Tuesday, July 2, 2013
Wednesday, June 26, 2013
Automated Secure Code Review Anyone?
Summary
Imagine you are given the source code for a Java web application with about a million lines and are asked to review the code for any vulnerabilities and report back in a week. This can turn into an interesting exercise if you are a team of one. What are your options: crowdsource, ask for mercy, do your best? Thankfully there are other options, such as automated code review software. In this post I'll talk about Checkmarx's cloud-based solution that does security code analysis and use OWASP's WebGoat (v5.4) project to see how it measures up.
Monday, May 13, 2013
check_dtrace - A Volatility Plugin Arises
Summary
After reading through fG!'s presentation on OS X rootkits I decided to look into some other D-Trace providers, such as fbt and mach_trap, to close the loop on the D-Trace topic. While this endeavor didn't start with the intention of building a plugin, I decided to do so to save time for myself and possibly others (and of course have some fun!).
Tuesday, April 23, 2013
Hunting D-Trace Rootkits with The Volatility Framework
Summary
I recently attended InfiltrateCon 2013 and got to see the latest and greatest offensive security issues. There was a presentation by Nemo titled 'Destructive D-Trace - With Great Power Comes Great Responsibility' that caught my attention. In his talk Nemo showed examples on how to use D-Trace on OS X to hide an attacker's presence and claimed that forensics techniques would have a hard time detecting these. That claim made me think about the Volatility Framework's latest support for Mac OS X memory analysis and its capability to detect the presence of D-Trace cloaking.
Friday, February 8, 2013
The Analysis of Process Token Privileges
My presentation at the 2012 Open Source Memory Forensics Workshop:
Reverse engineering Windows systems nowadays involves looking at static data, such as executables, symbols and PDBs, and/or dynamic data when debugging with a tool like WinDbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects. This presentation tackles the problem by describing a novel approach, which utilizes the Volatility Framework and F-Response to monitor changes taking place in a live system's RAM that appear as a result of manipulating the targeted structures' content. The technique is used in the discovery of the process privileges on Windows operating systems and the development of a new plugin. The presentation also provides examples of how the new plugin is used to discover malicious activity.
The privileges plugin can be found in the latest version of the Volatility Framework.
Thursday, February 7, 2013
Sneaking into networks with the Demyo Power Strip
Summary
Let's see if this silicon blade is sharp enough to cut through the security cheese!
Some intros: The Demyo Power Strip (DPS) is a covert penetration testing device built by Demyo Sec made to be used for penetration tests. While it is not the first of its kind out there, it is a strong competitor to other existing tools, such as the Power Pwn and the PlugBot. The DPS gives you the ability to launch attacks over Ethernet, WiFi and Bluetooth.
Features
- Based on Raspberry Pi
- CPU 700 MHz, boostable to 1 GHz, 512 MB RAM, 32 GB SD
- Ethernet (10/100), WiFi b/g/n and Bluetooth connectivity
- Runs Debian Linux
- CLI (via SSH) and GUI (via VNC)
- Physical dimensions 14″ x 2.25″ x 8.25″ or 35.56cm x 5.72cm x 20.96cm
- Actually functions as a real power strip
Tuesday, November 6, 2012
Setting up for Data Analysis with Python
How to install numpy, scipy, pandas, matplotlib, IPython on OS X Mountain Lion:
- install Xcode and associated Command Line Tools from http://developer.apple.com
- easy_install pip
- pip install numpy
- download and install gfortran binaries from http://r.research.att.com/tools/
- pip install scipy
- pip install pandas
- download and install freetype from http://sourceforge.net/projects/freetype/files/
- run ln -s /usr/local/include/freetype2/freetype/ /usr/include/freetype
- download and install libpng from http://sourceforge.net/projects/libpng/files/
- pip install matplotlib
- pip install IPython