jsendor
Hashes are still important in forensics
{
"file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight",
"sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614",
"sha1": "99005b68295c202fd359b46cd1411acea96b2469",
"md5": "b8cc164b6546e4b13768d8353820b216",
"ctime": "2014-12-05 16:50:39",
"mtime": "2014-09-19 00:16:50",
"osxcollector_section": "kext",
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
"osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist",
"osxcollector_bundle_id": "com.apple.driver.Apple_iSight",
"signature_chain": [
"Software Signing",
"Apple Code Signing Certification Authority",
"Apple Root CA"
]
}
STILL USEFUL
20. @jsendor
Quarantines track downloaded content
They live forever in a plist.
{
"osxcollector_section": "quarantines",
"osxcollector_username": "jsendor",
"LSQuarantineAgentName": "Google Chrome",
"LSQuarantineAgentBundleIdentifier": "com.google.Chrome",
"LSQuarantineDataURLString": "https://cachefly.alfredapp.com/Alfred_2.5.1_308.zip",
"LSQuarantineEventIdentifier": "6FA87446-1249-4578-83E4-4BBCF7AEA4A3",
"LSQuarantineOriginURLString": "http://www.alfredapp.com/",
"osxcollector_db_path": "/Users/ivanlei/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2",
"osxcollector_table_name": "LSQuarantineEvent",
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
"LSQuarantineTimeStamp": "2014-12-05 14:40:33"
}
21. @jsendor
xattr-wherefrom
No need to search around in browser history.
{
..
"md5": "0b984ecc39d5b33e4f6a81ade4e8dbf1",
"xattr-quarantines": [
"0001;5541127e;Google Chrome;63B2C485-1F64-4ADE-A95C-72F7087FA172"
],
"signature_chain": [],
"xattr-wherefrom": [
"http://trojans.evildownloads.com/Trojan.app",
"http://trojans.evildownloads.com/latest-trojans/"
],
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
"file_path": "/Users/jdoe/Downloads/Trojan.app",
}
THIS IS BAAAD
22. @jsendor
OS X doesn't care if startups and kext are signed
But I kinda do, so OSXCollector lists the signature chain.
{
"osxcollector_section": "startup",
"osxcollector_subsection": "launch_agents",
"md5": "dbd251d8a6e4da2419d75f5b18cf5078",
"sha1": "bbb8016ad1026aea499fd47e21ffeb95f9597aca",
"sha2": "9c89666fd071abd203f044ab7b3fd416decafe4468ff2e20a50b6d72f94809e2",
"file_path": "/Library/Application Support/GPGTools/uuid-patcher",
"ctime": "2014-12-05 16:52:00",
"mtime": "2014-11-30 15:49:40",
"osxcollector_plist": "/System/Library/LaunchDaemons/ssh.plist",
"program": "/usr/libexec/sshd-keygen-wrapper",
"label": "com.openssh.sshd",
"signature_chain": [],
"osxcollector_incident_id": "DelayedHedgehog-2015_01_20-19_38_38",
}
SWELL!
24. @jsendor
Manual analysis with grep and jq works pretty well
grep a time window
only urls in a time window
grep a single user
$ cat foo.json | grep ' 2014-01-01 11:3[2-8]'
$ cat foo.json | grep '2014-01-01 11:3[2-8]' | jq 'select( has("url")).url'
$ cat INCIDENT32.json | jq 'select( .osxcollector_username=="jsendor")|.'
28. @jsendor
Automated analysis with output filters
OpenDNS
related
domains
filter
JSON
in
find domains
filter
check
blacklists
filter
VirusTotal
hash
lookup
filter
Shadowserver
hash
lookup
filter
find
related
files
filter
OpenDNS
domain
reputation
filter
VirusTotal
domain
reputation
filter
JSON
out
construct
browser
history
filter
recommend
next
steps
filter
29. @jsendor
Automated analysis with output filters
OpenDNS
related
domains
filter
JSON
in
find domains
filter
check
blacklists
filter
VirusTotal
hash
lookup
filter
Shadowserver
hash
lookup
filter
find
related
files
filter
OpenDNS
domain
reputation
filter
VirusTotal
domain
reputation
filter
JSON
out
construct
browser
history
filter
recommend
next
steps
filter
30. @jsendor
find domains filter
a lot of filters add a single piece of info
{
"url": "https://biz.yelp.com"
}
{
"url": "https://biz.yelp.com",
"osxcollector_domains": [
"biz.yelp.com",
"yelp.com"
]
}
31. @jsendor
Automated analysis with output filters
OpenDNS
related
domains
filter
JSON
in
find domains
filter
check
blacklists
filter
VirusTotal
hash
lookup
filter
Shadowserver
hash
lookup
filter
find
related
files
filter
OpenDNS
domain
reputation
filter
VirusTotal
domain
reputation
filter
JSON
out
construct
browser
history
filter
recommend
next
steps
filter
32. @jsendor
check blacklist filter
Match any key.
Regex or exact match.
Built in smarts for turning domains into regex.
{
"url": "https://www.evil.com",
"osxcollector_domains": [
"www.evil.com",
"evil.com"
]
}
{
"url": "https://www.evil.com",
"osxcollector_domains": [
"www.evil.com",
"evil.com"
],
"osxcollector_blacklist": [
"domains"
]
}
domain_blacklist.txt
evil.com
streaming-football.com
downloads.com
33. @jsendor
Automated analysis with output filters
OpenDNS
related
domains
filter
JSON
in
find domains
filter
check
blacklists
filter
VirusTotal
hash
lookup
filter
Shadowserver
hash
lookup
filter
find
related
files
filter
OpenDNS
domain
reputation
filter
VirusTotal
domain
reputation
filter
JSON
out
construct
browser
history
filter
recommend
next
steps
filter
34. @jsendor
VirusTotal hash lookup filter
API output filter base does the heavy lifting.
Support for rate limits & response caching issues10s of
requests at once.
{
"sha1": "99005b68295c202fd359b46c"
}
{
"sha1": "99005b68295c202fd359b46c",
"osxcollector_vthash": {
"response_code": 200,
"positives": 36,
"total": 52,
}
}
35. @jsendor
Automated analysis with output filters
OpenDNS
related
domains
filter
JSON
in
find domains
filter
check
blacklists
filter
VirusTotal
hash
lookup
filter
Shadowserver
hash
lookup
filter
find
related
files
filter
OpenDNS
domain
reputation
filter
VirusTotal
domain
reputation
filter
JSON
out
construct
browser
history
filter
recommend
next
steps
filter
36. @jsendor
OpenDNS related domains filter
Judge domains by the company they keep.
Domains related to suspicious domains are usually
suspicious themselves.
{
"url": "https://www.evil.com",
}
{
"url": "https://www.evil.com",
"osxcollector_related": {
"domains": [
"double-evil.com",
"free-lunch.org",
"torrent-malware.net"
]
}
}
37. @jsendor
Automated analysis with output filters
OpenDNS
related
domains
filter
JSON
in
find domains
filter
check
blacklists
filter
VirusTotal
hash
lookup
filter
Shadowserver
hash
lookup
filter
find
related
files
filter
OpenDNS
domain
reputation
filter
VirusTotal
domain
reputation
filter
JSON
out
construct
browser
history
filter
recommend
next
steps
filter
39. @jsendor
Automated analysis with output filters
OpenDNS
related
domains
filter
JSON
in
find domains
filter
check
blacklists
filter
VirusTotal
hash
lookup
filter
Shadowserver
hash
lookup
filter
find
related
files
filter
OpenDNS
domain
reputation
filter
VirusTotal
domain
reputation
filter
JSON
out
construct
browser
history
filter
recommend
next
steps
filter
40. @jsendor
Recommend next steps
This whole things started with just a few clues. Now look what I found.
- downloads downloads
ctime: "2015-02-02 12:15:14"
file_path: "/Users/jdoe/Downloads/screenshot.scr"
mtime: "2015-01-16 19:20:06"
xattr-quarantines: ["0001;54b95657;Googlex20Chrome;162C4043-647D-44A8-83C2-2B1F69C7861F"]
xattr-wherefrom: ["https://evildownloads.
com/docs/securesc/5552qjr0llks3i1r65nm9vjn073v4ahg/82mfdn9k8qmvmo3ta2vja6hta3iink5i/1421431200000/002186363
34715341180/12229357981017199890/0B-HDNU1GNnRAVjBtYlBqdVFrT2s?
e=download&h=01562916784096941731&nonce=850uav3g55qiu&user=12229357981017199890&hash=78ffvfobh7rreq0bj86hqf
hb7i8eq92l", ""]
related-files: ["screenshot.scr"]
Nothing hides from Very Readable Output Bot
If I were you, I'd probably update my blacklists to include:
domain: "evildownloads.com"
That might just help things, Skippy!
41. @jsendor
Automated analysis with output filters
OpenDNS
related
domains
filter
JSON
in
find domains
filter
check
blacklists
filter
VirusTotal
hash
lookup
filter
Shadowserver
hash
lookup
filter
find
related
files
filter
OpenDNS
domain
reputation
filter
VirusTotal
domain
reputation
filter
JSON
out
construct
browser
history
filter
recommend
next
steps
filter