Autonomous: no human interaction
Semi-autonomous: limited human interaction
Managed: extensive human interaction
Source: http://www.honeynet.org/papers/honeynet/tools/taxonomy.html
The document discusses elements of Linux security. It outlines threats like remote access attacks, local access attacks, and post-exploit activities. It also discusses countermeasures like minimizing exploit potential through patching and firewalls, minimizing post-exploit damage through privileges and capabilities, and maximizing discovery through auditing and monitoring. Security elements covered include authentication, access control, availability, integrity, and confidentiality.
This document outlines steps to secure a Linux server running Ubuntu, including changing passwords, updating the system, installing fail2ban to block repeated failed logins, creating an unprivileged user account with SSH key-based authentication only, setting up a firewall with ufw, enabling automatic security updates, and installing logwatch to monitor logs. Additional steps mentioned include configuring two-factor authentication for SSH, securing databases, blocking brute-force attacks, auditing for rootkits, and preventing IP spoofing.
This document discusses the history and evolution of rootkits from the 1980s to present day. It defines rootkits as software designed to take control of a system without authorization and hide its presence. The document outlines different classes of rootkits including application, library, kernel, and firmware level rootkits. It also discusses techniques for detecting rootkits at each level, noting that kernel and firmware level rootkits are the most difficult to detect.
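One detection technique that works against both library-level and many kernel-level rootkits is the cross-view comparison: a rootkit that filters getdents()/readdir() can drop a PID from "ls /proc" and "ps", but /proc/PID usually still answers a direct stat(), and the disagreement between the two views is the signal (this is what unhide and rkhunter's process checks do). The script below is an added example, not code from the summarized document; it assumes a Linux procfs, and the scan ceiling in the live wrapper is the example's own choice.

```shell
#!/bin/sh
# Added example (not from the summarized document): cross-view detection of
# processes hidden from the process list. A rootkit hooking getdents()/readdir()
# hides a PID from "ls /proc" and "ps", but /proc/PID still answers a direct
# stat(); PIDs in the probe view but not the listing view are suspicious.
# Assumptions: Linux procfs; the 65536 scan ceiling in scan_live is ours.

# pids_listed: PIDs the directory listing of /proc admits to (what ps sees).
pids_listed() {
    ls /proc | grep -E '^[0-9]+$' | sort
}

# pids_probed MAX: PIDs found by probing /proc/N directly for N in 1..MAX,
# bypassing the directory listing entirely.
pids_probed() {
    n=1
    while [ "$n" -le "$1" ]; do
        [ -d "/proc/$n" ] && echo "$n"
        n=$((n + 1))
    done | sort
}

# hidden_pids LISTED PROBED: PIDs present in PROBED but absent from LISTED.
# Both files must be sorted with plain "sort" (comm needs the same collation).
hidden_pids() {
    comm -13 "$1" "$2"
}

# scan_live: take both views twice and report only PIDs flagged both times,
# so a process that started or exited between two views (a race) is not
# reported as hidden.
scan_live() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    [ "$max" -gt 65536 ] && max=65536   # keep the sh loop fast; use unhide for the full range
    work=$(mktemp -d)
    pids_listed > "$work/l1"; pids_probed "$max" > "$work/p1"
    pids_listed > "$work/l2"; pids_probed "$max" > "$work/p2"
    hidden_pids "$work/l1" "$work/p1" > "$work/h1"
    hidden_pids "$work/l2" "$work/p2" > "$work/h2"
    comm -12 "$work/h1" "$work/h2" | while read -r p; do
        echo "HIDDEN pid $p: $(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
    done
    rm -rf "$work"
}

# Demo on constructed views: the listing omits PID 4242, which the probe found.
demo_cross_view() {
    work=$(mktemp -d)
    printf '1\n812\n1033\n' | sort > "$work/listed"
    printf '1\n812\n1033\n4242\n' | sort > "$work/probed"
    echo "hidden: $(hidden_pids "$work/listed" "$work/probed")"
    rm -rf "$work"
}

demo_cross_view
# On a live host: scan_live
```

Two caveats follow from the document's own point that kernel and firmware rootkits are the hardest to detect: a kernel rootkit that also hooks the /proc lookup path defeats the stat() probe (unhide adds further views such as kill(pid, 0) and sched_getaffinity() for that reason), and any check run from inside a compromised kernel is only as trustworthy as that kernel; for a firm answer, compare against a view taken from outside, such as a memory image.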
This document discusses memory forensics and the Volatility framework. It begins by distinguishing memory forensics from disk forensics and explaining why memory forensics is needed to analyze skilled attackers and advanced malware that aim to avoid disk artifacts. It then provides an overview of Volatility capabilities for analyzing processes, network connections, code injection techniques, and decrypting software-based encryption keys from memory captures. It emphasizes that memory forensics can recover important evidence that is never written to disk.
This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security.
The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.
Stuxnet is a sophisticated piece of malware that targeted Siemens supervisory control and data acquisition (SCADA) systems. It used multiple zero-day exploits to spread via USB devices and network shares, reaching SCADA systems that were not directly connected to the internet. Stuxnet installed rootkits to hide its files and injected itself into processes to remain undetected while sabotaging its targets. It was the first malware known to target and damage physical infrastructure.
This document provides a quick reference guide for Linux security that includes definitions of common security terms, general security tips, and Linux security resources. It defines terms like buffer overflow, cryptography, denial of service, and port scanning. It offers tips such as using automatic package managers to update software, configuring firewalls and intrusion detection, and enforcing strong password policies. The document also lists various security-related websites, books, and open source tools that can aid in hardening Linux systems.
Stuxnet is a computer worm that targets industrial control systems and was the first discovered malware that spies on and subverts industrial systems. It used zero-day exploits to spread via USB drives to the Windows hosts that program Siemens programmable logic controllers, then sabotaged operations by altering the PLC code while masking the changes from operators. The sophisticated worm was likely developed with stolen technical specifications and stolen code-signing certificates in order to infiltrate targeted Iranian nuclear facilities.
Stuxnet, Duqu, and Flame are sophisticated cyber weapons discovered between 2010 and 2012 that targeted industrial systems and stole information. Kaspersky Lab analysis found that a module from the early 2009 version of Stuxnet, known as "Resource 207", was actually a Flame plugin, indicating that Flame existed before Stuxnet. This module was used by both Stuxnet and Flame to spread via USB drives using identical code. Stuxnet and Flame are widely believed to have been used by the U.S. to wage cyber warfare against Iran.
HackBama is a hacker bootcamp and CTF event that includes various Capture the Flag competitions and team server battles. Participants will build their own IoT devices and take courses covering topics like hardware assembly, Linux kernel, embedded operating systems, hardware and software reverse engineering, and penetration testing methodology. The event integrates these courses with the CTF competitions.
The document provides an overview of the Linux filesystem, including its hierarchical tree structure with common subdirectories like /bin, /home, and /usr. It discusses useful commands for navigating the filesystem like cd, pwd, and running privileged commands with sudo. The document also compares the Linux and Windows filesystem structures and file types. It introduces package management with apt-get and the power of pipes in Linux.
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti... (DefconRussia)
The document describes vulnerabilities found in the Windows kernel trap handlers and NTVDM subsystem. It provides a case study of vulnerabilities disclosed in MS13-063, including CVE-2013-3196 which allowed a write-what-where condition in the nt!PushInt handler due to improper validation of operands during emulation of 16-bit instructions. The document also covers prior research on NTVDM vulnerabilities and the architecture of legacy software execution in Windows, highlighting the complex kernel interfaces and large attack surface involved in supporting older programs.
Defeating x64: Modern Trends of Kernel-Mode Rootkits (Alex Matrosov)
64-bit versions of Microsoft Windows were considered resistant to kernel-mode rootkits because of the integrity checks performed by system code. Today, however, there are examples of malware that bypass those security mechanisms. This presentation focuses on x64 architecture security issues, specifically the kernel-mode code signing policy and the techniques modern malware uses to evade it. It analyzes the techniques used to penetrate the kernel-mode address space by rootkits found in the wild: Win64/Olmarik (TDL4), Win64/TrojanDownloader.Necurs (rootkit dropper) and NSIS/TrojanClicker.Agent.BJ (rootkit dropper). Special attention is given to the Win64/Olmarik (TDL4) bootkit as the most prominent example of a kernel-mode rootkit aimed at 64-bit Windows systems. It details the notable features of TDL4 over its predecessor (TDL3/TDL3+): the development of its user-mode components, the kernel-mode rootkit techniques used to bypass HIPS, the hiding of files and system objects, and its bootkit functionality. Finally, it describes possible approaches to cleaning an infected computer and presents a free forensic tool for dumping the hidden TDL file system.
This document summarizes the Stuxnet computer worm, which targeted industrial control systems. It provides a timeline of Stuxnet from 2008 to 2010 and describes its infection mechanisms, which relied on zero-day exploits and stolen digital certificates. It explains how Stuxnet intercepted communications between Siemens Step 7 software and PLC controllers to reprogram industrial systems without detection. While Stuxnet's origin has never been officially confirmed, speculation points to the US, Israel, or another nation state as the likely creator, with the aim of sabotaging Iran's nuclear program.
This document is a complete report on a penetration test performed with Kali Linux against a vulnerable machine available on Vulnhub.com, Game of Thrones CTF: 1, which contains 11 flags in total (7 kingdom flags, 3 secret flags and one battle flag). The first chapter gives a short overview of cyber risks and the general state of IT security today. The second chapter describes the laboratory setup in Oracle VirtualBox, which virtualizes the attacker machine and the target machine. The following subchapters present the attack narrative step by step, one per location in the challenge. Please note that this walkthrough may contain spoilers for the TV series.
The report closes with comments on the vulnerabilities found in the challenge, some recommendations, and the main resources consulted and tools used.
This document provides an overview of ransomware, including what it is, how it spreads, examples of ransomware families, and prevention strategies. Ransomware encrypts files on an infected system and demands payment, usually in cryptocurrency, to decrypt the files. It spreads through spam emails containing malicious attachments or links, compromised websites that serve exploit kits, and by exploiting vulnerabilities in operating systems. The document illustrates infections with screenshots of infected systems and shared folders. Prevention includes regularly backing up important files, avoiding unsolicited documents, and keeping systems updated.
Hacking Fundamentals - Jen Johnson, Miria Grunick (amiable_indian)
The document discusses the five phases of a hacking attack: reconnaissance, scanning, gaining access, maintaining access, and covering tracks. It provides details on various reconnaissance techniques like searching publicly available information, whois databases, and DNS records to learn about a target organization. Scanning involves probing open ports using techniques like port scanning, war dialing, and tracerouting to map out a network.
Evolving Threat Landscapes: Web-Based Botnet Through Exploit Kits and Scripts ... (Julia Yu-Chin Cheng)
This document outlines the evolution of botnets and their threats. It discusses how botnets have moved from centralized command and control structures to using exploit kits and scripts for distribution. The document is divided into two parts, with part one covering traditional botnet landscapes and how they have evolved to use techniques like exploit kits, social engineering, and drive-by downloads to more efficiently infect computers and spread malware. Part two will focus specifically on web exploit kits, examining what they are, how they work, case studies, and how they generate revenue. The document provides an overview of the changing botnet ecosystem.
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks (inside-BigData.com)
In this deck from the FOSDEM 2018 conference, Jon Masters from Red Hat presents "Exploiting modern microarchitectures: Meltdown, Spectre, and other hardware attacks."
"Recently disclosed vulnerabilities against modern high performance computer microarchitectures known as 'Meltdown' and 'Spectre' are among an emerging wave of hardware-focused attacks. These include cache side-channel exploits against underlying shared resources, which arise as a result of common industry-wide performance optimizations. More broadly, attacks against hardware are entering a new phase of sophistication that will see more in the months ahead. This talk will describe several of these attacks, how they can be mitigated, and generally what we can do as an industry to bring performance without trading security."
Jon Masters is a Computer Architect at Red Hat, where he was tech lead for mitigation efforts against Meltdown and Spectre. Jon has worked closely with high performance microprocessor design teams for years on emerging alternative server platforms, and also currently leads the CCIX software working group helping to define high performance cache coherent interconnects for workload acceleration. Jon has been a Linux developer for 22 years, since beginning college at the age of 13, and has authored a number of books on Linux technology. He lives in Cambridge, MA, and will run his 11th marathon later this spring.
Watch the video: https://insidehpc.com/2018/02/exploiting-modern-microarchitectures-meltdown-spectre-attacks/
Learn more: https://fosdem.org/2018/
Enabling Worm and Malware Investigation Using Virtualization (amiable_indian)
This document discusses using virtualization to enable worm and malware investigation. It presents Collapsar as a front-end for distributed and centralized honeypot operation, aggregating unused IP addresses. It also presents vGround as a back-end for enabling large-scale, live but confined worm experiments through virtualization. Together, Collapsar and vGround form an integrated platform for automated worm characterization, zero-day signature generation, and tracking worm contaminations.
This document provides an introduction to Linux security. It covers turning off unnecessary servers and services, restricting access to the services that remain with iptables, updating the system regularly, and reading Linux log files. The document recommends keeping daemons and services disabled or bound to localhost when possible, and using tools like netstat, iptables, and log-checking utilities to monitor open ports and system activity. It concludes with a question and answer section and recommends additional security resources.
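The "disable or bind to localhost, then firewall the rest" advice above is easy to check mechanically: list what is actually listening, flag anything reachable from the network that is not meant to be, and derive the firewall from the same allowlist. The script below is an added example, not code from the summarized document; it assumes a Linux host with iproute2's ss (netstat's successor, with the field layout of "ss -H -ltnp"), and the sample ss lines, the allowlist and the iptables ruleset are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the summarized document): find services listening on
# non-loopback addresses that are not on an allowlist, then emit the minimal
# iptables ruleset that admits only the allowlisted TCP ports.
# Assumptions: Linux with iproute2 "ss" (fields as in "ss -H -ltnp"); the
# allowlist and the sample lines below are ours.

# exposed_listeners PORT...: read "ss -H -ltnp" lines on stdin and print
# "port address process" for every TCP listener reachable from the network
# (not bound to 127.0.0.1 / ::1) whose port is not one of the arguments.
exposed_listeners() {
    awk -v allow=" $* " '
        $1 != "LISTEN" { next }                 # skip headers and non-listeners
        {
            n = split($4, a, ":"); port = a[n]   # local address is "addr:port"
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (index(allow, " " port " ") > 0) next
            proc = "?"
            if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
            print port, addr, proc
        }'
}

# iptables_rules PORT...: print a default-deny INPUT policy for the given TCP
# ports. Accept rules come before the policy flips to DROP, so a partially
# applied script cannot lock out the admin's existing SSH session.
iptables_rules() {
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    echo 'iptables -P INPUT DROP'
}

# Constructed sample of "ss -H -ltnp" output: sshd on all interfaces, redis on
# loopback only (fine), mysqld on all interfaces (exposed).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=1033,fd=6))
LISTEN 0 4096 *:3306 *:* users:(("mysqld",pid=1200,fd=21))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

echo "--- exposed listeners not on the allowlist (22):"
echo "$SAMPLE_SS" | exposed_listeners 22
echo "--- firewall for the allowlist:"
iptables_rules 22
# On a real host:  ss -H -ltnp | exposed_listeners 22 443
#                  iptables_rules 22 443 | sh      (then persist with iptables-save)
```

Run ss as root, otherwise the process column is empty for sockets owned by other users and the "process" field prints as "?". The same allowlist maps onto ufw for hosts that use it: `ufw default deny incoming` followed by one `ufw allow <port>/tcp` per allowlisted port.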
DefCon 2012 - Hardware Backdooring (Slides) - Michael Smith
The speaker argues that hardware backdooring by state actors is practical and demonstrates a proof of concept called Rakshasa that backdoors firmware such as the BIOS and network-card firmware to obtain persistent remote access. Rakshasa builds on existing free and open source software, Coreboot and iPXE, to stay stealthy and hard to detect. The talk also discusses the difficulty of attributing and detecting such backdoors, and argues that strong protection is not currently possible given weaknesses in computer hardware and supply chains.
FinFisher is cyber espionage software sold by Gamma Group to law enforcement and intelligence agencies. It can infect Windows PCs and iOS, Android, BlackBerry, Symbian and other mobile devices to monitor their users. The malware disguises itself using various techniques and communicates with command and control servers located around the world. It has extensive surveillance capabilities, including recording calls, intercepting messages, and tracking locations.
Introduction to Android
The Android Platform, Understanding Android Market, Layers of Android, Intent of Android Development, Types of Android Components, Mapping Applications to Processes, Creating an Android Application.
Android's Development Environment: Introduction to Android SDK, Exploring Android Development Environment and Building Android Application in Eclipse, Android Emulator and User Interfaces, Working with Views, Using Resources, and Understanding and Exploring Android Manifest File.
Kumar Setty gave a presentation on assessing UNIX security to IT and financial auditors. He discussed the objectives of educating auditors on UNIX risks and controls and how to conduct a risk assessment. The presentation covered UNIX history, advantages, and disadvantages. It provided an overview of how UNIX works and its file system. It also discussed common security risks like privileged accounts and files, and provided examples of assessing risks like examining root access, SUID/SGID permissions, and network security.
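The three risk checks the presentation names (root access, SUID/SGID permissions, privileged files) each reduce to a short command that an auditor can run and keep as evidence. The script below is an added example, not material from the presentation; it assumes a GNU/Linux userland (find -xdev, ls -ld), and the baseline-file format (one absolute path per line) and the constructed demo tree are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the summarized presentation): three checks an auditor
# runs on a UNIX host for the risks named above: extra UID-0 accounts, setuid/
# setgid binaries outside a known baseline, and world-writable files.
# Assumptions: GNU/Linux userland (find -xdev, ls -ld); the baseline file format
# (one absolute path per line) and the demo paths are ours.

# uid0_accounts PASSWD: every account with UID 0 other than root. A second
# UID-0 login is a classic backdoor and a finding in itself.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# suid_sgid_audit ROOT BASELINE: setuid/setgid regular files under ROOT whose
# path is not listed in BASELINE. Each hit is printed as "mode owner:group path"
# so the reviewer sees who gains whose privileges. Build BASELINE from a fresh
# install of the same image, not from the host under review.
suid_sgid_audit() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while read -r f; do
        grep -qxF -- "$f" "$2" && continue
        ls -ld -- "$f" | awk -v p="$f" '{ print $1, $3 ":" $4, p }'
    done
}

# world_writable_files ROOT: regular files anyone can modify. A world-writable
# script run by root's cron, or a writable library, is a privilege-escalation path.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Demo on a constructed tree; nothing outside the temp dir is read.
demo_unix_audit() {
    work=$(mktemp -d)
    mkdir -p "$work/usr/bin" "$work/tmp"
    printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/sh\nbob:x:1000:1000::/home/bob:/bin/bash\n' > "$work/passwd"
    : > "$work/usr/bin/passwd"; chmod 4755 "$work/usr/bin/passwd"   # expected setuid, in baseline
    : > "$work/usr/bin/helper"; chmod 4755 "$work/usr/bin/helper"   # setuid, NOT in baseline
    : > "$work/tmp/backup.sh";  chmod 0666 "$work/tmp/backup.sh"    # world-writable
    echo "$work/usr/bin/passwd" > "$work/baseline"
    echo "--- UID 0 accounts besides root:"; uid0_accounts "$work/passwd"
    echo "--- setuid/setgid files not in baseline:"; suid_sgid_audit "$work" "$work/baseline"
    echo "--- world-writable files:"; world_writable_files "$work"
    rm -rf "$work"
}

demo_unix_audit
# On a real host (as root): uid0_accounts /etc/passwd; suid_sgid_audit / baseline.txt; world_writable_files /
```

For a real host, run the checks as root (find skips directories it cannot read) and keep -xdev so the scan does not wander into /proc, network mounts or other filesystems; repeat per mounted filesystem that matters. The output is small enough to diff against the previous audit, which turns the SUID list into a change-detection control as well as a point-in-time finding.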
Modern biotechnology is used to create useful products such as vaccines and antibiotics through genetic modification. China has made advances in biological techniques and cutting-edge agricultural technology, creating new high-yield plant varieties. However, agriculture consumes a large share of fresh water unsustainably, polluting water sources and destroying ecosystems.
This presentation proposes creating a new "Upsight" membership program targeted at people aged 39-49 to attract them to AARP early. Upsight would include benefits like an affinity credit card that earns points towards retirement accounts, gym discounts, and travel rewards. Points could be earned through partner retailers and used for upgrades. The goal is to transition Upsight members to AARP membership at age 50 by priming them early and offering exclusive perks to retain them. Upsight would be promoted through publications their target demographic reads and an online community portal.
This document summarizes activations and promotions for universities in Brazil between April and October. It details activations at beaches in Maresias between December 6-7 and promotions at various universities between November 13-28. It provides the names of over 50 universities and details on promotional materials, media spending, and links to further information. The summary focuses on the high-level overview of university promotions and activations across Brazil within the given timeframe.
Lisa lives with her mother, brother, and sister in Castelló d’Empúries, Spain. She describes herself as extroverted, spontaneous, annoying, and impolite. Lisa claims to hate humans and prefers solitude, though she treats the few people she likes with tolerance and respect. She loves art, music, painting, and writing poetry. Lisa's motto is "sex, drugs, and rock and roll" which she takes seriously, enjoying drinking, smoking, and doing foolish things. She admires her mother for being a great parent and Bob Dylan for his intelligence and humor. Lisa considers herself open-minded, prefers listening over talking, and values her freedom most of all.
El documento trata sobre la automatización en la industria aeronáutica. Explica que la industria aeronáutica utiliza robots para realizar tareas repetitivas y de alta precisión como taladrado, pintado e inspección. También habla sobre cómo la automatización ha encontrado un mercado creciente entre los fabricantes de aeronaves que han adoptado robots para mejorar la calidad y eficiencia en la fabricación de piezas y montajes. Por último, resalta que la industria aeronáutica requiere de alta precisión y minimización
This document provides an overview of Unix rootkits, including their functionality, types, usage trends, and case studies of captured rootkits. Rootkits aim to maintain access, attack other systems, and conceal evidence. They are implemented through binary, kernel, and library techniques. Case studies examine the SA binary kit, the W00tkit kernel kit, and the RK library kit to illustrate rootkit techniques and evolution over time. The document concludes that rootkits combine tools to establish hidden, persistent access and attack other machines while avoiding detection.
Serão demonstradas diversas técnicas de ataque, tais como: Injeções de codigos,brute force, backdoors, root kits, exploits e várias outras maneiras para acessar e se manter indevidamente a servidores,em contra-partida são discutidas melhores praticas para se
evitar os tipos de ataques citados. (Palestra realizada no 3º Festival de Software livre em belo horizonte - FSLBH)
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
The document discusses the security of running applications in Linux containers. It begins by acknowledging that containers were not originally designed with security in mind. However, it then outlines several techniques that can be used to improve security, such as running containers without root privileges, dropping capabilities, enabling security modules like SELinux, and limiting access to devices and system calls. For the most security-sensitive tasks, it recommends running containers inside virtual machines to isolate them further. In the end, it argues that with the right precautions, containers can be used securely for many applications.
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
The document summarizes a presentation on network security and Linux security. The presentation covered introduction to security, computer security, and network security. It discussed why security is needed, who is vulnerable, common security attacks like dictionary attacks, denial of service attacks, TCP attacks, and packet sniffing. It also covered Linux security topics like securing the Linux kernel, file and filesystem permissions, password security, and network security using firewalls, IPSEC, and intrusion detection systems. The presentation concluded with a reference to an ID-CERT cybercrime report and a call for questions.
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
This document discusses various techniques for anonymizing datasets to protect privacy, including k-anonymity, l-diversity, and t-closeness. It notes that achieving strong privacy guarantees is difficult and outlines challenges with different approaches. The document also covers network security techniques like network segmentation using zones, firewalls, proxies, virtual private networks (VPNs), and intrusion detection systems (IDS). Differential privacy is introduced as an approach that provides privacy guarantees regardless of an adversary's background knowledge.
Linux containers provide isolation between applications using namespaces and cgroups. While containers appear similar to VMs, they do not fully isolate applications and some security risks remain. To improve container security, Docker recommends: 1) not running containers as root, 2) dropping capabilities like CAP_SYS_ADMIN, 3) enabling user namespaces, and 4) using security modules like SELinux. However, containers cannot fully isolate applications that need full hardware or kernel access, so virtual machines may be needed in some cases.
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Common attack techniques explored include man-in-the-middle attacks using ARP poisoning, password cracking through tools like John the Ripper, and "Google hacking" to find sensitive information online.
Kunal - Introduction to backtrack - ClubHack2008ClubHack
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Common attack techniques explored include man-in-the-middle attacks using ARP poisoning, password cracking through tools like John the Ripper, and hacking web servers through techniques like Google hacking.
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Attackers can use these tools along with techniques like ARP poisoning to conduct remote exploits or hack passwords on Windows systems.
The document discusses several pieces of malware including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems and included a PLC rootkit. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware that supported eliminating traces of its files. Gauss was designed to steal credentials from banking and social media accounts. All of the malware discussed exploited vulnerabilities and some signed with stolen certificates to propagate and communicate with command and control servers.
The document discusses several cyber threats including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems in 2010. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware discovered in 2012 that supported eliminating traces of its files. Gauss stole credentials and collected information from infected machines. All pose serious risks to computer networks and systems critical to society.
The document discusses how unprotected Windows file shares can expose systems to exploitation. Malicious software like the Klez worm, Nimda worm, and Sircam virus spread rapidly in 2001 by accessing unprotected shares. The document outlines techniques attackers use like scanning for systems with port 445 open and exploiting weak or null passwords. Examples of malware discussed are the W32/Deloder, GT-bot, and W32/Slackor worms which use these techniques to spread. The document recommends disabling unnecessary shares, using strong unique passwords, and keeping anti-virus software up to date to prevent exploitation.
This document discusses hacking and methods for defending against it. It provides background on common hacking techniques like smurfing and spoofing. It also lists estimated costs of major computer worms and viruses. The document demonstrates hacking methodology, including gathering target information, identifying services, exploiting vulnerabilities, and preventing attacks. It recommends defenses like firewalls, intrusion detection systems, and keeping software patched.
Talk of the hour, the wanna crypt ransomwareshubaira
The document discusses the WannaCrypt ransomware attack that occurred in May 2017. It describes how WannaCrypt exploited a Windows vulnerability to spread, encrypted files on infected systems, and demanded ransom payments in Bitcoin. The document provides details on the malware components, infection cycle, indicators of infection, and recommendations for prevention and cleanup of infected systems. It also includes definitions of relevant cybersecurity terminology.
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
This presentation is made for my college presentation of explaining "Threats, Vulnerabilities & Security measures in Linux' and also suggestion how you could enhance ur Linux OS security.
Similar to Rootkit&honeypot aalonso-dcu-dec09 (20)
3. Linux: Syscalls & modules
During some lectures we have studied some of the Linux kernel's features: system calls and modules.
What happens if we are able to 'hack' the syscalls by loading a module? ;)
Source: http://www.filmsy.com
4. Typical scenario
1. Reconnaissance of the target
2. Access to the target somehow
3. Privileges escalation
4. Hide, delete evidence, ensure access == Rootkits!!!!
5. Rootkit Definition
NSA: “A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems.”
A tool or set of tools used by an intruder to hide itself, masking the fact that the system has been compromised, and to keep or reobtain administrator-level (privileged) access inside a system.
Hide activity, provide unauthorized access, eavesdropping tools, hacking tools, system log cleaners, etc.
6. Taxonomy I
User mode == Trojan Horse backdoor
Modification of some system binaries to hide FILES, PROCESSES, SNIFFING, CONNECTIONS, TASKS, LOGINS, LOGS, etc. (ls, ps, ifconfig, netstat, who, cron, syslog, etc.)
Many binaries to be modified and very dependent on the OS
Can be detected easily (checksums)
Kernel mode
Loadable Kernel Modules (LKM) (device drivers in Windows)
Modify the system call table by loading a module. It is possible to modify or infect a 'trusted' module as well.
7. Taxonomy II
Kernel mode
Patch the running kernel: modify the kernel image running in memory through /dev/kmem
Patch the image /boot/vmlinuz
Create a fraudulent VFS: run an exact copy of the real system in a virtual environment (UML, VMware..). This has not been implemented.
Run programs in kernel mode: a user program can run in kernel space and hence is able to modify kernel structures and memory (Kernel Mode Linux project)
8. Syscall Implementation
Kernel space is defined in the GDT (Global Descriptor Table) and mapped into every process.
Syscalls through INT 0x80. EAX == number of the syscall (the index into sys_call_table[]); EBX, ECX, EDX, ESI, EDI carry the parameters.
Source: http://www.giac.org/certified_professionals/practicals/gcux/0243.php
9. Syscalls Replacement
The arguments passed to the system call must be obtained from user space -> access to user-space memory
Declare extern void* sys_call_table[]
Examples of functions:
Hide file contents: intercept sys_open() and block if some pattern is in the filename
Hide directories: sys_chdir(), sys_mkdir()
Hide network connections: sys_read() on /proc/net/tcp and /proc/net/udp
Hide processes: sys_getdents() on /proc
10. Example of module
The module is loaded through “insmod module.o” and
becomes part of the kernel.
#include <linux/module.h>
#include <linux/kernel.h>
/* 2.4-era slide snippet: it assumes an exported, writable sys_call_table, which current kernels do not provide. */
extern void *sys_call_table[];
static void *official_example_call;               /* saved original handler */
extern asmlinkage long hacked_example_call(void); /* replacement handler, defined elsewhere */
int init_module(void) {
    official_example_call = sys_call_table[SYS_example_call];        /* save the original entry */
    sys_call_table[SYS_example_call] = (void *) hacked_example_call; /* install the hook */
    return 0;
}
void cleanup_module(void) {
    sys_call_table[SYS_example_call] = (void *) official_example_call; /* restore on unload */
}
11. Detection of Linux Rootkits
File integrity / HIDS (Osiris, Tripwire, AIDE). RPM can check the integrity of the binaries.
Some ideas:
/proc/cmdline, /proc/modules, /proc/kcore
Big files, files without user/group, files with "," as name, MAC times.
Binary analysis: strace (user mode rootkit)
Network layer: external nmap (port knocking could be an issue!!), promiscuous mode (ip link) or /var/log/messages
Tools: chkrootkit, Rootkit Hunter, Kstat, Module hunter, Unhide
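A small host-integrity check, added here as an example (it is not code from the slides or from any of the tools named above), that applies this slide's ideas to a directory tree: a SHA-256 baseline taken on a clean system is compared against the current files, and files with a comma in the name, unusually large files, and files whose owner or group maps to no account are flagged. The size threshold, the paths and the baseline format are this example's own assumptions.

```python
import grp
import hashlib
import os
import pwd
import stat
import tempfile

LARGE_FILE_BYTES = 50 * 1024 * 1024  # assumed threshold for the slide's "big size files" heuristic

def sha256_of(path):
    """Stream one file through SHA-256: the checksum a trojaned ls or ps cannot keep intact."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Relative path -> SHA-256 for every regular file under root; take it on a known-clean system."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                baseline[os.path.relpath(path, root)] = sha256_of(path)
    return baseline

def owner_known(st):
    """False when the uid or gid maps to no account (the slide's 'files without user/group')."""
    try:
        pwd.getpwuid(st.st_uid)
        grp.getgrgid(st.st_gid)
    except KeyError:
        return False
    return True

def check_tree(root, baseline, large=LARGE_FILE_BYTES):
    """Compare the tree against the baseline and apply the name/size/owner heuristics; return sorted (kind, path)."""
    findings, seen = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            seen.add(rel)
            if "," in name:
                findings.append(("comma_in_name", rel))
            if st.st_size > large:
                findings.append(("large_file", rel))
            if not owner_known(st):
                findings.append(("unknown_owner", rel))
            if rel not in baseline:
                findings.append(("new_file", rel))
            elif baseline[rel] != sha256_of(path):
                findings.append(("modified", rel))
    for rel in baseline:
        if rel not in seen:
            findings.append(("missing", rel))  # a baseline file that has disappeared
    return sorted(findings)

def demo():
    """Constructed scenario in a temp dir: baseline a clean stand-in for bin/ps, replace it as a user-mode rootkit would, drop a large ','-named file."""
    root = tempfile.mkdtemp(prefix="hids-demo-")
    os.mkdir(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/true\n")  # stand-in for the clean binary
    baseline = build_baseline(root)
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"#!/bin/sh\n# trojaned stand-in\n")  # constructed tampering
    with open(os.path.join(root, "bin", ",rk"), "wb") as f:
        f.write(b"\0" * 200)
    return check_tree(root, baseline, large=100)
```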
12. Prevention
Hardening the OS: patches, services, accounts, compilers, modutils, etc.
Use some security baseline and tools: CIS, Bastille, LIDS, Tiger.
Add security tools: grsecurity, SELinux, etc.
Systrace: capture all the system calls (IPS)
Locking LKM: baseline of LKMs
Security VS usability: disable kernel modules??
13. Examples of other rootkits
Sony BMG CD copy protection scandal http://en.wikipedia.org/wiki/Sony_BMG_CD_copy_protection_scandal
Rootkit that modifies the way Windows plays CDs. Besides, it creates a vulnerability (malware). It uses GNU-licensed software.
Rootkits headed for BIOS http://www.securityfocus.com/news/11372
Cisco IOS rootkit: http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html
MacOSX rootkits at BlackHat: http://www.blackhat.com/presentations/bh-usa-09/DAIZOVI/BHUSA09-AdvOSXRootkits-PAPER.pdf
SMM rootkits (System Management Mode) on Intel: http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf
Hardware virtualization rootkits: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Zovi.pdf
Oracle rootkits: http://www.red-data-base-security.com/wp/oracle_rootkits_2.0.pdf
14. Bibliography
Linux kernel rootkits: protecting the system's "ring-zero", Raul Siles, May 2004. http://www.giac.org/certified_professionals/practicals/gcux/0243.php
Hiding processes (understanding the linux scheduler), Rainer Wichmann, 2002. http://www.phrack.org/show.php?p=63&a=18
Finding hidden kernel modules (the extreme way), madsys, August 2003. http://www.phrack.org/phrack/61/p61-0x03_Linenoise.txt
The Implementation of Passive Covert Channels in the Linux Kernel, Joanna Rutkowska, October 2004. http://invisiblethings.org/papers/passive-covert-channels-linux.pdf
Analysis of the t0rn rootkit, Miller, November 2000. http://www.securityfocus.com/infocus/1230
Linux Kernel Rootkits, Rainer Wichmann, 2002. http://la-samhna.de/library/rootkits/index.html
15. Real Scenario
(Diagram: Server 1 (S1), Server 2 and Server 3; FTP and WWW traffic to S1; from S1: WWW to the Internet)
What happened:
1. System compromised with a remote exploit (BO over WU-FTPD) == root shell!!
2. Some "hacking" set of tools were downloaded through WWW (tar.gz package)
3. The package contained an "autorooter" and "Rootkit"
4. The "bad" guy was not aware of the autorooter and the rootkit
What was observed:
1. S1: "weird" traffic to the Internet
2. S1: "weird traffic to the same VLAN" as well
3. S1: Alerts triggered with an IDS
16. Honeypots
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” The Art of War - Sun Tzu
“An example of a honeypot is a system used to simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. This kind of honeypot can be used to log access attempts to those ports including the attacker's keystrokes. This could give you advanced warning of a more concerted attack.” Source: http://www.honeypots.net
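A minimal low-interaction honeypot of the kind described in the quote above, added as an example (it is not code from the slides or from honeypots.net): it emulates one service with a banner, refuses every login, executes nothing, and logs each connection and each line received, keystrokes included. The hostname in the banner, the refusal message and the event format are this example's own choices.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class LowInteractionHoneypot:
    """Emulates one network service: sends a banner, refuses every login, and records each
    connection and each line the peer types.  Nothing the peer sends is executed or forwarded."""

    def __init__(self, banner, host="127.0.0.1", port=0, max_lines=20):
        self.banner, self.max_lines = banner, max_lines
        self.events = []  # (utc timestamp, peer, kind, detail)
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))  # port 0 lets the OS pick a free port
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _log(self, peer, kind, detail=""):
        with self._lock:
            self.events.append((datetime.now(timezone.utc).isoformat(), peer, kind, detail))

    def _accept_loop(self):
        while True:
            try:
                conn, addr = self._srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=self._handle, args=(conn, "%s:%d" % addr), daemon=True).start()

    def _handle(self, conn, peer):
        self._log(peer, "connect")
        buf, lines = b"", 0
        with conn:
            conn.settimeout(10)
            try:
                conn.sendall(self.banner)
                while lines < self.max_lines:  # cap how much one peer can make us store
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    buf += chunk
                    while b"\n" in buf:
                        line, buf = buf.split(b"\n", 1)
                        self._log(peer, "input", line.rstrip(b"\r").decode("latin-1"))
                        lines += 1
                        conn.sendall(b"530 Login incorrect.\r\n")  # same answer to everything
            except OSError:
                pass
        self._log(peer, "disconnect")

    def close(self):
        self._srv.close()


def demo():
    """Constructed run: this process plays the attacker against its own honeypot and returns
    the banner it saw plus the (kind, detail) events the honeypot recorded."""
    hp = LowInteractionHoneypot(b"220 ftp.example.internal FTP server ready.\r\n")
    with socket.create_connection(("127.0.0.1", hp.port), timeout=10) as c:
        banner = c.recv(1024)
        c.sendall(b"USER anonymous\r\nPASS guest@\r\n")
        c.shutdown(socket.SHUT_WR)
        while c.recv(1024):  # drain the refusals until the honeypot closes the connection
            pass
    deadline = time.time() + 5
    while time.time() < deadline and not any(e[2] == "disconnect" for e in hp.events):
        time.sleep(0.01)
    hp.close()
    return banner, [(e[2], e[3]) for e in hp.events]
```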
18. Features of Honeypots
Historically: Intrusion Detection System (IDS)
No production value
Honeypot VS Intrusion Detection System (no FP)
Currently, no sufficient taxonomy in this area
Useful for 0-day attacks
Work in encrypted environments
Risk of takeover
19. Taxonomy I
Interaction level
Low: limited interaction, i.e. an SSHD that doesn't give real access
High: full simulation of the service.
Data capturing
Event: change in the state
Attack: threatening the security policy
Intrusion: breaking the security policy
Containment:
Block: the attack is blocked and never reaches the target
Defuse: the attack reaches the target but is modified
Slow down: the attacker is slowed down to limit the spread of malicious activity
Source: http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf
20. Taxonomy II
Distribution appearance:
Distributed: multiple systems.
Stand-alone: single system
Communication interface
Network interface: the honeypot can be communicated with directly via a network interface
Non-network hardware interface: USB keys, CD-ROM..
Software: API
Multi tier: server or client
21. Some examples
Google Hack Honeypot: logs the exploitation attempts made through Google search, e.g. searches for the version of a vulnerable CMS
Honeyclient: monitors the behaviour of IE while browsing to suspicious URLs.
Honeyd: several servers with different services (SMTP, FTP, HTTP..)
Honeynet: real system reachable through the Honeywall gateway (IDS, iptables, logging, etc.)
Sebek: monitors all the connections and the commands launched by the intruder. Capture tool.
22. Sebek
Kernel-based data capture tool: intercepts syscalls at kernel level (LKM on Linux, kernel driver on Windows, kernel patch on BSD)
Based on a client-server architecture: honeywall and sebek. Covert channel over UDP (raw socket modification)
The 1st version was for kernel 2.4. Latest version for 2.6.x, Windows, etc.
Sniffing the traffic is a problem when the communication is encrypted
Intercepts all 'read' syscalls, the 'socket' syscall, the 'fork' syscall and the 'clone' syscall.
The information gathered from the 'socket' syscall is correlated with the traffic gathered by the honeywall (process and flow)
The information gathered from the 'open' syscall permits mapping processes to files, so it's possible to know which files have been opened during the intrusion.
The information gathered from 'fork' syscalls permits knowing the relationships between processes and rebuilding the whole execution
23. Sebek: 'issues'
Capture the responses received from the attacker (already done with some patches)
Can be detected: cat /proc/modules
Sebek's modification of the Linux syscall table can be detected and overwritten.
It does not survive a reboot (kernel patch?? - not so flexible for analyzing a real intrusion)
24. Honeywall
Tool to gather the information from different honeypots
It correlates hosts, processes, files and network flows.
Sebek: with the syscalls it's possible to gather all this information and relate the pieces to each other
Traffic captured with tcpdump and analyzed with p0f, snort and Argus
Database to store all the information
Walleye: web interface
25. Example of correlation
(Diagram: honeywall in bridge mode running IDS, correlator, DB and www; Sebek on the honeypot)
1st: detection of suspicious alerts in the flows (IDS). Exploit to samba on 139/tcp
2nd: we can see which process is related to that flow. ps: 6781 Sambad, 6781 /bin/bash, 6782 nmap, etc.
3rd: it's possible to see which files have been opened. Write to /etc/passwd and /etc/shadow
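The three correlation steps of this slide, driven by the Sebek syscall records described on slide 22 (socket, read, fork, open), as an added example that is neither Sebek's nor the honeywall's own code: constructed Sebek-style records for the honeypot 10.0.0.3 (the slides' sebek-hp) and a constructed IDS alert are correlated flow -> process -> process tree -> keystrokes and files written. The record layout, the field names and the attacker address 10.0.0.99 are this example's assumptions.

```python
# Constructed Sebek-style records (not real Sebek output): every record carries pid, ppid and comm,
# plus syscall-specific fields.  Honeypot 10.0.0.3 is the slides' sebek-hp; 10.0.0.99 is a made-up attacker.
SEBEK_RECORDS = [
    {"pid": 6781, "ppid": 1, "comm": "smbd", "syscall": "socket",
     "proto": "tcp", "src": "10.0.0.99:4455", "dst": "10.0.0.3:139"},
    {"pid": 7001, "ppid": 1, "comm": "sshd", "syscall": "socket",
     "proto": "tcp", "src": "10.0.0.2:51000", "dst": "10.0.0.3:22"},  # unrelated admin session
    {"pid": 6781, "ppid": 1, "comm": "sh", "syscall": "read", "fd": 0, "data": "id\n"},
    {"pid": 6781, "ppid": 1, "comm": "sh", "syscall": "read", "fd": 0, "data": "nmap 10.0.0.0/24\n"},
    {"pid": 6782, "ppid": 6781, "comm": "nmap", "syscall": "fork"},
    {"pid": 6781, "ppid": 1, "comm": "sh", "syscall": "read", "fd": 0, "data": "passwd\n"},
    {"pid": 6783, "ppid": 6781, "comm": "passwd", "syscall": "fork"},
    {"pid": 6783, "ppid": 6781, "comm": "passwd", "syscall": "open", "path": "/etc/passwd", "mode": "w"},
    {"pid": 6783, "ppid": 6781, "comm": "passwd", "syscall": "open", "path": "/etc/shadow", "mode": "w"},
    {"pid": 7000, "ppid": 1, "comm": "cron", "syscall": "open", "path": "/var/log/cron", "mode": "w"},  # unrelated
]

# Constructed IDS alert from the honeywall bridge: a Samba exploit signature on 139/tcp.
IDS_ALERT = {"sig": "SMB exploit attempt", "proto": "tcp", "src": "10.0.0.99:4455", "dst": "10.0.0.3:139"}


def process_for_flow(records, alert):
    """1st -> 2nd: the 'socket' record whose endpoints match the alerted flow names the process."""
    for r in records:
        if r["syscall"] == "socket" and (r["proto"], r["src"], r["dst"]) == (alert["proto"], alert["src"], alert["dst"]):
            return r["pid"]
    return None


def process_tree(records, root_pid):
    """Rebuild root_pid's descendants from the ppid in every record (what the 'fork' records provide)."""
    parents = {r["pid"]: r["ppid"] for r in records}
    tree, grew = {root_pid}, True
    while grew:  # keep adding children until the tree stops growing (depth is unknown up front)
        grew = False
        for pid, ppid in parents.items():
            if ppid in tree and pid not in tree:
                tree.add(pid)
                grew = True
    return tree


def correlate(records, alert):
    """Flow -> process -> process tree -> keystrokes (fd 0 reads) and files opened for writing."""
    pid = process_for_flow(records, alert)
    if pid is None:
        return None
    pids = process_tree(records, pid)
    mine = [r for r in records if r["pid"] in pids]
    return {
        "pid": pid,
        "processes": sorted({(r["pid"], r["comm"]) for r in mine}),
        "commands": "".join(r["data"] for r in mine if r["syscall"] == "read" and r["fd"] == 0).splitlines(),
        "files_written": sorted({r["path"] for r in mine if r["syscall"] == "open" and r["mode"] == "w"}),
    }
```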
27. Sebek Server (honeywall)
sbk_extract: reads from the network card (libpcap)
sbk_ks_log.pl: processes the logs and writes to 'stdout'
sebekd.pl: processes the logs and inserts the information into a DB.
Possible to apply filters to the 'stdout'.
28. Some papers..
Know your Enemy: Web Application Threats
http://www.honeynet.org/papers/webapp
Know your Enemy: Tracking Botnets
http://www.honeynet.org/papers/bots
Know Your Enemy: Malicious Web Servers
http://www.honeynet.org/papers/mws
Know your Enemy: Phishing
http://www.honeynet.org/papers/phishing
Know Your Enemy: Containing Conficker
http://www.honeynet.org/papers/conficker
29. Bibliography
Sebek: the honeypot project http://www.honeynet.org/project/sebek/ https://projects.honeynet.org/sebek/
Sebek 3: tracking the attackers, part one http://www.securityfocus.com/infocus/1855/2
Sebek 3: tracking the attackers, part two http://www.securityfocus.com/infocus/1858/2
Building and Installing Sebek client in Ubuntu Server 7.10 https://projects.honeynet.org/sebek/wiki/Building%20and%20Installing%20Sebek%20client%20in%20Ubuntu%20Server%207.10
Know your enemy: sebek http://old.honeynet.org/papers/sebek.pdf
Xebek: a next generation honeypot monitoring system http://www.authorstream.com/Presentation/aSGuest18341-186692-ppt-honey-pot-entertainment-powerpoint/
30. Sebek example
(Diagram: Sebek server 10.0.0.2 running sebekd; Sebek honeypot sebek-hp 10.0.0.3 running sbk.o)