Author: david b.

Hacking in the Far East 8: Summarizing the Most Striking Security Flaws

Proceeding to the summary, Paul S. Ziegler lists the top three security-related problems he has encountered during the years spent in Eastern Asia. After I’ve shown you all of this cool stuff that we can do and all these weird vectors, we’re going to sum them up a little, and we’re going to look at...

Hacking in the Far East 7: Too-Near Field Communication

In this part, Paul Ziegler gets critical about the way near field communication technology is implemented in Japan, from a security person’s perspective. Next thing we’re going to look at is what I like to call the Too-Near Field Communication, which is kind of an international topic, because if you...

Hacking in the Far East 6: Wireless Insecurity and the SEED Encryption Algorithm

Security of wireless communication in Eastern Asia and details of the crypto algorithm used in South Korea are the issues Paul S. Ziegler looks into here. Let’s jump to wireless for a second. So, if any of you have been wardriving recently in a European city or in an American city, and you’ve seen all...

Hacking in the Far East 5: Effects of Lifetime Employment and Bonus System on Corporate Security

Paul S. Ziegler points out the issues of corporate security in Eastern Asia, namely the peculiarities of an employee’s perspective upon taking responsibility. We’re going to move on to probably one of the most fun parts of this, at least if you like stories that make your hair stand up. We’re going...

Hacking in the Far East 4: Locked but Unsafe

This part of Paul Ziegler’s presentation is dedicated to an insight into the security measures for mailboxes and electronic PIN code locks in Japan and Korea. Mailboxes in Japan No matter if you live in an apartment or in a mansion, one of the other central parts you will run into is this thing: it’s a...

Hacking in the Far East 3: Home Insecurity in Japan

Based on Paul S. Ziegler’s observations, in this section you can learn some facts about the measures adopted in Japan to prevent intrusion into one’s home. What we’re going to look at next is ‘home insecurity’. I have this basic approach that if anyone has access to your home, your work...

Hacking in the Far East 2: The Suit Works Wonders

Paul S. Ziegler is now shifting the focus over to the importance of one’s appearance and the Asian stereotypes with regard to informal classes of foreigners. For every element I’m going to point out to you today, after this we’re going to look at the exploitation vector, because that’s what makes...

Hacking in the Far East

The entry reflects an extremely interesting insight into the peculiarities of general security perception in Eastern Asia, presented by the well-known German computer security specialist Paul Sebastian Ziegler at the Hack In The Box 2012 Conference. Today’s talk is entitled “I Honorably Assure You: It Is...

Advanced Phishing Tactics Beyond User Awareness 8: The Countermeasures

As a summary, Accuvant’s Eric Milam and Martin Bos are providing some food for thought on why user awareness is insufficient for preventing phishing attacks. Martin Bos: Like in every good presentation, what we really wanted to talk about here is why user awareness isn’t working. Once again, this was...

Advanced Phishing Tactics Beyond User Awareness 7: Getting Persuasive

Martin Bos and Eric Milam are now singling out some attributes of a successful attack, such as authenticity of the secure login page, excessive requests script, etc. Martin Bos: So, then what we do is we log in to our free GoDaddy email account, infosec@humana-portal.com. And what we do is we just save it in...

Advanced Phishing Tactics Beyond User Awareness 6: Payloads and Post Exploitation

This post highlights the possible options of picking the right payload, some tips to get around AVs, and the importance of what you do after getting the shell. Martin Bos: Alright, next thing you’ve got to do is, obviously, choose the payload (see image). I know this is more of my corporate slot....

Advanced Phishing Tactics Beyond User Awareness 5: Credential Harvesting and Other Attack Vectors

The speakers from Accuvant now proceed to demonstrate a couple of tricks they utilize for greater attack plausibility and credential harvesting on a pentest. Martin Bos: The next thing you got to do is choose the attack vector (see image). And this goes back to our research: what type of AV they are using,...

Advanced Phishing Tactics Beyond User Awareness 4: Creating an Attack Scenario

In this section, Martin Bos and Eric Milam are discussing the different nuances to be taken into account for optimal phishing attack implementation workflow. Martin Bos: The next thing we do is we have to create a scenario. How are we going to get these people to click on the link? So, the first thing that...

Advanced Phishing Tactics Beyond User Awareness 3: Creating a Valid Email List for the Attack

Accuvant’s Martin Bos and Eric Milam now present a demo on building a list of company employees based on Jigsaw data and some social engineering tricks. Martin Bos: Basically, what we’re doing here is we’re going to look for a company. The first thing you want to do is do an ‘-s’ and...

Advanced Phishing Tactics Beyond User Awareness 2: Anatomy of a Spear Phishing Attack

Sharing their pentesting experience, Martin Bos and Eric Milam outline the stages of a spear phishing attack and analyze email harvesting as a starting point. Martin Bos: Here are our obligatory statistics (see image); every presentation has to have some statistics. Like I said, these are more for the...

Advanced Phishing Tactics Beyond User Awareness

Accuvant LABS’ Senior Security Consultant Martin Bos and the company’s Principal Security Assessor Eric Milam spotlight the issues related to spear phishing from the pentester’s perspective during their session at the Hack3rCon event. Martin Bos: Hi everybody! We’re here from Accuvant LABS; we’re...

An Attacker’s Day into Human Virology 6: Crossing the Frontier

The primary issue looked into within this part of the presentation is blurring and crossing the border between the realms of biological and computer viruses. Same Essence, Different Materialization Now, you guys who are security researchers probably know that software is vulnerable. And all these data,...

An Attacker’s Day into Human Virology 5: Thoughts on Designed Biological Viruses and Darwinian Computer Viruses

The matters Guillaume Lovet touches upon in this section have to do with the frontier between bio and PC viruses, and whether it can be crossed spontaneously. Guillaume Lovet: The defense mechanisms: we’ve been over some of those already. Detecting viruses inside of the body makes use of heuristics; we...

An Attacker’s Day into Human Virology 4: Which World Wins the Race?

Ruchna Nigam proceeds with the analysis of self-preservation techniques, attack hallmarks, and individual advantages of the viruses from both worlds concerned. Attacking the Defenses Something really smart that you can see in human viruses is that instead of trying to penetrate the defenses of the body,...

An Attacker’s Day into Human Virology 3: Common Properties of Human and Computer Viruses

Ruchna Nigam, representative of the FortiGuard Labs, now takes the floor to talk about some essential things human and computer viruses have in common. Ruchna Nigam: Okay, now that you have had your Biology lesson, let’s look at some of the attack strategies that are common between the biological world and...

An Attacker’s Day into Human Virology 2: Structure and Hallmarks of the Immune System

Having introduced the subject, Guillaume Lovet breaks down the human immune system into constituents and does some comparing with computer defense mechanisms. What do we have in our bodies to fight against viruses? (see right-hand image) Basically, the immune system is divided in two different subsystems....

An Attacker’s Day into Human Virology: Human vs Computer

This entry reflects the Black Hat Europe presentation based on the research by Fortinet’s Guillaume Lovet and Axelle Apvrille, dedicated to comparing the human virus defense mechanisms with those implemented in computers. Guillaume Lovet: This presentation is a bit different from the other talks that you...

Moti Yung and Adam Young on Kleptography and Cryptovirology 6: The Summary

Having explained the concepts and applications of cryptovirology and kleptography, Moti Yung now provides a set of conclusions on the subject. I will now move to the conclusion. I showed you several malware attacks, either general malware or Trojans, I mentioned just Trojans inside cryptosystems. In each...

Moti Yung and Adam Young on Kleptography and Cryptovirology 5: Skeptical Experts and Smart Attackers

Moti Yung now outlines how the expert community and antivirus industry reacted to his and Adam Young’s book, and dwells on the applied aspects of kleptography. Reactions to “Malicious Cryptography – Exposing Cryptovirology” Book We got some reaction to what we described in our book....

Moti Yung and Adam Young on Kleptography and Cryptovirology 4: Password Snatching and Secure Info Stealing

The main subjects covered in this section are two types of attacks doable through the use of cryptovirologic techniques and aiming at latent info retrieval. The Classic and Deniable Password Snatching Attack The second idea that I will cover is password snatching that we did. A typical password snatching...

Moti Yung and Adam Young on Kleptography and Cryptovirology 3: Deploying Cryptoviral Extortion Attack

In this part, Moti Yung lists the main possible applications for cryptovirology and goes into detail of a typical cryptoviral extortion attack. Now we’re going to get to the subject of cryptovirology, and I will review three topics (see image). The first one is cryptoviral extortion; this is an active...

Moti Yung and Adam Young on Kleptography and Cryptovirology 2: Cryptography in Polymorphic Viruses

Continuing with the retrospective overview of malicious software, in this part Moti Yung focuses on the role of crypto in the execution workflow of polymorphic viruses and touches upon the basic principles of public-key cryptography. I want to point out one interesting design – actually,...

“Yes We Can’t!” – On Kleptography and Cryptovirology

This is a study conducted by computer scientists and well-known cryptographers Moti Yung and Adam Young on the two-way relation between cryptography and malicious software. The research was presented by Moti Yung at the 26th Chaos Communication Congress (26C3) in Berlin. Yes, we can’t! Yes, we can or yes, we...

Mikko Hypponen on Cyber Warfare 4: Challenges of the Cyber Arms Race

This part encompasses Mikko Hypponen’s thoughts on why sophisticated viruses like Stuxnet and Flame are so hard to detect using the regular security technology. If you look at Miniflame which was found recently, one of the files actually contains country information, which tells us in which country that...

Mikko Hypponen on Cyber Warfare 3: Stuxnet as an Offensive Attack Weapon

Mr. Hypponen now draws attention to the process where computer science basically turned into an offensive weapon capable of killing people, namely the Stuxnet worm. Stuxnet is the only one which actually does physical damage. It controls the PLC gear inside the Natanz nuclear enrichment facility, blowing up...