New Endeavors Ahead


This weekend, I had a fleeting thought about how long it had been since I posted here, but I suppose I didn’t realize it had been quite that long. Long story short, the past few months have been pretty busy and there are some very exciting things coming around the corner for me that I’m very much looking forward to. First and foremost, I’ve got a son on the way and he’ll be here 1Q 2014! Super excited about this as it signifies a new chapter in my life as our family grows. Although I probably should be (and may be later), I’m not really nervous, but definitely excited. I’m guessing there may be some opportunities for middle-of-the-night blog posts once he arrives. Keeping with my ways, I’ve already started stockpiling plenty of supplies and I think we’ll be good on baby wipes for a few weeks, months, errr… years? The second major announcement is that I’ve got a side job in the form of a small business, and that’s really what has been taking most of my time in the recent months. After speaking with a few people, and given my interest and previous work with Maltego, I decided […]


BsidesBoston!


I had the pleasure of attending my first Bsides event yesterday and it went great! Special thanks to all the organizers, sponsors, and other presenters for making it awesome. The venue was nice, and I think events like these are perfect for newb presenters like myself to start getting some experience. I was also happy to finally be able to meet several of the people I’ve talked to on Twitter and put some faces to the names. The schedule is available here, and be sure to keep checking for the recordings, or follow @BSidesBoston on Twitter. The morning keynote was, as expected, superb. Dr. Dan Geer gave an interesting and thought-provoking talk about the pace of technological development and its effects on identity and privacy. I won’t rehash all the worthwhile quotes (many of which are available in the #BsidesBOS Twitter feed), but there was one point that I liked a lot. What’s your definition of privacy? Is privacy based on observability, or is it the lack of identifiability? That is, if you can still observe someone, do they still enjoy privacy so long as you can’t identify them? When you frame this in a digital context, it raises a good point. […]


BeaCon Preso on Malformity


I had the pleasure of speaking at BeaCon yesterday in Boston, MA. Thanks to MassHackers and everyone else that helped put the event on! It was great to be able to meet other security people in New England, especially since I’ve talked to many of them on Twitter. My presentation went well, though I came up a bit short on time, but it gives me a good reference for future presentations and additional content to add. The event itself was great and I was thoroughly impressed with the quality of talks for such a small event. For anyone interested, all the slides will be available at some point, as well as recordings for most of them. The best place to check for these is probably here or by monitoring the @MassHackers Twitter account. My presentation is available on SlideShare: Malformity BeaCon2013 from digital4rensics.


Understanding Your Adversary


Over the past year, perhaps more, there has been an increasing amount of discussion about whether or not organizations need to “know” their adversary. The topic roared up upon the publication of Mandiant’s Intel Report and the subsequent publications by other vendors. Naturally, much of the discussion seems to focus on espionage-type attacks, but depending on the organization, others are equally as important. Of course, there are experts and organizations on both sides of the spectrum. Some believe that any effort put towards identifying an attacker or likely attacker is wasted. After all, organizations have a hard enough time just keeping defenses up, let alone pulling analysts to work on something that doesn’t have immediate impact. On the other side, some others think that direct attribution is critical because without it, no direct action can be taken. As with many things, I think the true answer lies somewhere in between. I’ll take a stab at the second situation first, as I think it’s quicker to run through. The question: Do you or your organization need to know the PERSON sitting behind the keyboard at the other end of the attack? I still believe that the answer, in most […]


How To: Installing Malformity


Malformity was released a couple of weeks ago. If you missed it, the original post and the follow up provide more background on the project. This post is meant to get you started using Malformity and provides a quick overview of how to install it. First, if you don’t have Maltego, you should head over to the Paterva site and download Maltego CE, which is free for personal use. If you’ve never used it before, but want to give Malformity a try, I suggest fooling around with Maltego a bit to get used to it. Alternatively, Paterva has a great set of video tutorials up on YouTube. Once you have Maltego, you’ll have to grab Canari (supports Python 2.x) in order to install the Malformity package. You can do this by running the following:

$ sudo easy_install canari

Now, make sure you’re in your desired directory. You then need to clone Malformity from Github. You should see similar output when using the command below.

$ git clone http://github.com/digital4rensics/Malformity
Cloning into Malformity…
remote: Counting objects: 158, done.
remote: Compressing objects: 100% (87/87), done.
remote: Total 158 (delta 77), reused 146 (delta 65)
Receiving objects: 100% (158/158), 64.97 KiB | 63 KiB/s, done.
[…]


Book Review: Violent Python


A plane ride last week provided me the opportunity to knock one of my queued books off the stack. I had the pleasure of reading Violent Python by TJ O’Connor in its entirety during my flight. I wish that I would have been in a better environment to try out some of the exercises, but the code was pretty straightforward, even for someone relatively new to the language. I definitely wanted to get this post out quickly because I know the book’s still relatively new, and I’ve actually had several inquiries as to my recommendation for the book. Long story short, I think I fit into the prime demographic for this book. Based on my job/interests/etc., I most enjoyed the forensic analysis, network traffic, and web recon chapters. These most closely align with projects that I’m likely to work on, so I felt that I gained the most out of them. That’s not to suggest that the other chapters weren’t great, and I assume everyone will have a slightly different interest or focus depending on personal interests. The biggest thing I liked about the book is that the scripts provided are actually useful, and can become a base to […]


Additional Notes on Malformity


Earlier this week, I published a post on my employer’s blog about a project that I’ve started working on. The project, called Malformity, is a local transform package for Maltego that can be used to assist in conducting malware and malicious infrastructure research. Since this post won’t re-hash all the basics introduced in that post, I highly recommend you read it first, if you haven’t done so already. This post will just lay out a few more notes related to the project. First, if the project helps you out, awesome. I’m adding transforms right now that I think will be the most useful and the ones that help me out when I’m doing my analysis. If there’s a query or source that would be helpful for you, please feel free to submit a request for a new transform or transform set! I’d love to see this project grow to meet the needs of as wide a range of people as possible (within the scope of malz/infra, of course…). In the near term, I plan on creating a VirusTotal account and distributing an API key with Malformity so that people don’t have to create their own accounts. The option to specify your […]


Book Review: Reverse Deception


I recently finished reading Reverse Deception: Organized Cyber Threat Counter-Exploitation by Bodmer, Kilger, Carpenter, and Jones. When I purchased the book, I was a little hesitant because of the current and former positions the authors have held. I know that, with topics such as those in this book, the pre-publication review process has the potential to significantly limit the interesting bits that can be included. However, the general book description and my interest in psychology pushed me over the edge to purchase the book anyway. While I’m generally happy with the book, I think the back cover was slightly misleading regarding the level of technical material in the book. I don’t think it detracted from the book, but the primary focus is a high-level conceptual overview of the topics at hand. The foreword and chapter 1 do a great job of setting the groundwork for the rest of the book. For those with absolutely no Intel/CI background, this is a great description of the major topics in the book. For me, one of the most important points is that deception is not simply about deceiving the adversary. Instead, deception is most beneficial if you can alter the adversary’s actions in […]


Brief OSINT review for CVE-2012-1535 Attacks


On August 15th, Jaime Blasco over at AlienVault Labs posted a description of a malicious Word document with an embedded Flash file that exploits CVE-2012-1535 (original here). The document described within the specific attack was titled “iPhone 5 Battery.doc”, and the dummy document displayed after exploitation is a legitimate article that was posted on August 10th, 2012 on TechCrunch here. Metadata on the document analysis via VirusTotal here shows that the malicious file was created on the same day. We also know that the VirusTotal analysis was completed on August 15th, which suggests a relatively short period of infection of 5 days (probably less given the AV article). However, the malicious DLL (taskman.dll) has a compile time of 2012-07-26 07:20:06+2:00, which also suggests the specific payload could have been in use for up to 2 weeks prior to this round of delivery. Yes, it is acknowledged that the timestamp could be manipulated, but due to the general relation to the rest of the attack, it doesn’t seem likely. Lastly, the generic topic selected for this document does little to suggest potential targets since it could be of interest to almost anyone. Since this article, several other sample malicious documents (8 […]


Crowdsourcing for InfoSec


About a week ago, I saw a tweet by @c_APT_ure referencing a new category in the established domain-tagging system at OpenDNS. They (OpenDNS) recently added both a malware and botnet category that can be submitted for review (official announcement here). For those who don’t know how the domain tagging works, it basically goes like this:

1.) Someone submits a domain for review, usually in a category chosen by the submitter.
2.) The domain is then reviewed for accuracy.
3.) If verified beyond a certain level, it’s added to the tagged category.

In this particular effort, OpenDNS required those wanting access to the malware and botnet categories to apply, which makes sense. These categories are probably going to result in blocked sites, and as such, you want people who know what they’re doing reviewing the sites. Based upon mailing list emails, OpenDNS was happy with the number of requests that were received to conduct malware and botnet tag reviews. I requested any basic statistics (# applicants, # active, # reviews, etc.) and will update if or when I get them. I will say that based upon the amount of conversation in the mailing list, there is at least a strong core group […]
