Friday, August 26, 2011

Getting Approval to Attend a Security Conference

One of the great things about working in Information Security is attending the various conferences that are held throughout the year. One of the biggest drawbacks is justifying the attending of the previously mentioned conferences.

I am writing this post as a guide to help the security professionals in explaining/justifying their trip(s) to their managers and bosses. Let me continue by saying that your management are not bad people for asking for justification. Contrarily, they are looking out for the business and organization which benefits everyone. It's not that they don't want you to go; it's just that they need to make a business decision and you get a chance to weigh in.

In order to help those making a decision, you have to show them how their choice to allow you to attend will benefit the company.

Draft an email stating the following:

  1. Purpose of the email (to attend the conference). Include the name of the conference, a short description, the date(s) and location.
  2. The costs associated with attending the conference. Include the registration, any travel expense (airfare, mileage, parking, etc.), lodging (don't forget taxes) and per diem (if applicable)
  3. Value to the company. This is important! This is where you justify the expense of going. Benefits like education as well as networking should be backed up by examples as to how it will benefit your company directly.
OK, so what if you do all this and are still not allowed to go? There are still some things that you can do.

Maybe there is a chance that your boss will let you go if you offer to pay your own way or some of the costs. He/she may be more inclined to let you go if they can spend less money. Perhaps they can give you the time off with pay and you pay for your tickets and/or travel? Compromise is the key here.

Another thing that may help is if you attend part of a day or the time. There may be times when your boss cannot afford to not have you at work. Take advantage of a day or two of a week-long conference or maybe pick a few sessions that you absolutely want to attend.

Lastly, if the other options don't seem to work, most conferences have either presentations or videos of sessions/talks available afterwards. Yes, this is not the best scenario, but it's better than not getting any information.

I hope that this post has been helpful to those of you looking to attend security conferences.

Monday, August 22, 2011

GFIRST - Advanced (Malware) Command and Control - Review

Advanced Command and Control

The scope of this article is to look at some of the advanced methods of Malware Command and Control that might typically be overlooked.

Command and Control (C2) is a term that in this situation, applies to Malware and to how and when it receives it orders/instructions.

The life cycle of a typical malware incident is as follows:

  1. The malware implants itself into the victim
  2. It then makes a DNS query to a rogue domain
  3. The malware finally makes an HTTP request in order to download additional programs, etc.
Traditional Command and Control
Traditional C2 is generally easy to mitigate because:

  1. Is noisy in how it behaves
  2. Generally easy to find the IP address associated with the C2 domain because so little traffic is going TO it.

Advanced Avenues of C2 Communication
Advanced Command and Control can take the form of legitimate conversations and applications such as:


  • Twitter provides the attackers a centralized place from which to issue commands. Twitter is generally open.
  • Attackers set up a bogus Twitter profile and use Base 64 encoded strings in status messages for issuing commands to run and URLs to access


  • Similar to Twitter, a bogus profile is set up and information is passed via a Facebook "Note"

GMail Dead Drop

  • A Bogus email account is set up
  • The malware tha gets installed on the targets workstation has the account information hard coded into it.
  • Informarion for C2 is contained in a draft email that is created, but never sent. All communication is done this way, so no mail traffic can be detected, simply an SSL connection to a GMAIL server
  • When the malware logs in, base 64 code is read from the message title. Hex code is read from the body of the draft. ...RSMS Feed (Real Simple Malware Syndication)

  • Command and control information can also be received via an RSS feed. The malware makes a web request and receives it's instructions via the feed


  • A small SMTP server (sendmail.dll) can be pulled during stage 2 of a malware infection
  • Traffic goes out over SMTP (port 25) and looks like regular mail, however...

        mail.subject contains malicious information

        mail.body contains exfiltrated data encoded in hex

The timing of the malware can be such as to either execute it's instructions immediately or can wait until the user makes an Internet connection either by web browser or email client. The client then assumes that the action is legitimate and it passes undetected.

I also wanted to mention that tools like IDA and OllyDbg can be used to make investigations easier.

I hope that this brief explanation of Advanced Command and Control mechanisms for malware brings a level of awareness as to the different and out of the ordinary mechanisms that can be used.

Tuesday, August 16, 2011

GFIRST - Hacking Web Applications (Review)

Hacking Web Applications was a live action presentation that was given by McAfee. One of the first things that was discussed was the order of prominence for specific types of data that are attacked.

39% - structured data
34% - applications/web applications
16% - other
11% - unstructured data such as file servers

Resources like databases are more vulnerable because although they are structured, their configurations can vary greatly. They are like molding pottery and although may be simiar to others, they are each unique.

After years of user education, people still use very weak and insecure passwords. A recent study of 32 million passwords revealed that the three most popular passwords (in order) were:


There are traits and vectors of attacks that bear the highest value and return for the attacker.

These common elements include:

    High profile positions in a company such as a CFO, CIO, and CEOs
    Industries such as Oil and gas companies
    Common old unpatched vulnerabilities such as SQL injection
    Attacks come from "known malicious" sources such as China

The attack that was looked at was a SQLi (SQL injection) attack. A SQL injection (SQLi) attack is one that exploits the vulnerabilities in a web server database. These vulnerabilities allow the attacker to gain access to the database and give him/her the ability to read/extract, modify, or delete information.

It's interesting to note that SQL injection attacks are an old and preventable attack that essentially allow the successful attacker to control the database in question.

There are many different ways to formulate the attack, the most basic is to make the condition of the fields of a web form to be validated as being true statements.

Normally, when you go to a form and enter the information, that information is validated against the backend database and if shown to be true, returns a subsequent set of information.

In the most basic form of SQLi, information is inputted in a form that makes the database see the statement as true, thus providing access to the information.

When a condition is successfully met such as with entering  1' or '1'='1 in the user name field, the first record (user name) is returned. More on this in a subsequent post on SQLi

Mitigations of the attacks comes from validation, blacklisting and whitelisting of accounts, domains and countries.

GFIRST Conference Review Coming Soon

Hopefully tonight, I'll start posting the first of a series of reviews from events/talks at this year's GFIRST.

There was a lot of interesting information gleaned from last week that I believe that InfoSec people will find very interesting.

Thursday, August 11, 2011

Nashville InfoSec CTF

A colleague of mine and myself will be hosting a Capture the Flag competition at this year's Nashville InfoSec.

You can register a team as an individual or as a group. This event is geared to accommodate people within a wide range of skill sets and experience. The goal for this CTF is to provide an educational experience with some friendly competition.

The CTF consists of a vulnerable network environment that can be exploited to gain access to different areas where flags will be hidden. Details on the flag format will be presented at the time of the challenge. The structure will be set so that each flag has a value proportionate to the level of difficulty in achieving it. The CTF will run for a fixed amount of time and whichever team has the most points at that time, wins!

Teams will need to bring their own laptops, but network jacks will be provided. This will be a closed environment with no access to the Internet. Wireless connectivity may be provided by the venue, but if you chose to connect to both the CTF and wireless Internet, keep in mind what network you are attacking. Attacks against the venue's networks is not permitted and will be grounds for disqualification.

Each team is welcome to bring whatever arsenal they have compiled, but all vulnerabilities can be successfully exploited with the BackTrack live ISO.

*Please register your team by September 10th, 2011. You can register by emailing with the team name and number of team members you have. Limited space is available.

Email or with any questions concerning the event.