Department of Defense Cyber Crime Conference 2011
Posted on by Zuly GonzalezCategories Computer Security, Events, Security1 Comment on Department of Defense Cyber Crime Conference 2011

The DoD Cyber Crime Conference focuses on all aspects of computer crime and incident response including intrusion investigations, cyber crime law, digital forensics, information assurance, cyber crime investigations, as well as the research, development, testing, and evaluation of digital forensic tools.

The goal is to prepare attendees for the new crimes of today and the near future. Speakers will discuss new approaches and new perspectives. The conference is sponsored by the DoD Cyber Crime Center.

The 2011 DoD Cyber Crime Conference will be held January 21- 28, 2011 at the Hyatt Regency Hotel in Atlanta, GA.

Department of Defense Cyber Crime Conference 2011

Cyber Crime Conference Schedule

The schedule for the 2011 Department of Defense Cyber Crime Conference is as follows:

Pre-Conference Training: January 21-24, 2011
Conference: January 25-28, 2011
Exposition: January 25-27, 2011

Who Can Attend the Cyber Crime Conference

In order to attend the conference you must meet the below criteria:

  • DoD personnel
  • DoD-sponsored contractors
  • Defense Industrial Base (DIB) Partners  (CIPAC)
  • Federal, state and local law enforcement
  • U.S. sponsored government representatives working in the following fields:
    • Counterintelligence Special Agents
    • Criminal Investigators
    • Computer Forensics Examiners
    • Prosecutors – federal, state, local, military
    • DoD Information Assurance/Systems Administrators
    • Computer Forensics Research and Development Personnel
    • Federal, State and Local Law Enforcement
    • Educators in federally funded information assurance program, like CyberCops or National Centers of Excellence for Information Assurance
  • U.S.-sponsored government representatives from Australia, Canada, the United Kingdom and New Zealand

Registration Fees

Registration is open for the 2011 Cyber Crime Conference, and closes on January 14, 2011. The registration fee schedule is as follows:

  • Early Registration (ends December 31, 2010)
    • Government Attendee: $400
    • Industry Attendee: $575
    • Fee includes: Tuesday night reception and all activities from Tuesday morning through Friday. This does not include the pre-conference training.
  • Late Registration (after December 31, 2010)
    • Government Attendee: $500
    • Industry Attendee: $675
  • Speaker Registration
    • Fee: $150
    • Fee applies only for those attending conference sessions (the conference sessions begin Tuesday morning and end Friday).
    • Fee includes: The reception and all activities.
  • Classified Training (Cyber Counterintelligence)
    • Fee: $80
    • Clearances must be submitted no later than 4 January 2011.
  • Exhibitor Registration
    • Fee: $135
  • Press Registration
    • Fee: $0
    • Press can attend the general session on January 25, 2011

Training Sessions for Cyber Crime Conference 2011

The 16 training sessions that will be available at the 2011 DoD Cyber Crime Conference are as follows:

DoD Cyber Crime Conference Training SessionFollow the Script Please!
This workshop will introduce students to the concepts of writing and editing scripts to automate incident response activities. Students will learn how to author and edit incident response scripts for Windows and Linux environments. This session is intended for beginners and those who simply need a refresher.

Advanced Network Intrusion Traffic Analysis
Attendees will learn how to identify intrusion traffic, understand the techniques used by the attacker, and how to reconstruct the intrusion traffic. Attendees will also learn how to identify the attack vector and mitigate loss and secure the vulnerability using Wireshark, Netwitness and Snort.

Analyzing Malicious Carrier Files
This class will cover the fundamentals of analyzing malicious carrier files such as PDFs, Microsoft Office documents, and CHM files, used in spear phishing attacks. They will cover the structure of common carrier file types and methods for recognizing, extracting, deobfuscating and analyzing embedded scripts and shellcode. They will then leverage this embedded logic to enable accurate extraction of any additional payloads found within the carrier file. This course will be a combination of file-level forensic examination and malicious code analysis.

Introduction to Botnets

Botnets are a significant part of the Advanced Persistent Threat (APT) facing corporate and government networks today. This course introduces botnets and gives the students an opportunity to get hands-on experience setting up and running a self-contained botnet.  In addition, students will look at the evidence left behind from a botnet compromise in network traffic and Windows system artifacts.

Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks

Cyber analysis is a growing field that combines traditional analysis with the highly technical concepts of network intrusions to determine how various incidents are connected. This course provides an overview of cyber analysis as it applies to the network intrusion problem, and covers a basic overview of network intrusions and electronic artifacts, an introduction to basic Analyst Notebook use, and an introduction to analyzing the data.

Introduction to EnCase for Prosecutors and Case Agents
A quality computer forensic examination is worthless if the communicated results are not understood by the consumer. This course will cover some of the basic terminology, functions, capabilities and limitations of a common primary forensic tool used during forensic examinations.

Intro to Malware Analysis Techniques
This course teaches fundamentals and concepts involved in malware analysis at a basic level. Malicious code is often found on computer systems during network intrusion investigations. The main goals of analysis are to assess an executable to discover its functionality, and to identify the artifacts of its presence and usage.

Mac Forensics – 2011
This training addresses forensic examinations of Mac systems (OS X). They will approach the Mac platform with traditional forensic methods using EnCase to find and analyze OS X artifacts. They will also use OS X to examine exported OS X specific data which can best be viewed in its native environment.

Network Exploitation Analysis Techniques
This training session combines the disciplines of Pen Testing, Information Assurance, and Forensics into a unique opportunity to learn the components of a network attack, the traffic the attack generates, and the artifacts left behind. Presenters will use Metasploit to launch attacks while monitoring network traffic for analysis. After examining the captured traffic, forensic artifacts of the attack will be identified and discussed.

NW3C TUX4N6

This course will teach students how to use the TUX4N6 digital triage tool to safely preview the active files on a suspect computer in a forensically sound manner.  The TUX4N6 tool is based on the Linux operating system and has the advantage of being able to “read” other computer system’s files without writing to or altering the data on those systems. Students will be taught how to conduct a manual search of a computer, use automated features to search the computer for keywords and specific file types, and how to save evidence to external storage media.

Online Anonymity
In this course, tools and methodologies will be demonstrated and provided that will enable an examiner or investigator to conduct information gathering efforts while obfuscating their source location.

Pen Testing 101
This training session will introduce open source pen testing tools and methods to students. You’ll learn the importance of Rules of Engagement for both tester and target.  Then you’ll dive into a white box test to prepare for the black box test at the end of the session.

Snort for Network Analysis
This training session is intended for incident responders and anyone with a desire to learn how to use Snort to analyze network traffic. Attendees will use Snort to quickly gain insight into the analysis of previously captured network traffic to locate particular files, or types of files, and for “anomalies” that are indicators of an intrusion.

Windows Incident Response
This course focuses on response in a Windows environment. Topics addressed include search and seizure, and incident response with Windows 2003 server.

Wireless Technology Workshop
This session makes use of practical, hands-on exercises to present and reinforce wireless technologies and techniques.  Attendees will learn how to use various wireless technologies and walk away knowing both the strengths and weaknesses of commercial wireless solutions.  Attendees will utilize Bluetooth and WiFi technologies, and learn open-source as well as proprietary attacks to exploit their inherent weaknesses.  Attendees will also capture and analyze open and encrypted data traffic with Wireshark and other open source tools.  Further, the presenters will cover methodologies to secure wireless networks, and techniques to scan for hidden access points and other wireless devices.  Other topics that will be presented include cracking tools, accidental association, direction finding, creating wireless heat maps, and denial of service.

Cyber Crime Conference Training Session

Windows 7 Forensics
Among the topics that will be discussed are: Libraries, Jump Lists, Pinning, Gadgets, Thumbnail Caching, Sticky Notes, exFAT, System Protection and Backup (Windows Backup, System Image, Previous Versions, Volume Shadow Copies), Virtualization, XP Mode, Registry, SuperFetch, Windows Search, Indexing, BitLocker and BitLocker to Go.

SANS Metasploit Kung FU Training Sessions

Metasploit was designed to help testers with confirming vulnerabilities using an Open Source framework. This course will help students get the most out of this free tool. This class will provide students with an in-depth understanding of the Metasploit Framework, and show them how to apply the capabilities of the framework in a comprehensive penetration testing and vulnerability assessment regimen. The class will cover exploitation, post-exploitation reconnaissance, token manipulation, spear-phishing attacks, and the rich feature set of the Meterpreter, a customized shell environment specially created for exploiting and analyzing security flaws. The course will also cover many of the pitfalls that a tester may encounter when using the Metasploit Framework and how to avoid or work around them, making tests more efficient and safe.

Classified Training Session

The classified session will focus on cyber counterintelligence topics in the following areas:

  • Cyber CI Policy both at the National and DoD levels
  • Cyber CI training both at the National and DoD levels
  • What the DoD services are seeing from State and Non-State actors in terms of Cyber CI
  • What the DoD services are doing in regards to Cyber CI
  • National level program with a Cyber CI focus

The briefings will center around the tactics, techniques, and procedures along with updates on current policies, investigations and operations from the services and National level agencies.  Due to the sensitive nature of the Tactics, Techniques and Procedures (TTPs), policies, investigations and operations the session will be classified Secret//NOFORN.

More on the 2011 DoD Cyber Crime Conference

If you have any questions on the conference, email Info@TechnologyForums.com.

Follow the DoD Cyber Crime Conference on Twitter.

Do you plan on attending this conference or any other security conference in 2011?

Facebook Email Scam – Alma Commented on Your Photo
Posted on by Zuly GonzalezCategories Computer Security, Security, Web Security1 Comment on Facebook Email Scam – Alma Commented on Your Photo

I received an email message from “Facebook” with the subject line “Alma commented on your photo”. I was so excited, until I realized I wasn’t friends with anyone named Alma…then I was sad 🙁 (Clue #1)

Okay, the truth is I knew it was spam just from reading the subject line; my Facebook settings are not setup to email me every time someone comments on my photos, so this email couldn’t have really been from Facebook. (Clue #2)

I don’t normally open up emails that I know are spam, but now that I blog about this topic, every now and then I’ll open one up to alert you all. Since I knew this was a scam, I opened up the email using our security product, Light Point Web, to avoid infecting my computer with malware. And this is what I found…

About the Facebook Email Scam

Facebook Email Scam - Alma commented on your photo

The email said it was from Facebook, but the email address associated with the account is noreply@netlogmail.com, which is not a Facebook domain. (Clue #3)

If this email had really been from Facebook, I would have expected either my name or email address to be in the To field. However, there was nothing there. This means that my email address was placed in the Bcc line, instead of the To line. This leads me to believe that this email was sent to more than one person, and that the sender did not want the receivers to see all the other email addresses. This is consistent with spammer behavior – they craft one generic email message, and send it to lots of people. (Clue #4)

My email provider had already marked the message as spam – it was sitting in my junk folder when I found it. (Clue #5)

The body of the message said:

Alma commented on your photo.

Alma wrote:
“very nice photo i like thiss “

Reply to this email to comment on this photo.

To see the comment thread, follow the link below:
http://www.facebook.com/n/?photo.php….

Thanks,
The Facebook Team

—–
Find people from your Windows Live Hotmail address book on Facebook! Go to: http://www.facebook.com/find-friends/?ref=email

This message was intended for. If you do not wish to receive this type of email from Facebook in the future, please follow the link http://www.facebook.com/o.php?…
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303

The email asks you to reply to the email in order to comment on that photo. However, Facebook does not support this functionality. (Clue #6)

Notice that the links in the message supposedly have the URL spelled out, and all the links seem to point to the facebook.com domain. But, by hovering your mouse over the link, you can get the real URL the link points to. In this case, all the links in the message point to the website likemp3.net. This is obviously not Facebook (see below for a report of this website). (Clue #7)

Lastly, take a look at the footer of the email. It says, “This message was intended for.”. There should be an email address after the word for in that sentence, otherwise it doesn’t make sense. Since this exact email was sent to various email addresses, the spammers removed that portion from the footer. (Clue #8)

Below is the footer from a legitimate email from Facebook. Compare it to the footer shown in the scam email above.

Facebook Unsubscribe Footer

likemp3.net is a Malicious Website

Norton Safe Web identified likemp3.net to be a malicious website, and found 1 computer threat on the site. A computer threat is an item, such as viruses and worms, that loads directly on your computer, with the potential to do harm to your computer. Please do not go to that site.

Norton Safe Web reports likemp3.net as maliciousHow to Protect Yourself From Email Scams

Here are a few things you can do to prevent your computer from being infected with malware:

  • If you receive an email like this one, do not open it, and delete it right away.
  • Never click on links in an email message. Instead type the URL of the website directly in the address bar, and log into your account that way.
  • If you must click on a link in an email, for example it’s not a check your account status type of email, hover over the link and look at what the status bar tells you. If the URL shown in the status bar isn’t for the website you’re expecting to go to, don’t click on the link. In the case of this Facebook email scam, the URL in the status bar doesn’t link to facebook.com. Instead it links to likemp3.net.
  • Note that the only domain name used by Facebook is facebook.com. Any URL that doesn’t start with http://www.facebook.com/ is not an official Facebook page. That’s not to say it’s a malicious site, it’s just not an official Facebook page, so use caution when going to these sites.

Have you received any Facebook email scams? Tell us about it in the comments section.

Light Point Web Reaches MVP With 0.6 Release
Posted on by Beau AdkinsCategories Computer Security, Light Point Security Update, Light Point Web, Web Security1 Comment on Light Point Web Reaches MVP With 0.6 Release

Light Point Web LogoThis week Light Point Security has reached an important milestone. We have finally completed a Minimally Viable Product (MVP) for Light Point Web. In short, an MVP is a product that contains the bare minimum of features to be useful to someone.

Read more “Light Point Web Reaches MVP With 0.6 Release”

Latest Malicious Websites Identified by Norton Safe Web
Posted on by Zuly GonzalezCategories Computer Security, Fun Friday, Web SecurityLeave a comment on Latest Malicious Websites Identified by Norton Safe Web

Norton Safe Web LogoIn this Fun Friday post, I’m going to share the 10 latest malicious websites, as identified by Norton Safe Web. Norton Safe Web analyzes websites for safety and security problems.

  1. thebizblueprint.com: 22 computer threats identified by Norton Safe Web.
  2. gtr2.com: 17 computer threats identified by Norton Safe Web.
  3. zabukym.co.cc: 6 computer threats identified by Norton Safe Web.
  4. yahoochas.info: 2 computer threats identified by Norton Safe Web.
  5. facebook-surprise4mf.tk: 2 computer threats identified by Norton Safe Web.
  6. maalliso.strefa.pl: 942 computer threats identified by Norton Safe Web.
  7. bosladen.strefa.pl: 1425 computer threats identified by Norton Safe Web.
  8. wiehldesigns.com: 36 computer threats identified by Norton Safe Web.
  9. itemcreator.tk: 2 identity threats identified by Norton Safe Web.
  10. yabigson.fileave.com: 3 computer threats identified by Norton Safe Web.

What Is Norton Safe Web?

Norton Safe Web is a reputation service from Symantec. Their servers analyze websites to see how they will affect your computer, and let you know if a particular website is safe to visit before you view it.

This service is not guaranteed to be 100% accurate, so as always, please use caution when browsing the web. If Norton Safe Web identifies a site as malicious, you can be confident in those results. However, it not finding any threats on a site, does not guarantee that the site is safe to browse.

What Is Fun Friday?

I created the Fun Friday category to be a collection of very short, and easy to read, posts. The intention is to provide useful information in a compact form factor. These posts will showcase short videos, graphs, top 10 lists, and anything else that can be digested quickly.

In this Fun Friday [/content/category/fun-friday] post, I’m going to share the 10 latest malicious websites, as identified by Norton Safe Web. Norton Safe Web analyzes websites for safety and security problems.

  1. thebizblueprint.com: 22 computer threats identified [http://safeweb.norton.com/report/show?name=thebizblueprint.com] by Norton Safe Web.
  2. gtr2.com: 17 computer threats identified [http://safeweb.norton.com/report/show?name=gtr2.com] by Norton Safe Web.
  3. zabukym.co.cc: 6 computer threats identified [http://safeweb.norton.com/report/show?name=zabukym.co.cc] by Norton Safe Web.
  4. yahoochas.info: 2 computer threats identified [http://safeweb.norton.com/report/show?name=yahoochas.info]by Norton Safe Web.
  5. facebook-surprise4mf.tk: 2 computer threats identified [http://safeweb.norton.com/report/show?name=facebook-surprise4mf.tk]by Norton Safe Web.
  6. maalliso.strefa.pl: 942 computer threats identified [http://safeweb.norton.com/report/show?name=maalliso.strefa.pl]by Norton Safe Web.
  7. bosladen.strefa.pl: 1425 computer threats identified [http://safeweb.norton.com/report/show?name=bosladen.strefa.pl]by Norton Safe Web.
  8. wiehldesigns.com: 36 computer threats identified [http://safeweb.norton.com/report/show?name=wiehldesigns.com]by Norton Safe Web.
  9. itemcreator.tk: 2 identity threats identified [http://safeweb.norton.com/report/show?name=itemcreator.tk]by Norton Safe Web.
  10. yabigson.fileave.com: 3 computer threats identified [http://safeweb.norton.com/report/show?name=yabigson.fileave.com]by Norton Safe Web.

What is Norton Safe Web?

Norton Safe Web is a reputation service from Symantec. Their servers analyze websites to see how they will affect your computer, and let you if a particular website is safe to visit before you view it.

What is Fun Friday?

I created the Fun Friday category to be a collection of very short, and easy to read, posts. The intention is to provide useful information in a compact form factor. These posts will showcase short videos, graphs, top 10 lists, and anything else that can be digested quickly.

Free Black Hat Webcast: Attacking With HTML5
Posted on by Zuly GonzalezCategories Computer Security, Events, Resources, Security, Web Security1 Comment on Free Black Hat Webcast: Attacking With HTML5

Black Hat LogoThe founders of the Black Hat conference, the best computer security conference in the world, will be hosting a free webcast. The webcast, Attacking with HTML5, will be held on December 16, 2010 at 2:00 PM EST. You can register for the Black Hat webcast here.

Black Hat has been hosting security webcasts since July 2008. The Black Hat webcasts are a regular series of live web events focusing on what’s hot in Information Security. Each month, they bring together Black Hat speakers, independent researchers and leading experts to discuss relevant topics in security, and give you a chance to ask questions live. You can see a list of all the previously recorded Black Hat webcasts here.

Attacking With HTML5 Description

HTML5 is a set of powerful features aimed at moving the web applications closer to existing desktop applications in terms of user experience and features. HTML5 is not the technology of the future as many believe; it is available right now in almost all modern browsers. Though the widespread use of HTML5 by websites is still a few years away, the abuse of these features is already possible.

Web developers and users assume that just because their site does not implement any HTML5 features that they are unaffected. A large section of the internet community believes that HTML5 is only about stunning graphics and video streaming. This talk will show how these assumptions are completely contrary to reality.

This presentation will show how existing ‘HTML4’ sites can be attacked using HTML5 features in a number of interesting ways. Then we look at how it is possible to use the browser to perform attacks that were once thought to require code execution outside the sandbox. Finally, they will look at an attack where the attacker is not interested in the victim’s data or a shell on the machine, but is instead after something that might perhaps even be legal to steal.

Special Offer for Black Hat DC 2011

If you register for the free webcast, you will receive $250 off of a new registration to the Black Hat DC 2011 Briefings (Training classes are excluded). When you register for the webcast you will receive a discount code in your confirmation email to use when registering for the Black Hat DC 2011 Briefings.

Do you know of any other security webcasts? Share with us in the comments.

Black Hat DC 2011 Conference
Posted on by Zuly GonzalezCategories Events, Security, Web Security2 Comments on Black Hat DC 2011 Conference

The Black Hat conference is the biggest, and most important security conference in the world. Black Hat has become a premiere venue for elite security researchers, and serves the information security community by delivering timely, and actionable, security information. The Black Hat conference series is now held four times a year

  • Black Hat DC: January 16-19, 2011 in Arlington, VA
  • Black Hat Europe: March 15-18, 2011 in Barcelona, Spain
  • Black Hat USA: July 30 – August 4, 2011 in Las Vegas, NV
  • Black Hat Abu Dhabi: November 2011 in United Arab Emirates

and is separated into a training portion and a briefings portion.

Black Hat DC 2011 Conference

The Black Hat Briefings are a series of highly technical information security presentations that bring together leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and knowledge.

Black Hat also provides hands-on, high-intensity, multi-day Trainings. The training sessions are provided by some of the most respected experts in the world and many also provide formal certifications to qualifying attendees.

The 2011 Black Hat DC conference will be held January 16 – 19 at the Hyatt Regency in Arlington, VA. The training portion of the conference will be from January 16 to 17, and the briefings portion will be from January 18 to 19.

Black Hat DC 2011 Registration Fees

Registration is now open for the 2011 Black Hat DC conference, and the registration fee schedule is as follows:

  • Briefings
    • Regular: $1395 (ends Dec 15)
    • Late: $1595 (ends Jan 15)
    • Onsite: $1895 (Jan 16 – Jan 19)
    • Academic: $600 (ends Dec 15)
    • Group: 10% – 15% discount (ends Dec 15)
    • Press: $0
  • Training
    • $1800 – $3800 per course

Group Registration: There is a 10% discount for groups of 6 or more. Groups of 12 or more receive a 15% discount. This discount rate applies to the Briefings portion only. If there are 4 or more people from your group attending the same training class and session, you can also qualify for a discount on the Training portion. The discount will be based on the rate at the time that you submit your group registration agreement form. Group registrations must be paid by Dec 15.

Academic Registration: The Academic registration is available to those who are either full-time students or full-time professors at an accredited university. The academic registration rate is $600, but gives you access to the Briefings portion only. Registration for the Academic pass ends on December 15, 2010.

Press Registration: Any media member that works for a publication that covers computer security on a regular basis can apply for a free press pass. Be prepared to show copies of your articles, a business card, and your assignment editor’s contact information. The press pass is normally only granted for the Briefings portion, but in very rare cases may be granted for the Training portion as well. During the conference a press room with internet access will be provided, and a separate room for filming interviews may also be available.

Briefings for Black Hat DC 2011

The 14 briefings that will be presented at the 2011 Black Hat DC are as follows:

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications
Speaker: David Perez

In this presentation they will show a practical attack against GPRS, EDGE, UMTS and HSPA (2G/3G) mobile data communications. They will demonstrate that an attacker with a budget of less than $10,000 can set up a rogue BTS, make the victim devices connect to such BTS, and gain full control over the victim’s data communications. Two vulnerabilities make the attack possible: first, the absence of mutual authentication in GPRS and EDGE (2G), which makes GPRS and EDGE devices completely vulnerable to this attack, and second, the mechanism implemented on most UMTS and HSPA (3G) devices that makes them fall back to GPRS and EDGE when UMTS or HSPA are not available, which makes it possible to extend the attack to these 3G devices.

Counterattack: Turning the tables on exploitation attempts from tools like Metasploit
Speaker: Matthew Weeks

In hostile networks, most people hope their con kung-fu is good enough to avoid getting owned. But for everyone who has ever wanted to reverse the attack, not getting owned is not enough. We will see how it is often possible for the intended victim to not only confuse and frustrate the attacker, but actually trade places and own the attacker. This talk will detail vulnerabilities in security tools, how these vulnerabilities were discovered, factors increasing the number of vulnerable systems, how the exploits work, creating cross-platform payloads, and how to defend yourself whether attacking or counterattacking. The audience will be invited to participate as complete exploit code will be released and demonstrated against the Metasploit Framework itself.

Checkmate with Denial of Service
Speaker: Tom Brennan

Denial-Of-Service is an attempt to make a computer resource unavailable to its intended users. A new and very lethal form of Layer 7 attack technique, which uses slow HTTP POST connections, was discovered. An attacker will send properly crafted HTTP POST headers, which contains a legitimate “Content-Length” field to inform the web server how much of data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up precious server resources.

They will demonstrate how an “agentless” DDOS botnet can be created via malicious online games and how a victim website can be brought down in matter of minutes using the HTTP POST DDOS attack.

The Getaway: Methods and Defenses for Data Exfiltration
Speaker: Sean Coyne

There are several stages to a successful cyber attack. The most crucial of which is also the least discussed: data theft. Whether it be financial information, intellectual property, or personally identifiable information; the most valuable thing on your network is the data. Intruders may get in, but until they get out with what they came for, the game’s not over. During this presentation they will take a look at some of the advanced methods of stealing data they have recently encountered in the field, including: preparing and cleaning staging areas, avoiding DLP/traffic scanning products, and how attackers use a victim’s own infrastructure and architecture against them.

De-Anonymizing Live CDs through Physical Memory Analysis
Speaker: Andrew Case

Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations. In order to solve this problem, they present a number of techniques that allow for complete recovery of a live CD’s in-memory filesystem and partial recovery of its previously deleted contents. They also present memory analysis of the popular Tor application as it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.

Beyond AutoRun: Exploiting software vulnerabilities with removable storage
Speaker: Jon Larimer

Malware has been using the AutoRun functionality in Windows for years to spread through removable storage devices. That feature is easy to disable, but the Stuxnet worm was able to spread through USB drives by exploiting a vulnerability in Windows. In this talk, they will examine different ways that attackers can abuse operating system functionality to execute malicious payloads from USB mass storage devices without relying on AutoRun. There’s a lot of code that runs between the USB drivers themselves and the desktop software that renders icons and thumbnails for documents, providing security researchers and hackers with a rich set of targets to exploit. Since the normal exploit payloads of remote shells aren’t totally useful when performing an attack locally from a USB drive, they will look at alternative payloads that can give attackers immediate access to the system. To show that these vulnerabilities aren’t just limited Windows systems, they will provide a demonstration showing how they can unlock a locked Linux desktop system just by inserting a USB thumb drive into the PC.

Malware Distribution via Widgetization of the Web
Speaker: Neil Daswani

The Web 2.0 transformation has in part involved many sites using third-party widgets. They present the “widgetized web graph” showing the structure of high traffic web sites from the standpoint of widgets, show how web-based malware and scareware is propagated via such widgets, and provide data on how a mass web-based malware attack can take place against the Quantcast 1000 web sites via widgets.

Attacking Oracle Web Applications With Metasploit
Speaker: Chris Gates

In 2009, Metasploit released a suite of auxiliary modules targeting oracle databases and attacking them via the TNS listener. This year lets security test Oracle but do it over HTTP/HTTPS. Rather than relying on developers to write bad code, lets see what can be done with default content and various unpatched Oracle middleware servers that you’ll commonly run into on penetration tests. They will also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.

Inglourious Hackerds: Targeting Web Clients
Speaker: Laurent Oudot

This talk will look at technical security issues related to multiple internet web clients. While such tools are used to crawl the internet and retrieve information, there might exist many scenarios where evil attackers can abuse them. By studying the protocols, and by doing some kind of fuzzing operations, they will show how TEHTRI-Security was able to find multiple security issues on many handled devices and workstations.

Hacking the Fast Lane: security issues with 802.11p, DSRC, and WAVE
Speaker: Rob Havelt

The new 802.11p standard aims to provide reliable wireless communication for vehicular environments. The P802.11p specification defines functions and services required by Wireless Access in Vehicular Environments (WAVE) conformant stations to operate in varying environments and exchange messages, either without having to join a BSS or within a BSS, and defines the WAVE signaling technique and interface functions that are controlled by the 802.11 MAC.

Wireless telecommunications and information exchange between roadside and vehicle systems present some interesting security implications. This talk will present an analysis of the 802.11p 5.9 GHz band Wireless Access in Vehicular Environments (WAVE) / Dedicated Short Range Communications (DSRC), Medium Access Control (MAC), and Physical Layer (PHY) Specifications of this protocol. They will present methods of analyzing network communications (GNU Radio/USRP, firmware modifications, etc.), and potential security issues in the implementation of the protocol in practical environments such as in toll road implementations, telematics systems, and other implementations.

Your crown jewels online: Attacks to SAP Web Applications
Speaker: Mariano NUNEZ Di Croce

“SAP platforms are only accessible internally”. You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization’s SAP platform in order to perform espionage, sabotage and fraud attacks.

Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations will be detailed.

Kernel Pool Exploitation on Windows 7
Speaker: Tarjei Mandt

In Windows 7, Microsoft introduced safe unlinking to the kernel pool to address the growing number of vulnerabilities affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to adjacent list entries. Hence, an attacker cannot easily leverage generic “write 4” techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this talk, they show that in spite of the efforts made to remove generic exploit vectors, Windows 7 is still susceptible to generic kernel pool attacks. In particular, they show that the pool allocator may under certain conditions fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In order to thwart the presented attacks, they conclusively propose ways to further harden and enhance the security of the kernel pool.

Identifying the true IP/Network identity of I2P service hosts
Speaker: Adrian Crenshaw

They will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the internet host providing the service, the anonymity set of the person that administrates the service can be greatly reduced. The core of this presentation will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators may make that could expose a service provider’s identity or reduce the anonymity set they are part of. They will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network.

Responsibility for the Harm and Risk of Software Security Flaws
Speaker: Cassio Goldschmidt

Who is responsible for the harm and risk of security flaws? The advent of worldwide networks, such as the internet, made software security an international problem. There are no mathematical risk models available today to assess networked systems with interdependent failures. Experience suggests that no party is solely responsible for the harm and risk of software security flaws, but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood.

This presentation describes the role of each player involved in the software lifecycle and the incentives (and disincentives) they have to perform the task, the network effects of their actions, and the results on the state of software security.

Black Hat DC 2011 Conference

Training Courses for Black Hat DC 2011

There will be 11 courses offered at the 2011 Black Hat DC conference, ranging in price from $1800 to $3800 per course. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered for each class. The 11 courses are as follows:

Cyber Network Defense Bootcamp
Trainer: Adam Meyers

A two day workshop focusing on the progression from incident identification, investigation and malware analysis to explaining to management why it matters. In other words, how to go from geek to sleek.

Real World Security: Attack, Defend, Repel
Trainer: Peak Security

An intensive two day course for security professionals that want to up the ante on their current skill sets in offensive and defensive security. Learn new tactics and receive guidance from expert instructors while you test yourself in a team vs team environment.

Designing Secure Protocols and Intercepting Secure Communication
Trainer: Moxie Marlinspike

This training covers both designing and attacking secure protocols. Attendees will learn the fundamentals of how to design a secure protocol, and be armed with the knowledge of how to evaluate the security of and discover weaknesses in existing protocols.

CISSP Boot Camp (Four Day Course – Jan 16-19)
Trainer: Shon Harris

This Logical Security course trains students in all areas of the security Common Body of Knowledge (CBK). Using this course, students prepare for the exam, while at the same time obtaining essential security knowledge that can be immediately used to improve organizational security.

Information Assurance Officer (IAO) Course (CNSS-4014E) Certified
Trainer: Information Assurance Associates (IA2)

Very intense, highly concentrated, non-technical professional training necessary to achieve the fundamental knowledge needed to define, design, integrate and manage information system security policies, processes, practices, and procedures within federal interest information systems and networks.

Tactical Exploitation
Trainer: Val Smith

Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits.

Virtualization for Incident Responders
Trainer: Eric Fiterman, Methodvue

Principles and techniques for recovering evidence from virtualized systems and cloud environments – this course is intended for information security personnel who are responsible for handling incidents involving virtual infrastructure, cloud service providers, or desktop virtualization platforms.

Digital Intelligence Gathering Using Maltego
Trainer: Paterva

Unlock the true potential and raw power of Maltego. Learn how to navigate and map the internet’s darkest rivers.

TCP/IP Weapons School 3.0
Trainer: Richard Bejtlich, TaoSecurity

Use the network to your advantage while building incident detection and response skills to counter advanced and targeted threats.

Database Breach Investigations: Oracle Edition
Trainer: David Litchfield

This training course will teach students the tricks and techniques hackers use to break into Oracle database servers and then how to peform a database security breach investigation covering evidence collection, collation and analysis using V3RITY for Oracle, the world’s first database specific forensics and breach investigation tool.

Windows Physical Memory Acquisition and Analysis
Trainer: Matthieu Suiche

Learn all about memory dumps, including how they work and deep analysis using Windbg.

Black Hat DC 2011 Conference

More on Black Hat

You can follow Black Hat on Twitter, Facebook, and LinkedIn.

Twitter: Black Hat has two accounts on Twitter. For security research and updates on Black Hat events, follow @blackhatevents. For behind the scenes information from Black Hat HQ staff members, follow @blackhathq.

Facebook: Black Hat maintains an active Facebook page to communicate with members of the security community and provide information updates.

LinkedIn: Black Hat also maintains a LinkedIn group to reach out to professional security experts and provide information updates.

Will you be attending Black Hat DC 2011? Have you attended past Black Hat events? If so, what did you like the best?

Increasing Website Sales: Rob Walling’s 2010 Business of Software Presentation
Posted on by Zuly GonzalezCategories Business of Software, Events, Startups3 Comments on Increasing Website Sales: Rob Walling’s 2010 Business of Software Presentation

This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.

Rob’s 2010 Business of Software presentation: “The Primary Goal of Your Website” – What’s the primary goal of your website? Not to sell software. With most visitors returning multiple times before making a purchase, your primary goal should be to draw visitors back to your site.

Rob Walling at the 2010 Business of Software conference (BoS2010)
Image credit: Betsy Weber

Rob Walling’s 2010 Business of Software presentation was another BoS2010 talk I really enjoyed, and got a lot of value out of. Rob discussed how we can use permission based email marketing to increase sales and profits. His presentation was eye opening for me, because I always thought of email marketing as ineffective, and a nuisance to the receiving party.

I spoke to Rob very briefly, and he seemed like a genuinely nice guy. I even got to see his adorable baby boy, and I’ll tell you what, he is definitely one of the cutest babies I’ve ever seen!

Effectively Using Your Website

Most of us think that the number one goal of our website is to sell our products. And in a way it is. However, to best achieve that you must motivate a visitor to return to your website.

Rob has researched this topic, and determined that returning visitors are much more likely to purchase your product than first time visitors (and he shared some statistics to back it up). In essence, the ineffective marketer asks you to buy too soon.

The main reasons why people don’t buy from your website are:

  • There’s not enough information on your website to make the decision.
  • They don’t trust you.
  • They don’t have the money.
  • They don’t have a need for your product.
  • They are never going to buy your product.

Rob examines each of these reasons, and suggests how to overcome all of these issues (except for the last one, because there’s nothing you can do about that).

A note on that first bullet item about insufficient information on your website: When Rob mentioned this, the first thing that came to mind was Bob Walsh’s StartupToDo website. I’ve heard good things about StartupToDo, and have thought about joining on several occasions. However, the fact that there’s no evidence on the website of the quality of the service has kept me from joining – even with the free 30 day trial. I’d just like to see a sample Guide, or two, before giving away my information. So I can totally relate to that first bullet item. Rob’s own Micropreneur Academy, which is similar to StartupToDo, is guilty of this.

Statistics on Returning Website Visitors

Rob shared with us statistics from four websites showing the importance of repeat visitors. These are all his websites, except for CrazyEgg.

  • DotNetInvoice: Using three years worth of data, Rob determined that returning visitors accounted for 450% more sales than first time visitors. The per visit value earned from first time visitors was $0.55, and $2.41 for returning visitors – a 440% increase.
  • JustBeachTowels: Looking at a one year period shows that returning visitors accounted for 770% more sales than first time visitors. The per visit value earned from first time visitors was $0.17, and $1.53 for returning visitors. That’s a 900% increase!
  • Another WordPress Classifieds Plugin: Here Rob saw a 583% increase from returning visitor sales over first time visitor sales. He looked at 8 days worth of data.
  • CrazyEgg: A 60 day period showed returning visitors accounted for 1585% more sales than new visitors.

To clarify the term returning visitor, Rob defines a returning visitor as someone who has returned to the website more than two times. However, someone can visit the website from more than one computer. So with that in mind, the actual percentages of sales to returning visitors are actually higher than the statistics indicate.

So now that you’re convinced on the value of returning visitors, the question is, how do you get visitors to return to your website?

Getting Returning Visitors to Your Website

Email is your answer. Email has the highest click through rates, and is one of the most effective ways to get people to return to your website. Email is a form of personalized broadcasting – the ability to communicate with a large number of people, while making it seem like an individual/personal communication. And as a bonus, email is an excellent way to A/B test pricing and special offers.

Blogging is much harder to pull off than email – it is also a lot more time consuming. Blogging is a good way to get someone to initially visit your website. But, after that initial visit, it’s much harder to motivate someone to return to your website with blogging. Social media can be effective, however, it’s very time intensive as well.

By following the simple 3 step process outlined below, you will increase the number of returning visitors to your website. This process takes advantage of the benefits of email, and should increase your revenue by 10%. Best of all, it will only take about 2 days to implement.

Step 1: Create a killer landing page. Don’t skimp on design. Ensure your landing pages are truly optimized to get your visitors to give you their email address (and permission to contact them). For example, provide a free downloadable user’s manual to your product, or a free demo. Also, don’t make your form too long, or you’ll turn away potential customers. In general, the more value your freebie is perceived to have, the more information your visitor will be willing to give up. Take a look at the below landing pages for inspiration.

Good landing page example - credit card processing

Good landing page example - DotNetInvoice

Good landing page example - Stripe-A-Zone

Step 2: Give something away for free. For example, consider putting together an eBook on a topic of interest to your target market, and give it away in exchange for an email address. It really helps to be unique here. The more unique (and valuable) the free item, the more email addresses you’ll get in return. Smart Bear Software gives away a free book (yup, book, as in an actual physical book) on peer code review. The makers of freckle time tracking give away an eBook on credit card processing.

Smart Bear Software Free Book Offer

Free eBook example from freckle time tracking

Step 3: Setup the follow-up. Follow up with your prospective customers via email. Rob recommends using MailChimp, which offers free service for lists with up to 1,000 subscribers.

Now, let’s go back to the reasons why people don’t buy from your website, and how you can counter each of these concerns. These strategies will become the foundation of your follow-up emails to prospective customers.

  • Problem: There’s not enough information on your website to make the decision.
    • Solution: Provide information.
  • Problem: They don’t trust you.
    • Solution: Build trust.
  • Problem: They don’t have the money.
    • Solution: Provide discounts and wait.
  • Problem: They don’t have a need for your product right now.
    • Solution: Stay fresh in their minds and wait.
  • Problem: They are never going to buy your product.
    • Solution: There is no solution. Forget this segment, and focus your energy on something else.

Let’s look at an example that shows how this follow-up technique can work for you. Test group A was allowed to download a free trial with no email required. Those in test group B needed to provide a valid email address to download the free trial, and were exposed to the below follow-up sequence.

  • On day 0 they received a welcome email with a $5 discount coupon, a link to the free trial, a link to the Getting Started Guide, and customer testimonials.
  • On day 2 they received an email with a buying guide (that highlighted other products), information on the standard and pro plans, information on their iPhone app, and customer testimonials.
  • On day 6 they received an email with an invitation to subscribe to their newsletter, benefits to some of the available features, and customer testimonials.
  • On day 30 they received an outright invitation to buy, and more customer testimonials.

The number of downloads by test group B was down by 33.6% when compared to test group A. That’s not a big surprise since those in group B had to overcome the fear of providing personal information. However, test group B showed a 3.4% increase in sales, an increase in profits by 15.4%, and an increase in first-time purchases by an average of 13.5%.

Avoiding Spam Filters

An extremely costly mistake you can make is letting your emails get stuck in spam filters. Not only is this going to destroy your email marketing, it can also hurt your brand (and reputation), if customers are not receiving your support emails.

Some common, and not so common, spam filter triggers are:

  • Sending the email message only in HTML format instead of text format.
  • Using all capital letters in the subject line.
  • Having a low text to image ratio.
  • Using poorly coded HTML.
  • Using the following terms in your subject line:
    • Dear
    • Extra inches
    • Stop further distribution (instead of using unsubscribe)
    • You registered with a partner
    • Oprah

Side note: This was something we struggled with in the beginning, and still do to some extent. At first, all of our Light Point Security emails were getting flagged as spam. We’ve since made a few changes that helped our emails get through spam filters. By far what helped us the most was using email verification tools, like those provided by All About Spam and Port25 Solutions. These free services print out a report detailing what they found when you send them a sample email message – I highly recommend it.

Increasing Email Open Rates

Now that you’ve made it past a prospective customer’s spam filter, you have to encourage the person to actually open your email message. An important factor in someone’s decision on whether to open your email or not, is the content of the subject line. Emails with the lowest open rates contain the following terms in their subject lines:

  • Reminder
  • Specials: Because it indicates you are trying to sell them something.
  • X% off: Because it indicates you are trying to sell them something.
  • Help: Because it indicates you want something from them.

Something else that has a big influence on email open rates is the From name. The From name is usually the second thing a user sees, and the more personal it is, the better. Remember, people buy from people not companies.

The best choice is to use the sender’s name in the From field. For example, if you receive an email from me, it will say Zuly Gonzalez. The next best option is to use the sender’s name along with the company name. For example, Zuly Gonzalez | Light Point Security. The third best option is to use the person or department’s role. For example, Light Point Security Support. The worst option is to just use the company name. For example, Light Point Security.

Rob Walling presenting at the 2010 Business of Software conference (BoS2010)
Image credit: Mark Littlewood

More Email Marketing Recommendations

One problem you may encounter is people giving you a fake email address. To discourage this behavior, try implementing a double opt-in process. For example, you may require the user to click on a link sent to the email address they provided, in order to validate the email.

A good technique to try is requiring the user’s email address at install time, instead of before downloading the free trial. Once they have downloaded the trial, they are much more committed, and will be more likely to give you their email address. You can request the email address after your product has been downloaded in order to send the user a key required to install the product. There was one data point from an audience member who used this technique, and he said it increased his email capture by 10%.

If you haven’t contacted someone within the last 6 months, throw away their email address. After 6 months, odds are they have forgotten about you, and will see your email message as spam.

In your initial welcome email, thank them for buying your product, and ask them what they want to do with your product. Learning how your customers use your product, and why they want to use your product, will help you improve it.

When emailing your users, also ask them if they have any feature requests. Again, this is great feedback you can use to improve your product.

One of the nice things about SaaS products is that you can tell if people are actually using your product, or not. You can use this information to email your inactive customers, and hopefully get some feedback as to why they are not using your product. This can also help you A/B test your email marketing campaigns to learn which emails worked, and which ones flopped.

Key Takeaway From Rob’s BoS2010 Presentation

Returning visitors buy more than first time visitors. Therefore, the primary goal of your website is to encourage visitors to come back. Because the most effective way to get returning visitors is via permission based email marketing, the main goal of your website is to obtain a visitor’s email address. After obtaining email addresses, implement an email follow-up strategy.

Rob posted a brief summary of his 2010 Business of Software presentation on his blog, along with a copy of the slides.

Memorable Quote

The most memorable quote from Rob’s BoS2010 presentation was:

  • “The ineffective marketer asks you to buy too soon.”

More on Rob Walling

Rob Walling is a serial entrepreneur and author of Start Small, Stay Small: A Developer’s Guide to Launching a Startup. He blogs at SoftwareByRob.com about building self-funded startups and runs the Micropreneur Academy, an online learning community of like-minded founders designed to get a startup from zero to launch in six months. Walling runs 11 one-man technology businesses and has been building web applications professionally for 11 years.

Follow Rob on Twitter here.

You can find Rob’s blog here.

If you found this information to be useful, take a look at Rob’s new book, Start Small, Stay Small: A Developer’s Guide to Launching a Startup – you can even download the first chapter for free. You can also read the chapter on virtual assistants on Jason Cohen’s Smart Bear blog.

What are your thoughts on Rob’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Rob’s presentation? What was your key takeaway from his talk?

Categories
Archives