The document discusses various techniques used to evade malware analysis, including anti-disassembly, anti-debugging, anti-VM, and anti-sandbox methods. It provides examples of how malware authors insert garbage bytes, splice instructions, and use packing to confuse disassembly. It also explains how checks of API functions, registry entries, and CPU instruction timing can reveal a debugger or a virtual machine environment.
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm - Security Bootcamp
The document discusses the TIME attack, a timing side-channel attack that leaks sensitive information. TIME extends the CRIME attack by exploiting differences in the timing of HTTP requests and responses to extract data. It demonstrates how JavaScript can measure timing differences between requests to detect payload size variations as small as a single byte. The document also reviews mitigations like adding random delays, CSRF tokens and unknown parameters, but notes that these have limitations as defenses against timing attacks.
This document discusses automated malware analysis. It describes how malware attacks are growing and the typical stages of an attack. Automated analysis is needed to efficiently analyze the large number of malware samples collected daily. The document reviews online and offline automated malware analysis systems, and specifically recommends the open source Cuckoo Sandbox. It outlines Cuckoo's architecture and execution flow. The document also discusses enhancing Cuckoo's defenses against malware that detects virtual machines. It proposes using Volatility and YARA for additional post-analysis of malware behavior and identification.
This document summarizes various techniques for attacking SSH clients and servers by exploiting insecure configurations and options. It begins with an introduction explaining the goals of understanding practical attacks beyond typical secure configuration advice. It then covers attacks using X11 forwarding, disabling strict host key checking, agent forwarding, and stream local binding. Specific examples are provided for man-in-the-middle attacks using ARP spoofing, capturing credentials by impersonating SSH servers, and escalating privileges by reusing SSH agent sockets. The document aims to demonstrate real-world risks of deviating from default secure configurations.
Presenter: Max Moroz
An overview of ClusterFuzz, a system that tests the Chrome browser for vulnerabilities in real time and produces reproducible results for each individual crash. The advantages of using various sanitizers and of LibFuzzer, a library for guided fuzzing, will be demonstrated. Detailed statistics on the kinds of vulnerabilities found in Chrome will be presented. Attendees will learn about the pitfalls of distributed fuzzing, how to run their own fuzzers in Google's infrastructure, and how to earn rewards for the vulnerabilities they find.
Ever Present Persistence - Established Footholds Seen in the Wild - CTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
Matt Swann, Microsoft
As defenders, we watch our intrusion detection systems like a hawk so that we know when to jump into action. However, successfully evicting an adversary in a large-scale environment requires capabilities beyond detection.
In this talk I describe 5 capabilities that network defenders must have in order to effectively respond to an intrusion in a large-scale service. I describe how we overcame these challenges in Office 365 with pointers to source code and reusable tooling.
Veil-Ordnance is a new tool recently added to the Veil-Framework. It's designed to quickly generate shellcode for exploits or for use inside backdoor executables.
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis - BGA Cyber Security
The document discusses automating mobile malware analysis processes. It introduces the speaker as a security researcher who works on various online and offline projects related to mobile security. The rest of the document discusses standard processes for static and dynamic malware analysis, including decompiling APK files, disassembling code, analyzing network activity, and using tools like the emulator, adb, and strace. It emphasizes that automating these processes through scripting can help analyze malware more efficiently.
The document discusses security best practices for Node.js applications. It covers using packages like Helmet to set secure HTTP headers, encrypting sessions with packages like cookie-session, preventing XSS attacks with csurf, sanitizing user input with express-validator, and encrypting passwords with bcrypt. It also discusses building secure HTTPS servers, analyzing dependencies for vulnerabilities with tools like NSP and Snyk, and using the Node Goat project to intentionally introduce vulnerabilities for testing security.
Presenter: Artem Shishkin
The talk describes building a debugging tool on top of virtualization: how to apply existing virtualization facilities to debugging, how to preserve the integrity of the environment being debugged, how to make debugging interactive, and how to tame the low-level specifics of hardware virtualization. The speaker will cover integrating the hardware with the operating system and embedding a debugger directly into firmware. Several real-life examples of dynamic analysis will be examined.
Js deobfuscation with JStillery - bsides-roma 2018 - Minded Security
The document discusses JavaScript deobfuscation techniques. It begins by introducing common JavaScript obfuscation methods like Eval Packer, Metasploit JSObfu, JSFuck, JJEncode, AAEncode, and others. It then discusses the goals of deobfuscation, including semantics preservation, automation, robustness, readability, and efficiency. Several deobfuscation techniques are presented, such as using a sandboxed runtime environment or static and dynamic analysis with partial evaluation. The document dives deeper into an AST-based approach using Esprima to parse code into an AST and then reduce subtrees. It references an existing deobfuscation tool for JSObfu code and discusses areas for improvement. In the
[OPD 2019] Side-Channels on the Web: Attacks and Defenses - OWASP
The document discusses side-channel attacks on the web that exploit unintended information leakage across origins. It describes various side-channel attacks like cross-site timing attacks, response size inference attacks, and quota management attacks. It also discusses defenses deployed by browsers like same-site cookies, cross-origin read blocking, and cache partitioning to prevent such attacks by limiting unintended information leakage across origins.
[1.2] Tricks for Web Application Security Analysis: Advanced Version - С... - OWASP Russia
This document summarizes techniques for detecting XXE and SSRF vulnerabilities using DNS records. It describes how an attacker can configure their own DNS server to return their IP address instead of the actual domain, allowing them to detect if the application makes external requests. It also discusses challenges of detecting these vulnerabilities, and provides examples of how to test for them including checking web server access logs for requests to domains controlled by the attacker. The document then covers additional techniques like bypassing content security policies, detecting real users behind Cloudflare, and exploiting URL encoding to bypass input filtering.
The Supporting Role of Antivirus Evasion while Persisting - CTruncer
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ... - PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges. The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead writes a PowerShell script to the Windows registry and executes it using a special regex-based run key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. On every system reboot, it decrypts the payload in memory and runs it with a Visual Basic script that runs PowerShell. This allows Ramnit to avoid running a detectable executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants' knowledge of today's bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
Benjamin Delpy is a security researcher from France known for creating the tool mimikatz. Mimikatz can retrieve credentials like hashes and keys from the LSASS process memory. It supports techniques like pass-the-hash, over-pass-the-hash, and credential dumping from memory dumps. Delpy gives presentations to teach people about Windows authentication and how mimikatz works.
John presents several tools and techniques he uses to automate tasks and maintain consistency across systems in order to maximize his productivity while developing software. Some of the key tools and strategies he discusses include: App::MiseEnPlace for managing directory structures and symlinks; smartcd for running scripts when entering or leaving directories; building critical tools like Perl, Node.js, and Git from source instead of relying on system versions; and keeping his entire $HOME directory under revision control with GitGot. He emphasizes automating repetitive tasks, maintaining consistency across systems, and not having to think about tools or environments.
Alexey Starov - How to Conduct Cyber Investigations? - HackIT Ukraine
"Cybercrime" is a distinct area within computer security and privacy. It brings together research that investigates various attack and fraud scenarios, analyzes malicious ecosystems, identifies attackers and studies their methods in order to develop effective countermeasures. This talk will give recommendations on how to conduct cyber investigations, drawing on examples from our own work and papers. For example, I will talk about our large-scale study of malicious web shells and how we were able to identify victims and attackers around the globe, about how we used social engineering skills to investigate the fraudulent technical support ecosystem, and much more. My goal is to get academic researchers and other members of the security community interested in working in the "Cybercrime" area and in finding various ways to prevent and investigate cybercrime, and also to show that such useful research does not always require enormous resources and collaborations. Talk format: a conversation in the style of a light workshop with elements of collective brainstorming (no laptop required). We will go through 3 lessons, drawing useful methods, tools and skills from each. Language: Russian (with some English).
This document summarizes security best practices for Node.js applications, including using packages like Helmet to set secure HTTP headers, encrypting sessions, protecting against XSS and CSRF attacks, input validation with Express Validator, and tools for analyzing vulnerabilities like NodeJsScan. It also recommends the Node Goat project for hands-on security testing and references like the Node.js Security Checklist for additional guidance.
CheckPlease is a tool that provides payload-agnostic checks to determine whether malware is running in the targeted environment or in a sandbox. It evolved from signatures to behavioral detection as malware changed languages and used obfuscation. CheckPlease implements over 70 checks across multiple languages to validate that processes, user behavior, system metadata, and the environment match the target before executing malicious code. The presenters demonstrate various checks and encourage integrating CheckPlease with frameworks like Veil to automatically generate targeted malware payloads.
Your website just went down. As you try to understand what has gone wrong, you quickly realize something is different this time. There’s no clear reason why your site should be down, but indeed it is.
This talk is about the story of our team’s first unprepared fight against a DDoS attack.
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security - CanSecWest
The document summarizes a presentation on analyzing the security of QEMU. It introduces QEMU and describes its main attack surfaces, including device emulation, virtio, third-party libraries, VNC, Spice, and QMP. Examples of vulnerabilities found in Cirrus VGA, virtio filesystem, virglrenderer library, VNC, and QMP are provided. The document concludes with thoughts on efficient security analysis, noting that combining in-depth knowledge with fuzzing is most effective for finding bugs in complex software like QEMU.
Waf.js: How to Protect Web Applications using JavaScript - Denis Kolegov
The document discusses techniques for protecting web applications from client-side attacks using JavaScript (Waf.js). Waf.js provides defenses like CSRF prevention, DOM-based XSS prevention, and detection of unwanted applications. It utilizes parsers like Acorn and DOMPurify to parse and sanitize inputs to prevent injections. The document outlines the approaches Waf.js uses to build the AST of an input and search it for dangerous code, such as function calls, to prevent attacks while minimizing false positives.
Automated Malware Analysis and Cyber Security Intelligence - Jason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated malware analysis system, and to cyber security intelligence work using this tool, given at the Department of Scientific Criminal Investigation, SungKyunKwan University, Korea.
The document discusses practical exploitation techniques used by penetration testers and red teams. It outlines the speaker's background as a senior red teamer who breaks into various systems like mainframes, bank accounts, SCADA systems, and web applications. The speaker defines practical exploitation as applying techniques, tactics, and procedures to accomplish objectives within a targeted engagement. The speaker then demonstrates three exploits: 1) Using a Linux pivot to exploit MS08_067 on Windows, 2) Exploiting a Rails vulnerability to steal credentials using Mimikatz on Windows, and 3) Using a Windows pivot to exploit DistCC on Linux via WinRM on IIS. The speaker emphasizes patching vulnerabilities and not enabling services like WinRM on DMZ
DLP stands for data loss prevention. It is a solution that helps organizations understand how and what data is leaving their networks in order to protect sensitive information. DLP works by deploying various modules to discover data at rest, prevent data loss in motion via email and web, and monitor data in use on endpoints and networks. It analyzes network traffic and endpoints to detect policy violations and capture data according to defined policies. DLP provides comprehensive protection by integrating with other security tools like email and web gateways, encryption, and mobile device management.
This document summarizes various web coding security vulnerabilities including SQL injection, cross-site scripting (XSS), and file uploads. For SQL injection, it provides examples of vulnerable code and discusses preventing vulnerabilities using prepared statements. For XSS, it discusses persistent and non-persistent types and provides examples of vulnerable code and prevention through input validation and output encoding. For file uploads, it provides examples of vulnerable upload code and discusses prevention by storing files outside the web root and using system-generated filenames.
The document discusses various approaches to mitigating DDoS attacks. It outlines different types of DDoS attacks and discusses implementing defense in depth across multiple network layers, including hardening operating systems, implementing firewalls and web application firewalls, caching, and using cloud-based mitigation services. Effective mitigation requires identifying vulnerable systems, monitoring logs, testing defenses, and having sufficient resources to handle large-scale attacks. While no single technique prevents all DDoS attacks, implementing layered defenses along with outsourcing to specialized services can help reduce exposure.
CV writing guide for programmers, and how to interview for a job effectively - TopC... (TopCV Vietnam)
How to write a CV specifically for programmers.
A guide to effective job interviewing.
A lecture by TopCV.vn
Main sections:
1. What is a CV?
2. What a CV should contain:
- Personal information
- Work experience
- Education
- Special skills
- Career objective / professional summary
- Projects (specifically for programmers)
- Other sections: social activities, interests, ...
3. Interview skills
---
Practise writing your CV online here:
http://www.topcv.vn
This document discusses software development center web application security testing tools. It provides an overview of the top 10 most critical web application security risks according to OWASP and describes several individual tools that can test for each risk, including W3AF for injection, ZAP for cross-site scripting, and Burp Suite for insecure direct object references. It also outlines steps for using the security tools to test a web application, generating a security report, and planning to address prioritized issues found.
Big Data Analytics - Volume,Velocity,Variety,Veracity, #Value! view from expert
http://dinhledat.com/data-driven-marketing/big-data-goc-nhin-nguoi-trong-cuoc-itlc-offline-7/
#Big Data: An insider's view -- ITLC Offline 7
AdTechVietnam -- As the body responsible for running Vietnam's IT community, ITLC has to find one way or another to get the question above answered. So, after the "FPT Technology Day" event, ITLC quickly "commissioned" Mr. Dinh Le Dat, an industry expert on data-driven methods, to give a more concrete and practical answer about the reality of the big data "legend"!
http://dinhledat.com
Sandbox detection: leak, abuse, test - Hacktivity 2015 (Zoltan Balazs)
This document discusses techniques for detecting and evading malware analysis sandboxes. It begins by outlining common sandbox detection methods like checking screen resolution, installed software, CPU/system information, and network settings. It then discusses challenges like simulating sleep functions and network connections. The document emphasizes that while evading analysis is possible, manual review remains difficult to defeat. It concludes by advising blue teams to thoroughly test sandboxes and customize them to their environment before purchasing.
SCADA Software or Swiss Cheese Software? by Celil UNUVER (CODE BLUE)
The talk is about SCADA vulnerabilities and their exploitation. We will answer some specific questions about SCADA software vulnerabilities with technical details.
The questions are;
- Why are SCADA applications buggy?
- What is the status and impact of the threat?
- How do researchers or hackers discover these vulnerabilities?
In this talk we will also look at some SCADA vulnerabilities that affect well-known SCADA/HMI vendors, and will show how easy it is to hunt these vulnerabilities via reverse engineering, fuzzing, etc.
Celil UNUVER
Celil Unuver is co-founder and security researcher at SignalSEC Ltd. He is also the founder of the NOPcon Security Conference. His areas of expertise include Vulnerability Research & Discovery, Exploit Development, Penetration Testing and Reverse Engineering. He has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n, IstSec and the Kuwait Info Security Forum. He enjoys hunting bugs and has discovered critical vulnerabilities affecting well-known vendors such as Adobe, IBM, Microsoft, Novell, etc.
The document provides an agenda and information about a Concourse workshop at the SpringOne Platform 2019 conference. The agenda includes welcome remarks, talks on Concourse 102 and the Concourse roadmap, breakout sessions, and a wrap-up. Several Concourse sessions are also listed that will take place at the conference. The rest of the document outlines features and updates for Concourse version 5.5.3, including performance improvements, audit logging, UI refinements, and automated SSL certificate support.
DevOops Redux, Ken Johnson and Chris Gates - AppSec USA 2016 (Chris Gates)
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)
This document describes a new technique called "IRONSQUIRREL" for encrypting browser exploits during delivery to prevent their analysis and leakage. It uses elliptic curve Diffie-Hellman key exchange to encrypt the exploit code between the server and client browser. This makes the exploit non-replayable and difficult for reverse engineers to analyze from network traffic alone. The document provides details on how IRONSQUIRREL works and recommendations to further obstruct analysis through techniques like one-time URLs, anti-debugging, and obfuscation.
This document introduces Vorlon.js, an open-source remote debugging tool for web applications. It allows cross-browser, cross-platform debugging. Vorlon.js is based on Node.js, Passport.js, Socket.io, and Express.js. It includes 10 default plugins for tasks like inspecting the DOM, debugging with the console, monitoring network requests, and more. The document explains how to install Vorlon.js, connect a client website, and use various plugins to debug issues. It also discusses how dynamic analysis with the best practices plugin can provide more precise results than static scanning alone. Finally, it notes that Vorlon.js can be used via a proxy to quickly analyze a website across
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam) (Jaap van Ekris)
Presentation about the steps required for verifying and validating safety-critical systems, as well as the test approach used. It goes beyond the simple processes and also talks about the safety culture and the people required. The presentation contains examples of real-life IEC 61508 SIL 4 systems used on storm surge barriers.
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman (DevSecCon)
The document discusses integrating security testing into existing integration tests. It begins by defining Selenium and integration testing. It then outlines how existing tests can be modified to find security bugs without false positives or much change. The presenter provides examples of how penetration testers and security engineers can leverage existing tests to find more bugs. The document then discusses workshops where attendees can modify example tests to detect XSS, SQL injection, authorization bugs, and other issues. The goal is to help testers, managers, and security professionals find security bugs more easily while testing functionality.
The document discusses application sandboxes from a penetration tester's perspective. It describes two main types of sandboxes - Type A which uses OS enhancements to isolate untrusted code, and Type B which uses a master/slave model with a lower privileged slave process. Both types are fundamentally vulnerable to kernel and some user mode vulnerabilities on the OS that can allow bypassing of the sandbox isolation. Type A sandboxes are easier to escape than Type B. The document demonstrates exploits against both sandbox types using vulnerabilities such as in CSRSS and the Windows kernel. It concludes that application sandboxes are not sufficient for malware analysis due to their vulnerability to OS exploits.
This document discusses various exploit techniques, mitigations against exploits, and ways to bypass mitigations. It covers popular exploitation methods like stack-based buffer overflows, heap overflows, and return-oriented programming (ROP). It also outlines key mitigations like stack cookies, data execution prevention (DEP), address space layout randomization (ASLR), and structured exception handler overwrite protection (SEHOP). Finally, it examines techniques for bypassing protections like avoiding ASLR, memory leaks to disclose addresses, and using ROP chains combined with memory leaks to bypass DEP and ASLR. The document provides a technical overview of the exploit-mitigation landscape.
The Future of Security and Productivity in Our Newly Remote World (DevOps.com)
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
How to run a system administrator recruitment process? By creating a platform based on open source parts in just 2 nights! I gave this talk at the Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create a recruitment process in a CTF / challenge way.
This story covers mostly the security details of this whole platform. There's a great chance that I will give another talk about this system, but this time focusing on technical details. Stay tuned ;)
The document discusses developing Groovy scripts securely and productively in the cloud for Oracle Application Developer Framework (ADF). It outlines using Groovy AST transformations to add debugging capabilities and runtime security checks when executing scripts in the cloud. Caching is also discussed to improve performance of compiling thousands of scripts across many applications. The implementation transforms the AST to wrap method calls and inject breakpoints while limiting access to restricted APIs.
Test-driven security involves writing security-focused test cases to test for vulnerabilities during the development process. This helps enable continuous deployment by ensuring new code does not introduce security bugs. The key aspects discussed are:
1) Having developers or security experts write test cases to validate common vulnerabilities like authentication failures, input validation, and authorization checks.
2) Involving non-technical team members like project managers in writing test cases using plain language to specify scenarios.
3) Integrating security testing into continuous integration pipelines to automatically catch issues during code reviews.
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ... (The Hacker News)
This document describes a backdoor found on the Linksys WAG200G wireless router. The author discovered an unknown service listening on TCP port 32764 that responded to any request. Through reverse engineering the firmware, the author found it was possible to execute commands on the router by sending specially crafted payloads. This included the ability to dump and reset configurations, run a shell, and write files to the device. The backdoor provided a way to gain full access to the administrative interface without authentication when the normal methods were not accessible.
[PH-Neutral 0x7db] Exploit Next Generation® (Nelson Brito)
PH-Neutral lecture about Permutation Oriented Programming (formerly known as Exploit Next Generation® Methodology).
Permutation Oriented Programming is the simplest way to avoid security solution detection and shows the Pattern Matching technology weakness.
Sensu and Sensibility - Puppetconf 2014 (Tomas Doran)
As the Yelp infrastructure and engineering team grew, so did the pain of managing Nagios. Problems like splitting alerting across multiple teams, providing high availability and managing Nagios systems in multiple environments had become pressing. As we grew towards a service-oriented architecture and pushed some services out into the cloud, we rapidly needed more automated monitoring configuration.
An evolutionary solution wasn’t going to solve all of our problems, we needed to revolutionize our monitoring. Sensu is built from the ground up to solve many of our issues and be easy to extend.
This talk covers our puppet ‘monitoring_check’ API (that sets up monitoring for our services within puppet), how and why we deploy Sensu and our custom handlers and escalations, along with how we provide automatic ‘self service’ monitoring for dynamic services and how we deal with the challenges posed by the more ephemeral nature of cloud architectures.
Hieupc - The role of psychology in enhancing cybersecurity (Security Bootcamp)
The document discusses the role of psychology in enhancing cybersecurity, noting that humans are often the weakest link. It provides statistics on internet users and connected devices to illustrate how everything is connected and vulnerable. It then outlines principles that social engineers exploit, like social proof, reciprocity, and scarcity. Examples are given of major data breaches from companies like Equifax and Marriott that involved human factors. Recommendations are made for governments, corporations, and individuals to improve cybersecurity through education, policies, and secure product development. The role of psychology in security is emphasized, as technological and social engineering techniques combined pose real threats.
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker's view (Security Bootcamp)
This document discusses building a high performance web application vulnerability scanner. It begins with an introduction of the speaker and agenda. It then defines what a WAVS is and why they are needed for both penetration testers and businesses to discover vulnerabilities. The document discusses why building your own WAVS is typically not recommended and reviews common challenges. It proposes an architecture with core and plugin components and discusses approaches like crawling and fuzzing, CPE and CVE mapping, and public exploit testing. Recommendations are provided around programming languages, code design patterns, and challenges like JavaScript crawling, high overhead, false positives, and other considerations.
The document discusses insider threat and solutions from the US Department of Defense perspective. It defines insider threat, discusses motivations and past cases like Edward Snowden. It outlines government measures including the National Insider Threat Task Force and requirements around user activity monitoring. Technical solutions discussed include user and entity behavior analytics using machine learning, extensive logging and forensic capabilities, and combining internal monitoring with external threat protection.
This document discusses common techniques used in macro malware. It describes how macro malware typically works by evading analysis through spawning child processes under different process names. Specific techniques covered include spawning via WMI, ShellCOM, and parent PID spoofing. It also discusses how macro malware can create scheduled tasks to persist and avoid detection. Examples of these techniques observed in real-world macro malware samples are provided.
This document discusses using machine learning and deep learning for malware detection. It notes that over 350,000 new malware are created daily, posing a significant threat. Traditional signature-based detection has limitations in detecting new malware. The document reviews research applying machine learning and deep learning techniques to malware detection using static and dynamic analysis of features. It then describes the authors' approach of using opcode frequency models with random forest and neural networks to classify files, achieving 97-98% precision and recall on a test set. The conclusion is that machine learning and deep learning can help address limitations of traditional approaches by enabling detection of new malware.
This document discusses threat detection strategies with "zero-cost" solutions. It outlines a threat detection architecture that centralizes logging, establishes context, and enables real-time and historical analysis. It proposes using free, open-source tools like Sysmon and Elastalert for data gathering and analytics to detect threats. The document concludes with a demonstration of detecting threats using ATT&CK tactics.
Sincere thanks to our sponsors. We are deeply grateful for the valuable financial support you have given this programme. We promise to use every resource allocated to us in an effective
GOLDEN TICKET - A hidden danger lurking in Active Directory systems (Security Bootcamp)
The document discusses an untold story from the Vietnam War. It thanks sponsors for their support. The document focuses on an aspect of the Vietnam War that has not been widely shared or discussed.
Five simple strategies are proposed for securing APIs:
1. Validate all parameters from consumers to prevent injection attacks.
2. Apply explicit threat detection such as blacklisting dangerous tags and virus scanning.
3. Enable SSL encryption everywhere to protect against man-in-the-middle attacks.
4. Apply rigorous authentication and authorization using multiple identity factors and OAuth.
5. Use proven security solutions like an API gateway to separate the API implementation from security concerns and provide access control, monitoring, and auditing.
The document discusses various tactics, techniques and common knowledge for detecting cyber attacks. It outlines general security problems like authenticity, authorization, confidentiality, integrity and availability. It then discusses specific techniques used in cyber attacks like escalation of privilege, credential dumping, modifying file system permissions and disabling security tools. It provides details on how each technique works and potential ways to detect them, such as monitoring specific Windows registry keys or processes. The overall document serves as a guide on common cyber attack vectors and approaches for detection.
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies, of creative and software projects. The reality is that a Lego brick and the case of the XZ backdoor have much more in common than that.
Join the presentation to dive into a story of interoperability, standards and open formats, and then discuss the important role contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she was involved in several events, migrations and training activities related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (which is where her nickname deneb_alpha comes from).
11. Packing
• Packer Analysis/Detection:
– PEiD: detects more than 400 different packer and compiler signatures in PE files, by comparing the bytes at the entry point against its signature database
– RDG Packer Detector
10/29/2013 11:13 AM
www.securitybootcamp.vn
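The following is an added example, not code from the slides, PEiD or RDG, showing how entry-point signature detection of the PEiD kind works: locate AddressOfEntryPoint, map that RVA to a file offset through the section table, and compare the bytes there against patterns with `??` wildcards. The signature strings, the helper names and the minimal PE image produced by `build_test_pe` are constructed for this illustration (the real patterns live in the detector's userdb.txt); a sample whose entry point is not backed by file data, or is packed by something not in the list, simply yields no match, which is the usual blind spot of signature scanning.

```python
"""Entry-point signature matching, the way PEiD-style packer detectors work.

Added example, not code from the slides or from PEiD. The signature list and the
PE image are constructed for illustration only.
"""
import struct

# name -> pattern of hex bytes, '??' = any byte; matched at the entry point only.
# The first is the classic UPX stub prologue (pushad / mov esi / lea edi / push edi / or ebp, -1);
# the second is a generic "call $+5 / pop ebp / sub ebp, imm32" delta-offset stub.
SIGNATURES = {
    "UPX (classic prologue)": "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF",
    "generic delta-offset stub": "E8 00 00 00 00 5D 81 ED",
}


def parse_signature(pattern):
    """'60 BE ?? ...' -> list of ints, None for a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def entry_point_offset(image):
    """File offset of AddressOfEntryPoint, or None if no section backs it with raw data."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]          # COFF SizeOfOptionalHeader
    opt = pe + 24
    ep_rva = struct.unpack_from("<I", image, opt + 16)[0]           # AddressOfEntryPoint (PE32 and PE32+)
    sect = opt + opt_size
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, sect + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            delta = ep_rva - vaddr
            return rawptr + delta if delta < rawsize else None      # EP in the virtual-only tail
    return None


def identify_packer(image, signatures=SIGNATURES):
    """Names of all signatures matching at the entry point; None if the EP has no file data."""
    off = entry_point_offset(image)
    if off is None:
        return None
    hits = []
    for name, pattern in signatures.items():
        sig = parse_signature(pattern)
        window = image[off:off + len(sig)]
        if len(window) == len(sig) and all(s is None or s == b for s, b in zip(sig, window)):
            hits.append(name)
    return hits


def build_test_pe(entry_bytes, ep_rva=0x1000, section_rva=0x1000):
    """Minimal single-section PE32 (constructed for the test, not loadable) whose
    .text section starts at `section_rva` and file offset 0x200, with the EP at `ep_rva`."""
    raw_ptr = 0x200
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section, PE32 optional header
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x200, 0, 0, ep_rva, section_rva, 0).ljust(224, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, section_rva, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (mz + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0")
    return header + entry_bytes.ljust(0x200, b"\0")


# Constructed entry-point byte strings for the demonstration.
UPX_STUB = bytes.fromhex("60 BE 00 A0 40 00 8D BE 00 70 FF FF 57 83 CD FF EB 10")
PLAIN_PROLOGUE = bytes.fromhex("55 8B EC 83 EC 10")                   # push ebp / mov ebp, esp / sub esp, 0x10

if __name__ == "__main__":
    print("UPX-style stub:", identify_packer(build_test_pe(UPX_STUB)))
    print("compiler prologue:", identify_packer(build_test_pe(PLAIN_PROLOGUE)))
    print("EP outside raw data:", identify_packer(build_test_pe(PLAIN_PROLOGUE, ep_rva=0x5000)))
```

The same entry-point check is what a packed sample defeats by pointing the entry point at a virtual-only region or by modifying the first bytes of the stub, which is why a "nothing found" result from a signature scanner is not evidence that the file is unpacked.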
12. Packing
• More:
– The Art of Unpacking (Mark Vincent Yason)
– Anti-Unpacking Tricks (Peter Ferrie)
13. Anti-Disassembly
• Types of disassembly:
– Linear sweep:
• Decodes one instruction after another from the start of the code region, each one starting where the previous one ended
• Never looks at what the instruction does, so it does not know where control flow actually goes
– Recursive traversal:
• Decodes an instruction, then continues only at the addresses control flow can reach from it (the fall-through and the branch target)
• Used by IDA Pro and other commercial products
14. Anti-Disassembly
• Confuse Linear Sweep Disassembly Algorithm
– Insert garbage byte :
• Since data is mixed with code, the data byte can disassemble as the start of a valid instruction, and the real instruction behind it is swallowed
jmp .destination
db 0x6a ; garbage byte
.destination:
; rest of the code
pop eax
• Result from a linear-sweep disassembler (the 0x6a byte turns the real pop eax, 0x58, into the immediate of a push) :
eb 01 jmp 0x401003
6a 58 push 0x58
17. Anti-Disassembly
• Confuse Recursive Traversal Disassembly Algorithm
– Jump Instructions with the Same Target
• The most common anti-disassembly technique seen in the wild is two back-to-back conditional jump instructions that both point to the same target; the byte after them is never executed, but the disassembler decodes it as the fall-through path
74 01 jz short near ptr loc_4011C4+1
75 01 jnz short near ptr loc_4011C4+1
– A Jump Instruction with a Constant Condition (a conditional that is, say, always true)
• XOR : XOR instruction immediately followed by JNZ or JZ instruction
xor eax, eax
jz short near ptr loc_4011C4+1
• STC : STC instruction immediately followed by JNC or JAE instruction
• CLC : CLC instruction immediately followed by JC or JB instruction
18. Anti-Disassembly
• Splicing Instructions - Called “impossible disassembly”
– A problem of representation : the jmp -1 lands one byte inside its own encoding, so the byte FF is both the displacement of the jmp and the first byte of inc eax; a flat listing cannot show both instructions
jmp -1
;these are hidden
inc eax
dec eax
• Bytes : EB FF C0 48
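To see the three tricks above (garbage byte, same-target jumps, spliced jmp -1) work against each disassembly strategy, here is an added example that is not part of the presentation: a toy decoder for the handful of opcodes used on these slides, run once as a linear sweep and once as a recursive traversal. The three byte strings are constructed to mirror slides 14, 17 and 18; offsets are relative to the buffer, not the 0x401000 image base shown on the slides, and the overlapping() check is my own analyst-side test for the "impossible disassembly" case.

```python
# Tiny x86-32 decoder for the handful of opcodes used on these slides, run in
# linear-sweep and recursive-traversal mode. Added example; the three byte strings
# are constructed to mirror slides 14, 17 and 18, not taken from any real binary.

ONE_BYTE = {0x58: "pop eax", 0x40: "inc eax", 0x48: "dec eax", 0xC3: "ret", 0x90: "nop"}
SHORT_JUMPS = {0xEB: ("jmp", "jmp"), 0x74: ("jz", "jcc"), 0x75: ("jnz", "jcc")}


def decode(code, off):
    """Decode one instruction at `off`. Returns (text, length, kind, branch_target);
    kind is 'jmp', 'jcc', 'call', 'ret' or '' for ordinary instructions."""
    op = code[off]
    nxt = code[off + 1] if off + 1 < len(code) else None
    if op in ONE_BYTE:
        return ONE_BYTE[op], 1, "ret" if op == 0xC3 else "", None
    if op in SHORT_JUMPS and nxt is not None:     # rel8 jumps
        name, kind = SHORT_JUMPS[op]
        target = off + 2 + int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return f"{name} 0x{target & 0xFFFFFFFF:x}", 2, kind, target
    if op == 0x6A and nxt is not None:            # push imm8
        return f"push 0x{nxt:x}", 2, "", None
    if op == 0x31 and nxt == 0xC0:                # xor eax, eax
        return "xor eax, eax", 2, "", None
    if op == 0xFF and nxt == 0xC0:                # inc eax (long form, FF /0)
        return "inc eax", 2, "", None
    if op == 0xE8 and off + 4 < len(code):        # call rel32
        target = off + 5 + int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return f"call 0x{target & 0xFFFFFFFF:x}", 5, "call", target
    return f"db 0x{op:02x}", 1, "", None          # unknown: emit one data byte


def linear_sweep(code):
    """Decode from offset 0 to the end, never looking at control flow."""
    out, off = [], 0
    while off < len(code):
        text, length, _, _ = decode(code, off)
        out.append((off, text))
        off += length
    return out


def recursive_traversal(code, entry=0):
    """Decode only what control flow can reach; branch targets are explored first.
    Returns a sorted list of (offset, (text, length))."""
    out, work = {}, [entry]
    while work:
        off = work.pop()
        if off in out or not 0 <= off < len(code):
            continue
        text, length, kind, target = decode(code, off)
        out[off] = (text, length)
        if kind not in ("jmp", "ret"):             # fall-through edge
            work.append(off + length)
        if target is not None:                     # branch / call edge
            work.append(target)
    return sorted(out.items())


def overlapping(instrs):
    """Pairs of instruction offsets whose byte ranges overlap: the 'impossible
    disassembly' situation a flat listing cannot represent."""
    spans = [(off, off + length) for off, (_, length) in instrs]
    return [(a, c) for a, b in spans for c, _ in spans if a < c < b]


# Constructed samples (offsets are relative to the buffer start).
GARBAGE = bytes([0xEB, 0x01, 0x6A, 0x58, 0xC3])            # jmp +1; db 6a; pop eax; ret
SAME_TARGET = bytes([0x74, 0x03, 0x75, 0x01, 0xE8,         # jz +3; jnz +1 (both -> 5); db e8
                     0x31, 0xC0, 0x40, 0x48, 0xC3])        # xor eax,eax; inc eax; dec eax; ret
SPLICED = bytes([0xEB, 0xFF, 0xC0, 0x48, 0xC3])            # jmp -1 -> lands on FF C0 = inc eax

if __name__ == "__main__":
    for name, sample in (("garbage", GARBAGE), ("same-target", SAME_TARGET), ("spliced", SPLICED)):
        print(f"== {name}: linear sweep ==")
        for off, text in linear_sweep(sample):
            print(f"  {off:02x}  {text}")
        print(f"== {name}: recursive traversal ==")
        rec = recursive_traversal(sample)
        for off, (text, _) in rec:
            print(f"  {off:02x}  {text}")
        print("  overlapping instruction pairs:", overlapping(rec))
```

Running it shows the linear sweep swallowing pop eax into push 0x58 on the first sample, while the recursive traversal gets that one right but produces overlapping instructions for the other two: the bogus call at offset 4 of the same-target sample covers the real xor/inc/dec, and the jmp -1 sample decodes inc eax one byte inside the jmp. A listing tool has to pick one of the overlapping decodings, which is exactly why the slides call this "impossible disassembly".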
20. Anti-Disassembly
• Function pointer problems
– It is easy to hide function calls made through pointers
• RET : call $+5 pushes the address of the next instruction, the add bumps that saved address by 5 on the stack, and ret then "returns" into 004011CA; IDA's stack-pointer analysis fails and the function appears to end at the ret
004011C0 var_4 = byte ptr -4
004011C0 call $+5
004011C5 add [esp+4+var_4], 5
004011C9 ret
004011C9 ; sp-analysis failed
004011CA
Confused IDA Pro…..
• Misusing Structured Exception Handlers
21. Anti-Disassembly
• More :
– Practical Malware Analysis – chapter 15
– http://leetmatrix.blogspot.com/2013/02/an-anti-disassembly-trick.html
22. Anti-Anti-Disassembly
• IDA supports manually re-classifying bytes as code or data, as well as code replacement (patching) to “fix” problem areas
• Deobfuscator : deobfuscation plugin for IDA http://code.google.com/p/optimice/
• Good malware analysts can recognize impossible disassembly and run through the code to figure out what is going on
23. Anti-Debugging
• IsDebuggerPresent() Windows API
if (IsDebuggerPresent()) {
    MessageBox(NULL, L"Debugger Detected Via IsDebuggerPresent",
               L"Debugger Detected", MB_OK);
}
24. Anti-Debugging
• CheckRemoteDebuggerPresent() Windows API
BOOL pbIsPresent = FALSE;   /* the API writes its answer here */
CheckRemoteDebuggerPresent(GetCurrentProcess(), &pbIsPresent);
if (pbIsPresent) {
    MessageBox(NULL, L"Debugger Detected Via CheckRemoteDebuggerPresent",
               L"Debugger Detected", MB_OK);
}
25. Anti-Debugging
• IsDebuggerPresent() only reads the PEB.BeingDebugged flag, so the flag can be read directly (here via NtQueryInformationProcess, resolved from ntdll into the _NtQueryInformationProcess function pointer) :
PROCESS_BASIC_INFORMATION pPIB;
ULONG bytesWritten;
status = (_NtQueryInformationProcess)(hnd, ProcessBasicInformation, &pPIB,
                                      sizeof(PROCESS_BASIC_INFORMATION), &bytesWritten);
if (status == 0) {
    if (pPIB.PebBaseAddress->BeingDebugged == 1) {
        MessageBox(NULL, L"Debugger Detected Using PEB!IsDebugged", L"Debugger Detected", MB_OK);
    } else {
        MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK);
    }
}
28. Anti-Debugging
• PEB!NtGlobalFlag
/* NtGlobalFlag sits at offset 0x68 in the 32-bit PEB. When a process is created under a
   debugger the heap flags FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
   FLG_HEAP_VALIDATE_PARAMETERS (0x10 | 0x20 | 0x40 = 0x70) are set. Testing
   (*value & 0x70) == 0x70 instead of strict equality also survives other flags being set. */
status = (_NtQueryInformationProcess)(hnd, ProcessBasicInformation, &pPIB,
                                      sizeof(PROCESS_BASIC_INFORMATION), &bytesWritten);
DWORD *value = (DWORD *)((BYTE *)pPIB.PebBaseAddress + 0x68);
if (*value == 0x70) {
    MessageBox(NULL, L"Debugger Detected Using PEB!NTGlobalFlag", L"Debugger Detected", MB_OK);
} else {
    MessageBox(NULL, L"No Debugger Detected", L"No Debugger Detected", MB_OK);
}
29. Anti-Debugging
• RDTSC : RDTSC retrieves the time stamp counter (number of clock cycles since boot-up), so this is a time-related trick. Execute RDTSC twice and compare the values returned in EAX (the low half of EDX:EAX) : when the code is being debugged (single-stepped, hitting breakpoints), the distance between the two values is much larger than when the program runs undisturbed. So, if the difference exceeds a chosen threshold, you are being debugged.
32. Anti-Debugging
• Find evidence of a debugger on the system :
– Registry entries
– FindWindow API call (looks up OllyDbg's window class name) :
HWND ollyHandle = FindWindow(L"OLLYDBG", 0);
if (ollyHandle == NULL) {
    MessageBox(NULL, L"OllyDbg Not Detected", L"Not Detected", MB_OK);
} else {
    MessageBox(NULL, L"OllyDbg Detected Via FindWindow()", L"OllyDbg Detected", MB_OK);
}
33. Anti-Debugging
• More :
– Anti-Debugging - A Developers Viewpoint
– Windows Anti-Debug Reference
– The “Ultimate”Anti-Debugging Reference
35. Anti-VM
• VM Fingerprints
– Descriptor table addresses (IDT, LDT, etc.)
– Running processes (e.g. VMware Tools)
– Registry entries that include "VMware"
– Loaded module names
– Default virtual machine hardware
– Common VM MAC addresses
– VMware-specific I/O port
– Basically, any difference between a VM and a real computer
39. Anti-VM
• Red Pill is an anti-VM technique that executes the sidt instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest’s IDTR to avoid a conflict with the host’s IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the sidt instruction, the IDTR of the virtual machine is returned. Red Pill tests for this discrepancy to detect the usage of VMware.
40. Anti-VM
• The sgdt and sldt instruction technique for VMware detection is commonly known as No Pill. Unlike Red Pill, No Pill relies on the fact that the LDT structure is assigned to a processor, not an operating system. And because Windows does not normally use the LDT structure, but VMware provides virtual support for it, the table will differ predictably : the LDT location on the host machine will be zero, and on the virtual machine it will be nonzero. A simple check for zero against the result of the sldt instruction does the trick.
41. Anti-VM
• ScoopyNG - The VMware Detection Tool
– ScoopyNG combines the detection tricks of Scoopy Doo and Jerry as well as some new techniques to determine if the current OS is running inside a VMware Virtual Machine (VM) or on a native system.
– The first three checks look for the sidt, sgdt, and sldt instructions (Red Pill and No Pill).
– The fourth check looks for str.
– The fifth and sixth use the backdoor I/O port 0xa and 0x14 options, respectively.
– The seventh check relies on a bug in older VMware versions running in emulation mode.
43. Anti-VM
• The same with VirtualBox
– 9 methods to detect VirtualBox by waleedassar : http://pastebin.com/RU6A2UuB
44. Anti-VM
• More :
– Thwarting Virtual Machine Detection
– Detecting the Presence of Virtual Machines Using the Local Data Table
45. Anti-anti-vm
• Hardening your VM
– Don’t install the VMware tools
– Change the configuration of your virtual machine by adding the following options to your .vmx file :
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
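An added example (not from the presentation) that audits a .vmx file against the option list above and rewrites it with the missing ones, which is handy when several lab VMs drift apart. The sample .vmx text is constructed, and the parser assumes the plain key = "value" line format of .vmx files with '#' comment lines.

```python
# Audit a VMware .vmx file against the hardening options listed on this slide and
# rewrite it with the missing ones. Added example, not from the presentation; the
# sample .vmx text is constructed and the parser assumes plain `key = "value"` lines.

HARDENING_OPTIONS = [
    "isolation.tools.getPtrLocation.disable",
    "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable",
    "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec",
    "monitor_control.disable_chksimd",
    "monitor_control.disable_ntreloc",
    "monitor_control.disable_selfmod",
    "monitor_control.disable_reloc",
    "monitor_control.disable_btinout",
    "monitor_control.disable_btmemspace",
    "monitor_control.disable_btpriv",
    "monitor_control.disable_btseg",
]


def parse_vmx(text):
    """Map lower-cased keys to unquoted values; '#' comment lines and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def audit_vmx(text):
    """Return (missing, wrong): options absent from the file, and options present
    with a value other than TRUE. Keys are compared case-insensitively."""
    settings = parse_vmx(text)
    missing = [k for k in HARDENING_OPTIONS if k.lower() not in settings]
    wrong = [k for k in HARDENING_OPTIONS
             if k.lower() in settings and settings[k.lower()].upper() != "TRUE"]
    return missing, wrong


def harden(text):
    """Return the .vmx text with every hardening option present and set to TRUE."""
    missing, wrong = audit_vmx(text)
    drop = {k.lower() for k in wrong}
    kept = [line for line in text.splitlines()
            if line.split("=", 1)[0].strip().lower() not in drop]
    kept += [f'{k} = "TRUE"' for k in missing + wrong]
    return "\n".join(kept) + "\n"


# Constructed sample: a lab VM that applied only part of the list, one of them wrongly.
SAMPLE_VMX = """# constructed lab config
.encoding = "UTF-8"
displayName = "malware-lab"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
monitor_control.disable_directexec = "FALSE"
"""

if __name__ == "__main__":
    missing, wrong = audit_vmx(SAMPLE_VMX)
    print("missing:", missing)
    print("wrong  :", wrong)
    print(harden(SAMPLE_VMX))
```

Point the script at a real .vmx (read the file into `text`) while the VM is powered off, since VMware rewrites the file on shutdown and may overwrite edits made to a running VM's configuration.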
46. Anti-anti-vm
• Patching the code : if you debug the malware and identify some of the specific instructions (e.g. sidt, sgdt, sldt), you can replace them with NOPs to prevent the check.
• More :
– http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
– http://radlab.cs.berkeley.edu/w/upload/3/3d/Detecting_VM_Aware_Malware.pdf
– http://vrt-blog.snort.org/2009/10/how-does-malware-know-difference.html
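A defender-side counterpart to slides 23 through 46: a static triage pass that flags the instruction patterns and strings these slides name (rdtsc, sidt/sgdt/sldt/str, call $+5, jmp -1, back-to-back jz/jnz with one target, and the API, window-class and vendor strings) so an analyst knows where to look before deciding what to NOP out. This is an added example, not the presentation's or ScoopyNG's code; the SAMPLE blob is constructed, and the mov eax, fs:[0x30] pattern (the usual encoding of a PEB read, which is how BeingDebugged and NtGlobalFlag are reached without an API call) is added from outside the slides.

```python
# Static triage of a raw code blob for the anti-analysis tells named on the
# anti-debugging and anti-VM slides: rdtsc, sidt/sgdt/sldt/str, call $+5, jmp -1,
# same-target jz/jnz pairs, a PEB fetch via fs:[0x30], and suspicious strings.
# Added example, not from the presentation; SAMPLE is constructed. Byte patterns
# are matched without disassembling, so treat hits as leads for a human, not proof.
import re

BYTE_PATTERNS = [
    ("rdtsc (timing check)",          rb"\x0f\x31"),
    ("call $+5 (sp-analysis trick)",  rb"\xe8\x00\x00\x00\x00"),
    ("jmp -1 (spliced instruction)",  rb"\xeb\xff"),
    ("mov eax, fs:[0x30] (PEB read)", rb"\x64\xa1\x30\x00\x00\x00"),
]
# API / window-class / vendor strings from the slides, searched as plain ASCII.
SUSPECT_STRINGS = [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                   b"NtQueryInformationProcess", b"FindWindow", b"OLLYDBG",
                   b"VMware", b"VirtualBox"]


def _s8(v):
    """Interpret a byte as a signed rel8 displacement."""
    return v - 256 if v > 127 else v


def _descriptor_table_ops(blob):
    """0F 00 /0 = sldt, 0F 00 /1 = str, 0F 01 /0 = sgdt, 0F 01 /1 = sidt; the
    '/n' is the reg field of the ModRM byte. sgdt/sidt take a memory operand only."""
    names = {0x00: {0: "sldt", 1: "str"}, 0x01: {0: "sgdt", 1: "sidt"}}
    hits = []
    for m in re.finditer(rb"\x0f[\x00\x01].", blob, re.DOTALL):
        second, modrm = m.group(0)[1], m.group(0)[2]
        if second == 0x01 and modrm >> 6 == 3:
            continue
        name = names[second].get((modrm >> 3) & 7)
        if name:
            hits.append((m.start(), f"{name} (Red Pill / No Pill / ScoopyNG style check)"))
    return hits


def _same_target_jcc_pairs(blob):
    """Back-to-back jz/jnz (74 xx 75 yy or 75 xx 74 yy) resolving to one address."""
    hits = []
    for off in range(len(blob) - 3):
        a, ra, b, rb_ = blob[off], blob[off + 1], blob[off + 2], blob[off + 3]
        if {a, b} == {0x74, 0x75} and off + 2 + _s8(ra) == off + 4 + _s8(rb_):
            hits.append((off, "jz/jnz pair with one target (opaque predicate)"))
    return hits


def scan(blob):
    """Return sorted (offset, description) hits for every indicator found."""
    hits = []
    for label, pattern in BYTE_PATTERNS:
        hits += [(m.start(), label) for m in re.finditer(pattern, blob)]
    hits += _descriptor_table_ops(blob)
    hits += _same_target_jcc_pairs(blob)
    for s in SUSPECT_STRINGS:
        hits += [(m.start(), f"string {s.decode()!r}") for m in re.finditer(re.escape(s), blob)]
    return sorted(hits)


# Constructed blob: a few NOPs, then one instance of each trick, then two strings.
SAMPLE = (
    b"\x90" * 4
    + b"\x0f\x31"                       # rdtsc
    + b"\x0f\x01\x0c\x24"               # sidt [esp]
    + b"\x0f\x00\xc0"                   # sldt eax
    + b"\xe8\x00\x00\x00\x00"           # call $+5
    + b"\xeb\xff"                       # jmp -1
    + b"\x74\x03\x75\x01"               # jz +3 / jnz +1, both land 5 bytes ahead
    + b"\x64\xa1\x30\x00\x00\x00"       # mov eax, fs:[0x30]
    + b"IsDebuggerPresent\x00OLLYDBG\x00"
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print(f"0x{off:04x}  {what}")
```

Because nothing is disassembled, a 0F 31 inside an immediate or a string will also be reported; the offsets are meant to seed the manual pass from slide 46 (confirm in the debugger, then patch), not to stand on their own as a verdict.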
47. Anti-Sandbox
• Logic bombs are particular checks in the program which require certain events to be true in order to execute the malicious payload
– Checking if something changes on the user's desktop
– Checking if the mouse pointer has not moved for a particular time
• Sandbox Overloading
– Malware floods the sandbox by generating too much worthless behavior data (e.g. repeated Sleep calls) before executing the real payload. Logging the generated behavior data introduces additional delays, so the execution never reaches the real payload within the analysis time
– Solution : only analyze network traffic and do not capture any system-level behavior
49. Anti-Sandbox
• Pafish is a demo tool that performs some
anti(debugger/VM/sandbox) tricks :
– https://github.com/a0rtega/pafish
50. Anti-Anti-Sandbox
Logic bombs :
– By having human analysts understand the behavior of the logic-bomb code in the analysis report, we can improve the sandbox
Sandbox overload :
– In some cases, we should analyze only the network traffic and not capture any system-level behavior
– In addition, we could also write a signature to detect and blacklist the massive worthless behavior data (e.g. the Sleep call)
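An added example, not the presentation's code, of the two countermeasures on this slide applied to a sandbox API-call trace: a heuristic that reports sandbox overloading (many cheap calls before the first real activity) and a logic-bomb candidate (repeated polling for user activity), plus a collapse step that folds runs of identical noise calls into one counted entry so the log stays small enough for the run to reach the payload. The trace format, the two sample traces and the API groupings (GetCursorPos and GetLastInputInfo as activity probes, CreateFileW and friends as payload calls) are assumptions made for this example.

```python
# Heuristics over a sandbox API-call trace for the two anti-sandbox patterns on
# these slides. Added example, not the presentation's code. Trace format, sample
# traces and the API groupings below are assumptions made for the example.

# Calls that do real work; the first of them marks where the real payload starts.
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "InternetOpenUrlA", "connect",
                "CreateProcessW", "RegSetValueExW"}
# Cheap calls a sample can emit in bulk to drown the log (the slide's example is Sleep).
NOISE_APIS = {"Sleep", "GetTickCount", "NtDelayExecution"}
# Calls that poll for user activity (assumed indicators of a logic-bomb trigger).
ACTIVITY_PROBES = {"GetCursorPos", "GetLastInputInfo", "GetForegroundWindow"}


def parse_trace(text):
    """One call per line: '<ms since start> <api> [argument]'."""
    calls = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=2)
        calls.append((int(parts[0]), parts[1], parts[2] if len(parts) > 2 else ""))
    return calls


def triage(text, noise_threshold=50, probe_threshold=5):
    """Summarise the prelude before the first payload call and name what it looks like."""
    calls = parse_trace(text)
    first_payload = next((i for i, (_, api, _) in enumerate(calls) if api in PAYLOAD_APIS),
                         len(calls))
    prelude = calls[:first_payload]
    noise = sum(1 for _, api, _ in prelude if api in NOISE_APIS)
    probes = sum(1 for _, api, _ in prelude if api in ACTIVITY_PROBES)
    findings = []
    if noise >= noise_threshold:
        findings.append("sandbox-overload")
    if probes >= probe_threshold:
        findings.append("logic-bomb-candidate")
    if first_payload == len(calls):
        findings.append("payload-not-reached")
    return {"payload_reached": first_payload < len(calls), "noise_calls": noise,
            "probe_calls": probes, "findings": findings}


def collapse_noise(calls):
    """Fold consecutive identical noise calls into one entry with a repeat count: the
    'signature' from the slide that keeps the log small enough to reach the payload."""
    out = []
    for ts, api, arg in calls:
        if out and api in NOISE_APIS and out[-1][1:3] == (api, arg):
            ts0, _, _, n = out[-1]
            out[-1] = (ts0, api, arg, n + 1)
        else:
            out.append((ts, api, arg, 1))
    return out


# Constructed traces: one sample that sleeps and polls the mouse before dropping a
# file, and one that never gets past its sleep loop within the analysis window.
OVERLOAD_THEN_DROP = "\n".join(
    [f"{i * 10} Sleep 100" for i in range(60)]
    + [f"{600 + i * 10} GetCursorPos" for i in range(6)]
    + ["700 CreateFileW C:\\lab\\constructed.bin", "720 WriteFile"])
NEVER_REACHED = "\n".join(f"{i * 10} Sleep 100" for i in range(200))

if __name__ == "__main__":
    print(triage(OVERLOAD_THEN_DROP))
    print(triage(NEVER_REACHED))
    print(collapse_noise(parse_trace(OVERLOAD_THEN_DROP))[:3])
```

The thresholds are deliberately plain numbers to tune per sandbox; the "payload-not-reached" finding is the case the slide describes, where the analysis window ends before any real activity, and is the signal to re-run with only network capture or with noise collapsing enabled.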
51. Some tools can help you
• Crowd Detox : plugin for Hex-Rays that automatically removes junk code and variables from Hex-Rays function decompilations
• CrowdRE : aims to make it easier for developers to reverse engineer complex applications by working collaboratively with other users
• http://www.crowdstrike.com/community-tools/index.html
52. Conclusion
• Automated Malware Analysis is good, but it can be defeated by new anti-* techniques => we still need manual analysis for advanced malware, and to feed what we learn back into the AMAs