Notes TASK May 25 2011: Difference between revisions

From Federal Burro of Information
Jump to navigationJump to search
(Created page with "== Exfiltration == * attackers don't user the front door. * Wholesale v retail ** we have seen wholesale attacks that affect common components. ** in the retail world we attack ...")
 
No edit summary
 
Line 71: Line 71:


* data destruction policy
* data destruction policy
== Second talk: Palo Alto Networks==
* silver creeek
* fireeye
* bit9
"What happens if the hacker is "INSIDE?"
NAC - network access control system
no antivirus
no mac auth
site protector
  inbound / outbound examined , stops attacks .
ncase servlet for forensic examination
Blackice ibm tool
Proventia Desktop
Running version: winsows XP 5.1.2600j
BNS
== Hacking Android ==
* tl;dr: android is a jvm on a linux machine

Latest revision as of 22:16, 15 October 2011

Exfiltration

  • attackers don't user the front door.
  • Wholesale v retail
    • we have seen wholesale attacks that affect common components.
    • in the retail world we attack those things that are specific to the target.
    • "one shot one kill"
  • the long game
  • need email address.
  • predictable email addresses.
  • PTO news later , getting
    • multigo - intel gathering
    • linked in google hacks
  • inference attack,
    • troop movements are an exmaple
  • http://samy.pl/peepmail/
  • profile the company and build a scenario
    • 10k filings
    • mergers and aquisitions
    • defence contractors
    • corp fileing, news, layoff
  • Fedex and UPS doesn't validate sedner address
  • register tuns of variations of your domain to protect against others registering variations
  • The speaker explained a scenario where he send training cds to staff that took over their computer. As part of the atttack he registered a variation of the targets company's name to gain validity in the eyes of the users.
    • DT to what end? are you just scaring peple ? is it possible to protect ?
    • DT are you tring to create twitching balls of anxiety?
    • DT how can a company possibly protect against this?
  • payload contruction
    • microsoft signed applet.
    • site loader , valid cert , valid domain, user clicks ok.
  • annoucing the hiring of a new exec
  • homographic attacks
  • utf8 domains
  • idn register with duplicate S in cyrillic.
  • multifactor foils this a bit, slows this down,
  • not all sigs get distributed in the GA data releaase.
  • pescrambler can be used to create exes that are hard to "understand", this works in the spear phishing scenario as there is no widespread knowledge of the behaviors.

C&C

  • listening on 443
  • some IPS can detect suspected traffic
  • you can use ie to handle the out bound connection for you.
  • exfiltration:
    • DNS DNS2tcp nstx , iodine
    • simple to detect , difficult to deter.
    • the best defence is dns whileisting.
  • cyber pompeii
    • no scanning
    • no escalating
    • password reuse.,
    • serivce accounts
    • general pilfering
  • gather data.
    • antivirus service account are great targets.
    • targets are patent pipeline, sourc econtrol
  • now what?
    • perimeters in perimeters
    • strong open processes
    • so more than any security product.
  • internal red teams, DIY,
    • jericho initiative ??
  • phish your own users and clients
  • how do you protect against invading the wrong people's privacy
    • policy: "wont' targets machines you don't own"
  • data destruction policy

Second talk: Palo Alto Networks

  • silver creeek
  • fireeye
  • bit9

"What happens if the hacker is "INSIDE?"

NAC - network access control system

no antivirus
no mac auth
site protector
 inbound / outbound examined , stops attacks .
ncase servlet for forensic examination
Blackice ibm tool
Proventia Desktop

Running version: winsows XP 5.1.2600j BNS

Hacking Android

  • tl;dr: android is a jvm on a linux machine