Notes TASK May 25 2011: Difference between revisions
From Federal Burro of Information
Jump to navigationJump to search
(Created page with "== Exfiltration == * attackers don't user the front door. * Wholesale v retail ** we have seen wholesale attacks that affect common components. ** in the retail world we attack ...") |
No edit summary |
||
Line 71: | Line 71: | ||
* data destruction policy | * data destruction policy | ||
== Second talk: Palo Alto Networks== | |||
* silver creeek | |||
* fireeye | |||
* bit9 | |||
"What happens if the hacker is "INSIDE?" | |||
NAC - network access control system | |||
no antivirus | |||
no mac auth | |||
site protector | |||
inbound / outbound examined , stops attacks . | |||
ncase servlet for forensic examination | |||
Blackice ibm tool | |||
Proventia Desktop | |||
Running version: winsows XP 5.1.2600j | |||
BNS | |||
== Hacking Android == | |||
* tl;dr: android is a jvm on a linux machine |
Latest revision as of 22:16, 15 October 2011
Exfiltration
- attackers don't user the front door.
- Wholesale v retail
- we have seen wholesale attacks that affect common components.
- in the retail world we attack those things that are specific to the target.
- "one shot one kill"
- the long game
- need email address.
- predictable email addresses.
- PTO news later , getting
- multigo - intel gathering
- linked in google hacks
- inference attack,
- troop movements are an exmaple
- http://samy.pl/peepmail/
- profile the company and build a scenario
- 10k filings
- mergers and aquisitions
- defence contractors
- corp fileing, news, layoff
- Fedex and UPS doesn't validate sedner address
- register tuns of variations of your domain to protect against others registering variations
- The speaker explained a scenario where he send training cds to staff that took over their computer. As part of the atttack he registered a variation of the targets company's name to gain validity in the eyes of the users.
- DT to what end? are you just scaring peple ? is it possible to protect ?
- DT are you tring to create twitching balls of anxiety?
- DT how can a company possibly protect against this?
- payload contruction
- microsoft signed applet.
- site loader , valid cert , valid domain, user clicks ok.
- annoucing the hiring of a new exec
- homographic attacks
- utf8 domains
- idn register with duplicate S in cyrillic.
- multifactor foils this a bit, slows this down,
- not all sigs get distributed in the GA data releaase.
- pescrambler can be used to create exes that are hard to "understand", this works in the spear phishing scenario as there is no widespread knowledge of the behaviors.
C&C
- listening on 443
- some IPS can detect suspected traffic
- you can use ie to handle the out bound connection for you.
- exfiltration:
- DNS DNS2tcp nstx , iodine
- simple to detect , difficult to deter.
- the best defence is dns whileisting.
- cyber pompeii
- no scanning
- no escalating
- password reuse.,
- serivce accounts
- general pilfering
- gather data.
- antivirus service account are great targets.
- targets are patent pipeline, sourc econtrol
- now what?
- perimeters in perimeters
- strong open processes
- so more than any security product.
- internal red teams, DIY,
- jericho initiative ??
- phish your own users and clients
- how do you protect against invading the wrong people's privacy
- policy: "wont' targets machines you don't own"
- data destruction policy
Second talk: Palo Alto Networks
- silver creeek
- fireeye
- bit9
"What happens if the hacker is "INSIDE?"
NAC - network access control system
no antivirus no mac auth site protector inbound / outbound examined , stops attacks . ncase servlet for forensic examination Blackice ibm tool Proventia Desktop
Running version: winsows XP 5.1.2600j BNS
Hacking Android
- tl;dr: android is a jvm on a linux machine