The document discusses technical defenses against phishing attacks when human users fail to prevent infection initially. It describes how phishing messages can be purged from mailboxes post-delivery if enough users mark them as spam. It also explains how image referrers can be used to detect and block phishing sites, and how monitoring changes to webmail preferences can help identify compromised accounts being used to send spam by phishers.
The document discusses technical defenses that can be used against phishing attacks even after phishing messages have been delivered. It describes how phishing works, particularly Nigerian spear phishing attacks. It then outlines four technical approaches that can be used: (1) purging phishing messages from user mailboxes post-delivery, (2) intercepting phishing sites through image referrer tricks, (3) monitoring changes to webmail preferences for signs of compromised accounts, and (4) detecting when stolen accounts start sending spam.
This 5-day Certified Ethical Hacker training course teaches students how to scan, test, hack, and secure their own systems by learning the techniques used by hackers. The course covers topics like footprinting, scanning, enumeration, system hacking, viruses, sniffers, denial of service attacks, session hijacking, web server hacking, web application vulnerabilities, password cracking, SQL injection, and wireless and cryptography attacks. The goal is to help security professionals and network administrators enhance cybersecurity by thinking like an attacker in order to defend systems from real-world threats.
The document discusses the need for network security. It notes that more information is being created and shared digitally, creating vulnerabilities. The objectives are to understand security services like confidentiality and integrity, be aware of threats like viruses and hacking, and realize why comprehensive security programs are necessary. Such programs include elements like strong passwords, antivirus software, firewalls, backups, auditing, and user training. Cryptography and firewalls are discussed as important security countermeasures. The goal is to protect systems and data from increasing security risks on interconnected networks.
I used to get questions on what it takes to have a career in Information Security. Here are my thoughts on building a career in Security, touching on points like skills, job titles, whether certifications are needed, etc.
The document summarizes a student project on simulating and detecting SQL injection. It introduces the students working on the project, Farhan Tanvir, Shakhawat Hossain, and Md. Eram Talukder. It then outlines the introduction, motivations, objectives, tools, and expected outcome of the project, which are to study web vulnerabilities, existing security options, develop a platform to simulate SQL injection, find a solution to detect SQL injection, and ultimately create a real-time detection method.
Web security
Threats,
Available Technologies,
Web Security Software
Note: It's not advanced or complete, but it's enough to understand what web security actually is.
How to keep our website or web application safe
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing, starting from what platform to choose, where to learn, good resources, hardware requirements, etc. I will also demo Mobexler, a Mobile Application Penetration Testing Platform, and how you can use it for pentesting of iOS as well as Android apps. This talk will be a mix of some demo and some knowledge.
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Mazin Ahmed
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Basic overview, testing and mitigation plan for popular web application vulnerabilities such as XSS, CSRF and SQLi.
Updated "Web Security - Introduction" presentation.
In this presentation we have discussed different methodologies in password cracking: password brute force, social engineering attacks, phishing attacks, Windows login cracking, web login cracking, application password cracking, and Gmail and Facebook password extraction.
Basics of getting Into Bug Bounty Hunting
Presentation Given by Muhammad Khizer Javed at Qarshi university Lahore, Pakistan.
https://whoami.securitybreached.org/
@KHIZER_JAEVD47
Pankaj Kumar Jangid is seeking a position that allows him to continue growing professionally. He has completed training in ethical hacking and PHP development. He has degrees in computer science and describes himself as a motivated learner passionate about upgrading his skills. His technical skills include Linux, Windows, databases, web technologies, programming languages, and networking and cybersecurity tools. He maintains a technical blog and enjoys learning about new technologies online.
Methods hackers use to attack a network can include software-based attacks like cross-site scripting (XSS) and buffer overflows, infrastructure attacks such as denial-of-service (DoS) attacks and viruses, and physical attacks involving theft of hardware, information, or other resources. Software attacks target application vulnerabilities, infrastructure attacks compromise network resources, and physical attacks involve directly accessing systems or stealing equipment. Defenses include keeping software updated, using firewalls and antivirus software, and protecting physical access to systems and sensitive data.
The document discusses brute force attacks and dictionary attacks on systems. It describes how brute force attacks try all possible keys while dictionary attacks try commonly used keys. The document then provides steps for an automated system to conduct these attacks by looking for "wrong signs" when keys are tried. It concludes by stating that firewalls, captchas, limited login attempts, and other methods can help secure systems but true security requires multiple approaches.
This document provides information for a bug bounty presentation. It introduces the speaker, Sagar Parmar, and his background in security. It then outlines topics to cover, including what a bug bounty is, how to get started as a new bug bounty hunter, tips for progressing, and example vulnerabilities to target like XSS, SQLi, SSRF, LFI, and RCE. Details are given on finding and reporting vulnerabilities with the goal of helping others learn and advance in bug bounty hunting.
This document summarizes the capabilities of the Ettercap tool, which can intercept and alter network traffic. It discusses how Ettercap can intercept passwords through sniffing protocols like FTP, intercept DNS requests to redirect to illegitimate IP addresses, and sniff SSL traffic by injecting its own unsigned certificate. Studies show that many users will ignore certificate warnings. The document provides examples of how Ettercap can be used for these purposes and discusses ways to potentially detect or prevent its use.
This is a presentation I have delivered to undergraduate students who are interested in cyber security and want to know the strategy to get into cyber security by preparing themselves during their undergraduate studies.
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and Abroad
Mazin Ahmed
http://blog.mazinahmed.net/2016/10/bug-bounty-hunting-swiss-cyber-storm.html
The document discusses various topics related to web security including what it is, why it is important, common types of web attacks like SQL injection, cross-site scripting, password cracking, and phishing. It also discusses methods to provide security, such as using high security passwords, digital signatures, encryption/decryption, and biometric authentication. The conclusion states that as more security methods are available for websites, the future will be safer.
2020 FRSecure CISSP Mentor Program - Class 1
FRSecure
The document summarizes a CISSP mentor program session. It introduces the instructors and their backgrounds. It discusses the severe talent shortage problem in cybersecurity, with estimates of over 1 million unfilled jobs in the US currently. It notes that while some claim the shortage is overhyped, most experts agree there is a real shortage. The document aims to help address this problem through the free CISSP mentor program.
The web security training teaches you advanced web browsing vulnerabilities, from system penetration to identity theft, as well as protection solutions to ensure web security.
TONEX, a leader in the security industry for more than 15 years, is now announcing the web security training, which helps you secure the communication between a client and server as well as the integrity of data on the web.
By taking the web security training by TONEX, you will learn about the main features of the HTTP protocol, header fields in HTTP, URL encoding and HTTP security issues, the most basic knowledge needed for web security.
Audience:
IT professionals in the area of information security and web security
Executives and managers of cyber security and web security area
Information technology professionals, web engineers, security analysts, policy analysts
Security operation personnel, network administrators, system integrators and security consultants
Security traders who want to understand the software security of web systems, mobile devices, or other devices
Investors and contractors who plan to make investments in the system engineering industry
Technicians, operators, and maintenance personnel who are or will be working on cyber security projects
Managers, accountants, and executives of the cyber security industry
Training Objectives:
Understand the information security issues related to the World Wide Web.
Understand the security issues of servers related to web applications.
Explain the main concepts of web attacks and web vulnerabilities such as malicious emails, web scripts, cookies, web bugs and spyware.
Explore security issues in depth and develop and test potential solutions.
Investigate secure communication between client and server by encrypting data streams with protocols such as SSL.
Explore browser vulnerabilities and the protection of the system against web vulnerabilities.
Training Outline
The web security training course consists of the following lessons, which can be revised and tailored to the client’s need:
Overview of Information Security
HTTP Protocol
Basic Cryptography
The SSL Protocol
Web Attacks
Browser Security
Cookies, Web Bugs and Spyware
Windows Systems Security
UNIX/Linux Server Security
Apache and IIS Web Servers
Various Access Controls
Packet Filtering and Web Firewall
Introduction to Computer Networks
Hands On, Workshops and Group Activities
Sample Workshops and Labs for Web Security Training
Learn more about Web Security Training. Call us today at +1-972-665-9786, or visit our web security course link below.
https://www.tonex.com/training-courses/web-security/
This document discusses the history and types of computer malware. It begins with definitions of malware and viruses, then outlines a timeline of major viruses from 1950 to present. The document describes key characteristics of malware, including self-replication and parasitic behavior. It categorizes common malware types such as viruses, Trojan horses, spyware, and adware, providing examples of each. The document also discusses methods of malware detection using command prompts and antivirus software, how antiviruses work, and recommendations for safe computing practices.
2020 FRSecure CISSP Mentor Program - Class 4
FRSecure
This document summarizes a CISSP mentor program session on April 22, 2020. It discusses housekeeping for the online chat, reviews material covered in previous chapters, and begins covering the topic of security engineering from the CISSP common body of knowledge. Specific technical concepts summarized include computer bus architecture, the central processing unit components, and pipelining. The session includes a short quiz on memory types.
Cyber security diploma level 3 - Adams Academy
Adams Academy
Cybersecurity is the state of being protected against the criminal or unauthorized use of electronic data. Cybersecurity is a preventative practice that protects the integrity of networks, programs and data from cyber attack, damage and unauthorised access.
See more: https://bit.ly/2K6Y70A
Praesidio CTO, Sean Cassidy presented at FinDEVr New York 2016 on role-based behavior analytics, using patterns and anomalies in user behavior as indicators of attack. View his slides from the presentation here.
Overview:
It is easy for attackers to beat traditional security measures: antivirus, firewalls, and intrusion detection systems. This is because those methods are akin to blacklisting known bad behavior, and attackers need only modify their behavior slightly to avoid the blacklist. Anomaly detection, instead, models normal user behavior and alerts when attackers deviate from it, without any human specifying what normal behavior is.
So what is anomaly detection, how does it work, and how can you apply it to your network?
WFH security risks - Ed Adams, President, Security Innovation
Priyanka Aash
This document discusses strategies for improving security awareness and practices among employees and organizations. It addresses issues like uninformed employees falling for phishing scams, securing home networks and devices, and ensuring new applications developed during business pivots are secure. The key recommendations are to educate employees and software teams, implement defense in depth with tools like two-factor authentication and encryption, and address security throughout the software development lifecycle when creating new applications and integrating third-party software.
The document provides an overview of security testing and hacking. It discusses the basics of vulnerability testing, different methodologies like network testing and web application testing. It outlines three main types of security tests: audits, assessments, and penetration tests. It discusses the importance of having permission and ethics when conducting security work. The document also provides a brief history of hacking and how the techniques have evolved over time as external vulnerabilities have been addressed.
The Phishing Intelligence Engine (PIE) is a framework that assists with the detection of and response to phishing attacks. It is an Active Defense framework built around Office 365 that continuously evaluates Message Trace logs for malicious content and dynamically responds as threats are identified or emails are reported. This talk covers the framework and then dives into some stories from the field.
Defeating Social Engineering, BECs & Phishing
Bishop Fox
Over 90 percent of cyber attacks start the same way: with a phishing message. Attackers slip all manner of malware into your organization just by convincing users — even admin-level users in the IT department — to click on a link. Fraudsters carrying out business email compromise attacks are even more clever, forgoing malware and malicious links altogether, and scamming companies out of $47 million, $75 million and more, simply by asking for it the right way. Social engineering is, at the very least, how attackers get their foot in the door, and at worst, how they get away with your crown jewels.
Originally presented at Interop ITX in 2017.
This document discusses advanced persistent threats (APTs). It defines APTs, describes their stages including reconnaissance, delivery, exploitation, operation, data collection, and exfiltration. It then presents an APT detection framework called the Attack Pyramid that models APT attacks across physical, user access, network, and application planes and detects relevant events using algorithms and rules. Research papers are cited that further define APTs and propose the Attack Pyramid model for detecting such threats.
The document discusses Facebook's immune system to protect users and the social graph from threats. It focuses on compromised accounts, fake accounts, and unwanted interactions ("creepers"). The system uses big data and real-time analysis with 25B daily checks to classify interactions. Features are extracted and models are loaded dynamically. Response policies aim to shorten attack/detection times while lengthening defense/adaptation to stay ahead of adversaries.
This document provides an overview of an offensive cyber security engineer training program offered by infosectrain.com. The 120-hour instructor-led online program includes training in ethical hacking, penetration testing, cyber security tools and techniques. It aims to provide students with skills in areas like reconnaissance, scanning, vulnerability analysis, exploitation, post-exploitation, and reporting. The program covers topics such as Active Directory penetration testing, password cracking, and privilege escalation. It includes hands-on labs and prepares students for the EC-Council Certified Ethical Hacker certification exam.
The Offensive Cyber Security Certification will upgrade your skills to become a pentester or exploit developer. You will learn multiple offensive approaches to accessing infrastructure, environments, and information, and will perform risk analysis and mitigation, compliance, and much more with this program.
https://www.infosectrain.com/courses/offensive-cyber-security-engineer-training/
Interop 2017 - Defeating Social Engineering, BEC, and PhishingRob Ragan
Over 90 percent of cyber attacks start the same way: with a phishing message. Attackers slip all manner of malware into your organization just by convincing users -- even admin-level users in the IT department -- to click on a link. Fraudsters carrying out business email compromise attacks are even more clever, forgoing malware and malicious links altogether, and scamming companies out of $47 million, $75 million and more, simply by asking for it the right way. Social engineering is, at the very least, how attackers get their foot in the door, and at worst, how they get away with your crown jewels. In this session, learn about attackers' new twists on the oldest tricks in the book, and how to protect your organization against them.
This document provides an overview of becoming a penetration tester or pentester. It discusses Phillip Wylie's background and experience in information security. It defines pentesting and explains why organizations use pentesting for security assessments and regulatory compliance. It outlines the skills, knowledge, and mindset needed to become a pentester including technological knowledge, hacking skills, and developing a "hacker mindset". It provides recommendations for building a home lab, recommended reading, learning resources, certifications, and tips for getting pentester jobs.
Justin Robinson is a US citizen born in 1989 seeking a career in information sciences and technology with interests in game development, networking, and programming. He has a Bachelor's degree in Information Sciences and Technology from Penn State, and Master's degrees in Cyber Security from University of Maryland and concurrent degrees in Software Engineering and Information Systems from Penn State. He has worked as a programmer/analyst at Boeing since 2015 where he develops applications in C# and SQL, and previously worked as a computer forensic analyst and rotational employee at Boeing as well.
This document discusses self defense for cybersecurity and protecting personal and organizational assets from cyber threats. It provides examples of common cyber attacks like hacking and phishing. It also outlines traditional security fixes like firewalls, antivirus software, and password best practices. Throughout it provides scenarios of past security breaches at companies to illustrate the risks and impacts of attacks. The key messages are that social engineering, weak passwords, and lack of backups leave both personal and business systems vulnerable to cyber criminals. Regular security updates, strong unique passwords, and backing up important data are recommended for protection.
This document provides an overview of network security concepts and techniques. It defines common attacks such as denial of service attacks, man-in-the-middle attacks, and SQL injection. It also describes defenses such as firewalls, intrusion detection systems, and encryption. The document outlines the stages of a cyber operation from target identification to gaining access and establishing persistence. It provides examples of passive and active attacks and how to classify network services and roles to implement security zones and isolation.
This document discusses network security and provides definitions for common attacks, technical solutions, and objectives. It begins with an overview of the challenges of network security and stages of a cyber operation. Specific attacks covered include denial of service, man-in-the-middle, SQL injection, and password cracking. Defenses such as firewalls, intrusion detection/prevention systems, and encryption techniques are also defined. The objectives are to understand these concepts and apply security best practices like layered defenses and network segmentation.
Critical Controls Might Have Prevented the Target BreachTeri Radichel
The document discusses how implementing the 20 Critical Controls could have prevented the 2014 Target data breach. It analyzes each stage of the attack, from initial reconnaissance to data exfiltration, and explains how controls like secure configurations, malware defenses, and log monitoring would have disrupted the attacker's activities. Proper implementation of the Critical Controls aims to limit opportunities for attackers by restricting access and visibility, detecting anomalous behavior, and strengthening security across the network, endpoints, and applications.
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecuritycentralohioissa
Corporate cybercrime is usually blamed on outsiders, but sometimes, your employees can represent the biggest threat to your organization’s IT security. In this presentation, Kaspersky Lab’s Mark Villinski, will provide practical advice for educating your employees about cybersecurity. Attend to learn:
• How to create efficient and effective security policies
• Overview and statistics of the current threat landscape
• The importance of keeping your employees updated about the latest threats and scams
• Security solutions that can help keep your systems updated and protected
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
This talk will cover ScyllaDB Architecture from the cluster-level view and zoom in on data distribution and internal node architecture. In the process, we will learn the secret sauce used to get ScyllaDB's high availability and superior performance. We will also touch on the upcoming changes to ScyllaDB architecture, moving to strongly consistent metadata and tablets.
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
"NATO Hackathon Winner: AI-Powered Drug Search", Taras KlobaFwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfleebarnesutopia
So… you want to become a Test Automation Engineer (or hire and develop one)? While there’s quite a bit of information available about important technical and tool skills to master, there’s not enough discussion around the path to becoming an effective Test Automation Engineer that knows how to add VALUE. In my experience this had led to a proliferation of engineers who are proficient with tools and building frameworks but have skill and knowledge gaps, especially in software testing, that reduce the value they deliver with test automation.
In this talk, Lee will share his lessons learned from over 30 years of working with, and mentoring, hundreds of Test Automation Engineers. Whether you’re looking to get started in test automation or just want to improve your trade, this talk will give you a solid foundation and roadmap for ensuring your test automation efforts continuously add value. This talk is equally valuable for both aspiring Test Automation Engineers and those managing them! All attendees will take away a set of key foundational knowledge and a high-level learning path for leveling up test automation skills and ensuring they add value to their organizations.
The Department of Veteran Affairs (VA) invited Taylor Paschal, Knowledge & Information Management Consultant at Enterprise Knowledge, to speak at a Knowledge Management Lunch and Learn hosted on June 12, 2024. All Office of Administration staff were invited to attend and received professional development credit for participating in the voluntary event.
The objectives of the Lunch and Learn presentation were to:
- Review what KM ‘is’ and ‘isn’t’
- Understand the value of KM and the benefits of engaging
- Define and reflect on your “what’s in it for me?”
- Share actionable ways you can participate in Knowledge - - Capture & Transfer
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...AlexanderRichford
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
Session 1 - Intro to Robotic Process Automation.pdfUiPathCommunity
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
"What does it really mean for your system to be available, or how to define w...Fwdays
We will talk about system monitoring from a few different angles. We will start by covering the basics, then discuss SLOs, how to define them, and why understanding the business well is crucial for success in this exercise.
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Keywords: AI, Containeres, Kubernetes, Cloud Native
Event Link: https://meine.doag.org/events/cloudland/2024/agenda/#agendaId.4211
From Natural Language to Structured Solr Queries using LLMsSease
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Sans phish-orlando
1. Phish Stories
Technical Intervention when Humans Fail
Rich Graves
March 2013
GIAC GSE, GSEC, GCIA, GCIH, GWEB, GAWN, GCFE, GPEN, GWAPT; CISSP
SANS Technology Institute - Candidate for Master of Science Degree 1
2. Objective
• The story of Nigerian webmail phishing
• Technical defense in depth
1. Purge phishing messages post-delivery
2. Image referrer tricks
3. Monitor webmail preferences
4. When stolen accounts start sending spam, detect and act
• Summary
3. “Phishing is not my problem”
• This is a user awareness problem, not a technical problem
• (The Cloud) handles our email
• Non-targeted phishing is not a serious issue
• We require two-factor auth
4. Nigerian Spear Phishing
• Labor-intensive, coordinated
• Phish sent from previously phished accounts; “IP reputation” useless
• Collect passwords via web forms, sometimes Reply-To
• A Persistent Threat
5. Phishing Message Inbound
From: helpdesk@example.edu <joeschmo@this.com>
To: undisclosed-recipients: ;
Subject: mailbox quota exceeded #[1M1QC063GF4xn2r]

Your mailbox storage limit/quota has been exceeded
until you re-validate your mailbox you cannot send
or recieve e-mail.To re-validate your mailbox. - >
Click Here:
https://docs.google.com/a/nebo.edu/spreadsheet/viewform?formkey=dFkzcXM5Z3dLUWRmckl5UEQzZzZ6dVE6MQ

(Slide callouts: “Stolen account at”; “https to Google Apps nebo.edu”)
6. Phishing Collection Forms
/viewform: the form
/viewanalytics: the answers
• Not sophisticated
• Mostly use free forms, like Google Drive
• This site live > 7 days
• Sometimes use hacked sites: PHPFormGen
7. Upon Successful Phish
• Attacker logs on
• Usually webmail, sometimes smtp
• Usually from abroad, or a VPN
• Sends email, with Bcc to the boss
• Might change signature, full name
8. Scam Message Outbound
Received: from JoeUser ([41.203.67.50]) (authenticated bits=0)
    (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256)
Reply-To: <yee.leegrace4@yahoo.com.hk>
From: "Grace Lee Yee"<********@carleton.edu>
Subject: Genuine Deal.Interested?
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Antivirus: avast! (VPS 121206-1, 12/06/2012), Outbound message
X-Antivirus-Status: Clean

Deal worth USD45,275, 000.00. Are you interested? Please
get back for more details.via email: yee.leegrace1@zing.vn

(Slide callouts: “Nigeria” on the 41.203.67.50 source address, “Hong Kong” on the yahoo.com.hk Reply-To, “Vietnam” on the zing.vn address in the body)
9. Who is Doing This?
Accounts stolen by Nigerian phish have contacted ojo4live, aka “Mafioso,” party to a CREDIT CARD thread on faqs.org.
10. Defense in Depth
• Block inbound phish (antispam)
• If that fails, stop users from replying
• If users reply, identify and contain
11. Remove Phish from Mailboxes
• We delivered a phishing message, but it does not need to stay
• If more than n users hit the Spam button, trigger global removal
• Joe St. Sauver’s “Filtering spam at your leisure”
12. Phishing Site Interdiction: Use the Referer
If phishing site HREFs your images:
a) You get log entries. b) You can change them.
(Before / After screenshots)
13. Monitor Webmail Preferences
• The bad guys often:
– Put spam text in signature
– Set full name and Reply-To headers
– Disable “Save to Sent folder”
• Monitor prefs changes, disable suspect accounts – 80% success
14. Detect Internal Spammers
• Finally, if not detected, bad guys will use your accounts to spam
• Rate-limit. Watch for these regarding outbound email:
stat=Deferred.+http://postmaster.yahoo.com
stat=Deferred.+http://postmaster.info.aol.com
stat=Deferred.+mail.live.com/mail/troubleshoo
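As an added example (not from the slides), this Python script applies the three deferral patterns above to sendmail maillog lines, attributes each deferral to the internal sender by correlating the queue ID with the from= line, and totals recipients per sender for the rate-limit check. The log lines, the daemon=MSA submission marker and the thresholds are constructed assumptions.

```python
"""Detect internal accounts that have started spamming, from sendmail maillog lines.

Added example, not from the slides.  ASSUMPTIONS: sendmail-style 'from=' and 'to=' log
lines sharing a queue ID, 'daemon=MSA' marking authenticated submissions, constructed
sample lines and my own thresholds.  The three deferral patterns are the slide's own.
"""
import re

# Verbatim from slide 14: big providers defer mail from a source they get complaints about.
PROVIDER_DEFERRALS = {
    "yahoo": re.compile(r"stat=Deferred.+http://postmaster.yahoo.com"),
    "aol":   re.compile(r"stat=Deferred.+http://postmaster.info.aol.com"),
    "live":  re.compile(r"stat=Deferred.+mail.live.com/mail/troubleshoo"),
}
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>,.*?nrcpts=(?P<n>\d+)")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<[^>]*>,")

# Constructed sample (not a real capture): jdoe's stolen account sends two bulk messages from
# a Nigerian address and gets deferred by three providers; alice and bob send normal mail;
# the last pair is inbound mail (daemon=MTA), which must not be counted as a sender.
SAMPLE_MAILLOG = """\
Mar  1 10:20:01 mail sendmail[2101]: r21GK1aB002101: from=<jdoe@example.edu>, size=1432, class=0, nrcpts=40, msgid=<a1@example.edu>, proto=ESMTP, daemon=MSA, relay=[41.203.67.50]
Mar  1 10:20:05 mail sendmail[2107]: r21GK1aB002101: to=<v1@yahoo.com>, delay=00:00:04, mailer=esmtp, relay=mx.yahoo.test. [192.0.2.10], dsn=4.0.0, stat=Deferred: 421 4.7.0 temporarily deferred due to user complaints; see http://postmaster.yahoo.com/
Mar  1 10:20:06 mail sendmail[2107]: r21GK1aB002101: to=<v2@aol.com>, delay=00:00:05, mailer=esmtp, relay=mx.aol.test. [192.0.2.11], dsn=4.0.0, stat=Deferred: 421 dynamic address, see http://postmaster.info.aol.com/
Mar  1 10:21:30 mail sendmail[2115]: r21GLUaB002115: from=<jdoe@example.edu>, size=1435, class=0, nrcpts=35, msgid=<a2@example.edu>, proto=ESMTP, daemon=MSA, relay=[41.203.67.50]
Mar  1 10:21:33 mail sendmail[2119]: r21GLUaB002115: to=<v3@hotmail.com>, delay=00:00:03, mailer=esmtp, relay=mx.live.test. [192.0.2.12], dsn=4.0.0, stat=Deferred: 421 rate limit exceeded; see http://mail.live.com/mail/troubleshooting.aspx
Mar  1 10:22:00 mail sendmail[2130]: r21GM0aB002130: from=<alice@example.edu>, size=2010, class=0, nrcpts=1, msgid=<b1@example.edu>, proto=ESMTP, daemon=MSA, relay=[10.0.5.9]
Mar  1 10:22:01 mail sendmail[2131]: r21GM0aB002130: to=<friend@gmail.com>, delay=00:00:01, mailer=esmtp, relay=mx.gmail.test. [192.0.2.13], dsn=2.0.0, stat=Sent (OK)
Mar  1 10:23:00 mail sendmail[2140]: r21GN0aB002140: from=<bob@example.edu>, size=900, class=0, nrcpts=1, msgid=<c1@example.edu>, proto=ESMTP, daemon=MSA, relay=[10.0.5.20]
Mar  1 10:23:02 mail sendmail[2141]: r21GN0aB002140: to=<peer@partner.test>, delay=00:00:02, mailer=esmtp, relay=mx.partner.test. [192.0.2.14], dsn=4.7.1, stat=Deferred: 451 4.7.1 Greylisted, please try again later
Mar  1 10:24:00 mail sendmail[2150]: r21GO0aB002150: from=<outsider@partner.test>, size=3000, class=0, nrcpts=1, msgid=<x1@partner.test>, proto=ESMTP, daemon=MTA, relay=mx.partner.test [192.0.2.14]
Mar  1 10:24:01 mail sendmail[2151]: r21GO0aB002150: to=<bob@example.edu>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""


def outbound_stats(log_text, submission_marker="daemon=MSA"):
    """Per authenticated sender: messages, total recipients, complaint deferrals and the
    providers that deferred.  'to=' lines are tied to their sender via the queue ID."""
    sender_of_qid, stats = {}, {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            if submission_marker and submission_marker not in line:
                continue                      # inbound mail, not one of our users sending
            sender = m["sender"].lower()
            sender_of_qid[m["qid"]] = sender
            s = stats.setdefault(sender, {"messages": 0, "recipients": 0,
                                          "complaint_deferrals": 0, "providers": []})
            s["messages"] += 1
            s["recipients"] += int(m["n"])    # rate-limit input: recipients, not messages
            continue
        m = TO_RE.search(line)
        if not m or m["qid"] not in sender_of_qid:
            continue                          # delivery for a queue ID we did not see submitted
        s = stats[sender_of_qid[m["qid"]]]
        for provider, pattern in PROVIDER_DEFERRALS.items():
            if pattern.search(line):          # greylisting and other deferrals do not match
                s["complaint_deferrals"] += 1
                if provider not in s["providers"]:
                    s["providers"].append(provider)
                break
    return stats


def suspects(stats, max_recipients=50, min_complaint_deferrals=1):
    """Senders over the recipient budget or deferred by a big provider: these accounts
    go to incident response (lock, kill sessions, ticket) rather than to the queue."""
    return sorted(sender for sender, s in stats.items()
                  if s["recipients"] > max_recipients
                  or s["complaint_deferrals"] >= min_complaint_deferrals)


if __name__ == "__main__":
    stats = outbound_stats(SAMPLE_MAILLOG)
    for sender in suspects(stats):
        print(sender, stats[sender])
```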
15. Summary
• Phishing is a real problem
• Takeaways:
– Know your enemy’s methods
– When prevention fails, detect and respond
– Phishing is a human problem, but technical solutions are relevant even post-delivery
• Q&A: rgraves@carleton.edu
Editor's Notes
Here we address some “myths” about why serious security professionals should not waste time worrying about phishing. There were precisely zero “Email Issues” papers added to the SANS Reading Room between January 2009 and January 2013. Is there really nothing new to say?

User awareness: Granted, user awareness is critical. However, we all know that users fail: HBGary, RSA, Google/Aurora, to name three organizations that saw serious phishing attacks recently. If you believe in the concept of defense in depth, you need to look for the immediate next line of defense.

The Cloud: Yes, due to their privileged position and scale, Gmail and Microsoft can do a better job of antispam/antiphishing filtering than the individual enterprise, and probably better than most antispam vendors. However, as we will see, “cloud” accounts are still abused both to send phishing messages and to collect passwords. Although beyond the scope of this talk, consider how much valuable log data you lose when outsourcing email. With an on-premises server, you know when users log on, and from where; with most systems, you can find the IP address and user-agent used when they sent each email. Google has a little-known Audit API described at https://developers.google.com/google-apps/email-audit/ but it is not real-time.

Seriousness: Yes, each non-targeted phish has a low Single Loss Expectancy (SLE). But the Annual Loss Expectancy (ALE) can be high, due to the large number of events. Also, how, exactly, do you tell the difference between a targeted phish and a non-targeted phish?

2-factor authentication: True. The attacks described in this talk are defeated by 2FA.
Our #1 bad actor is clearly a persistent threat, though not an advanced one. This is the opposite of targeted spear phishing. All available evidence (user-agents, timing of page hits, occasional mistakes) is that the attacks are manual. We can attribute them to Nigeria based on IP addresses (various sub-ranges of 41.* and 88.*) and names associated with a few known C&C email addresses.

Most of the phish that we see is sent from webmail accounts that were, themselves, phished. Three things to note here:
1) “The phish that we see” is obviously not the complete set. First-tier antispam measures such as DNS-based real-time IP blacklists surely block some.
2) This suggests that it might be cheaper for the attackers to get new accounts from phishing than from signing up for new webmail accounts. That is sad.
3) Antispam strategies that depend on the source IP or other stable point-source characteristics are not effective.

Years ago, we saw a lot of emails requesting passwords via email, usually with a Reply-To, and sometimes specifying the email address in the body. Users have become (slightly) more savvy, and email providers are (slightly) better at closing those accounts for abuse. Now, almost all phish offers a link to a web form. Those forms are inevitably on “free form” sites such as 123contactform.com and formstack.com (just 2 examples; there are many such sites).
A “SYSTEM ADMINISTRATOR HELPDESK” phishing form hosted on Google Drive. The lack of attention to look and feel is not unusual; I have seen forms called “Untitled.” Incredibly, people actually fall for the scam and provide their password to forms this bare.

Sometimes, as in this case, the attackers fail to secure the data. All collected email addresses and passwords are available simply by changing the last component of the URL from “viewform” to “viewanalytics.” As you can (barely) see at the bottom, every Google Docs form has a “Report Abuse” link. Unfortunately, Google have been extremely slow to respond to abuse complaints.

123contactform.com is another form processor that has been abused for phishing. Although the Romanian address might lead you to assume otherwise, this site has an excellent record in dealing with takedown requests. I often get a confirmed takedown within 30 minutes. Sometimes they have sent me the collected data, i.e., the list of victims.

formstack.com and tuclouds.com phishing form URLs are shown in my GSEC Gold paper, http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082. There are many other “free” form sites of that ilk.

Many mom & pop web sites (laundromats, churches, etc.) run the general-purpose form processor phpFormGenerator. It generates URLs like /use/(something)/form1.html. From 2010 to mid-2012, it was very common for attackers to search the web for vulnerable installations, install a bunch of phishing forms, and spam them around. I had an IDS rule alerting on POSTs to */form1.html. We still get hits on that rule, and I have also seen phishing forms on hacked WordPress sites. Keep an eye out for entire classes of URLs that might be phishy.
Attackers who spam and phish like to… spam and phish some more! They test pilfered credentials by logging on via webmail (or occasionally an exposed SMTP server). Often, they expose a Nigerian IP address. If you only expect legitimate logins from a small set of countries, here is an obvious place to detect and stop attacks. To evade that control, they will use a VPN or proxy of some sort. I have seen webmail phishers use the VPN service anchorfree.com, the AOL Desktop client (yes, it still exists), and university VPNs to cover their tracks.

They send email, often Cc’ing a known phishing-gang email address on their first or second message (discussed later). They often customize their environment by going into webmail preferences and changing signature and full name.
We often notice that the first or second message sent by a compromised account goes to a special address, possibly that of a ringleader. The first message sent by the compromised account in the previous slide was copied to ojo4live@yahoo.com, which has a 6-year history on the Internet. On a Nigerian social networking site, he takes the name “Mafioso” and says he is “Exiled to Australasia.” Many years ago, when his English was even worse and he had a keyboard with a STUCK SHIFT KEY, he tried, ineptly, to get into carding.

We can use such email addresses, as well as the Reply-To and body email addresses, to identify incoming and outgoing spam. The Anti-Phishing-Email-Reply project collects them, at http://code.google.com/p/anti-phishing-email-reply/
The rest of this presentation is dedicated to some creative techniques for the prevention, detection, and containment of webmail account compromises. Remember, we are looking at what we can do as sysadmins and incident responders; user security awareness is out of scope, and assumed to have failed.

Obviously, we would prefer not to receive or deliver phishing messages. My GSEC Gold paper at http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082 has some thoughts on this. However, in order to make this presentation manageable, today we are assuming that antispam has already failed. The phishing messages are sitting in user inboxes. So, let us remove them as quickly as we can and, in parallel, stop users who might have opened the phish already from replying. If users have already replied, then we need to identify and treat those accounts as compromised.
Joe St. Sauver had some very interesting musings on the strategy and implications of post-delivery antispam reprocessing at a Mail Anti-Abuse Working Group meeting back in 2006. Check out http://www.uoregon.edu/~joe/maawg7

At present, we are not able to do post-delivery spam filtering, but the idea inspired a system for retroactive message removal. The strategy for efficient retroactive phish removal from Zimbra mailboxes is:
1) Decide on an email address and/or Message-ID regular expression to censor.
2) Search the mailbox.log file for matching email deliveries. This requires correlating two separate log messages: first the LMTP delivery, which includes the sender email address, and then the deposit in the user’s Inbox, which has the message number we need in order to delete it. The two are threaded together by the Message-ID.
3) Delete the message(s). This can be done with SOAP calls, but it is easiest to pipe deleteMessage commands to the zmmailbox command-line utility, which will create the SOAP calls for us. The zmmailbox commands are:
setMailbox (sm) johndoe@example.com
deleteMessage (dm) 376211

For details, see my Gold paper, http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082
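As an added example (not the author's code) of the log correlation and zmmailbox steps just described, this Python script pairs LMTP delivery lines with Inbox deposit lines by Message-ID and emits the setMailbox/deleteMessage commands. The mailbox.log line format, the sample lines and the mailbox names are constructed assumptions; adapt the two regexes to what your server actually writes.

```python
"""Retroactive phish removal: find who received a phish and emit zmmailbox delete commands.

Added example, not the author's code.  ASSUMPTION: mailbox.log lines look like the
constructed samples below (an LMTP 'Delivering message' line carrying the sender and
Message-ID, then a mailop 'Adding Message' line carrying the Zimbra item id).  Adapt
LMTP_RE and ADD_RE to the format your server actually writes.
"""
import re
from collections import defaultdict

# Constructed sample lines (not a real capture): one phish delivered to alice and bob,
# one legitimate newsletter delivered to carol.
SAMPLE_LOG = """\
2013-03-01 10:15:22,101 INFO [LmtpServer-3] [name=alice@example.edu;mid=17;] lmtp - Delivering message: size=1823 bytes, nrcpts=1, sender=joeschmo@this.com, msgid=<20130301101500.A1B2C3@this.com>
2013-03-01 10:15:22,140 INFO [LmtpServer-3] [name=alice@example.edu;mid=17;] mailop - Adding Message: id=376211, Message-ID=<20130301101500.A1B2C3@this.com>, folderId=2, folderName=Inbox
2013-03-01 10:15:23,010 INFO [LmtpServer-4] [name=bob@example.edu;mid=18;] lmtp - Delivering message: size=1823 bytes, nrcpts=1, sender=joeschmo@this.com, msgid=<20130301101500.A1B2C3@this.com>
2013-03-01 10:15:23,055 INFO [LmtpServer-4] [name=bob@example.edu;mid=18;] mailop - Adding Message: id=98877, Message-ID=<20130301101500.A1B2C3@this.com>, folderId=2, folderName=Inbox
2013-03-01 10:16:00,500 INFO [LmtpServer-5] [name=carol@example.edu;mid=19;] lmtp - Delivering message: size=4410 bytes, nrcpts=1, sender=newsletter@legit.example, msgid=<news-42@legit.example>
2013-03-01 10:16:00,530 INFO [LmtpServer-5] [name=carol@example.edu;mid=19;] mailop - Adding Message: id=5501, Message-ID=<news-42@legit.example>, folderId=2, folderName=Inbox
"""

# The LMTP line gives mailbox + sender + Message-ID ...
LMTP_RE = re.compile(
    r"\[name=(?P<mbox>[^;\]]+);[^\]]*\] lmtp - Delivering message:.*?"
    r"sender=(?P<sender>[^,\s]+), msgid=(?P<msgid><[^>]*>)"
)
# ... and the mailop line gives mailbox + item id + Message-ID.  Message-ID threads the two.
ADD_RE = re.compile(
    r"\[name=(?P<mbox>[^;\]]+);[^\]]*\] mailop - Adding Message: id=(?P<id>\d+), "
    r"Message-ID=(?P<msgid><[^>]*>)"
)


def find_deliveries(log_text, sender_re=None, msgid_re=None):
    """Return {mailbox: [item_id, ...]} for deliveries whose sender or Message-ID matches
    the censor pattern(s) chosen in step 1."""
    if sender_re is None and msgid_re is None:
        raise ValueError("give a sender and/or Message-ID regular expression to censor")
    sender_pat = re.compile(sender_re, re.I) if sender_re else None
    msgid_pat = re.compile(msgid_re, re.I) if msgid_re else None

    wanted = set()                       # (mailbox, Message-ID) pairs to delete
    for line in log_text.splitlines():
        m = LMTP_RE.search(line)
        if not m:
            continue
        if (sender_pat and sender_pat.search(m["sender"])) or (
            msgid_pat and msgid_pat.search(m["msgid"])
        ):
            wanted.add((m["mbox"].lower(), m["msgid"]))

    plan = defaultdict(list)             # a delivery with no 'Adding Message' line is skipped
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m and (m["mbox"].lower(), m["msgid"]) in wanted:
            plan[m["mbox"].lower()].append(int(m["id"]))
    return dict(plan)


def zmmailbox_script(plan):
    """Step 3: render the plan as zmmailbox commands, one setMailbox (sm) per user followed
    by one deleteMessage (dm) per item id, ready to pipe into zmmailbox."""
    lines = []
    for mbox in sorted(plan):
        lines.append(f"sm {mbox}")
        lines.extend(f"dm {item_id}" for item_id in plan[mbox])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Censor everything the phisher's stolen account sent us.
    print(zmmailbox_script(find_deliveries(SAMPLE_LOG, sender_re=r"^joeschmo@this\.com$")), end="")
```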
(Yes, the HTTP protocol standard spells “referrer” incorrectly.)

You can delete phishing messages from your central server, but most organizations allow mobile, IMAP, or MAPI clients in cached mode, so it is possible that people might still be trying to get to the phishing site. Other considerations include users who forward their email to an outside email address, phishing by non-email means (social media, search engine poisoning, etc.), and repeated phish (i.e., they spam you again with the same content).

Sometimes you do not actually need to take the phishing site down. If they include images or CSS from your real web site, as here, simply change them based on the referring site. With Apache, you can do something like this:

    # Redirect requests for CarletonLogoSmall to a phishing warning graphic
    # whenever the Referer is present and is not one of our own sites.
    RewriteCond %{HTTP_REFERER} .
    RewriteCond %{HTTP_REFERER} !^https?://(apps|wiki|www)\.carleton\.edu [NC]
    RewriteRule ^/departments/ITS/Images/CarletonLogoSmall.png \
        http://www.carleton.edu/departments/ITS/Images/phish-banner.png [L,NC,R=307]

For more, including ideas on how to use referer analysis proactively when the phishers are still at the recon stage, see Rossell, Shelley (2011, April). Phishing technical controls: beyond Proofpoint. Presentation delivered at the EDUCAUSE Security Professionals Conference, San Antonio, Texas. Slides available under the Resources tab at http://www.educause.edu/events/security-professionals-conference/2011/phishing-technical-controls-beyond-proofpoint
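As an added example that is not part of the talk, a small Python pass over Apache access-log lines that applies the same referer test in the detection direction, for the proactive recon-stage analysis mentioned above: it lists outside hosts whose pages are loading our logo. The log lines and the phishing host name are constructed, and the own-host pattern is anchored at both ends so a look-alike host that merely begins with one of our names does not pass.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache combined-log lines (not real traffic; the outside hosts are
# placeholders) showing our own logo being requested from other sites' pages.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2012:10:20:01 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4133 "http://www.carleton.edu/its/" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2012:10:21:15 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4133 "http://webmail-update.example.net/login.php" "Mozilla/5.0"
198.51.100.10 - - [01/Mar/2012:10:21:40 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4133 "http://webmail-update.example.net/login.php" "Mozilla/5.0"
192.0.2.4 - - [01/Mar/2012:10:22:05 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4133 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Mar/2012:10:23:09 -0600] "GET /departments/ITS/Images/CarletonLogoSmall.png HTTP/1.1" 200 4133 "http://www.carleton.edu.example.net/x" "Mozilla/5.0"
192.0.2.6 - - [01/Mar/2012:10:24:00 -0600] "GET /its/style.css HTTP/1.1" 200 812 "https://apps.carleton.edu/campus/" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" ')
# Same hosts as the RewriteCond, but anchored at both ends so a look-alike such as
# www.carleton.edu.example.net is not mistaken for one of ours.
OWN_HOST_RE = re.compile(r"^(apps|wiki|www)\.carleton\.edu$", re.IGNORECASE)

def foreign_referers(log_text, watched_paths):
    """Count (referring host, path) for watched assets requested from a page that is
    not on one of our own hosts. Empty or '-' referers are skipped, like the
    'RewriteCond %{HTTP_REFERER} .' guard in the Apache rule."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] not in watched_paths:
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or OWN_HOST_RE.match(host):
            continue
        counts[(host, m["path"])] += 1
    return counts

if __name__ == "__main__":
    logo = "/departments/ITS/Images/CarletonLogoSmall.png"
    for (host, path), n in foreign_referers(SAMPLE_ACCESS_LOG, {logo}).most_common():
        print(f"{n:4d}  {host}  {path}")
```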
On a Zimbra server, webmail preferences are stored in an LDAP directory. You could tail -f the logs for messages indicating that an account’s preferences have changed, but I just ldapsearch all accounts every minute. If an account’s preferences appear “bad,” we contain it:

- Kill all current webmail sessions
- Trigger account lockout in Active Directory with an intentional series of bad passwords (no privileges needed)
- Create a help desk ticket, populated with the evidence

Some of the most useful attributes to investigate are zimbraPrefFromDisplay, the full name shown on outbound email; zimbraPrefSaveToSent, which toggles the saving of outbound email; and zimbraPrefMailSignature/zimbraPrefMailSignatureHTML, the signature. For example:

    zimbraPrefFromDisplay: MrsMagaritaYakov
    zimbraPrefReplyToAddress: mrsyakov@live.com
    zimbraPrefMailForwardingAddress: mrsyakov@live.com
    zimbraPrefSaveToSent: FALSE
    zimbraPrefMailSignatureHTML: My Name is MrsMagaritaYakov ,I am married to late Dr. Slavic Yakov who was an Oil&nbsp; Merchant and international businessman before he died in the year 2001 i have a business of ($18,000,000.00 USD)

Full names starting with “Mr” or “Mrs” are associated with advance fee fraud (419 scams). Full names or Reply-To including webmaster, helpdesk, account, and so on suggest phish.
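As an added example, not the talk’s own script, a Python check over constructed ldapsearch -LLL output for the attributes named above (the accounts, values and the example.edu domain are made up): it rejoins LDIF folded lines, then flags Mr/Mrs display names, service-desk names, Reply-To or forwarding addresses outside our domain, and zimbraPrefSaveToSent set to FALSE.

```python
import re
# Constructed ldapsearch -LLL output; attribute names come from the talk, accounts/values/domain are made up.
SAMPLE_LDIF = """\
dn: uid=compromised,ou=people,dc=example,dc=edu
zimbraMailDeliveryAddress: compromised@example.edu
zimbraPrefFromDisplay: MrsMagaritaYakov
zimbraPrefReplyToAddress: mrsyakov@live.com
zimbraPrefMailForwardingAddress: mrsyakov@live.com
zimbraPrefSaveToSent: FALSE
zimbraPrefMailSignatureHTML: My Name is MrsMagaritaYakov, I am married to late Dr
 . Slavic Yakov

dn: uid=hd,ou=people,dc=example,dc=edu
zimbraMailDeliveryAddress: hd@example.edu
zimbraPrefFromDisplay: Account Helpdesk
"""
OWN_DOMAIN = "example.edu"                                    # assumption for this example
FEE_FRAUD_RE = re.compile(r"^Mrs?\.?(\s|(?=[A-Z]))")          # "Mr"/"Mrs", even run together with the name
DESK_RE = re.compile(r"webmaster|help\s?desk|account", re.I)  # the talk's service-desk words
def parse_ldif(text):
    """One {attr: [values]} dict per entry; folded lines (leading space) are rejoined."""
    unfolded = re.sub(r"\n ", "", text)      # LDIF folding: newline + space continues the value
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in filter(None, block.splitlines()):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def suspicious_prefs(entry):
    """(attribute, reason) findings for one account, using the heuristics from the talk."""
    findings = []
    if FEE_FRAUD_RE.match(entry.get("zimbraPrefFromDisplay", [""])[0]):
        findings.append(("zimbraPrefFromDisplay", "advance-fee-fraud style name"))
    for attr in ("zimbraPrefFromDisplay", "zimbraPrefReplyToAddress", "zimbraPrefMailForwardingAddress"):
        value = entry.get(attr, [""])[0]
        if DESK_RE.search(value):
            findings.append((attr, "impersonates a service desk"))
        if "@" in value and not value.lower().endswith("@" + OWN_DOMAIN):
            findings.append((attr, "points outside " + OWN_DOMAIN + ": " + value))
    if entry.get("zimbraPrefSaveToSent", [""])[0].upper() == "FALSE":
        findings.append(("zimbraPrefSaveToSent", "outbound mail is not kept in Sent"))
    return findings

def scan(ldif_text):
    """Account address -> findings, only for accounts with at least one finding."""
    return {e["zimbraMailDeliveryAddress"][0]: f for e in parse_ldif(ldif_text) if (f := suspicious_prefs(e))}
```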
If absolutely everything else fails, and the bad guys are able to log on undetected, there is a chance to catch them when they start spamming.

- Rate-limiting with something like Mailfromd or Policy: A good idea, but difficult to set the threshold low without false positives on “legitimate” spammers, like Admissions, Development, and Summer School.
- Alert when SMTP queue size gets large: If the spammers are trying to contact a lot of bogus domains or if real domains are greylisting you, you will get a queue.
- Outbound antispam filtering: Useful, but has the same problems as inbound antispam.

All of the above are good to do, but more effort than what is suggested in the slide: carefully watch for evidence that other sites are rejecting your mail as spam, and trace why. Yahoo, AOL, and Microsoft Hotmail/Live/Outlook.com all give very lucid, and very quick, feedback.