This blog by Lenny Zeltser focuses on information security. Lenny is a seasoned business leader with extensive hands-on experience in IT and information security.Tumblr (3.0; @lennyzeltser)http://blog.zeltser.com/http://www.zeltser.com/http://www.zeltser.com/interface/lenny_zeltser_logo.gifzeltserhttp://feedburner.google.com<p><img alt="image" src="http://media.tumblr.com/42f0ccd8ec799d7c9454f96257f04ca2/tumblr_inline_mn77lfv99G1qz4rgp.jpg"/></p> <p><span>There is much we can learn about coordinated online activities of skilled attackers with nation-state affiliations. The following two write-ups provide a wealth of information about one such attack group, which has been targeting organization in South Asia over the past few years and appears to reside in India:</span></p> <ul><li>ESET: <a href="http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/">Targeted information stealing attacks in South Asia use email, signed binaries</a></li> <li>Norman and Shadowserver: <a href="http://enterprise.norman.com/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf">Operation Hangover: Unveiling an Indian Cyberattack Infrastructure</a> (PDF)</li> </ul><p>According to these reports, the group engaged in industrial espionage and spying on political activists. The victims resided in many countries, but Pakistan stood out as the most targeted location. The attackers relied on spear phishing to gain initial access to the targeted environment. The emails were thematically appropriate to the targets and included malicious documents that exploited unpatched vulnerabilities. Some of the malware was digitally signed.</p> <p>The analysts attributed these cyberattack activities to specific source by examining:</p> <ul><li>Types and locations of the targeted organizations</li> <li>Categories and contents of the data pursued by the attackers</li> <li>Contents of decoy documents used for spear phishing</li> <li>Debug path and other strings embedded in the malicious programs</li> <li>Code-signing certificate details</li> <li>Domain registration records of the systems used by the attackers</li> </ul><p>As the result, Norman and Shadowserver researchers concluded that the attackers apparently operated from India &#8220;and have been conducting attacks against business, government and political organizations.&#8221; Similarly, ESET analysts concluded &#8220;that the entire campaign originates from India.&#8221;</p> <p>In addition, Norman and Shadowserver researchers concluded that the malicious software used in these campaigns was created by multiple software developers who were &#8220;tasked with specific malware deliverances.&#8221; The developers collaborated, &#8220;working on separate subprojects, but apparently not using a centralized source control system.&#8221;</p> <p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=ymEZwnrjyuo:toDll_60W-4:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=ymEZwnrjyuo:toDll_60W-4:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=ymEZwnrjyuo:toDll_60W-4:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/ymEZwnrjyuo" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/ymEZwnrjyuo/51061827623http://blog.zeltser.com/post/51061827623Wed, 22 May 2013 06:39:00 -0400cybercrimeAPTinformation technologysecuritytargeted attacksmalwarehttp://blog.zeltser.com/post/51061827623<p><img alt="image" src="http://media.tumblr.com/6a45bf29da8c39f342374182c659e927/tumblr_inline_mmtf1d84kS1qz4rgp.png"/></p> <p>In the past weeks I published several posts describing malware analysis tools and approaches at other blogs:</p> <ul><li><a href="http://computer-forensics.sans.org/blog/2013/04/10/installing-remnux-virtual-appliance">Installing the REMnux Virtual Appliance for Malware Analysis</a>: Starting with version 4, the REMnux virtual appliance is available as the Open Virtualization Format (OVF/OVA) file, which can be imported into most virtualization tools, such as VMware and VirtualBox. Extra: Explore other updates in the <a href="http://blog.zeltser.com/post/47545363323/new-release-of-remnux-linux-distro-for-malware-analysis">Announcement of the REMnux v4 Release</a>.</li> </ul><ul><li><a href="http://computer-forensics.sans.org/blog/2013/05/07/mastiff-for-auto-static-malware-analysis">Automating Static Malware Analysis With MASTIFF</a>: MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. MASTIFF offers a useful way for performing triage on a large set of suspicious files. Extra: See my MASTIFF demo as part of the <a href="https://www.sans.org/webcasts/remnux-v4-malware-analysis-96585">What’s New in REMnux v4 for Malware Analysis</a> webcast.</li> </ul><ul><li><a href="https://isc.sans.edu/diary/Extracting+Digital+Signatures+from+Signed+Malware/15779">Extracting Digital Signatures from Signed Malware</a>: Sometimes attackers digitally sign their malicious software. Examining properties of the signature helps malware analysts understand the context of the incident. Moreover, analysts could use the signature as an indicator of compromise. Here are some tips and tools for determining whether a suspicious Windows executable has been signed and for extracting the embedded signature in a Linux environment. Extra: Check out <a href="https://isc.sans.edu/diary/Extracting+signatures+from+Apple+.apps/15821">steps to extract signatures from Apple .app files</a> and <a href="http://blog.didierstevens.com/programs/authenticode-tools/">Didier Steven&#8217;s AnalyzePESig tool</a>.</li> </ul><ul><li><a href="http://computer-forensics.sans.org/blog/2013/05/14/tools-for-examining-xor-obfuscation-for-malware-analysis">Tools for Examining XOR Obfuscation for Malware Analysis</a>: There are numerous ways of concealing sensitive data and code within malicious files and programs. Fortunately, attackers use one particular XOR-based technique very frequently, because offers sufficient protection and is simple to implement. Here&#8217;s a look at several tools for deobfuscating XOR-encoded data during static malware analysis. Extra: Experiment with <a href="https://github.com/tomchop/unxor/">Thomas Chopitea&#8217;s unXOR tool</a>.</li> </ul><p>Also, on my own blog I took a look at Cylance&#8217;<span>s </span>Accelerify tool for <a href="http://blog.zeltser.com/post/49399925347/accelerify-speeds-up-clock-for-malware">speeding up the lab system&#8217;s clock for malware analysis</a>.</p> <p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=AWgqI7IwzpU:yzujKZfUgO4:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=AWgqI7IwzpU:yzujKZfUgO4:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=AWgqI7IwzpU:yzujKZfUgO4:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/AWgqI7IwzpU" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/AWgqI7IwzpU/50728264398http://blog.zeltser.com/post/50728264398Sat, 18 May 2013 10:03:35 -0400malwaremalware analysistoolsinformation technologyhttp://blog.zeltser.com/post/50728264398<p><img alt="image" src="http://media.tumblr.com/4b4fabd9ab3dfe3428e89b9d03865d81/tumblr_inline_mmug9vTiOu1qz4rgp.jpg"/></p> <p>Some organizations have encountered <a href="http://blog.zeltser.com/post/3459353024/touchy-security-topics-apt">Advanced Persistent Threat</a> over 5 years ago—earlier than most of us. Because of the types of data they process, these initial APT victims were exposed to carefully-orchestrated, espionage-motivated attacks before they spread to a wider range of targets.</p> <p>Now, half a decade later, might the time to look at the attacks that the initial APT victims are fighting nowadays to forecast the threats that will eventually reach other companies. I am wondering:</p> <ul><li>Will traditional APT actors eventually disengage from early APT targets, perhaps after obtaining the necessary data, finding the cost of maintaining presence too costly or deciding to focus on easier-to-attack victims? Have they done this already?</li> <li>Will APT groups remain engaged, but drastically change tactics according to new goals and in response to new defensive elements? How have these tactics changed in the recent years?</li> <li>What can we learn by treating initial APT targets as predictors of threat dynamics that will eventually affect a broader set of victims? What attacks are effective today against the organizations that had the time and skills to adapt to initial APT tactics?</li> </ul><p>It&#8217;s hard to answer these questions without first-hand access to the companies that witnessed the first wave of APT attacks. Furthermore, the dilution of the term APT by marketing departments makes it harder to differentiate between reliable APT insights, such as <a href="http://intelreport.mandiant.com/">what Mandiant has been publishing</a>, from generic APT-themed sales collateral peppered throughout the web.</p> <p>Based on public information and observations, I suspect the threat landscape over the next few years will involve:</p> <ul><li>A greater use of purchased non-public exploits. (See Reuters&#8217; article on the <a href="http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510">trends in the exploits market</a>.)</li> <li>More professional oversight of multiple aspects of attack operations and logistics to improve effectiveness and efficiency.</li> <li>Smarter mining of stolen data (&#8220;big data&#8221;) to derive intel for subsequent attacks, discover relationships and spot other valuable information.</li> <li>The adoption of the techniques seen in &#8220;military-grade&#8221; malware, <a href="https://www.cs.columbia.edu/~smb/blog//2010-09/2010-09-27.html">such as Stuxnet</a>, by a broader range of attack groups. (See Eugene Kaspersky&#8217;s <a href="http://eugene.kaspersky.com/2011/11/25/internet-military-free-zone/">concerns over military&#8217;s use of malware</a>.)</li> <li>Increased use of anti-forensics and evasion techniques to conceal attackers&#8217; capabilities and motives. (See Eugene Rodionov and Alexandr Matrosov&#8217;s <a href="http://www.welivesecurity.com/2012/10/11/defeating-anti-forensics-in-contemporary-complex-threats/">overview of anti-forensics malware features</a>.)</li> </ul><p>These are just conjectures. I don&#8217;t have the answers to the questions I posed above; however, I thought I&#8217;d at least ask them and explore the idea of looking at early APT targets&#8217; current state to anticipate advanced threats that will later affect other organizations.</p> <p>Related articles you might like:</p> <ul><li><a href="http://blog.zeltser.com/post/27846821868/mutually-assured-destruction-in-cyberspace">Mutually-Assured Destruction in Cyberspace</a></li> <li><a href="http://blog.zeltser.com/post/44795789779/indicators-of-compromise-entering-the-mainstream">Indicators of Compromise Entering the Mainstream Enterprise?</a></li> <li><a href="http://blog.zeltser.com/post/5032824447/why-make-fun-of-apt">Why I Make Fun of Advanced Persistent Threat (APT)</a></li> </ul><p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=0MDP0OBtis8:2g4dexCS1yM:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=0MDP0OBtis8:2g4dexCS1yM:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=0MDP0OBtis8:2g4dexCS1yM:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/0MDP0OBtis8" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/0MDP0OBtis8/50497161014http://blog.zeltser.com/post/50497161014Wed, 15 May 2013 10:30:00 -0400information technologysecurityAPTmalwaretargeted attacksespionageincident responsehttp://blog.zeltser.com/post/50497161014<iframe src="//www.tumblr.com/video/lennyzeltser/49399925347/400" id="tumblr_video_iframe_49399925347" class="tumblr_video_iframe" width="400" height="333" style="display:block;background-color:transparent;overflow:hidden;" allowTransparency="true" frameborder="0" scrolling="no" webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe><br/><br/><p><strong>Speeding up the Clock for Malware Analysis With </strong><strong>Accelerify</strong></p> <p>Sometimes malware doesn’t perform “interesting” actions until some time has passed, stretching out its activities over hours or days. This approach tricks some automated analysis tools and helps evade detection. Cylance’s free tool <a href="http://www.cylance.com/tools/Accelerify.shtml">Accelerify</a> helps analysts in such situations by accelerating the lab system’s clock.</p> <p>Accelerify modifies the system’s time at the rate specified by the analyst. For instance, in the video attached to this article, I directed the tool to modify the clock every second, advancing it by 300 seconds. This had the effect of accelerating the time by the factor of 300.</p> <p>The “-i” parameter sets the interval, in seconds, between adjusting the time. I used 1; the default is 10. The “-a” parameter specifies the number of seconds by which to advance the clock. I used 300; the default is 3600.</p> <p>You can use Accelerify in conjunction with behavioral monitoring tools to explore situations where the specimen’s actions are triggered by the passage of time or by specific date and time values. In such scenarios, you could activate the monitoring tools, launch Accelerify, infect the laboratory system and see what develops.</p> <p>— <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=sEz2EXkwAyQ:b4p2L2dzufU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=sEz2EXkwAyQ:b4p2L2dzufU:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=sEz2EXkwAyQ:b4p2L2dzufU:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/sEz2EXkwAyQ" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/sEz2EXkwAyQ/49399925347http://blog.zeltser.com/post/49399925347Wed, 01 May 2013 20:38:00 -0400malwaremalware analysistoolsinformation technologysecurityhttp://blog.zeltser.com/post/49399925347<p><img alt="image" src="http://media.tumblr.com/tumblr_m7ze0uNq881qd9o7r.jpg"/></p> <p>In the field of IT in general and digital forensics in particular, you become obsolete the moment you stop learning. Here are several free webcasts related to reverse-engineering and malware analysis that will help you keep your skills up to date.</p> <p>Upcoming live malware forensics webcasts:</p> <ul><li><a href="https://www.sans.org/webcasts/pwning-apt1-yara-signatures-96675">Pwn&#8217;ing APT1 with Yara Signatures</a> by Jake Williams, May 29, 2013</li> </ul><p>Previously-recorded malware forensics webcasts:</p> <ul><li><a href="https://www.sans.org/webcasts/introduction-malware-analysis-turn-malware-out-95490">Introduction to Malware Analysis on Windows: Turn Malware Inside Out!</a> by Lenny Zeltser</li> <li><a href="https://www.sans.org/webcasts/sharper-incident-response-protocol-reverse-engineering-95454">Sharper Incident Response with Protocol Reverse Engineering</a> by Michael Cloppert</li> <li><a href="https://www.sans.org/webcasts/forensics-prague-webcast-malware-analysis-essentials-remnux-lenny-zeltser-95379">Malware Analysis Essentials using REMnux</a> by Lenny Zeltser</li> <li><a href="https://www.sans.org/webcasts/remnux-v4-malware-analysis-96585">What&#8217;s New in REMnux v4 for Malware Analysis?</a> by Lenny Zeltser</li> <li><a href="https://www.sans.org/webcasts/memory-forensics-incident-response-95647">Memory Forensics for Incident Response</a> by Hal Pomeranz</li> <li><a href="https://www.sans.org/webcasts/finding-unknown-malware-95614">Finding Unknown Malware</a> by Alissa Torres</li> <li><a href="https://www.sans.org/webcasts/50-shades-hidden-diving-deep-code-injection-96665">50 Shades of Hidden - Diving Deep Into Code Injection</a> by Jake Williams</li> </ul><p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=ALyypWZtrfE:G7ne8U9QT70:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=ALyypWZtrfE:G7ne8U9QT70:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=ALyypWZtrfE:G7ne8U9QT70:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/ALyypWZtrfE" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/ALyypWZtrfE/28484562049http://blog.zeltser.com/post/28484562049Fri, 26 Apr 2013 15:58:00 -0400securitytrainingmalwaremalware analysisinformation technologyreverse-engineeringforensicshttp://blog.zeltser.com/post/28484562049<p><img alt="image" src="http://media.tumblr.com/e05fee779539eccba33a4ab807561018/tumblr_inline_mkqjizS2rC1qz4rgp.png"/></p> <p>I’m pleased to announce the release of version 4 of the REMnux Linux distribution for reverse-engineering malicious software. The new version includes a variety of new malware analysis tools and updates the utilities that have already been present on the distro.</p> <p>What&#8217;s new in REMnux v4? See the details below and <a href="https://www.sans.org/webcasts/remnux-v4-malware-analysis-96585">register for a free webcast where I will showcase some of the key additions</a>. You can download the latest release at <a href="http://REMnux.org/">REMnux.org</a>.</p> <p><strong>What&#8217;s New in REMnux v4</strong></p> <p>REMnux is now available as a Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (<a href="http://computer-forensics.sans.org/blog/2013/04/10/installing-remnux-virtual-appliance">Here&#8217;s how to easily install the REMnux virtual appliance.</a>) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.</p> <p>Key updates to existing tools and components:</p> <ul><li><em>Core system:</em> Upgraded the underlying Ubuntu OS components and packages; increased default RAM of the virtual appliance to 512MB; replaced OpenJDK with Oracle Java 7 runtime.</li> <li><em>Memory analysis:</em> Updated <a href="https://www.volatilesystems.com/default/volatility">Volatility</a> to version 2.2.</li> <li><em>PDF analysis:</em> Updated <a href="http://blog.didierstevens.com/programs/pdf-tools/">pdfid and pdf-parser</a>, <a href="http://esec-lab.sogeti.com/pages/Origami">Origami</a>, <a href="http://eternal-todo.com/tools/peepdf-pdf-analysis-tool">peepdf</a></li> <li><em>Web analysis:</em> Updated <a href="http://www.swftools.org/">SWFTools</a>, <a href="https://code.google.com/p/v8/">V8</a>, <a href="http://libemu.carnivore.it/">libemu</a>, <a href="http://www.netresec.com/?page=NetworkMiner">NetworkMiner</a>, <a href="http://portswigger.net/burp/proxy.html">Burp Proxy</a>, <a href="http://www.wireshark.org/">Wireshark</a>, <a href="http://www.mozilla.org/en-US/firefox/new/">Firefox</a> and its add-ons.</li> <li><em>Other changes:</em> Updated <a href="http://blog.didierstevens.com/programs/xorsearch/">xorsearch</a>, <a href="http://www.cert.at/downloads/software/densityscout_en.html">DensityScout</a>, <a href="https://code.google.com/p/pyew/">Pyew</a>, <a href="https://code.google.com/p/passive-dns-query-tool/">passive-dns</a>, <a href="http://www.clamav.net/">ClamAV</a>, <a href="https://code.google.com/p/malwarecookbook/source/browse/trunk/3/5/capabilities.yara">capabilities.yara</a>; replaced <a href="http://freemind.sourceforge.net/wiki/index.php/Main_Page">FreeMind</a> with <a href="http://www.xmind.net/">XMind</a></li> </ul><p>New tools added to REMnux:</p> <ul><li><em>Windows tools:</em> Installed <a href="http://www.winehq.org/">Wine</a>; added <a href="http://www.reconstructer.org/code.html">OfficeMalScanner</a>, <a href="http://malzilla.sourceforge.net/">Malzilla</a></li> <li><em>XOR analysis: </em>Added <a href="https://github.com/hiddenillusion/NoMoreXOR">NoMoreXOR</a>, <a href="http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html">brutexor</a>, <a href="http://eternal-todo.com/category/bruteforce">XORBruteForcer</a></li> <li><em>PE file analysis:</em> Added <a href="http://sourceforge.net/projects/pev/">pev</a>, <a href="http://hooked-on-mnemonics.blogspot.com/2012/10/dism-thispy.html">dism-this</a>, <a href="http://securityxploded.com/exe-scan.php">ExeScan</a>, <a href="http://udis86.sourceforge.net/">udis86</a> (udcli), <a href="http://joxeankoret.com/blog/2012/04/29/extracting-binary-patterns-in-malware-sets-and-generating-yara-rules/">autorule</a> (/usr/local/autorule), <a href="http://blog.didierstevens.com/programs/disitool/">disitool</a></li> <li><em>Other file analysis:</em> Added <a href="https://gist.github.com/noonat/821548">extract_swf.py</a>, <a href="http://www.sno.phy.queensu.ca/~phil/exiftool/">ExifTool</a>, <a href="http://sourceforge.net/projects/mastiff/">MASTIFF</a></li> <li><em>Other additions: </em>Added <a href="https://github.com/merces/hack-functions">hack-functions</a> (/usr/local/hack-functions), <a href="http://www.forensicswiki.org/wiki/Bulk_extractor">bulk_extractor</a><span>, <a href="http://www.cert.at/downloads/software/procdot_en.html">ProcDot</a></span></li> </ul><p><strong>Getting Started With REMnux</strong></p> <p>The one-page <a href="http://zeltser.com/remnux/remnux-malware-analysis-tips.html">REMnux Usage Tips</a> cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.</p> <p>The recorded <a href="https://www.sans.org/webcasts/malware-analysis-essentials-remnux-96397">Malware Analysis Essentials Using REMnux</a> webcast provides a good overview and examples of some of the tools for performing static malware analysis. I also recorded a webcast to discuss <a href="https://www.sans.org/webcasts/remnux-v4-malware-analysis-96585">What&#8217;s New in REMnux v4 for Malware Analysis</a> and to demonstrate the new tools.</p> <p>If you find REMnux useful, take a look at the <a href="http://LearnREM.com/">reverse-engineering malware course</a> that my colleagues and I teach at SANS. It makes use of REMnux and various other tools.</p> <p>If you haven&#8217;t already, download the REMnux distro at <a href="http://REMnux.org/">REMnux.org</a>.</p> <p>For tips, issues and workarounds related to installing REMnux v4, see <a href="http://zeltser.com/remnux/remnux4-installation-notes.html">REMnux Version 4 Installation Notes</a>.</p> <p><span>&#8212; </span><a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=xreD4BJVRII:7RzIVdYAMKo:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=xreD4BJVRII:7RzIVdYAMKo:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=xreD4BJVRII:7RzIVdYAMKo:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/xreD4BJVRII" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/xreD4BJVRII/47545363323http://blog.zeltser.com/post/47545363323Tue, 09 Apr 2013 12:16:00 -0400Linuxmalware analysisreverse-engineeringsecuritytoolsinformation technologyhttp://blog.zeltser.com/post/47545363323<p>Apple&#8217;s introduction of two-step verification for Apple IDs is consistent with the trend in the industry to strengthen user authentication practices. Facebook has been <a href="http://blog.zeltser.com/post/1319041093/why-facebook-one-time-passwords">experimenting with one-time passwords</a> and <a href="http://blog.zeltser.com/post/1258010402/facebook-social-captcha-authentication">social CAPTCHA authentication</a>; Google <a href="http://support.google.com/accounts/bin/answer.py?hl=en&amp;answer=180744">began offering 2-step verification</a> a while back. It&#8217;s great to see Apple get onto this bus.</p> <p><a href="http://support.apple.com/kb/HT5570">Apple explains</a> that &#8220;two-step verification is an optional security feature for your Apple ID.&#8221; To activate it, sign into <a href="http://appleid.apple.com/">My Apple ID</a> on Apple&#8217;s website and go to the Password and Security area. You will then have the ability to specify which &#8220;trusted devices&#8221; associated with your Apple ID you wish to use as the second authentication token.</p> <p>When designating a trusted device, such as an iPhone or an iPad, Apple will send a 4-digit verification code, which will pop up on the device almost instantaneously. You&#8217;ll need to enter the code on Apple&#8217;s website to confirm that you&#8217;re in the possession of the device.</p> <p>Once you&#8217;ve enabled two-step verification, you&#8217;ll need to verify that you still have the device whenever you login to the My Apple ID website, when you &#8220;make an iTunes, App Store, or iBookstore purchase from a new device&#8221; or when you attempt to &#8220;get Apple ID-related support from Apple.&#8221;</p> <p>For example, after signing into the My Apple ID website with your username and password, you&#8217;ll be presented with the prompt to &#8220;verify your identity&#8221; using one of the enrolled devices.</p> <p><img alt="image" src="http://media.tumblr.com/9ac443c46dafb33c3bd57cf90728bd40/tumblr_inline_mk2x12TfBH1qz4rgp.png"/></p> <p><span>A pop-up like this will appear on the designated trusted device:</span></p> <p><img alt="image" src="http://media.tumblr.com/5207a0b8d24d8a5289548494205b6c88/tumblr_inline_mk2xh8NtwG1qz4rgp.png"/></p> <p><span>If your device is locked when the code is delivered, you will need to unlock it before seeing the code. The overall experience is a bit more streamlined than what Google uses, because Google requires the user to install and the activate the </span><a href="http://support.google.com/accounts/bin/answer.py?hl=en&amp;answer=1066447">Google Authenticator</a><span> app on the mobile device.</span></p> <p><span>Receiving the code requires an active data connection.</span><span> </span><span>If you are using an iPhone, don&#8217;t have data but are able to receive SMS, Apple can send a verification code to your a verified phone via SMS. To take advantage of this feature, you need to verify the phone number through the </span>My Apple ID website.</p> <p>When activating the two-step verification option, Apple automatically generates a Recovery Key, which can be used as an authentication token if you lose access to a trusted device:</p> <p><img alt="image" src="http://media.tumblr.com/495f5fcb5017d61bd6aaba94f8c439df/tumblr_inline_mk2xjnbLGb1qz4rgp.png"/></p> <p><span>Google, Apple and to some extent Facebook now give users the option of strengthening their account authentication process. It&#8217;s only a matter of time before other industry giants, such as Twitter, jump in. Perhaps stronger authentication becomes the norm, we might see some </span><a href="http://blog.zeltser.com/post/40486607746/better-mobile-phone-user-authentication">innovation in making it more reliable and convenient</a><span> for end-users.</span></p> <p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=gdBD8fHaP8A:e_QMoQaOeuE:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=gdBD8fHaP8A:e_QMoQaOeuE:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=gdBD8fHaP8A:e_QMoQaOeuE:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/gdBD8fHaP8A" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/gdBD8fHaP8A/46013353353http://blog.zeltser.com/post/46013353353Fri, 22 Mar 2013 16:47:00 -0400authenticationmobileinformation technologysecurityhttp://blog.zeltser.com/post/46013353353<p><img alt="image" src="http://media.tumblr.com/1e755aa5c2846c798011f03f121bb12b/tumblr_inline_mjazyhJq2M1qz4rgp.png"/></p> <p>The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. A few years ago this concept, often called <em>Indicators of Compromise</em> (IOCs), was mostly discussed by government organizations and defense contractors who were coming to terms with <a href="http://blog.zeltser.com/post/3459353024/touchy-security-topics-apt">Advanced Persistent Threat</a> (APT) attacks.</p> <p>Madiant began popularizing the term IOC around 2007. Kris Kendall&#8217;s paper <a href="http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Paper/bh-dc-07-Kendall_McMillan-WP.pdf">Practical Malware Analysis</a> mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia&#8217;s <a href="http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Mandia.pdf">Foreign Attacks on Corporate America</a> slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary&#8217;s artifacts to define custom host-level signatures.</p> <p>Now, several years later, the term IOC is pretty well-known in the infosec industry. More companies are adding malware and related analysis skills to incident response teams. <a href="http://computer-forensics.sans.org/blog/2013/02/12/jake-williams-tips-on-malware-analysis-and-reverse-engineering-2">As Jake Williams put it</a>, such firms know how to examine new malware and extract IOCs. &#8220;These are then fed back into the system and scans are repeated until no new malware is found.&#8221; Automated analysis products from vendors such as Norman, Mandiant, FireEye and HB Gary are being increasingly positioned as IR triage-enablers.</p> <p>That said, the knowledge and skills for deriving and using IOCs is far from being mainstream. Anton Chuvakin <a href="http://blogs.gartner.com/anton-chuvakin/2013/03/04/a-quiet-assumption/">highlighted the distinction between security <em>haves</em> and <em>have-nots</em></a> along the lines of this capability. The <em>haves</em> know how to reverse-engineer malware to &#8220;extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems.&#8221;</p> <p>IOC techniques haven&#8217;t entered the mainstream just yet. But we&#8217;re heading in that direction, as more people attain forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.</p> <p>To learn how to define and make use of IOCs, take a look at:</p> <ul><li><a href="http://computer-forensics.sans.org/blog/2011/04/12/digital-forensics-signatures-for-security-incident-response">Context-Specific Signatures for Computer Security Incident Response</a></li> <li><a href="http://computer-forensics.sans.org/blog/2012/07/24/mutex-for-malware-discovery-and-iocs">Looking at Mutex Objects for Malware Discovery and Indicators of Compromise</a></li> <li><a href="http://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques">SANS Reverse-Engineering Malware Course</a></li> </ul><p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=REqDrYd7ieI:tJOkzxFKjLU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=REqDrYd7ieI:tJOkzxFKjLU:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=REqDrYd7ieI:tJOkzxFKjLU:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/REqDrYd7ieI" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/REqDrYd7ieI/44795789779http://blog.zeltser.com/post/44795789779Thu, 07 Mar 2013 13:45:00 -0500malwaremalware analysisincident responseforensicsapthttp://blog.zeltser.com/post/44795789779<p><img alt="image" src="http://media.tumblr.com/tumblr_lt8665M7WD1qd9o7r.png"/></p> <p><strong>Update: </strong>This position has been filled.</p> <p>I&#8217;m looking for a software engineering manager to join <a href="http://blog.zeltser.com/post/8535896950/new-job-challenges-opportunities">my team at NCR</a> in Dallas, TX. The person leads the efforts to develop and maintain software that addresses our customers&#8217; information technology needs. To accomplish this, the manager motivates team members and oversees their activities in the context of Agile-inspired development practices.</p> <p>Some of the required skills and proficiency levels include:</p> <ul><li>Experience managing a software engineering team</li> <li>Past experience developing applications using C, C++, C#/.NET or Java</li> <li>Experience in overseeing the development of mission-critical software projects from design to completion</li> <li><span>A cultural fit that allows the person and the team to have fun and be productive</span></li> </ul><p>Are you such a person or do you know someone like this?</p> <p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=QAr4yja1Nyc:K9x81OL9PE8:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=QAr4yja1Nyc:K9x81OL9PE8:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=QAr4yja1Nyc:K9x81OL9PE8:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/QAr4yja1Nyc" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/QAr4yja1Nyc/17065044342http://blog.zeltser.com/post/17065044342Mon, 04 Mar 2013 12:19:00 -0500careerinformation technologysoftwarehttp://blog.zeltser.com/post/17065044342<iframe src="//www.tumblr.com/video/lennyzeltser/43644617774/400" id="tumblr_video_iframe_43644617774" class="tumblr_video_iframe" width="400" height="242" style="display:block;background-color:transparent;overflow:hidden;" allowTransparency="true" frameborder="0" scrolling="no" webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe><br/><br/><p><strong>Proxify and BadAssProxy in Action</strong></p> <p>GNUCITIZEN <a href="http://www.gnucitizen.org/blog/landing-proxify/">released a lightweight proxy called Proxify</a>, designed to conveniently integrate with other tools. Proxify can handle both HTTP and HTTPS, displaying or saving the interactions between the client and the server. Its authors expect the tool to be embedded in applications that require proxy functionality, explaining that:</p> <blockquote> <p>“The tool will do all the hard work and you just need to provide a very simple restful HTTP service to do the forwarding of data between the browser and the remote target. “</p> </blockquote> <p>Proxify is easy to run from the command-line, as you can see in the video attached to this post. In this example, I directed Proxify to listen on port 8080 and save all requests and responses it intercepts to the “output” directory.</p> <p><img alt="" src="http://zeltser.com/media/archive/proxify.png"/></p> <p>Proxify is free for non-commercial use, and is <a href="http://code.google.com/p/gnucitizen/downloads/list">available in a binary form</a> for Windows, Linux and OS X.</p> <p>For an example of a GUI tool that uses Proxify behind the scenes, take a look at <a href="http://badassproxy.com/">BadAssProxy</a> (BAP), <a href="http://blog.websecurify.com/2013/02/landing-a-badassproxy.html">released for free by Websecurify</a>. The initial release of BAP isn’t as full-featured as the established tools in this category, such as <a href="http://www.fiddler2.com/fiddler2/">Fiddler</a> and <a href="http://www.portswigger.net/burp/">Burp</a>. However, it has a clean user interface and promises additional functionality in future versions.</p> <p><img alt="" src="http://zeltser.com/media/archive/badassproxy.png"/></p> <p>BAP is available as a free Windows download. It requires <a href="http://www.microsoft.com/en-us/download/details.aspx?id=5555">Microsoft Visual C++ 2010 Redistributable Package</a> to run.</p> <p>I like the simplicity of Proxify and the convenience of being able to run it from the command-line to examine web traffic. I wish it offered the convenience of easily carving files from HTTP responses, though. (I am planning to include Proxify in the next release of the <a href="http://REMnux.org/">REMnux</a> distro.) BAP looks nice as a proof-of-concept and is built using a promising (Java-free) architecture; I’m looking forward to seeing this tool’s future releases with more functionality.</p> <p>— <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=htncR_jXp6w:QKE2YtS63wg:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=htncR_jXp6w:QKE2YtS63wg:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=htncR_jXp6w:QKE2YtS63wg:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/htncR_jXp6w" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/htncR_jXp6w/43644617774http://blog.zeltser.com/post/43644617774Thu, 21 Feb 2013 09:26:00 -0500toolsvideowebinformation technologysecurityhttp://blog.zeltser.com/post/43644617774<p><img alt="image" src="http://media.tumblr.com/1287cc63f4753016cb117574b13d047e/tumblr_inline_miiyvtHanw1qz4rgp.jpg"/></p> <p>Think you know malware? I created a new fun quiz to see whether you can recognize the 10 malware specimens you should probably know by name. Test your knowledge and learn something along the way.</p> <p><a href="http://www.proprofs.com/quiz-school/story.php?title=name-that-malware"><strong>Take the 10-question Name That Malware! quiz.</strong></a></p> <p>If you like this approach to learning, here are two more quizzes I put together:</p> <ul><li><a href="http://blog.zeltser.com/post/4408713183/certified-apt-nerd">Certified APT Nerd (CAPTN) Examination</a></li> <li><a href="http://www.proprofs.com/quiz-school/story.php?title=whats-your-malware-analysis-prowess">What&#8217;s Your Malware Analysis Prowess?</a></li> </ul><p>&#8212; Lenny Zeltser</p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=nCfFlBGkM1A:MTOo3G6Ns3I:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=nCfFlBGkM1A:MTOo3G6Ns3I:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=nCfFlBGkM1A:MTOo3G6Ns3I:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/nCfFlBGkM1A" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/nCfFlBGkM1A/43567955186http://blog.zeltser.com/post/43567955186Wed, 20 Feb 2013 10:27:00 -0500securitymalwareeducationhttp://blog.zeltser.com/post/43567955186<p><img alt="image" src="http://media.tumblr.com/2f60080e1cf4975d538172f0dadf73f9/tumblr_inline_mi5z3qznZm1qz4rgp.png"/></p> <p>I had the pleasure of speaking with Jake Williams, my colleague at SANS Institute, about his perspective on various malware analysis and reverse-engineering topics. You can read the interview in three parts:</p> <ul><li><span><a href="http://computer-forensics.sans.org/blog/2013/02/04/jake-williams-tips-on-malware-analysis-and-reverse-engineering">Part 1</a>: Getting into digital forensics, crafting a strong malware analysis reports and making use of the analyst&#8217;s findings</span></li> <li><span><span><a href="http://computer-forensics.sans.org/blog/2013/02/12/jake-williams-tips-on-malware-analysis-and-reverse-engineering-2">Part 2</a>: A</span></span>cting upon malware analyst&#8217;s findings and the role of indicators of compromise (IOCs) in the incident response effort</li> <li><a href="http://computer-forensics.sans.org/blog/2013/02/12/jake-williams-tips-on-malware-analysis-and-reverse-engineering-3">Part 3</a>: Various approaches to malware analysis, including behavioral, dynamic, static and memory forensics </li> </ul><p>Jake is highly experienced in this space and shared helpful insights in the interview above. Jake will be teaching <a href="http://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques">FOR610: Reverse-Engineering Malware</a> on several occasions at SANS this year.</p> <p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=6If5FUO1ums:AxPW7HgEEQc:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=6If5FUO1ums:AxPW7HgEEQc:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=6If5FUO1ums:AxPW7HgEEQc:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/6If5FUO1ums" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/6If5FUO1ums/43398309587http://blog.zeltser.com/post/43398309587Mon, 18 Feb 2013 09:10:17 -0500malwaremalware analysisinformation technologyinterviewsecurityincident responseforensicshttp://blog.zeltser.com/post/43398309587<p><img alt="image" src="http://media.tumblr.com/d435aa4a2b7a2baaa9ec90d540dd5bb8/tumblr_inline_mh25csulyg1qd9o7r.png"/></p> <p>User authentication is usually discussed in the context of the person&#8217;s initial interactions with the system&#8212;a safeguard often implemented by a classic login screen. However, one-time validation of the user&#8217;s identity is becoming insufficient for modern devices and applications that process sensitive data. Such situations might benefit from a seamless authentication approach that incorporates <strong>continuous verification of the user&#8217;s identity</strong>.</p> <p>Initial attempts at continuous user authentication can be seen in security policies that lock the user&#8217;s workstation after a period of inactivity or settings demanding that mobile phone users enter their PIN every few minutes. These traditional security measures annoy people and leave much room for innovation.</p> <p>Continuous user authentication could occur transparently by spotting anomalies in which the user interacts with the system. Such methods could avoid interrupting the user unless the system begins to doubt the person&#8217;s identity. For instance, the user&#8217;s web application activities could be continuously scrutinized for deviations from normal workflow and UI interaction patterns. Similarly, a mobile phone could regularly examine the user&#8217;s bio-signs to spot an impostor.</p> <p>The notion of continuous and seamless authentication isn&#8217;t new; however, it has yet to enter mainstream computing in a meaningful way. Here are a few examples of what might be feasible:</p> <ul><li><a href="http://www.tapironline.no/last-ned/208">Continuous Authentication using Biometric Keystroke Dynamics</a> and <a href="http://www.europeanjournalofscientificresearch.com/ISSUES/EJSR_82_3_14.pdf">Keystroke Dynamics Based Human Authentication System using Genetic Algorithm</a> discussed challenges and solutions for continuous authentication techniques based on the user&#8217;s <strong>typing activity</strong>.</li> <li><a href="http://www.researchgate.net/publication/4337851_Physical_Access_Protection_using_Continuous_Authentication">Physical Access Protection using Continuous Authentication</a> discussed prototype systems that continuously and seamlessly authenticated PC users through &#8220;<strong>video from a camera</strong>, and <strong>fingerprint images</strong> from a mouse equipped with a fingerprint scanner.&#8221;</li> <li><a href="http://users.cis.fiu.edu/~carbunar/mobileauthen.pdf">Continuous Mobile Authentication Using Touchscreen Gestures</a> proposed an approach that tracked the user&#8217;s user&#8217;s &#8220;unique touch features, such as <strong>finger pressure and trajectory</strong>, the <strong>speed and acceleration of movement</strong>&#8221; as the person interacted with the mobile device.</li> <li><a href="http://www2.hawaii.edu/~rcia/Continuous%20authentication.pdf">Continuous Identity Authentication Using Multi-modal Physiological Sensors</a> proposed multiple physiological sensors that could be used for this purpose, including <strong>eye position</strong>, <strong>pupil size</strong>, <strong>skin conductivity</strong>, <strong>blink rate</strong>, etc.</li> </ul><p>Users of modern web applications and mobile devices demand strong security measures that don&#8217;t get in the way of normal activities. Continuous user authentication could help fulfill such seemingly unattainable demands by passively tracking relevant sensors and metrics, getting on the way only after observing an anomaly that exceeded a reasonable threshold.</p> <p>Related articles you might like:</p> <ul><li><a href="http://blog.zeltser.com/post/40486607746/better-mobile-phone-user-authentication">Creative Options for Better Authentication of Mobile Phone Users</a></li> <li><a href="http://blog.zeltser.com/post/6723873340/we-still-suck-at-protecting-logon-credentials">We Still Suck at Protecting Logon Credentials</a></li> </ul><p>&#8212; <a href="http:/zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=A-BEYNN755o:RfQbwgesAS4:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=A-BEYNN755o:RfQbwgesAS4:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=A-BEYNN755o:RfQbwgesAS4:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/A-BEYNN755o" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/A-BEYNN755o/41275913909http://blog.zeltser.com/post/41275913909Wed, 23 Jan 2013 08:47:00 -0500securitymobilewebinformation technologyauthenticationhttp://blog.zeltser.com/post/41275913909<p><img alt="image" src="http://media.tumblr.com/fdace14f53a9e8016da04e40d0089187/tumblr_inline_mglgvmQlks1qd9o7r.png"/></p> <p>If you think your mobile phone is already deeply embedded in your life, consider the critical role it will have in just a few years. As the importance and sensitivity of the data handled by mobile phones increase, so do the repercussions of the devices falling into unauthorized hands. Manufacturers and app developers will need to implement creative ways of authenticating legitimate phone users without relying on awkward passwords and PINs.</p> <p>Here are a few creative options for determining whether an authorized person is using the phone:</p> <ul><li><strong>Scan the user&#8217;s fingerprint</strong> while the person is holding the phone. <a href="http://www.reuters.com/article/2012/07/27/us-authentec-acquisition-apple-idUSBRE86Q0KD20120727">Apple&#8217;s purchase of AuthenTec</a> fueled speculations that <a href="http://thenextweb.com/apple/2012/08/16/the-real-reason-apple-acquired-authentec-because-needed-new-technology-quickly-products/">Apple will include a 2D fingerprint reader in an upcoming iPhone</a>.</li> <li><strong>Identify the unique walking pattern</strong> of the phone&#8217;s user using an accelerometer already built into many smartphones. This authentication approach is described in a paper titled <a href="http://users.ece.cmu.edu/~juefeix/btas_2012_felix.pdf">Pace Independent Human Identification Using Cell Phone Accelerometer Dynamics</a>.</li> <li><strong>Examine the user&#8217;s appearance</strong> using the phone&#8217;s built-in camera, potentially looking at eye patterns, facial geometry or ear shape. One such approach is described in the paper <a href="http://www.ee.oulu.fi/mvg/files/pdf/ICDSC07_Final.pdf">Face and Eye Detection for Person Authentication in Mobile Phones</a>. For another example, consider <a href="http://www.eyeverify.com/products.php">EyeVerify&#8217;s authentication software based on eye vein biometrics</a>.</li> <li><strong>Analyze the phone user&#8217;s thermal imaging patterns</strong> as means of authentication. This approach is described in the paper <a href="http://digitalcommons.fiu.edu/cgi/viewcontent.cgi?article=1635&amp;context=etd">Thermal Imaging As A Biometrics Approach To Facial Signature Authentication</a>. For an example of thermal imaging phone technology, see the <a href="http://www.kickstarter.com/projects/andyrawson/ir-blue-thermal-imaging-smartphone-accessory">IR-Blue accessory for iPhone and Android devices</a>.</li> <li><strong>Tune into the user&#8217;s voice patterns</strong> to authenticate the person using approaches outlined in the paper <a href="http://www.sans.org/reading_room/whitepapers/authentication/shedding-light-voice-authentication_847">Shedding Some Light on Voice Authentication</a> and <a href="http://www.technologyreview.com/news/428970/securing-your-voice/">implemented by researchers in the context of mobile phones</a>.</li> <li><strong>Sense the manner in which the user holds the phone</strong>, paying attention to the strength of the grip or finger placement. This approach is being discussed in the context of firearms&#8212;see papers <a href="http://www.scientificjournals.org/journals2007/articles/1226.pdf">Hangrip Recognition</a> and <a href="http://doc.utwente.nl/53692/1/shang05algorithm.pdf">Algorithm Design for Grip-Pattern Verification in Smart Gun</a>. It could be applied to mobile phones, too.</li> </ul><p>Authentication factors above might not work on their own, but they could be combined with each other to reach the right balance between false positives and false negatives.</p> <p>For additional context, the authentication decision could <strong>account for the expected bio-pattern</strong> of the legitimate user, such as the heart rate range that could be obtained using activity trackers that integrate with phones, such as <a href="http://www.nike.com/us/en_us/lp/nikeplus-fuelband">FuelBand</a>, <a href="http://www.fitbit.com/">Fitbit</a> or <a href="https://jawbone.com/up">UP</a>. The phone could also <strong>pay attention to the user&#8217;s breathing patterns</strong>, in the style of the <a href="http://www.breathing-zone.com/">Breathing Zone iPhone App</a>.The decision could also <strong>incorporate the person&#8217;s expected physical location and activities</strong> (i.e. jogging); for an example of the phone can &#8220;predict&#8221; the user&#8217;s activities see the <a href="http://www.google.com/landing/now/">Google Now app</a>.</p> <p>Innovative authentication options are gradually becoming available for mobile phones. More will come to light over the next few years. In the next decade, we&#8217;ll see authentication mechanisms that effortlessly tie the bio-measured identity and  context with the phone&#8217;s hardware and software functions. In some ways, it will be hard to distinguish between the mobile device and its user.</p> <p>For a follow up to this post, take a look at <a href="http://blog.zeltser.com/post/41275913909/continuous-user-authentication">Beyond Logins: Continuous and Seamless User Authentication</a>.</p> <p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=qZY6KO5pRow:NE7boBosLgQ:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=qZY6KO5pRow:NE7boBosLgQ:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=qZY6KO5pRow:NE7boBosLgQ:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/qZY6KO5pRow" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/qZY6KO5pRow/40486607746http://blog.zeltser.com/post/40486607746Sun, 13 Jan 2013 21:45:00 -0500authenticationinformation technologymobilesecuritytrendshttp://blog.zeltser.com/post/40486607746<p>Here&#8217;s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week:</p> <ul><li><a href="http://www.rationalsurvivability.com/blog/2012/07/six-degrees-of-desperation/">Six Degrees Of Desperation: When Defense Becomes Offense</a> by Christopher Hoff</li> <li><a href="http://blogs.rsa.com/will-gragido/premature-counter-offensive-actions-could-yield-painful-results-2/">Premature Counter Offensive Actions Could Yield Painful Results</a> by Will Gragido</li> <li><a href="http://www.sans.org/cloud/2012/07/10/laptops-as-a-security-model-for-hybrid-cloud">Laptops as a Security Model for Hybrid Cloud</a> by Chris Brenton</li> <li><a href="http://journeyintoir.blogspot.com/2012/07/malware-root-cause-analysis.html">Malware Root Cause Analysis</a> by Corey Harrell</li> <li><a href="http://software-security.sans.org/blog/2012/06/26/different-ways-of-looking-at-security-bugs">Different Ways of Looking at Security Bugs</a> by Jim Bird</li> </ul><p>Also, below are the articles I published in the past couple of weeks:</p> <ul><li><a href="http://blog.zeltser.com/post/27977007932/tips-for-getting-the-right-it-job">Tips For Getting the Right IT Job - New Cheat Sheet</a></li> <li><a href="http://blog.zeltser.com/post/27846821868/mutually-assured-destruction-in-cyberspace">Mutually-Assured Destruction in Cyberspace</a></li> <li><a href="http://blog.zeltser.com/post/27427354967/what-is-security-product-manager">What Does a Security Product Manager Do?</a></li> <li><a href="http://blog.zeltser.com/post/26805092079/self-selecting-gullible-victims">Allowing Gullible Victims to Self-Select in Online Attacks</a></li> <li><a href="http://computer-forensics.sans.org/blog/2012/07/24/mutex-for-malware-discovery-and-iocs">Looking at Mutex Objects for Malware Discovery and Indicators of Compromise</a> (SANS forensics blog)</li> </ul><p>Looking forward to next week!</p> <p>For more recommendations, see my earlier <a href="http://blog.zeltser.com/tagged/review">security reads of the week</a>.</p> <p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=sqlkzeiBQOY:145WE-ie2hc:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=sqlkzeiBQOY:145WE-ie2hc:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=sqlkzeiBQOY:145WE-ie2hc:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/sqlkzeiBQOY" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/sqlkzeiBQOY/28423011898http://blog.zeltser.com/post/28423011898Tue, 31 Jul 2012 14:15:12 -0400securityreviewhttp://blog.zeltser.com/post/28423011898<p><a href="http://zeltser.com/cheat-sheets/getting-the-right-it-job-tips.html"><img alt="image" height="149" src="http://zeltser.com/cheat-sheets/getting-the-right-it-job-tips-preview.png" width="385"/></a></p> <p>I published a new cheat sheet, this one offering <a href="http://zeltser.com/cheat-sheets/getting-the-right-it-job-tips.html">practical tips for finding and getting the right job in Information Technology</a>, with a slant towards information security. You can view the contents on the web or print them as a 1-page PDF file.</p> <p>This cheat sheet covers the following topics:</p> <ul><li>What to do before you start looking for a job</li> <li>How to use social networking as an ongoing part of your career</li> <li>Steps towards finding the IT position worth pursuing</li> <li>Advice on crafting and polishing your resume</li> <li>Tips for negotiating a favorable compensation package</li> </ul><p>If you have comments or tips related to getting the right IT job, please leave a comment or <a href="http://zeltser.com/about/contact.html">drop me a note</a>.</p> <p>— <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=ZAt1NPs4Ako:AHImSKOc5JY:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=ZAt1NPs4Ako:AHImSKOc5JY:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=ZAt1NPs4Ako:AHImSKOc5JY:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/ZAt1NPs4Ako" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/ZAt1NPs4Ako/27977007932http://blog.zeltser.com/post/27977007932Wed, 25 Jul 2012 07:50:00 -0400careerinformation technologyresumeinterviewcheat sheethttp://blog.zeltser.com/post/27977007932<p>Public accounts of intrusions conducted or supported by state actors highlight the importance that military organizations are placing on cyber warfare. Those without access to privileged information have been debating when &#8220;real-world&#8221; warfare will find its way to the Internet, without realizing that such activities have been ongoing for at least several years.</p> <p>Intrusions initiated by nation states against companies and governments of other countries are motivated by political and economic reasons, much like the traditional form of warfare. My hypothesis is that a country looking to safeguard its own cyber interests has to engage in a systemic campaign to compromise IT assets of its adversaries. The logical goal of such offensive operations is the state of <a href="http://en.wikipedia.org/wiki/Mutual_assured_destruction">mutually-assured destruction</a> that deters each party in the conflict from taking advantage of the IT assets it compromised.</p> <p>Here&#8217;s why I believe this might be the case:</p> <ol><li>There is presently no practical way to defend IT infrastructure of any nation state against intrusions, be they commercial or government assets. If there was, we wouldn&#8217;t be experiencing so many breaches.</li> <li>As the result, a country needs to assume that an adversarial nation state will be able to successfully compromise a significant number of the country&#8217;s critical IT assets. Many of these intrusions will be undetected.</li> <li>Therefore, the country will need to find a way to deter the adversary from taking aggressive action against a significant number of the IT assets it illicitly controls.</li> <li>One way to accomplish this is for the country to compromise a meaningful amount of the adversary&#8217;s critical IT infrastructure, creating the situation of a mutually-assured destruction.</li> </ol><p>The idea of mutually-assured destruction in cyberspace isn&#8217;t novel. It was brought up at an RSA Conference panel in February 2012. <a href="http://threatpost.com/en_us/blogs/despite-intrusions-chances-us-china-cyber-war-are-small-030112">According to the Threatpost&#8217;s article</a> discussing that panel:</p> <blockquote> <p>&#8220;Deterrence will play an important role in avoiding conflict, as it did in the Cold War with Russia. The Chinese military appreciates that both it and the U.S. have cyber offensive capabilities and defensive vulnerabilities - &#8216;big stones, and plate glass windows,&#8217; said Lewis. &#8216;We&#8217;re back to mutually assured destruction.&#8217;&#8221;</p> </blockquote> <p>A <a href="http://www.nytimes.com/2012/06/03/sunday-review/mutually-assured-cyberdestruction.html">June 2012 article in the New York Times</a> discusses several cyber warfare initiatives that appear to have been conducted by the U.S. and highlights some of the challenges of achieving cyber warfare dominance and reaching the state of mutually-assured destruction.</p> <p>Nations with the interest, expertise and budget to conduct offensive cyber activities are probably busy hacking each other to avoid being outpaced in this process by their adversaries. They are doing this to achieve the state of mutually-assured destruction as a way of deterring each other from launching a full-scale cyber war. Just a theory.</p> <p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=sXoF95mA9QM:qTQu8PmW_eU:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=sXoF95mA9QM:qTQu8PmW_eU:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=sXoF95mA9QM:qTQu8PmW_eU:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/sXoF95mA9QM" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/sXoF95mA9QM/27846821868http://blog.zeltser.com/post/27846821868Mon, 23 Jul 2012 14:25:00 -0400breachcyberwarhackinginformation technologysecurityhttp://blog.zeltser.com/post/27846821868““Be doubly vigilant after a physical break-in. Don’t just look for what’s missing, but what might have been left behind.””<br/><br/> - <em>Paul Ducklin, <a href="http://nakedsecurity.sophos.com/2012/07/16/seattle-cybercrime-trio-sentenced-for-3m-hacking-spree-via-wifi-and-malware/">discussing the practice of some cyber-criminals</a> to install a keylogger after breaking into victims’ offices and stores.</em><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=LpOtT4r39oM:h6tXxdeAIT8:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=LpOtT4r39oM:h6tXxdeAIT8:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=LpOtT4r39oM:h6tXxdeAIT8:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/LpOtT4r39oM" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/LpOtT4r39oM/27637192924http://blog.zeltser.com/post/27637192924Fri, 20 Jul 2012 13:47:03 -0400malwarebreachhackinghttp://blog.zeltser.com/post/27637192924<p><img alt="image" src="http://media.tumblr.com/tumblr_m7bma1XkJT1qd9o7r.png"/></p> <p>It&#8217;s unusual for information security professionals to work in a group that directly generates revenue instead of <a href="http://blog.zeltser.com/post/3477924637/touchy-security-topics-roi">being a cost center</a>. Many find working within a cost center hard, in part because when it is time to cut costs, infosec budgets are among the first to go. Product management provides an opportunity for infosec pros to work in a profit center for a change. (There are others, such as <a href="http://blog.zeltser.com/tagged/consulting">consulting</a> and sales.)</p> <p>From my perspective, the primary goal of product management is to define product capabilities and drive product adoption. Sometimes this view on product management is called product development.</p> <ul><li><em>Defining product capabilities</em> entails working closely with customers to understand and anticipate their needs. It also requires understanding the company&#8217;s strengths and weaknesses related to the market as well as the competitive landscape.</li> <li><em>Driving product adoption</em> involves those steps that help the product find its way to its consumers. This usually requires the need to understand the company&#8217;s channel and partnerships, unless the product is sold directly. It also involves regular customer interactions and some aspects of marketing.</li> </ul><p>In the world of information security, a product might be a hardware gadget, such as a network tap, a piece of software such as an anti-malware tool, or a service, such as a managed security offering. Sometimes it is a combination of these categories.</p> <p>Here are the type of tasks a product manager might be asked to perform to support the objectives outlined above:</p> <ul><li>Define a strategy for the product’s evolution to support business and customer needs.</li> <li>Create specifications, prioritize requirements and maintain a roadmap of the features being developed.</li> <li>Manage the process of making the product available to customers.</li> <li>Act as a subject matter expert for the product&#8217;s capabilities in pre and post-sales discussions.</li> <li>Collaborate with the engineering team building the product to clarify requirements and specifications.</li> </ul><p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=Nx-0IUcpY7k:li_zNcHoPF4:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=Nx-0IUcpY7k:li_zNcHoPF4:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=Nx-0IUcpY7k:li_zNcHoPF4:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/Nx-0IUcpY7k" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/Nx-0IUcpY7k/27427354967http://blog.zeltser.com/post/27427354967Tue, 17 Jul 2012 16:05:00 -0400careersecuritybusinesshttp://blog.zeltser.com/post/27427354967<p><img src="http://media.tumblr.com/tumblr_m6vgxyZhDv1qd9o7r.png"/></p> <p>Cormac Herley&#8217;s paper <a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf">Why do Nigerian Scammers Say They are from Nigeria?</a> explains how some purposefully-lame scam emails are advantageous to the attacker. Such messages allow the scammer to avoid victims who will consume valuable time, but will turn out to be too savvy to fall for the scam. Herley explains that by initiating contact using a blatantly fraudulent email &#8220;that repels all but the most gullible, the scammer gets the most promising marks to self-select.&#8221;</p> <p>This motivates some scammers to send messages that are easily identified as fraudulent by many people, yet succeed at catching the more gullible portion of the population. An excerpt from <a href="http://www.fraudaid.com/scamspeak/nigerian/419/N-Z/odiwo.htm">one such example</a>:</p> <blockquote> <p>&#8220;We are top officials of the Federal Government Contract Review Panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us RECEIVE the said trapped funds ABROAD.&#8221;</p> </blockquote> <p><a href="http://www.economist.com/node/21557726">An article in The Economist on this subject</a> quotes Basil Udotai, a former cybersecurity director of Nigeria&#8217;s National Security Adviser: &#8220;There are more non-Nigerian scammers claiming [to be] Nigerian than ever reported.&#8221; One motive for this might be &#8220;Nigeria&#8217;s dreadful reputation for corruption that makes the strange tales of dodgy lawyers, sudden death and orphaned fortunes seem plausible in the first place.&#8221;</p> <p>Allowing victims to self-select as being vulnerable might be useful for online attacks and scams that involve <a href="http://blog.zeltser.com/tagged/social_engineering">social engineering</a> and require human involvement on the attacker&#8217;s part. They also seem most appropriate for mass-scale attacks, where a small percentage of gullible people produces a sufficiently large set of likely targets.</p> <p>Self-selecting victims by using blatantly malicious communications also might be useful for some penetration testing and targeted attack scenarios. A human-powered attack will want to focus on people most likely to assist the attacker. Moreover, the attacker might conceal his true sophistication by purposefully appearing amateurish.</p> <p>So perhaps the next time you come across a poorly-worded email scam, filled with all-uppercase letters, typos, grandiose titles and financial promises, you won&#8217;t laugh at the naive message. The scammer might be so clever, that his apparent incompetence is a charade.</p> <p>Hand-picked related articles:</p> <ul><li><a href="http://blog.zeltser.com/post/2822651353/bots-chatting-on-social-networks">When Bots Chat With Social Network Participants</a></li> <li><a href="http://blog.zeltser.com/post/1609709966/faux-targeted-attacks">Faux-Targeted Attacks and the Magic of Cold Reading</a></li> <li><a href="http://blog.zeltser.com/post/2685898823/social-engineering-in-online-scams">Social Engineering in On-Line Scams: &#8220;Home Income Kit&#8221;</a></li> </ul><p>&#8212; <a href="http://zeltser.com/">Lenny Zeltser</a></p><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/zeltser?a=i0ujh2JxCLs:EPEDIV1LPiI:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/zeltser?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/zeltser?a=i0ujh2JxCLs:EPEDIV1LPiI:RvL6FdYZ88I"><img src="http://feeds.feedburner.com/~ff/zeltser?i=i0ujh2JxCLs:EPEDIV1LPiI:RvL6FdYZ88I" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/zeltser/~4/i0ujh2JxCLs" height="1" width="1"/>http://feedproxy.google.com/~r/zeltser/~3/i0ujh2JxCLs/26805092079http://blog.zeltser.com/post/26805092079Sun, 08 Jul 2012 22:44:38 -0400social engineeringscamfraudhttp://blog.zeltser.com/post/26805092079