Archive for the 'Papers' Category

05
Nov

Understanding and Reducing Insider Threat

This is an excellent series of articles by Kai the Security Guy about insider threat, to help understand the issue, and answer some tricky questions, such as “why do companies ignore it?”, “how big is the risk?”, “why do they do it?” and “what are they after?”.

Dripping Data: Understanding and Reducing Insider Threat
(part I, part II, part III, part IV, part V, part VI)

Apparently more parts are yet to be published. I’ll add the appropriate links as Kai posts them.

12
Oct

Storm Analysis

Don’t know what to read this weekend? :)

“A Multi-perspective Analysis of the Storm (Peacomm) Worm” by Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. There are also some useful links on the same site with further information on Storm.

28
Aug

Image forensics

Very cool paper on “Digital Image Analysis and Forensics” by Neal Krawetz, presented at Black Hat 2007. Fascinating read.


07
Aug

Protecting browsers against DNS rebinding attacks

Researchers from Stanford University have published a paper titled “Protecting browsers from DNS rebinding attacks”. Abstract:

DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies. We survey new DNS rebinding attacks that exploit the interaction between the browser and browser plug-ins such as Flash and Java LiveConnect. These attacks can be used to circumvent firewalls and are highly cost-effective for sending spam e-mail and defrauding pay-per-click advertisers, requiring less than $100 to temporarily hijack 100,000 IP addresses. We show that a well-known, existing defense against these attacks, called “DNS pinning,” is ineffective in modern browsers. The primary focus of this work, however, is the design of strong defenses against DNS rebinding attacks that protect modern browsers. For the near-term, we suggest easy-to-deploy defenses that prevent large-scale exploitation by patching individual plug-ins and improving the robustness of browser DNS pinning strategies. For the long-term, we propose two solutions, circumvention-resistant firewalls and host name authorization, that fix the root cause of DNS rebinding vulnerabilities by preventing the attacker from naming a target server.

You can download the paper (PDF) here.
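As an added illustration of the server side of the problem (example code written for this post, not from the paper or the Stanford authors): a rebound request reaches the target's IP address but still carries the attacker's host name in the HTTP Host header, so a server that only answers requests naming one of its own host names refuses it. This is the simple Host-header allow-list mitigation, not the host name authorization scheme the abstract proposes, and every host name below is constructed.

```python
"""Host header allow-listing as a server-side defence against DNS rebinding.
A rebound request reaches the target's IP address but carries the attacker's
host name in the HTTP Host header; refusing requests that do not name this
server blocks them. All host names below are constructed for the example."""
import ipaddress
from http import HTTPStatus

# Names and address literals this (hypothetical) LAN device answers to.
ALLOWED_HOSTS = frozenset({"router.local", "192.168.1.1"})

def split_host_port(host_header):
    """Return (host, port) from a Host header value; handles [IPv6]:port."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        if end == -1:                       # unbalanced bracket: malformed
            return None, None
        port = h[end + 2:] if h[end + 1:end + 2] == ":" else None
        return h[1:end], port
    host, sep, port = h.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return h, None

def normalize_host(host):
    """Drop a trailing dot and canonicalise IP literals (e.g. IPv6 forms)."""
    host = host.rstrip(".")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host

def check_host_header(host_header):
    """200 if Host names this server, 421 (Misdirected Request) if it names
    someone else as a rebound request does, 400 if missing or malformed.
    The port is ignored: the attacker controls the name, not the port."""
    if not host_header:
        return HTTPStatus.BAD_REQUEST
    host, _port = split_host_port(host_header)
    if not host:
        return HTTPStatus.BAD_REQUEST
    if normalize_host(host) in ALLOWED_HOSTS:
        return HTTPStatus.OK
    return HTTPStatus.MISDIRECTED_REQUEST

if __name__ == "__main__":   # the last header is what a rebound request carries
    for hdr in ["router.local", "192.168.1.1:8080", "[::1]", "attacker.example"]:
        print(f"{hdr:18} -> {int(check_host_header(hdr))}")
```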

06
Aug

Tactical Exploitation

Very interesting presentation at BlackHat 2007, by HD Moore and Valsmith, about pentesting without having to rely on “transient” vulnerabilities.

26
Jun

Controlled worm replication environment

This is cool.

The approach involves building a virtual SOHO network, which is in turn connected to a virtual Internet. Both the virtual LAN and WAN are populated with virtual machines. The suspected worm is introduced into this environment, and executed therein. The whole system is closely monitored as execution progresses in the isolated environment, and data is amassed describing what the suspected worm did as it executed. This data is then processed by the system in an attempt to automatically determine whether or not the suspect programming is performing actions indicative of a worm or internet-aware malware.

You can find the complete paper here: “An Environment for Controlled Worm Replication and Analysis”.

09
May

Distributed Open Proxy Honeypot results

The Web Application Security Consortium (WASC) has released an interesting paper with the results of the Distributed Open Proxy Honeypot Project.

The idea of the Distributed Open Proxy Honeypot Project is to place monitored “open proxies” around the world, which are normally used by hackers to mask their origin when performing attacks, scans, etc. According to the authors:

During this timeframe, we had 7 internationally placed honeypot sensors deployed and sending their data back to our central logging host. What did we see? Here are some brief highlights:

  • SQL Injection Attacks
  • Brute Force Attacks
  • OS Command Injection
  • Web Defacement Attempts
  • Google-Abuses (Google-Hacking and Proxying for BannerAd/Click Fraud)
  • Information Leakage

You can download the report here.

30
Apr

HotBot’s papers about botnet research available


Ok, maybe this is some days old. The papers for HotBots ‘07 (the First Workshop on Hot Topics in Understanding Botnets) have been made available on their website.

Here you can find download links for several of the most interesting-looking papers:

Some other blogs commented about it first: TaoSecurity, Noticias de Seguridad

05
Apr

Cracking WEP in under 60 seconds

A new excellent article by the (also excellent) Raul Siles at the RaDaJo blog describing a practical demonstration of the new kind of WEP cracking described in the paper “Breaking 104 bit WEP in less than 60 seconds” by Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Raul uses this information together with the aircrack-ptw tool and the latest release of Backtrack 2 to check the validity of the method.

And guess what? It works beautifully :)

In Raul’s own words: “Awesome results and advancements for auditing the security of WEP-based wireless networks!”

Stop using WEP now. Switch to WPA/WPA2 as soon as possible.

You can read Raul’s post here.

Here is the complete kit:

Download the “Breaking 104 bit WEP in less than 60 seconds” paper.

Download the aircrack-ptw tool.

Download Backtrack 2 Stable.

26
Mar

Underground economy and prices

We have already commented on how pump-and-dump stock scams work, and how much money they provide the scammer when they work.

Symantec, in its latest Internet Security Threat Report talks about underground economy servers which are “used by criminals and criminal organizations to sell stolen information, typically for subsequent use in identity theft.” In the second half of 2006, about half of these servers were located in the USA.

According to the report, these are the current advertised prices for stuff such as credit card information, lists of emails, banking accounts, compromised computers, etc.


You can download the full Internet Security Threat Report (PDF) from Symantec.