May 2013
3 posts
Several Posts on Malware Analysis Tools
In the past weeks I published several posts describing malware analysis tools and approaches at other blogs:
Installing the REMnux Virtual Appliance for Malware Analysis: Starting with version 4, the REMnux virtual appliance is available as an Open Virtualization Format (OVF/OVA) file, which can be imported into most virtualization tools, such as VMware and VirtualBox. Extra: Explore other...
Anticipating Cyber Threats Beyond APT
Some organizations have encountered Advanced Persistent Threat over 5 years ago—earlier than most of us. Because of the types of data they process, these initial APT victims were exposed to carefully-orchestrated, espionage-motivated attacks before they spread to a wider range of targets.
Now, half a decade later, might be the time to look at the attacks that the initial APT victims are fighting...
Speeding up the Clock for Malware Analysis With Accelerify
Sometimes malware doesn’t perform “interesting” actions until some time has passed, stretching out its activities over hours or days. This approach tricks some automated analysis tools and helps evade detection. Cylance’s free tool Accelerify helps analysts in such situations by accelerating the lab system’s...
April 2013
2 posts
Live and Recorded Malware Forensics Webcasts
In the field of IT in general and digital forensics in particular, you become obsolete the moment you stop learning. Here are several free webcasts related to reverse-engineering and malware analysis that will help you keep your skills up to date.
Upcoming live malware forensics webcasts:
Pwn’ing APT1 with Yara Signatures by Jake Williams, May 29, 2013
Previously-recorded malware...
New Release of REMnux Linux Distro for Malware...
I’m pleased to announce the release of version 4 of the REMnux Linux distribution for reverse-engineering malicious software. The new version includes a variety of new malware analysis tools and updates the utilities that have already been present on the distro.
What’s new in REMnux v4? See the details below and register for a free webcast where I will showcase some of the key additions....
March 2013
3 posts
Two-Step Verification for Apple ID Consistent With...
Apple’s introduction of two-step verification for Apple IDs is consistent with the trend in the industry to strengthen user authentication practices. Facebook has been experimenting with one-time passwords and social CAPTCHA authentication; Google began offering 2-step verification a while back. It’s great to see Apple get onto this bus.
Apple explains that “two-step...
Indicators of Compromise Entering the Mainstream...
The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. A few years ago this concept, often called Indicators of Compromise (IOCs), was mostly discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.
Mandiant began popularizing the term IOC around 2007. Kris...
Hiring a Software Engineering Manager in Dallas,...
Update: This position has been filled.
I’m looking for a software engineering manager to join my team at NCR in Dallas, TX. The person leads the efforts to develop and maintain software that addresses our customers’ information technology needs. To accomplish this, the manager motivates team members and oversees their activities in the context of Agile-inspired development...
February 2013
3 posts
Proxify and BadAssProxy in Action
GNUCITIZEN released a lightweight proxy called Proxify, designed to conveniently integrate with other tools. Proxify can handle both HTTP and HTTPS, displaying or saving the interactions between the client and the server. Its authors expect the tool to be embedded in applications that require proxy functionality, explaining that:
“The tool will do all the...
Name That Malware!
Think you know malware? I created a new fun quiz to see whether you can recognize the 10 malware specimens you should probably know by name. Test your knowledge and learn something along the way.
Take the 10-question Name That Malware! quiz.
If you like this approach to learning, here are two more quizzes I put together:
Certified APT Nerd (CAPTN) Examination
What’s Your Malware...
Tips on Malware Analysis from Jake Williams
I had the pleasure of speaking with Jake Williams, my colleague at SANS Institute, about his perspective on various malware analysis and reverse-engineering topics. You can read the interview in three parts:
Part 1: Getting into digital forensics, crafting strong malware analysis reports and making use of the analyst’s findings
Part 2: Acting upon malware analyst’s findings and...
January 2013
2 posts
Beyond Logins: Continuous and Seamless User...
User authentication is usually discussed in the context of the person’s initial interactions with the system—a safeguard often implemented by a classic login screen. However, one-time validation of the user’s identity is becoming insufficient for modern devices and applications that process sensitive data. Such situations might benefit from a seamless authentication approach...
Creative Options for Better Authentication of...
If you think your mobile phone is already deeply embedded in your life, consider the critical role it will have in just a few years. As the importance and sensitivity of the data handled by mobile phones increase, so do the repercussions of the devices falling into unauthorized hands. Manufacturers and app developers will need to implement creative ways of authenticating legitimate phone users...
July 2012
6 posts
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
Six Degrees Of Desperation: When Defense Becomes Offense by Christopher Hoff
Premature Counter Offensive Actions Could Yield Painful Results by Will Gragido
Laptops as a Security Model for Hybrid Cloud by Chris Brenton
Malware Root Cause Analysis by Corey Harrell
Different...
Tips for Getting the Right IT Job - New Cheat...
I published a new cheat sheet, this one offering practical tips for finding and getting the right job in Information Technology, with a slant towards information security. You can view the contents on the web or print them as a 1-page PDF file.
This cheat sheet covers the following topics:
What to do before you start looking for a job
How to use social networking as an ongoing part of your...
Mutually-Assured Destruction in Cyberspace
Public accounts of intrusions conducted or supported by state actors highlight the importance that military organizations are placing on cyber warfare. Those without access to privileged information have been debating when “real-world” warfare will find its way to the Internet, without realizing that such activities have been ongoing for at least several years.
Intrusions initiated by...
Be doubly vigilant after a physical break-in. Don’t just look for...
– Paul Ducklin, discussing the practice of some cyber-criminals to install a keylogger after breaking into victims’ offices and stores.
What Does a Security Product Manager Do?
It’s unusual for information security professionals to work in a group that directly generates revenue instead of being a cost center. Many find working within a cost center hard, in part because when it is time to cut costs, infosec budgets are among the first to go. Product management provides an opportunity for infosec pros to work in a profit center for a change. (There are others,...
Allowing Gullible Victims to Self-Select in Online...
Cormac Herley’s paper Why do Nigerian Scammers Say They are from Nigeria? explains how some purposefully-lame scam emails are advantageous to the attacker. Such messages allow the scammer to avoid victims who will consume valuable time, but will turn out to be too savvy to fall for the scam. Herley explains that by initiating contact using a blatantly fraudulent email “that repels...
June 2012
1 post
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
Browsers and Malware by Augusto Paes de Barros
Safe in Its Shell by Anil Dash
Citadel Trojan Uses Insidious Forms of Social Engineering by Social-Engineer.org
Malware Uncertainty & False Positives by Gunter Ollmann
Obama Order Sped Up Wave of Cyberattacks Against Iran by...
The Endowment Effect in Information Security
There are many reasons why business managers seem to ignore the risks brought forth by information security professionals. I outlined six of them in an earlier post. In this note, I’d like to add another possible explanation: the endowment effect, which affects how humans value their possessions.
Richard Thaler coined the term endowment effect to describe the tendency of individuals to...
May 2012
4 posts
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
Why the Public Cloud Shuns Security by Branden Williams
SEC Guidance Is a Really Big Deal by Richard Bejtlich
How Long Until Apple iOS Needs Its Own Patch Super Tuesday? by Mark Kelly
Cyber Espionage & Strategic Web Compromises by Steven Adair and Ned Moran
Why Info Sec...
How Malicious Code Can Run in Microsoft Office...
One of the most effective methods of compromising computer security, especially as part of a targeted attack, involves emailing the victim a malicious Microsoft Office document. Even though the notion of a document originally involved non-executable data, attackers found ways to cause Microsoft Office to execute code embedded within the document. Below are 4 of the most popular techniques used to...
Confusing the Padlock and the Favicon in the Web...
Web browser makers are continuing to change how they display two visual elements that people have been taking for granted: the padlock that designates an HTTPS connection and the favicon that acts as the thumbnail of the website’s visual identity. These changes are aimed at helping to minimize the risk that a favicon that looks like a lock might instill a false sense of security.
Users of...
April 2012
3 posts
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
Security Failure Scenarios by Gunnar Peterson
Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1) by Chad Tilbury
What’s RIGHT with Infosec by Dave Shackleford
Trojan moves its configuration to Twitter, LinkedIn, MSDN and Baidu by Snorre...
Slides for Presentation on Real-World Social...
I published the slides to my presentation “How attackers use social engineering to bypass your defenses,” which shows numerous examples of real-world social engineering attacks. These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective of the threat landscape. They cover techniques...
Are Anxious People More Vigilant in Information...
Common wisdom suggests that anxious individuals are better at spotting danger than those with more mellow personalities. However, research by Tahl Frenkel and Yair Bar-Haim indicates that the opposite may be true: People with nonanxious personalities might be more skilled at spotting the early signs of trouble. This finding could highlight the type of people best suited for information security...
March 2012
4 posts
4 Favorite Security Reads of the Week
Here’s a listing of my 4 favorite on-line security articles, papers and blog posts that I read in the past week. This week I’m featuring a series of articles that profile Anonymous that were written by Josh Corman and Brian Martin:
Introduction & Approach
Fact vs Fiction
How We Got it All Wrong
How Anonymous Has Failed in Theory & Practice
Also, during the past week I...
The Risks of Remote Desktop for Access Over the...
It’s convenient to use the Remote Desktop Protocol (RDP) for accessing systems over the Internet, especially in server environments. However, exposing RDP to direct connections is risky. This setup not only gives remote attackers the opportunity to guess logon credentials, but also relies on the lack of a remotely-exploitable vulnerability in Microsoft’s RDP implementation.
...
I recognize that my code will be used in ways I cannot anticipate, in ways it...
– An excerpt from the Rugged Software Manifesto
February 2012
6 posts
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
More or Less by Dan Geer (PDF)
The SpyEye Competitive Landscape by Gunter Ollmann
Password Check by Frank Lesser
Trojan Caught on Camera Shows CAPTCHA is Still a Security Issue by Elad Sharf
Vishing: To Have Your Identity Stolen, Press One by Idan Aharoni
Also, during the...
Why Are Executives More Prone to Accept Risks?
Information security professionals are often frustrated when their concerns regarding vulnerabilities and associated threats appear to be ignored by the company’s executives. I already discussed 6 reasons why business managers ignore IT security risk recommendations. I’d like to add a few more to the list, based on recent research into the links between power, prestige and...
An Example of SMS Text Phishing
Phishing—a technique grounded in social engineering—remains an effective way for attackers to trick people into giving up sensitive information. Potential victims can be contacted by email, fax, phone calls and SMS text messages. Below is an example of such a scam sent through SMS—a practice sometimes called smishing.
In this case, the recipient is requested to visit...
The Role of a Resume in an IT Job Search
Although people tend to rely too much on a resume during an IT job search, having a strong resume is still necessary for many job applications and candidates. In my mind, the goal of a resume is primarily to get past the initial screening, which is often conducted by an HR representative or a recruiter.
A good resume allows the candidate to reach the hiring manager and start deeply...
Who Was The First To Use The Term Exfiltration?
Information security professionals seem to use the word exfiltration with increasing frequency. However, it remains a relatively geeky way of referring to the process whereby data leaves a compromised network. That’s why I was surprised to see VeriSign use this term to describe its 2010 data breach in a 2011 SEC filing when saying, “Information stored on the compromised corporate...
Some Facts and Conjecture About the VeriSign Data...
The web is abuzz with stories about the 2010 data breach that VeriSign reported in its Oct 28, 2011, 10-Q statement. The document devotes a couple of paragraphs to the breach and includes the following:
“In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have...
January 2012
4 posts
Anticipating The Future of User Account Access...
We might learn what the future holds for information technology by observing how teens use IT. After all, a decade or so from now, today’s teenagers will be consuming, influencing and creating a significant portion of IT products and services. In this note I’d like to consider how today’s use of shared user accounts among teens might influence our future access restriction...
Dealing With The Illusion of Invulnerability in...
People overestimate their immunity to threats in many situations. One such example is discussed in a research paper by Grant and Hofmann, which explores how to motivate hand hygiene among healthcare professionals. Their findings might apply to other areas where individuals experience the illusion of invulnerability, including information security.
According to the researchers, doctors and...
2012 may well become known as the year the criminal underground started getting...
– Brian Krebs, discussing the search engine that “aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.”
Using Free Windows XP Mode as a VMware Virtual...
It’s becoming hard to obtain a licensed copy of Windows XP. Yet, many IT professionals, including malware analysts, like having Windows XP in their virtualized labs. After all, Windows XP is still running on numerous personal and business systems. Fortunately, you can download a virtualized instance of Windows XP from Microsoft for free if you are running Windows 7 Professional, Enterprise,...
December 2011
4 posts
Version 3 Release of REMnux Linux Distro is Now...
I’m happy to announce the release of version 3 of the REMnux Linux distribution for reverse-engineering malware. This release incorporates many usability improvements, software updates and new tools to make the environment even more useful for analyzing malicious software.
REMnux is available as a VMware virtual appliance and as an ISO image of a Live CD. The easiest way to get started...
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
Lost USB Keys Have 66% Chance of Malware by Paul Ducklin
Changes Coming to the CISO Role by Jon Oltsik
Twitter Bots Drown Out Anti-Kremlin Tweets by Brian Krebs
Common Ways Security Fails People by Ben Tomhave
Manipulating Windows File Protection and Indicators of Compromise...
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
Analyzing Malicious Files for Writing Network Signatures by Umesh Wanve
SMS Trojans: All Around the World by Denis Maslennikov
Verified by Visa? by Rik Ferguson
Stealing Apps, Installing Ads by Tim Armstrong
China’s Great Firewall Tests Mysterious Scans On Encrypted...
Incident Response on 64-Bit Windows Using 32-Bit...
Incident responders and forensic investigators need to be careful when using 32-bit tools to examine file system artifacts on 64-bit Windows. Christian Wojner documented the issue in a paper titled The WOW-Effect. He demonstrated how the WOW64 File System Redirector built into 64-bit Windows transparently redirects 32-bit tools’ access to core OS directories and registry values. This is...
November 2011
5 posts
Balancing Brevity and Verbosity in Business...
“The most valuable of all talents is that of never using two words when one will do,” proclaimed Thomas Jefferson a few centuries ago. Succinctness seems even more valuable in the 21st century, where we’re bombarded by words in spoken and written forms. However, knowing how to be brief is no less critical than knowing when to be brief.
I generally recommend assuming that the audience...
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
The Duqu Saga Continues: Enter Mr. B. Jason and TV’s Dexter by Alexander Gostev
A New Cybersecurity Research Agenda (In Three Minutes or Less) by Dan Geer
Facebook Likes and Cold-Call Scams by David Harley
APEC SpearPhish by Kahu Security
Managed Services in a Security...
Extracting Malicious Flash Objects from PDFs Using...
PDF files designed for infecting computer systems can include a malicious Flash/SWF program that’s designed to aid in exploiting a vulnerability in Adobe Reader or Flash Player. In an earlier article I explained how to extract a SWF object from a PDF file using PDF Stream Dumper and pdf-parser. A new tool, SWF Mastah, by Brandon Dixon, can assist with this process as well.
SWF Mastah makes use...
Preparing The Next Release of REMnux Distro
Update: REMnux v3 is out!
I’m preparing the next release of the REMnux Linux distribution. REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. To date, the distro has been downloaded about 20,000 times in its live CD and virtual appliance forms.
I expect the new REMnux release (version 3) to incorporate the following major...
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:
Applied Network Security Analysis: The Malware Analysis Use Case by Mike Rothman
Stolen Password Checking: A Question of Trust by David Harley
Intro to HDMoore’s Law by Josh Corman
Breaking Into the Digital Forensics Field: Melia Kelley’s Path by Michael Kassner
...