Facebook Supports HTTPS Secure Connection
Posted by Zuly Gonzalez | Categories: How To, Security, Web Security | 7 Comments

HTTPS Secure Connection

Facebook announced that it will expand its current usage of HTTPS to all Facebook pages. Until now Facebook had only supported HTTPS on its login page in order to encrypt a user’s password. Now they will give users the option to experience Facebook entirely over HTTPS.

This is a huge step forward for Facebook, who in my opinion, has hugely neglected the privacy and security issues plaguing the social network. My only complaint is that Facebook has decided not to make this a default setting, so users must manually turn the option on (I show you how to do this below). Facebook points out that some features, including many third-party applications, are currently not supported in HTTPS. They are working to resolve those issues, and claim that they plan to offer HTTPS as a default in the future. Let’s hope they keep their word.

What Is HTTPS?

HTTPS is a protocol that allows secure communication with a website by encrypting user data, and prevents eavesdroppers from obtaining your personal information. HTTPS is used by online banking and financial institutions to secure your financial information.

Because there are tools available that allow malicious attackers to obtain unencrypted data being transferred by your web browser, it is especially important to use HTTPS when using an unprotected public Wi-Fi connection, such as those found at Starbucks and airports.

You know you are in an HTTPS session if you see https in the address bar, instead of http. You will also see a yellow lock in your browser window. Internet Explorer displays the lock in the address bar, while Firefox displays the lock in the lower right corner of your browser window. And depending on what browser you use, the address bar may change color when in an HTTPS session.

How to Enable HTTPS

As I mentioned above, Facebook did not enable HTTPS usage by default, so if you want to use HTTPS on Facebook, you must manually set it. Here I show you how to do this. (Please note that this feature will not be available to all 500 million users at once, but will instead be rolled out slowly over the next few weeks.)

I highly encourage you to set HTTPS as your default, especially if you frequently use unsecured public Wi-Fi. If you are relying on remembering to switch over to HTTPS when in public, I can almost guarantee you will forget. It’s best to set it, and forget it. If having HTTPS enabled becomes too annoying for you because you just can’t get enough of FarmVille, then you can always turn it off.

To enable HTTPS, first go to Account Settings. You can find Account Settings in the Account tab drop down menu located in the upper right corner.

Facebook Account Settings

Once in the Account Settings page, go down to Account Security and click on the change link.

Facebook Edit Account Settings

If the HTTPS feature has been rolled out to your account, you will see an option that says “Secure Browsing (https), Browse Facebook on a secure connection (https) whenever possible”. Click on the box next to that option to enable it, and hit save. If you do not see the option for Secure Browsing that means that this feature has not been rolled out to your account yet.

Facebook HTTPS Settings

For more on this, check out this video from Facebook.

And if you’re interested in Facebook security, learn how to remove malicious third party apps from your Facebook account.

Has HTTPS been rolled out to your Facebook account yet? If you’ve tried it out, how has it impacted your Facebook experience? Is it noticeably slower? Are there any games, or other apps, that don’t work?

Guide to Removing Malicious Apps From Your Facebook Account
Posted by Zuly Gonzalez | Categories: How To, Security, Web Security | 10 Comments

Let’s kick off this new year right by removing unnecessary third party apps from our social media accounts. (This blog post is a How To guide on removing third party apps from your Facebook account. For a guide on removing apps from your Twitter account, see this blog post.)

My sister informed me that she has given 146 apps permission to access her Facebook account. That is just too many! And I know for a fact that some of those apps have malicious intentions, because my Facebook wall has been spammed by some of them.

I, for one, only allow a certain few applications that I trust access to my social accounts. Why? Because for starters, you don’t know what an application was really designed to do. Cyber criminals can create malicious applications designed to steal your personal information, or to take over your account in order to trick your friends into clicking on a malicious link. If you inadvertently give one of these malicious apps permission to access your account, you and your friends risk losing valuable personal information. So unless you trust the source of the application, do not give it access to your social account!

Secondly, although a third party application may be legitimate (and not intent on ruining your life), it may unknowingly contain security holes that open it up to being hacked by cyber criminals. So, the more third party apps you give permission to access your social account, the more vulnerable that account becomes.

Which Applications Should You Remove?

You should have as few third party applications as possible accessing your social accounts. Again, the more apps you have accessing your account, the more vulnerable that account is. You should remove:

  • any application you do not recognize
  • any application you no longer use or need
  • any application that has been identified as malicious or not secure

Examples of such applications include contest or prize apps you have given permission to send out a message on your behalf during a contest. For example, there are many applications designed to send out a tweet to all of your followers alerting them that you have entered a contest. That’s fine to do if you wish to, but once the contest is over, you should revoke that app’s access to your account, because it is no longer needed.

It is also good practice to remove any applications you do not recognize. Usually this means that you either gave an app permission to access your account without realizing it (a sign that the app may be malicious), or you knowingly gave it permission a long time ago, and no longer use it so you forgot about it. If it turns out that you removed an app you actually need, you can always re-allow it to access your social account. It’s better to be safe than sorry.

And of course, if a report comes out that an application you are using is malicious, you should immediately revoke its access. For example, a malicious Facebook app was recently released that spreads virally by posting itself on users’ walls.

How to Remove Apps From Your Facebook Account

To remove third party applications from your Facebook account, follow these 5 easy steps.

Step 1: While logged into your Facebook account, click on Privacy Settings. You can find Privacy Settings by clicking on the Account tab.

Facebook Privacy Settings

Step 2: Go to the bottom of the Privacy Settings page, and click on the Apps and Websites link.

Facebook Privacy Settings Page

Step 3: Click on the Edit Settings button in the Apps you use section.

Facebook App - Edit Settings

Step 4: Once in the Apps You Use Page, you will see a list of all the third party apps you have given permission to access your Facebook account. Look for any apps that you either don’t recognize or no longer have a need for. To revoke an app’s permission, simply click on the x next to the Edit Settings link.

Facebook: Remove App

Step 5: Click on the Remove button to confirm your selection.

Facebook: Confirm App Removal

At this point the app you selected has been removed. Repeat steps 4 and 5 until you have removed all unwanted apps.

You also have the option to view the permissions each app you have given access to has. You can do this by clicking on the app. For example, the image below shows that the app I have selected only has permission to access my basic information, and send me an email. Some apps, on the other hand, pretty much have the freedom to do as they please on your account. You can use this information to help you determine whether you should revoke an app’s permission.

What a Facebook app has permission to do

If you’d like, watch the Sophos video below, which walks you through the same exact steps I just did.

Do you also have a Twitter account? Learn how to remove third party apps from your Twitter account.

How many Facebook apps have you given permission to access your account? How many apps did you end up removing? Were you surprised with what you found? Share with us in the comments.

How to Remove Third Party Apps From Your Twitter Account
Posted by Zuly Gonzalez | Categories: How To, Security, Web Security | 4 Comments

Let’s start off 2011 right by removing unnecessary third party apps from our social media accounts. (This blog post is a How To guide on removing third party apps from your Twitter account. For a guide on removing apps from your Facebook account, see this blog post.)

My sister informed me that she has given 146 apps permission to access her Facebook account. That is just too many! And I know for a fact that some of those apps have malicious intentions, because my Facebook wall has been spammed by some of them.

I, for one, only allow a certain few applications that I trust access to my social accounts. Why? Because for starters, you don’t know what an application was really designed to do. Cyber criminals can create malicious applications designed to steal your personal information, or to take over your account in order to trick your friends into clicking on a malicious link. If you inadvertently give one of these malicious apps permission to access your account, you and your friends risk losing valuable personal information. So unless you trust the source of the application, do not give it access to your social account!

Secondly, although a third party application may be legitimate (and not intent on ruining your life), it may unknowingly contain security holes that open it up to being hacked by cyber criminals. So, the more third party apps you give permission to access your social account, the more vulnerable that account becomes.

Which Applications Should You Remove?

You should have as few third party applications as possible accessing your social accounts. Again, the more apps you have accessing your account, the more vulnerable that account is. You should remove:

  • any application you do not recognize
  • any application you no longer use or need
  • any application that has been identified as malicious or not secure

Examples of such applications include contest or prize apps you have given permission to send out a message on your behalf during a contest. For example, there are many applications designed to send out a tweet to all of your followers alerting them that you have entered a contest. That’s fine to do if you wish to, but once the contest is over, you should revoke that app’s access to your account, because it is no longer needed.

It is also good practice to remove any applications you do not recognize. Usually this means that you either gave an app permission to access your account without realizing it (a sign that the app may be malicious), or you knowingly gave it permission a long time ago, and no longer use it so you forgot about it. If it turns out that you removed an app you actually need, you can always re-allow it to access your social account. It’s better to be safe than sorry.

And of course, if a report comes out that an application you are using is malicious, you should immediately revoke its access. For example, a Trojan horse was recently discovered in repackaged versions of various applications and games in the Android Market.

How to Remove Third Party Apps

To remove third party applications from your Twitter account, follow these 3 easy steps.

Step 1: While logged into Twitter, go to Settings. You can find Settings by clicking the drop down arrow next to your Twitter username.

Twitter Account Settings

Step 2: Once in your Settings page, click on Connections.

Twitter Account Settings - Connections

Step 3: While in the Connections page, you will see a list of all the third party apps you have given permission to access your Twitter account. It will also list the date and time you gave each app permission to access your account, and the permissions given to that app (e.g. read and write access, read-only access). Look through the list for any apps that you don’t recognize, or no longer use. To remove unwanted apps, click on the Revoke Access link associated with that app.

Twitter Revoke Access To Third Party Apps

At this point any permissions you have granted that app have been revoked. You can verify that the action did in fact take effect: the link that said “Revoke Access” now says “Undo Revoke Access”. You will also notice that the app’s icon is now grayed out. Once you navigate away from the Connections page you will no longer see the removed app in your list.
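The removal rules under “Which Applications Should You Remove?” (in both the Facebook and Twitter posts above), together with the grant date and permissions the Connections page lists for each app, can be turned into a small audit. The following is an added example and not code from the post or from either platform; the grant records, the trusted and reported-malicious lists and the scope names are constructed for the example, not real platform permission names.

```python
"""Review third-party app grants against the removal rules in the posts
above. Added example; the grant records below are constructed and the
scope names are assumptions, not any platform's real permission names."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scopes that let an app act as you (post, tweet, message) rather than only read.
WRITE_SCOPES = {"publish_stream", "write", "direct_messages"}


@dataclass
class Grant:
    app: str
    granted: date               # when you authorized it (Twitter's Connections page shows this)
    last_used: Optional[date]   # None if the app never did anything after being authorized
    scopes: frozenset


def review(grants, trusted, known_bad, today, stale_days=180):
    """Return {app name: [reasons]} for every grant that should be revoked."""
    verdicts = {}
    for g in grants:
        reasons = []
        if g.app in known_bad:                  # rule 3: reported malicious or not secure
            reasons.append("reported malicious")
        if g.app not in trusted:                # rule 1: you do not recognize it
            reasons.append("not recognized")
        idle = (today - (g.last_used or g.granted)).days
        if idle > stale_days:                   # rule 2: no longer used or needed
            reasons.append(f"unused for {idle} days")
        # Write access is not a reason by itself, but it makes revocation more urgent.
        if reasons and g.scopes & WRITE_SCOPES:
            reasons.append("can post on your behalf")
        if reasons:
            verdicts[g.app] = reasons
    return verdicts


def audit_sample():
    """Run the review over a constructed grant list as of 3 January 2011."""
    today = date(2011, 1, 3)
    grants = [
        Grant("Photo Backup", date(2010, 6, 1), date(2010, 12, 28), frozenset({"email", "user_photos"})),
        Grant("ContestTweeter", date(2010, 3, 15), None, frozenset({"write"})),
        Grant("FreeGiftCards", date(2010, 12, 30), date(2010, 12, 30), frozenset({"publish_stream", "email"})),
        Grant("MysteryQuiz", date(2009, 11, 2), None, frozenset({"basic"})),
    ]
    trusted = {"Photo Backup", "ContestTweeter"}   # apps you knowingly authorized
    known_bad = {"FreeGiftCards"}                  # e.g. named in a published report
    return review(grants, trusted, known_bad, today)


if __name__ == "__main__":
    for app, reasons in audit_sample().items():
        print(f"revoke {app}: {', '.join(reasons)}")
```

The contest app is trusted but has sat idle since the contest, so it is flagged on the “no longer needed” rule, and its write scope is called out because an idle app that can post as you is exactly the kind a hijacked or sold app would abuse.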

Twitter Undo Revoke Access For Third Party Apps

Do you also have a Facebook account? Learn how to remove third party apps from your Facebook account.

What did you find in your Twitter Connections page? Were you surprised with what you found? Share with us in the comments.


Department of Defense Cyber Crime Conference 2011
Posted by Zuly Gonzalez | Categories: Computer Security, Events, Security | 1 Comment

The DoD Cyber Crime Conference focuses on all aspects of computer crime and incident response including intrusion investigations, cyber crime law, digital forensics, information assurance, cyber crime investigations, as well as the research, development, testing, and evaluation of digital forensic tools.

The goal is to prepare attendees for the new crimes of today and the near future. Speakers will discuss new approaches and new perspectives. The conference is sponsored by the DoD Cyber Crime Center.

The 2011 DoD Cyber Crime Conference will be held January 21-28, 2011 at the Hyatt Regency Hotel in Atlanta, GA.

Department of Defense Cyber Crime Conference 2011

Cyber Crime Conference Schedule

The schedule for the 2011 Department of Defense Cyber Crime Conference is as follows:

Pre-Conference Training: January 21-24, 2011
Conference: January 25-28, 2011
Exposition: January 25-27, 2011

Who Can Attend the Cyber Crime Conference

In order to attend the conference you must fall into one of the categories below:

  • DoD personnel
  • DoD-sponsored contractors
  • Defense Industrial Base (DIB) Partners (CIPAC)
  • Federal, state and local law enforcement
  • U.S. sponsored government representatives working in the following fields:
    • Counterintelligence Special Agents
    • Criminal Investigators
    • Computer Forensics Examiners
    • Prosecutors – federal, state, local, military
    • DoD Information Assurance/Systems Administrators
    • Computer Forensics Research and Development Personnel
    • Federal, State and Local Law Enforcement
    • Educators in federally funded information assurance programs, such as CyberCops or the National Centers of Excellence for Information Assurance
  • U.S.-sponsored government representatives from Australia, Canada, the United Kingdom and New Zealand

Registration Fees

Registration is open for the 2011 Cyber Crime Conference, and closes on January 14, 2011. The registration fee schedule is as follows:

  • Early Registration (ends December 31, 2010)
    • Government Attendee: $400
    • Industry Attendee: $575
    • Fee includes: Tuesday night reception and all activities from Tuesday morning through Friday. This does not include the pre-conference training.
  • Late Registration (after December 31, 2010)
    • Government Attendee: $500
    • Industry Attendee: $675
  • Speaker Registration
    • Fee: $150
    • Fee applies only for those attending conference sessions (the conference sessions begin Tuesday morning and end Friday).
    • Fee includes: The reception and all activities.
  • Classified Training (Cyber Counterintelligence)
    • Fee: $80
    • Clearances must be submitted no later than 4 January 2011.
  • Exhibitor Registration
    • Fee: $135
  • Press Registration
    • Fee: $0
    • Press can attend the general session on January 25, 2011

Training Sessions for Cyber Crime Conference 2011

The 16 training sessions that will be available at the 2011 DoD Cyber Crime Conference are as follows:

DoD Cyber Crime Conference Training Session

Follow the Script Please!
This workshop will introduce students to the concepts of writing and editing scripts to automate incident response activities. Students will learn how to author and edit incident response scripts for Windows and Linux environments. This session is intended for beginners and those who simply need a refresher.

Advanced Network Intrusion Traffic Analysis
Attendees will learn how to identify intrusion traffic, understand the techniques used by the attacker, and how to reconstruct the intrusion traffic. Attendees will also learn how to identify the attack vector and mitigate loss and secure the vulnerability using Wireshark, Netwitness and Snort.

Analyzing Malicious Carrier Files
This class will cover the fundamentals of analyzing malicious carrier files such as PDFs, Microsoft Office documents, and CHM files, used in spear phishing attacks. They will cover the structure of common carrier file types and methods for recognizing, extracting, deobfuscating and analyzing embedded scripts and shellcode. They will then leverage this embedded logic to enable accurate extraction of any additional payloads found within the carrier file. This course will be a combination of file-level forensic examination and malicious code analysis.

Introduction to Botnets

Botnets are a significant part of the Advanced Persistent Threat (APT) facing corporate and government networks today. This course introduces botnets and gives the students an opportunity to get hands-on experience setting up and running a self-contained botnet.  In addition, students will look at the evidence left behind from a botnet compromise in network traffic and Windows system artifacts.

Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks

Cyber analysis is a growing field that combines traditional analysis with the highly technical concepts of network intrusions to determine how various incidents are connected. This course provides an overview of cyber analysis as it applies to the network intrusion problem, and covers a basic overview of network intrusions and electronic artifacts, an introduction to basic Analyst Notebook use, and an introduction to analyzing the data.

Introduction to EnCase for Prosecutors and Case Agents
A quality computer forensic examination is worthless if the communicated results are not understood by the consumer. This course will cover some of the basic terminology, functions, capabilities and limitations of a common primary forensic tool used during forensic examinations.

Intro to Malware Analysis Techniques
This course teaches fundamentals and concepts involved in malware analysis at a basic level. Malicious code is often found on computer systems during network intrusion investigations. The main goals of analysis are to assess an executable to discover its functionality, and to identify the artifacts of its presence and usage.

Mac Forensics – 2011
This training addresses forensic examinations of Mac systems (OS X). They will approach the Mac platform with traditional forensic methods using EnCase to find and analyze OS X artifacts. They will also use OS X to examine exported OS X specific data which can best be viewed in its native environment.

Network Exploitation Analysis Techniques
This training session combines the disciplines of Pen Testing, Information Assurance, and Forensics into a unique opportunity to learn the components of a network attack, the traffic the attack generates, and the artifacts left behind. Presenters will use Metasploit to launch attacks while monitoring network traffic for analysis. After examining the captured traffic, forensic artifacts of the attack will be identified and discussed.

NW3C TUX4N6

This course will teach students how to use the TUX4N6 digital triage tool to safely preview the active files on a suspect computer in a forensically sound manner.  The TUX4N6 tool is based on the Linux operating system and has the advantage of being able to “read” other computer system’s files without writing to or altering the data on those systems. Students will be taught how to conduct a manual search of a computer, use automated features to search the computer for keywords and specific file types, and how to save evidence to external storage media.

Online Anonymity
In this course, tools and methodologies will be demonstrated and provided that will enable an examiner or investigator to conduct information gathering efforts while obfuscating their source location.

Pen Testing 101
This training session will introduce open source pen testing tools and methods to students. You’ll learn the importance of Rules of Engagement for both tester and target.  Then you’ll dive into a white box test to prepare for the black box test at the end of the session.

Snort for Network Analysis
This training session is intended for incident responders and anyone with a desire to learn how to use Snort to analyze network traffic. Attendees will use Snort to quickly gain insight into the analysis of previously captured network traffic to locate particular files, or types of files, and for “anomalies” that are indicators of an intrusion.

Windows Incident Response
This course focuses on response in a Windows environment. Topics addressed include search and seizure, and incident response with Windows 2003 server.

Wireless Technology Workshop
This session makes use of practical, hands-on exercises to present and reinforce wireless technologies and techniques.  Attendees will learn how to use various wireless technologies and walk away knowing both the strengths and weaknesses of commercial wireless solutions.  Attendees will utilize Bluetooth and WiFi technologies, and learn open-source as well as proprietary attacks to exploit their inherent weaknesses.  Attendees will also capture and analyze open and encrypted data traffic with Wireshark and other open source tools.  Further, the presenters will cover methodologies to secure wireless networks, and techniques to scan for hidden access points and other wireless devices.  Other topics that will be presented include cracking tools, accidental association, direction finding, creating wireless heat maps, and denial of service.

Cyber Crime Conference Training Session

Windows 7 Forensics
Among the topics that will be discussed are: Libraries, Jump Lists, Pinning, Gadgets, Thumbnail Caching, Sticky Notes, exFAT, System Protection and Backup (Windows Backup, System Image, Previous Versions, Volume Shadow Copies), Virtualization, XP Mode, Registry, SuperFetch, Windows Search, Indexing, BitLocker and BitLocker to Go.

SANS Metasploit Kung FU Training Sessions

Metasploit was designed to help testers with confirming vulnerabilities using an Open Source framework. This course will help students get the most out of this free tool. This class will provide students with an in-depth understanding of the Metasploit Framework, and show them how to apply the capabilities of the framework in a comprehensive penetration testing and vulnerability assessment regimen. The class will cover exploitation, post-exploitation reconnaissance, token manipulation, spear-phishing attacks, and the rich feature set of the Meterpreter, a customized shell environment specially created for exploiting and analyzing security flaws. The course will also cover many of the pitfalls that a tester may encounter when using the Metasploit Framework and how to avoid or work around them, making tests more efficient and safe.

Classified Training Session

The classified session will focus on cyber counterintelligence topics in the following areas:

  • Cyber CI Policy both at the National and DoD levels
  • Cyber CI training both at the National and DoD levels
  • What the DoD services are seeing from State and Non-State actors in terms of Cyber CI
  • What the DoD services are doing in regards to Cyber CI
  • National level program with a Cyber CI focus

The briefings will center around the tactics, techniques, and procedures along with updates on current policies, investigations and operations from the services and National level agencies.  Due to the sensitive nature of the Tactics, Techniques and Procedures (TTPs), policies, investigations and operations the session will be classified Secret//NOFORN.

More on the 2011 DoD Cyber Crime Conference

If you have any questions on the conference, email Info@TechnologyForums.com.

Follow the DoD Cyber Crime Conference on Twitter.

Do you plan on attending this conference or any other security conference in 2011?

Facebook Email Scam – Alma Commented on Your Photo
Posted by Zuly Gonzalez | Categories: Computer Security, Security, Web Security | 1 Comment

I received an email message from “Facebook” with the subject line “Alma commented on your photo”. I was so excited, until I realized I wasn’t friends with anyone named Alma…then I was sad 🙁 (Clue #1)

Okay, the truth is I knew it was spam just from reading the subject line; my Facebook settings are not set up to email me every time someone comments on my photos, so this email couldn’t have really been from Facebook. (Clue #2)

I don’t normally open up emails that I know are spam, but now that I blog about this topic, every now and then I’ll open one up to alert you all. Since I knew this was a scam, I opened up the email using our security product, Light Point Web, to avoid infecting my computer with malware. And this is what I found…

About the Facebook Email Scam

Facebook Email Scam - Alma commented on your photo

The email said it was from Facebook, but the email address associated with the account is noreply@netlogmail.com, which is not a Facebook domain. (Clue #3)

If this email had really been from Facebook, I would have expected either my name or email address to be in the To field. However, there was nothing there. This means that my email address was placed in the Bcc line, instead of the To line. This leads me to believe that this email was sent to more than one person, and that the sender did not want the receivers to see all the other email addresses. This is consistent with spammer behavior – they craft one generic email message, and send it to lots of people. (Clue #4)

My email provider had already marked the message as spam – it was sitting in my junk folder when I found it. (Clue #5)

The body of the message said:

Alma commented on your photo.

Alma wrote:
“very nice photo i like thiss “

Reply to this email to comment on this photo.

To see the comment thread, follow the link below:
http://www.facebook.com/n/?photo.php….

Thanks,
The Facebook Team

—–
Find people from your Windows Live Hotmail address book on Facebook! Go to: http://www.facebook.com/find-friends/?ref=email

This message was intended for. If you do not wish to receive this type of email from Facebook in the future, please follow the link http://www.facebook.com/o.php?…
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303

The email asks you to reply to the email in order to comment on that photo. However, Facebook does not support this functionality. (Clue #6)

Notice that the links in the message supposedly have the URL spelled out, and all the links seem to point to the facebook.com domain. But, by hovering your mouse over the link, you can get the real URL the link points to. In this case, all the links in the message point to the website likemp3.net. This is obviously not Facebook (see below for a report of this website). (Clue #7)

Lastly, take a look at the footer of the email. It says, “This message was intended for.”. There should be an email address after the word for in that sentence, otherwise it doesn’t make sense. Since this exact email was sent to various email addresses, the spammers removed that portion from the footer. (Clue #8)

Below is the footer from a legitimate email from Facebook. Compare it to the footer shown in the scam email above.

Facebook Unsubscribe Footer

likemp3.net is a Malicious Website

Norton Safe Web identified likemp3.net to be a malicious website, and found 1 computer threat on the site. A computer threat is an item, such as viruses and worms, that loads directly on your computer, with the potential to do harm to your computer. Please do not go to that site.

Norton Safe Web reports likemp3.net as malicious

How to Protect Yourself From Email Scams

Here are a few things you can do to prevent your computer from being infected with malware:

  • If you receive an email like this one, do not open it, and delete it right away.
  • Never click on links in an email message. Instead type the URL of the website directly in the address bar, and log into your account that way.
  • If you must click on a link in an email (for example, when it is not a “check your account status” type of email), hover over the link and look at what the status bar tells you. If the URL shown in the status bar isn’t for the website you’re expecting to go to, don’t click on the link. In the case of this Facebook email scam, the URL in the status bar doesn’t link to facebook.com. Instead it links to likemp3.net.
  • Note that the only domain name used by Facebook is facebook.com. Any URL that doesn’t start with http://www.facebook.com/ is not an official Facebook page. That’s not to say it’s a malicious site, it’s just not an official Facebook page, so use caution when going to these sites.
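The clues above (sender domain, empty To field, link text that does not match the real destination, the blanked-out “intended for” footer) and the facebook.com domain rule in the last bullet can all be checked mechanically before anyone hovers over anything. The script below is an added example, not code from the post; the two sample messages are constructed for it, and only the sender address noreply@netlogmail.com and the likemp3.net destination come from the post. The HTML layout of the scam message is an assumption about how such a message is built.

```python
"""Heuristic phishing checks mirroring the clues in the post above.

Added example, not code from the original post. The two sample messages are
constructed for this example; only the sender address noreply@netlogmail.com
and the likemp3.net destination come from the post itself.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "facebook.com"   # per the post: Facebook's only official domain

# Constructed scam message modelled on the one described in the post.
SAMPLE_SCAM = """\
From: Facebook <noreply@netlogmail.com>
To:
Subject: Alma commented on your photo
Content-Type: text/html; charset=utf-8

<p>Alma commented on your photo.</p>
<p>To see the comment thread, follow the link below:<br>
<a href="http://likemp3.net/track?id=1">http://www.facebook.com/n/?photo.php</a></p>
<p>This message was intended for. If you do not wish to receive this type of
email from Facebook in the future, please follow the link
<a href="http://likemp3.net/unsub">http://www.facebook.com/o.php?</a></p>
"""

# Constructed legitimate-looking counterpart: addressed to the recipient,
# sent from the brand's domain, link text and href agree, footer is complete.
SAMPLE_LEGIT = """\
From: Facebook <notification@facebook.com>
To: alice@example.com
Subject: Bob commented on your photo
Content-Type: text/html; charset=utf-8

<p>To see the comment thread, follow the link below:<br>
<a href="http://www.facebook.com/n/?photo.php">http://www.facebook.com/n/?photo.php</a></p>
<p>This message was intended for alice@example.com. To unsubscribe follow
<a href="http://www.facebook.com/o.php">http://www.facebook.com/o.php</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def same_site(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def analyze(raw, legit_domain=LEGIT_DOMAIN):
    """Return the list of clue names that fire for one raw RFC 822 message."""
    msg = message_from_string(raw)
    clues = []

    # Clue 3: the From address should be on the brand's own domain.
    _, sender = parseaddr(msg.get("From", ""))
    if not same_site(sender.rpartition("@")[2], legit_domain):
        clues.append("sender-domain-mismatch")

    # Clue 4: a real notification is addressed to you; bulk Bcc mail has an empty To.
    if not msg.get("To", "").strip():
        clues.append("empty-to-header")

    body = msg.get_payload()  # single-part text/html, so this is the HTML string

    # Clue 7 (and the hover-over-the-link advice): compare the URL shown as link
    # text with the host the href really points to, then check that host itself.
    for href, text in ANCHOR_RE.findall(body):
        real_host = urlparse(href).hostname
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host != real_host:
            clue = f"link-text-mismatch:{real_host}"
        elif not same_site(real_host, legit_domain):
            clue = f"offsite-link:{real_host}"
        else:
            continue
        if clue not in clues:
            clues.append(clue)

    # Clue 8: the footer placeholder was blanked out for mass mailing ("intended for.").
    if re.search(r"intended for\s*\.", body):
        clues.append("blank-recipient-footer")
    return clues


if __name__ == "__main__":
    print("scam :", analyze(SAMPLE_SCAM))
    print("legit:", analyze(SAMPLE_LEGIT))
```

The host comparison deliberately accepts subdomains of facebook.com but not look-alikes such as facebook.com.example, which is the distinction the “starts with http://www.facebook.com/” rule in the last bullet is getting at.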

Have you received any Facebook email scams? Tell us about it in the comments section.

Free Black Hat Webcast: Attacking With HTML5
Posted by Zuly Gonzalez | Categories: Computer Security, Events, Resources, Security, Web Security | 1 Comment

Black Hat Logo

The founders of the Black Hat conference, the best computer security conference in the world, will be hosting a free webcast. The webcast, Attacking with HTML5, will be held on December 16, 2010 at 2:00 PM EST. You can register for the Black Hat webcast here.

Black Hat has been hosting security webcasts since July 2008. The Black Hat webcasts are a regular series of live web events focusing on what’s hot in Information Security. Each month, they bring together Black Hat speakers, independent researchers and leading experts to discuss relevant topics in security, and give you a chance to ask questions live. You can see a list of all the previously recorded Black Hat webcasts here.

Attacking With HTML5 Description

HTML5 is a set of powerful features aimed at moving web applications closer to existing desktop applications in terms of user experience and features. HTML5 is not the technology of the future as many believe; it is available right now in almost all modern browsers. Though the widespread use of HTML5 by websites is still a few years away, the abuse of these features is already possible.

Web developers and users assume that just because their site does not implement any HTML5 features that they are unaffected. A large section of the internet community believes that HTML5 is only about stunning graphics and video streaming. This talk will show how these assumptions are completely contrary to reality.

This presentation will show how existing ‘HTML4’ sites can be attacked using HTML5 features in a number of interesting ways. Then they look at how it is possible to use the browser to perform attacks that were once thought to require code execution outside the sandbox. Finally, they will look at an attack where the attacker is not interested in the victim’s data or a shell on the machine, but is instead after something that might perhaps even be legal to steal.

Special Offer for Black Hat DC 2011

If you register for the free webcast, you will receive $250 off of a new registration to the Black Hat DC 2011 Briefings (Training classes are excluded). When you register for the webcast you will receive a discount code in your confirmation email to use when registering for the Black Hat DC 2011 Briefings.

Do you know of any other security webcasts? Share with us in the comments.

Black Hat DC 2011 Conference
Posted by Zuly Gonzalez. Categories: Events, Security, Web Security.

The Black Hat conference is the biggest and most important security conference in the world. Black Hat has become a premier venue for elite security researchers, and serves the information security community by delivering timely and actionable security information. The Black Hat conference series is now held four times a year:

  • Black Hat DC: January 16-19, 2011 in Arlington, VA
  • Black Hat Europe: March 15-18, 2011 in Barcelona, Spain
  • Black Hat USA: July 30 – August 4, 2011 in Las Vegas, NV
  • Black Hat Abu Dhabi: November 2011 in United Arab Emirates

Each conference is separated into a training portion and a briefings portion.

The Black Hat Briefings are a series of highly technical information security presentations that bring together leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and knowledge.

Black Hat also provides hands-on, high-intensity, multi-day Trainings. The training sessions are provided by some of the most respected experts in the world and many also provide formal certifications to qualifying attendees.

The 2011 Black Hat DC conference will be held January 16 – 19 at the Hyatt Regency in Arlington, VA. The training portion of the conference will be from January 16 to 17, and the briefings portion will be from January 18 to 19.

Black Hat DC 2011 Registration Fees

Registration is now open for the 2011 Black Hat DC conference, and the registration fee schedule is as follows:

  • Briefings
    • Regular: $1395 (ends Dec 15)
    • Late: $1595 (ends Jan 15)
    • Onsite: $1895 (Jan 16 – Jan 19)
    • Academic: $600 (ends Dec 15)
    • Group: 10% – 15% discount (ends Dec 15)
    • Press: $0
  • Training
    • $1800 – $3800 per course

Group Registration: There is a 10% discount for groups of 6 or more. Groups of 12 or more receive a 15% discount. This discount rate applies to the Briefings portion only. If there are 4 or more people from your group attending the same training class and session, you can also qualify for a discount on the Training portion. The discount will be based on the rate at the time that you submit your group registration agreement form. Group registrations must be paid by Dec 15.

Academic Registration: The Academic registration is available to those who are either full-time students or full-time professors at an accredited university. The academic registration rate is $600, but gives you access to the Briefings portion only. Registration for the Academic pass ends on December 15, 2010.

Press Registration: Any media member that works for a publication that covers computer security on a regular basis can apply for a free press pass. Be prepared to show copies of your articles, a business card, and your assignment editor’s contact information. The press pass is normally only granted for the Briefings portion, but in very rare cases may be granted for the Training portion as well. During the conference a press room with internet access will be provided, and a separate room for filming interviews may also be available.

Briefings for Black Hat DC 2011

The 14 briefings that will be presented at the 2011 Black Hat DC are as follows:

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications
Speaker: David Perez

In this presentation they will show a practical attack against GPRS, EDGE, UMTS and HSPA (2G/3G) mobile data communications. They will demonstrate that an attacker with a budget of less than $10,000 can set up a rogue BTS, make the victim devices connect to such BTS, and gain full control over the victim’s data communications. Two vulnerabilities make the attack possible: first, the absence of mutual authentication in GPRS and EDGE (2G), which makes GPRS and EDGE devices completely vulnerable to this attack, and second, the mechanism implemented on most UMTS and HSPA (3G) devices that makes them fall back to GPRS and EDGE when UMTS or HSPA are not available, which makes it possible to extend the attack to these 3G devices.

Counterattack: Turning the tables on exploitation attempts from tools like Metasploit
Speaker: Matthew Weeks

In hostile networks, most people hope their con kung-fu is good enough to avoid getting owned. But for everyone who has ever wanted to reverse the attack, not getting owned is not enough. We will see how it is often possible for the intended victim to not only confuse and frustrate the attacker, but actually trade places and own the attacker. This talk will detail vulnerabilities in security tools, how these vulnerabilities were discovered, factors increasing the number of vulnerable systems, how the exploits work, creating cross-platform payloads, and how to defend yourself whether attacking or counterattacking. The audience will be invited to participate as complete exploit code will be released and demonstrated against the Metasploit Framework itself.

Checkmate with Denial of Service
Speaker: Tom Brennan

Denial-of-Service is an attempt to make a computer resource unavailable to its intended users. A new and very lethal form of Layer 7 attack technique, which uses slow HTTP POST connections, was discovered. An attacker sends properly crafted HTTP POST headers, which contain a legitimate “Content-Length” field to inform the web server how much data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up precious server resources.

They will demonstrate how an “agentless” DDOS botnet can be created via malicious online games and how a victim website can be brought down in matter of minutes using the HTTP POST DDOS attack.

The Getaway: Methods and Defenses for Data Exfiltration
Speaker: Sean Coyne

There are several stages to a successful cyber attack, and the most crucial of them is also the least discussed: data theft. Whether it be financial information, intellectual property, or personally identifiable information, the most valuable thing on your network is the data. Intruders may get in, but until they get out with what they came for, the game’s not over. During this presentation they will take a look at some of the advanced methods of stealing data they have recently encountered in the field, including: preparing and cleaning staging areas, avoiding DLP/traffic scanning products, and how attackers use a victim’s own infrastructure and architecture against them.

De-Anonymizing Live CDs through Physical Memory Analysis
Speaker: Andrew Case

Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations. In order to solve this problem, they present a number of techniques that allow for complete recovery of a live CD’s in-memory filesystem and partial recovery of its previously deleted contents. They also present memory analysis of the popular Tor application as it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.

Beyond AutoRun: Exploiting software vulnerabilities with removable storage
Speaker: Jon Larimer

Malware has been using the AutoRun functionality in Windows for years to spread through removable storage devices. That feature is easy to disable, but the Stuxnet worm was able to spread through USB drives by exploiting a vulnerability in Windows. In this talk, they will examine different ways that attackers can abuse operating system functionality to execute malicious payloads from USB mass storage devices without relying on AutoRun. There’s a lot of code that runs between the USB drivers themselves and the desktop software that renders icons and thumbnails for documents, providing security researchers and hackers with a rich set of targets to exploit. Since the normal exploit payloads of remote shells aren’t totally useful when performing an attack locally from a USB drive, they will look at alternative payloads that can give attackers immediate access to the system. To show that these vulnerabilities aren’t limited to Windows systems, they will provide a demonstration showing how they can unlock a locked Linux desktop system just by inserting a USB thumb drive into the PC.

Malware Distribution via Widgetization of the Web
Speaker: Neil Daswani

The Web 2.0 transformation has in part involved many sites using third-party widgets. They present the “widgetized web graph” showing the structure of high traffic web sites from the standpoint of widgets, show how web-based malware and scareware is propagated via such widgets, and provide data on how a mass web-based malware attack can take place against the Quantcast 1000 web sites via widgets.

Attacking Oracle Web Applications With Metasploit
Speaker: Chris Gates

In 2009, Metasploit released a suite of auxiliary modules targeting Oracle databases and attacking them via the TNS listener. This year, let’s security-test Oracle, but do it over HTTP/HTTPS. Rather than relying on developers to write bad code, let’s see what can be done with default content and various unpatched Oracle middleware servers that you’ll commonly run into on penetration tests. They will also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.

Inglourious Hackerds: Targeting Web Clients
Speaker: Laurent Oudot

This talk will look at technical security issues related to multiple internet web clients. While such tools are used to crawl the internet and retrieve information, there might exist many scenarios where evil attackers can abuse them. By studying the protocols, and by doing some kind of fuzzing operations, they will show how TEHTRI-Security was able to find multiple security issues on many handheld devices and workstations.

Hacking the Fast Lane: security issues with 802.11p, DSRC, and WAVE
Speaker: Rob Havelt

The new 802.11p standard aims to provide reliable wireless communication for vehicular environments. The P802.11p specification defines functions and services required by Wireless Access in Vehicular Environments (WAVE) conformant stations to operate in varying environments and exchange messages, either without having to join a BSS or within a BSS, and defines the WAVE signaling technique and interface functions that are controlled by the 802.11 MAC.

Wireless telecommunications and information exchange between roadside and vehicle systems present some interesting security implications. This talk will present an analysis of the 802.11p 5.9 GHz band Wireless Access in Vehicular Environments (WAVE) / Dedicated Short Range Communications (DSRC), Medium Access Control (MAC), and Physical Layer (PHY) Specifications of this protocol. They will present methods of analyzing network communications (GNU Radio/USRP, firmware modifications, etc.), and potential security issues in the implementation of the protocol in practical environments such as in toll road implementations, telematics systems, and other implementations.

Your crown jewels online: Attacks to SAP Web Applications
Speaker: Mariano NUNEZ Di Croce

“SAP platforms are only accessible internally”. You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization’s SAP platform in order to perform espionage, sabotage and fraud attacks.

Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations will be detailed.

Kernel Pool Exploitation on Windows 7
Speaker: Tarjei Mandt

In Windows 7, Microsoft introduced safe unlinking to the kernel pool to address the growing number of vulnerabilities affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to adjacent list entries. Hence, an attacker cannot easily leverage generic “write 4” techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this talk, they show that in spite of the efforts made to remove generic exploit vectors, Windows 7 is still susceptible to generic kernel pool attacks. In particular, they show that the pool allocator may under certain conditions fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In order to thwart the presented attacks, they conclusively propose ways to further harden and enhance the security of the kernel pool.
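To make the safe unlinking check described in this abstract concrete, here is a small Python model of a doubly linked free list. It is an added example, not code from the talk or from Windows: the Entry and FreeList classes are stand-ins for the kernel’s LIST_ENTRY structure and pool free list, not the real allocator. The unchecked unlink writes through both neighbour pointers without looking at them; the safe version first verifies that each neighbour still points back at the entry being removed, and refuses to touch memory otherwise.

```python
class PoolCorruption(Exception):
    """Raised when a list entry's neighbours do not point back at it."""


class Entry:
    """A LIST_ENTRY-style node with forward (flink) and backward (blink) links."""
    __slots__ = ("name", "flink", "blink")

    def __init__(self, name):
        self.name = name
        self.flink = None
        self.blink = None


class FreeList:
    """Circular doubly linked list with a sentinel head, modelled on a pool free list."""

    def __init__(self):
        self.head = Entry("<head>")
        self.head.flink = self.head.blink = self.head

    def push_tail(self, entry):
        last = self.head.blink
        entry.blink, entry.flink = last, self.head
        last.flink = entry
        self.head.blink = entry

    def names(self, limit=16):
        """Walk forward from the head; 'limit' keeps a corrupted cycle from hanging us."""
        out, cur = [], self.head.flink
        while cur is not self.head and len(out) < limit:
            out.append(cur.name)
            cur = cur.flink
        return out


def unsafe_unlink(entry):
    """Classic unlink: both neighbour pointers are trusted and written through."""
    entry.blink.flink = entry.flink
    entry.flink.blink = entry.blink


def safe_unlink(entry):
    """Safe unlinking: only proceed if both neighbours still point back at this entry."""
    if entry.flink.blink is not entry or entry.blink.flink is not entry:
        raise PoolCorruption(f"entry {entry.name!r}: neighbour links are inconsistent")
    unsafe_unlink(entry)


def build_list():
    """Three entries A, B, C on a fresh list; returns the list and the entries."""
    lst = FreeList()
    a, b, c = Entry("A"), Entry("B"), Entry("C")
    for e in (a, b, c):
        lst.push_tail(e)
    return lst, a, b, c


def corrupt(lst, b):
    """Simulated corruption: B's flink now points at an entry that was never on the list."""
    stray = Entry("stray")
    stray.flink = lst.head      # keeps the walk in names() finite
    b.flink = stray             # the single overwritten pointer
    return stray


def demo():
    results = {}

    # 1. On an intact list the safe unlink is an ordinary removal.
    lst, a, b, c = build_list()
    safe_unlink(b)
    results["healthy_unlink"] = lst.names()            # ["A", "C"]

    # 2. With one corrupted pointer the safe unlink refuses and raises.
    lst, a, b, c = build_list()
    stray = corrupt(lst, b)
    try:
        safe_unlink(b)
        results["corruption_detected"] = False
    except PoolCorruption:
        results["corruption_detected"] = True

    # 3. The unchecked unlink silently splices the stray entry into the list
    #    and writes a pointer into it, which is what the check exists to stop.
    unsafe_unlink(b)
    results["unsafe_unlink_result"] = lst.names()      # ["A", "stray"]
    results["stray_blink_written"] = stray.blink is a  # True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third step is the whole argument for the mitigation in one line: without the check, a single overwritten pointer turns a routine list operation into a write to a location the allocator never owned.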

Identifying the true IP/Network identity of I2P service hosts
Speaker: Adrian Crenshaw

They will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the internet host providing the service, the anonymity set of the person that administrates the service can be greatly reduced. The core of this presentation will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators may make that could expose a service provider’s identity or reduce the anonymity set they are part of. They will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network.

Responsibility for the Harm and Risk of Software Security Flaws
Speaker: Cassio Goldschmidt

Who is responsible for the harm and risk of security flaws? The advent of worldwide networks, such as the internet, made software security an international problem. There are no mathematical risk models available today to assess networked systems with interdependent failures. Experience suggests that no party is solely responsible for the harm and risk of software security flaws, but a model of partial responsibility can only emerge once the duties and motivations of all parties are examined and understood.

This presentation describes the role of each player involved in the software lifecycle and the incentives (and disincentives) they have to perform the task, the network effects of their actions, and the results on the state of software security.

Training Courses for Black Hat DC 2011

There will be 11 courses offered at the 2011 Black Hat DC conference, ranging in price from $1800 to $3800 per course. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered for each class. The 11 courses are as follows:

Cyber Network Defense Bootcamp
Trainer: Adam Meyers

A two day workshop focusing on the progression from incident identification, investigation and malware analysis to explaining to management why it matters. In other words, how to go from geek to sleek.

Real World Security: Attack, Defend, Repel
Trainer: Peak Security

An intensive two day course for security professionals that want to up the ante on their current skill sets in offensive and defensive security. Learn new tactics and receive guidance from expert instructors while you test yourself in a team vs team environment.

Designing Secure Protocols and Intercepting Secure Communication
Trainer: Moxie Marlinspike

This training covers both designing and attacking secure protocols. Attendees will learn the fundamentals of how to design a secure protocol, and be armed with the knowledge of how to evaluate the security of and discover weaknesses in existing protocols.

CISSP Boot Camp (Four Day Course – Jan 16-19)
Trainer: Shon Harris

This Logical Security course trains students in all areas of the security Common Body of Knowledge (CBK). Using this course, students prepare for the exam, while at the same time obtaining essential security knowledge that can be immediately used to improve organizational security.

Information Assurance Officer (IAO) Course (CNSS-4014E) Certified
Trainer: Information Assurance Associates (IA2)

Very intense, highly concentrated, non-technical professional training necessary to achieve the fundamental knowledge needed to define, design, integrate and manage information system security policies, processes, practices, and procedures within federal interest information systems and networks.

Tactical Exploitation
Trainer: Val Smith

Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits.

Virtualization for Incident Responders
Trainer: Eric Fiterman, Methodvue

Principles and techniques for recovering evidence from virtualized systems and cloud environments – this course is intended for information security personnel who are responsible for handling incidents involving virtual infrastructure, cloud service providers, or desktop virtualization platforms.

Digital Intelligence Gathering Using Maltego
Trainer: Paterva

Unlock the true potential and raw power of Maltego. Learn how to navigate and map the internet’s darkest rivers.

TCP/IP Weapons School 3.0
Trainer: Richard Bejtlich, TaoSecurity

Use the network to your advantage while building incident detection and response skills to counter advanced and targeted threats.

Database Breach Investigations: Oracle Edition
Trainer: David Litchfield

This training course will teach students the tricks and techniques hackers use to break into Oracle database servers, and then how to perform a database security breach investigation covering evidence collection, collation and analysis using V3RITY for Oracle, the world’s first database-specific forensics and breach investigation tool.

Windows Physical Memory Acquisition and Analysis
Trainer: Matthieu Suiche

Learn all about memory dumps, including how they work and deep analysis using Windbg.

More on Black Hat

You can follow Black Hat on Twitter, Facebook, and LinkedIn.

Twitter: Black Hat has two accounts on Twitter. For security research and updates on Black Hat events, follow @blackhatevents. For behind the scenes information from Black Hat HQ staff members, follow @blackhathq.

Facebook: Black Hat maintains an active Facebook page to communicate with members of the security community and provide information updates.

LinkedIn: Black Hat also maintains a LinkedIn group to reach out to professional security experts and provide information updates.

Will you be attending Black Hat DC 2011? Have you attended past Black Hat events? If so, what did you like the best?

Citibank Email Phishing Scam Targets Federal Government Employees
Posted by Zuly Gonzalez. Categories: Security, Web Security.

I received the below email phishing scam spoofing Citibank. Along with running Light Point Security, I’m also a government employee.

The subject of the Citibank email scam is “Message ID: 72195”. As soon as I saw that subject line, I knew it was a scam, because it’s too generic. I wanted to get more information about this phishing scam, so I opened the email using Light Point Web to avoid downloading any malware.

The email says it is from “Citibank – Service” and the email address associated with that account is citibank.service@serviceemail.citibank.com. The body of the email message says, “You have received an urgent system message from the Citibank Department. To read your message, please, go to your account immediately.” You’d think that for such an urgent message they would have taken the time to provide a more descriptive subject line.

The link in the scam email points to the Romanian domain online.citibankcom.US.JPS.portal.Index.do.jTgFfNULSY.digikad.ro.

The Norton site rating for digikad.ro identified 4 identity threats on the phishing site. Norton defines identity threats as items such as spyware or keyloggers that attempt to steal personal information from your computer.

How to Protect Yourself From Phishing Scams

Here are 4 things you can do to protect your identity, and personal information, from malicious phishing email scams.

  • If you receive an email message claiming to be from Citi, or Citibank, with the subject line Message ID: [set of two numbers here], do not open it, and delete it right away.
  • If you receive an email message from Citi, or Citibank, and are not sure if it’s a legitimate message, call Citi to confirm the email. Your account has a log of the email messages Citi has sent you. The Citi representative can tell you if they’ve sent you any recent emails. Citi’s 24 hour customer service number is 1-866-670-6462.
  • If you mistakenly open the email message, and it states that you need to check your Citi messages, or inbox, open up a new browser window and login directly to your Citi account. Never click on a link in these email messages. If after logging in to your online account, you don’t have any recent messages from Citi, you can be sure the email you received is a phishing scam. Delete it immediately.
  • If there is a link in an email message you are unsure about, hover over the link and look at what the status bar tells you. If the URL shown in the status bar isn’t for the website you’re expecting, it’s likely a phishing scam. In this Citibank scam email the link points to the digikad.ro website, not a legitimate Citi website. Note that the scammers tried to make it look like a legitimate Citi website by including citibankcom as part of the URL. Also notice the strange http-like characters at the beginning of the URL.
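The hover-and-check advice in the last bullet above, like the facebook.com rule earlier on this page, comes down to one question: which registrable domain does the link actually land on? Here is an added Python example (mine, not code from this post) that answers it for the digikad.ro address quoted above and a few constructed links. The EXPECTED_DOMAINS table is an assumption made for the example, not a list published by Citi or Facebook, and the two-label rule it uses is a simplification explained in the code.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed legitimate registrable domains per brand. A real check would take
# this table from the institution's own published list of domains.
EXPECTED_DOMAINS = {
    "citi": {"citi.com", "citibank.com"},
    "facebook": {"facebook.com"},
}

# Sample links. The first hostname is the one quoted in the post; the rest are
# constructed for this example.
SAMPLE_LINKS = [
    ("citi", "http://online.citibankcom.US.JPS.portal.Index.do.jTgFfNULSY.digikad.ro/"),
    ("citi", "https://online.citi.com/US/login.do"),
    ("facebook", "http://www.facebook.com/"),
    ("facebook", "http://www.facebook.com.account-check.example/login"),
]


def registrable_domain(url: str) -> Optional[str]:
    """Return the last two labels of the link's host, lower-cased.

    Everything to the left of those two labels is chosen freely by whoever
    owns the domain, which is how "citibankcom" ends up inside a digikad.ro
    address. Two labels is a simplification: hosts under suffixes such as
    .co.uk need a public-suffix list to be split correctly.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def classify_link(brand: str, url: str) -> str:
    """'expected' if the registrable domain belongs to the brand, 'lookalike'
    if the brand name appears in the host but the domain does not, else 'foreign'."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(url)
    if domain in EXPECTED_DOMAINS[brand]:
        return "expected"
    if brand in host:
        return "lookalike"
    return "foreign"


def classify_samples():
    """Run the check over SAMPLE_LINKS and return (url, verdict) pairs."""
    return [(url, classify_link(brand, url)) for brand, url in SAMPLE_LINKS]


if __name__ == "__main__":
    for url, verdict in classify_samples():
        print(f"{verdict:9} {registrable_domain(url) or '?':24} {url}")
```

Read the verdict column, not the part of the address that looks familiar: the digikad.ro link is classified as a lookalike precisely because the brand name is in the host while the registrable domain is not one the brand owns.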

Citi will never ask you for your password, or to update personal information, via email. If you receive a suspicious email claiming to be from Citi, or Citibank, forward it to submitphishing@citi.com.

Have you received similar phishing emails claiming to be from Citi? Let us know.

The 2010 Hacker Challenge
Posted by Zuly Gonzalez. Categories: Events, Security.

October is National Cyber Security Awareness Month, and what better way to promote it than with the 2010 Hacker Challenge.

The Hacker Challenge is a competition in which Department of Defense Sailors, Soldiers, Marines, Airmen and civilian government employees try their hands at solving computer and network security problems. It’s a free and open competition designed for beginner to intermediate level security professionals and enthusiasts, and is designed to engage military and civilian members in a fun and educational way.

It started three years ago as a way to address training deficiencies in some of the military’s mandatory computer security training courses.

Hacker Challenge 2010 Details

The 2010 Hacker Challenge begins on October 27, 2010, and ends November 10, 2010. During this two-week period, participants will work at their own pace to solve the challenges. If you’re interested in participating in the 2010 Hacker Challenge, you must sign up before October 25, 2010.

Teams of up to 6 members are allowed, including one person teams.

The Hacker Challenge consists of two parts – a written portion and a hands-on portion. The written portion involves a series of questions that will test a participant’s knowledge of technology and security topics. The hands-on portion will test the participant’s security knowledge through the use of tools during practical exercises. Some challenges will be easier than others. For a few examples see the sample Hacker Challenge questions below.

This is a friendly competition, and does not involve the use of any malicious software. There are also strict rules on cheating, and what is considered cheating. Any team caught cheating will be disqualified, and it will be publicized on the Hacker Challenge blog.

Sample Hacker Challenge Questions

Below are a few of the questions you might find in the Hacker Challenge competition. These questions were taken from the 2009 Hacker Challenge. Remember this contest is for beginner to intermediate level security enthusiasts.

1) Download and crack the passwords found at this link.

2) You perform a banner grab against a customer’s web server and get the following response. What does it mean?

GET / JUNK/1.0
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17:47 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html

3) Download the packet capture in the below link and look at the device with the MAC address of 00:12:0E:6F:B4:4B. What is this device, and what do you think it’s doing during the time period traffic was captured?

4) Watch Hak5 episodes 1 and 3 from season 4 and pay attention to the sections dealing with the “WiFi Pineapple.” Discuss how the WiFi Pineapple is able to masquerade as a “trusted” AP and suggest at least one way that a user can tell this type of attack is occurring.

5) Dig through the below captured packet and state the following things: (a) What browser is being employed? (b) What application on the browser will be used? (c) What OS is being used? (d) What device did this packet come from?

0000    00 04  5a f2  25 d8  00 12  0e  6f b4  4b  08  00   45  00
0010    00 de  a2 ab  40 00  40 06  b5  3d ac  14  14  05   4a  dc
0020    d7 3b  05 f9  00 50  c5 5f  13  be 38  8e  eb  66   50  18
0030    0b 68  c9 47  00 00  47 45  54  20 2f  63  68  75   6d  62
0040    79 5f  76 69  64 65  6f 73  2f  62 61  6c  6c  73   2e  66
0050    6c 76  20 48  54 54  50 2f  31  2e 31  0d  0a  48   6f  73
0060    74 3a  20 72  62 65  6c 6f  74  74 65  2e  6e  65   74  0d
0070    0a 41  63 63  65 70  74 3a  20  2a 2f  2a  0d  0a   55  73
0080    65 72  2d 41  67 65  6e 74  3a  20 4d  6f  7a  69   6c  6c
0090    61 2f  35 2e  30 20  28 63  6f  6d 70  61  74  69   62  6c
00a0    65 3b  20 55  3b 20  43 68  75  6d 62  79  3b  20   4c  69
00b0    6e 75  78 29  20 46  6c 61  73  68 20  4c  69  74   65  20
00c0    33 2e  30 2e  34 0d  0a 50  72  61 67  6d  61  3a   20  43
00d0    68 75  6d 62  79 0d  0a 43  6f  6e 6e  65  63  74   69  6f
00e0    6e 3a  20 63  6c 6f  73 65  0d  0a 0d  0a
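Questions 2 and 5 above are both exercises in reading protocol headers by hand. The following added Python example (mine, not part of the Hacker Challenge) embeds the Apache banner from question 2 and the hex dump from question 5, walks the Ethernet, IPv4 and TCP headers to locate the TCP payload, and parses the HTTP message in each, so the Server header of the banner and the Host, User-Agent and Pragma headers of the captured request can be read off directly. Interpreting those strings, as the questions ask, is left to the reader; the code only decodes what is in the bytes.

```python
import struct

# The banner-grab response from question 2, copied from the page into a string.
BANNER_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Sun, 15 Jun 2003 17:17:47 GMT",
    "Server: Apache/1.3.23",
    "Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT",
    'ETag: "32417-c4-3e5d8a83"',
    "Accept-Ranges: bytes",
    "Content-Length: 196",
    "Connection: close",
    "Content-Type: text/html",
    "", "",
])

# The hex dump from question 5, copied from the page (offset column first).
HEXDUMP = """
0000 00 04 5a f2 25 d8 00 12 0e 6f b4 4b 08 00 45 00
0010 00 de a2 ab 40 00 40 06 b5 3d ac 14 14 05 4a dc
0020 d7 3b 05 f9 00 50 c5 5f 13 be 38 8e eb 66 50 18
0030 0b 68 c9 47 00 00 47 45 54 20 2f 63 68 75 6d 62
0040 79 5f 76 69 64 65 6f 73 2f 62 61 6c 6c 73 2e 66
0050 6c 76 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73
0060 74 3a 20 72 62 65 6c 6f 74 74 65 2e 6e 65 74 0d
0070 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 55 73
0080 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c
0090 61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c
00a0 65 3b 20 55 3b 20 43 68 75 6d 62 79 3b 20 4c 69
00b0 6e 75 78 29 20 46 6c 61 73 68 20 4c 69 74 65 20
00c0 33 2e 30 2e 34 0d 0a 50 72 61 67 6d 61 3a 20 43
00d0 68 75 6d 62 79 0d 0a 43 6f 6e 6e 65 63 74 69 6f
00e0 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a
"""

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def hexdump_to_bytes(text: str) -> bytes:
    """Turn 'offset b0 b1 ...' lines into raw bytes; the offset column is dropped."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens:
            out.extend(int(tok, 16) for tok in tokens[1:])
    return bytes(out)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_http_message(raw: bytes) -> dict:
    """Split an HTTP/1.x request or response into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP and return the header fields plus the TCP payload."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4 packet carrying TCP")
    ihl = (ver_ihl & 0x0F) * 4                 # IPv4 header length in bytes
    tcp = ip[ihl:total_len]                    # honour the IP total length
    (src_port, dst_port, _seq, _ack, off_flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4           # TCP header length in bytes
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl, "src_port": src_port, "dst_port": dst_port,
        "tcp_flags": flags, "payload": tcp[data_off:],
    }


def analyze_packet() -> dict:
    """Decode the question 5 frame and parse the HTTP request it carries."""
    info = parse_frame(hexdump_to_bytes(HEXDUMP))
    info["http"] = parse_http_message(info["payload"])
    return info


def analyze_banner() -> dict:
    """Parse the question 2 banner response."""
    return parse_http_message(BANNER_RESPONSE.encode("ascii"))


if __name__ == "__main__":
    print("banner server:", analyze_banner()["headers"]["server"])
    pkt = analyze_packet()
    print(f"{pkt['src_mac']} {pkt['src_ip']}:{pkt['src_port']} -> "
          f"{pkt['dst_ip']}:{pkt['dst_port']} {' '.join(pkt['tcp_flags'])}")
    print(pkt["http"]["start_line"])
    for name, value in pkt["http"]["headers"].items():
        print(f"  {name}: {value}")
```

Two details worth noticing while reading the output: the source MAC of the captured frame is the same 00:12:0E:6F:B4:4B address that question 3 asks about, and the IP total length field (222) accounts for every byte after the 14-byte Ethernet header, which is the quick sanity check that the dump was copied completely.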

For more information on Hacker Challenge 2010, visit the official website.

Coming Soon: The Advanced Hacker Challenge

If you are a security professional in the advanced category, don’t lose hope. In late 2011 an advanced Hacker Challenge will be introduced, and it will be completely different from the basic/intermediate version. The new advanced version will be almost completely hands-on. The advanced version write-ups will require a deeper understanding of security concepts, and the targets will be a bit of a challenge. And FYI, some of the advanced challenges will require participants to sign a “release of liability” form.
