Archive for the ‘Cybersecurity’ Category

What Can Reverse Engineering Do For You?

Thursday, January 18th, 2018

From the description:

Reverse engineering is a core skill in the information security space, but it doesn’t necessarily get the widespread exposure that other skills do even though it can help you with your security challenges. We will talk about getting you quickly up and running with a reverse engineering starter pack and explore some interesting x86 assembly code patterns you may encounter in the wild. These patterns are essentially common malware evasion techniques that include packing, analysis evasion, shellcode execution, and crypto usages. It is not always easy recognizing when a technique is used. This talk will begin by defining each technique as a pattern and then the approaches for reading or bypassing the evasion.

Technical keynote at Shellcon 2017 by Amanda Rousseau (@malwareunicorn).

Even if you’re not interested in reverse engineering, watch the video to see a true master describing their craft.

The “patterns” she speaks of are what I would call “subject identity” in a topic maps context.
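As an added illustration (not part of the talk or of this post), here is a small Python triage routine that turns two of the pattern families named above into mechanical checks: a Shannon-entropy test for packed sections, and byte-signature matching for a handful of x86 idioms (the call $+5; pop “GetPC” stub that shellcode uses, rdtsc timing checks, cpuid probes, and fs:[0x30] PEB access). The signature list and the sample byte strings are constructed for this example; on a real binary you would confirm each hit in a disassembler, since a raw byte match can land in data or mid-instruction.

```python
import math
from collections import Counter

# Illustrative x86 byte signatures assembled for this example (not the talk's
# catalogue). Each entry: fixed prefix bytes, plus an optional set of allowed
# values for the byte that must follow.
SIGNATURES = {
    # E8 00 00 00 00 ; 58..5F -> call $+5 ; pop r32 : the "GetPC" stub shellcode
    # uses to learn its own address
    "getpc (call $+5; pop)": (b"\xe8\x00\x00\x00\x00", range(0x58, 0x60)),
    # 0F 31 -> rdtsc, the usual timing check against debuggers and emulators
    "rdtsc timing check": (b"\x0f\x31", None),
    # 0F A2 -> cpuid, used to fingerprint hypervisors
    "cpuid probe": (b"\x0f\xa2", None),
    # 64 A1 30 00 00 00 -> mov eax, fs:[0x30] : PEB access (BeingDebugged,
    # or walking loaded modules to resolve imports without the IAT)
    "PEB access (mov eax, fs:[0x30])": (b"\x64\xa1\x30\x00\x00\x00", None),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section: bytes, threshold: float = 7.0) -> bool:
    """Compressed or encrypted sections sit near 8.0; native code and text
    typically sit well below 7.0. Heuristic, so keep the threshold tunable."""
    return shannon_entropy(section) >= threshold


def find_patterns(code: bytes):
    """Return sorted (offset, name) pairs for every signature hit in code."""
    hits = []
    for name, (prefix, follower) in SIGNATURES.items():
        start = 0
        while (pos := code.find(prefix, start)) != -1:
            nxt = pos + len(prefix)
            if follower is None or (nxt < len(code) and code[nxt] in follower):
                hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def triage(sections: dict) -> dict:
    """Per-section summary: entropy, packed verdict and pattern hits."""
    return {name: {"entropy": round(shannon_entropy(data), 2),
                   "packed": looks_packed(data),
                   "patterns": find_patterns(data)}
            for name, data in sections.items()}


# Constructed samples, not bytes from any real binary.
SAMPLE_CODE = (b"\x90\x90"                      # nop; nop
               + b"\xe8\x00\x00\x00\x00\x5b"    # call $+5 ; pop ebx
               + b"\x0f\x31"                    # rdtsc
               + b"\x64\xa1\x30\x00\x00\x00"    # mov eax, fs:[0x30]
               + b"\xc3")                       # ret
PACKED_SECTION = bytes(range(256)) * 16         # uniform bytes: entropy exactly 8.0
PLAIN_SECTION = bytes(4096)                     # all zeros: entropy 0.0

if __name__ == "__main__":
    for name, info in triage({".text": SAMPLE_CODE, "UPX1": PACKED_SECTION}).items():
        print(name, info)
```

Run it on the sections of a PE and the packed ones stand out by entropy before you open a single function; the pattern hits tell you where to start reading once the sample is unpacked.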

Tips for Entering the Penetration Testing Field

Tuesday, January 16th, 2018

Tips for Entering the Penetration Testing Field by Ed Skoudis.

From the post:

It’s an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.

In the courses I teach on penetration testing, I’m frequently asked about how someone can land their first job in the field after they’ve acquired the appropriate technical skills and gained a good understanding of methodologies. Also, over the past decade, I’ve counseled a lot of my friends and acquaintances as they’ve moved into various penetration testing jobs. Although there are many different paths to pen test nirvana, let’s zoom into three of the most promising. It’s worth noting that these three paths aren’t mutually exclusive either. I know many people who started on the first path, jumped to the second mid-way, and later found themselves on path #3. Or, you can jumble them up in arbitrary order.

Career advice and a great listing of resources for any aspiring penetration “tester.”

If you do penetration work for a government, you may be a national hero. If you do commercial penetration testing, not a national hero but not on the run either. If you do non-sanctioned penetration work, life is uncertain. Same skill, same activity. Go figure.

Updated Hacking Challenge Site Links (Signatures as Subject Identifiers)

Tuesday, January 16th, 2018

Updated Hacking Challenge Site Links

From the post:

These are 70+ sites which offer free challenges for hackers to practice their skills. Some are web-based challenges, some require VPN access to private labs and some are downloadable ISOs and VMs. I’ve tested the links at the time of this posting and they work.

Most of them are at but if I missed a few they will be there.

WeChall is a portal to hacking challenges where you can link your account to all the sites and get ranked. I’ve been a member since 2/2/14.

Internally to the site they have challenges there as well so make sure you check them out!

To find CTFs go to

On Twitter in the search field type CTF

Google is also your friend.

I’d rephrase “Google is also your friend.” to “Sometimes Google allows you to find ….”

When visiting hacker or CTF (capture the flag) sites, use the same levels of security as any government or other known hostile site.

What is an exploit or vulnerability signature if not a subject identifier?

Introduction to reverse engineering and Assembly (Suicidal Bricking by Ubuntu Servers)

Thursday, January 11th, 2018

Introduction to reverse engineering and Assembly by Youness Alaoui.

From the post:

Recently, I’ve finished reverse engineering the Intel FSP-S “entry” code, that is from the entry point (FspSiliconInit) all the way to the end of the function and all the subfunctions that it calls. This is only some initial foray into reverse engineering the FSP as a whole, but reverse engineering is something that takes a lot of time and effort. Today’s blog post is here to illustrate that, and to lay the foundations for understanding what I’ve done with the FSP code (in a future blog post).

Over the years, many people asked me to teach them what I do, or to explain to them how to reverse engineer assembly code in general. Sometimes I hear the infamous “How hard can it be?” catchphrase. Last week someone I was talking with thought that assembly language is just like a regular programming language, but in binary form—it’s easy to make that mistake if you’ve never seen what assembly is or looks like. Historically, I’ve always said that reverse engineering and ASM is “too complicated to explain” or that “If you need help to get started, then you won’t be able to finish it on your own” and various other vague responses—I often wanted to explain to others why I said things like that but I never found a way to do it. You see, when something is complex, it’s easy to say that it’s complex, but it’s much harder to explain to people why it’s complex.

I was lucky to recently stumble onto a little function while reverse engineering the Intel FSP, a function that was both simple and complex, where figuring out what it does was an interesting challenge that I can easily walk you through. This function wasn’t a difficult thing to understand, and by far, it’s not one of the hard or complex things to reverse engineer, but this one is “small and complex enough” that it’s a perfect example to explain, without writing an entire book or getting into the more complex aspects of reverse engineering. So today’s post serves as a “primer” guide to reverse engineering for all of those interested in the subject. It is a required read in order to understand the next blog posts I would be writing about the Intel FSP. Ready? Strap on your geek helmet and let’s get started!
… (emphasis in original)

Intel? Intel? I heard something recently about Intel chips. You? 😉

No, this won’t help you specifically with Spectre and Meltdown, but it’s a step in the direction of building such skills.

The Project Zero team at Google did not begin life with the skills necessary to discover Spectre and Meltdown.

It took 20 years for those vulnerabilities to be discovered.

What vulnerabilities await discovery by you?

PS: Word on the street is that Ubuntu 16.04 servers are committing suicide rather than run more slowly with patches for Meltdown and Spectre. Meltdown and Spectre Patches Bricking Ubuntu 16.04 Computers. The attribution of intention to Ubuntu servers may be a bit overdone but the bricking part is true.

Tails With Meltdown and Spectre Fixes w/ Caveats

Wednesday, January 10th, 2018

Tails 3.4 is out

From the post:

In particular, Tails 3.4 fixes the widely reported Meltdown attack, and includes the partial mitigation for Spectre.

Timely security patches are always good news.

Three caveats:

1. Meltdown and Spectre patches originate in the same community that missed these vulnerabilities for twenty-odd years. How confident are you in these patches?

2. Meltdown and Spectre are more evidence for the existence of other fundamental design flaws than we have for life on other planets.

3. When did the NSA become aware of Meltdown and Spectre?

Are LaTeX Users Script Kiddies?

Monday, January 8th, 2018

NO! Despite most LaTeX users not writing their own LaTeX engines or many of the packages they use, they are not script kiddies.

LaTeX users are experts in mathematics, statistics and probability, physics, computer science, astronomy and astrophysics, (François Brischoux and Pierre Legagneux 2009), as well as being skilled LaTeX authors.

There’s no shame in using LaTeX, despite not implementing a LaTeX engine. LaTeX makes high quality typesetting available to hundreds of thousands of users around the globe.

Contrast that view of LaTeX with making use of cyber vulnerabilities more widely available, which is dismissed as empowering “script kiddies.”

Every cyber vulnerability is a step towards transparency. Government and corporations fear cyber vulnerabilities, fearing their use will uncover evidence of their crimes and favoritism.

Fearing public exposure, it’s no surprise that governments prohibit the use of cyber vulnerabilities. Governments that also finance and support rape, torture, murder, etc., in pursuit of national policy.

The question for you is:

Do you want to assist such governments and corporations to continue hiding their secrets?

Your answer to that question should determine your position on the discovery, use and spread of cyber vulnerabilities.

Bait Avoidance, Congress, Kaspersky Lab

Monday, January 8th, 2018

Should you use that USB key you found? by Jeffrey Esposito.

Here is a scenario for you: You are walking around, catching Pokémon, getting fresh air, people-watching, taking Fido out to do his business, when something catches your eye. It’s a USB stick, and it’s just sitting there in the middle of the sidewalk.

Jackpot! Christmas morning! (A very small) lottery win! So, now the question is, what is on the device? Spring Break photos? Evil plans to rule the world? Some college kid’s homework? You can’t know unless…

Esposito details an experiment in which USB keys left around the University of Illinois campus resulted in 48% of them being plugged into computers.

Reports like this from Kaspersky Lab, given the interest in Kaspersky by Congress, could lead to what the pest control industry calls “bait avoidance.”

Imagine members of Congress or their staffs not stuffing random USB keys into their computers. This warning from Kaspersky could poison the well for everyone.

For what it’s worth, salting the halls and offices of Congress with new release music and movies on USB keys, may help develop and maintain insecure USB practices. Countering bait avoidance is everyone’s responsibility.

…Anyone With Less Technical Knowledge…

Friday, January 5th, 2018

The headline came from Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser by Mohit Kumar, the last paragraph of which reads:

Since the Metasploit exploit code for the SOP bypass vulnerability in the Samsung Internet Browser is now publicly available, anyone with less technical knowledge can use and exploit the flaw on a large number of Samsung devices, most of which are still using the old Android Stock browser.
… (emphasis added)

Kumar tosses off the … anyone with less technical knowledge … line like that’s a bad thing.

I wonder if Kumar can:

  1. Design and create a CPU chip?
  2. Design and create a memory chip?
  3. Design and create from scratch a digital computer?
  4. Design and implement an operating system?
  5. Design and create a programming language?
  6. Design and create a compiler for creation of binaries?
  7. Design and create the application he now uses for editing?

I’m guessing that Kumar strikes out on one or more of those questions, making him one of those anyone with less technical knowledge types.

I don’t doubt Kumar has a wide range of deep technical skills but lacking some particular technical skill doesn’t diminish your value as a person or even as a technical geek.

Moreover, security failures should be made as easy to use as possible.

No corporation or government is going to voluntarily engage in behavior changing transparency. The NSA was outed for illegal surveillance, Congress then passes a law making that illegal surveillance retroactively legal and when that authorization expired, the NSA continued its originally illegal surveillance.

Every security vulnerability is one potential step towards behavior changing transparency. People with “…less technical knowledge…” aren’t going to find those but with assistance, they can make the best use of the ones that are found.

Security researchers should take pride in their work. But there’s no reflected glory in dissing people who are good at other things.

Transparency, behavior changing transparency, will only result from discovery and widespread use of security flaws. (Voluntary transparency being a contradiction in terms.)

So You Want to Play God? Intel Delivers – FUCKWIT Inside

Thursday, January 4th, 2018

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign by John Leyden and Chris Williams.

From the post:

It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.

The fix is to separate the kernel’s memory completely from user processes using what’s called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.

Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.

Patches are forthcoming, to make your Intel machine 5% to 30% slower.

Cloud providers are upgrading but there’s a decade of Intel chips not in the cloud that await exploitation.

Show of hands. How many of you will slow your machines down by 5% to 30% to defeat this bug?

Next question: How long will it take to cycle out of service the most recent decade of Intel chips?

You’ll have to make your own sticker for your laptop/desktop/server:

BTW, for FUCKWIT and another deep chip flaw, see: Researchers Discover Two Major Flaws in the World’s Computers.

These fundamental flaws should alter your cybersecurity conversations. But will they?

The Coolest Hacks of 2017 [Inspirational Reading for 2018]

Wednesday, December 27th, 2017

The Coolest Hacks of 2017 by Kelly Jackson Higgins.

From the post:

You’d think by now with the pervasiveness of inherently insecure Internet of Things things that creative hacking would be a thing of the past for security researchers. It’s gotten too easy to find security holes and ways to abuse IoT devices; they’re such easy marks.

But our annual look at the coolest hacks we covered this year on Dark Reading shows that, alas, innovation is not dead. Security researchers found intriguing and scary security flaws that can be abused to bend the will of everything from robots to voting machines, and even the wind. They weaponized seemingly benign systems such as back-end servers and machine learning tools in 2017, exposing a potential dark side to these systems.

So grab a cold one from your WiFi-connected smart fridge and take a look at seven of the coolest hacks of the year.

“Dark side” language brings a sense of intrigue and naughtiness. But the “dark side(s)” of any system is just a side that meets different requirements. Such as access without authorization. May not be your requirement but it may be mine, or your government’s.

Let’s drop the dodging and posing as though there is a common interest in cybersecurity. There is no such common interest, nor has there ever been one. Governments want backdoors; privacy advocates, black marketeers and spies want none. Users want effortless security, while security experts know security ads are just short of actionable fraud.

Cybersecurity marketeers may resist but detail your specific requirements. In writing and appended to your contract.

From the Valley of Disinformation Rode the 770 – Opportunity Knocks

Wednesday, December 27th, 2017

More than 700 employees have left the EPA since Scott Pruitt took over by Natasha Geiling.

From the post:

Since Environmental Protection Agency Administrator Scott Pruitt took over the top job at the agency in March, more than 700 employees have either retired, taken voluntary buyouts, or quit, signaling the second-highest exodus of employees from the agency in nearly a decade.

According to agency documents and federal employment statistics, 770 EPA employees departed the agency between April and December, leaving employment levels close to Reagan-era levels of staffing. According to the EPA’s contingency shutdown plan for December, the agency currently has 14,449 employees on board — a marked change from the April contingency plan, which showed a staff of 15,219.

These departures offer journalists a rare opportunity to bleed the government like a stuck pig. From late revocation of login credentials to acceptance of spear-phishing emails, opportunities abound.

Not for “reach it to me” journalists who use sources as shields from potential criminal liability. While their colleagues are imprisoned for the simple act of publication, or murdered (42 so far in 2017, as of today).

Governments have not, are not and will not act in the public interest. Laws that criminalize acquisition of data or documents are a continuation of their failure to act in the public interest.

Journalists who serve the public interest, by exposing the government’s failure to do so, should use any means at their disposal to obtain data and documents that evidence government failure and misconduct.

Are you a journalist serving the public interest or a “reach it to me” journalist, serving the public interest when there’s no threat to you?

Ichano AtHome IP Cameras – Free Vulnerabilities from Amazon

Sunday, December 24th, 2017

SSD Advisory – Ichano AtHome IP Cameras Multiple Vulnerabilities

Catalin Cimpanu @campuscodi pointed to these free vulnerabilities:

AtHome Camera is “a remote video surveillance app which turns your personal computer, smart TV/set-top box, smart phone, and tablet into a professional video monitoring system in a minute.”

The vulnerabilities found are:

  • Hard-coded username and password – telnet
  • Hard-coded username and password – Web server
  • Unauthenticated Remote Code Execution

Did you know the AtHome Camera – Remote video surveillance, Home security, Monitoring, IP Camera by iChano is a free download at Amazon?

That’s right! You can get all three of these vulnerabilities for free! Ranked “#270 in Apps & Games > Utilities,” as of 24 December 2017.

Sleuth Kit – Checking Your Footprints (if any)

Sunday, December 24th, 2017

Open Source File System Digital Forensics: The Sleuth Kit

From the webpage:

The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs.

The Sleuth Kit uses code from the file system analysis tools of The Coroner’s Toolkit (TCT) by Wietse Venema and Dan Farmer. The TCT code was modified for platform independence. In addition, support was added for the NTFS and FAT file systems. Previously, The Sleuth Kit was called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent of any commercial or academic organizations.

It is recommended that these command line tools be used with the Autopsy Forensic Browser. Autopsy is a graphical interface to the tools of The Sleuth Kit and automates many of the procedures and provides features such as image searching and MD5 image integrity checks.

As with any investigation tool, any results found with The Sleuth Kit should be recreated with a second tool to verify the data.

The Sleuth Kit allows one to analyze a disk or file system image created by ‘dd’, or a similar application that creates a raw image. These tools are low-level and each performs a single task. When used together, they can perform a full analysis.

Question: Who should find your foot prints first? You or someone investigating an incident?

Test your penetration techniques for foot prints before someone else does. Yes?

BTW, pick up a copy of the Autopsy Forensic Browser.
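To make the “low-level tools, one task each” description concrete, here is an added Python example (my own, not code from The Sleuth Kit) that does the first thing you would do with a dd image: read the MBR partition table out of sector 0, list the partitions, and compute the unallocated sector ranges between them, in the same row shape that mmls prints. The sample image is constructed inline (two primary partitions in a zero-filled 64-sector image); the partition type table is a small subset for the demo. Footprint-wise, the unallocated ranges are exactly where an investigator looks for what a file system no longer accounts for.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
# Small subset of MBR partition type IDs, enough for the demo image.
PART_TYPES = {0x05: "DOS Extended", 0x07: "NTFS / exFAT", 0x0b: "Win95 FAT32",
              0x0c: "Win95 FAT32 (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(image: bytes):
    """Primary partitions from sector 0 of a raw (dd) image: four 16-byte
    entries at offset 446, signature 55 AA at offset 510."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature in sector 0")
    parts = []
    for slot in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(ENTRY, mbr, 446 + slot * 16)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"slot": slot, "type": ptype,
                      "desc": PART_TYPES.get(ptype, f"type 0x{ptype:02x}"),
                      "bootable": status == 0x80,
                      "start": lba, "end": lba + count - 1, "length": count})
    return parts


def unallocated_ranges(parts, total_sectors: int):
    """Sector ranges no partition claims (sector 0 is the table itself).
    Data hidden or left behind outside any file system lives here."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def layout_table(image: bytes, total_sectors: int):
    """Rows in the shape mmls prints: (kind, start, end, length, description)."""
    parts = parse_mbr(image)
    rows = [("Meta", 0, 0, 1, "Primary Table (#0)")]
    rows += [("Part", p["start"], p["end"], p["length"], p["desc"]) for p in parts]
    rows += [("Unalloc", s, e, e - s + 1, "Unallocated")
             for s, e in unallocated_ranges(parts, total_sectors)]
    return sorted(rows, key=lambda r: r[1])


def carve(image: bytes, part) -> bytes:
    """The partition's bytes, i.e. what fls/icat see with -o <start>."""
    return image[part["start"] * SECTOR:(part["end"] + 1) * SECTOR]


def build_demo_image(total_sectors: int = 64) -> bytes:
    """Constructed sample: zero-filled image with a bootable FAT32 partition at
    sectors 8-31 and a Linux partition at 40-55, leaving gaps in between."""
    img = bytearray(total_sectors * SECTOR)
    for slot, (status, ptype, lba, count) in enumerate([(0x80, 0x0b, 8, 24), (0x00, 0x83, 40, 16)]):
        struct.pack_into(ENTRY, img, 446 + slot * 16,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    img[510:512] = MBR_SIGNATURE
    return bytes(img)


DEMO_IMAGE = build_demo_image()

if __name__ == "__main__":
    for row in layout_table(DEMO_IMAGE, 64):
        print("%-8s %6d %6d %6d  %s" % row)
```

Per the quoted advice, compare the output against a second tool: running mmls over the same image should agree on every start and end sector, and any disagreement is itself a finding.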

SMB – 1 billion vulnerable machines

Thursday, December 21st, 2017

An Introduction to SMB for Network Security Analysts by Nate “Doomsday” Marx.

Of all the common protocols a new analyst encounters, perhaps none is quite as impenetrable as Server Message Block (SMB). Its enormous size, sparse documentation, and wide variety of uses can make it one of the most intimidating protocols for junior analysts to learn. But SMB is vitally important: lateral movement in Windows Active Directory environments can be the difference between a minor and a catastrophic breach, and almost all publicly available techniques for this movement involve SMB in some way. While there are numerous guides to certain aspects of SMB available, I found a dearth of material that was accessible, thorough, and targeted towards network analysis. The goal of this guide is to explain this confusing protocol in a way that helps new analysts immediately start threat hunting with it in their networks, ignoring the irrelevant minutiae that seem to form the core of most SMB primers and focusing instead on the kinds of threats an analyst is most likely to see. This guide necessarily sacrifices completeness for accessibility: further in-depth reading is provided in footnotes. There are numerous simplifications throughout to make the basic operation of the protocol more clear; the fact that they are simplifications will not always be highlighted. Lastly, since this guide is an attempt to explain the SMB protocol from a network perspective, the discussion of host based information (windows logs, for example) has been omitted.

It never occurred to me that NTLM, introduced with Windows NT in 1993, is still supported in the latest version of Windows.

That means a deep knowledge of SMB puts the number of systems potentially open to you close to 1 billion.

How’s that for a line in your CV?
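Since the guide is aimed at network analysts, here is an added example (my own code, not from Marx’s guide) of the one check an analyst most wants to run against SMB traffic on TCP/445: decode the fixed 64-byte SMB2 header, tell requests from responses, and when a SESSION_SETUP carries an NTLMSSP token, pull out the message type and, for an AUTHENTICATE message, the domain and user name. The field layouts follow MS-SMB2 and MS-NLMP; the assumptions are that the Unicode flag is set (Windows clients always set it) and that a signature search is enough to find the token whether or not it is SPNEGO-wrapped. The two packets are constructed inline, not captured, and the builder leaves the NTLM responses, Version and MIC zeroed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
NTLMSSP_SIG = b"NTLMSSP\x00"
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
# Command codes from MS-SMB2 2.2.1.2; the subset that matters for auth and lateral-movement hunting.
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
                 0x0003: "TREE_CONNECT", 0x0005: "CREATE", 0x0008: "READ",
                 0x0009: "WRITE", 0x000b: "IOCTL"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
SMB2_HDR = "<HHIHHIIQIIQ"   # fields after the 4-byte ProtocolId, up to the 16-byte Signature


def parse_smb2_header(msg: bytes) -> dict:
    """Decode the fixed 64-byte SMB2 header; body is everything after it."""
    if len(msg) < 64 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (size, _charge, status, command, _credits, flags, _next,
     message_id, _reserved, tree_id, session_id) = struct.unpack_from(SMB2_HDR, msg, 4)
    if size != 64:
        raise ValueError("bad SMB2 StructureSize")
    return {"command": SMB2_COMMANDS.get(command, f"0x{command:04x}"),
            "response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
            "status": status, "message_id": message_id,
            "tree_id": tree_id, "session_id": session_id, "body": msg[64:]}


def find_ntlmssp(body: bytes):
    """(offset, message type) of the first NTLMSSP token in body, or None."""
    i = body.find(NTLMSSP_SIG)
    if i < 0 or len(body) < i + 12:
        return None
    mtype = struct.unpack_from("<I", body, i + 8)[0]
    return i, NTLM_TYPES.get(mtype, f"type {mtype}")


def _ntlm_field(blob: bytes, desc_off: int) -> bytes:
    """One NTLM variable-length field descriptor: Len, MaxLen, BufferOffset."""
    length, _maxlen, start = struct.unpack_from("<HHI", blob, desc_off)
    return blob[start:start + length]


def ntlm_authenticate_identity(blob: bytes):
    """DomainName and UserName from an AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3)."""
    if blob[:8] != NTLMSSP_SIG or struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    return (_ntlm_field(blob, 28).decode("utf-16-le"),   # DomainNameFields
            _ntlm_field(blob, 36).decode("utf-16-le"))   # UserNameFields


def classify(packet: bytes) -> str:
    """One-line label for an SMB2 message as seen on TCP/445."""
    # On 445 each message is preceded by a 4-byte NetBIOS session header: 0x00 + 3-byte length.
    msg = packet[4:] if packet[:1] == b"\x00" and packet[4:8] == SMB2_MAGIC else packet
    hdr = parse_smb2_header(msg)
    label = f"SMB2 {hdr['command']} {'response' if hdr['response'] else 'request'}"
    token = find_ntlmssp(hdr["body"])
    if token:
        off, kind = token
        label += f" carrying NTLMSSP {kind}"
        if kind == "AUTHENTICATE":
            domain, user = ntlm_authenticate_identity(hdr["body"][off:])
            label += f" for {domain}\\{user}"
    return label


# ---- constructed sample traffic for the demo, not a real capture ----
def build_ntlm_authenticate(domain: str, user: str) -> bytes:
    dom, usr = domain.encode("utf-16-le"), user.encode("utf-16-le")
    descriptors, offset = [], 88   # payload starts after Signature..MIC
    for data in (b"", b"", dom, usr, b"", b""):   # LM, NT, Domain, User, Workstation, SessionKey
        descriptors.append(struct.pack("<HHI", len(data), len(data), offset))
        offset += len(data)
    return (NTLMSSP_SIG + struct.pack("<I", 3) + b"".join(descriptors)
            + struct.pack("<I", 0x00000001)   # NegotiateFlags: NTLMSSP_NEGOTIATE_UNICODE
            + bytes(8) + bytes(16)            # Version and MIC, zeroed for the demo
            + dom + usr)


def build_smb2(command: int, body: bytes, session_id: int = 0, flags: int = 0) -> bytes:
    hdr = SMB2_MAGIC + struct.pack(SMB2_HDR, 64, 1, 0, command, 1, flags, 0, 7, 0, 0, session_id) + bytes(16)
    msg = hdr + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def session_setup_body(token: bytes) -> bytes:
    # SESSION_SETUP request: StructureSize 25, security buffer right after the 24-byte fixed part
    return struct.pack("<HBBIIHHQ", 25, 0, 1, 0, 0, 64 + 24, len(token), 0) + token


SAMPLE_AUTH = build_smb2(0x0001, session_setup_body(build_ntlm_authenticate("CORP", "jdoe")))
SAMPLE_READ_RESP = build_smb2(0x0008, bytes(17), session_id=0x1234, flags=SMB2_FLAGS_SERVER_TO_REDIR)

if __name__ == "__main__":
    print(classify(SAMPLE_AUTH))
    print(classify(SAMPLE_READ_RESP))
```

Feed the function every 445/tcp message from a capture and count NTLM AUTHENTICATE messages per source host and account: a workstation authenticating by NTLM to many peers in a short window is the lateral-movement shape the guide warns about, and with Kerberos available it should be rare enough to read by hand.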

Keeper Security – Beyond Boo-Hooing Over Security Bullies

Thursday, December 21st, 2017

Security firm Keeper sues news reporter over vulnerability story by Zack Whittaker.

From the post:

Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure.

Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of “false and misleading statements” about the company’s password manager.

Goodin’s story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed “any website to steal any password” through the password manager’s browser extension.

Goodin was one of the first to cover news of the vulnerability disclosure. He wrote that the password manager was bundled in some versions of Windows 10. When Ormandy tested the bundled password manager, he found a password stealing bug that was nearly identical to one he previously discovered in 2016.

Ormandy also posted a proof-of-concept exploit for the new vulnerability.

I’ll spare you the boo-hooing over Keeper Security‘s attempt to bully Dan Goodin and Ars Technica.

Social media criticism is like the vice-presidency, it’s not worth a warm bucket of piss.

What the hand-wringers over the bullying of Dan Goodin and Ars Technica fail to mention is your ability to no longer use Keeper Security. Not a word.

In The Best Password Managers of 2018, I see ten (10) top password managers, three of which are rated as equal to or better than Keeper Security.

Sadly I don’t use Keeper Security so I can’t send tweet #1: I refuse to use/renew Keeper Security until it abandons persecution of @dangoodin001 and @arstechnica, plus pays their legal fees.

I’m left with tweet #2: I refuse to consider using Keeper Security until it abandons persecution of @dangoodin001 and @arstechnica, plus pays their legal fees.

Choose tweet 1 or 2, ask your friends to take action, and to retweet.

Weird machines, exploitability, and provable unexploitability

Thursday, December 21st, 2017

Weird machines, exploitability, and provable unexploitability by Thomas Dullien (IEEE pre-print, to appear IEEE Transactions on Emerging Topics in Computing)


The concept of exploit is central to computer security, particularly in the context of memory corruptions. Yet, in spite of the centrality of the concept and voluminous descriptions of various exploitation techniques or countermeasures, a good theoretical framework for describing and reasoning about exploitation has not yet been put forward.

A body of concepts and folk theorems exists in the community of exploitation practitioners; unfortunately, these concepts are rarely written down or made sufficiently precise for people outside of this community to benefit from them.

This paper clarifies a number of these concepts, provides a clear definition of exploit, a clear definition of the concept of a weird machine, and how programming of a weird machine leads to exploitation. The paper also shows, somewhat counterintuitively, that it is feasible to design some software in a way that even powerful attackers – with the ability to corrupt memory once – cannot gain an advantage.

The approach in this paper is focused on memory corruptions. While it can be applied to many security vulnerabilities introduced by other programming mistakes, it does not address side channel attacks, protocol weaknesses, or security problems that are present by design.

A common vocabulary to bridge the gap between ‘Exploit practitioners’ (EPs) and academic researchers. Whether it will in fact bridge that gap remains to be seen. Even the attempt will prove to be useful.

Tracing the use/propagation of Dullien’s vocabulary across Google’s Project Zero reports and papers would provide a unique data set on the spread (or not) of a new vocabulary in computer science.

Not to mention being a way to map back into earlier literature with the newer vocabulary, via a topic map.

BTW, Dullien’s statement “it is feasible to design some software in a way that even powerful attackers … cannot gain an advantage,” is speculation and should not dampen your holiday spirits. (I root for the hare and not the hounds as a rule.)

Violating TCP

Wednesday, December 20th, 2017

This is strictly a violation of the TCP specification by Marek Majkowski.

From the post:

I was asked to debug another weird issue on our network. Apparently every now and then a connection going through CloudFlare would time out with 522 HTTP error.

522 error on CloudFlare indicates a connection issue between our edge server and the origin server. Most often the blame is on the origin server side – the origin server is slow, offline or encountering high packet loss. Less often the problem is on our side.

In the case I was debugging it was neither. The internet connectivity between CloudFlare and origin was perfect. No packet loss, flat latency. So why did we see a 522 error?

The root cause of this issue was pretty complex. After a lot of debugging we identified an important symptom: sometimes, once in thousands of runs, our test program failed to establish a connection between two daemons on the same machine. To be precise, an NGINX instance was trying to establish a TCP connection to our internal acceleration service on localhost. This failed with a timeout error.

It’s unlikely that you will encounter this issue but Majkowski’s debugging of it is a great story.

It also illustrates how deep the foundations of an error, bug or vulnerability may lie.

Offensive Security Conference – February 12-17 2018 // Berlin

Wednesday, December 20th, 2017

Offensive Security Conference – February 12-17 2018 // Berlin

If you haven’t already registered/made travel arrangements, perhaps the speakers list will hurry you along.

While you wait for the conference, can you match the author(s) to the papers based on title alone? Several papers have multiple authors, but which ones?


What’s in Your Wallet? Photo Defeats Windows 10 Facial Recognition

Wednesday, December 20th, 2017

It took more than a wallet-sized photo, but until patched, the Windows 10 Hello facial recognition feature accepted a printed near-IR (340×340 pixel) image to unlock a Windows device.

Catalin Cimpanu has the details at: Windows 10 Facial Recognition Feature Can Be Bypassed with a Photo.

The disturbing line in Cimpanu’s report reads:

The feature is not that widespread since not many devices have the necessary hardware, yet when present, it is often used since it’s quite useful at unlocking computers without having users type in long passwords.

When hardware support for Windows Hello spreads, you can imagine its default use in corporate and government offices.

The Microsoft patch may defeat a 2-D near IR image but for the future, I’d invest in a 3-D printer with the ability to print in the near IR.

I don’t think your Guy Fawkes mask will work on most Windows devices:

But it might make a useful “cover” for a less common mask. If security forces have to search every Guy Fawkes mask, some Guy Fawkes+ masks are bound to slip through. Statistically speaking.

Practicing Vulnerability Hunting in Programming Languages for Music

Tuesday, December 19th, 2017

If you watched Natalie Silvanovich‘s presentation on mining the JavaScript standard for vulnerabilities, the tweet from Computer Science @CompSciFact pointing to Programming Languages Used for Music must have you drooling like one of Pavlov‘s dogs.

I count one hundred and forty-seven (147) languages, of varying degrees of popularity, none of which has gotten the security review of ECMA-262. (Michael Aranda wades through terminology/naming issues for ECMAScript vs. JavaScript at: What’s the difference between JavaScript and ECMAScript?.)

Good hunting!

Standard Driven Bugs – Must Watch Presentation For Standards Geeks

Saturday, December 16th, 2017

From the description:

Web standards are ever-evolving and determine what browsers can do. But new features can also lead to new vulnerabilities as they exercise existing functionality in new and unexpected ways. This talk discusses some of the more interesting and unusual features of JavaScript, and how they lead to bugs in a variety of software, including Adobe Flash, Chrome, Microsoft Edge and Safari.

Natalie Silvanovich is a security researcher at Google Project Zero.

Whether you are looking for origin of bugs in a standard or playing the long game, creating the origin of bugs in standards (NSA for example), this is a must watch video!

A transcript with CVE links, etc, would be especially useful.

Russians? Nation State? Dorm Room? Mirai Botnet Facts

Saturday, December 16th, 2017

How a Dorm Room Minecraft Scam Brought Down the Internet by Garett M. Graff.

From the post:

The most dramatic cybersecurity story of 2016 came to a quiet conclusion Friday in an Anchorage courtroom, as three young American computer savants pleaded guilty to masterminding an unprecedented botnet—powered by unsecured internet-of-things devices like security cameras and wireless routers—that unleashed sweeping attacks on key internet services around the globe last fall. What drove them wasn’t anarchist politics or shadowy ties to a nation-state. It was Minecraft.

Graff’s account is mandatory reading for:

  • Hackers who want to avoid discovery by the FBI
  • Journalists who want to avoid false and/or misleading claims about cyberattacks
  • Manufacturers who want to avoid producing insecure devices (a very small number)
  • Readers who are interested in how the Mirai botnet hype played out


“It is more blessed to give than to receive.” Mallers, WiFiPhisher Can Help You With That!

Saturday, December 16th, 2017

Acts 20:35 records Jesus as saying, in part: “It is more blessed to give than to receive.”

Mall shoppers may honor that admonition without their knowledge (or consent).

Automated WPA Phishing Attacks: WiFiPhisher

From the webpage:

Wifiphisher is a security tool that mounts automated victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malware. It is primarily a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way of obtaining credentials from captive portals and third party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.

Security advice for mallers:

  • Go hard copy, shop with cash/checks.
  • Leave all wifi devices at home (at home, not in your car).

Otherwise, you may have a very blessed holiday shopping experience.

Evil Foca [Encourage Upgrades from Windows XP]

Saturday, December 16th, 2017

Network Security Testing: Evil Foca

From the webpage:

Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks. The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

The tool is capable of carrying out various attacks such as:

  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.
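The first item on that list, ARP spoofing, works by sending ARP replies that rebind a victim's IP address (typically the gateway's) to the attacker's MAC. A defender can spot it by watching for bindings that change. The detector below is an added example, not part of Evil Foca or the page; the ARP replies it processes are constructed sample data.

```python
"""Detect ARP-cache poisoning from a stream of observed ARP replies.

Added example for this post, not Evil Foca code. Each reply is modelled as
(timestamp, sender IP, sender MAC), the fields a sniffer would extract from
an ARP reply's sender_ip/sender_mac.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Reply = Tuple[float, str, str]

# Constructed sample: a gateway at .1, two hosts, then a second MAC
# claiming first the gateway IP and then a host IP (the classic MITM shape).
SAMPLE_ARP_REPLIES: List[Reply] = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1.2, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP rebound to new MAC
    (1.3, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now also claims a host
    (2.0, "192.168.1.30", "aa:bb:cc:00:00:30"),
]


def detect_arp_spoofing(replies: List[Reply],
                        known_bindings: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return one alert per suspicious event.

    Two signals are raised:
      binding_change          an IP that was bound to one MAC is now claimed by another
      mac_claims_multiple_ips one MAC answers for more than one IP (gateway + victim)
    known_bindings seeds the table, e.g. from a static inventory of the gateway,
    so a poisoned reply is caught even when it is the first one seen.
    """
    bindings: Dict[str, str] = dict(known_bindings or {})
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[dict] = []
    for ts, ip, mac in replies:
        prev = bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"ts": ts, "type": "binding_change", "ip": ip,
                           "old_mac": prev, "new_mac": mac})
        bindings[ip] = mac
        mac_to_ips[mac].add(ip)
        # Caveat: a router or a host with several addresses legitimately trips
        # this; whitelist such MACs in a real deployment.
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"ts": ts, "type": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```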


  • Windows XP or later.

ATMs and users running Windows XP are justification for possessing Windows XP.

But upgrading from Windows XP as an operations platform should be encouraged. For any purpose.


Otherwise, what’s next? A luggable computer for your next assignment?

getExploit (utility)

Friday, December 15th, 2017


From the webpage:

Python script to explore exploits. A similar script exists in Kali Linux, but this Python script will provide more flexibility at search and download time.

Looks useful, modulo the added risk of a local copy.

Yeti (You Are What You Record)

Friday, December 15th, 2017

Open Distributed Threat Intelligence: Yeti

From the webpage:

Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don’t have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it.

Yeti was born out of frustration of having to answer the question “where have I seen this artifact before?” or Googling shady domains to tie them to a malware family.

In a nutshell, Yeti allows you to:

  • Submit observables and get a pretty good guess on the nature of the threat.
  • Inversely, focus on a threat and quickly list all TTPs, Observables, and associated malware.
  • Let responders skip the “Google the artifact” stage of incident response.
  • Let analysts focus on adding intelligence rather than worrying about machine-readable export formats.
  • Visualize relationship graphs between different threats.

This is done by:

  • Collecting and processing observables from a wide array of different sources (MISP instances, malware trackers, XML feeds, JSON feeds…)
  • Providing a web API to automate queries (think incident management platform) and enrichment (think malware sandbox).
  • Exporting the data in user-defined formats so that it can be ingested by third-party applications (think blocklists, SIEM).

Yeti sounds like a good tool, but always remember: You Are What You Record.

Innocent activities captured in your Yeti repository could be made to look like plans for criminal activity.

Just a word to the wise.

KubeCon/CloudNativeCon [Breaking Into Clouds]

Friday, December 15th, 2017

KubeCon/CloudNativeCon just concluded in Austin, Texas with 179 videos now available on YouTube.

A sortable list of presentations: How long that will persist isn’t clear.

If you missed Why The Federal Government Warmed Up To Cloud Computing, take a minute to review it now. It’s a promotional piece, but the essential takeaway, that government data is moving to the cloud, remains valid.

To detect security failures during migration and post-migration, you will need to know cloud technology better than the average migration tech.

The videos from KubeCon/CloudNativeCon 2017 are a nice starter set in that direction.

THC-Hydra – Very Fast Network Logon Cracker

Friday, December 15th, 2017

Very Fast Network Logon Cracker: THC-Hydra

From the webpage:

Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast. This fast, and many will say fastest, network logon cracker supports many different services. Deemed ‘The best parallelized login hacker’: for Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support and is part of Nessus.

If you don’t know CyberPunk, they have great graphics:

If you have found the recent 1.4 billion password dump, THC-Hydra is in your near future.

98% Fail Rate on Privileged Accounts – Transparency in 2018

Thursday, December 14th, 2017

Half of companies fail to tell customers about data breaches, claims study by Nicholas Fearn.

From the post:

Half of organisations don’t bother telling customers when their personal information might have been compromised following a cyber attack, according to a new study.

The latest survey from security firm CyberArk comes with the full implementation of the European Union General Data Protection Regulation (GDPR) just months away.

Organisations that fail to notify the relevant data protection authorities of a breach within 72 hours of finding it can expect to face crippling fines of up to four per cent of turnover – with companies trying to hide breaches likely to be hit with the biggest punishments.

The findings have been published in the second iteration of the CyberArk Global Advanced Threat Landscape Report 2018, which explores business leaders’ attitudes towards IT security and data protection.

The survey found that, overall, security “does not translate into accountability”. Some 46 per cent of organisations struggle to stop every attempt to breach their IT infrastructure.

And 63 per cent of business leaders acknowledge that their companies are vulnerable to attacks, such as phishing. Despite this concern, 49 per cent of organisations don’t have the right knowledge about security policies.

You can download the report cited in Fearn’s post at: Cyberark Global Advanced Threat Landscape Report 2018: The Business View of Security.

If you think that report has implications for involuntary/inadvertent transparency, Cyberark Global Advanced Threat Landscape Report 2018: Focus on DevOps, reports this gem:

It’s not just that businesses underestimate threats. As noted above, they also do not seem to fully understand where privileged accounts and secrets exist. When asked which IT environments and devices contain privileged accounts and secrets, responses (IT decision maker and DevOps/app developer respondents) were at odds with the claim that most businesses have implemented a privileged account security solution. A massive 98% did not select at least one of the ‘containers’, ‘microservices’, ‘CI/CD tools’, ‘cloud environments’ or ‘source code repositories’ options. At the risk of repetition, privileged accounts and secrets are stored in all of these entities.

A fail rate of 98% on identifying “privileged accounts and secrets?”

Reports like this make you wonder about the clamor for transparency of organizations and governments. Why bother?

Information in 2018 is kept secure by a lack of interest in collecting it.

Remember that for your next transparency discussion.

A Guide To Kernel Exploitation: Attacking the Core (source files)

Wednesday, December 13th, 2017

If you know or are interested in A Guide To Kernel Exploitation: Attacking the Core by Enrico Perla and Massimiliano Oldani, the source files are now available at:

The website that accompanied the book is now reported to be defunct. Thanks to yrp604 for preserving these files.