Notes TASK May 25 2011

From Federal Burro of Information
Jump to navigationJump to search

Exfiltration

  • attackers don't user the front door.
  • Wholesale v retail
    • we have seen wholesale attacks that affect common components.
    • in the retail world we attack those things that are specific to the target.
    • "one shot one kill"
  • the long game
  • need email address.
  • predictable email addresses.
  • PTO news later , getting
    • multigo - intel gathering
    • linked in google hacks
  • inference attack,
    • troop movements are an exmaple
  • http://samy.pl/peepmail/
  • profile the company and build a scenario
    • 10k filings
    • mergers and aquisitions
    • defence contractors
    • corp fileing, news, layoff
  • Fedex and UPS doesn't validate sedner address
  • register tuns of variations of your domain to protect against others registering variations
  • The speaker explained a scenario where he send training cds to staff that took over their computer. As part of the atttack he registered a variation of the targets company's name to gain validity in the eyes of the users.
    • DT to what end? are you just scaring peple ? is it possible to protect ?
    • DT are you tring to create twitching balls of anxiety?
    • DT how can a company possibly protect against this?
  • payload contruction
    • microsoft signed applet.
    • site loader , valid cert , valid domain, user clicks ok.
  • annoucing the hiring of a new exec
  • homographic attacks
  • utf8 domains
  • idn register with duplicate S in cyrillic.
  • multifactor foils this a bit, slows this down,
  • not all sigs get distributed in the GA data releaase.
  • pescrambler can be used to create exes that are hard to "understand", this works in the spear phishing scenario as there is no widespread knowledge of the behaviors.

C&C

  • listening on 443
  • some IPS can detect suspected traffic
  • you can use ie to handle the out bound connection for you.
  • exfiltration:
    • DNS DNS2tcp nstx , iodine
    • simple to detect , difficult to deter.
    • the best defence is dns whileisting.
  • cyber pompeii
    • no scanning
    • no escalating
    • password reuse.,
    • serivce accounts
    • general pilfering
  • gather data.
    • antivirus service account are great targets.
    • targets are patent pipeline, sourc econtrol
  • now what?
    • perimeters in perimeters
    • strong open processes
    • so more than any security product.
  • internal red teams, DIY,
    • jericho initiative ??
  • phish your own users and clients
  • how do you protect against invading the wrong people's privacy
    • policy: "wont' targets machines you don't own"
  • data destruction policy

Second talk: Palo Alto Networks

  • silver creeek
  • fireeye
  • bit9

"What happens if the hacker is "INSIDE?"

NAC - network access control system 

no antivirus
no mac auth
site protector
 inbound / outbound examined , stops attacks .
ncase servlet for forensic examination
Blackice ibm tool
Proventia Desktop

Running version: winsows XP 5.1.2600j BNS

Hacking Android

  • tl;dr: android is a jvm on a linux machine
Retrieved from "https://wiki.quadratic.net/index.php?title=Notes_TASK_May_25_2011&oldid=954"