131 items tagged "analysis"
Related tags: code, exposition, chaos communication congress, video, similarity analysis, sate, whitepaper, traffic, tool, static analysis, static, paper, hack in the box, flake, encoding algorithm, data, codetective, binary, application, analysis tool, vulnerability, read, quist, python, network flow analysis, network, memory analysis, matias, malaysia, madou, lorie, lars weiler, jacob west, insider, graph, forensics, europe, engineering, data access system, danny quist, daniel raygoza, bruce potter, audio, web application, web, wayne huang, vulnerability analysis, virus vendors, virus activity, virus, trust metrics, trust analysis, tor, testing, target, stefan katzenbeisser, stefan bhlmann, statistical database, start ups, spam, sophos antivirus, sophos, software vulnerabilities, smart card chips, silberman, side channel, security patches, security metrics, security analysis, rootkit, reverse engineering tools, reverse engineering, registry hives, registry contents, registry, reference material, raide, project alternatives, product patches, privacy event, physical memory, peter silberman, penetration tests, pdf, patch, password, pack, novel tool, nicholas j. percoco, nathan fain, microsoft windows operating systems, logic, krakow, kendall, kay hamacher, jtag, joel, jeremy chiu, jason ross tags, jason ross, integer overflow, instruction, industrial design students, improving, helios, fundamental techniques, functionality, filesystem, facebook, examination, decoder, de haas, current tracers, currency questions, critical analysis, covert channel, chaos communication camp, chad, card, business impact analysis, bruteforce password, browser extensions, bitcoin, billy hoffman, authors, authentication tokens, antivirus, andrew case, analysis stage, Software, Skype, Countermeasures, manipulation tool, logs, firewall, faar, dbedit, malware, black hat, yi tags, wombat, windows security, wes brown tags, wes brown, war, wapi, vulnerabilities, video introduction, video analysis, victim, val smith, vadim okun, use, tucker taft, true positives, traffic analysis, tom parker tags, time analysis, threat analysis, threat, test cases, tactics, symbolic execution, sue wang, struggle, stefano zanero, stefan frei, stealth techniques, standalone version, speed, specification languages, sparrow, software supply, software assurance, smartcard, smart card, shelf programs, security event, sean m. bodmer, seamless manner, recent incidents, project, presentation, practical, powerful, peter henriksen, paul e. black, paul anderson tags, paolo milani, osint, observations, north korea, noah johnson tags, noah johnson, nicolas fischbach, next generation, next, networking environment, network trace, network sniffer, nat hillary tags, multinational corporation, mitigation, merits and demerits, meaningful, mcafee, martin may, markup language, level authors, leadership, koobface, ken hines, job, jamie butler, ivan buetler, intrusion detection, intrusion, infrastructure level, impact, host, hacks, hacker, ground truth, graphical tools, graffiti art, graffiti, goanna, gml, flow, fischbach, false negatives, exploitation techniques, experience, encryption, encrypted file system, dynamic analysis, dubai, disk encryption, discovering, dino covotsos, detection, ddos, data flow analysis, darknet, cyber threats, cryptography, cryptographic code, cryptographic, criminal investigators, crash, coverity, comparative analysis, comparative, colin ames, classic, ciat, chris wysopal, choosing, china, charlie miller, challenges, causal, catalysts, building, buetler, bodmer, black, bitblaze, binaries, automatic classification, automated, asia, arun lakhotia, application crash, apdu, anthony lai, ansgar fehnker, andrzej dereszowski, analysis toolkit, analysis software, analysis platform, analyser, amendment act, afterdark, adversary, adversarial, act 2000, act, abstract interpretation, Discussion, Community, Bugs, usa, static analysis tool, slides, security
SecDocs
Authors: Karsten Nohl
Tags: smart card
Event: Chaos Communication Camp 2011
Abstract: Smart card chips – originally invented as a protection for cryptographic keys – are increasingly used to keep protocols secret. This talk challenges the chips' security measures to unlock the protocols for public analysis. Hardened security chips protect secret cryptographic keys throughout the virtual and physical worlds. These smart card chips are found in banking cards, authentication tokens, encryption appliances, and master key vaults. The protection capabilities of the chips are increasingly used to also keep secret the application code running on the devices. For example, the protocols of modern EMV credit cards are not publicly known. Such obscurity hinders analysis, hence letting logic and implementation flaws go unnoticed in widely deployed systems, including credit card systems. We demonstrate a method of extracting application code from smart cards with simple equipment to open the application code for further analysis.
Packet Storm Security Recent Files
360-FAAR Firewall Analysis Audit and Repair is an offline command line Perl policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, as Check Point dbedit or ScreenOS commands.
SecDocs
Authors: Lars Weiler
Tags: sniffer
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Network traffic grows faster than monitoring and analysis tools can handle. During the last two years a couple of appliances hit the market which help in finding the “bits of interest”. Recently installed strategies and solutions for carriers, banks or lawful interception organizations will be discussed as examples. Almost every laptop nowadays is capable of handling Gigabit traffic. But doing a network analysis will hit the boundaries of CPU load quite quickly. Now, with 10GbE lines as the usual speed of carriers' and companies' backbones, traffic monitoring and analysis became more and more painful. Even the biggest and most expensive analysis appliances on the market are barely capable of real time traffic monitoring for more than 8Gbit/s. That's where a couple of vendors showed up and created devices which can handle multiple 10GbE lines at the same time. They call them “Active Distributed Traffic Capture Systems” or “Intelligent Data Access Networking Switches” – in short “Data Access Systems”. The primary use is for the aggregation and distribution of traffic. But all of the Data Access Systems are also capable of filtering traffic with the help of FPGA or CPLD techniques. So a carrier, bank or lawful interception organization can aggregate the data from many physical lines into one Data Access System, enter some filters with the help of a browser GUI, and distribute the resulting traffic to the analysis machines. It's easy to monitor 100 lines of 10GbE traffic. For competitive reasons, those vendors started to invent new features for a better or easier analysis of the data on the analysis devices. These include ingress port tagging, time stamping with nanosecond accuracy, slicing of packets and recalculation of checksums in real time, blanking bits in packets, or even layer 7 filtering for e-mail and instant messenger addresses with full flow capturing.
The interesting part for the usage is to create an infrastructure where, even without data retention and long term analysis, specific users or just their communication with possibly “interesting” data for intelligence agencies can be triggered and captured in real time. So, the process of the analysis can be shortened to almost no time. It's safe to say that the flagship appliance by a vendor has been designed by request of US intelligence agencies. Of course, those devices have to be managed by administrators. For ease of usage every vendor moved from a CLI based configuration interface to a shiny web GUI – with a couple of flaws. It is easy to break into the system or read out the configuration without access. This lecture will discuss the possibilities of today's data analysis with the help of these Data Access Systems. An overview of the features will help to understand that data analysis devices are no longer the limiting factor in deep packet inspection of a huge amount of traffic. Examples will show what already has been set up and what is possible by companies and organizations – and which traffic they might already be monitoring. During the last three years the speaker installed those appliances from different vendors at customers across Europe, gained deep knowledge of their usage, established strong contact with the technicians and chief officers on both the vendors' and customers' side, and found out a lot about the hardware and software by reverse engineering.
SecDocs
Authors: Nathan Fain
Tags: embedded hardware hacking
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Bring your target. We will release a slew of simple tools that explore attack surfaces and explain how to use them: JTAG/serial scanners, a parallel flash dumper, DePCB board routing analysis. So, cross over from software RE and start hacking/improving like it's 1996 again. (Full documentation and reference at: http://events.ccc.de/congress/2010/wiki/Embedded_Analysis) "All non-trivial abstractions, to some degree, are leaky." -- Joel on Software. This applies just as well to hardware. In the soft center of embedded security are the human abstraction layers between embedded developers, PCB designers and ASIC designers, which expose attack surfaces that are often rudimentary and unmovable. Using a theoretical embedded target we walk through each surface, overcoming obfuscation to gain control. We will release a slew of embedded analysis tools, some lolarduino based, some not. These tools are based on frameworks that support Industrial Design students with electronics prototyping, meaning that with little technical background you can adapt these tools to your needs. The audience is invited to bring their target; contributors will be clustered in the hack center and be available to suggest means of protection or application of analysis techniques in your project.
Packet Storm Security Tools
Codetective is an analysis tool to determine the crypto/encoding algorithm used according to traces of its representation. It can be used as a standalone version or as a Volatility plugin for memory analysis. Written in Python.
SecDocs
Authors: Kay Hamacher, Stefan Katzenbeisser
Tags: bank
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Bitcoin is the first distributed digital currency. It received a lot of attention recently as it questions the state's monopoly on issuing legal tender. It relies on distributed proof-of-work concepts to ensure money-like characteristics. The existence and potential widespread use of such a distributed, non-centralized, non-regulated currency questions the ability of governments to control money supply, issue debt, and tax their populace. Transactions in Bitcoin form a publicly accessible network of economic relations, which can be extracted from the transaction history available to all users in the Bitcoin P2P network. Using re-identification algorithms it is possible to attack the proposed anonymity of users. While this is already an interesting security issue, the insight into a real-world economic experiment allows for the first time the empirical test of community structures in such social networks, which is definitely more substantial than the "I-like" network on Facebook and the like. In this presentation, we show results on network analysis of the money flow, the behavior of individuals, and the overall scalability of P2P currencies. At the same time we will discuss advanced "financial instruments" that one might find in the transactions.
Packet Storm Security Tools
Codetective is a simple tool to determine the crypto/encoding algorithm used according to traces of its representation. Written in Python.
SecDocs
Authors: Anthony Lai, Colin Ames, Val Smith
Tags: exploiting
Event: Black Hat USA 2010
Abstract: China has become a major player in the security community in recent years. From numerous news articles regarding government, military and commercial spying, to high profile cases such as the recent attack on Google, the tools, research and hacking groups coming out of China are high on everyone's radar. This talk will provide an analysis of the Chinese hacking community, including its capabilities, goals, and cultural differences as well as similarities. A deep technical analysis and reverse engineering of prominent Chinese tools and techniques will be provided as well. We will highlight specifics such as binary obfuscators, encryption, and specific stealth techniques in order to round out an, up till now, spotty picture of this formidable member of the security community.
-
11:52
»
SecDocs
Authors: Tom Parker
Tags: vulnerability
Event: Black Hat USA 2010
Abstract: Recent incidents commonly thought to be linked to state sponsored activities have given rise to much discussion over the reliability of technical analysis as a source for adversary attribution - specifically in regards to what is commonly termed as the Advanced Persistent Threat (or APT). We now live in a world where the reverse engineering of a malicious binary, or analysis of a compromised host may very well play into a world-changing decision, such as whether a country should declare war on another - or indeed, whether it is no longer viable for a large, multinational corporation to continue doing business in a given part of the globe. This talk will discuss in depth the merits and demerits of technical analysis, demonstrating ways in which various techniques including static binary analysis and memory forensics may be utilized to build a granular profile of the adversary, and where the same techniques may fall short. The presentation will discuss a detailed characterization matrix that can be leveraged to assess and even automate assessment of multiple aspects of the adversary (such as motive, technical skill, technological research resources) that may all play into the way in which we respond to an incident, or reposition ourselves to handle a specific threat over the long term.
-
-
11:18
»
SecDocs
Authors: Jeongwook Oh
Tags: reverse engineering, exploiting, bug hunting
Event: Black Hat USA 2010
Abstract: We already have many kinds of binary patching systems available. There are commercial ones and free ones. But the current implementations only concentrate on finding the difference between binaries. But what security researchers really want from patch analysis is the security patches. Sometimes it's very hard to locate security patches because they are buried inside normal feature updates. The time for locating the security patches will increase drastically as more feature updates are included in the released patches. This is especially true with all the Adobe and Sun product patches. They tend to mix security patches and feature updates. In that case, we need another way to boost the speed of the analysis: the automatic way to locate the security patches! This can be done by analyzing the patched parts and seeing if they have some specific patterns that the usual security patches have. An integer overflow fix will have some comparison against the boundary integer values, and a buffer overflow fix will involve the vulnerable "strcpy" or "memcpy" being replaced with safer functions. Even use-after-free type bugs have their own patch patterns. We will present all the common patterns that we saw and also present a way to locate them using pattern matching. But there can be more things to be done in addition to this simple approach. You can introduce static taint analysis to the binary diffing world. You can trace back all the suspicious variables (expressed as register values or memory locations) found in the patch by using binary diffing, and you can see if they are controllable or taintable from user-controllable input like network packets or user-supplied file input. This automatic security patch locating ability will be beneficial to IPS rule writers. They can spend more time concentrating on what really matters instead of spending time finding the actual parts to analyze.
To achieve all this, I upgraded the current implementation of the "DarunGrim (http://www.darungrim.org)" binary diffing system to support pattern matching and static taint analysis. It will become DarunGrim v3. DarunGrim is the most fully featured open-source binary diffing implementation. I will show how fast we can locate the vendor patches that would otherwise take a few hours using other tools. All the updated source code will be released at the presentation.
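The pattern-matching step the abstract describes can be prototyped without a binary diffing engine. The block below is an added example and not DarunGrim code: it diffs two constructed, simplified x86 listings (one instruction per line, standing in for the per-function diff a binary differ produces) and reports which of the abstract's three fix patterns the change exhibits. The safer-API table, the boundary immediates and the sample listings are assumptions made for the example.

```python
"""Heuristic location of security patches in a binary diff.

Added example of the pattern-matching idea in the abstract above; it is
not DarunGrim code. It works on constructed, simplified x86 listings
(one instruction per line) standing in for a real per-function diff.
"""
import difflib
import re

# Unsafe C API -> replacements a vendor fix typically swaps in (assumption).
SAFER_REPLACEMENTS = {
    "strcpy": {"strncpy", "strlcpy", "strcpy_s"},
    "strcat": {"strncat", "strlcat", "strcat_s"},
    "sprintf": {"snprintf", "_snprintf", "sprintf_s"},
    "memcpy": {"memcpy_s", "memmove_s"},
}
# Immediates a patch compares against when guarding integer arithmetic.
BOUNDARY_IMMEDIATES = {"0x7fff", "0xffff", "0x7fffffff", "0xffffffff", "0x7fffffffffffffff"}
UNSIGNED_BRANCHES = {"ja", "jae", "jb", "jbe", "jnb", "jnbe"}
CALL_RE = re.compile(r"^\s*call\s+(\w+)")
CMP_RE = re.compile(r"^\s*cmp\s+([^,]+),\s*(\S+)")
NULL_STORE_RE = re.compile(r"^\s*(mov|and)\s+(dword|qword)?\s*(ptr\s*)?\[[^\]]+\],\s*0\b")


def diff_listing(old, new):
    """Split a line diff into the instructions removed from old and added in new."""
    added, removed = [], []
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(old[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new[j1:j2])
    return added, removed


def _called(lines):
    return {m.group(1) for line in lines if (m := CALL_RE.match(line))}


def classify_patch(old, new):
    """Return the set of security-fix patterns the diff exhibits; an empty set
    means the change looks like a plain feature update."""
    added, removed = diff_listing(old, new)
    findings = set()
    removed_calls, added_calls = _called(removed), _called(added)
    for unsafe, safer in SAFER_REPLACEMENTS.items():      # strcpy -> strncpy style fix
        if unsafe in removed_calls and added_calls & safer:
            findings.add(f"unsafe-api-replaced:{unsafe}")
    for idx, line in enumerate(added):                    # newly inserted comparisons
        m = CMP_RE.match(line)
        if not m:
            continue
        following = added[idx + 1].split()[0] if idx + 1 < len(added) else ""
        if m.group(2).lower() in BOUNDARY_IMMEDIATES:
            findings.add("integer-overflow-guard")
        elif following in UNSIGNED_BRANCHES:
            findings.add("bounds-check-added")
    added_set = set(added)                                # pointer cleared right after free()
    for idx, line in enumerate(new):
        m = CALL_RE.match(line)
        if m and m.group(1) == "free":
            for nxt in new[idx + 1:idx + 3]:
                if nxt in added_set and NULL_STORE_RE.match(nxt):
                    findings.add("pointer-cleared-after-free")
    return findings


# Constructed before/after listings, one per pattern the abstract mentions.
OLD_STRCPY = ["push eax", "push ebx", "call strcpy", "add esp, 8", "ret"]
NEW_STRCPY = ["push 0x100", "push eax", "push ebx", "call strncpy", "add esp, 12", "ret"]
OLD_BOUNDS = ["mov eax, [ebp+8]", "mov [edi+eax*4], ecx", "ret"]
NEW_BOUNDS = ["mov eax, [ebp+8]", "cmp eax, [ebp+0xc]", "jae fail", "mov [edi+eax*4], ecx", "ret"]
OLD_INTOVF = ["mov eax, [ebp+8]", "add eax, [ebp+0xc]", "push eax", "call malloc", "ret"]
NEW_INTOVF = ["mov eax, [ebp+8]", "cmp eax, 0x7fffffff", "ja fail", "add eax, [ebp+0xc]",
              "push eax", "call malloc", "ret"]
OLD_UAF = ["push esi", "call free", "add esp, 4", "ret"]
NEW_UAF = ["push esi", "call free", "add esp, 4", "mov dword ptr [ebx+0x10], 0", "ret"]

if __name__ == "__main__":
    for name, old, new in [("strcpy", OLD_STRCPY, NEW_STRCPY), ("bounds", OLD_BOUNDS, NEW_BOUNDS),
                           ("intovf", OLD_INTOVF, NEW_INTOVF), ("uaf", OLD_UAF, NEW_UAF)]:
        print(f"{name:8} {sorted(classify_patch(old, new))}")
```

Run over every changed function in a patch, the functions with a non-empty result are the ones to open first; the taint step the abstract goes on to describe is what then separates a reachable fix from a defensive one.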
-
-
6:32
»
SecDocs
Authors: Charlie Miller, Noah Johnson
Tags: reverse engineering, fuzzing
Event: Black Hat USA 2010
Abstract: You’ve fuzzed your favorite application and found a mountain of crashes, now what? BitBlaze is an open source binary analysis platform which can perform whole system taint tracing, dynamic symbolic execution, as well as static analysis. Using BitBlaze, it is possible to determine, upon application crash, which registers and memory locations are tainted from the fuzzed input and in what ways they are used. Furthermore, this taint information can give a level of understanding on what went wrong with the program and why, reducing crash analysis from days to hours and sometimes minutes. In this talk, we present BitBlaze as well as walk through real life case studies of its use.
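What "tainted from the fuzzed input" means in practice is easiest to see on a machine small enough to hold in one's head. The block below is an added example and not BitBlaze code: a toy interpreter labels every input byte with its offset, unions labels through each instruction, and on a faulting access reports which input offsets reached the register that held the bad address. The instruction set and the sample program are constructed for the example; a real tracer does the same bookkeeping per x86 instruction over a whole-system trace.

```python
"""Toy dynamic taint tracer: which fuzzed-input bytes reach a crash?

Added example illustrating the taint-to-crash idea behind BitBlaze; it is
not BitBlaze code. The machine, its instruction set and the sample
program are constructed for the example.
"""

MEM_SIZE = 64  # tiny address space so that a bad index faults quickly


class Fault(Exception):
    """Raised on an invalid memory access; carries the taint state at the crash."""

    def __init__(self, pc, reason, reg, reg_taint):
        super().__init__(reason)
        self.pc, self.reason, self.reg, self.reg_taint = pc, reason, reg, reg_taint


def run(program, input_bytes, input_base=0):
    """Execute `program`. The input is copied to memory at `input_base`, each
    byte labelled with its own offset so labels stay distinguishable; every
    instruction unions the labels of its sources into its destination."""
    mem = bytearray(MEM_SIZE)
    mem_taint = [frozenset() for _ in range(MEM_SIZE)]
    for i, b in enumerate(input_bytes):
        mem[input_base + i] = b
        mem_taint[input_base + i] = frozenset({i})
    regs, taint = {}, {}
    for pc, ins in enumerate(program):
        op = ins[0]
        if op == "imm":                    # imm dst, value   (a constant clears taint)
            regs[ins[1]], taint[ins[1]] = ins[2], frozenset()
        elif op == "add":                  # add dst, src     (dst += src)
            regs[ins[1]] = (regs[ins[1]] + regs[ins[2]]) & 0xFFFFFFFF
            taint[ins[1]] = taint[ins[1]] | taint[ins[2]]
        elif op == "load":                 # load dst, [addr_reg]
            addr = regs[ins[2]]
            if not 0 <= addr < MEM_SIZE:
                raise Fault(pc, f"read from invalid address {addr}", ins[2], taint)
            regs[ins[1]] = mem[addr]
            # The value is tainted by the byte read and by whatever chose the address.
            taint[ins[1]] = mem_taint[addr] | taint[ins[2]]
        elif op == "store":                # store [addr_reg], src
            addr = regs[ins[1]]
            if not 0 <= addr < MEM_SIZE:
                raise Fault(pc, f"write to invalid address {addr}", ins[1], taint)
            mem[addr] = regs[ins[2]] & 0xFF
            mem_taint[addr] = taint[ins[2]] | taint[ins[1]]
        else:
            raise ValueError(f"unknown op {op!r} at pc={pc}")
    return regs, taint


def triage(program, input_bytes):
    """Run the program; on a crash report the faulting instruction, the register
    holding the bad address and the input offsets that flowed into it.
    Returns None when the run completes without a fault."""
    try:
        run(program, input_bytes)
    except Fault as f:
        return {
            "pc": f.pc,
            "reason": f.reason,
            "fault_reg": f.reg,
            "controlled_by": sorted(f.reg_taint.get(f.reg, ())),
            "tainted_regs": {r: sorted(t) for r, t in f.reg_taint.items() if t},
        }
    return None


# Constructed program: read a one-byte length from the input and use it,
# unchecked, as an index into a 16-byte table that starts at address 32.
PROGRAM = [
    ("imm", "r0", 0),        # r0 = &input[0]
    ("load", "r1", "r0"),    # r1 = input[0]          (attacker-controlled)
    ("imm", "r2", 32),       # r2 = table base
    ("add", "r2", "r1"),     # r2 = table + index     <-- no bounds check
    ("imm", "r3", 0x41),
    ("store", "r2", "r3"),   # table[index] = 0x41
]

if __name__ == "__main__":
    print(triage(PROGRAM, bytes([5])))     # in range: None
    print(triage(PROGRAM, bytes([200])))   # faults; r2 is controlled by input offset 0
```

The useful distinction at triage time is whether the faulting address register is tainted at all: a tainted r2 here means the write destination is attacker-controlled, whereas a fault on an untainted register points to a bug the input cannot steer and therefore a much lower priority.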
-
-
18:51
»
Packet Storm Security Recent Files
Digital forensics deals with the analysis of artifacts on all types of digital devices. One of the most prevalent analysis techniques performed is that of the registry hives contained in Microsoft Windows operating systems. Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.
-
-
13:13
»
SecDocs
Authors: Christiaan Schade, Damiano Bolzoni
Tags: malware, malware analysis
Event: Black Hat USA 2010
Abstract: In this presentation we will show a new approach to perform on-the-fly malware analysis (even of previously unknown malware), without the need to deploy any instrumentation at the end host beforehand. Our approach leverages the fact that malware quite often comes as a small (in size) "spore", which is then responsible for making the malware persistent on the targeted host and downloading additional components ("eggs"). Eggs usually come in the shape of executables or DLLs, and extend the capabilities of the spore (password grabbing, URL redirection, etc.). Our system, which we call Avatar, detects failed attempts to download eggs, and ships back to the suspected malware what we call a "red pill". When the malware executes the red pill, this performs some preliminary checks and can send a copy of the parent process' executable to an instrumented host. In this instrumented (i.e., sand-boxed) environment it is possible to perform real-time analysis of the suspicious program. The red pill can then be remotely instrumented to terminate the monitored process, in case it appears to be a real threat. By doing so, it is possible to effectively contain a large infection.
-
-
10:15
»
SecDocs
Authors: Stefan Bühlmann
Tags: debugger, debugging, code analysis
Event: Hashdays 2010
Abstract: An instruction trace is the sequence of instructions executed when running a program. Instruction traces have a large number of applications in malware analysis. Examples of such applications are detection of self-modifying code, automated unpacking, code-similarity analysis, reverse engineering of cryptographic code, vulnerability analysis, etc. It is thus not astonishing that we have recently seen considerable interest in instruction traces in the malware research community. Accordingly, there already exists a range of instruction tracers such as Ether, Temu and Pin. An ideal tracer will be efficient (support analysis of large numbers of malware), transparent (hard to detect and evade), and portable to different versions of the Windows operating system and shall run on virtual and physical machines. None of the current tracers features all of these properties. We have developed a novel tracer dubbed "Helios", which overcomes these limitations. To this end Helios uses several advanced and novel techniques. Our talk will first introduce to the topic of tracing and its applications, followed by a detailed discussion of Helios. In particular, we will demonstrate Joedoc a novel tool for detecting exploits in documents (e.g. PDFs) which is based on instruction traces.
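Two of the applications the abstract lists, detection of self-modifying code and automated unpacking, reduce to one question over a trace: is the instruction about to execute located in memory that an earlier instruction of the same run wrote? The block below is an added example and not Helios code. It consumes a constructed trace (executed address, mnemonic, written range) and reports each point where control passes into freshly written code; the entry of the last such layer is the original-entry-point candidate an unpacker would dump from.

```python
"""Write-then-execute detection over an instruction trace.

Added example of one trace application the abstract lists (detecting
self-modifying code, which is also the core of automated unpacking); it is
not Helios code. Trace records are constructed tuples of the executed
address, the mnemonic and the memory range the instruction wrote, if any.
"""
from collections import namedtuple

Record = namedtuple("Record", "addr mnem write")   # write: (start, size) or None


def analyse_trace(trace):
    """Walk the trace once. Memory bytes remember which layer wrote them; when
    the current layer executes a byte it wrote itself, a new layer has been
    unpacked. The last layer entry is the original-entry-point candidate."""
    written = {}            # address -> layer whose code wrote it
    layer = 0
    layer_entries = []
    modified_exec = 0       # instructions fetched from memory modified during the run
    for rec in trace:
        if rec.addr in written:
            modified_exec += 1
            if written[rec.addr] == layer:       # code produced by this layer is now running
                layer += 1
                layer_entries.append(rec.addr)
        if rec.write is not None:
            start, size = rec.write
            for a in range(start, start + size):
                written[a] = layer
    return {
        "layers": len(layer_entries),
        "layer_entries": layer_entries,
        "oep_candidate": layer_entries[-1] if layer_entries else None,
        "modified_exec_count": modified_exec,
    }


def build_sample_trace():
    """Constructed trace: a loop at 0x1000 decrypts 0x2000-0x20ff and jumps
    there; that layer writes 0x3000-0x300f and jumps there in turn."""
    trace = []
    for i in range(0, 0x100, 4):
        trace += [Record(0x1000, "mov", None), Record(0x1004, "xor", None),
                  Record(0x1008, "mov", (0x2000 + i, 4)), Record(0x100c, "loop", None)]
    trace += [Record(0x1010, "jmp", None),
              Record(0x2000, "push", None),            # first layer entry
              Record(0x2001, "mov", (0x3000, 16)),
              Record(0x2006, "jmp", None),
              Record(0x3000, "push", None),            # second layer entry (OEP candidate)
              Record(0x3001, "mov", None)]
    return trace


if __name__ == "__main__":
    report = analyse_trace(build_sample_trace())
    print(report["layers"], [hex(a) for a in report["layer_entries"]], hex(report["oep_candidate"]))
```

The same rule fires on legitimate JIT compilers and on runtime relocation fix-ups, so in practice the layer entry is a dump point to inspect, not a verdict; and none of this helps if the tracer itself is detected, which is the transparency requirement the abstract raises.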
-
-
16:04
»
Packet Storm Security Recent Files
This paper describes the results of a thorough examination of Sophos Antivirus internals. The author presents a technical analysis of claims made by the vendor, and publishes the tools and reference material required to reproduce their results. Furthermore, they examine the product from the perspective of a vulnerability researcher, exploring the rich attack surface exposed, and demonstrating weaknesses and vulnerabilities.
-
-
20:38
»
Packet Storm Security Recent Files
PACK (Password Analysis and Cracking Kit) is a toolkit that lets researchers optimize their password cracking tasks and analyze previously cracked passwords, and that implements a novel attack on corporate passwords using the minimum password policy. The goal of this toolkit is to assist in automatic preparation for "better than brute force" password attacks by analyzing the common ways in which people create passwords. After the analysis stage, the statistical database can be used to generate attack masks for common tools such as Hashcat, oclHashcat, and others.
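The analysis stage and the mask generation PACK describes fit in one short script. The block below is an added example in the spirit of PACK's statistics and mask tools, not PACK's own code: it turns a constructed list of cracked passwords into Hashcat masks, ranks them by hits per candidate under a keyspace budget, and optionally drops masks that a minimum password policy would never let through, which is the policy-driven pruning the description alludes to. Charset sizes follow Hashcat's built-in ?l/?u/?d/?s classes.

```python
"""Password-mask statistics and mask selection for Hashcat-style attacks.

Added example of the analysis described above, in the spirit of PACK's
statsgen/maskgen; it is not PACK's own code. The cracked-password list is
constructed, and the ?l/?u/?d/?s classes follow Hashcat's built-in charsets.
"""
from collections import Counter
import string

CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}   # sizes of Hashcat's built-in charsets


def char_class(c):
    if c in string.ascii_lowercase:
        return "?l"
    if c in string.ascii_uppercase:
        return "?u"
    if c in string.digits:
        return "?d"
    return "?s"          # everything else is treated as a special character here


def mask_of(password):
    return "".join(char_class(c) for c in password)


def keyspace(mask):
    """Number of candidates a mask attack must try to exhaust the mask."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CHARSET_SIZES[mask[i:i + 2]]
    return n


def mask_stats(passwords):
    """Masks seen in the cracked set, most common first, with their cost."""
    counts = Counter(mask_of(p) for p in passwords)
    total = len(passwords)
    return [{"mask": m, "count": c, "coverage": c / total, "keyspace": keyspace(m)}
            for m, c in counts.most_common()]


def satisfies_policy(mask, min_length=8, required=("?u", "?d")):
    """True if every password matching the mask passes a minimum policy of
    `min_length` characters containing each class in `required`."""
    classes = {mask[i:i + 2] for i in range(0, len(mask), 2)}
    return len(mask) // 2 >= min_length and all(r in classes for r in required)


def select_masks(passwords, max_keyspace, policy=False):
    """Masks worth running, best hits-per-candidate first, dropping any whose
    keyspace exceeds the budget and, optionally, any a password policy would
    have rejected (those cannot occur in a policy-enforced corporate set)."""
    rows = [r for r in mask_stats(passwords) if r["keyspace"] <= max_keyspace]
    if policy:
        rows = [r for r in rows if satisfies_policy(r["mask"])]
    rows.sort(key=lambda r: r["count"] / r["keyspace"], reverse=True)
    return [r["mask"] for r in rows]


# Constructed sample of previously cracked passwords.
CRACKED = ["Password1", "Summer2019", "Welcome1", "Monkey123",
           "letmein", "Qwerty12", "Admin2020!", "Trustno1"]

if __name__ == "__main__":
    for row in mask_stats(CRACKED):
        print(f"{row['mask']:24} {row['count']:2} {row['coverage']:.2f} {row['keyspace']:>16,}")
    print(select_masks(CRACKED, max_keyspace=10**11, policy=True))
```

Ranking by hits per candidate rather than by raw frequency is the point of the exercise: the most common mask in the sample is also one of the most expensive, and a cheaper mask with fewer hits gets run first.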
-
-
11:36
»
SecDocs
Authors:
Andrew Case
Tags: Tor, privacy
Event: Black Hat DC 2011
Abstract: Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations. In order to solve this problem, we present a number of techniques that allow for complete recovery of a live CD’s in-memory filesystem and partial recovery of its previously deleted contents. We also present memory analysis of the popular Tor application as it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.
-
-
4:44
»
Packet Storm Security Recent Files
The Open Source Security Testing Methodology Manual 3.0 covering security testing, security analysis, operational security metrics, trust analysis, operational trust metrics, and the tactics required to define and build the best possible security over Physical, Data Network, Wireless, Telecommunications, and Human channels.
-
-
10:46
»
SecDocs
Tags: vulnerability
Event: PhreakNIC 11
Abstract: This presentation will cover the basics of vulnerability analysis. It will cover topics ranging from reading a public advisory, to analyzing binaries, and finally identifying the location of the problem. An overview of various tools used and how to use them in tracking down a bug will also be given.
-
-
0:10
»
SecDocs
Authors:
Sean M. Bodmer
Tags: forensic, IDS
Event: PhreakNIC 11
Abstract: Intrusion analysis has been primarily reserved for network junkies and bit biters. However, due to the advances in network systems automation we now have time to pay more attention to the subtle observations left by attackers at the scene of the incident. Century-old sciences have given criminal investigators the ability to attribute attacks to specific individuals or groups. Intrusion Analysis and Criminal Sciences can be combined to learn more about the cyber threats slipping into your systems. You will walk away from this talk with a better understanding of how to approach an intrusion and analyze more than just the minutiae. I will attempt to convey processes and procedures that you can implement in your Security Program that support a deeper approach to Intrusion Analysis and Attacker Characterization.
-
-
11:00
»
Hack a Day
Here’s a fascinating project that started with a great idea and piled on a remarkable amount of innovation. Graffiti Analysis is a project that captures gestures used to create graffiti art and codifies them through a data-type called Graffiti Markup Language (GML). After the break you can watch a video showing the data capture method [...]
-
-
2:00
»
SecDocs
Authors:
Andrzej Dereszowski
Tags: malware, exploiting, browser, malware analysis
Event: Black Hat EU 2010
Abstract: This presentation is an analysis of a common sort of targeted attack performed nowadays against many organizations. As it turns out, publicly available remote access tools - RATs (which we usually call trojans) - are frequently used to maintain control over the victim after a successful penetration. The presentation and the white paper do not focus on the particular exploitation techniques used in these attacks. Instead, they aim to take a closer look at one of the most popular remote access trojans. The presentation describes a way to figure out which particular trojan has been used. It shows the architecture, capabilities and techniques employed by the developers of the identified trojan, including mechanisms to hide its presence in the system and to cover its network trace. It discusses the tools and techniques used to perform this analysis. Finally, it presents a vulnerability analysis and a proof-of-concept exploit to show that the intruders could also be the object of an attack.
-
-
21:03
»
SecDocs
Authors:
Stefano Zanero, Paolo Milani Comparetti
Tags: malware, malware analysis, honeypot
Event: Black Hat DC 2010
Abstract: In this talk we will report on the advances we made in building an automatic, global network which can perform early warning, automatic classification and analysis of malware and exploits as they propagate, or are used, worldwide. After briefly analyzing the WOMBAT project in its 3-year outlook, we will introduce some key advances already realized, among which behavioral analysis and specification languages, and the WOMBAT APIs, a set of APIs meant for analysts and researchers to be able to query the WOMBAT datasets in a seamless manner. We will show how easy it is for external projects to use our APIs to query our datasets, or to give access to their data through the WAPI. This talk is also open for contribution from the audience on the future directions of the WOMBAT project.
-
-
5:36
»
SecDocs
Authors:
Jason Ross
Tags: malware, malware analysis
Event: Black Hat DC 2010
Abstract: Your organization has Anti-Virus deployed and is logging virus activity to a central location. Your IDS is watching the perimeter, and you have your systems on a regular patch cycle. Malware doesn't affect you, right? Wrong. This presentation shows where these technologies are falling short and why malware analysis is quickly becoming a need for companies other than Anti Virus vendors. We'll discuss the pros and cons to virtual machines and bare metal as they apply to the purpose of analyzing malicious software.
-
-
3:30
»
SecDocs
Authors:
Nicholas J. Percoco
Tags: security, cybercrime
Event: Black Hat DC 2010
Abstract: From January 1, 2009 to December 31, 2009, we performed approximately 2000* penetration tests (network, application, wireless, and physical) for organizations ranging from the largest companies on the planet to nimble start-ups. In addition, we also performed around 200* security incident and compromise investigations for organizations located in nearly 20 different countries around the world. The data we have gathered from these engagements is substantial and comprehensive. This presentation will be the first viewing of the results of the analysis of the data gathered during 2009. The results will be presented as both technical and business impact analysis, with an emphasis on the technical for the Black Hat audience. This presentation will coincide with the release of the paper with the same title. The paper will be released after the conclusion of the talk.